Olzak on Business Continuity

About this Blog:

On surviving the unthinkable and other challenges.

Tom Olzak

Business Continuity Event Planning: Business Impact Analysis (BIA)


This is the second of two posts examining the prepare step in building and managing a BCEM (Business Continuity Event Management) plan. In the previous post, we saw how understanding the business is critical to business impact mitigation and process recovery. The activities discussed there produce the input for the business impact analysis, including:

  • Business objectives
  • Regulatory environment
  • Critical processes
  • Threats
  • Process interdependencies
  • Process vulnerabilities


Using this information, we can plan for inevitable process failures.  The BIA uses business impact information and the probability of specific business continuity events to calculate levels of business risk.  The end result of a BIA is a picture of the BCEM threat, vulnerability, mitigation, and response framework and how that framework reduces risk to levels acceptable to management.

Instead of segregating the BIA from risk assessment and mitigation activities, I integrated them into an overall business continuity risk management process.  The result is a continuous, risk-centric approach to BCEM preparation.


What is Business Impact?


Business impact is a measure of how an organization might be affected by a process failure caused by technology, premises, or human resource issues. Impact is classified as either revenue or non-revenue.

Revenue impact includes the full or partial failure of any process which produces, collects, or processes business income.  Examples include:


  • Accounts receivable systems
  • Availability of revenue generating facilities
  • Availability of sales, service or product delivery, or revenue collection employees
  • Any other process whose failure diminishes the organization’s ability to fund operations, pay its bills, or make payroll


Non-revenue impact is caused by challenges that do not directly affect short-term realization of revenue, including:

  • Payroll systems
  • Availability of employees not directly related to revenue generation, such as human resources
  • Public perception
  • Regulatory compliance
  • Environmental damage


Although causes of non-revenue impact might not result in immediate financial losses, some could result in long-term financial damage through loss of investor or customer goodwill.

Business impact can be calculated using either a qualitative or a quantitative approach.  Qualitative analysis depends on the experience of employees and consultants to arrive at risk scores.  The results of the quantitative approach are estimates of potential dollar losses based on known costs or revenue streams.  Most organizations don’t understand process interruption costs well enough to use quantitative BIA methods.  So we’ll focus on a qualitative approach in this article. 


The BIA


The BIA, as presented in this series, is a risk management tool.  A very simple formula depicts the relationship between business impact and risk.


Risk = Probability of Occurrence * Business Impact

Probability of occurrence is calculated using the threat and vulnerability analysis performed in the previous step, understanding the business. It’s represented as the number of occurrences expected in a single year. This is known as the Annual Rate of Occurrence (ARO).

For example, if information about known threats, vulnerabilities, and actual events leads an analyst to believe a threat will exploit a weakness and interrupt business operations once every four years, the probability of occurrence is 0.25.

During a qualitative BIA, the analyst uses probability of occurrence (PO) and business impact (BI) to arrive at a risk score.  The risk score is a measure of the amount of damage resulting from one or more failed critical processes.   


The BIA Process


Figure 1 depicts BIA phases—the Prepare step in the BCEM Planning cycle—at a high level.



Figure 1

 

The first phase, Understand the Business, was covered in the last post.  In the remaining sections of this article, we’ll step through the next three.

Calculate MTDs

MTD (Maximum Tolerable Downtime) is the maximum time a critical process can be down, or hindered in some way, without irreparable harm to the business.  It’s typically calculated as part of a BIA and is used during risk calculations.

At a high level, a BIA begins with identifying critical processes, describes the resources necessary to maintain them, calculates the financial or PR impact on the business if the process fails, and determines each process’s MTD. Other processes which depend on the failed process’s output also suffer. So a BIA must also describe the interrelationships between all critical processes and factor them into their MTDs.

A process MTD is an adjustable value, affected by several variables.  For more information on MTDs and how to calculate them, or extend recovery periods, see Calculating MTD based on impact mitigation and recovery capabilities.
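The two calculations described above, the risk score (Risk = Probability of Occurrence × Business Impact) and the adjustment of a process MTD for the processes that depend on it, are easier to see in a small risk register. The following is an added example, not code from the original post or the author. It assumes a 1 to 5 qualitative impact scale, constructed process names and scores, and one specific propagation rule: a process that feeds another cannot be down longer than the most sensitive process downstream of it, so its effective MTD is the minimum of its own MTD and the effective MTDs of everything it feeds.

```python
"""Qualitative BIA risk register with MTD propagation across process dependencies.

Added example, not from the original post. Process names, ARO values, impact
scores and MTDs are constructed. The propagation rule (effective MTD = min of own
MTD and the effective MTDs of all dependent processes) is an assumption.
"""
from dataclasses import dataclass, field


@dataclass
class Process:
    name: str
    aro: float          # Annual Rate of Occurrence: expected interruptions per year
    impact: int         # qualitative business impact score, 1 (low) to 5 (severe)
    mtd_hours: float    # Maximum Tolerable Downtime stated by the process owner
    # names of processes that consume this process's output (constructed dependency graph)
    feeds: list = field(default_factory=list)


def risk_score(p: Process) -> float:
    """Risk = Probability of Occurrence * Business Impact (the post's formula)."""
    return p.aro * p.impact


def effective_mtds(processes: list) -> dict:
    """Return each process's MTD after accounting for the processes that depend on it.

    A process that feeds another cannot stay down longer than that dependent
    process tolerates, so its effective MTD is the minimum over the chain.
    Cycles in the dependency graph are rejected rather than looped over.
    """
    by_name = {p.name: p for p in processes}
    memo = {}

    def eff(name, stack=()):
        if name in memo:
            return memo[name]
        if name in stack:
            raise ValueError(f"dependency cycle through {name!r}")
        p = by_name[name]
        value = p.mtd_hours
        for downstream in p.feeds:
            value = min(value, eff(downstream, stack + (name,)))
        memo[name] = value
        return value

    return {p.name: eff(p.name) for p in processes}


def risk_register(processes: list) -> list:
    """Rows of (name, risk score, stated MTD, effective MTD), highest risk first."""
    mtds = effective_mtds(processes)
    rows = [(p.name, round(risk_score(p), 2), p.mtd_hours, mtds[p.name]) for p in processes]
    return sorted(rows, key=lambda r: r[1], reverse=True)


# Constructed sample: a revenue chain (order entry -> invoicing -> accounts receivable)
# and a shared directory service that both order entry and payroll depend on.
SAMPLE = [
    Process("Order entry", aro=0.25, impact=5, mtd_hours=4, feeds=["Invoicing"]),
    Process("Invoicing", aro=0.5, impact=4, mtd_hours=24, feeds=["Accounts receivable"]),
    Process("Accounts receivable", aro=0.1, impact=5, mtd_hours=72),
    Process("Directory service", aro=2.0, impact=2, mtd_hours=48, feeds=["Order entry", "Payroll"]),
    Process("Payroll", aro=0.2, impact=3, mtd_hours=120),
]

if __name__ == "__main__":
    print(f"{'Process':<22}{'Risk':>6}{'Stated MTD':>12}{'Effective MTD':>15}")
    for name, risk, stated, effective in risk_register(SAMPLE):
        print(f"{name:<22}{risk:>6}{stated:>12}{effective:>15}")
```

Running the script ranks the directory service first (ARO 2.0 × impact 2 = 4.0) even though its owner rated its impact as low, and it shrinks that service's effective MTD from the stated 48 hours to 4 hours because order entry, which tolerates only 4 hours of downtime, cannot operate without it. That is the interdependency effect the BIA has to capture: a supporting process inherits the tightest MTD of the critical processes it feeds.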

Perform FMEA

The FMEA (Failure Modes and Effects Analysis) was developed to predict and mitigate possible failures in manufacturing processes.  Unlike root cause analysis, which takes place following an event, FMEA activities precede system or process implementation.  They help prepare teams for inevitable failures, mitigating business impact.  This makes FMEA a good fit for BCEM planning.

The best way to describe FMEA is to step through a commonly used tool. See Figure 2. (Download the FMEA template.)
