Why a BIA?
The BIA is really the foundation of a BCM (Business Continuity Management) process or approach. During the BIA, one of the prime goals is to identify the most important products and services of an organization. These products and services are of chief importance because they provide the main contributions (in financial terms) or are important for the customers of the organization. For a services company, a call center might be very important because customers rely on this contact point for placing orders, filing complaints, asking for help, etc. If this key resource fails, the impact – increasing over time – would soon be unacceptable.
Without having identified those critically important assets (processes, systems, people, suppliers…), it is not possible to create an answer to the challenge of developing a business continuity strategy. As a customer of mine once quite rightly put it, the business continuity strategy is the answer to the questions raised during the BIA.
As ISO 22301:2012 makes a risk assessment mandatory, the BIA may well serve to contribute to this requirement, too. As ISO 22301:2012 does not specify when the risk assessment is to be done in relation to the BIA, it can be done before (as a foundation) or after (being in possession of detailed information) the BIA. My recommendation is to do the risk assessment twice: before and after the BIA. In this way, we get a starting point for the BIA and after its completion we get a refined risk assessment.
The BIA in the BCM Lifecycle
We learned that the BIA precedes the development of the business continuity strategy. After this phase, a BCM response is set up (e.g. measures proposed in the strategy are implemented, a BC plan is produced and an emergency response team is created). After some time, we again need to conduct a BIA. Why?
Although it starts as a BCM “project” (after management commitment has been obtained and other prerequisites have been fulfilled), a BCM approach actually never ends. BCM measures need to continually follow the development of the organization. For example, if an organization decides to set up a new subsidiary, acquires another company, launches a new product or switches suppliers, the risk landscape may change (and in most situations does change). As an organization doesn’t stand still, we periodically need to re-analyze the situation with another BIA. There is no need to start from scratch; we need to address any changes to the organization and its environment.
The BIA’s contribution to organizational development
While the main focus and purpose of a BIA is its contribution to a BCM approach, there are bonuses even when – for the moment – not considering business disruptions. As the BIA deeply and thoroughly analyzes the business processes of an organization, this might be the first time that such an analysis has ever taken place. The resulting insights may yield advantages for the day-to-day operation and may lead to better, more stable and reliable processes. For example, a dependency on a single supplier, an unstable interface between software packages or missing process documentation might be uncovered, all contributing to a more stable daily operation – and all of which might prevent business disruptions altogether.
See also the following Webinar on the importance of the BIA