How to implement business impact analysis (BIA) according to ISO 22301

I’ve spoken to many business continuity practitioners, and most of them (both beginners and experts) are telling me that the most difficult part of ISO 22301 implementation is the business impact analysis.

So, here are my tips on how to implement the BIA – this article is an excerpt from my upcoming book Becoming Resilient: The Definitive Guide to ISO 22301 Implementation):

Purpose

Business impact analysis is primarily here to give you an idea about the timing of your recovery (Maximum Acceptable Outage/Recovery Time Objective) and the timing of your backup (Recovery Point Objective/Maximum Data Loss), since the timing is crucial – the difference of only a couple of hours could mean life or death for certain companies. For example, if you are a financial institution, recovery time of 4 hours could mean you will probably survive a disruption, whereas recovery time of 12 hours is unacceptable for certain systems/activities in a bank, and disruption of a full day would probably mean the bank would never be able to open its doors again. And there is no magic standard that would give you the timing for your organization – not only because the timing for every industry is different, but also because the timing for each of your activities could be different. Therefore, you need to perform the business impact analysis to draw the correct conclusions.

Options

Since this step in the ISO 22301 project is time consuming and complex, you can decide whether it will be performed by the your own Business continuity coordinator, or by some hired expert (e.g. a consultant) – for the sake of simplicity, I will mention only the Business continuity coordinator in this article. In any case, this person has to develop the BIA Questionnaires for collecting the information (or configure the tool, if it is used), organize interviews or workshops, compile all the data and produce the report (or include the results in the Strategy if no separate report is produced).

If you only send the methodology and BIA Questionnaires to the responsible persons in each activity and tell them to fill them in, the results you get will probably be unusable. The reason this will happen is that people find it very difficult to understand what business impact analysis is all about, even though you have written your methodology well.

Therefore, if you want your BIA to succeed, you basically have two options:

a) Perform business impact analysis through interviews – this means that the Business continuity coordinator will interview the responsible person(s) from each activity, where he will explain the purpose of BIA first, and make sure that every assessment made by the responsible person makes sense and is not biased.

b) Perform workshops with responsible persons first – in such workshops, the Business continuity coordinator explains to all responsible persons the purpose of BIA, and through several real-life examples, shows how to perform the analysis.

Of course, conducting interviews will probably yield better results; however, this option is much more time consuming for the Business continuity coordinator.

Inputs

The main input for the business impact analysis process is the BIA Methodology, and you also need a list of your business continuity activities (i.e. processes or departments).

All the information must be given by, and assessments made by, the responsible persons from each activity. While doing that, they must use the worst-case scenario criteria: what would have happened in a huge storm, not some average storm; a breakdown of your whole IT infrastructure, not just some insignificant server; loss of data from your main server, not from one laptop only; your CEO and main system administrator are missing, not only some lower-level employees; and all of this happens when you have a short deadline to deliver an important product to your most important customer.

If your respondents tell you “This is never going to happen to us!” – just tell them to read a couple of news stories from the crime section. Besides, business continuity is here to prepare you for bad times, not for good times.

Here are a few tips for collecting the required information from the responsible persons from each activity:

Decisions

As already mentioned, all the assessments must be done by the responsible persons from each activity – this is because they know their activities the best, so doing the assessment is not the job of the Business continuity coordinator. However, the Business continuity coordinator is crucial for coordinating the whole effort, and for making sure that the criteria for assessing the impact are the same. For example, responsible persons from activities tend to overestimate the importance and the impact of their activities – so you might get an assessment, say from your accounting department, that if their activity is disrupted for two hours it would have a catastrophic impact (4). To counteract such an unreasonable assessment you should ask them the following question: “Do you really think that the company will go bankrupt if your department doesn’t work for two hours?” – after such a question, the assessment usually becomes reasonable.

Where the Business continuity coordinator must be actively involved is in making the decision about MAO and RPO – usually, he makes these decisions together with the responsible persons from activities, based on the results from BIA Questionnaires.

Here is an example of how the responses related to Maximum Acceptable Outage in the BIA Questionnaire for a particular activity might look:

Example_BIA_1

Figure 1: Example of BIA Questionnaire – determining the Maximum Acceptable Outage

The decision about MAO is basically made visually – by looking at this example (and assuming this is a small company with annual revenue of 1 million U.S. dollars and a profit of 150,000 U.S. dollars), higher impacts begin with 8 hours (question #1), whereas it is obvious that multiple high impacts will begin at 24 hours. Therefore, as the first step, some consideration should be given if clients’ reactions might be tolerated for a disruption longer than 8 hours (question #1) – if so, in the second step, MAO for this activity will be set somewhere between 8 hours and 24 hours. To determine the Recovery Time Objective (RTO) for this activity, the dependencies on other activities will have to be examined, and then the final decision on RTOs of each activity can be made.

And here’s an example of how the responses to the BIA Questionnaire might look for Maximum Data Loss/RPO:

Example_BIA_21

Figure 2: Example of BIA Questionnaire – determining the Maximum Data Loss/RPO

The decision about Maximum Data Loss/RPO is also made visually – in this example, RPO for Software #1 should be 24 hours, for Software #2 it is 8 hours, for Database XYZ it’s less than 1 hour (probably zero), and for Paper-based document ZXY, about 1 week.

What does this mean in practice? This means that backup for Software #1 should be done at least every 24 hours, because you can afford to lose a maximum of 24 hours of data. For Software #2, the backup should be made at least every 8 hours, Database XYZ should be probably backed up in real time (e.g. synchronous or asynchronous replication – this is typical for transactional databases in banks), and Paper-based document ZXY should be copied or scanned at least within a week of its creation. All these conclusions should be documented in the Business continuity strategy or related Backup policy.

Documentation

Similar to risk assessment, if the organization doesn’t use the tool, then the results are usually collected through Excel questionnaires – in this case, the Business continuity coordinator collects all these questionnaires; if the tool is used, then these are collected automatically.

No matter if the tool is used or not, the information that is collected during the BIA process must include all the elements mentioned in BIA Methodology.

If yours is a larger company, you should probably compile all these results in a Business impact analysis report; however, smaller companies will be just fine with summarizing all the results in the Business continuity strategy.