Analysis - About
Analysis is the Professional Practice within the business continuity management lifecycle that reviews and assesses an organisation to identify its objectives, how it functions and the constraints of its operating environment.
The main technique used for the analysis of an organisation for business continuity purposes is the Business Impact Analysis (BIA).
The business continuity professional uses the BIA to determine the organisation’s business continuity requirements.
BIA - Concepts & Assumptions
The BIA is not a one-time or single stage activity. Initially, it can help clarify the scope of the business continuity programme, after which it becomes an integral part of the ongoing lifecycle to confirm business continuity requirements, leading to the determination and selection of business continuity solutions.
The BIA can be used to ask top management questions which relate to the organisation’s objectives and priorities, relating to products and services.
The BIA considers both the products and services that an organisation delivers as well as the processes, activities and dependencies that ensure the delivery of these products and services.
BIA - Process
The BIA process can be summarised as follows:
- Prioritise the organisation’s products and services by determining the MTPD for each.
- Prioritise the process or processes required to deliver the organisation’s most urgent products and services, including identification of the activities that make up those processes, if required.
- Prioritise the activities that deliver the most urgent products and services, and determine the resources required for the continuity of these activities following an incident, as well as their interdependencies.
- Perform a final analysis or consolidation of analyses which should lead to the determination of business continuity requirements.
- Seek top management approval of BIA results.
When conducting a BIA, the following points should be considered:
- The scope of the business continuity programme can be clarified, or may need to be modified following the Initial BIA findings.
- Determining impacts over time should demonstrate to top management how quickly the organisation needs to respond to a disruption.
- A consistent approach to performing the BIA should be used throughout the organisation.
- The method used should be robust enough to ensure that the information is collected consistently and impartially. This ensures that individuals do not over or underestimate the urgency of their activities.
- Only relevant information to be used in the analysis should be collected.
- Impacts do not need to be precisely determined and can be estimated.
BIA - Outcomes
The overall outcome of performing the BIAs at each level is to determine the business continuity requirements, enabling the organisation to build capability to deliver its products and services at acceptable pre-defined levels following a disruption.
Initial BIA - About
An Initial BIA defines the organisation in terms of products and services, and processes.
It is a high-level analysis that can be used to develop a framework for the more detailed BIAs and clarify the scope of the business continuity programme.
It is usually required the first time an organisation conducts a BIA.
However, it can be useful to repeat the Initial BIA following a substantial change in the organisation or if several years have passed since the last BIA.
Initial BIA - Process
The process for developing an Initial BIA should include:
- Deciding the terms of reference and draft scope of the Initial BIA.
- Identifying products and services which can be grouped to simplify the information collection and analysis.
- Agreeing the impacts to be considered, for example, financial and reputational.
- Agreeing and documenting the impacts over time relating to delivery failure of products and services.
- Estimating the MTPD for each Product & Service.
- Identifying the processes that deliver the products or services. This should consider organisation-wide and departmental processes.
- Identifying owners for each process, for example, subject matter experts to provide information about the processes.
- Identifying how and when a disruption to the process could result in damage to the delivery of products and services.
- Presenting the findings to top management for review and approval.
Initial BIA - Outcomes
The outcomes of an Initial BIA are:
- A list of the organisation’s products and services (grouped together where appropriate).
- The impacts over time relating to the delivery failure of products and services.
- Estimated MTPDs for products and services.
- A list of processes and owners that contribute to the delivery of the products and services.
- A breakdown of internal and external activity dependencies.
- A list of products, services, processes, and activities that have been excluded, along with the justification for the exclusion.
Product & Service BIA - About
In a Product & Service BIA, the organisation identifies and prioritises its products and services.
It may also be used to review and clarify the scope of the business continuity programme in terms of products and services.
A Product & Service BIA can be used to determine the impact of a disruption before implementing a significant organisational change.
The following are examples of significant organisational changes:
- Introduction of a new product or service.
- Retirement of an existing product or service.
- Relocation or a change in the geographical positioning of the business.
- Significant change in business operations, structure, or personnel levels.
- A significant new supplier or outsourcing contract.
Using the Product & Service BIA should enable the organisation to take advantage of any changes to improve its business continuity capability and build organisational resilience.
Product & Service BIA - Process
The Product & Service BIA process should include:
- Reassessing the scope of the business continuity programme, including:
> reviewing any exclusions, and
> considering the inclusion of new products or services. - Collecting the information necessary to perform the Product & Service BIA.
- Understanding the potential impact of significant developments within the organisation or the operating environment.
- Assigning products and services to groups for analysis purposes.
- Reviewing impacts as well as the criteria to determine the MBCO.
- Documenting the impacts of a product or service group delivery failure.
- Estimating the MTPD for each product or service group.
- Obtaining top management sign off of the Product & Service BIA results.
- Proceeding to the Process BIA.
Product & Service BIA - Outcomes
The outcomes of a Product & Service BIA are:
- Clarification or modification of the scope of the business continuity programme.
- A list of the organisation’s prioritised products and services.
- Evaluation of impacts over time.
Process BIA - About
A Process BIA determines the process or processes required for the delivery of the organisation’s products and services and assesses the impact of a process disruption on the delivery of these products and services.
The scope of the Process BIA may be linked to the Product & Service BIA scope, which examines the impacts of disruption to one or more Product & Service groups.
Process BIA - Process
The Process BIA should include the following steps:
- Determine the scope of the Process BIA.
- Identify process owners.
- Identify the dependencies for the processes that deliver the prioritised products and services (which may be done across several departments and should consider organisation-wide and departmental dependencies).
- Identify suitable personnel, for example, subject matter experts, to provide process-level information.
- Collect the information necessary to perform the Process BIA.
- Identify how disruption to the process could result in disruption to the delivery of the products and services.
- Define the time frame within which the disruption to each process would become unacceptable and cause failure to deliver products and services.
- Define any impacts not considered by top management, such as backlogs and capacity issues.
- Consider the duration or lead time of the process.
- Obtain confirmation from the process owner concerning the accuracy of the information in the Process BIA.
- Obtain support from top management for the conclusions of the Process BIA.
- Publish the results of the Process BIA.
Process BIA - Outcomes
The outcomes of the Process BIA are:
- A list of processes that contribute to the delivery of the organisation’s prioritised products and services within the scope of the business continuity programme.
- Identification of the interdependencies of the processes.
- The MTPD, RTO, and RPO (where appropriate) for each process.
- Identification of any processes that have been outsourced by the organisation and therefore present an increased risk.
- SLAs and more frequent reviews should be considered for these processes.
Activity BIA - About
The Activity BIA identifies and prioritises the activities that contribute to the identified process or processes that directly deliver the products and services.
The Activity BIA is where the organisation collects detailed information about the resources required to continue activities which support the organisation’s strategic objectives.
Dependencies on external suppliers and outsourced service providers can be determined at this level when defining resource requirements.
It is usually appropriate to identify the common dependencies, for example, utilities (power, water, telecoms etc.) at the activity-level as they affect most processes.
The following information should be collected during the Activity BIA:
- The processes that the activity supports (where appropriate).
- The operational methods for the activity.
- The duration or lead-time of the activity.
- Fluctuations in demand or peak operating times.
Factors not already discovered that may affect the determination of business continuity requirements, for example, backlogs, or legal and regulatory requirements of this activity.
Detailed information regarding the resources required to continue activities fall into the following categories:
“People. Information and data. Buildings, work environment and associated utilities. Facilities, equipment, and consumables. ICT systems. Transportation. Finance. Partners and suppliers”.
Activity BIA - Process
The Activity BIA process should involve the following:
- Identify and prioritise the activities which contribute to the process or processes that deliver the prioritised products and services.
- Collect the information necessary to perform the activity BIA, including:
> An understanding of activity details and interdependency information.
> An understanding of activity-specific RTOs.
> A breakdown of the resources required to maintain the activities at an agreed level and within the MTPD and RTO. - Consider any additional activities that may be created during a disruption, including the need to clear backlogs.
- Obtain approval by the activity owner to confirm the accuracy of the information.
- Obtain the support of top management for the conclusions.
Activity BIA - Outcomes
The outcomes of an Activity BIA are:
- A list of activities that contribute towards the processes needed to deliver products and services.
- The MTPD and RTO and the justification for each activity, which should determine the time frame of the solutions for each activity.
- A breakdown of activity dependencies, both internal and external.
- An understanding of the resources required to provide the agreed service levels.
- The RPO for data and hard copy records.
- Documentation of the internal and external interdependencies for the prioritised activities.
Risk & Threat Assessment - About
The BIA evaluates the impacts over time relating to the delivery failure of products and services following a disruption and determines the business continuity requirements.
The business continuity professional uses risk assessment techniques to identify unacceptable levels of risk and single points of failure.
Risk assessment information and methods to evaluate the threat of disruption enable effective business continuity solutions and mitigation measures to be designed.
Risk & Threat Assessment - General Principles
During the Analysis stage, the BIA is typically conducted first so that the risk and threat assessment and mitigation measures can focus on the organisation’s prioritised activities and supporting resources.
This can maximise the benefit of any investment, and reduce the frequency or impact of disruptions.
Risk & Threat Assessment - Process
The key steps when undertaking a risk and threat assessment as part of the business continuity programme are as follows:
- List the known and anticipated internal and external threats.
- Estimate the impact of each threat on the organisation.
- Determine the probability of disruption for each threat.
- Calculate a risk score of each threat by combining the scores for impact and probability.
- Prioritise the threats based on the risk score for the prioritised activities.
- Identify unacceptable areas of risk, which may include SPOFs.
- Share the outcomes with the relevant interested parties.
- Use the information resulting from the risk and threat assessment to identify options for mitigation measures in the Design stage of the business continuity management lifecycle.
Risk & Threat Assessment - Outcomes
The outcomes from the risk and threat assessment as part of the business continuity programme are:
- An awareness of the range of potential threats that could disrupt the organisation’s activities.
- A prioritised list of the threats based on the risk of disruption to the organisation’s activities.
- Identification of any unacceptable risks and SPOFs.
- Identification of potential options for measures to reduce the frequency or scale of impact of the prioritised threats.
Final Analysis
Following all BIAs, it is good practice to perform a final analysis to consolidate the information collected and finalise the business continuity requirements.
This final analysis should:
“…challenge and check the information to ensure that it is:
Correct, accurate and reliable. Credible, believable, and reasonable. Consistent, clear, and repeatable. Current, up-to-date, and available in a timely manner. Complete and comprehensive.”
This final analysis and consolidation activity should result in the following:
“Confirmation of impacts over time.
Review and confirmation of resource dependencies and requirements.
Consolidation of resource requirements, for example, across processes, organisational structures, or locations.
Review and confirmation of the interdependencies of processes and activities, and their relation to the delivery of products and services…”.
After consolidating the information, the business continuity professional should present the outcomes of the BIA to top management for review and approval.
This is typically done in a BIA summary report to highlight key findings and enable the business continuity solutions and mitigation measures to be designed.
The BIAs should be regularly reviewed at pre-agreed intervals or following significant change as defined within the business continuity policy.
