How to Perform a Business Impact Analysis
In business, nothing is certain. The mere act of starting a business already comes with inherent risks, the biggest being the possibility that it will fail to earn a respectable profit, much less break even, during its first years of operation. Along the way, many things could go wrong, regardless of whether the factors that led to it happening is within the management’s control or not.
It is not just the bottom line of the company, or its potential or status as a going (and growing) concern that is uncertain. Unexpected events and circumstances can spring on the organization in its day-to-day operations. For instance, businesses are also vulnerable to accidents in the workplace. Emergencies can come up and have repercussions on the operations of the business. Worse, when natural and man-made disasters take place, business operations are sure to be affected.
During times like these, adapting a helpless “there is nothing we can do” attitude is not going to help the business at all. Part of effective and efficient management is to ensure that there are safeguards and coping mechanisms in place, in the event that these events happen. Usually, this comes in the form of a continuance plan or a disaster recovery program, aimed at keeping the company afloat and operational in the interval between the aftermath of a disaster happening until such time that operations resume and go back to normal.
However, developing these measures cannot be done at random, with key members of the organization deciding what actions to perform on the fly, or what recovery processes to apply. That will definitely be extremely inefficient, not to mention stressful on the part of management, or the focal person of the recovery attempts. It is important for management to fully assess the potential losses or damages that the business may sustain in case something untoward happens and operations have to stop for a certain period of time.
The tool that will come in handy in this case is what is known as the Business Impact Analysis.
THE BUSINESS IMPACT ANALYSIS
Business Impact Analysis, or BIA, refers to the process of determining, assessing and evaluating the potential effects of an interruption or stoppage of critical operations, functions and processes of the business due to an accident, emergency, or disaster. It is a systematic method of predicting the possible and probable consequences of these disruptions, usually with a worst-case scenario perspective.
Incidentally, the United Kingdom set out specific guidelines for the conduct of BIA, and has specified that the BIA process also involves analysis of the business functions or processes that will be directly (and indirectly) impacted by a disruption.
The output of the BIA is the Business Impact Analysis Report, which provides a detailed description of the potential risks that the business will face when disaster strikes. Much of the report will be quantified, since this is the language that will make the most impression to management and the personnel involved in developing disaster recovery strategies. It will list all the vulnerabilities of the business operations, including all possible loss scenarios. The impact of the disruptions will also be contained in the report.
Large businesses with strong and solid disaster recovery planning programs integrate BIA into their programs, making it one of the vital stages. In fact, these disaster recovery programs will not be fully developed unless BIA has been conducted, since the output of BIA will figure greatly in the strategies and policies that will be contained in the disaster recovery program of the company.
Therefore, we can surmise that BIA has two components: the exploratory part and the planning part.
Assumptions in BIA
BIA operates under two assumptions:
- Every component of the organization is dependent on the continued operations or functioning of all the other components.
- Some components of the organization are more crucial than others, and are likely to require larger fund allocation if and when a possible loss scenario takes place.
For example, it is assumed that the operations of the production line of a firm will depend on the functions of Human Resources, in terms of hiring of workers. If HR is unable to carry out its recruitment process and personnel management, production will suffer. In the same way, if Finance is unable to process payment of salaries and purchase of materials for production, production is also likely to be interrupted.
However, when a disaster occurs and the components to bear the greatest brunt are the areas where the Finance department and the company cafeteria are located, fund allocation for the restoration and recovery of the two components will be different. Production will still continue even if the cafeteria is closed for a specific period, which cannot be said for the Finance department. Thus, the company will spend more for the recovery of the Finance department as compared to that of the company cafeteria.
Possible Loss Scenarios
What are the possible loss scenarios that businesses are faced with, and have the potential of disrupting or interrupting operations? Performing risk assessment will help a company identify its possible loss scenarios. Some of the most common ones that are found across businesses and industries are listed below.
- Accidents: All too often, businesses suffer from losses due to workplace accidents. For example, fire at the factory where the critical operations of the business are performed can cause closure. A burst pipe in the water supply may also incapacitate the work area for quite some time. The machines being used may malfunction and shut down, unable to work unless it undergoes major repair or is replaced with a new one.
- Emergencies: These are unexpected situations that pose considerable danger, thereby calling for immediate action. The immediate action, in this case, is often the stoppage of business operations. Political and civil unrest, for example, may involve riots on the streets and other similar acts of violence. Usually, these will drive businesses to close their doors and stop operating until things have settled down. Although these are not strictly dangerous or perilous, they also count as emergencies that will result to interruption of operations. Examples are:
- Failure of suppliers to deliver raw materials and other goods and services needed on time;
- Failure of suppliers to deliver raw materials and other goods and services needed altogether;
- Labor disputes within the company leading to workers refusing to continue working until their demands have been heard and met by management;
- Utility failures, such as water shortage and shortage of power supply;
- Cyber attacks, when the company’s information system is under threat by external forces; and
- Absenteeism of key employees may also give rise to emergencies.
- Disasters: These could be natural disasters (force majeure) or man-made disasters. Examples are earthquakes, strong typhoons/hurricanes, large-scale bush fires, massive power outages or shutdowns, and volcanic operations. These may result to physical damage to properties, specifically those that are used in the operations.
WHY YOU SHOULD CONDUCT BUSINESS IMPACT ANALYSIS
Fundamentally, BIA is considered to be at the heart of the company’s disaster recovery planning, since it used for planning purposes, particularly for the minimization of risks in case operational interruptions or disruptions resulting from disasters and similar incidents.
BIA aids response and decision-making in case of unforeseen events that result to operational disruptions.
In times of crisis, businesses cannot afford to be arbitrary and random in making decisions, particularly on their response to the impacts of the crisis to the operations of the business, and the organization as a whole. Having performed BIA will enable management to make more informed decisions and appropriate responses in the face of the disastrous impacts.
Management will certainly feel more confident in making decisions and judgments, since they have solid facts and figures backing them up, in the form of the findings obtained during the conduct of the BIA.
BIA aids in resource allocation during the period of non-operation.
One of the biggest issues that must be resolved in times of crisis is the spending of the company in response to the adverse impacts to its operations. BIA will enable the company to know its priorities: which operations are most vital, which departments will need the most resources during recovery, and which processes may be discontinued without significant impact to the other components of the business.
BIA provides a basis or a set of criteria to be used for testing the company’s recovery plans.
Aside from identifying and evaluating the possible loss scenarios and the qualitative and quantitative impacts to the company, BIA also serves as a useful tool in identifying the recovery requirements which, in turn, will be used in developing strategies for the recovery plan of the company. Paul Kirvan of the Business Continuity Institute said it best when he described BIA as the “starting point” for defining the recovery strategies of the organization when responding to disruptive events.
It is a fact that disruptions and interruptions in business operations has a direct impact on the company’s financial performance. But businesses know better than to assume that the company’s profits or bottom line is the only area where it will suffer. Aside from finances, failures and poor performance due to operational disruptions will also affect other areas such as business reputation, marketing and safety. Legal compliance may also be compromised.
BIA entails identification of both operational and financial impacts that the organization will suffer due to an interruption or disruption of its business processes and operations. Just by going over the following possible impacts, there is no question that BIA is of great importance.
- Lost income: Disruption of operations translates to lost sales which, in turn, result to lost income. For every day that the company is unable to open its doors and operate as in a normal business day, there is a corresponding amount of sales that is lost and income that is unrealized. The company may try to seek comfort in the excuse that they will still be able to generate those sales, but there will only be a slight delay. However, delayed income is still lost income.
- Higher costs: The company is likely to find its expenditures increasing. The disruption of operations will call for damage control, which may entail employees having to render overtime work in order to make up for the disruption. To further speed things up, the company may also resort to outsourcing and other means. Obviously, this means that the company will have to spend more: on overtime and differential pay, on the cost of outsourcing, and other incidental expenses.
- More spending on fines and penalties: Failures are also bound to affect the company’s compliance with legal and regulatory requirements. The disruptions can potentially lead to missed deadlines, which result to penalties, fines and surcharges. This adds up to the costs, increasing the related spending due to the disruption.
- Decline in business reputation: The reputation of the business will also suffer if disruptions are not dealt with swiftly and effectively. Businesses are expected to deliver their goods and services smoothly, and any interruption will have an adverse effect on the public perception of how your company does business.
- Loss of customers: A business that stops its operation, even for a short period, can expect to lose customers. Customer dissatisfaction will rise and your market share will drop. Naturally, customers will look elsewhere for the products or services that they used to get from the business, but which the latter cannot provide, albeit temporarily. A business cannot afford to lose even a day in operations, since it could mean the potential shift of customers to the competition.
5 PHASES OF THE BUSINESS IMPACT ANALYSIS PROCESS
There are no formal standards or fixed guidelines on how BIA is to be conducted. Organizations, depending on their size, nature, and their business environment, often tailor their BIA methodology to suit these variabilities. However, we can present this multi-phase process in general terms, or how most companies do it. There may be some tweaks here and there, but the essence remains the same.
Phase 1: Initiation of BIA
This is considered as the first step in BIA. Before starting BIA, there is a presumption that senior management gave the green light or agreed to the project.
This involves the following steps:
Step 1: Define objectives, goals, and scope of the BIA
There should be clarity when it comes to what the organization hopes to achieve by conducting BIA.
Step 2: Form the BIA project team
Management may choose to designate existing staff as members of the team to conduct BIA, provided that they are skilled and knowledgeable in conducting BIA. Another option chosen by organizations is outsourcing BIA to third parties, particularly those that specifically provide this type of service.
Phase 2: Acquisition of Information
The BIA project team can go about gathering information in various ways, and these may include conducting interviews and follow-up interviews, if necessary. Without a doubt, the most frequently used tool is the BIA Questionnaire, which is essentially a detailed survey, developed by the BIA project team, with targeted questions designed to obtain answers that may be used to assess the potential effect of a disruption or interruption.
The respondents, or the people to be interviewed or given the BIA Questionnaire to answer, include the company’s managers, team leaders, supervisors, and workers who are knowledgeable about the business processes. In some cases, business partners, or those who are not within the organization but are working with the organization in close proximity, enough to gain insight and knowledge about its operations, may also be considered as reliable sources of information.
The information to be gathered, which are usually incorporated in the BIA Questionnaire, include:
- The name of the process, and a detailed description with the following:
- The “functional parent”, or where the process is performed. This could mean the department or division where it belongs, and the actual location where it is performed.
- All the inputs into, and the outputs from, the process.
- Resources and tools needed in the performance of the process, which includes the human resources (the workers directly and indirectly involved), facilities (e.g. office, furniture), technologies (e.g. network, computers, software), and methodologies (e.g. techniques)
- The users of the process, or those that benefit from them. This will describe interdependencies across systems and processes.
- The timing and maximum allowable or tolerable duration of disruption before the impact is felt. The questionnaire may also ask for an expected or estimated time frame for recovery.
- The financial and operational impacts experienced during the disruption, with detailed descriptions of each impact. These include estimates and approximations, such as the estimated costs to be incurred and estimated losses during the interruption.
- Any regulatory, legal or compliance impacts that may arise during the disruption, with corresponding explanation and potential costs.
- Historical data regarding past disruptions experienced by the company, with complete descriptions, the associated impacts, and the responses.
The information collected will be subjected to review, which means the information must be documented in a coherent manner for easier accessibility by those who will perform evaluation. Usually, they are summarized in tables, schedules and diagrams. For example, most BIA teams present processes in workflow diagrams.
In many instances, the BIA team may start creating a draft of its BIA Report using the information gathered, and this will be used in the evaluation.
Phase 3: Analysis of Information
The collected information will be subjected to evaluation and review, and this can either be done manually or using a computer, whichever is easier, more practical, and more reliable.
The review is done in order to accomplish three objectives:
- To come up with a prioritized list of business functions or processes, with the most crucial ones on top of the list.
- To identify the human and technology resources required to maintain optimal level of operations.
- To establish the recovery time frame, or the length of time needed to recover the process or function and bring the business operations back to normal, or as close to it as possible.
In this phase, the project team will look deeper into the implications of the impacts, and this is made possible by the quantification performed during the information gathering phase.
Phase 4: Documentation of Findings
This is the part where the findings will be documented, and the Business Impact Analysis Report will be prepared.
Again, just as there are no standards for the conduct of the BIA, there are no fixed formats for the BIA Report. Generally, however, the BIA Report has the following parts or sections:
- Executive Summary
- Objectives and Scope of the BIA
- Methodologies used in the acquisition information, and its subsequent analysis or evaluation
- Summary of findings
- Detailed findings on the departments, units and other functional areas, highlighting the following:
- the most crucial processes or functions
- the impact of the disruptions to the various areas of the business
- the acceptable duration of disruption
- the tolerable levels of losses
- comparison between the potential financial costs and the estimated costs for recovery strategies that may be employed
- Supporting documents for the findings, such as tables, charts, schedules and diagrams, with brief narrative explanations highlighting the potential losses that the business may sustain
- Recommendations for recovery, such as policies and activities that have to be implemented in order to bring the business back to its normal operational state, and how they will be prioritized. Logically, the processes that will suffer the brunt of financial and operational impacts must be the first to be subjected to recovery strategies.
Phase 5: Presentation of BIA Report to Management
Decision-making is the responsibility of senior management. They are the ones who will have the final say, so they are the final recipients of the finalized BIA Report.
Senior management will rely on the contents of the BIA Report when developing strategies for the company’s disaster recovery program, and even in the formulation of a continuity plan for the business.
It is important to note that, since business operations tend to change or evolve, perhaps because of the introduction of new technologies, tools and processes, then the BIA Report will have to be updated as well. It is the responsibility of senior management to periodically review the BIA Report and update it when necessary.
In Palo Alto, we meet co-founder and CEO of Totango, Guy Nirpaz. He shares his story how he …