Friday, August 8, 2008

Understanding the Organisation

Arguably the most important step in a Business Continuity Management programme is to understand the organisation, its products, services, resources, facilities, suppliers, customers, other stakeholders and their interdependencies.

In order to protect key products and services it is vital that the organisation identifies its critical activities and the resources needed to produce those products and services. By understanding the organisation, the business continuity management programme can be closely aligned to the business continuity strategy and ultimately to the overall goals of the organisation.

These steps can be summarised as:

01 Business Impact Analysis; what would happen if?

02 Identification of Critical Activities and Resources; what is important?

03 Continuity Requirements; what will we need to carry on?

04 Risk Assessment; look at the threats and likelihoods

05 Risk Treatment; choose what to do about the risks

01 Business Impact Analysis

Much has been written about business impact analysis and it is sometimes over-complicated, but essentially a BIA determines the impact of disruption to the activities that support the organisation's output, its products or services.

The impact may be different over time, so the BIA should be able to show a time element, and there may be different categories of impact.

The BIA should be carried out by personnel familiar with the process being assessed, usually with assistance from business continuity or risk management staff, so that the method is suitable and applicable to the organisation and the information the BIA contains is correct.

The maximum tolerable period of disruption for each activity should be defined so that critical functions may be identified.

Spreadsheets and scoring matrices can be useful in helping to organise and collate the results, as can the many BIA management software applications currently available if the organisation is large, complex or dispersed, but a simple Word document may also be sufficient.


There are no fixed methods of carrying out a BIA; each organisation must find a method that suits it best but the standard contains broad principles. There is no 'magic method' that will provide all the answers.

The key factors in achieving an effective Business Impact Analysis are:

  • Identify what you want out of it
  • Identify activity experts (i.e. don't ask the facility manager about accounting software)
  • Develop a plan for gathering the data
  • Summarise the findings
  • Validate
  • Present

Organisations can sometimes fall into the traps of over-complication, trying to reduce the BIA to an exact statistical exercise and worrying about getting it 100% right the first time around. As we have seen in the previous section, BCM is an iterative management process which can and should be revisited often. The BIA may therefore be in summary format in the first pass.

It is much more valuable for a BIA to show only the largest impacts yet be available within a reasonable time than to cover every eventuality but not be available to senior managers for a year. Don't laugh; this is a very easy and common mistake to make.

One of the most effective BIAs I have seen is one that was done in an afternoon with all company directors present. Why was it so effective?

It focussed on the most immediate and likely impacts and was turned into a plan of action the next morning.

Of course it was light on detail and missed a lot of minor systems, some with a greater impact than imagined. The organisation recognised that its initial BIA was flawed and implemented a back-filling exercise to catch the errors and omissions whilst mitigating the impacts of those it had found in its first pass.

Perfect is the enemy of good enough

An example of a BIA is shown below.

[Image: BS25999.COM Sample BIA]
The definition of LOW, MEDIUM or HIGH impacts should be done before the BIA process commences; they might be split as shown above or combined. Again, the exact nature of the BIA should be determined by the organisation.

An excellent way to gather information to support the BIA is via a simple interview process. Sending blank spreadsheets out and asking people to fill them in, a more common activity than one might imagine, is doomed to failure, with poor quality information resulting in incorrect assumptions and flawed plans. Speak to people; this is the single most effective way of creating a BIA.

A valuable time saving can also be made if, during the BIA interview, interviewees are asked how long they could make do without a given resource, for example email or the building, before its loss became critical.

02 Identification of Critical Activities

What is a priority for recovery?

The identification of critical activities should be obtained from the BIA.


These activities can then be prioritised for recovery and resources allocated according to this priority. The maximum disruption that can be tolerated will feed into the recovery time objective when determining BCM strategies.
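The two steps above (a time-phased BIA with LOW/MEDIUM/HIGH ratings, then deriving the critical activities, their maximum tolerable period of disruption and a recovery priority from it) can be shown as a small worked model. This is an added example, not code from the page or from BS 25999: the activities, the time horizons (4, 24, 72 and 168 hours), the rule that an activity is critical once any impact category reaches HIGH, and the rule that the proposed recovery time objective is half the tolerable period are all constructed assumptions that an organisation would replace with its own definitions.

```python
"""Worked BIA model: time-phased impact ratings -> critical activities -> recovery priority.

Added example; the data, horizons and thresholds below are constructed assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass

# Impact categories, defined before the BIA starts (the page's LOW / MEDIUM / HIGH).
LOW, MEDIUM, HIGH = 1, 2, 3

# Time horizons (hours of disruption) at which each impact is rated. Assumed values.
HORIZONS = (4, 24, 72, 168)


@dataclass(frozen=True)
class Activity:
    name: str
    # Impact category -> rating at each horizon, e.g. "financial": (LOW, MEDIUM, HIGH, HIGH).
    impacts: dict[str, tuple[int, ...]]
    # Resources the activity depends on (feeds the continuity requirements step).
    resources: tuple[str, ...] = ()


def worst_impact_over_time(activity: Activity) -> tuple[int, ...]:
    """Combine the impact categories: at each horizon take the highest rating."""
    return tuple(
        max(ratings[i] for ratings in activity.impacts.values())
        for i in range(len(HORIZONS))
    )


def mtpd_hours(activity: Activity, threshold: int = HIGH) -> int | None:
    """Maximum tolerable period of disruption: the first horizon at which the
    combined impact reaches the threshold. None means the activity never reaches it."""
    for hours, level in zip(HORIZONS, worst_impact_over_time(activity)):
        if level >= threshold:
            return hours
    return None


def critical_activities(activities: list[Activity]) -> list[Activity]:
    """An activity is critical if its impact reaches HIGH within the assessed horizons."""
    return [a for a in activities if mtpd_hours(a) is not None]


def recovery_priority(activities: list[Activity]) -> list[Activity]:
    """Critical activities ordered for recovery: shortest tolerable disruption first."""
    return sorted(critical_activities(activities), key=lambda a: (mtpd_hours(a), a.name))


def proposed_rto_hours(activity: Activity, safety_factor: float = 0.5) -> float | None:
    """Recovery time objective must sit inside the tolerable period; here half of it (assumed rule)."""
    mtpd = mtpd_hours(activity)
    return None if mtpd is None else mtpd * safety_factor


def continuity_requirements(activities: list[Activity]) -> dict[str, float]:
    """Resources needed by critical activities, each tagged with the tightest RTO that needs it."""
    required: dict[str, float] = {}
    for activity in recovery_priority(activities):
        rto = proposed_rto_hours(activity)
        for resource in activity.resources:
            if resource not in required or rto < required[resource]:
                required[resource] = rto
    return required


# Constructed sample BIA output for four activities of a fictitious company.
SAMPLE_ACTIVITIES = [
    Activity("Order processing",
             {"financial": (LOW, MEDIUM, HIGH, HIGH), "reputational": (LOW, MEDIUM, MEDIUM, HIGH)},
             ("email", "ERP", "warehouse")),
    Activity("Payroll",
             {"financial": (LOW, LOW, MEDIUM, HIGH), "regulatory": (LOW, LOW, LOW, HIGH)},
             ("HR system", "bank portal")),
    Activity("Internal newsletter",
             {"reputational": (LOW, LOW, LOW, MEDIUM)},
             ("email",)),
    Activity("Customer support",
             {"financial": (LOW, MEDIUM, MEDIUM, HIGH), "reputational": (MEDIUM, HIGH, HIGH, HIGH)},
             ("email", "telephony", "building")),
]

if __name__ == "__main__":
    for a in recovery_priority(SAMPLE_ACTIVITIES):
        print(f"{a.name:<20} MTPD {mtpd_hours(a):>4}h  proposed RTO {proposed_rto_hours(a):>5}h")
    for resource, rto in sorted(continuity_requirements(SAMPLE_ACTIVITIES).items(), key=lambda kv: kv[1]):
        print(f"  needs {resource:<12} within {rto}h")
```

The model keeps the page's point that impact is time-dependent: "Internal newsletter" never reaches HIGH and so drops out of the recovery list, while "Customer support" is first because its reputational impact reaches HIGH within a day. The resource list then gives the tightest deadline each shared resource (email, for instance) must meet, which is the input to the continuity requirements and strategy steps that follow.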

03 Continuity Requirements

We have determined critical activities and the impact of disruption on them from the above processes.

The continuity requirements to support each activity can then be determined. These may include:

  • Staff
  • Facilities and premises
  • Supporting technology
  • Information
  • External services
  • Suppliers
  • Raw materials or assemblies

For example:

[Image: BS25999.COM Recovery Requirements Diagram]

04 Risk Assessment

The risk to the organisation's critical activities should be clearly understood.

For each resource supporting these critical activities a risk assessment should be undertaken to determine the threats, vulnerabilities and impacts.

There are many techniques for carrying out risk assessments and the method chosen should be suitable for the organisation, wherever possible aligning with other risk assessment methods in use, for example in an Information Security Management System.

Sample Risk Assessment

[Image: BS25999.COM Sample Risk Assessment]

05 Risk Treatment

Once the risks have been determined, an organisation has a number of options for what to do about them.

There are 4 options:

  • Use business continuity to reduce the risk
  • Accept the risk, it might be low enough to tolerate or there may be nothing that can be done with a reasonable degree of resource allocation or effort
  • Transfer the risk to another party, for example through insurance
  • Change or stop the activity under question, permanently or temporarily

Document Author: Harvey Fawcett
