Should the business strategy be considered when developing the BIA?
The business impact analysis (BIA) process seeks, in simple terms, to determine what needs to be recovered and the time it will take to recover the activity, considered critical, of the business
Therefore it is like taking a snapshot of the processes and performing the respective impact analysis.
Once obtained, the primary basis for the construction of recovery plans is available.
However, it is important to know if, during the business impact analysis, important aspects such as the business strategy should be considered or not.
Let’s look at a hypothetical situation about an organization:
A financial institution has stipulated in its strategy to increase its credit card customers by three years by 25%.
In that same period, increase the use of online banking by 15% and increase its presence with customer service offices by 5 out of a total of 70.
This plan already has one year since its declaration in the strategy and is being executed on time.
The BIA is being developed at this time. Should that information be considered?
We would do it.
Although it is very likely that they meet many specialists who will say that it is not necessary.
They are based on the principle of criticality of processes focused on downtime.
They are right and to exemplify it better we will borrow the expression of a great friend in charge of an emergency unit:
“The first thing that is treated in a critical situation of life or death is” brain, heart and lung. “
But let’s review this aspect:
What is the purpose of determining this “downtime”?
In practice, it is to obtain the impact of not serving the public, identifying financial losses.
As well as the income not received, fines for non-compliance, among other consequences.
These impacts are related to business processes and are prioritized to develop the respective countermeasures that will become the recovery plans.
These plans are nothing more than specific procedures to maintain the basic operation of the organization.
They focus on their criticality of impact.
They are based on all the organization’s processes being evaluated and classified by virtue of their priority of recovery and dependence, including technological ones.
Here is why we would take the strategy into account and you might think that we are deviating from the standards.
However, the argument is “dependence.”
If we are developing a BIA at this time for a recovery plan or update it, it will be adequate depending on the downtime on the critical processes that are determined.
Now suppose that from today there is no interruption event, but within 18 months.
The strategy of the organization has been materializing and the plan has not been updated.
Could the recovery plan be able to mitigate the impact having missed the strategy?
It may work, with some difficulties and losing a lot of initial effectiveness.
Why does this happen?
Sometimes the growth of the organization based on its business may not change the process at all and appear to be sufficient to keep the recovery plan as it is.
However, in our hypothetical model the operating volumes, the number of people in the units, values of the consolidated transactions, points of attention among other elements have changed.
It is quite possible that the technological infrastructure had to be expanded to support the strategic plan, as well as other technological support processes that could have been outsourced.
Therefore, in our method the strategy is observed.
The numbers are used to project the dimension for when the business plan is materialized.
It is undoubtedly more work, because scenarios should be made in which it is considered that the business strategy materialized or not.
But it is still an additional scenario to those considered by best practices.
Many specialists may argue that this step is not necessary, if the plan has a frequent maintenance process, tests are performed and all recommendations are applied to keep contingency plans up to date.
However, we do this because the reality is that, based on experience, the plans lose validity very quickly and the business need prevails over compliance.
At the point where the maturity of the continuity management process within the organization reaches a manageable level, the same maintenance framework should gradually capture these changes and consider them for the necessary adjustments.
Likewise, to maintain its development plan with the responsibility of the Board of Directors, who must show that the continuity of the business and operations supports the continuity and survival of the strategic objectives of the Organization, approving changes in scope that merits its application within the organization.