Redefining the BIA – Usefulness and Uses

If we agree on the basic premise that Business Continuity can be defined as sustaining what is critical to the enterprise’s survivability during periods of discontinuity; then we must recognize that the activity known as the Business Impact Assessment (Analysis) or BIA needs to be redefined.  The BIA, as currently practiced does not necessarily achieve the following:

• Define what is critical to the organization;
• Develop strategies to recover/sustain during times of discontinuity.

I posit a two phase BIA framework consisting of a pre-event general analysis and a post-event identification and assessment of business impacts and potential consequences for the enterprise.

Events are nonlinear and therefore carry uncertain outcomes.  As a result, traditional pre-event BIAs are of little value when conducted using concepts such as mission critical, recovery time objectives, recovery point objectives, etc.  Events evolve; the elements of randomness and nonlinearity create opaqueness (opacity: the quality of being difficult to understand or explain) that a traditional BIA underestimates.

Pre-Event General Analysis: Points and Questions

1. Customers – Sustainability within current markets, capacity to overcome disruptions and continually transform to meet the changing needs and expectations of customers, shareholders and stakeholders.

2. Current Competitors – Define immediate market areas and determine strength of competition to influence market share, human capital, customer base.

3. Providers – Sustainability, strength in markets served, loyalty, capacity to manage surge.

4. Suppliers – Ability to influence capabilities to provide product/services, readily available alternatives.

5. Stakeholders – Capability to meet expectations.

6. Government/Geo-Political – Regulatory agencies and compliance scrutiny, potential actions – direct impact, potential actions – indirect impact.

7. Substitutes – Readily available alternatives, differentiating qualities.

8. New Entrants – Barriers to entry, financial challenges, customer loyalty, customer tolerance level.

9. Economic – Changing market demands for services/products (internal/external).

10. Social – Human capital, skills, perception/image, moral, ethical impacts.

11. Technology – Infrastructure (internal/external) ability to handle surges, vulnerabilities, cascade effects of failure.

12. Financial Capacity – Ability to draw on reserves to offset cash flow disruption.

Post-Event Impact and Consequence Analysis: Points and Questions

The second phase BIA focuses on the evolving situation (nonlinearity, uncertain outcomes, etc.) – identification and assessment of business impacts and potential consequences for the enterprise as they are unfolding.  We rarely make a credible attempt to identify post-incident impacts and consequences in any significant detail.  So, re-entry, recovery, restoration and resumption of operations are step-children that are skimmed over in the traditional BIA process.

Below are key analysis areas for an “Active Analysis” framework, as follows:

• Human Capital – consisting of management, employees, stakeholders, suppliers, providers, partners, contract/vendor entities, etc.

• Clients – consisting of current, new and former customers.

• Systems – consisting of internal operating systems and critical external infrastructures.

• Suppliers – consisting of providers of essential business logistics/services, etc.

• Utilities – consisting of electric, gas, water and telephone service providers.

• Telecommunications – consisting of internal telecommunications systems linked to external telecommunications providers.

• Energy Supply – consisting of energy delivery systems and energy support systems.

• Government Services – consisting of emergency management, police, fire, emergency medical, Federal, State and local government bodies and political support systems.

• Transportation – consisting of air, land and water transportation system and support systems.

• Financial Services – consisting of financial markets, investments, statutory deposit requirements and cash flow systems.

Each of these elements would be constantly assessed as part of an “Active Analysis” post-event BIA framework to determine the potential impact of loss or degradation to the enterprise and its networks.  The above is an example and is not meant to be exhaustive.  In the post-event environment you will have to be creative and you will have to be responsive.

Conclusion

When it comes to building your BIA program, focusing on survivability is the right approach, provided you have thoroughly done your homework and understand what survivability means to the organization.  Post-event opacity will produce numerous situations that challenge survivability.  Looking in the rearview mirror of the traditional BIA can result in confusion, chaos and unintended consequences.

About the Author

Geary Sikich – Entrepreneur, consultant, author and business lecturer

Contact Information: E-mail: G.Sikich@att.net or gsikich@logicalmanagement.com.  Telephone: 1- 219-922-7718.

Geary Sikich is a seasoned risk management professional who advises private and public sector executives to develop risk buffering strategies to protect their asset base.  With a M.Ed. in Counseling and Guidance, Geary’s focus is human capital: what people think, who they are, what they need and how they communicate. With over 25 years in management consulting as a trusted advisor, crisis manager, senior executive and educator, Geary brings unprecedented value to clients worldwide.

Geary is well-versed in contingency planning, risk management, human resource development, “war gaming,” as well as competitive intelligence, issues analysis, global strategy and identification of transparent vulnerabilities.  Geary began his career as an officer in the U.S. Army after completing his BS in Criminology.  As a thought leader, Geary leverages his skills in client attraction and the tools of LinkedIn, social media and publishing to help executives in decision analysis, strategy development and risk buffering.  A well-known author, his books and articles are readily available on Amazon, Barnes & Noble and the Internet.

REFERENCES

Apgar, David, Risk Intelligence – Learning to Manage What We Don’t Know, Harvard Business School Press, 2006.

Davis, Stanley M., Christopher Meyer, Blur: The Speed of Change in the Connected Economy, (1998).

Jones, Milo and Silberzahn, Philippe, Constructing Cassandra: Reframing Intelligence Failure at the CIA, 1947–2001, Stanford Security Studies (August 21, 2013) ISBN-10: 0804785805, ISBN-13: 978-0804785808

Kami, Michael J., “Trigger Points: how to make decisions three times faster,” 1988, McGraw-Hill, ISBN 0-07-033219-3

Klein, Gary, “Sources of Power: How People Make Decisions,” 1998, MIT Press, ISBN 13 978-0-262-11227-7

Sikich, Geary W., Graceful Degradation and Agile Restoration Synopsis, Disaster Resource Guide, 2002

Sikich, Geary W., “Integrated Business Continuity: Maintaining Resilience in Times of Uncertainty,” PennWell Publishing, 2003

Sikich, Geary W., “Risk and Compliance: Are you driving the car while looking in the rearview mirror?” 2013

Sikich, Geary W., “Risk and the Limitations of Knowledge” 2014

Tainter, Joseph, “The Collapse of Complex Societies,” Cambridge University Press (March 30, 1990), ISBN-10: 052138673X, ISBN-13: 978-0521386739

Taleb, Nicholas Nassim, “The Black Swan: The Impact of the Highly Improbable,” 2007, Random House – ISBN 978-1-4000-6351-2, 2nd Edition 2010, Random House – ISBN 978-0-8129-7381-5

Taleb, Nicholas Nassim, Fooled by Randomness: The Hidden Role of Chance in Life and in the Markets, 2005, Updated edition (October 14, 2008) Random House – ISBN-13: 978-1400067930

Taleb, N.N., “Common Errors in Interpreting the Ideas of The Black Swan and Associated Papers;” NYU Poly Institute October 18, 2009

Taleb, Nicholas Nassim, “Antifragile: Things that gain from disorder,” 2012, Random House – ISBN 978-1-4000-6782-4