In the previous blog we established that BCMS is not a subset of ISO 31000. The entire thinking behind BCMS is this: in spite of every precaution we exercised, the catastrophe has taken place. Under these circumstances, how do we keep operating the business?
With this question, our focus immediately shifts from mitigating well-defined risks to analyzing other disruptive events. The question then becomes: what are the critical process failures within an organization which could cause disruption beyond the risks we have identified? If there is disruption, how does it impact the survival of the organization? This also leads to the question of how quickly we must return to normality. In more precise terms, what is our Recovery Time Objective (RTO)? This crucial step of Business Impact Analysis, defining an acceptable RTO, is central to BIA.
In the majority of cases, a disruptive event may be the result of factors which do not fall under traditional risk analysis. So the crucial insight gained from this exercise is this: to identify disruptive events, we must look ‘Beyond Risk’. Even after we have agreed to this approach, the next question is: in operational terms, how do we look ‘Beyond Risk’?
One technique is to put aside individual risks for the moment and identify crucial processes within the company which would have a profound impact if disrupted. In turn, an individual process will itself be impacted by several other factors, with the identification of a pool of risks being just one dimension. What are the other dimensions of a disruptive event? How do we measure, identify and manage them? That leads to the design of the first pillar of BCMS: Business Impact Analysis (BIA).
The essential role of BIA is to probe, collect and identify all factors likely to disrupt a critical process. Within this framework, the software should prompt and lead us to identify all key factors affecting a business process; that is the key to a sound Business Impact Analysis framework.
It follows that the BIA should also set the cost of not putting recovery measures in place (do nothing) against the cost of establishing appropriate measures for when an event occurs. This helps management decide where to plan and invest for assurance around the measures that bring the business back to normal.
To sum it up: our biggest challenge in designing BCMS software has been to create a comprehensive blueprint to carry out ‘Business Impact Analysis’. A successful BIA is inherently multi-faceted, touching several departments, impacting many related parties, and encompassing risks of varying intensity. Once this analysis is successfully carried out, half of the battle of implementing a sound BCMS is won. That should give us a brief reprieve, but let us not forget that BIA is just the starting point and the first pillar. There are many more avenues to be explored to implement a successful BCMS, which we will explore in the next blog.