
Business Impact Analysis Strategy
Executive Summary
When developing and managing an effective business continuity management system, the strength of its correct implementation is the business impact analysis strategy. In this stage of a business continuity management system, the Kayndrex Foundation is required to determine the vital activities, the maximum tolerable period of interruption, its recovery time objectives, and the minutest level at which each activity needs to be performed upon resumption. It is a good practice at this stage to also determine the recovery point objective.
Introduction
The business impact analysis ‘analyses the financial and operational effect of interruptive events on the business areas and processes of the Kayndrex Foundation’. It is very important to be conceptually clear about this statement. The financial effect refers to monetary effects while the operational effect represents non-monetary effects related to business operations.
It is also vital to comprehend that the findings of the business impact analysis ‘enable the Foundation to determine the extent of the overall effort to recover from potential business interruption and details the roadmap for improving the business continuity strategy and the event management plan’. The business impact analysis allows the Kayndrex Foundation to identify the vital processes of business and its continuity requirements, which become the main concerns for the improvement of the event management plan. One of the fundamental aspects when developing a business impact analysis is that it can help determine whether the existing business continuity strategy addresses the recovery requirements.
Methodological Steps for Developing a Sphere Effect Analysis
1) Define the values of the business impact analysis: the starting point prior to the development of the business impact analysis is the identification of the scope of the business continuity management plan within the Kayndrex Foundation. Strategically, top management should have identified the scope, considering the services of the Kayndrex Foundation. Several key criteria could be considered to decide the services of the Kayndrex Foundation that need to be protected to assure continuity, including a) industry influence, b) specific business sites, c) service profitability. Once the scope has been established, it is strategically recommended that its values are precisely defined in terms of the activity with which they initiate and the one with which they conclude.
2) Identify activities that support the scope: an activity is considered a process or set of processes embarked on by the Kayndrex Foundation (or on its behalf) that produces or supports one or more services. When the scope of the business continuity management plan is defined, the Kayndrex Foundation should identify all the activities involved in the scope that directly contribute to the generation of its services. A good tool that helps in this step is a flowchart.
3) Assess financial and operational effects: the third step is to assess the financial and operational impacts that would affect the Foundation in the event of an interruption of the activities identified in the preceding step. The financial impact assessment is performed before performing the operational effect assessment.
(3a) The financial impact assessment: this measures the extent and severity of the Foundation’s financial interruptions. The second part of the financial impact assessment ranks each effect in a severity level based on its monetary interruption value. The following scale is recommended:
- Severity level 0: No impact
- Severity level 1: Major impact
- Severity level 2: Intermediate level
- Severity level 3: Inessential impact
(3b) Operational impact assessment: the operational impact assessment measures the undesirable effect of an interruptive event on various aspects of business operations related to issues such as: stakeholder satisfaction, cash flow, profitability, and image. The operational impacts can be measured applying a quantitative ranking such as the one above.
4) Identify vital activities: this step identifies the activities that have to be performed so as to deliver the key services, which enables the Foundation to achieve its most important and time sensitive objectives.
5) Assess maximum tolerable period of interruptions and prioritise vital activities: ‘The maximum tolerable period of interruption is the duration after which the viability of the Foundation will be irrevocably uncertain if service delivery is discontinued’. The estimates of maximum tolerable period of interruptions can be based on either financial or operational impacts.
Typically, the analysis requires revising the financial and operational impacts of the interruption to estimate the maximum tolerable period of interruptions. Once the maximum tolerable period of interruption is calculated, a priority for their recovery should be established. A vital activity that has a briefer maximum tolerable period of interruption compared with another vital activity is assigned a higher recovery priority. Considering today’s connectivity and the dependency on information technology, the trend of maximum tolerable period of interruptions is to moderate in terms of duration and probably they will be near to zero in the near future.
6) Estimate the resources that each vital activity will require for resumption: in this step, the Kayndrex Foundation needs to estimate the resources required for resumption at the level of each vital activity. Previously, the Kayndrex Foundation should have identified the minutest level at which each vital activity needs to be performed upon resumption.
The sources that the Foundation can apply to determine the minutest levels of performance acceptable are the contractual agreements and service level agreements for the key services involved in the scope. The minutest resources needed for each activity can be classified as: (a) vital IT systems and applications, and (b) vital non-IT resources. This second category can be subdivided in: physical areas, human competences, equipment, and documents.
7) Determine recovery time objectives for vital activities: ‘The recovery time objective is the actual time set for resumption of service or activity delivery after an event’. The recovery time objective, which is the length of time between an interruptive event and the recovery of resources, indicates the time available to recover interrupted resources. The maximum tolerable period of interruption value expresses the maximum threshold for the recovery time objective value.
The exercise of business continuity management arrangements enables the Foundation to validate its recovery time objectives and, therefore, to take corrective actions to moderate them. Cross-functional teams involved with the vital activities have the responsibility to make the estimates of the recovery time objectives.
8) Identify all dependencies relevant to vital activities: in this step the Foundation has to ‘consider all dependencies relevant to the vital activities, including suppliers and subcontract partners’. The vital activities that have been considered typically have some vital inputs that are provided by some other business processes or by external suppliers or subcontract partners. The internal processes that supply important inputs to vital activities also have to be considered as vital activities. In the circumstance of external suppliers and subcontract partners, contractual agreements requiring them to have a business continuity management strategy set up and managed should be in place.
9) Determine recovery point objectives for vital activities: the recovery point objective is the amount of data misplaced because of a business interruption. The recovery point objective is the time that it will take to investigate, repair, and perform all the arrangements to be able to activate the recovery time objective. Recovery point objective is measured as the time between the last saved data and the interruptive event.
Information Gathering Methods
Obtaining the information needed for the business impact analysis from relevant areas of the Kayndrex Foundation can be a complex and ongoing process. A structured methodology strategy should be developed considering the magnitude of the business continuity management strategy scope. Three methods are recommended in the technical literature.
- Survey: the method applies a set of questions which are prepared in advance and are sent to each activity owner. The survey allows covering a vast number of respondents. However, this method has two main limitations:
  - (i) The accuracy of respondents becomes an issue in the event of inadequate internal consistency and reliability of the survey.
  - (ii) Survey responses could take more time than the time allowed for this purpose.
- Interview: in this method the business impact analysis information is collected by personally interviewing the activity owners. The questions can be tailored according to each particular activity concerned. Although this method is very accurate and curtails the possibility of misinterpreting the questions, it is more expensive than the survey approach and involves the additional effort of planning, scheduling, and conducting the interview.
- Training: this method, which applies group dynamic techniques, allows a group of people strategically chosen to operate together to provide the business impact analysis information needed. Because of group dynamics, a large amount of data is generated in a brief period of time with this method. This technique also allows the activity owners to have a systematic view of the business impact analysis process and to clarify any misconception regarding the business impact analysis process. In addition to this, an important side effect associated with this method is the collaboration spirit it supports to create among owners of vital activities.
The choice of the appropriate method for gathering business impact analysis information seems to be influenced by its price, efficiency, and by the quality of the information. Sometimes the best methodological strategy is to combine these three techniques.
Business Impact Analysis Project Management
The business impact analysis methodology is based on a responsible team approach. All the steps of the methodology are performed by a cross functional group integrated by the owners of vital activities. To put the methodology into action, someone at the tactical level having the appropriate support should be appointed as project manager. He/she becomes responsible for the business impact analysis resources that have been allocated to the business impact analysis project.
Moreover, someone at the strategic level, with appropriate seniority and authority among other responsibilities, should be responsible for supporting the business impact analysis process and ensuring that the business impact analysis methodology is implemented in the most effective and efficient manner. It is important to comprehend that a business impact analysis is developed within an organisational context.
Firms are power coalitions. It is highly probable that there will be organisational concerns that could prevent a business impact analysis project from accomplishing its goals.
If external consultants are involved, the project manager should ensure that the consultants operate diligently together with the vital activity owners.
Conclusions
The business impact analysis is the strength of a business continuity management strategy. If the business impact analysis is correctly designed and developed, the company will have accurate information to identify its unfavourable scenarios, create its business continuity strategies and be able to design an appropriate event management plan. The productivity information resulting from the business impact analysis has a very important effect on all the stages of a business continuity management strategy.
To conform to the business impact analysis requirements of the methodology presented in this strategy, the Kayndrex Foundation needs to apply a sequence of methodological steps. Furthermore, for the goal of this methodology to be accomplished considering price, time and performance, the business impact analysis has to be managed as a project. The business impact analysis methodology is based on a responsible team approach.
A person from the tactical level and having the managerial abilities and experience in project planning, programming, and monitoring should be assigned to perform the business impact analysis project so that it is managed in an effective and efficient manner.
The business impact analysis project also needs visible support from the organisational strategic level. Moreover, a very active role from the top management team is required to help significantly increase the organisational receptivity that could facilitate the performance of the business impact analysis project.