Business Impact Analysis: How Long Do You Have To Recover From A Disaster?
Robert Clark, business continuity consultant and BCI-approved trainer with more than 40 years of business continuity experience, and Danielle Ricci, Vice President of Marketing for AlertFind, recently discussed why organizations must create and regularly audit their business impact analysis if they want to avoid business disruption or even bankruptcy after a disaster.
Robert and Danielle offer expert advice on how business continuity, emergency preparedness and disaster response managers can ensure they’re protecting their organizations from disasters ranging from hurricanes and wildfires to insider threats and terrorism.
Join Robert Clark and Danielle Ricci as they continue this conversation and answer your questions live on January 31st.
Here are some highlights from their conversation:
Danielle Ricci: Could you start by explaining what a business impact analysis is and how it fits into the business continuity management process?
Robert Clark: First, the business continuity management life cycle is a holistic process that enables organizations to continue to operate or recover quickly from some form of serious disaster that's disrupted their operation. This could be caused by any one of a number of incidents such as natural disasters, IT failures, cyber attacks, head offices that have burned down, terrorism, pandemics, etc.
So business continuity management helps to provide the framework for building organizational resilience within the organization to provide the capability for an effective response that safeguards that organization's key stakeholders, its reputation and brand, plus its value-creating activities. In other words, the products and services that a company is in business to sell.
Business impact analysis is not just a vital part of the life cycle of business continuity management, it's the foundation. If you get this wrong, whatever follows in the business continuity program is also likely to be wrong. Now, business impact analysis provides us with a number of key deliverables. It identifies and prioritizes the organization’s critical products and services, as well as back-office processes which are often forgotten.
It enables organizations to calculate their maximum tolerable periods of disruption for each critical product and service. In other words, it's what I tend to call the drop-dead date. If they've not got a problem fixed by then, they could be facing bankruptcy.
Products and services also have a recovery time objective. That is the time that an organization would look to have them up and running. That might be partially, that might be completely, but it's the figure that we would work to. And that's not just IT, that's the entire business.
And here we have what's called the recovery point objective. That tells us how much data an organization can afford to lose, which might be absolutely nothing. On the other hand, they may say, "Well, we could live without a couple of hours' worth, or maybe two or three days, or perhaps even a week's worth of data." The recovery point objective tells us that, and it affects our data management within the business continuity and disaster recovery environment.
We also have the minimum business continuity objective. This could tell us that an organization could survive working at maybe 20% or 50% of its normal capacity for a period of time. Rather than recover everything at once, this means we could stagger it.
It’s also important to identify who the key employees are. They may be told to go back to work after two days, whereas other people are told to wait at home for a week. Each of the products and services would depend upon what I call the depending infrastructure. We're talking about buildings, employees, IT, data, your suppliers and so on.
And it could be something, along with one of these, that actually causes the failure in the first place. All this information provides us with our BIA, business impact analysis. And it helps us to establish the best way to tackle any problems within the organization that may occur. From there we create our business continuity plan.
Danielle Ricci: In your experience, what percentage of companies have actually completed a comprehensive BIA?
Robert Clark: It's difficult to put an accurate number on that. In my experience, the percentage who have completed BIAs tends to vary from one industry to another. If you take the financial sector, it's regulated and adopting business continuity is not an option. And because it's mandatory, companies know that they will be audited by their respective financial authorities, and that focuses their attention on business continuity.
So perhaps with the exception of a new company entering the sector, you would tend to find more mature companies with programs in place and the business impact analysis is treated as a key component.
In non-regulated industries, it's very inconsistent. Most of the organizations that ask for help from consultants like myself either haven't engaged in the business continuity process, or they're not necessarily confident in what they have put in place. There are others that ask consultants to review their plan as a sort of health check.
The review comes down to the question, "How long have you got after a disaster to recover before the survival of the business is placed in serious jeopardy?" If the answer is, "I don't know," especially if it comes from someone like the CEO, that's a pretty strong indication they are not performing a BIA.
Issues with the BIA can come from a variety of things. A lot of companies don't necessarily have the budget to engage a full-time business continuity professional or they just pick someone and make them the business continuity manager. That can be an issue in small or medium organizations.
I've come across a number of people that have been given the responsibility, but they know nothing about it. Many just start off by building a plan without giving any thought to business priorities and critical timescales that you would expect a BIA to establish.
Another issue can arise with an organization that believes business continuity is just an IT problem. Now, back in the 1960s and 1970s, this was the norm. And we had IT disaster recovery originate there, which in turn has evolved into business continuity as we know it today.
But in 2012, business continuity came of age. The international standard was launched. But organizations that still think it's an IT problem tend to give the responsibility to the IT manager.
Danielle Ricci: So when you start working with a company on a business impact analysis, who needs to be involved in the process?
Robert Clark: You need support from the business units. They are the people that should know their business. And let's assume that I'm the guy with some business continuity skills. It's really a case of getting a blend of the two. Between my knowledge and their knowledge, you are able to provide the information for a sensible set of parameters for the BIA.
It's not something you can just say to someone, "You're the new business continuity manager. Come back when you've finished a BIA, and you have full responsibility." It's got to be something that the business engages with, so that they feel they have ownership of the final outcome.
Danielle Ricci: When you're speaking to employees to gather information for the BIA, how do you get them to see the value of a business continuity plan?
Robert Clark: This doesn't just apply to business continuity. It's a problem I found that many organizations will have with people. They'll say, "I'm just too busy to engage." Frankly, the best way to remedy this is to make it one of their objectives. And if those objectives are financially linked, they tend to take them a little more seriously.
So it's a mindset problem. Now, if I have the opportunity, I try to speak to individuals, sometimes collectively, sometimes on a one-to-one basis and actually provide them with an insight into some of the things that can go wrong and how they can help to avoid them. I would rather go with them hand-in-hand than dragging them along kicking and screaming. But I'm afraid sometimes the latter is necessary.
If I find I'm being blocked, then my obvious route is to go back to the sponsor and say, "Look. Can you help? So-and-so is not talking to me or they're not completing their deliverables in time. Can you help?" Because if they're paying me on a daily basis, it's costing them more money for me to just sit there, twiddling my thumbs, waiting for someone to deliver the goods.
Danielle Ricci: In addition to the lack of employee engagement, what are some other common issues that you run into?
Robert Clark: When it comes to the prioritization of products and services, this can result in a lot of debate amongst individuals who believe their area of the company is more important than everyone else's. We see people failing to realise this results in a much more complicated business continuity solution than is necessary, and invariably that means the cost will be higher.
Danielle Ricci: Does the business impact analysis also influence the IT side of a business, with regard to its IT disaster recovery?
Robert Clark: Yes, where you've got an organization that's had business continuity implemented after its IT disaster recovery, then the IT disaster recovery parameters, in terms of how quickly the data and systems were recovered, were just a guess because there was no business rationale available to say when something needs to be recovered.
When a BIA is produced, a lot of organizations forget to do a gap analysis. When they do, they find out the business needs it recovered in two days but it will take IT five days to do it.
On the other hand, IT can recover it in two hours, but you don’t need it that fast. You've over-engineered the IT solution, and you're paying more money than you need to. But if you go through the process of developing your BIA, developing your business continuity plan and your IT disaster recovery plan during the same time, then IT should be taking their lead from the BIA. Otherwise, there's no point. The business and IT are not working in sync with each other.
Danielle Ricci: I want to pivot a bit and talk about risk. Specifically, the type of risk you see companies most often overlook.
Robert Clark: Well, the biggest risk I think companies overlook is not actually going through a risk assessment process. Now, that may seem pretty obvious. But a lot of companies do forget it. You need to sit down and think, "So what are the potential risks that my organization is facing?" No two organizations are the same. In the U.S., you may need to include hurricanes in your risk assessment but we probably wouldn’t here in the United Kingdom.
But we're all in the firing line when it comes to cyber attacks. What a lot of people don't realize is that every single day there are more than 300,000 new cyber threats.
It’s nearly impossible for organizations like Norton and McAfee to keep up. If companies do not know how to react to a major attack, it could cause them serious embarrassment, affecting their reputation and their brand.
There’s no single threat that organizations overlook. There is no easy answer.
In London, terrorism is way up the list of priorities for most organizations, not just from the point of view of a direct attack on the company, but also the company's employees, the company's supply chain and so on.
In the Northern Hemisphere, we're just coming into flu season, and in the U.K. there are reports of thousands of people admitted to the hospital. The number of deaths is into three figures. This could deprive organizations of some of their workforce, whether they are directly affected, whether they've got to look after children or parents, whether they can get to work. Because worst case scenario, you could have situations where transport closes down.
There are lots of things that companies just don't think about or choose to ignore. And to be fair, companies can say, "We understand the risk and we have decided to accept it." Now that is perfectly allowable in business continuity planning. But they need to understand the risk before they can actually say, "We accept it."
Danielle Ricci: That prompted me to think about communications and being able to communicate with your employees. Could you talk a little about that?
Robert Clark: With communications, you need to be considering your stakeholders, and they could be internal, e.g. your employees. They could also be external.
What messages do you need to be communicating? How are you going to communicate it? Are you going to be using the telephone or text message? Are you going to be using television broadcasts? Are you going to be using Twitter?
Look at the wildfires in California. Everyone who was considered to be at risk got a text message. They didn't use social media because they thought everyone was more likely to see a text than they were to look at Twitter, Facebook, or any of the other social media platforms.
So you need to plan your communications in advance. And you also need to identify alternative channels of communication because it's quite possible that whatever has caused the crisis [fires, hurricanes, etc.] could also take out some of your lines of communication. So you need a contingency within your communications plan so that you're able to get hold of everyone, even if there's been an impact on your communication capability.
Danielle Ricci: I want to come back to our BIA. How frequently should this be done? Are there any “triggering” events that should prompt companies to audit their BIA immediately?
Robert Clark: The industry standard is that you should revisit your BIA at least every 12 months. If your organization has undergone some kind of change, which could be reorganization, acquisition, a merger, or the introduction or discontinuation of products or services, this could have an effect on your BIA and your need for business continuity.
Again, you may find that the business continuity plan is inadequate, or you may find, "We don't need to do this anymore because we stopped selling that product," or "We've stopped offering that service." So it can work both ways.
To do this, you need to do a comparison exercise, asking "So what's changed in the BIA?" And the answer might be nothing. That's good news and you don't need to go ripping the business continuity plan apart.
I’ve come across organizations that created a great BIA but they haven’t looked at it for several years. And it just loses its currency. It loses its credibility. Every business continuity plan should have details of who might need to be contacted, where they can be contacted. I've seen communication details where, "In the event this happens, phone so-and-so."
Well, then you see that they have people listed that I know no longer work for that company. So you’re going to have to make sure that you keep everything up to date, and that's not easy.
One of the things a lot of companies don't do is document control. And this may seem a very small thing but it can have a big impact. At the front of every BIA it should say what the document is and who owns it. When was it last changed? Why was it changed? What's the current version number?
So it's little things like this that you can use to make sure that everyone knows exactly what version of the document you're using. You don't always have the luxury of time to sort these things out on the day of a disaster. And if you're one of these organizations that doesn’t need to recover for a month, you might be OK. But conversely, if you need to be up and running within a few days, you don’t have the luxury of time to map it out.
Danielle Ricci: And you can't assume that 100% of your employees are going to be available after a disaster, and you have to nominate backups for them, right?
Robert Clark: In my five years as the resourcing director for consulting for northern Europe, I did an exercise and discovered that the best I could expect was that 80% of the organization would be available for assignment to a client site at any one time. And the 20% wasn't available for any number of reasons: vacation, maternity leave, sickness, training, jury service, armed forces training, etc.
After comparing notes with other organizations of similar size, 80% seems to be about the norm. Some of the organizations will say, "If we have a disaster, then we are assuming that everyone in the organization will be available." Bad mistake.
If you have a situation where one of the people who isn’t available is key to the recovery, and you do not have a backup for him or for her, then you've got a fundamental problem to start with.
We did an unannounced training exercise where employees were given an envelope as they entered work. In that envelope it said something like, "We're conducting a business continuity recovery and sorry, but you're dead." Or, "You have been assigned to recover this or to recover that." And it randomly selected people. It wasn't predetermined as to who was and who wasn't going to be told that they were dead.
It proved whether the organization could recover without the expertise of these people. The spooky thing about this exercise was that this was in 1985, I think, and the scenario was a plane crashed into a building.
This was 16 years before 9/11. Many organizations did not survive 9/11 for that very reason. Organizations need to actually look beyond, "Yes, I've got a team of 20 people. They're all going to be available." It's a fallacy.
Danielle Ricci: Anything else you'd like to add to help companies create an effective BIA?
Robert Clark: If it's an organization that is a novice to business continuity planning, I think one of the best things they can do is to provide the relevant people in the organization with training. If you just say, "You're the business continuity manager. Go produce a business continuity plan," without any support, it's grossly unfair to the individuals and to the company.
So I believe they need to, A, provide a budget for business continuity, but within that budget, factor in some training. They also need to provide some form of awareness training for the entire staff because there's no point in having a business continuity plan if no one knows about it. That might be something they can do internally. It might be something they support from outside.
It can also be useful to have a consultant pointing them in the right direction, whether they're providing them with guidance, or validating the work they've done, saying, "Yeah, that looks good," or, "Hang on a minute. You've missed the point here. You need to emphasize this and this."
I would recommend the Business Continuity Institute Good Practice Guidelines for anyone interested in learning more about business continuity. It tells you what you need to do and how to do it.
Danielle Ricci: Ultimately, business continuity is about the health and future of your business, so it's an excellent investment both in protecting your business and your people.
Robert Clark: An awful lot of people don't necessarily appreciate that business continuity is not just protecting the company, it is protecting their own livelihood. So that's something which gets lost on people. It’s one of the arguments I use when people tell me they’re too busy to participate. Well, you're actually a stakeholder in this because if the company goes pear-shaped, it's your job that's likely to disappear, and it can strike a chord with people.
Want to learn more about how to identify risks and prepare a comprehensive business continuity plan that will help your business weather any disaster? Register for AlertFind's webinar, "Business Impact Analysis: How Long Do You Have After A Disaster To Recover Before Your Business Fails?" featuring business continuity expert Robert Clark and Danielle Ricci at 2 p.m. EDT on Thursday, Jan. 31.