The risk assessment (RA) and the business impact analysis (BIA) form the backbone of traditional continuity planning. They are considered fundamental components in virtually every best practice guide and industry standard. Employing these two practices leads practitioners along a trajectory that further entangles their work in the many related techniques of traditional continuity planning, along with the negative outcomes of these techniques. Practitioners should eliminate the use of the risk assessment and business impact analysis.
Risk Assessment
The results of a risk assessment may lead the practitioner, leadership, participants, and organization as a whole to prepare for and mitigate threats that never materialize while other non-identified threats materialize instead. Preparing for the wrong threats is a waste of resources and may lead to a false sense of security that further jeopardizes the organization.
Some threats, such as cyber attacks, disgruntled employees, and utility or infrastructure disruptions, are identified and mitigated but materialize nonetheless. It is precisely because bad things will happen, despite the best efforts of very capable risk managers to prevent them, that continuity planning is so critical. (See additional points in “Prepare for Effects, not Causes.”)
There are also significant liabilities for continuity practitioners who do not possess the training and expertise to properly implement and follow through on a risk assessment. Risk assessment is a technique of risk management, a discipline with its own body of knowledge apart from business continuity. Administering a proper risk assessment and implementing the resulting action items may necessitate deep knowledge of actuarial tables, information security, insurance and fraud, state and federal regulations, seismological and meteorological data, and the law. Typical continuity practitioners do not possess such deep knowledge; those who do are most likely specifically trained as risk managers. As such, Adaptive BC practitioners should eliminate the risk assessment from their scope of responsibility.
Business Impact Analysis
The purpose of a formal business impact analysis is to identify an organization’s services along with the potential daily or hourly loss, usually in terms of money, that a disruption of the service would have on the organization. Over time, the purpose of a BIA has changed, expanded, and become indistinct. The term BIA now often includes recovery time objective (RTO) and recovery point objective (RPO) data, response and recovery strategies, upstream and downstream dependencies, and other information.
The BIA as a measure of estimated losses should be abandoned. Its main purpose was to help leadership identify the most critical services and to set a prioritization for continuity planning efforts. The discipline should eliminate the BIA because:
- The goal of quantifying the impact of disaster is likely a non-starter from the beginning. Numerous commentators have identified deep flaws at the core of the BIA practice. Rainer Hübert’s definitive paper, “Why the Business Impact Analysis Does Not Work,” makes a compelling argument for the industry to abandon the practice of BIA work entirely because of the “very costly and even fatal misinterpretations and misrepresentations” inherent in the process.
- Executive leadership can be trusted to identify critical services based on their experience and knowledge of the organization (as discussed in “Obtain Incremental Direction from Leadership”) and therefore can set general direction and prioritization for preparedness planning.
- The proper sequence to restore services at time of disaster will depend on the exact nature of the post-disaster situation, a situation that cannot be predicted ahead of time. Because the organization must be flexible and responsive to the situation as it unfolds in real time, recovery time targets and a prescriptive recovery sequence should not be predetermined.
Due to the increasingly nebulous and confused understanding of the term BIA, along with the many connotations and associations that the term has within traditional continuity planning, both the practice and term itself should be entirely abandoned in Adaptive BC.