For the most part, the BCM industry states that reviews of Business Impact Analysis (BIA) findings and results are to be done on an annual basis; however, I propose that this thinking change. It is difficult for companies of all sizes and industries to set aside time every year to review BIAs, let alone set time and resources aside to participate in various BCM tests and plan and process reviews. It takes a lot out of a department’s schedule, when they need to focus on other initiatives.
As I wrote in “BIA Organization Integration”, if an organization has been successful in integrating the BIA into existing company procedures, especially when it comes to changes and impact identified through Program and Project Management practices, then the annual BIA review might be a thing of the past.
As projects and programs are identified, and now that the BIA is incorporated into business practices, the BIA is proactively identifying potential changes and impacts to BCM plans and processes on an ongoing basis, rather than at a single point in time: the scheduled annual review. These project reviews and updates may be done on multiple occasions throughout the year because there are multiple projects in various phases of the project management life cycle. This means a greater level of review and input to the BCM program, not the usual once a year.
However, and this is something that cannot be sidestepped or overlooked, regardless of the number of projects in flight, some groups might not be impacted by any of them. A project might change the way a department does the work but not change the equipment they use, the number of resources it takes to perform the work, or the IT equipment used to process the work. So even though projects may provide BIA assessments on multiple occasions, the overall company BIA will still need to be reviewed at some point. But because projects are providing updates on a regular basis, and presumably the updates are being incorporated into the BCM program on a regular basis, rather than the usual standard of ‘at least annually’, the overall company BIA may be in a position to be reviewed bi-annually.
Now there’s another aspect to having projects and programs provide BIA updates that proactively identify operational impacts. Once the BIA updates have been received, those changes need to be assessed by the BCM team to identify what impacts there are upon the various plans and processes. As there could be multiple projects having impacts throughout the year, updates may not be completed immediately, and/or some updates for one project cannot be made or completed until a dependent project has completed its work. So how can we only perform updates at specific times of the year? Or rush to get a plethora of updates completed when there are interdependencies in play?
I suggest letting the projects implement their changes as scheduled and then giving the BCM team a 6-month timeframe post change implementation to update all required documentation. The BIA would have proactively identified the upcoming change, and it would be on the radar of the BCM group, which could then begin to schedule timeframes for when the corresponding BCM plans need to be updated. Some updates may be quick, not need the full 6 months, and be completed by the change implementation date, but others, of a larger scope and scale, may require additional time to get activities reconfigured and up to date (e.g. IT Disaster Recovery Plans and corresponding restoration and recovery configurations, which usually take longer to complete). Include in that 6 months some level of testing for the newly updated documentation, process, strategy or plan. Of course, the testing method will depend on the change itself; you’re not going to do a full-on Simulation test if the change is a re-organization of resources, but you might need a table-top to help familiarize newly transferred individuals with their new roles (assuming there was a shift in crisis or disaster team membership), as an example.
Adapting the BIA reviews to the corporate culture and embedding them into that culture will provide a benefit to all involved. As it stands, many see BCM as an afterthought that often gets in the way of activities; if it becomes part of their activities, through smooth planning and transitioning, the company can be in a better position going forward with a stronger program in place. BCM must adapt to the workings of the company as best it can, and BCM professionals and practitioners cannot expect a company to adapt to the needs of BCM practices. There has to be some give and take to make both sides benefit. Embedding the BIA – at the very least – into existing organizational processes, and becoming flexible with review timelines by leveraging the benefits of embracing a new approach to the BIA, will over time strengthen the BCM program because it’ll be walking in step with the rest of the organization, rather than lagging behind and always trying to play catch-up.
© StoneRoad 2016
A. Alex Fullick has over 19 years’ experience working in Business Continuity and is the author of numerous books, including “Watch Your Step”, “BIA: Building the Foundation for a Strong Business Continuity Program” and “Testing Disaster Recovery and Business Continuity Plans.”