“What do we KNOW?” Well, the answer has to be “very little” compared to what we could know, but it is enough to get or keep a decent business continuity management system running. Getting all we should know from work force is quite easy when asking the right questions. They know quite a lot! And to be honest we have to make them guess. Although the information we gather is based on a guess it is of great value. Estimate is the start of business continuity management. Building a management system on estimation works! Estimate can be seen … it has to be even seen as the first step in a sensible business continuity process:  to consider the potential impacts of a breach in the business processes is the core discipline. The Business impact analysis (BIA). The argument is that no one cannot properly plan for a disaster when having little idea of the likely impacts on the business/organization.  This is undoubtedly the case, yet it is surprising how many organizations bypass this initial step in the continuity process. The BIA essentially means systematically assessing the potential impacts resulting from various (unavailability) events or incidents. It is common for the impacts resulting from other types of incident (such as breach of loss of data integrity or confidentiality) to be simultaneously explored, but this need not be the case. However, there are certainly advantages to undertaking a comprehensive and wider focused business impact and risk analysis exercise. The business impact analysis is intended to help understand the degree of potential loss (and various other unwanted effects) which could occur. This will cover not just direct financial loss, but other issues, such as reputational damage, regulatory effects, etc. BIA is the key part of the business continuity process that analyzes mission-critical business functions, and identifies and quantifies the impact a loss of those functions may have on the organization. Although the BIA can take a great deal of time for data gathering and analysis, its value is essential for developing continuity plans. BIA do not have to be dozens of pages long. They simply need the right information, and that information should be current and accurate. It is - in the end -asking the right questions and raising guesses. There are no formal BIA standards, but there are many business continuity standard templates available, which is problematic in a way: if the methodology is not appropriate, e.g. a mid-sized company relies on some MS Word and Excel Sheets, then the sheer volume of data is likely to lead to mismanagement. Accuracy and up-to-dateness will only be assured when the BIA is founded on a smart (also simply) system of steady inquiry, correct storage and proper analysis.  An appropriate software consequently has to provide a flexible framework for the BCM, BIA-templates, a comprehensive database and best a way to easily enter your organization's structure, activities/processes and resources. So, when analyzing the impact on your organization, why not also consider other benefits such as productivity gains from new capabilities in the product? Such features clearly show that BCM, BIA and Risk Management base on almost the same data and similar principals, which leads to the question why companies do not combine these disciplines and manage their business processes and risks on the same data base and with ONE software. Well, “I don`t  KNOW?”

For more information on governance, risk, and compliance management topics, visit www.grc-lounge.com.

Tags: risk LoungeTalk