Business Impact Analysis evolution
This time around, I am focusing on how the new normal will change BIAs. You know the Business Impact Analysis (BIA), the pillar of the planning process to build a continuity plan. We have so many lessons learned from the pandemic that I am sure we will be sharing the learnings for years to come. However, as we move from the pandemic to endemic phase of COVID-19, there are changes we can make now to harden our business continuity programs.
If you follow my blogs, you know that I already shared that the plan format we leveraged for years is evolving. As part of that evolution, it is time to step back and consider how our planning process may change—many practitioners based their impact assessments on four key categories. The four categories are typically a variation of the workplace, personnel, supplier, and technology loss or interruption. One of the significant lessons learned from COVID-19 is that most companies realized they could successfully work remotely.
The rise of Zoom meetings & technology
The shift from a reliance on conducting business in the workplace to enabling staff to work remotely is a seismic change in the work environment. It also allows employees to work flexibly, working both from home and in an office when needed. I sat in on an insightful BCI World Conference panel this week. I heard Bethany Warren, an expert in Business Continuity, Organisational Resilience, and Occupational Psychology, speak to the importance of recognizing these cultural changes. One of the components of a traditional BIA is to understand the impacts of a location loss. With most companies embracing hybrid work arrangements, our continuity planning needs to adapt, too.
With the rise of focus on operational and organizational resilience, our BIAs should consider the totality of risk. Future BIAs will emphasize the importance of the flexible workplace, where work gets done is less important than its quality. Tomorrow’s BIA will look at the totality of the service continuum, including an increased focus on IT tools. Tech is already an essential focus for successful impact analysis. However, corporations rely on the technological tools we leverage to do work in the changing work landscape. Additionally, the threat of cyber-attacks increases with the new vulnerability of a dispersed framework of cloud computing, VPN reliance, WiFi, and virtual meeting platforms. Post-pandemic BIAs will need to map this reliance and understand impacts from outages or malware, ransomware, and phishing attacks.
Less emphasis on location loss
Before the pandemic, some business groups I worked with were already adopting work-from-home strategies. These segments were going entirely virtual with their teams and embracing continuity plans without locations. The concept of a business continuity plan without reliance on location is a foreign concept to some. For many years, the primary recovery strategy for most operations was to relocate to another office if their site was damaged or inaccessible.
The office setting was the lynchpin and purpose for having a continuity plan. Often, the importance of adequate staffing, reliance on vendors or technology was an afterthought. How new normal will change BIAs is that the focus has flipped. Most operations proved that although in-person collaboration is preferred, it is not necessary for business success. Now that nearly everyone has established that they can work from home, continuity plans need to change. So, it is time that our analysis process realigns with the new reality. Of course, not all industries will see this shift; it primarily impacts the service sector.
Operational and organizational resilience
As part of the planning process, BIAs should strive to incorporate an operational resilience focus. By mapping out service-level dependencies, we will more clearly understand risks and gaps to address them. A solid risk assessment has always been vital to the business continuity planning process. However, the BIA should better knit together functional dependencies to align strategies supporting a service. Business continuity usually focuses on a process (or function) and builds the recovery plan.
However, in reality, no process recovers alone. One of the learnings I am taking from the pandemic is the importance of organizational recovery. For example, payroll takes multiple functions to accomplish. It can include inputs from HR, the comptroller, treasury, and often a payroll vendor. So, if any of the supporting activities fail to resume after an interruption, payroll is not successfully executed. As part of our path forward, it is better if business continuity becomes part of the culture of resilience rather than a siloed discipline. Developing a more holistic BIA process is a key to that. Imagine a BIA format that assesses a service rather than a single function or department. The learnings are automatically much deeper and encourage increased enterprise plasticity.
Increased power and network outage risk
Another area that deserves attention as we come out of the pandemic is recognizing that remote working strategies come with increased risk. By de-emphasizing reliance on the traditional workplace and replacing it with home offices, the ability to recover from power or network outages emerges in importance. For impact categories, practitioners need to consider this during a BIA. If the function or service relies heavily on a remote workforce or hybrid model, employee preparedness increases in importance. Considering that the nearest offices can be damaged or lack adequate generator power is critical to planning.
Many business partners assume that if their employee’s residence is damaged, they can transfer work to others, return to an office, or wait for recovery. Having experienced an unexpectedly severe Nor’easter that brought down both power and network for over 50 hours, my employer was happy for their investment in a hotspot and my underwriting a home generator. Not everyone is this prepared. Practitioners should use the BIA to identify the viability of workaround strategies.
Our Path Forward
If any of this resonated, then you understand that the way we manage BIAs must change. As always, I don’t advocate throwing out all of the good aspects of what we do. Instead, I suggest that we evolve our practices to keep pace with and anticipate change. Too often, business continuity programs lag behind organizational changes. The pandemic is an opportunity for us to get ahead of the curve or keep pace with it.
It is time for us to consider improving and better serving our organizations in the changing landscape. Business leaders understand resilience. In a previous blog, I wrote about what to expect when COVID ends, highlighting another aspect of business continuity’s evolution. In another, The End Of Business Continuity As We Know It; I reflected that COVID is a watershed moment for our field. Adjusting the BIA is part of the modernization vital to ensuring business continuity’s value today and in the future. Seize the moment to review and update your assessment process to align with your companies’ changing working methods. Taking action now will increase the preparedness of the employees, operations, and assets for the next crisis event.