The Role of Risk Management and Business Impact Analysis in Business Continuity Management

Created by Alisa Jashari | 11/12/2019

Business continuity is defined by the International Standardization Organization (ISO) as the “capability of the organization to continue the delivery of products or services at acceptable predefined levels following a disruptive incident”. Business Continuity Management is the process of creating and maintaining systems that prevent and recover from potential threats risking the vitality of the company.

The goal of business continuity planning is to ensure that core functions of an organization are not severely affected by threats, disasters and unexpected incidents and enable the quick recovery from unplanned incidents by responding on time. Business Continuity Management is closely linked to revenue growth, as business continuity planning minimizes financial and operational consequences of disruptions. According to Touche Ross, 90% of businesses without a disaster recovery plan will fail after a disaster.

According to the Business Continuity Management Systems standard, ISO 22301:2012, the aim of business continuity management systems is to plan, establish, implement, operate, monitor, review, maintain, and improve a management system to protect against, reduce likelihood of, respond to, and recover from disruptive incidents. In bringing together a business continuity plan, the organization focuses on several different areas. Two crucial components of a business continuity management process are business impact analysis and risk management.

BUSINESS IMPACT ANALYSIS

Business Impact Analysis is defined as the systematic process of evaluating the impact of potential disruption scenarios on the key processes of the organization. Instances of disruption scenarios are: suppliers failing to deliver on time, power outages affecting production, and so on. The impact of this disruption may be of an operational or financial nature, varying from low to high severity. Examples of impact scenarios include revenue loss, delay in service delivery, inability to meet business objectives, fines, inability to reach the stakeholder and customers satisfaction level and so on. In order to ensure business continuity and to strengthen the capability of the organization to continue the delivery of products or services at acceptable predefined levels following a disruptive incident, organizations should first consider the results of the business impact analysis.

The business impact analysis can be conducted because it can serve as a tool to minimize the risks faced by organizations and find solutions to treat such risks. As such, the outcome of a business impact analysis can be risk-centered recovery solutions. ISO guides organizations to conduct a BIA by following the requirements set by ISO 22301:2012. The steps to effectively conduct the business impact analysis include:

Identification of key processes and their outputs
Determination of the criticality of the key processes of the organization
Identification of the consequences of a disruption on the identified critical processes
Identification of the interdependencies with key internal and external stakeholders
Identification of available resources to support the operations
Identification of alternative processes
Determination of the maximum acceptable outage time for each process
Determination of recovery time objectives
Confirmation of the level of preparedness of the critical processes to manage disruption

The efficient conduction of the business impact analysis enables organization to obtain an understanding of:

The identification and criticality of the main processes, functions, resources and interdependencies.
How disruptive events will affect the organizations capability to achieve its objectives.
How to manage the impact of disruptive events and recover the organization to an acceptable level.
The priority list of critical processes
The financial and operational impacts caused by the loss of critical processes

RISK MANAGEMENT

Risk is a situation that exposes an object to harm or a measurement of uncertainty. It has four key components such as events, assets, outcome and probability. Risk is defined, understood, perceived and interpreted differently depending on the discipline or field it is being used. Risk management refers to the process of identifying, analyzing, monitoring and managing potential, existing or inherent risks. This process is performed in an organization in order to minimize the negative impact of risks that can be faced by an organization. The purpose of risk management is to identify which risks pose a threat to an organization and provide recommendations on how to treat, eliminate and prevent risk reoccurrence.

Management system standards such as ISO 22301 recommend organizations to integrate a risk management or risk assessment process within their management system in order to achieve risk management objectives. A framework that can be used to establish and integrate a risk management framework is ISO 31000 which provides generic guidelines on risk management. ISO suggests the use of the 31000 guidelines since it increases the likelihood of achieving objectives, improving the identification of threats and opportunities, and the effective use and allocation of resources for risk treatment.

The risk management process based on the ISO 31000 guidelines includes the following phases:

Identification of the scope, context and criteria
Performing the risk assessment process
Performing the risk treatment process and selecting the risk treatment options
Monitoring and reviewing the risk management process
Recording and reporting the risks to top management
Communicating the risks and consulting with stakeholders

Risk management is a necessary process of business continuity management because it is crucial to have intrinsic structures within the organization that systematically analyze risk. While risk management focuses on the identification, assessment, and prevention of risks, business continuity management focuses on the overall incident prevention and management in an effort to minimize downtime and loss in an organization.

Business Impact Analysis and Risk Management Complement Each Other

It depends on the organization’s goals, objectives, size, processes and priorities on which process will be carried out first, the business impact analysis or the risk management. However, it must be noted that both processes are required to be performed by the ISO 22301. Each process has a unique purpose and is performed to achieve certain objectives, therefore the two of the following approaches can help an organization decide which process is to be carried out first.

1^st Approach – Performing the Business Impact Assessment first: Organizations may choose to perform the business impact analysis first to identify crucial business functions, then proceed with risk assessment to analyze the risks that those functions are exposed to.

2^nd Approach – Performing the Risk Assessment first: An organization may choose to perform a risk assessment first to identify the pool of threats the organization is exposed to. Then, perform the business impact analysis to estimate the impact of disruption.

The first approach can be useful for a unit-based analysis, while the second approach is more of a corporate-level approach. Nonetheless, both processes complement each other towards the achievement of business continuity goals. Business impact analysis identifies key activities and their impact, whereas risk management focuses on protecting those activities from the identified risks. When these two processes are integrated within the organization’s business continuity plan, the organization reduces the likelihood of having extended losses from down-time. Effective risk management and business impact analysis helps organizations to protect against, reduce likelihood of, respond to, and recover from disruptive incidents.