Business Impact Analysis (BIA) has been an established part of Business Continuity (BC) for many years now, but with the publication of BS 25999 and the 2008 update of the BCI’s Good Practice Guidelines (GPG), a new technique know as Continuity Requirements Analysis (CRA) was introduced that was ambiguously included as part of the BIA and as a separate technique.
The BIA measures the impact on an organisation of disruption over time and the CRA identifies the resources required to recover from a disruption. Historically, the term BIA covered both techniques, and many BC practitioners still mean both techniques when they refer to a BIA. This causes confusion, particularly as the two techniques are invariably undertaken at the same time using the same questionnaire, workshop, or interview.
To my mind, a new term is required that encompasses both techniques, and I suggest Business Continuity Analysis (BCA). BIA can then mean just the BIA, whenever it is used, and BCA can be used to cover the analysis required to measure the impact on an organisation of disruption over time and to identify the resources required to recover from the disruption.
The concept of the maximum Tolerable Period of Disruption MTPD) has been around for some years now, but it still seems to cause a great deal of confusion amongst Business Continuity practitioners. The definition, as per the BCI’s Good Practice Guidelines (GPG) seems straightforward and unambiguous enough – the duration after which an organisation’s viability will be irreparably damaged if a product or service delivery cannot be resumed – so why the confusion?
It’s only when you look closely at the definition and try to think about how it might be applied in practice that you’ll see that it’s actually of very little use because you will never really know if an organisation’s viability has been irreparably damaged, let along the point at which this happens. It’s only after there has been an incident that has caused the disruption of the delivery of a product or service that you can see if the organisation’s viability has been irreparably damaged, and even then it won’t become apparent until a long time after the disruption. If you try to use this definition when undertaking a Business Impact Analysis, you will find it extremely difficult to identify the MTPD of the organisation’s products and services, and well-nigh impossible to identify the MTPD’s of the activities that need to be undertaken to ensure their delivery.
From experience, I have found that it’s much better to think about the time after which there is a serious threat to the viability of the organisation, as it’s something that people can stand a chance of estimating. So, instead of asking “At what point would the non delivery of product X cause your organisation to be irreparably damaged?”, I tend to ask “At what point would the non delivery of product X pose a serious threat to the viability of your organisation?”
The BCI’s definition of MTPD assumes that there is a point after which there is irreparable damage, and before that point there isn’t irreparable damage. In reality, things aren’t so black and white. The longer the disruption goes on, the more likely it is that the viability of the organisation will be threatened. There is no single MTPD. Instead there is a probability curve that identifies the chance that the organisation will be irreparably damaged at a point in time.