In last week’s blog, we talked about the importance of identifying the right BIA impact categories for your business impact analysis.
As a reminder, these are the six categories appropriate to your industry and organization that your management chooses to measure to assess the impact to the organization of disruptions to its operations.
Now that you have selected the right impact categories for your industry and company, you’re ready to determine the weighting you will use for each category.
In today’s blog we’ll talk about what this means, why it’s important, and how to go about doing it.
Weighting your impact categories is the process of ranking your six chosen impact categories in order of how important it is to the business that each one be avoided.
Note what it is not: It is not a ranking of processes in terms of how important they are to the business. That’s not our concern. What we’re interested in is the various quantitative and qualitative impacts of a disruption over time to the business functions and enterprise.
Many things are vital to the business but not especially time-sensitive. Weighting impact categories is about evaluating the negative impact to the business of having the different functions interrupted.
Although I used the word “ranking” above, the process is actually more nuanced. What you want to do is assign a percentage value to each of your six categories, with the sum of the six totaling 100 percent.
The percentage value you give each category is your team’s estimate of the negative impact on your organization’s key mission and operations of having that function interrupted.
The reason you want to weight your impact categories is because you cannot restore everything first. You can only restore one or two things first; the rest have to wait until you can get to them. Therefore, reason suggests you should choose to restore first the functions whose interruption is causing you the most damage.
Another reason it is important to weight your impact categories has to do with human nature—in this case, the tendency of humans to rate what they do as being more important than what everyone else is doing.
More often than not, when the different business units at an organization are asked how important they are to the organization’s mission, the majority state that they are of critical importance.
But if management were required to create recovery plans which treated every department as critical, the cost would be prohibitive.
Everyone wants to feel that what they do is important and that the company could not operate without them. And in most cases, they are correct: the company would be impacted if they were not operational. But for some departments the impact would not be felt for days or weeks while for others it would be felt right away.
In weighting impact categories, we are attempting to identify the business functions whose interruption would have an immediate impact on the organization.
By weighting BIA impact categories, we are reducing the likelihood that the pride of the business units will distort the recovery effort in a manner that detracts from the interests of the organization overall.
So how do you go about assigning a weight to the impact categories?
You do three things:
First, consult with the management team supporting your BIA. Gather their input as you rank and weight your impact categories. What areas do they think are the most important and in what proportion?
Second, in collaboration with your management team, look at the impact categories you selected and rate them by their relative importance to your company. Consider the mission of your company and how important each impact category is to the company. For example, a bank might prioritize its impact categories as follows:
Third, assign a percentage to each impact category based on its relative importance. This isn’t an exact science. Typically the top the categories make up the majority of the weighting percentage. Here are the same example BIA categories that we used above with weighting percentages added:
The total of the weightings should add up to 100 percent.
In the example, what is most important to the bank is the following: not losing revenue; minimizing impact to customer service; maintaining their brand and image; and minimizing penalties, fines, and sanctions. Based on the above weighting, the business processes that have the most significant impacts in these top four categories will be critical and need to be recovered the soonest.
The most common mistake people make in weighting their organization’s impact categories is not taking the process seriously enough.
Remember: How you weight the different areas is your judgment of what is critical and what is not. Your weightings might determine what is restored first and what later after a disruption. The consequences for your organization are potentially huge.
Take the process seriously. You want the right processes to be designated as critical!
What happens after you weight your BIA impact categories? You integrate the results into your BIA process.
The impact categories and their weightings are used to evaluate the dollar and non-dollar impact of a disruption to each business process over various periods time (12 hours, 24 hours, etc.). This in turn allows you to determine the Recovery Time Objective (RTO) for the different business processes, by helping you to determine where the most significant impacts will occur during disruptions of various length.
Quantitative Impact Score | RTO 0 – 4 Hrs or Less | RTO 1 – 12 Hrs or Less | RTO 2 – 24 Hrs or Less | RTO 3 – 48 Hrs or Less | RTO 4 – 5 Days or Less | RTO 5 – 5 Days or More |
---|---|---|---|---|---|---|
Loss of Revenue | 1 | 1 | 1 | 1 | 1 | 1 |
Increase in Operating Expense | 1 | 1 | 1 | 1 | 1 | 2 |
Penalties, Fines and Sanctions | 1 | 1 | 1 | 1 | 1 | 2 |
Qualitative Impact Score | RTO 0 – 4 Hrs or Less | RTO 1 – 12 Hrs or Less | RTO 2 – 24 Hrs or Less | RTO 3 – 48 Hrs or Less | RTO 4 – 5 Days or Less | RTO 5 – 5 Days or More |
---|---|---|---|---|---|---|
Customer Impact | 3 | 4 | 4 | 4 | 4 | 5 |
Legal/Regulatory Requirements | 1 | 1 | 1 | 1 | 2 | 2 |
Brand, Image and Reputation | 3 | 4 | 4 | 4 | 4 | 5 |
In this example, the impacts to customer service and brand, image and reputation (both of which have high weightings of importance) are significant within the first 12 – 24 hours. Based on the scoring, this process experiences a significant impact in 12 hours and would need to be recovered in 12 hours or less.
Weighting your impact categories is a small task that can make a big difference to the effectiveness of your BIA and recovery plan.
You work hard to make your business a success—shouldn’t that include protecting your most critical assets? A BIA is the first step to ensuring that your business will continue to thrive in the event of disruptive external factors beyond your control.
We’d like to help you take this first step. The BIA On-Demand (BIAOD) tool makes it easy for you to pinpoint the most critical units of your business. Running in a secure portal, the tool walks you through a full evaluation of your business processes, including dollar and non-dollar impact as well as recovery time objectives. In the end, it automatically calculates the level of criticality of each unit you’ve chosen to evaluate and produces a detailed report of the results.
Visit our website to schedule a demo of how the BIA On-Demand tool works or to get in touch with questions. If you’re struggling with a BIA currently or want guidance through the process, we’re here to help.