Disaster Recovery Journal Winter 2024

can illuminate the rich web of interdependencies on which the whole organization ultimately stands. They also help us establish recovery time and point objectives for each of those dependencies so we know just how long the disruption can last until the impact is intolerable. Every BC professional knows this. Most could finish my thoughts. (These are some of the aforementioned parameters by which we write recovery strategies.) We know who and what is involved, we know how long we have to do it, and we can state precisely when to set it all into motion. We know exactly which types of disruptions could occur for a business unit and what kinds of plans must be built. The BIA inputs can later serve as a dataset to help create tabletop scenarios.

Let’s flip this narrative back on ourselves. Although our internal stakeholders own their plans, they rely on us for consultative advice and for effective plan exercising. They know the plan is good – not only from their own expert intuition and understanding – but because the internal contingency planning experts have also signed it off. They will participate most in exercises that are severe, plausible, and relevant in view of the BIA results. Yes, it is on them to write, validate, use their plan, and ultimately to participate in exercises. However, it is equally on us to ensure these plans are up-to-par in every way we can. The BIA is a key tool to do so.

For this reason, all the technical purposes of the BIA – from RTO/RPO, through to prioritization and dependency mapping, and beyond – serve as assurance to ourselves and our stakeholders that there is substance behind our certifications and value beyond our policies. We know the plan works because we know its provisions match the needs discovered and validated in the BIA process. In this way, BIAs are not just best practices for the organization, they are best practices to check and balance us as professionals.
The Future of the BIA

This set of arguments for the value of BIAs is by no means comprehensive, neither is each point addressed fully in this short article. We must not ignore calls for continued improvement and change to BC methodology, including BIA, within proper guardrails. However, there are bad approaches to this already in the conversation. For example, some on industry forums have called for wrapping BIAs into BCPs, but this makes for messy, long, and therefore ineffective plans. Others have elected to remove it from the life cycle altogether, which essentially constitutes a reversion to “wing-it” planning that will make disruption impacts worse. In response to these missteps, two directions for the future of BIAs are offered here.

First, the BIA’s image problem is connected in part to how it’s been presented. A strong, values-based and data-driven argument for the BIA can be ruined by a poorly conducted BIA workshop or by unskillfully made tools. A decrepit spreadsheet in Excel 2007, with neon colors, broken macros, and hilariously small font, is not a good BIA. I have seen these across many supplier risk assessments and even presented as “good” at the end of a continuity of government training course. It might capture the same information, but it does damage to the program’s reputation and stakeholder buy-in. Careless construction of the tools ignores the impact of stakeholders’ experience to the detriment of its purpose, and it reflects a stagnated BC team. The BC professional must avoid this at all costs, and the business stakeholder must call it out for the sake of their organization’s continuity capability. Many organizations are already transitioning to various digital tools for their BIAs. As we improve this “felt experience” of our end users we must also ensure we are asking good questions. In the end, better presentation can promote better engagement, leading to better BIAs.

Second, we need to be forward-thinking with regard to technology advancements. More and more organizations are adopting digital, automated tools, creating and drawing from extensive data repositories.
Many BC programs appear to be enjoying increasing access to data that, in some cases, is enabling insight into deeper, longitudinal and enterprise-wide intelligence. These systems will continue to evolve and be more deeply embedded into organizations’ workflow and internal platforms. The days of an annual renewal of continuity information are numbered: we are already seeing opportunities to gather live resiliency data from centrally managed tables and datasets that also plug into the day-to-day work of the business. With smarter technologies, we will see live dependency mapping for the entire enterprise in sync with the same for supply chains, enterprise risk data, outage and weather maps, asset and inventory records, and more. I do not need to describe the value of these use cases for the design of continuity strategies and plans, to say nothing of their value for incident management and vulnerability identification. We will be able to see patterns over time with less dependence on human memory. Digital solutions in BC remain largely manual today, but this will change. Are we ready to embrace them?

Final Thoughts

A bad answer to the question “what’s the real value of a BIA” is as frustrating to leaders in our organizations as the question is to us as BC practitioners. We must continually return to the reasons why we conduct BIAs so we can continually make them better. A better BIA will make a better BC program. We will see better plans, better exercises, better policies, better compliance, and better incident response.

The views expressed in this article belong to the author and do not necessarily represent the views, policy, or position of any other individual or entity with whom the author may be affiliated, present or past.

Samuel McKnight, CBCP, is an early career business continuity analyst with two years of experience in the field. He works in business continuity for a major U.S. utility and has previously supported an operational resilience program for a bank in the United Kingdom. He holds a master’s degree in management from the University of St Andrews, Scotland, where he studied and wrote on sensemaking in organizations under crisis. McKnight also holds certifications from FEMA, PMI, and the LSE.
