Business continuity justifications
There are many business continuity justifications that can be used to gain stakeholder buy-in for setting up a business continuity program. In the absence of regulatory requirements, audit findings or specific customer demands can be useful.
However, the best method to sell management on the need for a business continuity program is using the results from a risk assessment and Business Impact Analysis (BIA).
The risk assessment is the process of identifying the continuity-related risks to an organization through a review of the business environment, an evaluation of the probabilities of certain events and a review of the design and operation of risk mitigation controls.
The BIA is the careful study of an organization’s individual business processes and support functions, as well as the system of business processes in its entirety, to better understand objectives regarding continuity of operations. The key tasks that make up a BIA include:
• Estimating the financial impact of downtime by calculating the quantifiable loss potential
• Measuring the less tangible impacts of downtime
• Identifying process interdependencies
• Estimating the impact of a business interruption on stakeholder perception, and process timing
• Defining recovery time objectives for business processes and applications, as well as application-specific recovery point objectives
• Establishing a level of capability at the recovery time objective
The conclusions drawn by the risk assessment and BIA, together with the corresponding recommendations, are bolstered through industry benchmarking data regarding program scope, recovery objectives, spending and strategies.
The organization’s insurance carrier also may be able to provide information regarding business interruption premium savings offered by a tested business continuity program, as well as insight regarding Director and Officer (D&O) Liability insurance.
The last component of the executive management sales message is the cost-benefit analysis. The cost is the funding and resources necessary to add resiliency and recoverability to the existing business and technology environment, whereas the benefit is impact avoidance.
The process described above is often executed as a special project, although an emerging trend is to execute the risk assessment/BIA as an internal audit sponsored project.
The Institute of Internal Auditors, or The IIA, has issued Practice Advisory 2110-2 stating that internal auditors can play a direct role in the organization’s planning, to include the risk assessment, without compromising independence.
Business continuity justifications go beyond ordinary risk management