When our customers are going through Business Impact Analysis (BIA) it’s pretty common for them to ask us for guidance. They want to know what we’ve learned from others so they can avoid some mistakes.
We thought this would be helpful info to pass along in a blog post, and we’re also going to host a live, only-20-minutes-long, Ask Me Anything session on the topic on August 5th. To get a calendar invite for the AMA session, click here.
We hope the information below is helpful and we’d love to hear your feedback. Contact us and let us know what you think.
Without question, the following are the top 3 most common mistakes we’ve observed from teams going through a BIA. The bad thing about these mistakes is that they end up being very costly to the organization and to the people involved.
Course-correcting after these issues takes real budget and time. For some, these have led to a false sense of security that left them open for cyber attacks and disrupted operations. For those in risk management leadership, careers have even taken a side-step because these mistakes were not caught quickly enough.
We don’t want to scare anyone, but we do want to point out that these issues have real consequences and they should be taken seriously.
We should state up front that we’re not talking about malicious dishonesty here. What we typically see (because it always comes out later) is that someone wasn’t completely honest about how much improvement was really needed in a certain area. Or just how broken something actually was. Or that something was completely missing, had never been done, or just hadn’t been done in a while.
You can chalk this up to a bunch of different reasons. Culture in the company, politics, pride, or someone just simply deciding they don’t want to work on that thing.
Up front, before the BIA process gets going, everyone needs to come to an agreement that the findings in the process are not a judgement on current employees or past employees. The BIA shouldn’t be a positive/negative judgement at all. It should be accepted as the state things are currently in. A starting point for moving forward. That’s it. Figure out what’s working, not working, broken, missing, needs updating, etc. Then prioritize and assign next step tasks.
This should be the first thing you put serious time into with those going through the BIA process. Leaders should make every effort to make sure their teams understand they can be fully honest and transparent. If this can’t happen, your BIA is flawed from the very beginning and you will most likely miss some of the most important risks that should be focused on.
The point of going through a BIA is to understand where the risks are, and how they should be prioritized so that everyone is working towards a common goal. During the process, many goals associated with the outcome of the BIA may be discussed. If they’re not documented and agreed-upon, there is a high probability of many people leaving the process with different understandings of what the group as a whole should be working towards, and what each of them individually should work on first.
Documenting goals as a Top 3 item for BIA processes may seem overly simple, but we see this skipped all the time. Everyone leaves the BIA process thinking that everyone else is on the same page as they are. But, in fact, they all have a slightly different understanding of what the goals and next steps are. This leads to wasted time in areas that may be a low priority to company leadership, and leaves top risks exposed.
Before an assessment begins and risks are discovered, the group should come to agreement on how to score a risk and rank it for prioritization. This means coming up with a scoring system that is based on the business outcome goals of the company and factors in the context of how tolerant of risk the business leaders are at that time. Here’s a public doc from The University of Iowa with a great template to help you get started with your threat matrix (scoring system).
Risk tolerance is going to be different at every organization and will change inside each organization with new leaders, changes in the economy, updates in regulation and a long list of other variables. It’s important to discuss this and acknowledge the tolerance of risk in some areas and lack of tolerance in others.
Just like with number 1 above, document this. If the discussion doesn’t happen, and the ranking/scoring system isn’t documented, you’re going to end up assigning risk scores that are higher or lower than they should be. You and the other teams involved will end up putting time into lower priority areas that should be invested elsewhere and, once again, leaving the door open to unwanted cyber activity in critical areas.
We hope this post was helpful. If you’ve never run a BIA and you feel stuck on where to get started, this National Institute of Standards and Technology (NIST) doc will be helpful. Essentially, the doc teaches you how to know what area of the business to focus on first, find the risks there, and understand how to know when you’ve hit your goals. Hint: skip to Appendix B near the end of the doc and you’ll find specific info on running a BIA.
If you’d like to learn more and ask questions, get a calendar invite for the 20 minute AMA session on August 5th here. We’ll be looking forward to seeing you there.