Monday, March 31, 2014

Risk Assessment or Business Impact Analysis, Which Comes First?

This is a topic of great debate, and it is the chicken-or-the-egg question for contingency planners everywhere. Recently, I was asked to share an infographic that placed the Business Impact Analysis before the Risk Assessment. While there is nothing wrong with the graphic itself (the Disaster Recovery infographic by Singlehop), I disagree with that placement.

Interestingly enough, I just had a conversation on this very topic with a colleague whom I respect, who works for another large company that provides business continuity and disaster recovery services.

With the publication of ISO 22301, which does not specifically address the order but does mention the BIA first, many businesses now conduct the BIA first. Here is my personal and professional opinion on why this is a mistake.

Whenever I work with a business and we are analyzing its risks and their associated impacts, we always do the risk analysis/risk assessment first. I have a great many reasons for working this way, but let me share just a few of them.

First, let's look at the Risk Assessment. The Risk Assessment looks at a given hazard. It measures both the likelihood of the hazard occurring and the potential impact it may have on the business. This gives you a consistent measure of how great a risk that hazard poses to your business.

I just want to mention here that there are many scoring methods for arriving at a final hazard score. For instance, the National Fire Protection Association (NFPA) 1600 standard uses High (H), Medium (M) and Low (L) ratings for probability of occurrence and the same H, M, L ratings for impact. Combining the two yields a score such as ML, meaning Medium probability of occurrence with Low impact.

I use a slightly modified version of the NFPA 1600 model that I developed over the years, but it is generally the same idea. Once we have scored all of the known potential hazards, we take the top 10, top 5 and top 3 hazards respectively, so we know which hazards are the biggest known threats to the business.

This process gives us a high-level overview of what the greatest risks to the business are and what their potential impact would be.
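The H/M/L scoring and top-N ranking described above, as an added example that is not code from the blog or from NFPA. NFPA 1600 does not prescribe numeric weights, so the mapping H=3, M=2, L=1, the product as the ranking value, and the tie-break on impact before probability are all assumptions made here; the hazard register is constructed sample data, not the author's.

```python
"""Hazard register scoring in the NFPA 1600 H/M/L style (added example).

Assumptions (not from NFPA 1600 or the post): H/M/L map to 3/2/1, hazards are
ranked by probability x impact, and ties are broken by impact, then probability.
"""
from dataclasses import dataclass

LEVELS = {"H": 3, "M": 2, "L": 1}  # assumed numeric weights


@dataclass(frozen=True)
class Hazard:
    name: str
    probability: str  # "H", "M" or "L"
    impact: str       # "H", "M" or "L"

    def __post_init__(self):
        for label, value in (("probability", self.probability), ("impact", self.impact)):
            if value not in LEVELS:
                raise ValueError(f"{label} must be one of H/M/L, got {value!r}")

    @property
    def score(self) -> str:
        """Two-letter score in the style the post describes, e.g. 'ML'."""
        return self.probability + self.impact

    @property
    def rank_value(self) -> int:
        """Ordinal ranking value: probability weight times impact weight."""
        return LEVELS[self.probability] * LEVELS[self.impact]


def rank_hazards(hazards):
    """Return hazards sorted from greatest to least risk.

    Ties on the product are broken in favour of the higher impact, so a rare
    but severe event outranks a frequent nuisance with the same product.
    """
    return sorted(
        hazards,
        key=lambda h: (h.rank_value, LEVELS[h.impact], LEVELS[h.probability]),
        reverse=True,
    )


def top_n(hazards, n):
    """Names of the top-n hazards, e.g. top 10 / top 5 / top 3."""
    return [h.name for h in rank_hazards(hazards)[:n]]


# Constructed sample register for illustration only.
SAMPLE_REGISTER = [
    Hazard("Regional power outage", "M", "H"),
    Hazard("Ransomware on file servers", "H", "H"),
    Hazard("Flooding of ground-floor data room", "L", "H"),
    Hazard("Key supplier insolvency", "M", "M"),
    Hazard("Office HVAC failure", "H", "L"),
    Hazard("Pandemic / mass staff absence", "L", "M"),
]

if __name__ == "__main__":
    for h in rank_hazards(SAMPLE_REGISTER):
        print(f"{h.score}  {h.rank_value}  {h.name}")
    print("Top 3:", top_n(SAMPLE_REGISTER, 3))
```

The tie-break matters in practice: "Flooding" (LH) and "HVAC failure" (HL) both score 3, but the flood is what the BIA scenario should be built around, so it is ordered first.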

Once we arrive here, it is time to take a deep dive into the impact the top threats will have on your business. The ranked list also gives us an outline of the events most likely to cause major disruption, which in turn provides a scenario to use for context during the Business Impact Analysis.

During the deep dive of the Business Impact Analysis you look at each individual process: the individuals and applications that support it, the interdependencies between departments and between processes, the financial impact to the business if the process is disrupted, and the additional financial exposure from fines, penalties, SLAs and contractual agreements. Does this process need to be recovered immediately? Can it wait? Should it be on hold indefinitely until operations return to normal? What are the recovery costs associated with each process?
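A way of turning those BIA answers (which processes are critical, what they depend on, what an hour of outage costs) into a recovery sequence, as an added example that is not from the blog. The process records, the per-process RTO and loss figures, and the rule "restore dependencies first, then shortest RTO, then highest hourly loss" are all assumptions made for this example; the sample data is constructed.

```python
"""Recovery sequencing from BIA data (added example, not from the post).

Assumptions: each process carries an RTO (hours of outage the business can
tolerate), an estimated loss per hour including SLA/penalty exposure, an
estimated restore time, and the processes it depends on. Recovery order is
a topological order over the dependencies; among processes whose
dependencies are already restored, the shortest RTO goes first, with the
larger hourly loss breaking ties. A serial restoration is then simulated to
flag RTOs that cannot be met, which is exactly the finding a BIA should surface.
"""
import heapq
from dataclasses import dataclass, field


@dataclass
class Process:
    name: str
    rto_hours: float
    loss_per_hour: float
    depends_on: list = field(default_factory=list)
    restore_hours: float = 1.0


def recovery_order(processes):
    """Dependency-respecting recovery order (Kahn's algorithm with a priority heap)."""
    by_name = {p.name: p for p in processes}
    for p in processes:
        for d in p.depends_on:
            if d not in by_name:
                raise ValueError(f"{p.name} depends on unknown process {d!r}")
    indegree = {p.name: len(p.depends_on) for p in processes}
    dependents = {p.name: [] for p in processes}
    for p in processes:
        for d in p.depends_on:
            dependents[d].append(p.name)

    def key(p):
        return (p.rto_hours, -p.loss_per_hour, p.name)

    ready = [key(p) for p in processes if indegree[p.name] == 0]
    heapq.heapify(ready)
    order = []
    while ready:
        _, _, name = heapq.heappop(ready)
        order.append(name)
        for child in dependents[name]:
            indegree[child] -= 1
            if indegree[child] == 0:
                heapq.heappush(ready, key(by_name[child]))
    if len(order) != len(processes):
        raise ValueError("circular dependency in BIA data")
    return order


def rto_breaches(processes, order):
    """Simulate strictly serial restoration; return {process: hour restored} for missed RTOs."""
    by_name = {p.name: p for p in processes}
    clock = 0.0
    breaches = {}
    for name in order:
        clock += by_name[name].restore_hours
        if clock > by_name[name].rto_hours:
            breaches[name] = clock
    return breaches


# Constructed sample BIA data for illustration only.
SAMPLE_PROCESSES = [
    Process("Core network", rto_hours=1, loss_per_hour=0, restore_hours=1),
    Process("Active Directory", rto_hours=2, loss_per_hour=0, restore_hours=1),
    Process("Order entry", rto_hours=4, loss_per_hour=5000,
            depends_on=["Active Directory", "Core network"], restore_hours=2),
    Process("Customer portal", rto_hours=4, loss_per_hour=3000,
            depends_on=["Order entry"], restore_hours=1),
    Process("Email", rto_hours=8, loss_per_hour=200,
            depends_on=["Active Directory", "Core network"], restore_hours=1),
    Process("Payroll", rto_hours=48, loss_per_hour=500,
            depends_on=["Active Directory"], restore_hours=1),
]

if __name__ == "__main__":
    order = recovery_order(SAMPLE_PROCESSES)
    print("Recovery order:", order)
    print("RTO breaches:", rto_breaches(SAMPLE_PROCESSES, order))
```

With the sample data the customer portal is restored at hour 5 against a 4-hour RTO, even though every step was done in the best possible order. That is the kind of result the BIA exists to expose: either the portal's RTO is unrealistic, or its dependency chain needs to be shortened or recovered in parallel.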

The Business Impact Analysis gets into such fine detail on each business process and business unit that it can itself become a disruption. This is why it is done only every couple of years; two years is the norm, though some companies do it only every five.

The Risk Assessment, being a high-level overview, can be done monthly, quarterly or yearly with little to no disruption to the business's normal operations. It is also an excellent way of tracking emerging and future threats to the business.

I hope you can now see where I am coming from, and why a risk assessment should be done both first and more frequently. Also, as a big proponent of the NFPA 1600 standard: if you have the book Implementing NFPA 1600 National Preparedness Standard, pages 12 and 19 each provide an ordered list in which the Risk Assessment comes before the Business Impact Analysis.

NFPA 1600 Section 5.3 on Risk Assessment also provides an ordered list of steps: identify hazards, assess the vulnerability, analyze the potential impact, and lastly conduct a Business Impact Analysis to determine business continuity and recovery strategies.

I am a big believer in knowing your risks and conducting risk assessments on a regular basis. Performing a BIA with only an overall organizational or operational risk rating in hand falls short of a complete and proper risk assessment.

Also, risk assessments should be tied into your enterprise risk management program if you have one, and controls should be established to reduce or prevent risks wherever possible.


Reader Comments (1)

We are facing a constantly growing amount of data on both the Web and personal computers. And the more information we need to process, the more time it takes. That is why I think that would be perfect for the world's needs today.
March 14, 2016 | Unregistered Commenter: Greg J. Sutton
