Business Impact Assessment: The Emperor’s New Clothes?
by Andrew Hiles, FBCI
A Business Impact Assessment (BIA) stems from a Risk Assessment (RA) that is, at best, subjective – no matter how many decimal places it is calculated to, it depends on the balance of experience of the risk assessor (experience of a particular risk happening makes it seem more likely to happen again); on insurance statistics, emergency services data, past incidents etc. These statistics usually provide averages: if your feet are in the freezer and your head is in the fire, your average temperature is fine. But it isn’t very comfortable. These averages have little direct relevance to me, here, now.
Recently Air France lost a plane with 228 people in it. Per se, that does not alter the risk statistics one jot. What it does mean, however, is that Air France will probably increase its maintenance – and that may (or may not) alter the statistics slightly. So, after every non-natural disaster (assuming we learn from it) the probability (probably!) reduces – until we forget about it, get blasé, slack off, and it happens again. This may happen also with the impact (but the United Kingdom Foot & Mouth disaster showed the UK government learned nothing from the previous FMD crisis – except maybe how to unnecessarily amplify the impact exponentially).
If we follow the statistics, something like 99.567% of all car accidents involving men in North America and Europe happen to men wearing pants. The obvious risk reduction measure would be to take your pants off when driving.
Statistical research is driven by funding and tends (maybe inadvertently, let’s be charitable) to follow a predetermined line to reach a preferred solution. How many successful grant applications have there been to researchers wanting to prove global warming does not exist? Or to follow, with equal vigour, all of the other possible causes of cancer apart from smoking? What possible causes? Hair sprays, deodorant sprays, adhesive fumes, exhaust fumes….
So why perform RA? In a BIA we always focus on the end results, not the cause. However, an RA does help to identify weaknesses, allows us to do something about them and logic says it therefore reduces the likelihood of the worst case (and lesser cases) happening. And, an RA provides great starting points for Business Continuity exercise scenarios.
So, having done the RA, we turn to the BIA. So we apply a probability factor. Past performance is no guarantee of future profits, the small print reads in the financial adverts (how very true over the last 2 years!): equally it is no indicator of future risks happening. Annualised risk losses are a joke: life just isn’t like that. Nothing happens, or it all happens at once (or maybe it just seems to, from my subjective experience!).
Don’t talk about software – it just adds credibility to a fundamentally flawed process. A classic was a well-known risk assessment package used by a client that solemnly informed its users that there was an 80% chance of an impact of £2,165,096. Not £2,165,095, not £2,165,097. C’mon! Garbage In, Garbage Out.
While we were bandying thoughts on RA and BIA, David Lindstedt suggested a possible improvement was to borrow from project management (PM). What about using the “3-point method,” he suggested, where you estimate the Optimistic, Pessimistic, and Most Likely outcomes, then use the formula Estimate = (O + 4M + P) / 6?
BIA is probably more complex than PM, because it is built up from (usually) a larger number of individual risks to many different functions and their impacts, with the probability that not all of them will happen at the same time. Also the impact is time-dependent for each risk.
The PM line is essentially a weighted mean – equally meaningless (sorry about the pun) for use in BIA.
Basing a business continuity strategy on the outcome from the PM basis would not avoid the possibility that, if the worse than (sort of) mean case happened, the organization that followed it would be vastly under-provided for.
Another weakness of the PM method: the most optimistic case could be zero impact – playing with numbers based on one of them being zero or infinity might be good sudoku but…. does it have a practical value? Indeed, the most optimistic impact could even be positive. When we were doing a BIA for an oil company, and were trying to get an impact value, one senior manager said: “Disaster? It just means the price of oil goes up.” And it’s not just the oil industry that can literally profit from disaster – like the growth in market share, brand value and share value of companies handling a disaster well (the ‘winners’). If you follow Knight & Pretty’s (Oxford Metrica) logic, a well-handled disaster can improve share value etc by 10 – 20%. It’s like a soldier having a ‘good war.’
Losses for the same event will vary according to the day or business cycle. So on what basis do you use the BIA to decide business continuity strategy: plan for the worst case with everything going wrong at the same time – paying hefty sums out of scarce revenue and capital for recovery capability for an event or scenario which actuarially is highly unlikely? Or, an average loss and not be able to cope with the actual event? Averages again – they bear little resemblance to reality. Or lesser loss – and probably be inadequately prepared for the real one? How scientific is that decision? Impact value depends on what time period you are looking at – days, weeks, months or years.
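The under-provision argument above, worked through as an added example that is not part of the original article: the three-point estimate is applied to three hypothetical business functions and compared with the pessimistic total for different outage lengths. The function names, the daily loss figures, and the rule that the pessimistic loss doubles after a "cliff" day are all constructed assumptions.

```python
# Added illustration. Every figure here is constructed, not taken from the article.

def three_point(o, m, p):
    """Three-point (PM) estimate: (O + 4M + P) / 6."""
    return (o + 4 * m + p) / 6

# Loss per day of outage, in thousands: (optimistic, most likely, pessimistic).
# A negative optimistic value models a function that profits from the event.
# "cliff" is the assumed day after which the pessimistic daily loss doubles
# (e.g. contract penalties start), making the impact time-dependent.
FUNCTIONS = {
    "order_processing": {"daily": (0, 30, 300), "cliff": 3},
    "trading_desk": {"daily": (-60, 15, 900), "cliff": 1},
    "payroll": {"daily": (0, 6, 60), "cliff": 5},
}

def scenario_losses(fn, days):
    """Cumulative (O, M, P) loss for an outage lasting `days` days."""
    o, m, p = fn["daily"]
    days_past_cliff = max(0, days - fn["cliff"])
    return (o * days, m * days, p * days + p * days_past_cliff)

def assess(days):
    """Per-function estimate, pessimistic loss and the gap between them."""
    rows = {}
    for name, fn in FUNCTIONS.items():
        o, m, p = scenario_losses(fn, days)
        estimate = three_point(o, m, p)
        rows[name] = {"estimate": estimate, "pessimistic": p,
                      "shortfall": p - estimate}
    return rows

def portfolio(days):
    """(sum of estimates, sum of pessimistic losses, unfunded gap)."""
    rows = assess(days)
    estimate = sum(r["estimate"] for r in rows.values())
    worst = sum(r["pessimistic"] for r in rows.values())
    return estimate, worst, worst - estimate

if __name__ == "__main__":
    for days in (1, 7, 30):
        est, worst, gap = portfolio(days)
        print(f"{days:>2} days: estimate {est:>9.0f}  worst case {worst:>7}  "
              f"shortfall {gap:>9.0f} ({gap / worst:.0%} of worst case)")
```

A strategy sized to the estimate column covers under a fifth of the pessimistic loss at every duration in this constructed data, and the trading desk's estimate is ten times its most likely loss, driven almost entirely by the pessimistic input.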
Most BIAs don’t take insured value into account. Insurance? I’ve seen too many incidents not covered by insurance and too many policies so loaded with exclusion clauses that full payout for the real incident is improbable. Insurance can take years to be paid – often too late to do much good. Besides, you have to prove loss (difficult) and insurance is forensic – it pays out on past performance, not on forecasts.
OK, I’ve been using similar methods to those above, for lack of anything better. But has anyone out there got a better way of conducting a BIA than using specious statistics and subjective judgment?
My wife, Dr Yvonne Gunn, was for many years a Fellow of the Chartered Institute of Statistics. Having discussed the various bases for RA and BIA with her, her professional and academic judgement was: “It’s all b*******.”
Oh, who is this maverick? Andrew Hiles, FBCI, a director of Kingswell International, a consulting company specialising in managing business risk and service delivery. I was founding Director and first Chair of the Business Continuity Institute and confess, wryly, to being the author of Enterprise Risk Assessment & Business Impact Analysis, published by Rothstein Associates.