One of the differentiators of the new approach to Business Continuity advocated by Adaptive BC is the removal of the Business Impact Analysis and risk assessment from the business continuity process. But is that a realistic proposal? This survey seeks the views of business continuity professionals on this issue.
Complete the survey
Introduction
Adaptive BC is an alternative approach to traditional business continuity planning. It is ‘based on the belief that the practices of traditional business continuity planning have become increasingly ineffectual’ and proposes nine principles to found its new approach. Of these the one which had proved to be the most controversial is the principle that Adaptive BC omits risk assessments and business impact analyses.
The rational behind this omission is as follows:
The risk assessment (RA) and the Business Impact Analysis (BIA) form the backbone of traditional continuity planning. They are considered fundamental components in virtually every best practice guide and industry standard. Employing these two practices leads practitioners along a trajectory that further entangles their work in the many related techniques of traditional continuity planning, along with the negative outcomes of these techniques. Practitioners should eliminate the use of the risk assessment and business impact analysis.
If you remove the BIA from the business continuity process, what, if anything, would take it’s place? David Lindstedt, one of the founders of the Adaptive BC approach, explains as follows:
“Let’s go ahead and assume that the BIA could, in fact, provide an hourly or daily cost in terms of lost revenue or lost market share for each service or department that could be temporarily eliminated due to an incident. (Naturally, I think this is a problematic assumption based on commentators and research, but let’s make the assumption anyway.) Shouldn’t leadership know what is important without having to conduct a BIA? Don’t the Board, executives, and top leadership have clear knowledge of what is most important to the continued functioning of their organization without a BIA? Or, perhaps more precisely, is leadership so inaccurate in their estimations of departmental value that the BIA properly changes these estimations and provides a more accurate picture of value to executives?”
Is it really possible to omit risk assessments and BIAs and still develop a functional business continuity plan? Please give your views in the following survey and in the comment section below.
Complete the survey
Source: ContinuityCentral
I consider that we should keep in mind that BCP and enterprise risk management (ERM) are related. The BCP is concerned with the continuity of operations across the whole organization. Ensuring continuity is a critical part of an ERM approach. From this perspective, BIA is similar to the risk assessment that is undertaken as a part of the overall risk management process. However the emphasis of a BIA is the identification of the relative importance and criticality of each function, rather than identifying the events that could undermine that particular function. Considering this critical difference between BCP and ERM, we may conclude that the risk assessment and the BIA are related. As we could not consider the ERM process without the risk assessment phase, the BIA will be required in order to identify appropriate continuity strategies for each function.
I totally, strongly disagree. I have no idea, what kind of experience has brought the authors to propose such approach, but obviously, they experiences were not good. When it comes to survival, details are extremely important. I also don’t understand the technology advancement argument – does it mean, that because technology is changing we should also change something, which is not broken – a good, proven methodology? BCM methodology is not dependent neither on a particular market sector nor on a particular technology. Adaptive BC, just like the “expert methods” in risk management can lead to a nice and comforting but usually false feeling of security.