BIA Best Practices: How To Compensate For Exaggerated Business Unit Valuations
Luke Simpson, Editor
Mike Keating, Vice President, Business Continuity Management at Reinsurance Group of America
This is one area where bringing in outside help can be extremely beneficial. Consultants with a broad base of experiences can often push back on business leaders in the first conversation about continuity objectives, making the whole process operate more smoothly. I have found that the longer the misperception exists, the more resistance there is to changing the error. Some other techniques I have used include:
Steering Committee Reconciliation: One of the great advantages of a BCM Steering Committee is its ability to reconcile recovery time objectives (RTOs) and recovery point objectives (RPOs) across the enterprise. This tends to normalize the exaggerations we can hear from business leaders when they provide unrealistic answers — in a non-confrontational way. It’s especially helpful where there are a few outliers requesting aggressive treatment of common systems, skills or facilities.
Metrics: Anytime you ask businesses to justify their answers through a common filter of metrics or objectives you take away their ability to make unsubstantiated claims about how important they are. By asking them to justify aggressive continuity objectives in the light of specific and, in many cases, measurable criteria, you diminish the opportunities for exaggeration.
Sarcasm: Unfortunately, being nice does not always work. One client’s administration department refused to come off of a zero hour RTO. I told them I felt sorry for them. They asked what I meant, and I explained that I couldn’t possibly maintain my sanity working every weekend and not being able to take vacations. Over the next few minutes I was able to use my over the top reaction to help them realize that their organization does, in fact, cope with the interruption of their functions regularly, and that we should find a more rational RTO for their unit that recognized their importance at certain times of the year without imposing that standard on the BCM program year round.
Brian Zawada, Director of Consulting Services at Avalution Consulting
I think all business continuity professionals with experience performing a BIA have faced this problem at some point. I have three recommendations that I often employ to overcome this challenge:
Engage executive management up-front: Before meeting with business unit managers, it’s critical to meet with the program sponsor and/or executive management representatives (in the form of a steering committee) to establish the scope of the program and the BIA. Scoping the program based on products and services (as opposed to the organizational chart or facilities listing), and assigning a management-approved downtime tolerance for each (even if preliminary) is an excellent approach to estimate risk tolerance and set boundaries for business unit managers.
Do your homework in advance: BIA data gathering is best when both parties are prepared. The business continuity professional should do as much as possible in order to understand how the business unit contributes to each in-scope product/service, as well as any applicable contractual or regulatory obligations. Understanding the basics will certainly contribute to jointly identifying value and appropriate recovery objectives.
Ask for justification: A key element of the BIA is understanding or estimating the potential impacts associated with a disruption. Asking the business unit manager to justify a criticality rating or a recovery time objective is certainly a method to assist business unit managers with the self-assessment process. Prepare to ask probing questions in order to reach more definitive conclusions, particularly questions that relate to financial, reputational, operational, contractual or legal impacts. Additionally, prepare to share executive management’s guidance and information related to risk tolerance, as well as how the business unit manager aligns to the delivery of an in-scope product or service.
Mike Jennings, CBCP, MBCI, Senior Director, Disaster Readiness Program Office at Blue Cross Blue Shield of Massachusetts
In my opinion, this is one of the more challenging aspects to conducting a BIA. Most of us do not want to hear that we or our business unit is not critical or not worthy of a rapid recovery. I have seen cases where business unit managers dig in their heels and insist that they need recovery sooner. Human nature and ego play into this over inflated sense of value and in order to be successful you’ve got to tackle it head on. Some of the ways that I have been successful in doing this are framing, peer evaluation and senior leader validation.
Framing: I think that the situation has to be framed correctly from the beginning of the process. In other words, you’ve got to make sure that the participants understand the goals and objectives of the BIA. You have to give them an idea of the parameters of the analysis and then everyone working from the same assumptions.
When I conduct BIAs I inform the participants that:
- A major disruption of IT systems has occurred at the data center for all computer systems — there will be no availability for 30 days
- All network data lines are inaccessible
- Overtime, outside services, etc. are authorized and personnel can access their primary locations.
During workshops I emphasize the importance of realistic assumptions and data. I point out the fact that some will inevitably score their unit as super critical when, in fact, they may not be. My experience has demonstrated that if this situation is addressed up front, people are less likely to go down that path [of exaggeration].
Peer review the data: Bring all participants back into the room and lay out RTOs, RPOs, assumptions, critical processes, etc. There is nothing better, in my opinion, than one business leader asking a peer about why they scored something. This serves as a great equalizer and people tend to be better about their responses from the beginning.
Senior leader validation: Finally, you’ve got to get the data to the executive team for rationalization. A high level presentation of the data will help them to understand and will enable them to validate it. Believe me, they will let you know if something seems askew.
John Jackson, EVP at Fusion Risk Management
I have done several hundred BIA department or business unit interviews, and the issue of departmental personnel overstating their criticality, or “value,” is an age old problem. It usually manifests itself in the determination of financial impact and I have seen situations where the total of all the financial impacts from an outage exceeds the annual revenue of the organization — a perfect example of the problem.
I think the problem stems from the interviewee not being able to relate to the question being posed, and therefore the answer is subjective, not objective. So, what techniques can be utilized to address this issue? I think there are two: One on the front end and one on the backend.
The front-end approach involves working with a senior level of management to determine the key performance indicators (KPIs) by which the organization manages and measures itself. All too often, BIA questions and results are structured around three indicators: financial impact, operational impact and regulatory impact. Valid and important, you say? I agree, but possibly not the most important three measurements to every organization.
First, find out what is critical to the organization. Is it financial, sales, annual revenue, gross profit, net profit or another measurement? Then structure the questions around those measures, and that will lessen people broadly interpreting what financial impact means.
Second, when you say operational, does that mean customer satisfaction, fulfillment of orders, manufacturing capacity, off-shelf days? Again, don’t just say operating impact; narrow it to something that the interviewee can relate to and is consistent across the organization.
Third, I believe too many organizations focus on regulatory, which may not be an issue, so ask management about penalties in contracts, or cooperative agreements that may be more relevant.
Relate the types of impacts to the KPIs of the organization you are interviewing, not some time tested but generic impacts that elicit subjective, often overstated, responses.
Then, after you have conducted the interviews and gathered the data, spend time discussing the results with the management team to determine how they view the results you have gathered.
The age old adage “garbage in, garbage out” applies perfectly to this situation, so before all the analysis is done, take some time to see how management views the high level results. If you need to go back and verify information or dig a bit deeper, it can be done before you produce erroneous results.
Another adage, “measure twice, cut once,” applies here: Make sure your information is as good as possible, before distributing final BIA results.
Marianne Guinee, MBCI, Corporate Contingency Planning at HSBC
I think techniques vary depending on the type and size of the organization, and if you are doing the BIA ‘manually’ with interviews or via an automated tool. Remember that getting the best information possible the first time is far more effective than compensating for answers you receive.
Educating the people answering the questions will always get you a good return on investment. Ensuring the person answering the questions understands:
- That the questions refer to their department not being able to do its functions, opposed to those downstream of that department not being able to do their jobs.
- What is meant by things like financial impact or operational impact. In the pre-BIA training you provide ensure you are as specific as possible as to what you wish them to consider when answering the question. Some organizations design their BIA with many weighted questions and others with only a few. If you are using just a few questions, it is imperative that you are as clear as possible.
In addition to avoiding vague question, make sure you speak with senior management to ensure the BIA is set up to account for the key indicators of both the industry and the company.
If you are conducting your BIA with interviews, limit the number of people involved to more easily understand and see overlaps/overestimations of impacts.
Some compensating and evaluation of the results will always be required and you, the BCP team, are not the best qualified to do that — your senior management is. Once you put your draft ‘ranking’ together, send it to your business unit management team for their review and validation. They know their business line inside and out, and they will quickly see anything that really stands out, giving you a clear direction of where a much more in-depth review is required.
