As the world continues to recover from the COVID-19 pandemic, some organizations are having a more difficult time bouncing back than others. Unfortunately, some businesses have had devastating outcomes such as massive layoffs, temporary closures, and even permanently going out of business. Some of these undesired outcomes may have been prevented or mitigated with a structured and well thought out continuity plan.
Continuity planning can occur at many levels including at the project, department, organizational, or enterprise level. At the project level, a business analyst considers what will happen if a project solution fails or underperforms. This is usually documented in the form of transition requirements. At the higher levels, a business analyst collaborates with organizational leaders in key areas to determine the steps that need to be taken in the occurrence of major events that significantly disrupt business operations. With that said, I’ll be discussing the role a business analyst can play in developing an effective continuity plan.
First, let’s discuss what a business continuity plan is. Essentially, this is a comprehensive plan to make operational changes that will allow an organization to continue business or services through a crisis, disaster, or operational disruption. The process of developing and maintaining this plan is known as business continuity planning. Typically, business continuity consists of the following three key areas:
- Risk Management – Identifying and Managing Risks (positive and negative). General responses to risk include avoiding, mitigating, transferring, and accepting risk. These are the steps taken before a risk occurs to prevent or reduce losses.
- Contingency Planning – Proactively planning the process of handling potential emergencies. This involves identifying steps that will be taken when a risk event occurs. This type of planning is considered a component within risk management and greatly improves the chances of surviving high impact situations and preventing major losses.
- Crisis Management – Reacting to a risk event that has occurred. This involves handling crises or disasters when they do occur according to the business continuity plan.
A common approach to continuity planning is to focus on core products and services while pausing operations on less important activities until the organization or business reaches a normal state. The general steps to create a business continuity plan are discussed below.
Business Impact Analysis
This involves identifying core operations and processes that the company cannot survive without and the tools and resources that support them. A business analyst would perform a current state value stream analysis to determine the activities that add the most value and are therefore the most critical to delivering products and services to the customer. The BA would use the value stream analysis to identify the stakeholders, information, resources, and material that impacts the organization’s ability to produce a product or service. This would also form a basis for assessing the impact of potential changes to any of the core activities and resources in terms of cost, impact, schedule, and urgency.
The BA would also perform a stakeholder analysis to determine individuals and groups involved in or impacted by the core operations and processes. The BA may use tools such as stakeholder lists, stakeholder maps, and org charts to identify relevant parties. Considerations for the stakeholder analysis would include the main functions of the stakeholders, their locations, key concerns, and how they are impacted by changes. A common question related to stakeholders when performing continuity planning is what is the minimum number of stakeholders needed to remain functional during a specific risk event.
Identify Key Threats and Impacts
Identifying key threats often involves understanding the organization enough to understand what impacts its revenue and value proposition. A tool a business analyst may use to identify risk is a SWOT analysis to identify internal and external threats that could potentially impact the organization. Each threat would be classified as a risk event and documented on a risk registrar. The BA will need to identify how unknowns, constraints, and dependencies contribute to risk, and how the risk can negatively impact the organization. Key organizational concerns for risk are lost sales/revenue, increased expenses, dissatisfied customers, loss of employees, as well as reputational and physical damage to the organization. In addition, the BA will need to understand the organization's risk tolerance, which could be risk-averse (unwilling to accept risk), neutral (some risk is ok), and risk-seeking (willing to accept risk for higher returns). Taking this into consideration will aid the BA in working with decision-makers to recommend a course of action.
Analyze and Treat Risk
Now that the risks have been identified, the BA will need to facilitate the analysis of these risks. This involves considering the likelihood and frequency of the risk occurring, estimating the level of risk (low, medium, high), and describing the consequences of the risks as they relate to business value and the ability to meet business objectives. This is usually described in terms of cost, duration of the risk event, quality of products and services, as well as reputation. These activities may be facilitated with the risk registrar and a risk impact scale. While considering the organization’s risk tolerance, all this information would be assessed to determine whether each risk event should be:
- Avoided - risk is removed or process adjusted to ensure it does not occur
- Transferred - the responsibility of the risk is moved or shared with a third party
- Mitigated – take actions to reduce the probability of the risk occurring
- Accepted – don’t do anything about the risk except create a workaround
- Increased - take on more risk to in exchange for greater opportunity or returns
The business analyst will collaborate with decision-makers and key stakeholders to step through scenarios of each risk event occurring and then define the appropriate response to these events.
Create a Readiness Plan
Now that the majority of the analysis work is done, how’s it’s time to document the steps that need to be taken in or to maintain continuity when the risk events occur. The main areas of concern during continuity planning are steps that need to be taken to maintain the safety of people, protect the physical structure of the entity, repurpose technology based on limited access, adjust relationships with vendors, and reduce reliance on suppliers. The plan will identify temporary changes or alternative resources for these elements. As every organization is different, several additional perspectives may be focused on as well.
To increase preparedness and the effectiveness of the continuity plan the BA will work with organizational leaders to determine a core team of business continuity leaders, who will be responsible for detailed training, protocol testing, as well as implementing and communicating the plan. This team will also be chiefly responsible for updating and maintaining the plan as new information is received, lessons are learned, and organizational objectives change. A key point to remember is that the continuity plan should be communicated to and rehearsed with stakeholders regularly to maintain readiness. The BA will collaborate with the decision-makers to assign roles to each team member. A roles and permission matrix may be a useful tool for this activity. It’s also likely that the business continuity team is established as an initial step in the continuity planning process to allow them to be a part of the plan development process. Key components of a business continuity plan include:
- Contact information for key stakeholders
- Instructions for using the plan
- Policies or industry standards used to develop the plan
- Procedures and response guidelines
Closing Thoughts
To recap, I’ve discussed what a business continuity plan is as well as the key elements that comprise the plan, which includes risk management, contingency planning, and crisis management. I also presented the business analyst role in the main components of creating a continuity plan, including business impact analysis, identify key threats and impacts, analyze and treat risk, and create a readiness plan. While there are a number of participants involved in developing a business continuity plan, a business analyst has the capabilities to increase the overall success and effectiveness of the plan in terms of development and implementation when an actual crisis or disaster occurs.
Author: Dr. Michael F. White, Founder and CEO of The Business Analysis Doctor, LLC
Michael has an extensive background in business analysis, project management, and coaching. He has even been recognized as a top 100 visionary in education. Michael has driven innovation at some of the top financial institutions in the nation, holds a Doctorate in Business Administration as well as CBAP, IIBA-AAC, and IIBA-CBDA designations. To learn more about The Business Analysis Doctor, LLC visit https://thebadoc.com