BCM – How to determine the criticality of a process in a BIA?

Authors: Joris Bouve and Manu Steens

In BCM there is a lot of talk about time-critical processes (TCP), essential processes (EP) and necessary processes (NP).

Typically one uses as definition:

  • TCP: those processes that have to be restarted within two working days;
  • EP: those processes that do not have to restart within two days, but within two weeks;
  • NP: those processes that do not have to restart within two weeks, but within two months.

How critical a process is, can also be approached in a different way: if the impact of a too long outage (eg > 2 days) of the process becomes too much to handle, then you have to quickly (eg in <2 days ) restart the process.

The question here is: how do you determine the criticality of a process?

Proceed as follows (see table below):

  • List the processes in the [process] column;
  • Determine the impact on your service if the process threatens to fall out in the following columns.
  1. If the impact is of such a nature that the service is seriously compromised in the event of an outage that would last for more than 2 days or if there is a legal provision that requires a restart within a period of 2 days, you describe that impact in the column. in. There is then a time-critical process. In the [process criticality] column, enter TCP.
  2. 2 dagen].”>when outage > 2 days]. You can also state here what measures you will take to minimize the effect or how you can still guarantee the intended service
  3. If the impact is of such a nature that the service is seriously compromised in the event of an outage that would last more than 2 weeks or if there is a legal provision that requires a restart within a period of 2 weeks, you describe that impact in the column 2 dagen].”>when outage > 2 weeks]. in. There is then an essential process. In the [process criticality] column, enter EP.
  4. If the impact is such that the service is seriously compromised in the event of an outage that would last for more than 2 months or if there is a legal provision that requires a restart within a period of 2 weeks, you describe that impact in the column 2 dagen].”>when outage > 2 months]. It is then a necessary process. In the [process criticality] column, enter NP.

In the column [dependencies] you enter which expertise, logistic means, IT resources, … you need.
As described under point 2), you enter in column [criticality process] to which category the process belongs: time-critical, essential, or necessary

Process Impact when outage  > 2 days Impact when outage > 2 weeks Impact when outage > 2 months Dependencies criticity process
[name process] [Description] [Description] [Description] TCP/EP/NP


Two examples:

  • The crisis management process. If this starts only after an hour, serious reputational damage can already be caused by, for example, incorrect communication in the media. It must therefore certainly be started within two days. The 2 columns next to it need not be filled in anymore. With the dependencies, you put eg the expertises, the meeting room, laptops, smartphones, communication tools etc. In the last column you place the decision of the chosen type of process, in this case TCP.
  • Process X must be able to start up within 5 days in August, because otherwise a rule from the legislation can be violated, with corresponding fines and reputational damage. 2 dagen].”>when outage > 2 weeks’ and you choose the type of process ‘EP’. In dependencies you can, for example, write communication with the bank, the name of an an administrative employee and the right software program.

This choice of type of process (TCP, EP or NP) can then be adopted one by one in the Business Impact Analysis. The dependencies can also be taken over.


Risk management strictly spoken – Key Risk Indicators and risk intelligence

Author: Manu Steens

An important concept in strategic risk management is that of risk intelligence.

Risk intelligence is a “systematic process for gathering and analyzing information about the risks of the organization’s business, to be able to make strategic decisions based on this and then to do better as business in a competitive environment.” So it is a possible answer to competitive intelligence from potential opponents.

It is therefore more extensive than a classic risk analysis process with accompanying actions. It is all relevant information.

The organization must therefore be capable of providing for events and external impulses for changes. Furthermore, it must be a process because risks are changeable, and strategies must be able to be adjusted, and because new risks constantly arise.

One of the possible predictors are indicators: KPI and KRI (Key Performance Indicators and Key Risk Indicators). I discuss the KRI here. (Please note: the KRI provides information, the analysis of this information must still be done (to create knowledge) by the owners of the risk.)

KRI based on outcomes

Key Risk Indicators are often effect indicators. They measure whether the set objectives, the outcomes of the processes, have been met.

KRI on the basis of outcomes, are effect indicators. Conversely, impact indicators can be considered as a sub-class of the risk indicators. However, it is best to speak of effect indicators with regard to people who are averse to risk management as another topic that management adheres to.

But how do you achieve effect indicators?

Strictly spoken by determining the outcomes of the process, the project, the objective. A trick to determine these outcomes is not t take the output of the processes or projects as the final stage of the activity, but the purpose of the activity. This can be done by describing the process / project in one or only a few sentences, and ending this description with one or more completions after the words “in order to …” or “so that …”.

There you contrast criteria that you then periodically want to keep an eye on to see if they are exceeded, or show a tendency, or make a jump and the like.

An example here can create clarity.

In the operation of a BCM manager, there is a process that starts with each cycle. This cycle can be described in ISO 22301, but also in the GPG of TheBCI.org.

An example is for crisis communication: “Speaking to the media with a clear voice from the organization during the crisis”. This is an objective of the crisis management team, because the goal during a crisis is that the transfer of information is easily verifiable, just as fully as possible and in accordance with the requirements of the moment. The undesirable consequence that you are running is that a number of people wrongfully talked to the media with all the wrong information flows that can follow from them. You can therefore do a measurement as follows:

T = “Sum of (The number of people who (unjustly) speak to the media) of the crises that month.”

You can then illustrate the measurement with smileys as follows:

Green smiley: 0 people

Yellow smiley: youdo not use this one here

Red smiley: 1 or more people

Gray smiley: there was no need for communication to the media due to no crisis settlement that month.

KRI based on risk analysis

But there is also a second class of Key Risk Indicators, which do not base themselves on the outcomes or targets set, but which refer back to the risk analysis of the process, the project or the objective (s).

An explanation of the method can most easily be illustrated with the Bow-Tie risk analysis method.

In the Bow-Tie method one can predictively work by looking at the left side (preventive side) of the bow tie, where one has pierced through to the root causes of a desired or undesirable event.

Once the relevant causes have been inventoried, criteria must be established in which these causes occur. For example, (hypothetical) accidents among foresters peak when 15% of foresters have less than 1 year experience in the sector and their supervisors are younger than 30. Then one can draw up a KRI for HRM to find out what the age of the supervisors is. and the combination of the experience of their guests. When a new recruitment with this combination exceeds this criterion, for example, a reorganization of seniors and juniors can be implemented.

As one readily sees, these KRI are certainly important for their predictive power. They are predictive, where the KRI on the basis of outcomes show that something has gone wrong or something is going wrong.

That predictive indicators can make the difference between success and failure in the intended effect, and they are based on the results of the complete risk analysis, is a reason to carry out a complete risk analysis according to the American model.

The important thing about the KRI is that it is possible to adapt the existing strategies during the process. One can anticipate.