In our webinar “MTPDs, Ownership, Consensus: The BIA Essentials You Can’t Skip,” we shared practical ways to strengthen your Business Continuity program, covering impact criteria, risk tolerance, realistic RTOs and MTPDs, and leadership engagement. Here we answer the key questions posed by our audience, offering guidance on common BIA challenges like rolling reviews, prioritization, stakeholder fatigue, and recalibrating assumptions.
Whether you’re starting from scratch or fine-tuning an existing program, these Q&As offer actionable insights grounded in best practices. If you have any questions that are not answered here, get in touch.
1. Can annual BIA reviews be done via stakeholder forms rather than interviews?
Yes, to save time and prevent “BIA-fatigue” among stakeholders, self-assessment forms are an effective way of structuring the BIA reviews. This is particularly true for updates rather than complete reassessments. A couple of preconditions we recommend for this approach are:
- the initial BIA was conducted via detailed interviews and/or workshops
- there have been no significant organizational or process changes
- the form is structured with clear guidance and pre-populated prior data
For critical processes or where there are known changes, we recommend conducting interviews or follow-up workshops to validate assumptions and uncover hidden dependencies.
2. Are rolling BIAs a good idea (e.g., tier 1 annually, tier 2 every second year, etc.)?
Yes, but it’s important to capture major changes in the organization or the operating environment and flag them in the risk and change monitoring process, as such changes may affect the criticality of services. Our recommendation is to use both a fixed review cycle (e.g., every 12 months) and event-driven triggers. Rolling reviews can be done cleverly by reviewing a subset of BIAs on a quarterly basis and prioritizing tier 1 services so that they are reviewed on at least an annual basis. This keeps the program manageable without going stale. This approach:
- aligns with risk-based prioritization encouraged in ISO 22301
- prevents “BIA fatigue” among stakeholders
- deters over-inflation of criticality since higher tiers face more frequent scrutiny
3. Should Leadership set MTPDs and business owners set RTOs? Also, how do we engage them in the process?
This division of responsibility aligns with best practice:
- The Leadership Team sets the Maximum Tolerable Period of Disruption (MTPD) based on clearly defined impact criteria and strategic risk appetite
- Process/Resource Owners define Recovery Time Objectives (RTOs) to deliver continuity within that tolerance
Often, we see major gaps when RTOs are set for a process or resource based on SLAs or operational factors without taking into account business requirements or critical dependencies. Conversely, there can also be a tendency from the business to overstate the importance of individual resource RTOs, without considering redundancies that can help bridge the gap. Ensuring that these gaps are clearly identified and discussed leads to engagement and helps prioritize work and investments.
To engage leadership, we would stress the importance of clearly defined impact criteria that help put abstract discussions into the context of actual impact, whether it is revenue, compliance or reputational risk. Impact scenarios, what-if simulations, and tabletop exercises with leadership participation also help drive engagement and validate BIA results.
4. How do you assess critical functions with strong contingency plans?
This is an important aspect of the BIA: assessing the risk of exceeding the MTPD in a disruption often tends to get overlooked. Functions with strong contingency options or plans, such as manual workarounds or alternate sites, will still be critical, but they generally need less attention. The criticality is based on the function and what its output is. As a next step, you can assess the risk of exceeding the MTPD/RTO with existing redundancies and plans taken into account. A discussion of how feasible the redundancies are (as they may increase workload in the short term) is important during validation of the BIA results. One way to validate this is to score impact with and without contingency measures during the BIA mapping.
To navigate these discussions, we recommend stakeholders consider RTO as a measure of how urgently the recovery needs to start, based on tolerable impact, not a measure of how robust the backups are.
5. What about prioritization? Are all people, processes, and technology part of the business continuity program?
During dependency mapping, we strongly encourage organizations to consider all people, processes, and technology. However, grounding the BC program in clear definitions of impact and risk acceptance helps focus resources on the most critical functions and services. Not every asset needs detailed continuity plans, but dependencies must be understood and documented. All components should be mapped, but planning effort should be proportional to risk and impact.
6. What is expected during the BIA review and what does recalibration mean?
BIA reviews are mainly intended to ensure that previous assumptions about criticality, dependency mapping, and risk assessments are still valid. Therefore, it’s important to check for:
- organizational changes (new processes, vendors, technology)
- shifts in impact tolerances or changes in strategy
- changing risks from external factors, real-life incidents, etc.
- updated recovery capabilities, e.g., new disaster recovery platforms
By recalibration, the organization ensures alignment between potential impact, response and resilience investments. This means:
- adjusting RTOs/MTPDs based on new data
- validating and, if required, updating assumptions from previous BIAs
- ensuring recovery priorities reflect the current business reality.