Analysing the entity and its context

This section provides guidance on how entities can analyse their operations and environment. This involves the identification of critical business processes, and the activities and resources that support them. The identification of internal and external interdependencies is also important. Once all of these elements have been identified, it is possible to analyse the consequences of a business disruption. This process is commonly referred to as a business impact analysis.

Link with risk management
Better practice entities are able to demonstrate a direct link between the entity’s risk management and business continuity management processes and activities. One way to do this is to share (or co-create) entity information that is necessary for both risk management and business continuity management. For example, a risk assessment for each core business function and IT service, which identifies the assets, threats, vulnerabilities and controls in place for each activity, would assist in analysing the entity and its context from a business continuity perspective. Disruption scenarios, to which the entity may be vulnerable, including the effect of interdependencies with third parties/suppliers are another valuable piece of information.

Identify critical business processes

The critical business processes of the entity are those processes essential to achieving business objectives. A structured approach to identifying critical business processes requires entities to:

• define critical business processes;
• categorise and rank critical business processes;
• identify interdependent business processes; and
• determine the minimum requirements for each critical business process.

Define critical business processes
It is important to have a clear and agreed understanding of the entity’s business objectives, and the critical business processes which ensure those objectives are met.
Good starting points to achieve this understanding are high-level planning documents such as corporate plans, business plans and operational plans. These plans have already documented the entity’s business objectives and assessments of key risks.

To assist in achieving consistency in terminology and common agreement in process definition, entities may wish to utilise a business process classification scheme. Classification schemes provide generic categorisations of business processes common to entities. An example of a classification scheme is provided in Figure 4. This diagram outlines the high level business processes categorised between strategic, business (operational), support and interdependent processes. Within each process classification are a number of major business processes.

Figure 4 - Example of a process classification scheme

Categorise and rank critical business processes
Critical business processes need to be ranked in order of their importance to the entity.
This ranking reflects the importance of the business process to achieving business objectives. The ranking of critical business processes may consider such issues as:

• failure to meet statutory obligations for service delivery;
• failure to meet key stakeholder expectations;
• loss of cash flows essential to business operations;
• the degree of dependency on business processes by internal business units or clients;
• cumulative damage to the entity by the disruption to the critical process; and
• reputational consequences.

To determine the ranking, it is important that the concerns of executive and senior management are obtained regarding business priorities and continuity issues. Structured interviews and/or facilitated group meetings are tools for gathering this information.

In a small or non-complex entity it may be possible to gather this information from one group meeting. This has the added advantage of ensuring participants are aware of all entity priorities and can agree on the ranking of critical processes, together with their corresponding activities and resources.

In a larger or complex entity it will generally be necessary to conduct a series of interviews or facilitated group sessions. In either event, it is important that the information collected through these approaches is reported back to the participants for their confirmation.