By Daryl Lee Spiewak, CEM, TEM, Lead Trainer for the CEM Commission

Last month we discussed the Planning standards with a concentration on Risk Assessment. This month we continue our discussion of Planning standards with a concentration on Business Impact Analysis (BIA) requirements.

Planning Standards: Business Impact Analysis

The NFPA® 1600 version 2013 “Planning Standards: Business Impact Analysis” requires the entity to conduct a business impact analysis. “The entity shall evaluate the potential impact resulting from interruption or disruption of individual functions, processes and applications.”

• In addition, “The BIA shall identify those functions, processes, infrastructure, systems and applications that are critical to the entity and the point in time [recovery time objective (RTO)] when the impact of the interruption or disruption becomes unacceptable to the entity.” This requirement is similar to the activities performed during a Threat Hazard Impact Risk Assessment (THIRA).
• The standard next requires that the BIA “identify dependencies and interdependencies across functions, processes and applications to determine the potential for compounding impact in the event of an interruption or disruption.” Again, this requirement is similar to the activities performed during a THIRA. Many hazards have compounding effects, such as floods, hurricanes, tsunamis and dam failures, so this part isn’t really new. It simply has a few different terms from those that emergency managers were using.
• The third requirement is for the entity’s crisis management planning team to “evaluate the potential loss of information and the point in time [recovery point objective (RPO)] that defines the potential gap between the last backup of information and the time of the interruption or disruption.” This is new for many emergency managers, but is standard practice for information technology and computer disaster recovery folks.
• The final requirement states, “The BIA shall be used in the development of recovery strategies and plans to support the program.” This requires that the emergency manager use the results of the BIA in a manner similar to the results from the THIRA.

References

For information and discussion on “Planning Business Impact Analysis,” refer to NFPA® 1600 version 2013 Appendix A.5.3. through A.5.3.6. At this point, FEMA does not have any Independent Study courses or other related references for conducting a Business Impact Analysis. After FEMA publishes one, the exam will be modified to use the new IS course. Until then, please refer to the NFPA® 1600 version 2013 (pdf) which may be downloaded free here.

Next Month

Next month we will describe the Resource Needs Assessment requirements. We will also provide a recommended list of FEMA Independent Study courses and/or other references to study.

IAEM Bulletin, April 2014

AEM^® and CEM^® are registered trademarks of the International Association of Emergency Managers.