BCM – How to determine the criticality of a process in a BIA?

Authors: Joris Bouve and Manu Steens

In BCM there is a lot of talk about time-critical processes (TCP), essential processes (EP) and necessary processes (NP).

Typically one uses as definition:

  • TCP: those processes that have to be restarted within two working days;
  • EP: those processes that do not have to restart within two days, but within two weeks;
  • NP: those processes that do not have to restart within two weeks, but within two months.

How critical a process is can also be approached differently: if the impact of an outage that lasts too long (e.g. > 2 days) becomes too much to handle, then you have to restart the process quickly (e.g. in < 2 days).

The question here is: how do you determine the criticality of a process?

Proceed as follows (see table below):

  • List the processes in the [process] column;
  • Determine, in the following columns, the impact on your service if the process fails.
  1. If the impact is of such a nature that the service is seriously compromised in the event of an outage that lasts more than 2 days, or if there is a legal provision that requires a restart within a period of 2 days, you describe that impact in the column [impact when outage > 2 days]. It is then a time-critical process. In the [process criticality] column, enter TCP.
  2. In the column [impact when outage > 2 days] you can also state what measures you will take to minimize the effect, or how you can still guarantee the intended service.
  3. If the impact is of such a nature that the service is seriously compromised in the event of an outage that lasts more than 2 weeks, or if there is a legal provision that requires a restart within a period of 2 weeks, you describe that impact in the column [impact when outage > 2 weeks]. It is then an essential process. In the [process criticality] column, enter EP.
  4. If the impact is of such a nature that the service is seriously compromised in the event of an outage that lasts more than 2 months, or if there is a legal provision that requires a restart within a period of 2 weeks, you describe that impact in the column [impact when outage > 2 months]. It is then a necessary process. In the [process criticality] column, enter NP.

In the column [dependencies] you enter which expertise, logistical means, IT resources, … you need.
As described under point 2), you enter in the column [criticality process] which category the process belongs to: time-critical, essential, or necessary.

Process | Impact when outage > 2 days | Impact when outage > 2 weeks | Impact when outage > 2 months | Dependencies | Criticality process
[name process] | [Description] | [Description] | [Description] | [Description] | TCP/EP/NP


Two examples:

  • The crisis management process. If this starts only after an hour, serious reputational damage can already be caused by, for example, incorrect communication in the media. It must therefore certainly be started within two days. The 2 columns next to it no longer need to be filled in. Under dependencies you put e.g. the required expertise, the meeting room, laptops, smartphones, communication tools etc. In the last column you place the decision on the chosen type of process, in this case TCP.
  • Process X must be able to start up within 5 days in August, because otherwise a rule from the legislation can be violated, with corresponding fines and reputational damage. You describe this in the column ‘impact when outage > 2 weeks’ and you choose the type of process ‘EP’. In dependencies you can, for example, write communication with the bank, the name of an administrative employee and the right software program.

This choice of type of process (TCP, EP or NP) can then be adopted one by one in the Business Impact Analysis. The dependencies can also be taken over.


Risk management strictly spoken – Key Risk Indicators and risk intelligence

Author: Manu Steens

An important concept in strategic risk management is that of risk intelligence.

Risk intelligence is a “systematic process for gathering and analyzing information about the risks of the organization’s business, to be able to make strategic decisions based on this and then to do better as a business in a competitive environment.” So it is a possible answer to competitive intelligence from potential opponents.

It is therefore more extensive than a classic risk analysis process with accompanying actions: it covers all relevant information.

The organization must therefore be capable of anticipating events and external impulses for change. Furthermore, it must be a process, because risks change, because strategies must be able to be adjusted, and because new risks constantly arise.

One class of possible predictors is indicators: KPI and KRI (Key Performance Indicators and Key Risk Indicators). I discuss the KRI here. (Please note: the KRI provides information; the analysis of this information, to turn it into knowledge, must still be done by the owners of the risk.)

KRI based on outcomes

Key Risk Indicators are often effect indicators. They measure whether the set objectives, the outcomes of the processes, have been met.

KRI on the basis of outcomes are effect indicators. Conversely, effect indicators can be considered a sub-class of the risk indicators. However, it is best to speak of effect indicators towards people who are averse to risk management as yet another topic that management adheres to.

But how do you achieve effect indicators?

Strictly speaking, by determining the outcomes of the process, the project, the objective. A trick to determine these outcomes is not to take the output of the processes or projects as the final stage of the activity, but the purpose of the activity. This can be done by describing the process / project in one or only a few sentences, and ending this description with one or more completions after the words “in order to …” or “so that …”.

Against these outcomes you set criteria that you then periodically want to keep an eye on, to see whether they are exceeded, show a trend, make a jump, and the like.

An example here can create clarity.

In the operation of a BCM manager, there is a process that starts with each cycle. This cycle can be described in ISO 22301, but also in the GPG of TheBCI.org.

An example for crisis communication: “Speaking to the media with one clear voice from the organization during the crisis”. This is an objective of the crisis management team, because the goal during a crisis is that the transfer of information is easily verifiable, as complete as possible and in accordance with the requirements of the moment. The undesirable outcome you risk is that a number of people wrongfully talk to the media, with all the wrong information flows that can follow from that. You can therefore do a measurement as follows:

T = “Sum of (The number of people who (unjustly) speak to the media) of the crises that month.”

You can then illustrate the measurement with smileys as follows:

Green smiley: 0 people

Yellow smiley: you do not use this one here

Red smiley: 1 or more people

Gray smiley: there was no need for communication to the media, because no crisis was handled that month.

KRI based on risk analysis

But there is also a second class of Key Risk Indicators, which are not based on the outcomes or targets set, but which refer back to the risk analysis of the process, the project or the objective(s).

An explanation of the method can most easily be illustrated with the Bow-Tie risk analysis method.

In the Bow-Tie method one can work predictively by looking at the left side (the preventive side) of the bow tie, where one has drilled down to the root causes of a desired or undesirable event.

Once the relevant causes have been inventoried, criteria must be established under which these causes occur. For example, (hypothetical) accidents among foresters peak when 15% of foresters have less than 1 year of experience in the sector and their supervisors are younger than 30. HRM can then draw up a KRI that tracks the age of the supervisors in combination with the experience of the foresters they supervise. When a new recruitment with this combination exceeds the criterion, a reorganization of seniors and juniors can be implemented, for example.

As one readily sees, these KRI are important precisely for their predictive power. They are predictive, whereas the outcome-based KRI show that something has gone wrong or is going wrong.
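To make the two KRI classes concrete, here is an added example (not code from the original article) that evaluates both the outcome-based media KRI with its smileys and the predictive, Bow-Tie based forester KRI. The records are constructed sample data; the reading of the forester criterion as "share of foresters who are both junior and supervised by someone under 30" is an assumption, as is the 15% breach threshold being applied to that share.

```python
from dataclasses import dataclass


@dataclass
class Crisis:
    """One handled crisis in the month (constructed sample record)."""
    name: str
    unjustified_media_speakers: int  # people who spoke to the media without a mandate


def media_kri(crises):
    """Outcome-based KRI from the article:
    T = sum over the month's crises of people who (unjustly) spoke to the media.
    Returns (T, smiley). Gray is reserved for a month without any crisis, so a
    0 from 'no data' is never mistaken for a green 0 from 'crises handled well'."""
    if not crises:
        return 0, "gray"
    t = sum(c.unjustified_media_speakers for c in crises)
    return t, ("green" if t == 0 else "red")


@dataclass
class Forester:
    """One forester with the age of their supervisor (constructed sample record)."""
    years_experience: float
    supervisor_age: int


def forester_kri(staff, junior_share_limit=0.15, supervisor_age_limit=30):
    """Predictive KRI derived from the Bow-Tie root cause in the article's
    hypothetical example: accidents peak when the share of foresters with
    < 1 year of experience AND a supervisor younger than 30 exceeds 15%.
    Returns (share, breached); an empty staff list yields no breach."""
    if not staff:
        return 0.0, False
    at_risk = [
        f for f in staff
        if f.years_experience < 1 and f.supervisor_age < supervisor_age_limit
    ]
    share = len(at_risk) / len(staff)
    return share, share > junior_share_limit


if __name__ == "__main__":
    month = [Crisis("warehouse fire", 2), Crisis("IT outage", 0)]
    print("media KRI:", media_kri(month))          # (2, 'red')
    crew = [Forester(0.5, 28)] * 2 + [Forester(3.0, 45)] * 8
    print("forester KRI:", forester_kri(crew))     # (0.2, True)
```

The gray state is the part worth copying: a KRI that reports green when there was simply nothing to measure hides the absence of data from the risk owner.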

That predictive indicators can make the difference between success and failure in the intended effect, and they are based on the results of the complete risk analysis, is a reason to carry out a complete risk analysis according to the American model.

The important thing about the KRI is that it is possible to adapt the existing strategies during the process. One can anticipate.

Risk Issues and Crisis Management in Public Relations – A Casebook of Best Practice

Authors: Michael Regester & Judy Larkin

In this book, the authors discuss risk management (although they only speak of risk issues) and crisis management as part of what they call ‘Issues management’ and that with an approach from the perspective of public relations. Here they give numerous examples in the form of case studies.

The book is divided into two parts: a section on the elaboration of issues management, which looks suspiciously like risk management because it has many similar building blocks, and a second section on crisis management, emphasizing both the importance of the teams and the communication aspects.

Issues management is working on the drafting of a procedure of issues management, in which a great deal of attention is paid to the components that the authors consider important. The whole is concluded with some overviews of concrete approaches in two existing organizations.

Concerning Crisis Management, it is the intention that you remember the following (not necessarily in this order and certainly not an exhaustive list):


  • Be the first to share, recognize first that there is a problem.
  • Rectify immediately any error that comes into the media.
  • Be complete, correct, honest, transparent and willing to communicate. Do not say things like ‘no comment’; if nothing is known yet, tell them you will leave no stone unturned until it is known how things happened.
  • Provide a place to speak to the press. It’s best to work one-on-one for the television channels. The latter can take a lot of time and energy and therefore it can be interesting to have a single TV interview set up in consultation with all channels.
  • Start communicating immediately, even if you do not have any information yet.
  • Always discuss the following topics in the following order:

    • People
    • Environment and environs
    • Properties
    • Money

And always talk first about the facts, then emotions and then state a vision of what you will do or are doing about it. Prevent a void in communication.

  • Always make sure that your actions are in the spotlight, and that you are heard.
  • Avoid creating bad blood among the public.
  • Visit the disaster site.
  • Acknowledge fault when it is proven, not before. Refer to experts for the evidence and do not be tempted into endless defense talk.
  • Never speculate about what you do not know.
  • If the press does not pay attention to you, do not walk away, stay in the area but do not pull any attention to your organization. Do not be a ‘sitting target’.
  • Do not ignore any media source.
  • Be willing to pay ex-gratia.

All this is extensively illustrated with cases where it worked and where it did not work.

Key Risk Indicators

Authors: Ann Rodriguez and Viney Chadha

In the book, the authors discuss the entire set-up and implementation of a Key Risk Indicators framework that can be used as an integral part of the Risk Management Framework, as a tool that can be used to support decision making in day-to-day management.

In the first chapter, the authors explain the foundations of KRI: measuring is after all knowing. That is why you also need to know that there are different types of indicators. The book covers Key Risk Indicators, Key Performance Indicators and Key Control Indicators.

Very important is the common language, the Risk taxonomy, which the people in the organization must speak. This is important, amongst other things, for the recognition of deviations that may occur in the measurements and / or the interpretation thereof.

But one of the most important aspects with regard to risk management and KRI is the culture of the organization. One aspect is how committed the employees are to achieving common objectives. Another is how well the three lines of defense have been developed and how well they work together.

In a few short chapters, the importance of the Enterprise Risk Management and the ERM Framework are discussed. The Operational Risk Management is discussed afterwards in a very extensive chapter. The most important program elements according to the authors are: risk and control self-assessments, scenario analysis, business environment assessments, data of internal losses, data of external losses, issues management and ultimately: the KRI.

In chapters 7, 8 and 9 the authors discuss the preparation of a KRI Framework, the life cycle of the KRI program and the KRI Project that implements everything. Chapters 10 and 11 deal with the use of KRIs and how you report on them, and what you report to whom, depending on what each audience does with the numbers … (the board does not need the same figures as Senior Management, for example).

In chapter 12, the authors discuss a tool that can determine whether an indicator is a “Key” indicator.

The story ends with a series of Case studies. The classic, Union Carbide in Bhopal could not be ignored. In addition, the authors also provide a number of KRI that could have yielded an alternative outcome. Finally, a number of concluding thoughts tell us that KRI must evolve from an art to a science. This book contributes to this.

The Psychology Of Information Security – Resolving conflicts between security compliance and human behavior

Author: Leron Zinatullin

In this book the author explains the human side of IT security. The IT security consultant has to bring about the desired outcome (an information-safer environment) by linking it to the behavior of the target group (the people in the organization).

But that requires knowing what the situation is, what the employees’ world is, what they view as their goals. And what they experience as being onerous.

Research shows that there are three objections to information-safe work by the employees:

  • There is no clear reason to comply with the IT security rules
  • The cost of fulfilling it is too high
  • There is an inability to comply with the rules

The author doesn’t claim that this list is exhaustive. The author does not go much further than the fact that you have to solve this with empathy for desired usability. How you do that is by communicating intensely with the target group. Unfortunately, the author proposes a classical scheme of communication, completely bilateral, one on one, instead of a communication in a network of people, many to many.

According to him, the goal of working on the information security culture is to show the employees that it can be an easy way of working. One of the explanations of a weak culture in this area is the “broken windows theory”: if a window falls in a neighborhood, the whole neighborhood will have to deal with a negative influence. But the theory would also work the other way around, and showing the good example is worthwhile.

Then the author talks about the psychology of compliance with the rules: this includes external and internal factors. The external factors include reward, punishment, competition. The internal factors include giving meaning, pleasure and interest. There are interactions between both groups of motivations, strengthening or weakening. In addition, other factors are decisive, such as autonomy, etc.

In the last chapter, the author gives a first glance at how to change the approach to security.