Criticality is Not Aggregated
The next flaw is a variation of the previous flaw. BIAs do not aggregate process criticality across various interdependencies. That is, they do not provide a methodology to dynamically adjust a process’ criticality based on unplanned, but nevertheless present interdependencies that change the assumptions that were used when determining the process’ inherent criticality.
One such interdependency is location. Interruption of a process at a single location is one thing. Loss of that same process across all locations is a different thing entirely. Few events would interrupt a process across all of its locations, and those events are usually substantially mitigated. As such, the traditional BIA will typically determine criticality assuming that only one (or a few) locations have been impacted. However, what if despite best efforts, all locations have been interrupted? A traditional BIA will not provide the ability to adjust the process’ inherent criticality on-the-fly to accommodate the unlikely, but nevertheless manifested increased impact, nor will it offer any guidance on how the increased criticality effects other processes and resource allocation.
Another example of interdependency is the shared dependency on a common resource. Say for example, three processes all depend on Application ABC as a critical resource. Planning efforts have “ensured” that Application ABC will not be interrupted…it has been implemented with continuous availability and synchronous replication. As such, the three processes will never be interrupted concurrently, an assumption taken into account when defining their inherent criticality. However, now assume that Application ABC has been interrupted…despite best efforts its data has been corrupted across all instances. As a result, all three processes have been interrupted…a theoretical impossibility. The traditional BIA will do nothing to help reprioritize the three processes given their unplanned concurrent interruption, nothing to help you decide how their priority must change relative to other processes, and nothing to recommend how their resource needs should be reprioritized given their “new criticality”. In the traditional BIA, criticality is not aggregated…but it must be!