GDPR questions and answers

Category:
IT Security

For BCP (ISO 22301) BIA and risk analysis purposes, should the heads of organisational units and asset owners be identified by name, or is the function/position sufficient?

ANSWER

In BIA (Business Impact Analysis) and risk analysis, it is important to identify those responsible for individual organisational units or assets, in order to establish their contribution to the organisation’s activities and the potential impact of their unavailability in the event of a crisis. Rather than providing names, it may be sufficient to list the functions or positions that are critical to the continuity of the organisation’s operations. For example, instead of a specific name, terms such as ‘IT department manager’, ‘production manager’, or ‘finance director’ may be used. Identifying roles in this way shows who is responsible for decisions and actions within a given organisational unit without naming individuals, which may be more flexible and better accommodate personnel changes within the organisation.

BCP ISO 22301: BIA and Risk Analysis | ODO 24 | ODO 24