BIA and BCP Approval/Renewal OOB Workflow

sherry_norris
Tera Contributor

Hi all!!

For BIAs and BCPs, are there any OOB Approval/Review workflows documented that show lifecycles? For example, is there anything OOB that would show/document (allow 🙂 ) a BIA to go from draft, review, approval, and then back to review when a threshold is reached so it can be reviewed and approved again?

The same goes for BCPs. 

This is much like the lifecycle of a policy, standard, or policy exception, where you have an approval and an upcoming expiration. The owner is notified that it will expire, and it has to be reviewed and re-approved.

Can anyone point me to documented workflows/lifecycle diagrams, etc. OOB if they exist for BIAs and BCPs?

 

Thanks so much!!

 


Rana Baghdar
Mega Guru

Hi Sherry, 

Have you taken a look at the docs for BCM? 

BIA: https://docs.servicenow.com/bundle/sandiego-governance-risk-compliance/page/product/grc-business-continuity-management/task/create-business-impact-analysis.html

BCP:  https://docs.servicenow.com/bundle/sandiego-governance-risk-compliance/page/product/grc-business-continuity-management/task/create-bcp-plan-template-workspace.html

The different states and how they are triggered are mentioned there. From experience, the expires field is triggered when the plan is submitted and approved, and has a due date until the same date next year.

 

Hope this helps! 

🙂 

rahuldebaru
Kilo Contributor

It still is not clear how one can "review" a BIA/BCP after it is approved. By industry standards, all BIA/BCPs are required to be reviewed and reapproved at least yearly. Does this mean one has to create a new one every year?

Hi @rahuldebaru

 

If using OOTB functionality, then all BIAs and BCPs expire after 1 year; this is automatically defined by the system. The expiration date is set to be 1 year after the approval date. E.g., if something is approved on the 13th of February 2023, it will expire on the 13th of February 2024.

When a BIA or BCP expires, it is automatically moved to the state "archived", and these are displayed as overdue BIAs or expired BCPs in the BCM Workspace. 


 

Hence, all BIAs and BCPs are flagged by the system; however, as far as I know, there is no OOTB notification process for this.

 

When working with a BIA or BCP that is either overdue or expired, one is able to copy the same BIA/BCP, and all of the existing data will be copied over as well. The new BIA/BCP will be sent to the state "Draft", where one can either submit it for review or for approval. When approved, one can still go in and edit it until it expires; then one is also able to review and reapprove it yearly, as stated by industry standards.

 

Some relevant links: 
View approval state flows for a business impact analysis (servicenow.com)

View approval state flows for a business plan (servicenow.com)

Approval configuration (servicenow.com)

 

If this helps you out please hit the thumb icon and mark as correct 🙂 

 

-R

I'd love to see documented workflows also. 

My understanding is that OOB there is a notification that goes to the BIA Owner prior to the expires by date so that the owner can then click 'Edit' which resets the BIA back to Draft, allowing it to be edited and then go through the workflow to Approved. Once Approved, presumably a new 'Expires by' date is set (365 days from the new Approved date). No need to create a new one, thankfully. Depending on the change in the BIA, though, a script might have to be written to write back to the Business Process table to reflect current updates.