EAFLOW · CASE · INSURANCE

A BIA by graph traversal, not by interviews and spreadsheets

A leading insurance organization, with an operation in Argentina, validated the Discovery phase of Operational Continuity & Resilience over the corpus it already had loaded in EAFlow —modernized processes, inventoried IT portfolio and migrated risk-and-control catalog—: a preliminary BIA built by traversing the Operational Graph, the critical process ↔ application dependencies exposed as a query, the disruption risks anchored to the existing catalog and an RTO / RPO baseline with documentary gaps identified, before committing to the implementation of BCP, DRP and drills.

The validation, over real operational data, showed that criticality is built on traced data and not on assumptions: critical processes identified by a graph query, dependencies and disruption risks connected, and a BCM readiness report as an input to decide the scope and the schedule of the implementation.

See Operational Continuity & Resilience Operational validation · early adopter

The challenge

Insurance-sector organizations with an operational-continuity function face the same pattern every time they start or renew their BCM program. The problem is not the lack of will: it is that the BIA starts from scratch and the operational context lives scattered.

The Business Impact Analysis is built with interviews, spreadsheets and manual consolidation. Each cycle repeats the effort because the previous result stayed in a static document.
The critical processes are listed in a spreadsheet, but the list does not appear next to the applications that support them, nor the disruption risks that apply, nor the plans that cover each node.
The dependencies are mapped in silos: IT keeps its application map, Operations its critical-process map, Risk its continuity-risk map, and they do not cross.
The RTO / RPO objectives are agreed in committee and stay separated from the real operational architecture; any change forces a manual re-review of whether they remain coherent.
The BCP / DRP plans live as loose documents in a folder, and the drill evidence stays in minutes and emails, with traceability that is rebuilt at each audit.
Committing to a full BCM program at once, without first having identified the critical processes, the dependencies and the real gaps, invites over-scoping the project.

Continuity is not held up by blank spreadsheets. It is held up by a BIA built over the corpus the organization already has loaded and connected to the graph.

The EAFlow solution

Operational Continuity & Resilience is a cross-cutting solution in the Risk, Control and Continuity area, built on the common Operational Graph layer of EAFlow Platform. This validation covered its Discovery phase: a scoped Discovery that leverages the operational corpus already loaded by the client to build the continuity foundation before committing to the later implementation. The validation covered, over the corpus of the client's operation, the continuity Discovery scenario:

Preliminary BIA by graph traversal. The Discovery builds the Business Impact Analysis by traversing the processes of the modernized corpus, their supporting applications and the disruption risks of the already-loaded catalog. Criticality is identified over traced data and validated with the continuity team —it is not invented from scratch.
Critical process ↔ application dependencies visible. The traversal exposes which applications support which critical processes and which disruption risks apply over each node. The information was scattered; the Discovery consolidates it as a navigable foundation.
Disruption risks anchored to the existing catalog. The risks of the assurance catalog already migrated to the graph are filtered for those that apply to continuity, and are connected to the identified critical processes and applications. The connection is preliminary; its binding productization is left for the implementation.
RTO / RPO baseline per critical process. Preliminary recovery-time and recovery-point objectives are recorded against the processes identified as critical. The baseline is a starting point for validation with the team, not a contractual commitment.
Documentary gaps identified. The Discovery maps which BCP, DRP, recovery procedures, contacts and drill evidence exist in the client's document repository, and which are missing. The gap between the current state and full coverage is made explicit.
BCM readiness report. The Discovery closes with an executive report —critical processes, mapped dependencies, connected disruption risks, documentary gaps and RTO / RPO baseline— as an input for the sponsor to decide the scope and the schedule of the implementation.
Three roles of the continuity model declared. The Discovery declares the three roles that operate the model in the implementation (Continuity owner, Risk and IT-governance owner, IT operations team) and how each consumes the continuity graph. It does not activate them; it declares them.

The Discovery is assisted, not automatic: it identifies candidate critical processes by graph traversal and validates them with the team. The actual level of access to each corpus and to the document repository is confirmed by maturity and technical validation; when a corpus is not loaded, the Discovery declares the gap and proposes its prior or parallel loading.

What was validated

The experience was run over the operational corpus the client already had loaded: modernized processes, inventoried IT portfolio and migrated risk-and-control catalog. The team went through the full Discovery: identification of critical processes by graph traversal, mapping of process ↔ application dependencies, filtering of disruption risks over the existing catalog with a preliminary connection to process and application, recording of the RTO / RPO baseline per critical process, an inventory of the existing plans in the document repository and explicit identification of the gaps. The close was a BCM readiness report with a recommended scope and a phased roadmap.

Demonstrated capabilities

Operational Graph as the common continuity-context foundation.
Preliminary BIA by graph traversal, with criticality over traced data validated by the team.
Critical process ↔ application dependencies mapped over the client's inventory.
Disruption risks filtered from the existing risk-and-control catalog and connected preliminarily to process and application.
Preventive and recovery controls referenced to the disruption risk.
Preliminary RTO / RPO baseline per critical process, as a non-contractual starting point.
Inventory of existing BCP / DRP / procedures / evidence and a documentary-gaps report.
Three roles of the continuity model declared and a BCM readiness report delivered.

Observed outcome

The BIA moved from "being built from scratch with interviews and spreadsheets" to being built by graph traversal, with criticality anchored to traced data and validated with the team. The process ↔ application dependencies, previously scattered in silos, became visible as a graph query; the disruption risks of the existing catalog became connected to the processes and applications; and the RTO / RPO baseline with the documentary gaps was recorded as a starting point.

The validation confirmed that the Discovery is executed over the client's real operation and delivers an actionable BCM readiness report, leaving the decision on the scope and schedule of the implementation —binding BIA, connected BCP / DRP, drills, resilience dashboard— in the hands of the sponsor, with the Discovery as evidence and not as a forced commitment.

Why it matters for other organizations

The pattern repeats in insurance-sector organizations that start or renew their BCM program: the BIA starts blank, the critical processes live without connected context, the dependencies are in silos and the plans are loose documents, while committing to a full program at once is perceived as risky. Demonstrating, over the client's operation, that a preliminary BIA is built by traversing the already-loaded corpus —with dependencies, disruption risks and gaps identified— turns an "all or nothing" decision into one informed by evidence.

Starting with a continuity Discovery over the existing graph is also a low-risk entry point: the same Operational Graph that holds the processes, the IT inventory and the risk catalog later holds the later continuity model.

How it scales — related solutions

The continuity foundation raised in the Discovery is reused on the same Operational Graph:

Toward later implementation of the accelerator Operational Continuity & Resilience
The natural next phase —binding BIA, agreed RTO / RPO, BCP / DRP connected to their processes and assets, drill logging with evidence, an executive resilience dashboard, continuity-governance alert flows and ownership transfer to the team.
Toward full risk and control Risk & Control Assurance
Connecting the disruption risks to the full catalog —with tests, findings, action plans and evidence— closes the risk-control-evidence-plan trail over the common graph.
Toward process knowledge Process Knowledge
When the modernized process corpus gains depth of roles, applications and documents, the BIA gains operational context.
Toward the application inventory Live IT Inventory
Deepening the IT portfolio —with vendors, criticality, dependencies and integrations— refines the dependency model and the functional-criticality model of continuity.
Toward living documents Document Governance & Evidence
When the BCP / DRP, procedures and evidence enter document governance with a traceable approval and publication flow, the continuity model gains control over the validity of its plans.

Assess my use case See Operational Continuity & Resilience