A methodological approach for developing a business impact analysis
- Published: Friday, 15 September 2017 09:30
While business impact analysis (BIA) is seen by many as the backbone of any business continuity management system (BCMS) it is lacking a formal methodology. Here, Alberto G. Alexander, Ph.D, MBCI, details nine methodological steps for developing a BIA and discusses information gathering methods and BIA project management aspects.
When developing and managing an effective BCMS, the backbone of its correct implementation is the business impact analysis (BIA) stage.
In this phase of a BCMS, according to ISO 22301:2012, an organization is required to determine the critical activities, the maximum tolerable period of disruption (MTPD), its recovery time objectives (RTO), and the minimum level at which each activity needs to be performed upon resumption. It’s a good practice at this stage to also determine the recovery point objective (RPO).
One of the main constraints that organizations encounter is how to develop a methodology to establish and document the prerequisites of a BIA in conformance with a specific standard or guideline. This article seeks to address this issue.
Methodological steps for developing a business impact analysis
The BIA “analyses the financial and operational impact of disruptive events on the business areas and processes of an organization” (Alexander, 2009). It is very important to be conceptually clear about this statement. The financial impact refers to monetary losses such as lost sales, lost funding and lost revenue. The operational impact represents non-monetary losses related to business operations and usually includes loss of competitiveness, poor customer service and damage to business reputation.
It is also crucial to understand that the findings of the BIA “enable an organization to determine the extent of the overall effort to recover from potential business disruption, and details the roadmap for developing the business continuity strategy and the incident management plan (IMP)” (Alexander, 2009). The BIA allows the organization to identify its critical business processes and their continuity requirements, which become the main inputs for the development of an IMP. “One of the fundamental aspects when developing a BIA is that it can help to determine whether or not the existing business continuity strategy addresses the recovery requirements” (Priti, 2017).
Figure one, below, illustrates the methodological steps for developing a BIA.
Figure one: Methodological steps for developing a business impact analysis
A brief description of the steps follows:
1) Define the boundaries of the BIA: the starting point prior to the development of the BIA is the identification of the scope of the BCMS within the organization. Strategically, top management should have identified the scope, considering the products and services of the organization. Several key criteria can be used to decide which products and services of the organization need to be protected to assure continuity, including: a) market pressure, b) specific company sites, c) products and services profitability. Once the scope has been established, it is recommended that its boundaries be outlined and precisely defined in terms of the activity with which they begin and the one with which they end.
2) Identify activities that support the scope: an activity is considered a process or set of processes undertaken by an organization (or on its behalf) that produces or supports one or more products or services. When the scope of the BCMS is delimited, the organization should identify all the activities involved in the scope that directly contribute to the generation of its products and services. A good tool that helps in this step is a flowchart.
3) Assess financial and operational impacts: the third step is to assess the financial and operational impacts that would affect the organization in the event of a disruption of the activities identified in the preceding step. The financial impact assessment is performed before carrying out the operational impact assessment.
(3a) The financial impact assessment: this measures the extent and severity of the organization’s financial losses. A financial impact assessment is carried out for each activity. The question to be asked is “What would the magnitude and severity of financial loss be if the activities were interrupted following a disruption?” The losses are estimated on a daily basis. Figure two offers an example of financial losses for a specific scope.
Figure two: illustration of financial impacts
The second part of the financial impact assessment ranks each impact in a severity level based on its monetary loss value. The following scale is recommended:
- Severity level 0: No impact
- Severity level 1: Minor impact
- Severity level 2: Intermediate level
- Severity level 3: Major impact
(3b) Operational impact assessment: the operational impact assessment measures the negative impact of a disruptive event on various aspects of business operations such as customer satisfaction, cash flow, profitability and image. Each organization will identify the appropriate operational impact criteria according to the industrial sector it belongs to and the nature of its activities. Figure three shows some criteria that focus on five different operational aspects (cash flow, profitability, portfolio, image and customer satisfaction) to illustrate the operational impact ranking of activities. The ranking value of each activity represents the level of negative impact in the event it is disrupted. The operational impacts can be measured using a quantitative ranking such as: none, low, medium, high, and highest.
Figure three: illustration of operational impacts
4) Identify critical activities: this step identifies the activities that have to be performed in order to deliver the key products and services, which enable an organization to meet its most important and time sensitive objectives. The financial and operational impact rankings assigned in step three provide a basis for identifying critical activities. An activity is considered critical if any of the following is true:
- A severity level of 2 or 3 is assigned to its financial impact;
- A ranking of high is assigned to at least three of its operational impacts;
- A ranking of high is assigned to at least two of its operational impacts and a ranking of highest is assigned to at least one;
- A ranking of highest is assigned to at least two of its operational impacts.
The critical activities listed in Figure four (below) were obtained by applying the above selection criteria to the impact rankings of business activities presented in figures two and three.
Figure four: critical activities
5) Assess MTPDs and prioritize critical activities: “The maximum tolerable period of disruption (MTPD) is the duration after which the viability of the organization will be irrevocably threatened if product and service delivery cannot be resumed” (Alexander, 2009). The estimates of MTPD can be based on either financial or operational impacts. The personnel responsible for assessing the financial and operational impacts are asked the following question: “What is the maximum period of time that can be tolerated for this process based on the financial and operational impact levels?” Suppose an activity loses US $25,000 per day of disruption and the cumulative loss becomes unacceptable once it exceeds US $50,000. The MTPD is then two days, since a disruption lasting any longer would push the cumulative financial losses above US $50,000. This example assumes that the operational impacts are insignificant relative to the financial losses.
Usually the analysis requires revising the financial and operational impacts of the disruption to estimate the MTPD. Once the MTPDs are calculated, a priority for their recovery should be established. A critical activity that has a shorter MTPD compared with another critical activity is assigned a higher recovery priority. Considering today’s connectivity and dependency on information technology, MTPDs tend to shrink and will probably be close to zero in the near future. Figure five presents the MTPDs and recovery priorities for the critical activities presented in Figure four.
Figure five: MTPDs and recovery priorities
6) Estimate the resources that each critical activity will require for resumption: in this step, the organization needs to estimate the resources required for resumption at the level of each critical activity. Previously, the firm should have identified the minimum level at which each critical activity needs to be performed upon resumption.
The sources that a business can use to determine the minimum acceptable levels of performance are the contractual agreements and service level agreements for the key products and services involved in the scope. The minimum resources needed for each activity can be classified as: (a) critical IT systems and applications, and (b) critical non-IT resources. This second category can be subdivided into: ‘physical areas’, ‘human competences’, ‘equipment’ and ‘documents’. An illustration of critical activities and resources needed for resumption is shown in Figure six.
Figure six: critical activities and resources needed for resumption
7) Determine RTOs for critical activities: “The recovery time objective (RTO) is the target time set for resumption of product, service or activity delivery after an incident” (Fullick, 2013). The RTO, which is the length of time between a disruptive event and the recovery of resources, indicates the time available to recover disrupted resources. The MTPD value expresses the maximum limit for the RTO value.
Exercising the business continuity management arrangements enables the organization to validate its RTOs and, therefore, to take corrective actions to reduce them. The cross-functional teams involved with the critical activities have the task of estimating the RTOs. Figure seven offers an illustration of the RTOs for the critical activities identified in Figure four.
Figure seven: RTOs and RPOs for critical activities
8) Identify all dependencies relevant to critical activities: in this step the organization has to “consider all dependencies relevant to the critical activities, including suppliers and outsource partners” (Alexander, 2009). The critical activities that have been considered usually have some vital inputs that are provided by other company processes or by external suppliers or outsource partners. The internal processes that supply important inputs to critical activities also have to be considered critical activities. In the case of external suppliers and outsource partners, contractual agreements requiring them to have a BCMS set up and managed should be in place. It is important to bear in mind that every company is only as resilient as the weakest link in its supply chain.
9) Determine recovery point objectives for critical activities: the recovery point objective is the amount of data lost because of a business disruption. The RPO is the time that it will take to investigate, repair and carry out all the arrangements needed to be able to activate the RTO. RPO is measured as the time between the last data backup and the disruptive event. In the BIA process, the RPO is determined for each application by asking the critical activity owners the following question: “What is the tolerance, in terms of length of time, to loss of data that may occur between any two backup periods?” The response to this question indicates the value of the RPO. Figure seven gives an example of RPOs for certain critical activities. The RPO must always be less than the RTO.
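The decision rules of steps 4, 5, 7 and 9 (the four criticality criteria, a financially based MTPD, RTO not exceeding MTPD, and RPO below RTO) can be applied mechanically once the impact rankings are collected. The following is an added example, not code from the article; the activity names, loss figures and rankings are constructed, and the five operational criteria are the ones named in step 3b.

```python
# Added example, not the article's code: BIA rules of steps 4, 5, 7 and 9 on constructed (made-up) data.
from dataclasses import dataclass

@dataclass
class Activity:
    name: str
    daily_loss: float        # US $ lost per day of disruption (step 3a)
    financial_severity: int  # severity level 0..3 (step 3a)
    operational: dict        # criterion -> none/low/medium/high/highest (step 3b)
    loss_threshold: float    # cumulative loss judged unacceptable (step 5)
    rto_days: float          # recovery time objective (step 7)
    rpo_days: float          # recovery point objective (step 9)

def is_critical(a: Activity) -> bool:
    """Step 4: an activity is critical if any one of the four rules holds."""
    levels = list(a.operational.values())
    high, highest = levels.count("high"), levels.count("highest")
    return (a.financial_severity >= 2 or high >= 3
            or (high >= 2 and highest >= 1) or highest >= 2)

def mtpd_days(a: Activity):
    """Step 5 on a financial basis: whole days before cumulative loss exceeds the
    threshold (25,000 per day against 50,000 gives 2); None without a daily loss."""
    if a.daily_loss <= 0:
        return None
    return int(a.loss_threshold // a.daily_loss)

def consistency_issues(a: Activity) -> list:
    """Steps 7 and 9: the RTO may not exceed the MTPD, and the RPO must be below the RTO."""
    issues, mtpd = [], mtpd_days(a)
    if mtpd is not None and a.rto_days > mtpd:
        issues.append(f"{a.name}: RTO {a.rto_days}d exceeds MTPD {mtpd}d")
    if a.rpo_days >= a.rto_days:
        issues.append(f"{a.name}: RPO {a.rpo_days}d is not below RTO {a.rto_days}d")
    return issues

def prioritize(activities) -> list:
    """Step 5: critical activities ranked so the shortest MTPD gets priority 1."""
    crit = [a for a in activities if is_critical(a)]
    crit.sort(key=lambda a: (mtpd_days(a) is None, mtpd_days(a) or 0))
    return [(rank, a.name, mtpd_days(a)) for rank, a in enumerate(crit, 1)]

# Constructed sample data covering each rule of step 4 and a near miss (two highs, no highest).
CRITERIA = ("cash flow", "profitability", "portfolio", "image", "customer satisfaction")
def ranks(*levels): return dict(zip(CRITERIA, levels))
ACTIVITIES = [
    Activity("Order processing", 25000, 2, ranks("high", "high", "medium", "high", "highest"), 50000, 1, 0.5),
    Activity("Customer support", 4000, 1, ranks("high", "high", "high", "medium", "low"), 30000, 3, 3),
    Activity("Payroll", 5000, 1, ranks("low", "low", "none", "highest", "highest"), 40000, 10, 1),
    Activity("Warehouse dispatch", 12000, 1, ranks("high", "high", "medium", "low", "medium"), 60000, 4, 1),
    Activity("Internal newsletter", 200, 0, ranks("none", "low", "none", "medium", "low"), 10000, 20, 7),
]

if __name__ == "__main__":
    print(prioritize(ACTIVITIES), [i for a in ACTIVITIES for i in consistency_issues(a)])
```

The two flagged activities show the checks a BIA reviewer would raise: an RTO set beyond the MTPD, and an RPO that equals rather than undercuts its RTO.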
Information gathering methods
Obtaining the information needed for the BIA from the relevant areas of the organization can be a complex and frustrating process. A structured methodological strategy should be developed, considering the magnitude of the BCMS scope. Three methods are recommended in the technical literature (Graham, Kaye, 2006) (Hiles, Barnes, 2001).
- Survey: the method uses a set of questions which are prepared in advance and sent to each activity owner. The survey allows a vast number of respondents to be covered. However, this method has two main constraints: (1) The accuracy of the responses suffers if the survey lacks internal consistency and reliability. (2) Survey responses may not be returned within the time allowed for this purpose.
- Interview: in this method the BIA information is collected by personally interviewing the activity owners. The questions can be tailored to each particular activity concerned. Although this method is very accurate and minimizes the possibility of misinterpreting the questions, it is more expensive than the survey approach and involves the additional effort of planning, scheduling, and conducting the interviews.
- Workshop: this method, which uses group dynamic techniques, allows a strategically chosen group of people to work together to provide the BIA information needed. Because of group dynamics, a large amount of data is generated in a short period of time with this method. This technique also allows the activity owners to gain a systematic view of the BIA process and to clear up any misunderstanding regarding it. In addition, an important side effect of this method is the teamwork spirit it helps to create among the owners of critical activities.
The choice of the appropriate method for gathering BIA information seems to be influenced by its cost, efficiency, and by the quality of the information. Sometimes the best methodological strategy is to combine these three techniques.
Business impact analysis project management
The BIA methodology is based on a task force approach. All the steps of the methodology are performed by a cross-functional group made up of the owners of critical activities. To put the methodology into action, someone at the tactical level with the appropriate support should be appointed as project manager. He/she becomes responsible for the resources that have been allocated to the BIA project.
Moreover, someone at the strategic level, with appropriate seniority and authority among other responsibilities, should be accountable for supporting the BIA process and ensuring that the BIA methodology is implemented in the most effective and efficient manner. It is important to understand that a BIA is developed within an organizational context.
Organizations are “power coalitions” (Cyert, March, 1963). It is highly probable that there will be organizational obstacles that could prevent a BIA project from accomplishing its goals.
If external consultants are involved, the project manager should ensure that the consultants work closely together with the critical activity owners.
The business impact analysis is the backbone of a BCMS. If the BIA is not correctly designed and developed, the company will not have accurate information to identify its threatening scenarios, create its business continuity strategies nor will it be able to design an appropriate incident management plan. The output information resulting from the BIA has a very important impact on all the stages of a BCMS.
In order to conform to the BIA requirements of the methodology presented in this article, the organization needs to use a sequence of methodological steps. Furthermore, in order that the goal of this methodology is accomplished considering cost, time and performance, the BIA has to be managed as a project. The BIA methodology is based on a task force approach.
A person from the tactical level and having the managerial abilities and experience in project planning, programming and monitoring should be assigned to carry out the BIA project in order that it is managed in an effective and efficient manner.
The BIA project also needs visible support from the organizational strategic level. Moreover, a very active role from the top management team is required to help to significantly reduce the organizational resistance that could hinder the performance of the BIA project.
Dr. Alberto G. Alexander holds a Ph.D from The University of Kansas and an M.A. from Northern Michigan University. He is an MBCI, BCMS IRCA Lead Auditor and Approved Tutor. He is the managing director of the international consulting and managerial training firm “Eficiencia Gerencial y Productividad”, located in Lima, Peru. He can be contacted at: email@example.com
- Alexander, Alberto. “A Methodology for Business Impact Analysis: The BS 25999-2:2007 Approach”. The Business Continuity Journal, Volume Three, Issue Four, UK, 2009.
- Priti, Sikdar. Practitioner’s Guide to Business Impact Analysis. CRC Press, New York, 2017.
- Fullick, Alex. Business Impact Analysis. Stone Road Press, Ontario, 2013.
- Hiles, Andrew. Business Continuity: Best Practices. Rothstein Associates Inc., Connecticut, 2004.
- Graham, Julia; Kaye, David. A Risk Management Approach to Business Continuity. Rothstein Associates Inc., Connecticut, 2006.
- Cyert, Richard; March, James. A Behavioral Theory of the Firm. Prentice Hall, New Jersey, 1963.
- ISO 22301:2012 Societal Security - Business Continuity Management Systems - Requirements.