This resource explores what the business impact analysis (BIA) is, how to get started, and provides access to an easy-to-use BIA and Risk Assessment Worksheet to carry out your first business impact analysis or to improve existing BIAs.
What is a business impact analysis?
A business impact analysis (BIA) is a method for analyzing how disruptions may impact an organization. The analysis considers the timescales of a disruption, as well as its intensity, and looks at the resulting impacts on important products and services, and on the processes and activities that support them.
The BIA is an ongoing process, with analyses taking place periodically or when a significant change is made within the organization.
The outcomes of BIAs are:
- Mapping of impact types
- An assessment of cascading impacts as an incident develops
- Identification of tolerance for different impacts, including an assessment of the point in time where impacts would become unacceptable to the organization. (This is termed the MTPD – the maximum tolerable period of disruption – and is expressed as a timescale in minutes, hours, or days.)
- Establishment of recovery time objectives (RTOs) – the planned timescale within which impacted aspects of the organization need to be resumed
- Strategies for incident response and achieving resumption within the RTOs.
What is the purpose of a business impact analysis?
Many organizations struggle to understand why a BIA is so important. However, when you think about business continuity as a long-term process, the BIA is the requirements gathering portion of the process. Just like a project manager wouldn’t start executing a project without clear requirements, the same is true for business continuity: a BIA should deliver clear requirements. Specifically, the business impact analysis:
Provides confirmation of business continuity program scope
The BIA identifies the business activities and resources necessary to deliver the organization’s most important products and services. By understanding how the organization delivers its products and services, the BIA process may uncover activities or resources that were not originally in the program’s scope. Also, by understanding activity and resource impacts associated with disruption, the organization can identify which activities and resources need to be performed, regardless of circumstance, which may have an impact on the program’s scope.
Identifies legal, regulatory, and contractual obligations
Many organizations do not have a clear, unified understanding of obligations. In fact, it is very rare to see any entity within an organization that has a full grasp of what is required during a disruption, and what the implications are if the organization cannot meet those obligations. The BIA enables the organization to create a thorough understanding of these obligations and to enable the appropriate level of business continuity planning to achieve compliance.
Provides clarity on business continuity strategy spend
One of the most valuable aspects of the BIA is the estimation of impacts tied to downtime. Understanding financial, reputational, contractual, legal/regulatory, operational, and other impacts enables the organization to develop the business case, with appropriate justification, to select, implement, and maintain business continuity strategies. With proper justification, the organization is set up to identify and implement the capabilities needed to meet recovery objectives, resulting in the appropriate spend.
Captures preliminary plan content
The BIA process can be used to begin the data collection effort for business continuity plans. When performing the BIA, the organization can begin to collect business continuity plan content, such as existing controls and recovery strategies, team and staffing requirements, internal and external contact information, and other resource-specific information required for the business continuity plan. Once this information is collected, the organization can begin to populate the business continuity plan and present a starting point to those charged with creating and maintaining the plans (as opposed to starting with a blank template).
Business impact analysis and risk assessment
The BIA and risk assessment are often talked about at the same time, and that’s because many business continuity programs perform them together (or in close coordination). Here are the key distinctions between a BIA and a risk assessment:
- A BIA is particularly focused on establishing business continuity requirements, identifying resource dependencies, and justifying proposed business continuity requirements by estimating the impacts associated with downtime. A risk assessment focuses on understanding the likelihood and severity associated with a loss of the activity and resources with the objective of establishing a prioritized list of risk treatments to decrease the likelihood that the organization experiences a disruption to its ability to deliver products and services.
- Some organizations, and some other risk disciplines, perform risk assessments based on an evaluation of potential threats (commonly called hazard and vulnerability analysis – HVA); however, in business continuity, we conduct a risk assessment based on failure modes (this approach is sometimes called failure modes and effects analysis). The reason is simple – it’s hard to identify all the threats that could interrupt a business! It is more practical to look at core failure modes – specifically the disruption of resources needed to perform an activity.
So, the how-to instructions below will provide you a way to complete both a BIA and risk assessment together!
How to conduct a business impact analysis
There are five key steps when conducting a business impact analysis:
Step one: Scope the business impact analysis
The first step in performing a successful BIA is to ensure that the right business activities and resources are in-scope. This is done using a scoping meeting. During this meeting, four questions should be addressed:
- Why are we doing business continuity?
- What are we trying to protect?
- 'How much' business continuity do we need?
- Who should be involved in the program?
The scoping meeting does several things for a business continuity program. Specifically, it aligns leadership on program objectives, determines the right program participants, and allows for tailored governance documentation. The most important output of this meeting, however, is identifying the in-scope products and services for an organization’s business continuity program. Identifying products and services allows the organization to focus the business continuity program on maintaining operations that support the most important aspects of the business during a disruption.
Once products and services are identified as in-scope, required departments (or business functions, depending on your organization’s nomenclature) and the subordinate activities should be identified for inclusion in the BIA process. A BIA should consider all departments that complete activities needed to deliver products and services to stakeholders, consistent with expectations.
Step two: Schedule business impact analysis interviews
After identifying in-scope departments and activities, schedule a one-hour meeting with each department’s leadership as well as any required subject matter experts. Send a meeting invite informing them of the purpose of the business impact analysis, the meeting objectives, and the required preparation.
Of note, it is important that meeting participants represent the department at the right level. Participants should have:
- An understanding of the organization’s key priorities (as they relate to products and services);
- A thorough understanding of the day-to-day activities completed by the department; and
- An understanding of the resource dependencies required to complete each business activity.
Step three: Execute BIA and risk assessment interviews
Interviews should determine the activities the department performs that support the delivery of in-scope products and services. For each identified activity, it is important to capture the steps necessary to complete the activity, peak operation times, downtime impacts (i.e. reputational, contractual, operational), and the dependencies that are required to perform each activity.
The following dependency types should be documented:
- Third-party suppliers (vendors)
- Other departments (interdependencies)
It is important that, for each dependency, a description of its use, manual workarounds or alternate suppliers (as appropriate and if known), and recovery time and recovery point objectives (if applicable) are captured. In addition, conduct the risk assessment by assigning a 1-10 value for the likelihood of loss and impact of loss for each dependency. Once all data is collected, these numbers can be multiplied together to provide a risk rating for every dependency.
In addition to dependencies, it is important to understand if the department has experienced any event that has prevented it from completing operations in the past. These are higher risk events that merit strong planning.
Step four: Document and approve each department-level BIA report
Following each department-level meeting, a documented report with the results of the meeting should be completed. These reports should contain all pertinent information that was captured during the interview, as well as recommendations based on the information collected. A great example is recommendations regarding recovery time objectives based on the impacts estimated.
After the report is drafted, distribute it to the meeting participants. The meeting participants will review the document, make any necessary edits or changes, and approve the report. Each department-level report is a 'puzzle piece' necessary to establish organization-wide business continuity requirements for management’s review and endorsement.
Step five: Complete a BIA and risk assessment summary
After all department-level meetings and reports have been completed and approved, it is time to complete an organization-wide BIA and risk assessment summary to enable management’s review and approval. The purpose of this summary is to provide an overview of the key activities, resource requirements, and risks identified during the department-level meetings. Additionally, this report is used as an opportunity to make risk treatment recommendations for the key risks that were identified.
After coordinating the department-level BIA conclusions, the BIA and risk assessment results and recommendations should be presented to leadership (typically, the Business Continuity Steering Committee). While presenting to leadership, a focus should be placed on:
- Revisiting the products and services identified previously
- Verifying the requested recovery times and their alignment to products and services
- Presenting key risks and recommendations to address them
These recommendations should be prioritized for leadership by focusing on achieving the right level of resilience (based on the guidance provided during the scoping meeting) and the development of strategies to address the loss of necessary activities and resources.
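The dependency scoring from step three (a 1-10 likelihood of loss multiplied by a 1-10 impact of loss) and the prioritized risk list from step five, as an added worked example that is not part of the original article or the Riskonnect worksheet. The dependency data and MTPD values are constructed, and the check that a requested RTO must fall within the MTPD of the activity it supports is an assumption drawn from standard continuity practice rather than a statement on this page.

```python
from dataclasses import dataclass

# Constructed sample data for one department-level BIA interview (not from the article).
# Each dependency carries the 1-10 likelihood-of-loss and impact-of-loss scores assigned
# in the interview, plus the recovery time objective (RTO) requested for it, in hours.
@dataclass(frozen=True)
class Dependency:
    activity: str
    name: str
    kind: str          # "supplier" or "department": the two dependency types documented
    likelihood: int    # 1-10 likelihood of loss
    impact: int        # 1-10 impact of loss
    rto_hours: float

def risk_rating(dep: Dependency) -> int:
    """Risk rating = likelihood x impact, after checking both scores are on the 1-10 scale."""
    for score in (dep.likelihood, dep.impact):
        if not 1 <= score <= 10:
            raise ValueError(f"{dep.name}: score {score} is outside the 1-10 scale")
    return dep.likelihood * dep.impact

def prioritize(deps):
    """Prioritized risk treatment list: highest rating first, ties broken by impact."""
    return sorted(deps, key=lambda d: (risk_rating(d), d.impact), reverse=True)

def rto_exceeds_mtpd(deps, mtpd_hours):
    """Flag dependencies whose requested RTO is longer than the MTPD of the activity they
    support. Assumption (standard continuity practice, not stated in the article): an RTO
    must fall within the activity's MTPD, otherwise the requirement cannot be met in time."""
    return [d for d in deps if d.rto_hours > mtpd_hours[d.activity]]

SAMPLE_DEPS = [
    Dependency("Payroll run", "Payroll SaaS vendor", "supplier", 3, 9, 24),
    Dependency("Payroll run", "HR department (timesheets)", "department", 5, 6, 48),
    Dependency("Order fulfilment", "Courier contract", "supplier", 6, 7, 4),
    Dependency("Order fulfilment", "Warehouse IT", "department", 4, 8, 8),
]
# MTPD per activity, in hours, as agreed in the interview (constructed values).
SAMPLE_MTPD = {"Payroll run": 72, "Order fulfilment": 4}

if __name__ == "__main__":
    for d in prioritize(SAMPLE_DEPS):
        print(f"{risk_rating(d):3d}  {d.activity:18s} {d.name}")
    for d in rto_exceeds_mtpd(SAMPLE_DEPS, SAMPLE_MTPD):
        print(f"RTO {d.rto_hours}h exceeds MTPD {SAMPLE_MTPD[d.activity]}h: {d.name}")
```

Running it lists the four dependencies in treatment priority order and flags the one whose requested recovery time would already breach the activity's tolerance, which is exactly the kind of inconsistency the department-level report should surface before the summary goes to leadership.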
The business impact analysis and risk assessment data gathering worksheet
Using the form below you can obtain a business impact analysis template provided by Riskonnect. This is designed to help you capture all the essential information for your first departmental BIA or to help you improve existing BIAs.
After submitting the form you can access a fully editable template designed to help you quickly capture all the essential information for a departmental business impact analysis, including activities, dependencies, requirements, and risks.