
Business Impact Analysis - An Overview Guide

What is a Business Impact Analysis?

A Business Impact Analysis (BIA) is a process that provides a greater understanding of how a business works and reveals the effects of losing critical parts of its business processes. It serves as the foundation for introducing a Business Continuity Management Plan (BCMP) and can be used to develop strategies and plans that allow the business to recover if a potential threat or event materialises.

Whilst a Business Impact Analysis is one of the requirements of the ISO22301 Business Continuity Management System standard, even if you’re not aligning with this standard, we would advise that an organization conducts a Business Impact Analysis and puts a Business Continuity Plan in place to reduce the impact of potential internal and external threats.


What does a Business Impact Analysis provide?

  1. A clear understanding of an organization’s most critical objectives.
  2. It allows Management to decide on a Maximum Tolerable Outage (MTO) for each function. The MTO defines the period of disruption that can be endured before the consequences are deemed unacceptable.
  3. The information to determine and recommend an appropriate recovery strategy.
  4. An outline of the dependencies, both internal and external, on which those objectives rely.

What are the 3 primary goals of a Business Impact Analysis?

  1. Determine Criticality – identify every critical business function and determine the impact of a disruption.
  2. Estimate Maximum Downtime – the maximum amount of time that the business can tolerate being without a function while still making a profit.
  3. Evaluate Resource Requirements – resources used for realistic recovery activities need to be thoroughly evaluated.

What are the objectives of a Business Impact Analysis?

  1. Prioritise the business’s objectives.
  2. Determine the critical deliverables of the business.
  3. Identify the critical resources required by the deliverables.
  4. Determine the impact of disruptions over time.
  5. Determine resumption timeframes for critical operations following disruptions.
  6. Provide information from where appropriate recovery strategies can be determined.

The BIA distinguishes between critical and non-critical business activities. Two values are assigned for each critical function:

  • Recovery Point Objective (RPO) – the maximum acceptable amount of data loss after an unplanned data-loss incident, expressed as a period of time.
  • Recovery Time Objective (RTO) – the maximum tolerable length of time that a computer, system, network, or application can be down after a failure or disaster occurs.
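The three figures above only become useful once they are compared with each other and with the IT systems a function actually depends on: an RTO longer than the MTO is contradictory, and a dependency whose measured restore time or backup interval is worse than the function's RTO or RPO is a recovery gap. The following script is an added example, not part of the original guide; all function names, system names and hour figures are constructed for illustration and would be replaced by the figures gathered during the BIA.

```python
"""Check BIA recovery objectives against the IT systems each function depends on.

Added illustration, not from the original guide. Every name and figure below
is constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class BusinessFunction:
    name: str
    mto_hours: float           # Maximum Tolerable Outage agreed by management
    rto_hours: float           # Recovery Time Objective
    rpo_hours: float           # Recovery Point Objective (acceptable data loss)
    depends_on: List[str] = field(default_factory=list)  # IT systems relied upon


@dataclass
class ITSystem:
    name: str
    restore_hours: float           # measured time to restore the system from backup
    backup_interval_hours: float   # how often the system's data is captured


def check_function(fn: BusinessFunction, systems: Dict[str, ITSystem]) -> List[str]:
    """Return a list of findings (plain strings) for one business function."""
    findings = []
    # Internal consistency: the recovery target cannot be later than the outage the
    # business says it can tolerate.
    if fn.rto_hours > fn.mto_hours:
        findings.append(f"{fn.name}: RTO {fn.rto_hours}h exceeds MTO {fn.mto_hours}h")
    # Dependency check: each IT system must be restorable within the RTO and
    # backed up at least as often as the RPO allows.
    for dep in fn.depends_on:
        system = systems.get(dep)
        if system is None:
            findings.append(f"{fn.name}: dependency '{dep}' has no recorded recovery capability")
            continue
        if system.restore_hours > fn.rto_hours:
            findings.append(
                f"{fn.name}: {dep} restore time {system.restore_hours}h exceeds RTO {fn.rto_hours}h")
        if system.backup_interval_hours > fn.rpo_hours:
            findings.append(
                f"{fn.name}: {dep} backup interval {system.backup_interval_hours}h exceeds RPO {fn.rpo_hours}h")
    return findings


def check_all(functions: List[BusinessFunction], systems: Dict[str, ITSystem]) -> Dict[str, List[str]]:
    """Findings for every function, keyed by function name (empty list = no gap)."""
    return {fn.name: check_function(fn, systems) for fn in functions}


def rank_by_mto(functions: List[BusinessFunction]) -> List[str]:
    """Function names ordered by how little outage the business can tolerate."""
    return [fn.name for fn in sorted(functions, key=lambda f: f.mto_hours)]


# Constructed sample BIA data (hypothetical functions and systems).
FUNCTIONS = [
    BusinessFunction("Order Processing", mto_hours=8, rto_hours=4, rpo_hours=1,
                     depends_on=["ERP", "Payments Gateway", "Warehouse Scanner"]),
    BusinessFunction("Payroll", mto_hours=72, rto_hours=24, rpo_hours=24,
                     depends_on=["HR System"]),
    BusinessFunction("Marketing Website", mto_hours=24, rto_hours=48, rpo_hours=24,
                     depends_on=["CMS"]),
]
SYSTEMS = {s.name: s for s in [
    ITSystem("ERP", restore_hours=6, backup_interval_hours=24),
    ITSystem("Payments Gateway", restore_hours=2, backup_interval_hours=0.5),
    ITSystem("HR System", restore_hours=12, backup_interval_hours=24),
    ITSystem("CMS", restore_hours=8, backup_interval_hours=12),
]}

if __name__ == "__main__":
    print("Priority order:", rank_by_mto(FUNCTIONS))
    for name, findings in check_all(FUNCTIONS, SYSTEMS).items():
        print(name, "-", "no gaps" if not findings else "")
        for f in findings:
            print("  *", f)
```

Run as a script it prints the functions in MTO order and, for each, the gaps found: in the sample data, Order Processing has three (the ERP restore time and backup interval both miss its objectives, and the warehouse scanner has no recorded capability), the marketing website's RTO contradicts its MTO, and payroll has none.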

Note: the BIA:

  • is not a facility risk analysis or assessment
  • is not a Risk Analysis
  • must be regularly reviewed and updated

Why is a Business Impact Analysis important?

The Business Impact Analysis is the foundation for the Business Continuity Plan. A BIA ensures that essential business functions are recovered quickly and continue to perform under all circumstances in an emergency. The BIA provides a methodical approach to examining, identifying, and prioritising the mission essentials listed below:

  1. Functional processes and recovery timelines.
  2. Vital hard copy and electronic records.
  3. Internal and external operational interdependencies.
  4. Personnel requirements.
  5. Office resources and supplies.
  6. Data system requirements.

What are the additional benefits of a Business Impact Analysis?

  1. Helps classify the business into services (ISO22300 calls these Mission Critical Activities)
  2. Helps divide the business into three or more logical sets of services
  3. Helps the business identify which strategy is best, which does not use a monetary and non-monetary approach
  4. It can be performed relatively quickly compared to formulating and implementing an incident management plan (IMP) or BCP
  5. It helps formulate one or more IMPs and BCPs against individual threats and impacts
  6. For those seeking ISO22301 certification, the Business Impact Analysis is a mandatory requirement
  7. A BIA can determine the scope of a Business Continuity Management System (BCMS)

The Business Impact Analysis Process

The BIA process consists of the following areas:

  1. Project Planning – Senior management commitment sets the objectives of the BIA project and a project team is assembled.
  2. Data Gathering – The team identifies the critical business functions and the tools and expertise required to perform each of them. Interviews are conducted to collect the data needed.
  3. Data Analysis – The team reviews the collected data and translates it into quantitative figures.
  4. Documentation – The BIA Report lists the findings and recommendations from the analysis and goes to the Senior Management Team (SMT). The report includes a list of critical IT and business functions with criticality levels.
  5. Management – The Management Team reviews the BIA and approves it as necessary. Note: Senior Management should estimate the potential financial (qualitative) loss for each business unit, projected over time.

Key questions to consider are:

  • What daily activities are conducted in each area of the business?
  • What long-term or ongoing activities are performed by each area of the business?
  • What would be lost if these business activities could not be accomplished?
  • How long could each business activity be unavailable (either completely or partially) before the business would suffer?
  • Do these activities depend on any outside services or products?
  • How important are the activities to the business?

What’s included in a Business Impact Analysis Report?

The Business Impact Analysis Report contains the following information:

  • Executive Summary
  • Objectives
  • Scope
  • Data gathering and analysis methodology
  • Summary of findings
  • Detailed findings:
    • Business function
    • Criticality and impact assessments
    • Maximum Tolerable Downtime assessment for each function
    • Dependencies, both internal and external
    • Correlation to IT systems
    • Initial impact findings
    • Feedback from departmental managers on the draft report
  • Charts and graphs to illustrate potential loss
  • Recommendations

It is important to take the time to produce a good Business Impact Analysis and report, as this provides a solid foundation on which to create, implement and embed a BCMS that will be effective during disruptive incidents.


Written by Ted Spiller, CertiKit’s Compliance Consultant. Ted has worked for many years in ISO standards and is an ISO22301 Auditor.

