What is a Business Impact Analysis?
A Business Impact Analysis (BIA) is a process to provide a greater understanding of how a business works and reveals the effects of losing critical parts of your business processes. It serves as a foundation for introducing a Business Continuity Management Plan (BCMP) and can be used to develop strategies and plans for a business to recover in the case of a potential threat or event happening.
Whilst a Business Impact Analysis is one of the requirements of the ISO22301 Business Continuity Management System standard, even if you’re not aligning to this standard, we would advise that an organisation conducts a Business Impact Analysis and puts a Business Continuity Plan in place to reduce the impact of potential internal and external threats.
What does a Business Impact Analysis provide?
A clear understanding of an organisation’s most critical objectives.
It allows Management to decide on a Maximum Tolerable Outage (MTO) for each function. The MTO defines how long a disruption to that function can be endured before its consequences are deemed unacceptable.
The information to determine and recommend an appropriate recovery strategy.
An outline of the dependencies, both internal and external, on which those objectives rely.
What are the 3 primary goals of a Business Impact Analysis?
Determine Criticality – identify every critical business function and determine the impact of a disruption.
Estimate Maximum Downtime – the maximum amount of time that the business can tolerate while still making a profit.
Evaluate Resource Requirements – resources used for realistic recovery activities need to be thoroughly evaluated.
What are the objectives of a Business Impact Analysis?
Prioritise the business’s objectives.
Determine the critical deliverables of the business.
Identify the critical resources required by the deliverables.
Determine the impact of disruptions over time.
Determine resumption timeframes for critical operations following disruptions.
Provide information from where appropriate recovery strategies can be determined.
The BIA distinguishes between critical and non-critical business activities. Two values are assigned for each critical function:
Recovery Point Objective (RPO) – the maximum acceptable amount of data loss after an unplanned data-loss incident, expressed as an amount of time.
Recovery Time Objective (RTO) – the maximum tolerable length of time that a computer, system, network, or application can be down after a failure or disaster occurs.
Note: the BIA:
Is not a facility risk analysis or assessment.
Is not a Risk Analysis.
Must be regularly reviewed and updated.
Why is a Business Impact Analysis important?
The Business Impact Analysis is the foundation for the Business Continuity Plan. A BIA helps ensure that essential business functions recover quickly and continue to perform under all circumstances during an emergency. The BIA provides a methodical approach to examine, identify, and prioritise the mission essentials listed below:
Functional processes and recovery timelines.
Vital hard copy and electronic records.
Internal and external operational interdependencies.
Personnel requirements.
Office resources and supplies.
Data system requirements.
What are the additional benefits of a Business Impact Analysis?
Helps classify the business into services (ISO22300 calls these Mission Critical Activities).
Helps define the business into three or more logical sets of services.
Helps the business identify which strategy is best, which does not use a monetary and non-monetary approach.
It can be performed relatively quickly compared with formulating and implementing an incident management plan (IMP) or a BCP.
It helps formulate one or more IMPs and BCPs against individual threats and impacts.
For those seeking ISO22301 certification, the Business Impact Analysis is a mandatory requirement.
A BIA can determine the scope of a Business Continuity Management System (BCMS).
The Business Impact Analysis Process
The BIA process consists of the following areas:
Project Planning – Senior management commitment sets the objectives of the BIA project and a project team is assembled.
Data Gathering – The team identifies the critical business functions and the tools and expertise required to perform each of them. Interviews are conducted to collect the data needed.
Data Analysis – The team reviews the data collected and translates it into quantitative figures.
Documentation – The BIA Report lists the findings and recommendations from the analysis and goes to the Senior Management Team (SMT). The report includes a list of critical IT and business functions with criticality levels.
Management – The Management Team reviews the BIA and approves it as necessary. Note: Senior Management should estimate the potential financial (qualitative) loss for each business unit, projected over time.
Key Questions to be considered are:
Daily activities conducted in each area of the business.
Long-term or ongoing activities performed by each area of the business.
Potential losses if these business activities could not be accomplished.
How long each business activity could be unavailable (completely or partially) before the business would suffer.
If these activities depend on any outside services or products.
How important the activities are to the business.
What’s included in a Business Impact Analysis Report?
The Business Impact Analysis Report contains the following information:
Executive Summary
Objectives
Scope
Data gathering and analysis methodology
Summary of findings
Detailed findings:
Business Function
Criticality and Impact Assessments
Maximum Tolerable Downtime Assessment for each function
Dependencies, both internal and external, enumerated
Correlation to IT systems explained
Initial Impact findings
Feedback from departmental managers on the draft report
Charts and graphs to illustrate potential loss
Recommendations
It is important to take the time to produce a good Business Impact Analysis and report as this will provide the solid foundation to create, implement and embed a BCMS that will be effective during disruptive incidents.