Business impact analysis is a key part of the ISO22301 standard as much of what comes after it (Risk assessment, strategies, plans etc.) is based on its conclusions so its worth spending some time to get it right. You’ll need to get the most appropriate people fully involved in the process so that they not only contribute their understanding of how your business activities work, but they also feel some ownership of the conclusions which will help later when you’re asking them to write some plans.
The Toolkit provides a business impact analysis workbook which prompts for the main items of information to be identified and recorded. The first is to list the main business activities of the organization together with their purpose, resources dedicated and legal constraints (workbook tab Key business activities). For a large organization there may be very many activities and the BIA may need to be split into more manageable parts in order to cover the whole company. There may already be a centralized list of business activities in existence within the organization in which case it makes sense to use that (as long as it is reasonably current). Focus on those activities that are generally regarded as the most important ones first as this will give you a head start. There may be some less well known activities that turn out to be important but this is relatively rare, so concentrate your efforts on the areas of greatest reward at least initially.
After listing the key business activities, you then need to assess the impact of each one not happening (workbook tab Impact of Disruption). Impact can be in different areas such as finance (loss of revenue, cashflow etc.), customers (they may be unable to run their businesses if you don’t provide this activity, or end users may be affected sometimes significantly depending on the products and services you provide) or reputation (will customers or clients come back after you have rectified the problem?). The other factor is how quickly these impacts are felt; some activities might have a gradual impact if they are not delivered whereas for others the effect could be immediate. Use the workbook to set out, for each activity in turn, how the impact builds in each area over time to give an overall impact rating (total score).
On the next workbook tab, Key Targets, this analysis will then give you an indication of two important factors used in business continuity:
The RTO may be the same as the MTPD but often it makes sense to make it a shorter time to allow for delays in recovery. On this worksheet we also need to assess how much of the activity you need to provide as a minimum e.g. the level of degraded service. This is referred to by the ISO22301 standard as the Minimum Business Continuity Objective, or MBCO. The last key target, the Recovery Point Objective (RPO), is particularly relevant to IT systems where data needs to be recovered to a specific time before the failure occurred (e.g. no more than one hour before). All of these factors are important when we start to consider business continuity strategies and plans to meet them and the cost of achieving that.
We also need to assess and document what resources are needed across the board to recover each activity over time. Otherwise we may find we don’t have enough desks or computers or space etc. to recover everything according to the plan. The recovery process may need to happen gradually and so resources may be added at key points. The idea is to work out how much of each resource will you need and when in order to meet your minimum business continuity objective (MBCO) for each activity. The total of these will tell you your overall requirement for planning purposes.
At the end of the BIA we should have a clear understanding of what is needed for recovery purposes and when, based on a solid understanding of the organization.