
Business Impact Analysis with ISO22301

 

Business impact analysis is a key part of the ISO22301 standard, as much of what comes after it (risk assessment, strategies, plans etc.) is based on its conclusions, so it’s worth spending some time to get it right. You’ll need to get the most appropriate people fully involved in the process so that they not only contribute their understanding of how your business activities work, but also feel some ownership of the conclusions, which will help later when you’re asking them to write some plans.


What does your business actually do?

The Toolkit provides a business impact analysis workbook which prompts for the main items of information to be identified and recorded. The first is to list the main business activities of the organization together with their purpose, resources dedicated and legal constraints (workbook tab Key business activities). For a large organization there may be very many activities, and the BIA may need to be split into more manageable parts in order to cover the whole company. There may already be a centralized list of business activities in existence within the organization, in which case it makes sense to use that (as long as it is reasonably current). Focus first on those activities that are generally regarded as the most important ones, as this will give you a head start. There may be some less well-known activities that turn out to be important, but this is relatively rare, so concentrate your efforts on the areas of greatest reward, at least initially.

What happens if it can't work normally?

After listing the key business activities, you then need to assess the impact of each one not happening (workbook tab Impact of Disruption). Impact can be in different areas such as finance (loss of revenue, cashflow etc.), customers (they may be unable to run their businesses if you don’t provide this activity, or end users may be affected, sometimes significantly, depending on the products and services you provide) or reputation (will customers or clients come back after you have rectified the problem?). The other factor is how quickly these impacts are felt; some activities might have a gradual impact if they are not delivered, whereas for others the effect could be immediate. Use the workbook to set out, for each activity in turn, how the impact builds in each area over time to give an overall impact rating (total score).

RTOs and MTPDs...

On the next workbook tab, Key Targets, this analysis will then give you an indication of two important factors used in business continuity:

  • Maximum Tolerable Period of Disruption (MTPD) – how long before the impact becomes unacceptable to the organization
  • Recovery Time Objective (RTO) – the target time to recover the activity to at least partial operation

The RTO may be the same as the MTPD, but often it makes sense to make it a shorter time to allow for delays in recovery. On this worksheet we also need to assess how much of the activity you need to provide as a minimum, e.g. the level of degraded service. This is referred to by the ISO22301 standard as the Minimum Business Continuity Objective, or MBCO. The last key target, the Recovery Point Objective (RPO), is particularly relevant to IT systems where data needs to be recovered to a specific time before the failure occurred (e.g. no more than one hour before). All of these factors are important when we start to consider business continuity strategies and plans to meet them, and the cost of achieving that.

And finally resources...

We also need to assess and document what resources are needed across the board to recover each activity over time. Otherwise we may find we don’t have enough desks, computers, space etc. to recover everything according to the plan. The recovery process may need to happen gradually, so resources may be added at key points. The idea is to work out how much of each resource you will need, and when, in order to meet your minimum business continuity objective (MBCO) for each activity. The total of these will tell you your overall requirement for planning purposes.

At the end of the BIA we should have a clear understanding of what is needed for recovery purposes and when, based on a solid understanding of the organization.
