Business Impact Analysis, often abbreviated to BIA, is a key component of Business Continuity Planning (BCP). In this article, we will try to explain all you need to know about conducting an effective BIA, and in particular, help to answer some common questions about it, including:
Table of Contents
- Why is a business impact analysis important?
- What data does a business impact analysis gather?
- What should be included in a business impact analysis?
- What is the difference between business impact analysis and risk assessment?
- What is the goal and purpose of a business impact analysis?
- How often should a business impact analysis be performed?
So if you want to find out more, then please read on!
What is Business Impact Analysis?
Business impact analysis is a systematic process to determine and evaluate the potential effects of an interruption to critical business operations as a result of a disaster, accident, or emergency. One definition of business impact analysis says that it is ‘The process of analyzing the activities within an organization and the effect that a business disruption might have upon them.’ That’s a good, simple definition. Of course, when you get to the detail, there is a lot more to BIA than that. This could explain why some organizations struggle to understand what BIA is. Some aren’t even aware of it.
Business impact analysis (BIA) is a component of business continuity planning that helps to identify which activities and functions within the business are critical and non-critical to its operation. A BIA also determines the specific impacts of any disruptions in both financial and non-financial terms. It also determines how much downtime can be tolerated and the associated estimated recovery times and recovery requirements for different scenarios. The tolerable downtime is unlikely to be the same across the whole organization. For example, any downtime for a team that takes sales orders from retail customers will significantly impact your business, whereas you could probably manage without the staff restaurant for quite a long time.
How often should a BIA be done?
A BIA should first be performed as an early stage in formulating any business continuity plan. This will help you to focus your continuity planning activities on the parts of your business that are most critical to its operation and help you to define recovery strategies that will restore operations before the critical downtime is reached. The business impact analysis exercise should then be repeated annually, and again whenever there is a significant change to how the business is operated or a BCP test or live execution has identified any issues with the BIA.
Who carries out the analysis?
This can vary between different organizations. If the organization has a dedicated business continuity manager, then they should lead the activities, with assistance from an individual in each part of the organization. If this role doesn’t exist, then some organizations get the IT department to lead the activity, typically someone with IT service continuity management experience. Ideally, someone who is skilled and experienced in business continuity management should be involved. For many organizations this requires them to get help from a third party, either an independent consultant or a firm specializing in this field.
What are the different types of BIA?
There are 4 recognized types of business impact analysis. These should all be included in the scope of BIA, and the relationships understood and documented:
- Capabilities: These are business functions mapped to systems and processes. For instance, cash management is a high-level capability for any bank, which would involve many different parts of the organization and many different systems.
- Services: Typical services include customer service, IT support, and IT services as consumed by users.
- Processes: These are the normal operational practices of an organization, such as order fulfilment.
- Systems: These are the individual IT systems that support the IT services, such as individual servers or network equipment. The IT department usually conducts this type of business impact analysis as part of their IT service continuity and disaster recovery planning activities.
What is the difference between business impact assessment and risk assessment?
A BIA focuses on what the impact of any disruption would be to the business, irrespective of the cause of the disruption. In contrast, a risk assessment looks at all the different types of disruption and evaluates the likelihood of each risk materializing. A stand-alone risk assessment would also look at the impact of each type of risk. A BIA can provide the information for this in terms of the required recovery time objectives for critical functions. A business impact assessment concentrates on the impacts of the disruption to critical business processes and outcomes to calculate the financial and non-financial costs of the interruption, whereas a risk assessment evaluates the likely vulnerabilities.
Both BIA and risk assessments are critical components of business continuity planning.
What data does a business impact analysis gather?
A detailed questionnaire or survey is commonly used for capturing the required data. The data includes:
- Business processes
- Activities
- Resources
- Relationships
- Key personnel
- Systems used
- Contact information
- Dependencies and relationships
- Criticalities
- Recovery time objectives (RTO)
- Recovery point objectives (RPO)
All of this information is essential in assessing the potential impact of a disruptive event. The data can be collected in a number of ways, including in-person interviews and automated surveys. Follow-up interviews may be necessary to confirm understanding and fill in any gaps.
What is the goal and purpose of the analysis?
A good understanding of a BIA’s goal and purpose should always be obtained before you try and conduct one.
The goal and purpose of business impact analysis have several aspects, all related to identifying and prioritizing the business activities that need to continue during significant disruption to normal operation. The information gathered is used to understand and document the impact on the business. The goal and purpose include:
- Determine business activities and recovery criticality: These are identified and the impact of disruption to their processes is determined along with outage impacts and estimated downtime. The downtime should reflect the maximum that the organization can tolerate to stay in business.
- Identify resource requirements: Realistic recovery efforts require a thorough evaluation of the resources required to resume critical activities and related inter-dependencies as quickly as possible. The resources include facilities, personnel, equipment, IT systems, and data.
- Identify recovery priorities: Based on the results of the previous activities, resources should be clearly linked to critical business activities. Priority levels should be established for sequencing recovery activities and resources.
The outputs from a BIA are usually documented in a business impact analysis report. The information is then used to create a business continuity plan. The contents of the report should include these four key BIA parameters:
- The Maximum Tolerable Downtime (MTD) for each business activity. This represents the maximum amount of disruption time that the managers of the activity can tolerate. Determining MTD is important because it helps with prioritizing critical activities and the design of recovery procedures.
- A Recovery Time Objective (RTO). RTO defines the maximum amount of time that a resource can remain unavailable before there is an unacceptable impact on other resources, critical activities, and the MTD. Determining the RTO is important for selecting appropriate methods to restore operations before the MTD is reached.
- Recovery Point Objective (RPO). The RPO represents the status to which the operation and any underlying systems and data must be recovered after an outage. This is often a subset of normal operations and represents the minimum activity to keep in business whilst the underlying issues causing the outage are fully resolved.
- Critical Business Functions. These are the functions or departments of the organization that are critical to being able to provide services and products during any disruption.
What are the steps involved?
The detail of the business impact analysis steps will vary between organizations, according to how they are organized and what activities the business does. However, the same generic steps should be included in each approach. These are set out below. Following these steps will enable you to generate the necessary data for assessing the risks related to business continuity for your organization and assist you with developing effective BCP plans. So what is the first step in executing the business impact analysis process?
Step 1: Scope the BIA activity
It is important that you clearly define the scope of your business impact analysis exercise, including which business processes and resources will be included in the analysis and which services and products are in scope. This should be done formally by meeting with each part of the business and getting answers to these 3 questions:
- What is the reason for providing business continuity for your area?
- What do you want to safeguard?
- Who needs to participate in the analysis?
Taking this approach will help to identify the appropriate participants and gain management buy-in to BIA. However, the most important output is the identification of the in-scope services and products for business continuity planning. It allows BIA to be concentrated on maintaining the operations that support the most crucial processes and critical business functions of the company during a disruption. Once processes and resources are identified as being in scope, then the associated functions or departments should be selected for inclusion in the business impact analysis.
Step 2: Prepare for BIA interviews
After in-scope departments and operations have been defined, the next step is to hold focused meetings with each department, including management and subject matter experts. The attendees from the department need to have:
- Knowledge of the resources required for each operational process
- A detailed understanding of the daily tasks executed by the department
- A good understanding of the key objectives of the business and department
Step 3: Conduct BIA and risk assessment interviews
The purpose of these interviews is to document the tasks the department performs to deliver in-scope services and products. It is crucial to capture the key details for the completion of each identified activity, such as peak operation times, impacts of downtime, and any dependencies on others. These are some of the different types of dependency:
- Personnel
- Equipment
- Third-party vendors or suppliers
- Facilities
- IT systems and services
The interviews are also the perfect time to capture the MTD, RTO, and RPO for the department and its activities. They should also aim to discover any alternative suppliers or manual workarounds. A risk assessment should then be done to determine the possibility of loss and the effect of loss for each dependency on a sliding scale. These can then be used to determine a risk rating for each dependency.
Step 4: Create a business impact analysis report for each department
After each meeting, a report should be prepared to document the findings and outcomes. Each report should follow the same format and include any recommendations covering missing information. For example, not every department will know what their recovery time objective is without doing further work. The report should be reviewed and confirmed by the meeting participants, making any amendments as necessary. The departmental reports are then collated into a company-wide set.
Step 5: Create a BIA and risk assessment summary
Following the completion and approval of all departmental reports, the final step is to review them as a whole, address any gaps or inconsistencies, and then prepare a cross-organization summary. This is then passed to senior management for review and approval. The emphasis of this summary report should be on:
- Evaluating key risks and providing recommendations to manage them
- Verifying recovery times and how they relate to services and products
- Highlighting the critical services and products
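The risk rating described in Step 3 and the gap and consistency review in Step 5 are easy to get wrong once dozens of departmental reports are collated by hand. The following is an added example, not code from the original article. It assumes each departmental report has been captured as `Activity` records with MTD and RTO in hours, that each dependency was rated on an assumed 1–5 sliding scale for likelihood of loss and effect of loss, and that the product of the two is the risk rating (a common scheme, but an assumption here). The sample reports are constructed for illustration.

```python
"""Consistency checks over collated departmental BIA reports.

Added example, not code from the original article. It assumes the
rating scheme, thresholds and field names defined below.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Dependency:
    name: str
    kind: str          # personnel, equipment, supplier, facility, IT system
    likelihood: int    # 1 (rare) .. 5 (almost certain) chance of losing it
    impact: int        # 1 (negligible) .. 5 (severe) effect if it is lost

    def risk_rating(self) -> int:
        """Likelihood x impact on a 1..25 scale (assumed rating scheme)."""
        return self.likelihood * self.impact


@dataclass
class Activity:
    department: str
    name: str
    mtd_hours: float               # maximum tolerable downtime
    rto_hours: Optional[float]     # None: the department could not state it yet
    dependencies: list = field(default_factory=list)


# Assumed thresholds; a real programme sets its own.
HIGH_RISK = 15
RATING_SCALE = range(1, 6)


def validate_scale(dep: Dependency) -> None:
    """Reject ratings outside the agreed sliding scale."""
    if dep.likelihood not in RATING_SCALE or dep.impact not in RATING_SCALE:
        raise ValueError(f"{dep.name}: ratings must be between 1 and 5")


def check_activity(act: Activity) -> list:
    """Return gap and inconsistency findings for one activity (Step 5 review)."""
    label = f"{act.department}/{act.name}"
    findings = []
    if act.rto_hours is None:
        findings.append(f"{label}: RTO missing, needs follow-up with department")
    elif act.rto_hours > act.mtd_hours:
        # Recovery must complete before the MTD is reached.
        findings.append(f"{label}: RTO {act.rto_hours}h exceeds MTD {act.mtd_hours}h")
    for dep in act.dependencies:
        validate_scale(dep)
        if dep.risk_rating() >= HIGH_RISK:
            findings.append(
                f"{label}: high-risk {dep.kind} dependency '{dep.name}' "
                f"(rating {dep.risk_rating()})"
            )
    return findings


def recovery_priority(activities: list) -> list:
    """Sequence activities for recovery: shortest MTD first, then shortest RTO."""
    def key(a: Activity):
        rto = a.rto_hours if a.rto_hours is not None else float("inf")
        return (a.mtd_hours, rto)
    return [f"{a.department}/{a.name}" for a in sorted(activities, key=key)]


def summarize(activities: list) -> dict:
    """Cross-organization summary: recovery order, findings, high-risk dependencies."""
    findings = []
    for act in activities:
        findings.extend(check_activity(act))
    high_risks = sorted(
        ((d.risk_rating(), a.name, d.name)
         for a in activities for d in a.dependencies
         if d.risk_rating() >= HIGH_RISK),
        reverse=True,
    )
    return {"priority": recovery_priority(activities),
            "findings": findings, "high_risks": high_risks}


# Constructed sample departmental reports (illustrative only).
SAMPLE_REPORTS = [
    Activity("Sales", "Retail order intake", mtd_hours=4, rto_hours=2, dependencies=[
        Dependency("Order management system", "IT system", likelihood=3, impact=5),
        Dependency("Payment gateway provider", "supplier", likelihood=2, impact=5),
    ]),
    Activity("Finance", "Payroll run", mtd_hours=48, rto_hours=None, dependencies=[
        Dependency("Payroll clerk (single person)", "personnel", likelihood=4, impact=4),
    ]),
    Activity("Operations", "Warehouse dispatch", mtd_hours=24, rto_hours=36, dependencies=[
        Dependency("Main warehouse building", "facility", likelihood=1, impact=5),
    ]),
    Activity("Facilities", "Staff restaurant", mtd_hours=336, rto_hours=72, dependencies=[
        Dependency("Catering contractor", "supplier", likelihood=2, impact=1),
    ]),
]

if __name__ == "__main__":
    summary = summarize(SAMPLE_REPORTS)
    print("Recovery order:", summary["priority"])
    for line in summary["findings"]:
        print("FINDING:", line)
```

On the constructed data the summary flags the missing payroll RTO, the warehouse activity whose RTO is longer than its MTD, and the two dependencies rated 15 or above, and it orders recovery from the shortest tolerable downtime upwards, which is the sequencing the summary report needs to present to senior management.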
What are the five elements of a business impact analysis?
Every BIA should consider the following five elements:
- Management Support: getting support and approval from stakeholders and senior management teams is an essential activity for any BIA. This requires effective communication to inform and educate all on why the analysis is important.
- Critical Business Functions: identifying all critical business functions helps to determine which people will be most involved in BIA and BCP activities.
- Tools: BIA tools can greatly assist with documenting, reporting, analyzing, and gathering vital information.
- Procedures: after determining the business structure and any tools, the steps to conduct the BIA should be documented as procedures, and people assigned to do the tasks.
- Conclusions: this final element sums up all of the findings from the business impact analysis, including recommendations, plans, and next steps.
The Importance of the Analysis
So why is a business impact analysis important? Let’s look at some of the things that a BIA could do for your own organization:
- Help to define the scope of your business continuity program: One purpose of BIA is to identify the activities and resources that are required to deliver an organization’s critical services and products. This then helps to ensure that the scope of business continuity planning concentrates on these areas and may highlight any that were initially omitted.
- Help to justify spending on business continuity planning: Carrying out a BIA forces you to think about how much downtime can be tolerated for different activities and functions. If a cost can be applied to the downtime, this can be used when making the justification for developing and testing the full business continuity plan.
- Help to capture essential BCP data: The BIA process can help capture data that is essential for the BCP, including contact information for internal and external teams, the organization structure and team sizes, and recovery strategies that already exist.
Conclusion
BIA and BCP are very important related activities for any organization. A business impact analysis will help ensure that the critical parts of your business can continue to operate even in the event of disruptive external conditions beyond your control. I hope this article has given you enough information to persuade you of this necessity and has provided you with a guide to help you on your BCP journey.