A business impact analysis (BIA) is a key part of the business continuity process that analyzes mission-critical business functions. A BIA also identifies and quantifies the potential effect that losing those functions -- operational or financial -- might have on the organization.
A BIA is critical in assessing the cost of a business disruption and how technology disaster recovery (DR) activities play a role in mitigating it. A BIA has several crucial elements: executive backing; a deep understanding of the organization; and BIA tools, processes and findings.
SearchDisasterRecovery has created a free, downloadable business impact analysis template to assist you in your business continuity (BC) management planning. Download and print out the template, and then read the step-by-step guide and best practices below to create a BIA.
The importance of a business impact analysis
Conducting a BIA is an excellent way to learn about an organization. In addition to identifying recovery priorities and time frames, a BIA can identify opportunities for process improvement.
Filling out the BIA template outlines an organization's most important components and departments and shows where it's most vulnerable. The organization can then assess and prioritize its various functions. This process is valuable not just in the context of BCDR, but for general business well-being. The BIA also notes legal, competitive, reputational, compliance and regulatory requirements.
BIA results are a key component when defining BCDR strategies, which are important for any business. Through a BIA, an organization can examine two metrics:
- Recovery time objectives (RTOs). The maximum amount of time it can take to recover from an incident.
- Recovery point objectives (RPOs). The amount of data it can afford to lose.
Both metrics are used to formulate BCDR plans.
Because the BIA is an evolving document -- and should be reviewed periodically -- it provides an opportunity for the business to analyze itself and identify areas of improvement.
Preparing a business impact analysis
BIAs represent the first step in analyzing a business and focus on people, processes, technology and facilities. Once a BIA is completed, a risk analysis identifies the risks, threats and vulnerabilities the organization faces, particularly situations that could disrupt business operations. The risk analysis helps determine how the identified risks might affect specific business operations. Assuming all business functions are performing normally, the organization should be fully viable, competitive and financially solid. Among the goals of these activities is the desire to prevent unplanned events from happening and, if they do occur, to mitigate their severity.
BIAs help BCDR professionals identify business priorities and the resources needed to support them. Questionnaires must be formulated to gather data using remote or in-person interviews. People with in-depth knowledge of and experience with the business functions being analyzed are ideal candidates for BIA interviews.
Cloud-based and automated BCDR planning tools often include BIA and risk analysis modules to facilitate data gathering and analysis. It can be useful to include an incident description as part of the interview process. Examples of such situations include the following:
- The business unit's portion of the building is destroyed.
- All records, data files, technology, supplies and other support systems are lost.
- Some key personnel aren't available.
- Primary business processes are affected immediately and for at least 30 days.
- The disaster occurs during a peak processing period for the business unit.
Incident descriptions help frame an interviewee's response so it can be aligned with specific risks and threats.
The final BIA report should provide details on system and application RTOs; critical data RPOs; use of remote working; reliance on internal and external systems and applications; and the financial, operational and reputational implications of a disruption to the business.
Tips for performing a business impact analysis
Ultimately, the BIA's purpose is to identify, document and prioritize the importance of mission-critical business processes. Here are a few tips to keep in mind:
- Secure the support of senior management. Given the nature of BIAs and the time they require, senior management buy-in can help provide funding for the BIA and ensure cooperation from employees during the data-gathering phase.
- Take the BIA process seriously. Although it can take a great deal of time to gather and analyze BIA data, BIAs need the right information, and it should be current and accurate.
- Use the new BIA standard. ISO/Technical Specification 22317:2015, Societal security -- Business continuity management systems -- Guidelines for business impact analysis (BIA), released in 2015 by ISO, provides useful guidance to improve the BIA process.
- Keep it simple. Gathering the right information is critical; the associated BIA template provides a baseline for gathering information. If a one-page BIA summary provides the relevant information versus one with dozens of pages, it's perfectly acceptable.
- Review results with business units. Once the plan is complete, review the findings with business unit leaders and the IT department to validate the assumptions.
- Be flexible. Use the BIA template as provided, or modify it to suit your project's requirements.
Using the business impact analysis template
The structure and content of the BIA template suggest key issues to address and activities to perform. The template can be easily organized and managed in a standard spreadsheet. If you're using an automated BIA tool, follow the steps provided by the tool, and enter data where indicated:
- Business unit name. Enter the business unit's name.
- Head count. Enter the number of full-time staff in the business unit and, optionally, part-time staff and contractors, if applicable.
- Parent process. Describe the principal activities the unit performs, such as sales, contractor interface or investor relationship management.
- Priority ranking. Enter a number for subjective ranking of process importance.
- RTO. Enter a time frame -- one hour or one week, for example. RTO values indicate how quickly a parent process must return to business almost as usual following a disruption.
- RPO. Enter a time frame -- one hour or one day, for example. RPO values represent the point in time before a disruption up to which loss of parent process data is acceptable.
- Parent process depends on. Enter names of organizations, processes and technologies, such as the internet or specific applications the parent process needs for normal operation.
- Parent process required by. Enter names of organizations and processes that depend on the parent process for normal operation.
- (Optional) Sub-process. Enter a description of supporting activities the unit performs, such as sales or financial analysis.
- (Optional) Priority ranking. Enter a number for subjective ranking of sub-processes and their importance to the business unit and/or the company.
- (Optional) RTO. Enter a time frame in which the sub-process must be recovered and restarted following a disruption.
- (Optional) RPO. Enter a time frame marking an acceptable loss of sub-process data following a disruption.
- (Optional) Sub-process depends on. Enter names of organizations, processes and technologies the sub-process depends on for normal operation.
- (Optional) Sub-process required by. Enter names of organizations and processes that depend on the sub-process for normal operation.
- Quantitative impact. Enter a financial amount -- such as annual revenue generated by the process -- associated with the parent process.
- Qualitative impact. Enter a nonfinancial impact to the company -- loss of reputation or customers -- associated with the parent process.
- Time needed to recover staff. Enter the estimated time to activate the minimum number of staff needed by the business to help it recover and resume operations.
- Recovery strategy. Enter specific actions the business unit and/or company can take -- such as work from home or relocate to an alternate work area -- to recover the business and resume operations to a minimally acceptable level.
- Technology and services recovery time. Enter the systems and services that must be recovered within specific time frames.
- Comments. Self-explanatory.
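As an added example (not part of the article or its downloadable template), the Python below runs two sanity checks over constructed template rows: it converts the free-text RTO/RPO time frames into hours, flags a parent process whose RTO is shorter than that of a process it depends on (it cannot be back in business before its dependency is), and lists processes in recovery order by priority ranking. The field names, time-frame wording and sample rows are assumptions.

```python
"""Checks over a filled-in BIA template (constructed rows, not the article's data).
Flags a process whose RTO is shorter than that of a process it depends on, since
it cannot be back in business before its dependency, and orders recovery."""
import re

# Hours per unit for the free-text time frames ("one hour", "1 day", "one week").
_UNITS = {"hour": 1, "day": 24, "week": 168}
_WORDS = {"one": 1, "two": 2, "three": 3, "four": 4}


def parse_hours(text):
    """Convert a time frame such as 'one hour' or '2 days' to hours."""
    m = re.fullmatch(r"\s*(\w+)\s+(hour|day|week)s?\s*", text.lower())
    if not m:
        raise ValueError(f"unrecognised time frame: {text!r}")
    qty = _WORDS.get(m.group(1)) or int(m.group(1))
    return qty * _UNITS[m.group(2)]


# Constructed sample rows; 'depends_on' holds process names or external services.
BIA_ROWS = [
    {"unit": "Sales", "process": "Order entry", "priority": 1,
     "rto": "four hours", "rpo": "one hour", "depends_on": ["ERP", "Internet"]},
    {"unit": "IT", "process": "ERP", "priority": 2,
     "rto": "one day", "rpo": "four hours", "depends_on": ["Data centre"]},
    {"unit": "Facilities", "process": "Data centre", "priority": 1,
     "rto": "four hours", "rpo": "one hour", "depends_on": []},
]


def find_rto_conflicts(rows):
    """Return (process, dependency) pairs where the dependency recovers too slowly."""
    rto = {r["process"]: parse_hours(r["rto"]) for r in rows}
    conflicts = []
    for r in rows:
        for dep in r["depends_on"]:
            # External services with no row of their own cannot be checked.
            if dep in rto and rto[dep] > rto[r["process"]]:
                conflicts.append((r["process"], dep))
    return conflicts


def recovery_order(rows):
    """Process names by priority ranking, then by shortest RTO."""
    ranked = sorted(rows, key=lambda r: (r["priority"], parse_hours(r["rto"])))
    return [r["process"] for r in ranked]


if __name__ == "__main__":
    print(find_rto_conflicts(BIA_ROWS), recovery_order(BIA_ROWS))
```

A reported conflict means either the dependent process's RTO is unrealistic or the dependency's RTO must be tightened; resolving it is exactly the kind of finding the review with business unit leaders should surface.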
Where business impact analysis fits into business continuity planning
Because a BIA identifies the effect of financial, competitive or reputational disruptions and incidents to an organization, it should be considered among the key components of an organization's BCDR plan. A BIA also helps define recovery strategies that organizations can use when responding to disasters of any size.
The business impact analysis template should be filled out before launching a risk assessment. The template provides specific details about an organization's systems, technology, facilities, processes and employees, as well as how an incident would affect them. The risk assessment identifies potential risks, threats and vulnerabilities to the business, as well as the likelihood they might occur.
Once the BIA and risk assessment have been completed, the organization can build its detailed BCDR plan. It's important to review and test each element of the BCDR plan and revise it as needed because recovery processes must be validated to ensure they'll work when required.
Before an emergency or disaster occurs, a BIA identifies the mission-critical elements of the organization so the response process can start as soon as possible. Knowing which elements must be recovered the quickest can ensure recovery goals are achieved.
When a disruption or disaster occurs, it's critical to have BCDR planning documents available and to follow previously tested procedures to help the organization recover and restore operations. As such, ensure all important BCDR documents, including the BIA, are easily accessible in electronic and hard-copy forms.
During an event, crisis management and communications teams must have access to all relevant BCDR documents, including the BIA. The crisis management team must have the authority to make key decisions during the event, while the communications team must deliver vital information about the event to those affected.
After the event, the organization should examine how well its various emergency teams performed and prepare an after-action report that describes what worked and what didn't. Recommendations for improvement, including updates to the BIA, should also be included.
Goals of the BIA
The BIA not only helps employees understand how the business works, but it identifies gaps that could be exploited. Goals for a BIA should include the following:
- determining the most critical business functions and systems that support them;
- identifying financial, operational, legal and reputational costs if those systems were disrupted or destroyed;
- computing values for RPOs and RTOs;
- establishing the minimum acceptable requirements for recovery;
- meeting with critical business process owners to ensure information is correct and up to date;
- analyzing risks, threats and vulnerabilities; and
- obtaining senior management approval of the BIA report and recommended activities.
Benefits of completing a BIA
Benefits of completing a BIA include the following:
- The process gets company leaders discussing the organization and its most crucial elements. In the end, a company might find areas where improvement is needed.
- A comprehensive BIA, which can be prepared using the BIA template, is an essential part of the BCDR plan development process.
- The BIA provides concise, relevant information about an organization's most important business activities and attributes and the costs incurred if those elements are disrupted or destroyed.
- The organization increases its chances of a successful recovery and resumption of the business from having performed a BIA.
Staffing and support needed when preparing a BIA
Completing a BIA takes a lot of work, resources and people. It requires teamwork, from the person(s) filling out the business impact analysis template to the senior leadership approving the BIA report. Because input from different departments is required, the BIA team must be diligent about gathering the proper information in a timely fashion.
BIAs must highlight who has a role in the specific action items. In a larger business, there might be an entire crisis management team dedicated to the recovery effort. In a small business, one person might need to fill different roles. Therefore, it's crucial that each person knows exactly what to do so there are no missteps. In addition, for the sake of continuity, action steps should be clearly explained so an alternate team member can step in and perform the work if needed.
BIAs can be included as part of the overall BCDR plan testing process. Depending on the scope of the test and the company's culture and management commitment, certain employees should be involved in testing situations so they know what to do in an unplanned incident. Open communication among BCDR team leaders and the rest of the organization is essential to maintain a relevant, updated BIA.
Common mistakes to avoid
With a business activity that is so people- and data-intensive, mistakes can occur. Here are a few to avoid:
- Rushing through the BIA. Given the significance of the potential effect of a disruption to the organization, employees should take the time to perform a comprehensive BIA.
- Paying too much attention to one element. Don't spend so much time on one component that other parts of the business are ignored.
- Mistaking a risk assessment for a BIA. A risk assessment details what might cause downtime, while a BIA shows its effects. These should be two separate documents.