One of the most important activities to perform in the course of preparing business continuity and technology disaster recovery plans is the business impact analysis.
A business impact analysis (BIA) identifies and analyzes business processes and activities to determine the impact on an organization if it cannot perform those activities due to disaster or other disruptive incidents.
The BIA process received some important assistance with the International Organization for Standardization's launch of ISO/TS 22317:2021 Security and resilience -- Business continuity management systems -- Guidelines for business impact analysis. This standard provides useful guidance for organizations preparing for a BIA.
Where does a standard fit in the BIA process?
ISO/TS 22317:2021 describes issues for organizations to address while they plan and execute the BIA. Admins can also address these issues when they write the BIA report after the assessment and when they review the results.
The standard does not provide a template or other tool that BCDR teams can use to carry out a BIA. Following the standard's outline and recommended activities, however, will ensure that the business addresses the right issues and finds relevant and actionable outcomes.
BIAs have traditionally been developed using homegrown approaches and frameworks. Most BIAs are customized and developed by the employees or external consultants assigned to the BIA.
Typical tools include Microsoft Office applications such as Word and Excel, with project management activities supported using Microsoft Project, among other available tools. Numerous BCDR plan development software options also include BIA modules that can help facilitate the process.
Along with a risk analysis, a BIA provides essential operational, financial, competitive and reputational details of an organization by identifying its most critical processes, people, facilities and technologies. It also identifies potential outcomes to the organization if one or more critical processes are disrupted or damaged beyond short-term repair efforts. In addition, BIA results identify critical time frames in the form of two pivotal metrics: recovery time objective (RTO) and recovery point objective (RPO).
From an audit perspective, ISO/TS 22317:2021 can be an important foundation for BIA development, as demonstrating compliance with the standard is an important finding for auditors.
Structure of ISO/TS 22317:2021
The following section extracts parts of the standard's table of contents with explanations of the various components. For a full understanding of the standard, the complete document can be found on ISO's website.
4. Prerequisites general. Introduces the standard's structure.
- 4.2. BC program context and scope. Describes what to include when describing the scope and context of a BIA project.
- 4.3. BC program roles and responsibilities. Describes the various personnel who participate in a BIA, ranging from senior management to project leads to analysts processing BIA data.
- 4.4. BC program commitment. Underscores the importance of senior management's commitment to a BIA project, especially in terms of understanding the key aspects of the business, resources needed by the business and critical priorities for business processes.
5. The BIA process. This section provides guidance on how to prepare for, execute, report on and deliver a BIA.
- 5.1. Fundamentals. Provides an overview of the following sections.
- 5.2. Project planning and management. Discusses activities to perform in the course of preparing for a BIA project, including senior management support, formation of a project team, preparing for data gathering, and setting goals and objectives for the project.
- 5.4. Product and service prioritization. With senior management support and expertise, the team identifies the most important business products and services, as well as how long they can be disrupted before the organization will experience serious losses.
- 5.5. Activity prioritization. There are numerous activities within each business process that have the potential to cause the larger business process to fail when interrupted. This section describes how to identify and prioritize these activities.
- 5.5.4. Set RTO for the activities. This step identifies and examines the high-level business processes the organization needs to achieve its mission, along with the time frame priorities of their recovery and resumption following a disruption.
- 5.6. Identify resources and other dependencies. Discusses the necessary components for a BIA project and ongoing BIA activities, including people, funding and access to subject matter experts.
- 5.7. Analysis and consolidation. This section describes the issues to examine and analyze once the organization has collected relevant business process data. It also describes preparation of the BIA report for delivery to senior management.
- 5.8. Obtain top management endorsement of BIA results. This section covers how to discuss the BIA results with senior management, obtain their agreement with the report's findings and recommendations, and prepare for the next steps.
6. Review BIA. This section describes how to translate outputs from the BIA into strategies for preparing for and responding to business disruptions. An example of these might be faster backups of critical data using data mirroring techniques and cloud storage. Another example could be increasing data center survivability by contracting key process activities to a third-party managed services provider.
ISO/TS 22317:2021 complements the global business continuity standard, ISO 22301:2019 Security and resilience -- Business continuity management systems -- Requirements, and its companion standard, ISO 22313:2020 Security and resilience -- Business continuity management systems -- Guidance on the use of ISO 22301.