A business impact analysis (BIA) attempts to review how key functions such as business operations, financial performance,...
reputation, employees and supply chains could be affected by specific risks and threats. The BIA is usually the starting point of risk identification for business continuity and can help the risk assessment process.
In this tutorial on business impact analysis questionnaires, you'll learn why they are a key factor in the BIA process, what types of questions you should include, and we've provided a business impact analysis questionnaire template to help you get started.
Factors for a business impact analysis
Factors for a BIA should include various business-related metrics, such as financial impact, reputation, regulatory censure, people, and potential downtime. The discovery process, which is facilitated through the use of questionnaires, gathers relevant information. The person creating the BIA uses discovery to identify such business attributes as critical business processes, interdependencies among business units (both internal and external), supply chain dependencies, minimum acceptable office configurations and supplies, minimum time needed to recover operations, and minimum staffing required to provide business as usual.
Business impact analysis questionnaires are extremely important because they simplify the business impact analysis discovery process; provide for uniformity of questions; and provide ease of entering answers into a suitable repository for analysis, such as a spreadsheet. They can also be modified for specific departments to address unique attributes, such as a trading department vs. a human resources department.
Table 1 below depicts the relationship between disruptive events and business factors, the fundamental issues of a BIA.
Table 1: Elements of a business impact analysis
Business impact analysis questions
Business impact analysis questions are posed to key members of each operating unit in the company, including IT. Questions should minimally address these issues:
- Understanding how each business unit operates
- Identification of critical business unit processes that depend on IT
- Financial value of critical business processes (e.g., revenues generated per hour)
- Dependencies on internal departments and business units
- Dependencies on external organizations
- Data requirements
- Minimum time needed to recover data to previous state of use
- Minimum technology and system requirements needed to conduct business
- Minimum time needed to return to normal or near-normal operations following an incident
- Minimum number of staff needed to conduct business
- Minimum office space needed to conduct business
- Minimum office supplies and services needed to conduct business
Business impact analysis outputs present a clear picture of the actual impacts on the business, both in terms of the potential problems and the probable costs. Results of the BIA help determine which areas require protection, the amount business tolerance to disruptions and the minimum IT service levels that are needed by the business.
IT needs to be a key component of BIAs, as it must be integrated into the overall strategic direction of the organization; this ensures that IT stays on the radar for the BIA. Since IT is an enabler, organizations are well advised to include IT in the BIA process.
Use business impact analysis results to define the maximum period of time for which the business can survive without its people, process, technology and physical locations. Measure the tolerances to an outage for critical applications or infrastructure services. Next, examine available options that increase resilience (reduce the risk of service loss), such that you can provide service to the business in an acceptable timeframe.
Sample business impact analysis questionnaire
Don’t overwhelm interviewees with too many questions. A well-organized business impact analysis questionnaire should be able to fulfill the discovery objectives in 20 to 25 questions, fewer if possible. Use the questions below as a starting point. We've also put together a handy business impact analysis questionnaire template for you to download.
- Business processes: Describe the business processes for your business unit; minimum acceptable recovery time frames for the business unit, and for specific processes (e.g., accounting), applications (e.g., email), etc.
- Dependencies among business units/processes: Define the business units and/or processes and/or systems that a business unit/process depends on to perform normally; specify if these are internal or external to the organization, such as supply chains.
- Criticality of business processes: To the greatest extent possible, determine which business units and/or processes are the most essential to the company and its operations.
- Availability of alternate business processes, staffing and resources: Specify alternate procedures, e.g., paper work orders or paper order forms that can be used in lieu of the principal process; access to temporary staffing; and access to alternate operating resources such as a hot disaster recovery site.
- Work backlog: For each defined business unit and/or process identified, how long will it take (e.g., hours) to process daily backlogs for each day of downtime? What technique is used, e.g., concurrent or sequential processing?
- Critical records: Specify critical business records by record name, type of media, primary location of records and alternate location (as required).
- Reporting requirements: What specific internal/external reporting, such as for regulatory requirements, is needed? Include the report name, author(s), recipient(s), frequency, delivery requirements, variances allowed and penalties (if any).
- Difficulty of recovery: Define potential recovery issues in terms of difficulty to recover operations, time needed to recover and resources needed to recover.
- Difficulty of restoration: Define potential restoration issues in terms of difficulty to restore operations to an as-normal or near-normal state.
- Tolerance to outages: Assuming a serious situation, such as destruction of the company’s headquarters location, how long (hours or days) could the business unit and/or system/application be unusable before its loss would impact the organization, its stakeholders, suppliers, regulators, etc.?
- Maximum time for disruption to business functions/processes/systems: Determine the maximum amount of time, e.g., hours, days, weeks, months, that business units, functions, processes, systems, employees, office space, etc. can be unavailable before the firm loses business, market share, revenues, customers, etc.
- Disruption impact by timeframe: Using an acceptable timeframe, such as days, weeks or months, define the impact to the organization if an event occurs at certain times of the year, or certain days of the month.
- Disruption impact by severity of incident: Specify the degree of severity of the identified outage or disruption, e.g., worst case = 5, no impact = 0.
- Disruption impact by line of business: Specify the line of business (e.g., manufacturing, accounting) and the impact to that activity, e.g., worst case = 5, no impact = 0.
- Disruption impact by operation: Define operational impacts, such as cash flow, competitive position, public image, reputation, staff morale, employee hiring and retention, financial reporting, stakeholder perceptions, shareholder perceptions, and the impact to that activity, e.g., worst case = 5, no impact = 0.
- Financial impact: Determine the estimated impact to earnings, profits, expenses, etc., in a variety of timeframes, such as days, weeks and months.
- Minimum acceptable staffing: Specify the minimum number of people needed for each business unit to operate as-normal or near-normal.
- Minimum acceptable configuration of systems: Specify minimum number of physical systems, such as servers, routers, switches, workstations, laptops, phones, copiers to resume limited operations.
- Minimum acceptable applications: Specify minimally necessary operating systems, databases, applications, utilities, etc. needed for employees and operations.
- Minimum acceptable infrastructure requirements: Specify such items as power, HVAC, voice and data communications, water supplies, food supplies.
- Minimum acceptable space requirements: Specify minimum physical space required by employees, e.g., 40 to 50 square feet.
- Minimum acceptable work space requirements: Specify such items as office supplies, furniture, lighting, phone/data connections, and electrical outlets.
- Define unique or specialized requirements: There may be a need for specialized systems, such as high-speed printers, plotters and graphics workstations; define the minimally acceptable number and type.
- Anticipated changes to the business: Provide details on special situations, such as mergers and acquisitions and planned physical moves, the presence of which could affect how the organization recovers.
- Other: Specify any other issues or concerns that may affect the recovery of a business unit, systems supporting that business unit, staffing, etc.
About this author: Paul Kirvan, CISA, FBCVI, CBCP, has more than 20 years experience in business continuity management as a consultant, author and educator. He has been directly involved with dozens of IT/telecom consulting and audit engagements ranging from governance program development, program exercising, execution and maintenance, and RFP preparation and response. Kirvan currently works as an independent business continuity consultant/auditor and is the secretary of the Business Continuity Institute USA chapter. He can be reached at [email protected].