business impact analysis (BIA)
What is business impact analysis (BIA)?
A business impact analysis (BIA) is a systematic process to determine and evaluate the potential effects of an interruption to critical business operations as a result of a disaster, accident or emergency. A BIA is an essential component of an organization's business continuity plan (BCP). It includes an exploratory component to reveal any threats and vulnerabilities and a planning component to develop strategies for minimizing risk. The result is a business impact analysis report, which describes the potential risks specific to the organization studied.
One of the basic assumptions behind a BIA is that every component of the organization relies on the continued functioning of all the others. However, some are more crucial than others and require a greater allocation of funds and operational resources in the event of a disaster.
For example, a business may be able to continue more or less normally if the cafeteria has to close, but it would come to a complete halt if the information systems and IT infrastructure crash. It is easy to confuse BIA and risk assessment (RA); they are complementary steps in the development of a BCP.
How to conduct a BIA
Even though an international standard for conducting BIAs exists, the methodologies used can vary by organization. A BIA is generally a multiphase process that includes the following steps:
- securing approval for the BIA from senior management;
- gathering trained people who can perform a BIA;
- preparing a BIA plan;
- gathering information from questionnaires, interviews and documentation that is relevant to the analysis;
- evaluating the collected information and interview data;
- performing an analysis to identify mission-critical business processes, the technologies those processes depend on, the impact if those processes cannot be performed and specific performance metrics, such as recovery time objective (RTO) and recovery point objective (RPO);
- preparing a report to document the findings;
- presenting the results to senior management;
- coordinating BIA results with RA results to help define strategies for recovery and restoration of mission-critical processes; and
- using these results to develop a BCP.
Employees who perform a BIA must examine materials available from several sources to prepare for the process. They also should review the global standard, ISO/Technical Specification 22317:2015, Societal security -- Business continuity management systems -- Guidelines for business impact analysis (BIA), developed by the International Organization for Standardization.
Other options for performing a BIA include the following:
- Consultants. When hiring a third-party consulting firm to perform a BIA, it is important to check that team members have demonstrable experience performing BIAs.
- BIA software. These applications are typically a module within a larger, more costly BCP development application.
- BC as a solution. These cloud-based offerings are also available.
BIAs often include a detailed questionnaire or survey to collect a variety of information, including the following:
- critical business processes;
- resource requirements;
- relationships with internal and external entities; and
- financial impact of a disruption.
This information is essential in assessing the potential impact of a disruptive event. An educational session may be conducted for key personnel with knowledge of the business. Such an activity may precede formal interviews as a way to set the stage for the BIA.
Information can be collected in a variety of ways, including in-person interviews and automated surveys. Follow-up interviews may be necessary.
Need more help?
Need guidance in conducting a business impact analysis and creating a BIA report? Check out this free, downloadable template.
Analyzing the results of a BIA
BIAs have many goals. They are used to determine the most crucial business functions, systems, staff and technology resources needed for operations to run optimally. They are also used to assess the time frame within which the functions must be recovered for the organization to restore operations to a normal working state. The analysis may be manual or computer-assisted.
Challenges include determining the revenue impact of a business function and quantifying the long-term impact of losses in market share, business reputation or customers. Impacts to consider include the following:
- delayed sales or income
- increased labor expenses
- regulatory fines
- contractual penalties
- customer dissatisfaction
The business impact analysis report typically includes an executive summary, information on the methodology for data gathering and analysis, detailed findings on the various business units and functional areas, charts and diagrams to illustrate potential losses, and recommendations for recovery.
The report prioritizes the most important business functions, examines the impact of business interruptions, specifies legal and regulatory requirements, details acceptable levels of downtime and losses, and lists RTOs and RPOs. It may also list the order of activities necessary to restore the business, the minimum number of employees needed to recover operations, approximate funds needed for recovery and where the recovery will occur, such as at the organization's original location or at an alternate site.
Senior managers review the report to devise a strategy for BC and disaster recovery plan (DRP) development. This should take into account maximum permissible downtime for important business functions and acceptable losses in areas such as data, finances and reputation. Managers should review and update BIA data at least annually and whenever a significant change in business operations occurs.
The role of the BIA in disaster recovery planning
As part of a DRP, a BIA is likely to identify costs linked to failures. These include loss of cash flow; replacement of equipment; salaries paid to catch up with a backlog of work; and loss of profits, staff and data. A BIA report quantifies the importance of business components and suggests appropriate fund allocation for measures to protect them and the technology supporting them.
The possibilities of failures are likely to be assessed in terms of their effects on areas such as safety, finances, marketing, business reputation, legal compliance and quality assurance. Where possible, impact is expressed monetarily for purposes of comparison.
For example, a business may spend three times as much on marketing after a disaster to rebuild customer confidence. The BIA should assess a disaster's impact over time and establish recovery strategies, priorities, and requirements for resources and time.
The role of the BIA in business continuity planning
One BIA is typically conducted to provide data to prepare both a DRP and BCP.
The BIA identifies the critical business processes, the technologies needed to support them, the employees needed to recover the business and the facilities required to support the business. Ideally, both BC and DR plans should complement each other, unless, for example, management wishes to focus on protecting the technology, with less concern about business processes.
BIA vs. risk assessment
Completing a business impact analysis and a risk assessment is essential for preparing a BCP or a DRP. A BIA often takes place prior to an RA; the two assessments cover different areas. However, both can serve as a starting point for determining DR and analyzing the impact of RTOs and RPOs, as well as the resources and materials needed for business recovery and resumption.
Business impact analysis
The BIA process focuses on the effects or consequences of an interruption to critical business functions and attempts to quantify the financial and nonfinancial costs associated with the disaster. The BIA identifies and analyzes the parts of the organization that are most crucial.
A BIA for IT might start with the identification of applications supporting essential business functions, interdependencies among existing systems, possible single points of failure and costs associated with system outages. The analysis phase examines the risks and prioritizes uptime requirements, including RTO and RPO metrics.
Data the business impact analysis questionnaire should gather
- the functional parent of a process, e.g., a department or location;
- the process name and a detailed description of the process;
- list of all inputs and outputs from the process;
- internal and external dependencies for processes, people and technology;
- maximum allowable outage time before a negative impact to the business occurs;
- descriptions of the financial and operational impact experienced during an outage;
- human and technology resources required to support the process, including computers, networks, offices and people;
- facilities needed to support the process, including office space, production centers and remote work areas;
- a description of the effects external-facing or inward-facing processes have on customers and a list of departments that depend on the process outputs;
- explanation of any legal or regulatory effects that may be created in an outage;
- descriptions of past outages and the effects associated with them; and
- descriptions of workaround procedures and work-shifting options to other departments or remote workers as applicable.
An RA identifies potential risks, threats and vulnerabilities to a business's continued operations. These can include threats such as natural disasters, like hurricanes and earthquakes; fires; supplier failures; power outages; other utility outages; and cyber attacks. The assessment identifies areas of vulnerability, such as failure points, should the hazard occur.
Assets put at risk include people, property, supply chains, IT, compliance, business reputation and contract obligations. Points of weakness that make an asset more prone to harm from identified risks are assessed. A mitigation strategy may be developed to reduce the probability that a hazard will have a significant impact.
During the RA phase, findings should be examined against various threat scenarios. Potential business disruptions should be prioritized based on the event's probability of occurring and the likelihood of adverse impacts to business operations. BIA and RA results may be used to justify investments in prevention and mitigation, as well as disaster recovery and business continuity strategies.
The information gathered for a risk assessment may include the following:
- a description of the principal activities each business unit performs;
- subjective rankings of the importance of specific processes;
- names of people or organizations that depend on the processes for normal operations;
- estimates of the quantitative impact associated with a specific business function;
- the nonfinancial effects of the loss of the function;
- critical information systems and their users;
- the staff members needed to recover important systems; and
- the time and steps required for a business unit to recover to a normal working state.
Areas to explore during the discovery phase include interdependencies among systems, business processes and departments, the risks associated with points of failure, responsibilities associated with service-level agreements, staff and space that may be required at a recovery site, special supplies and communication equipment needed, and cash management and liquidity necessary for recovery.
When information gathering is complete, the review phase begins in consultation with business leaders who can validate the findings. A spreadsheet or software application may be used to store and organize information such as interview details, business process descriptions, estimated costs, expected recovery time frames and equipment inventories. A diagram of important business processes and systems and a workflow analysis may be useful. A draft report may be prepared to gather initial feedback that can be used to prepare the final report.
Learn more about risk assessments, and get a free, downloadable risk assessment template.