IT teams in most organizations are familiar with disaster recovery and business continuity processes. However, some may not be aware of the importance of conducting a business impact analysis (BIA). A BIA is one of the most important elements of a business continuity plan. It helps companies determine the financial impact of outages or any other disruption to their business.
What Is a Business Impact Analysis and Why Is it Important?
A BIA identifies the impact of a sudden loss of business functions, usually in terms of cost to the business. It also identifies the most critical business functions, which allows you to create a business continuity plan that prioritizes recovery of those essential functions. The cause of the disruption is not what a BIA examines; it could be negligence, a natural disaster, a cyberattack or something else. Instead, a BIA looks at the business impact of the disaster, prioritizes resources and determines the best approach to recovery.
A BIA is comprised of three key components:
- Business impact
- Time frames
- Dependencies
Each of these is discussed further below. As a part of the foundation of a business continuity plan, a BIA is essential to business recovery in the event of a disaster.
Determine the most critical business functions based on cost to the business
A BIA determines a company’s most important functions that keep it afloat — its comprehensive set of business processes, the resources needed to execute these processes and the systems required for these. The potential cost associated with a business disruption, such as loss of revenue, regulatory compliance penalties, contractual penalties due to missing service-level agreements (SLAs), increased operational costs, etc., is calculated in terms of real dollars for each business function.
To assess the financial impact, one approach is to use a questionnaire to ask questions, with answers rated on a scale from 1 to 5. For example:
- What would the potential loss in revenue be if this business function went down?
- What fines and penalties would the business incur?
- What increase in operating costs would the business experience?
There could be non-dollar costs to the business as well. These include reputation damage and loss of goodwill. Your questionnaire could also include questions such as:
- What would be the potential damage to the business’ reputation?
- What would be the impact on customer service?
Identify potential threats to these functions
Once your BIA identifies the critical business functions, it determines the risks associated with them as well as the conditions that may trigger a business process outage and the probability of the recurrence of the risk.
There are three timeframes that your BIA should address:
- Recovery Point Objective (RPO) — The maximum amount of data, measured in time, that the business can afford to lose in a disaster. It is typically determined by the interval between data backups.
- Recovery Time Objective (RTO) — The time it would take to recover the function from backup.
- Maximum Allowable Downtime (MAD) — The maximum tolerable period of downtime a particular business function can afford. It should include the time it would take to restore the function to full operation after a backup has been restored.
A BIA should determine the dependencies between business processes and systems. This helps prioritize the systems that need recovery first. A BIA helps you discern the order in which lost functions or processes must be restored. A business function that has more business processes relying on it to be operational will have a higher priority in the recovery process than others.
There could also be dependencies on certain vendors that you’ll need to work with to restore various systems and functions. These could include IT vendors and Internet service providers, and they should be documented in your BIA.
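To show how the three components fit together, here is an added example (not code from the original post or its author): a small Python model that scores each business function from its 1-to-5 questionnaire answers, flags functions whose RTO exceeds their MAD, and derives a recovery order in which dependencies are restored first and, among the functions that are ready, those with the most dependents, the highest impact and the tightest MAD come first. The business functions, ratings and hour values are constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class BusinessFunction:
    name: str
    answers: dict          # questionnaire answers, each rated 1 (low) to 5 (high)
    rpo_hours: float
    rto_hours: float
    mad_hours: float
    depends_on: list = field(default_factory=list)  # functions this one relies on


def impact_score(f):
    """Average questionnaire rating across dollar and non-dollar questions."""
    return sum(f.answers.values()) / len(f.answers)


def dependents(functions):
    """Count, per function, how many others rely on it directly or transitively."""
    by_name = {f.name: f for f in functions}
    counts = {f.name: 0 for f in functions}
    for f in functions:
        seen, stack = set(), list(f.depends_on)
        while stack:
            d = stack.pop()
            if d in seen:
                continue
            seen.add(d)
            counts[d] += 1
            stack.extend(by_name[d].depends_on)
    return counts


def recovery_gaps(functions):
    """Functions whose RTO is longer than their MAD: the plan cannot meet the business need."""
    return [f.name for f in functions if f.rto_hours > f.mad_hours]


def recovery_order(functions):
    """Restore dependencies first; then most dependents, highest impact, tightest MAD."""
    deps = dependents(functions)
    done, order = set(), []
    while len(order) < len(functions):
        ready = [f for f in functions if f.name not in done and set(f.depends_on) <= done]
        if not ready:
            raise ValueError("circular dependency between business functions")
        nxt = max(ready, key=lambda f: (deps[f.name], impact_score(f), -f.mad_hours))
        done.add(nxt.name)
        order.append(nxt.name)
    return order


# Constructed sample: a small order-to-cash slice (all values illustrative)
SAMPLE = [
    BusinessFunction("Identity provider", {"revenue": 4, "penalties": 3, "reputation": 4}, 1, 2, 4),
    BusinessFunction("ERP database", {"revenue": 5, "penalties": 4, "reputation": 3}, 0.25, 4, 8, ["Identity provider"]),
    BusinessFunction("Web storefront", {"revenue": 5, "penalties": 2, "reputation": 5}, 1, 2, 4, ["Identity provider", "ERP database"]),
    BusinessFunction("Payroll", {"revenue": 1, "penalties": 4, "reputation": 3}, 24, 48, 72, ["ERP database"]),
    BusinessFunction("Marketing analytics", {"revenue": 2, "penalties": 1, "reputation": 2}, 24, 96, 72, ["ERP database"]),
]
```

Running `recovery_order(SAMPLE)` places the identity provider and the ERP database ahead of the functions that depend on them, and `recovery_gaps(SAMPLE)` reports the analytics function whose 96-hour RTO cannot satisfy its 72-hour MAD.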
Are There BIA Standards?
Several standards provide guidance on how to create a BIA. These include International Organization for Standardization (ISO) 22301, the National Fire Protection Association’s NFPA 1600 and the Federal Financial Institutions Examination Council’s (FFIEC) BCP standard for financial institutions.
Business Impact Analysis as Part of Business Continuity Planning
A business continuity plan (BCP) describes what steps must be taken in case of an outage or disruption, whereas a BIA identifies the risk that could prompt the outage as well as the critical business functions that could be impacted by the outage and prioritizes these for recovery. A BIA lays the foundation for a solid business continuity plan and prepares an organization for the inevitable effort required to recover from a business disruption. BCPs not only focus on technical operations (hardware/software issues) but also take into account the personnel and other resources associated with business continuity.
Once your BIA is in place, it is a good practice to periodically review and update it, as your business changes over time. This allows you to leverage the BIA effectively to handle new risks and challenges. It is recommended that you do this at least every two years. A BIA, in conjunction with business continuity planning, enables an organization to minimize downtime and ensure workforce productivity even in the event of a crisis.
Learn more about business continuity planning in our ebook Transforming a Crisis Into an Opportunity.