How is conducting a BIA different from a risk analysis process?
The business impact analysis (BIA) and risk assessment are usually separate processes, but they must be executed concurrently or in parallel. The reasoning is that evaluating the impact to the business without assessing the risk does not provide the full picture. We can think of impact as a constant: if the outage of a critical system has a high impact (financial or otherwise) on a business, then no matter what we do, the impact of the actual outage remains high. We cannot change the impact; we can only try to prevent the outage.
The risk analysis process is the evaluation of threats, vulnerabilities and probability of occurrence. For example, the threat could be that a company operates in an area with unreliable power, with at least one failure lasting more than three or four hours per year on average (the probability of occurrence), and the vulnerability is the absence of a backup power generator or uninterruptible power supply.
The resulting impact is the outage of an IT system identified as critical during the BIA. Risk also has constants in this context; the threat of a lengthy power failure and its annual occurrence will remain. The only variable is the vulnerability, which can be addressed with the installation of a generator. The threat and probability have not changed and the outage of the critical system would have the same impact, but the risk is mitigated by eliminating the vulnerability.