Essential Guide

Essential guide to business continuity and disaster recovery plans

A comprehensive collection of articles, videos and more, hand-picked by our editors

Using a business impact analysis (BIA) template: A free BIA template and guide

Learn how to perform a business impact analysis, and download our free BIA template and guide to assist you in your business continuity planning.

Paul Kirvan photoA business impact analysis (BIA) is a key part of the business continuity process that analyzes mission-critical business functions, and identifies and quantifies the impact a loss of those functions (e.g., operational, financial) may have on the organization.

SearchDisasterRecovery.com has created a free  downloadable business impact analysis template to assist you in your business continuity planning. Download and print out our template, and then read the step-by-step guide below to create a successful business impact analysis.

Using a business impact analysis template: Table of contents 

Preparing a business impact analysis
Tips for performing a BIA
A guide to using our business impact analysis template


 

 PREPARING A BUSINESS IMPACT ANALYSIS 

Once risks to an organization have been identified -- usually through a risk analysis -- the next step in a business impact analysis is to determine how the identified risks affect specific business operations. Let's assume that if all business functions are performing normally, the organization ought to be fully viable, competitive and financially solid. If an incident -- internal or external -- negatively affects business operations, the organization could be compromised.

Business impact analyses help business continuity/disaster recovery professionals identify business priorities and validate or modify them for plan development. Questionnaires must be formulated for pre-interview data gathering and/or in-person interviews. People with in-depth knowledge of and experience with the business functions being analyzed are ideal candidates for BIA interviews. In some cases it may be possible to organize interview questions into an automated survey (an example of which is BIA Professional, from SunGard Availability Services), in which the results can be captured and summarized.

Often it is useful to include an incident description for interviewees to use when answering the questions. An example of such a situation is:

  • The business unit's portion of the building is completely destroyed;
  • All records, data files, technology, supplies, and other support systems are lost;
  • Some key personnel may not be available;
  • Primary business processes will be affected immediately and for at least 30 days;
  • The disaster occurs during a peak processing period for the business unit.

Incident descriptions help frame the interviewee's response so it can be in alignment with specific risks and threats.

Ultimately, the BIA's purpose is to identify, prioritize and document the relative importance of various business processes conducted by business units.

TIPS FOR PERFORMING A BUSINESS IMPACT ANALYSIS 

Keep in mind the following key tips when performing a business impact analysis:

  1. Get the support of senior management. Given the nature of BIAs, and the time needed for research, be sure to obtain senior management support so that your project goals can be achieved
  2. Take the business impact analysis process seriously. Although the BIA can take a great deal of time for data gathering and analysis, its value can be essential as you develop plans. BIAs do not have to be dozens of pages long. They simply need the right information, and that information should be current and accurate.
  3. There are no formal BIA standards. Despite many business continuity standards available in the U.S., no formal standards exist for BIAs.
  4. Keep it simple. Gathering the right information is critical; the associated template provides a baseline for information to be gathered. If a one-page business impact analysis summary provides the relevant information, versus one with dozens of pages, it can be perfectly acceptable
  5. Review results with business units. Once the plan is complete, review the findings with business units leaders to make sure your assumptions arte correct
  6. Be flexible. The suggested template in this article may be too complex for some organizations; feel free to modify it as you see fit to accomplish your goals.

USING OUR BUSINESS IMPACT ANALYSIS TEMPLATE 

Next, we'll examine the structure and content of the template, indicating key issues to address and activities to perform. This can be easily organized and managed via standard spreadsheets.

  1. Business unit name: Enter the business unit name
  2. Head count: Enter the number of full-time staff in the business unit, optionally, part-time and contractors, if applicable
  3. Parent process: Describe the principal activities the unit performs, e.g., sales, contractor interface, or investor relationship management
  4. Priority ranking: Enter a number here for subjective ranking of process importance
  5. Recovery time objective: Enter a time frame, e.g., one hour, one week in this section; it describes the time a parent process must return to "business almost as usual" following a disruption
  6. Recovery point objective: Enter a time frame, e.g., one hour, one day in this section; this is a point in time to which parent process work should be restored following a disruption
  7. Parent process depends on: Enter names of organizations and/or processes the parent process depends on for normal operations
  8. Parent process required by: Enter names of organizations and/or processes that depend on the parent process for normal operations
  9. (Optional) Sub-process: Enter description of supporting activities the unit performs, e.g., sales analysis, financial analysis
  10. (Optional) Priority ranking: Enter a number here for subjective ranking of sub-process(es) and their importance to the business unit
  11. (Optional) Recovery time objective: Enter a time frame; it describes the time a sub-process must return to "business almost as usual" following a disruption
  12. (Optional) Recovery point objective: Enter a time frame; this is a point in time to which sub-process work should be restored following a disruption
  13. (Optional) Sub-process depends on: Enter names of organizations and/or processes the sub-process depends on for normal operations
  14. (Optional) Sub-process required by: Enter names of organizations and/or processes that depend on the sub-process for normal operations
  15. Quantitative impact: Enter a financial amount associated with the parent process, e.g., annual revenue generated by the process
  16. Qualitative impact: Enter a non-financial impact to the company, e.g., loss of reputation, loss of customers associated with parent process
  17. Time needed to recover staff: Enter the number of staff that need to be back to "business almost as usual" within specific time frames
  18. Recovery strategy: Enter specific actions the business unit can take to recover to a "business almost as usual" state, e.g., work from home, relocate to an alternate area, recover to a hot site
  19. Technology/Services recovery time: Enter the system and services in each time space that must be recovered within the specific time frame
  20. Comments: Self-explanatory

An excellent way to learn about a business is to conduct a business impact analysis. In addition to identifying recovery priorities and timeframes, conducting a BIA can also identify opportunities for process improvement.

About this author: Paul F. Kirvan, FBCI, CBCP, CISSP, has more than 20 years experience in business continuity management as a consultant, author and educator. He is also secretary of the Business Continuity Institute USA Chapter.

This was first published in July 2009

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

Essential Guide

Essential guide to business continuity and disaster recovery plans

1 comment

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

SearchSolidStateStorage

SearchVirtualStorage

SearchCloudStorage

SearchDataBackup

SearchStorage

Close