This article is part of an Essential Guide, our editor-selected collection of our best articles, videos and other content on this topic. Explore more in this guide:
1. - Good planning and management are key for business continuity and disaster recovery success: Read more in this section
- Ten common business impact analysis mistakes
- The difference between a risk analysis process and conducting a BIA
- How to build an incident response plan
- Focus on training teams, defining roles for ISO 22301 compliance
- Create your own disaster recovery testing scenarios
- How to set up a DR/BC maintenance program
- Use this free business impact analysis template and guide
- Getting started with IT risk assessment: A free template and guide
Explore other sections in this guide:
- 2. - Recent storage and server developments ease BC/DR planning
- 3. - Network disaster recovery planning and building resilient networks
- 4. - Security an important part of BC/DR planning
A business impact analysis (BIA) is a key part of the business continuity process that analyzes mission-critical business functions, and identifies and quantifies the impact a loss of those functions (e.g., operational, financial) may have on the organization.
SearchDisasterRecovery.com has created a free downloadable business impact analysis template to assist you in your business continuity planning. Download and print out our template, and then read the step-by-step guide below to create a successful business impact analysis.
Using a business impact analysis template: Table of contents
Once risks to an organization have been identified -- usually through a risk analysis -- the next step in a business impact analysis is to determine how the identified risks affect specific business operations. Let's assume that if all business functions are performing normally, the organization ought to be fully viable, competitive and financially solid. If an incident -- internal or external -- negatively affects business operations, the organization could be compromised.
Business impact analyses help business continuity/disaster recovery professionals identify business priorities and validate or modify them for plan development. Questionnaires must be formulated for pre-interview data gathering and/or in-person interviews. People with in-depth knowledge of and experience with the business functions being analyzed are ideal candidates for BIA interviews. In some cases it may be possible to organize interview questions into an automated survey (an example of which is BIA Professional, from SunGard Availability Services), in which the results can be captured and summarized.
Often it is useful to include an incident description for interviewees to use when answering the questions. An example of such a situation is:
- The business unit's portion of the building is completely destroyed;
- All records, data files, technology, supplies, and other support systems are lost;
- Some key personnel may not be available;
- Primary business processes will be affected immediately and for at least 30 days;
- The disaster occurs during a peak processing period for the business unit.
Incident descriptions help frame the interviewee's response so it can be in alignment with specific risks and threats.
Ultimately, the BIA's purpose is to identify, prioritize and document the relative importance of various business processes conducted by business units.
Keep in mind the following key tips when performing a business impact analysis:
- Get the support of senior management. Given the nature of BIAs, and the time needed for research, be sure to obtain senior management support so that your project goals can be achieved
- Take the business impact analysis process seriously. Although the BIA can take a great deal of time for data gathering and analysis, its value can be essential as you develop plans. BIAs do not have to be dozens of pages long. They simply need the right information, and that information should be current and accurate.
- There are no formal BIA standards. Despite many business continuity standards available in the U.S., no formal standards exist for BIAs.
- Keep it simple. Gathering the right information is critical; the associated template provides a baseline for information to be gathered. If a one-page business impact analysis summary provides the relevant information, versus one with dozens of pages, it can be perfectly acceptable
- Review results with business units. Once the plan is complete, review the findings with business units leaders to make sure your assumptions arte correct
- Be flexible. The suggested template in this article may be too complex for some organizations; feel free to modify it as you see fit to accomplish your goals.
Next, we'll examine the structure and content of the template, indicating key issues to address and activities to perform. This can be easily organized and managed via standard spreadsheets.
- Business unit name: Enter the business unit name
- Head count: Enter the number of full-time staff in the business unit, optionally, part-time and contractors, if applicable
- Parent process: Describe the principal activities the unit performs, e.g., sales, contractor interface, or investor relationship management
- Priority ranking: Enter a number here for subjective ranking of process importance
- Recovery time objective: Enter a time frame, e.g., one hour, one week in this section; it describes the time a parent process must return to "business almost as usual" following a disruption
- Recovery point objective: Enter a time frame, e.g., one hour, one day in this section; this is a point in time to which parent process work should be restored following a disruption
- Parent process depends on: Enter names of organizations and/or processes the parent process depends on for normal operations
- Parent process required by: Enter names of organizations and/or processes that depend on the parent process for normal operations
- (Optional) Sub-process: Enter description of supporting activities the unit performs, e.g., sales analysis, financial analysis
- (Optional) Priority ranking: Enter a number here for subjective ranking of sub-process(es) and their importance to the business unit
- (Optional) Recovery time objective: Enter a time frame; it describes the time a sub-process must return to "business almost as usual" following a disruption
- (Optional) Recovery point objective: Enter a time frame; this is a point in time to which sub-process work should be restored following a disruption
- (Optional) Sub-process depends on: Enter names of organizations and/or processes the sub-process depends on for normal operations
- (Optional) Sub-process required by: Enter names of organizations and/or processes that depend on the sub-process for normal operations
- Quantitative impact: Enter a financial amount associated with the parent process, e.g., annual revenue generated by the process
- Qualitative impact: Enter a non-financial impact to the company, e.g., loss of reputation, loss of customers associated with parent process
- Time needed to recover staff: Enter the number of staff that need to be back to "business almost as usual" within specific time frames
- Recovery strategy: Enter specific actions the business unit can take to recover to a "business almost as usual" state, e.g., work from home, relocate to an alternate area, recover to a hot site
- Technology/Services recovery time: Enter the system and services in each time space that must be recovered within the specific time frame
- Comments: Self-explanatory
An excellent way to learn about a business is to conduct a business impact analysis. In addition to identifying recovery priorities and timeframes, conducting a BIA can also identify opportunities for process improvement.
About this author: Paul F. Kirvan, FBCI, CBCP, CISSP, has more than 20 years experience in business continuity management as a consultant, author and educator. He is also secretary of the Business Continuity Institute USA Chapter.