A business impact analysis is a key part of the business continuity process that analyzes mission-critical business functions and identifies and quantifies the impact a loss of those functions -- e.g., operational, financial -- may have on the organization.
A business impact analysis (BIA) is critical in assessing the cost of business disruption and how disaster recovery plays a role in mitigating it. The BIA has several crucial elements, which include executive backing; a deep understanding of the organization; and BIA tools, processes and findings.
SearchDisasterRecovery has created a free, downloadable business impact analysis template to assist you in your business continuity planning. Download and print out our template, and then read the step-by-step guide below to create a successful business impact analysis.
Preparing a business impact analysis
Once risks to an organization have been identified -- usually through a risk analysis -- the next step in a business impact analysis is to determine how the identified risks affect specific business operations. Let's assume that if all business functions are performing normally, the organization ought to be fully viable, competitive and financially solid. If an incident -- internal or external -- negatively affects business operations, the organization could be compromised.
Business impact analyses help business continuity/disaster recovery professionals to identify business priorities and validate or modify them for plan development. Questionnaires must be formulated for preinterview data gathering or in-person interviews. People with in-depth knowledge of and experience with the business functions being analyzed are ideal candidates for BIA interviews.
In some cases, it may be possible to develop business impact analysis questionnaires into an automated survey -- an example of which is BIA Professional from SunGard Availability Services -- in which the results can be captured and summarized. Often, it is useful to include an incident description for interviewees to use when answering the questions. An example of such a situation is when:
- the business unit's portion of the building is completely destroyed;
- all records, data files, technology, supplies and other support systems are lost;
- some key personnel are not available;
- primary business processes are affected immediately, and for at least 30 days; and
- the disaster occurs during a peak processing period for the business unit.
Incident descriptions help frame the interviewee's response so it can be in alignment with specific risks and threats.
Business impact analysis software tools can aid in your planning, but it's important to assess if an off-the-shelf product is suitable for your organization.
The final BIA report should provide key elements such as system and application recovery point objectives, reliance on internal and external systems and applications, and service-level agreements.
Ultimately, the BIA's purpose is to identify, prioritize and document the relative importance of various business processes conducted by business units.
Tips for performing a business impact analysis
Keep in mind the following key tips when performing a business impact analysis:
- Get the support of senior management. Given the nature of BIAs, and the time needed for research, be sure to obtain senior management support so that your project goals can be achieved.
- Take the business impact analysis process seriously. Although the BIA can take a great deal of time for data gathering and analysis, its value is essential as you develop plans. BIAs do not have to be dozens of pages long; they simply need the right information, and that information should be current and accurate.
- There are no formal BIA standards. Despite many business continuity standards being available in the U.S., no formal standards exist for BIAs.
- Keep it simple. Gathering the right information is critical; the associated business impact analysis template provides a baseline for information to be gathered. If a one-page business impact analysis summary provides the relevant information, versus one with dozens of pages, it is perfectly acceptable.
- Review results with business units. Once the plan is complete, review the findings with business unit leaders to make sure your assumptions are correct.
- Be flexible. The suggested template in this article may be too complex for some organizations; feel free to modify it as you see fit to accomplish your goals.
Using our business impact analysis template
Next, we'll examine the structure and content of the business impact analysis template, indicating key issues to address and activities to perform. This can be easily organized and managed via standard spreadsheets.
- Business unit name: Enter the business unit's name.
- Head count: Enter the number of full-time staff in the business unit and, optionally, part-time staff and contractors, if applicable.
- Parent process: Describe the principal activities the unit performs, e.g., sales, contractor interface or investor relationship management.
- Priority ranking: Enter a number here for subjective ranking of process importance.
- Recovery time objective: Enter a time frame -- e.g., one hour, one week -- in this section; it describes the time a parent process has to return to business almost as usual following a disruption.
- Recovery point objective: Enter a time frame -- e.g., one hour, one day -- in this section; this is a point in time to which parent process work should be restored following a disruption.
- Parent process depends on: Enter names of organizations and processes the parent process depends on for normal operations.
- Parent process required by: Enter names of organizations and processes that depend on the parent process for normal operations.
- (Optional) Subprocess: Enter a description of supporting activities the unit performs, e.g., sales analysis, financial analysis.
- (Optional) Priority ranking: Enter a number here for subjective ranking of subprocesses and their importance to the business unit.
- (Optional) Recovery time objective: Enter a time frame; it describes the time a subprocess has to return to business almost as usual following a disruption.
- (Optional) Recovery point objective: Enter a time frame; this is a point in time to which subprocess work should be restored following a disruption.
- (Optional) Subprocess depends on: Enter names of organizations and processes the subprocess depends on for normal operations.
- (Optional) Subprocess required by: Enter names of organizations and processes that depend on the subprocess for normal operations.
- Quantitative impact: Enter a financial amount associated with the parent process, e.g., annual revenue generated by the process.
- Qualitative impact: Enter a nonfinancial impact to the company, e.g., loss of reputation, loss of customers associated with parent process.
- Time needed to recover staff: Enter the number of staff that need to be back to business almost as usual within specific time frames.
- Recovery strategy: Enter specific actions the business unit can take to recover to a business almost as usual state, e.g., work from home, relocate to an alternate area, recover to a hot site.
- Technology and services recovery time: Enter the system and services in each time frame that must be recovered within the specific time frame.
- Comments: Self-explanatory.
An excellent way to learn about a business is to conduct a business impact analysis. In addition to identifying recovery priorities and time frames, conducting a BIA can also identify opportunities for process improvement.
Update: ISO releases BIA standard
BIA data results in a more focused business continuity plan
Six business continuity trends to keep an eye on