A business impact analysis is a key part of the business continuity process that analyzes mission-critical business functions and identifies and quantifies the potential impact a loss of those functions -- e.g., operational or financial -- may have on the organization.
A BIA is critical in assessing the cost of business disruption and how disaster recovery (DR) plays a role in mitigating it. The BIA has several crucial elements, which include executive backing; a deep understanding of the organization; and BIA tools, processes and findings.
SearchDisasterRecovery has created a free, downloadable business impact analysis template to assist you in your business continuity (BC) management planning. Download and print out our template, and then read the step-by-step guide and best practices below to create a successful business impact analysis.
The importance of a business impact analysis
Conducting a BIA is an excellent way to learn about an organization. In addition to identifying recovery priorities and time frames, a BIA can identify opportunities for process improvement.
Filling out the business impact analysis template outlines an organization's most important components and departments and shows where it is most vulnerable. The organization will assess and prioritize its functions, which is valuable not just in the context of BC/DR, but for general business as a whole. The BIA also notes legal, compliance and regulatory requirements.
The BIA can serve as one of the starting points for forming BC/DR strategies, which are important for any business. Through the BIA, an organization can examine its recovery time objectives (RTOs) and recovery point objectives (RPOs), which are the maximum amount of time it can take to recover from an incident and the extent of data it can afford to lose, respectively.
Because the BIA is a consistently evolving document -- and one that an organization should continually review -- it provides a chance for the business to analyze itself on a regular basis.
Preparing a business impact analysis
After the risks to an organization have been identified -- usually through a risk analysis -- the next step is to determine how the identified risks affect specific business operations. Let's assume that, if all business functions are performing normally, the organization ought to be fully viable, competitive and financially solid. If an incident -- internal or external – negatively affects business operations, the organization could be compromised.
Business impact analyses help BC/DR professionals identify business priorities and validate or modify them for plan development. Questionnaires must be formulated for pre-interview data gathering or in-person interviews. People with in-depth knowledge of and experience with the business functions being analyzed are ideal candidates for BIA interviews.
In some cases, it may be possible to develop BIA questionnaires into an automated survey -- such as BIA Professional from Sungard Availability Services -- in which the results can be captured and summarized. Often, it is useful to include an incident description for interviewees to use when answering the questions. Examples of such a situation include:
- The business unit's portion of the building is completely destroyed.
- All records, data files, technology, supplies and other support systems are lost.
- Some key personnel are not available.
- Primary business processes are affected immediately and for at least 30 days.
- The disaster occurs during a peak processing period for the business unit.
Incident descriptions help frame an interviewee's response so it can be in alignment with specific risks and threats.
Business impact analysis software tools can aid in your planning, but it's important to assess if an off-the-shelf product is suitable for your organization.
The final BIA report should provide key elements, such as system and application RPOs, reliance on internal/external systems and applications, and service-level agreements.
Tips for performing a business impact analysis
Ultimately, the BIA's purpose is to identify, prioritize and document the relative importance of various business processes conducted by business units. Here are a few tips to keep in mind.
Get the support of senior management. Given the nature of BIAs and the time needed for research, having senior management buy-in can enable you to achieve your project goals.
Take the business impact analysis process seriously. While it can take a great deal of time to gather and analyze data, its value is essential. BIAs need the right information, which should be current and accurate.
Use the new BIA standard. ISO 22317, released in 2015, can help improve your business impact analysis process.
Keep it simple. Gathering the right information is critical; the associated business impact analysis template provides a baseline for information to be gathered. If a one-page BIA summary provides the relevant information versus one with dozens of pages, it is perfectly acceptable.
Review results with business units. Once the plan is complete, review the findings with business unit leaders to make sure your assumptions are correct.
Be flexible. The suggested template in this article may be too complex for some organizations; feel free to modify it as you see fit to accomplish your goals.
Using our business impact analysis template
Next, we'll examine the structure and content of the business impact analysis template, indicating key issues to address and activities to perform. This can be easily organized and managed via standard spreadsheets.
- Business unit name: Enter the business unit's name.
- Head count: Enter the number of full-time staff in the business unit and, optionally, part-time staff and contractors, if applicable.
- Parent process: Describe the principal activities the unit performs, e.g., sales, contractor interface or investor relationship management.
- Priority ranking: Enter a number here for subjective ranking of process importance.
- Recovery time objective: Enter a time frame -- e.g., one hour, one week -- in this section; it describes the time a parent process has to return to business almost as usual following a disruption.
- Recovery point objective: Enter a time frame -- e.g., one hour, one day -- in this section; this is a point in time marking an acceptable loss of parent process data following a disruption.
- Parent process depends on: Enter names of organizations and processes the parent process depends on for normal operations.
- Parent process required by: Enter names of organizations and processes that depend on the parent process for normal operations.
- (Optional) Subprocess: Enter a description of supporting activities the unit performs, e.g., sales analysis, financial analysis.
- (Optional) Priority ranking: Enter a number here for subjective ranking of subprocesses and their importance to the business unit.
- (Optional) Recovery time objective: Enter a time frame; it describes the time a subprocess has to return to business almost as usual following a disruption.
- (Optional) Recovery point objective: Enter a time frame; this is a point in time marking an acceptable loss of subprocess data following a disruption.
- (Optional) Subprocess depends on: Enter names of organizations and processes the subprocess depends on for normal operations.
- (Optional) Subprocess required by: Enter names of organizations and processes that depend on the subprocess for normal operations.
- Quantitative impact: Enter a financial amount associated with the parent process, e.g., annual revenue generated by the process.
- Qualitative impact: Enter a nonfinancial impact to the company, e.g., loss of reputation, loss of customers associated with parent process.
- Time needed to recover staff: Enter the number of staff that need to be back to business almost as usual within specific time frames.
- Recovery strategy: Enter specific actions the business unit can take to recover to a business almost as usual state, e.g., work from home, relocate to an alternate area, recover to a hot site.
- Technology and services recovery time: Enter the system and services in each time frame that must be recovered within the specific time frame.
- Comments: Self-explanatory.
Where business impact analysis fits into continuity planning
Because a BIA identifies the cost impact of specific failures and incidents on an organization, it should be considered the lifeblood of an organization's BC/DR plan. A BIA also helps define recovery strategies that enable organizations to respond to disasters of any size.
The business impact analysis template should be filled out at about the same time as a risk assessment (RA). The RA identifies potential risks to the business and the likelihood they will occur, while the BIA lays out extensive and specific details about an organization's systems, technology, processes and employees, and how an incident would affect them.
Once the BIA and RA have been completed, the organization can build out its detailed BC/DR plans. It is important to review and test each element of those plans, and amend them as necessary, because it's not certain that processes will work unless they've been verified.
During an emergency or disaster, a BIA helps to identify the most critical elements of the organization so the response process can start as soon as possible. Knowing which elements need to be recovered the quickest can make all the difference.
While it may be a busy and frenzied time for the company, it's important to have the BIA and the rest of the BC/DR planning documents handy and follow previously tested procedures that will help the organization recover and restore operations. As a result, it's imperative that the BIA and other important documents are easily accessible, in hard-copy form and online.
The crisis management and communications teams must have detailed knowledge of the company, as well as the BIA and other planning documents. The crisis management team must have the authority to make key decisions during the crisis, while the communications team is responsible for relaying that vital information to those affected.
After the event, the organization should review its response process, which includes the effectiveness of the business impact analysis.
Goals of BIA
The business impact analysis is one of the best planning procedures an organization can undertake. Goals should include the following:
- determining the most critical functions and systems;
- figuring out financial, operational, legal and reputational costs if those systems went down;
- deciding on the RPO and RTO;
- establishing requirements for recovery;
- taking time with the critical business process to ensure information is correct and up-to-date;
- analyzing areas of weakness and vulnerability; and
- gaining senior management approval of the document.
There are many benefits to completing the BIA process and having a living document, including:
- The process gets company leaders talking about the organization and its most crucial elements. In the end, a company may find areas where improvement is needed.
- A comprehensive BIA, which an organization can achieve through the business impact analysis template, is a proactive method for solid BC/DR.
- The BIA provides concise, relevant information about an organization's most important aspects and the costs incurred if there's downtime.
Completing a BIA takes a lot of work, resources and people. It requires teamwork -- from the person filling out the business impact analysis template to the senior management approving the final document. Because input from different departments is required, employees must be diligent about providing the proper information in a timely fashion.
Within the BIA itself, it's important to highlight who has a role in the specific action items if an incident occurs. In a small business, one person may need to fill a number of different roles. A larger business may have a whole group, such as a crisis management team, dedicated to the recovery effort. It's crucial that each person assigned to a task knows exactly what to do in a given situation so there are no missteps. In addition, for the sake of continuity, any action steps should be clear enough so a replacement can step in and do the work if a designated person is not available.
The BIA can be tested as part of the overall BC/DR plans. Depending on the scope of the test and company, all staff members may want to be involved in a test in some way so it's clear what they should do in the event of an unplanned incident. Open communication between the BC managers and the rest of the organization is key to maintaining a relevant, updated BIA.
Common mistakes to avoid
With a critical business process that is so intensive, it's easy to make mistakes. Here are a few to avoid:
- Rushing through the BIA. Given the severity of the potential impact, an organization should take the time to do a comprehensive job rather than let anything fall through the cracks.
- Paying too much attention to one element. For example, don't spend so much time on the financial impact component of the BIA that you ignore other potential impacts to the business.
- Mistaking an RA for a BIA. A risk assessment details what might cause downtime, while a BIA shows its impacts. These should be two separate documents.
Update: ISO releases BIA standard
BIA data results in a more focused business continuity plan
Six business continuity trends to keep an eye on