New global BIA standard worth a look

ISO 22317, a new global standard for conducting a business impact analysis, is worth a look if you are preparing to perform a BIA or updating a current BIA.

The business impact analysis (BIA) is one of the most important activities you perform as business continuity professionals. The Business Continuity Institute's Good Practice Guidelines (2013 edition) define a BIA as "a process of analyzing activities and the effect that a business disruption might have on them."

The importance of business impact analysis has been underscored with the recently drafted international standard, ISO 22317, Societal Security -- Business Continuity Management Systems -- Guidelines for Business Impact Analysis. The draft BIA standard is expected to provide a new level of standardization and uniformity in how BIAs are planned and orchestrated. And it addresses the key issues regarding BIAs.

Parts of the BIA process

The BIA process provides essential data about an organization that is used, in conjunction with a risk analysis, to identify the mission-critical business processes in that organization; the importance of those processes to the organization in achieving its business goals; and the financial, operational, competitive and reputational impacts to the firm if those processes are compromised. The BIA also provides important data for defining business continuity strategies, which are among the requisites needed for preparing a business continuity plan.

The BIA identifies key metrics such as recovery time objectives and recovery point objectives. It identifies key internal and external dependencies, vital records needed by the organization to operate, and critical resources (e.g., people, process, technology, facilities) the firm needs.

BIAs can take on a variety of forms and structures. They are often set up using spreadsheets so that organizations can easily identify and quantify BIA attributes and metrics, where appropriate. Once a company has completed the discovery part of the BIA process, the next steps are to analyze the data, identify key patterns and relationships, and summarize them in a detailed BIA report. BIA results identify the most critical business processes, technologies and resources. This data can be used to identify what actions and resources are needed to ensure that critical processes can be quickly recovered and restored to an acceptable level of operation in the aftermath of a disruptive event.

Risk analyses identify internal and external risks, threats and vulnerabilities, the probability they might occur, the potential impact to the organization if they do occur, and the potential financial impact. These results are mapped to BIA results to help define the strategies and tactics that must be implemented to mitigate the threats to the firm's most important business processes.

BIAs can be performed manually or they can be completed using specialized software optimized for the BIA process. After almost 30 years of working in the business continuity (BC) profession, I can offer one truism: there are almost as many ways to perform a BIA as there are BC professionals.

The new BIA standard

ISO 22317 sets the stage for a business impact analysis by identifying how BIAs fit into an overall business continuity program or business continuity management system. The first section in the BIA standard, Prerequisites, underscores the importance of senior management support for the BIA process and provides guidance for setting the BIA scope, content, participants, resources and objectives.

The next major section of the BIA standard, Performing the Business Impact Analysis, breaks down the BIA process into its component parts and activities. Figure 1 below provides a visual perspective on key BIA activities.

Figure 1. BIA process components

Who is involved in a BIA process?

Senior management defines the mission-critical business processes and their priorities for recovery and restoration in the aftermath of a disruptive event. Senior management support of the BIA is essential if the activity is to be performed properly.

Process owners, who are typically defined as heads of specific departments or functions, are the key discovery channels as they understand their critical business processes and are thus a key source of information for the BIA. Activity managers may report to process owners; they perform the actual hands-on work associated with each critical process and know the details associated with each identified process.

Once the critical business functions and processes have been identified and relevant data on each has been gathered, the analysis process begins. Senior management must review and approve the BIA report, which summarizes BIA findings and recommended actions, as the results are used to formulate business continuity strategies.

Sections in the business impact analysis standard

ISO 22317 organizes the BIA process into distinct sections: 

  • Project Planning and Management
  • Product and Service Prioritization
  • Process Prioritization
  • Activity Prioritization
  • Analysis and Consolidation
  • Obtaining Management Endorsement of BIA Results
  • Next Step -- Business Continuity Strategy Selection

Each of the above sections in the BIA standard has two key subsections: Inputs and Outcomes. Inputs list the attributes needed to address the specific activities in a section. These can be in the form of lists, documents, summaries of activities and other relevant discovery components. Outcomes delineate the likely results of the activity once it has been completed. These can include lists of results, priorities, activities and personnel.

Some of the subsections may have a Resources section, which identifies the information or assets needed to perform the activity. There may also be an Interdependencies section that defines internal and external resources a specific process or activity needs to perform properly. Outcomes are generally used in the Analysis process.

Just as business continuity plans are considered "living documents," so, too, are BIAs and risk analyses. They provide an accurate view of the business when they are conducted, and can also identify opportunities for improving business processes and activities.

ISO 22317 maps to the principal BIA activities that have been developed and refined for decades. The BIA standard is an ideal planning guide and checklist of activities to ensure that you cover all the bases when planning and executing a business impact analysis.

Although it is currently still in development, ISO 22317 is worth examining if you are preparing to perform a BIA or updating an existing BIA.

Key elements of the BIA process

The following are attributes for each subsection of the BIA process in ISO 22317:

  1. Project Planning and Management. Secure senior management support, set up the project plan and identify the resources needed.
  2. Product and Service Prioritization. Identify the most critical products and services the organization produces and the priority in which they must be recovered and restored.
  3. Process Prioritization. Identify the most critical business and operational processes the organization performs, such as manufacturing products or producing information, and the priority in which they must be recovered and restored.
  4. Activity Prioritization. Identify the common, yet essential, daily/weekly/monthly activities the organization performs, such as payroll, accounts payable, and regulatory compliance and reporting, and the priority in which they must be recovered and restored.
  5. Analysis and Consolidation. Consolidate data obtained in previous activities and draw conclusions that help identify business continuity requirements. This activity also defines appropriate quantitative and qualitative analytic approaches. These can be influenced by the type, size or nature of the organization, as well as resource and skill constraints. Selected analytic approaches depend on the type of data gathered and the desired BIA outcomes.
  6. Obtaining Management Endorsement of BIA Results. Senior management reviews and approves the draft BIA report. Additional activities defined in this section are periodic reviews of BIA data and scheduling of subsequent BIAs to validate previous data and identify new BIA data.
  7. Next Step -- Business Continuity Strategy Selection. Use BIA results (along with risk analysis results) to identify business continuity strategies, such as the use of alternate manufacturing areas, working from home or moving to another office location. Strategies, along with key BIA data, are used to prepare business continuity plans.

The final primary section of ISO 22317 is BIA Process Monitoring and Review. Simply stated, this section underscores the importance of BIAs in the overall BCMS, their relevance to the business, the need to integrate BIA concepts with business activities, and the importance of periodic BIA reviews and updates.
