Business Impact Assessment
A Business Impact Analysis (BIA) is a method for analyzing how disruptions may impact an organization. The analysis considers the timescale and intensity of a disruption and looks at the resulting impacts on important products and services, and on the processes and activities that support them.
The BIA is an ongoing process, with analyses taking place periodically or when a significant change is made within the organization. A BIA is conducted after Risk Assessment.
The outcomes of BIAs are:
- Mapping of impact types
- An assessment of cascading impacts as an incident develops
- Identification of tolerance for different impacts, including an assessment of the point in time where impacts would become unacceptable to the organization.
  - This is termed the MTPD (the maximum tolerable period of disruption) and is expressed as a timescale in minutes, hours, or days.
- Establishment of recovery time objectives (RTOs)
  - A determination of acceptable downtime. This is made only in a business impact analysis (BIA).
  - The planned timescale within which impacted aspects of the organization need to be resumed
- Strategies for incident response and achieving resumption within the RTOs.
Formulating the BIA
- Interviews with Stakeholders
- Review Assets to be assessed/in-scope
- Priority Levels
- Data Priority
- Assess timeframes
- Assess change impact
Creating and conducting a Business Impact Analysis requires the support of your company's executives. Without management support, the analysis is destined to fail. Executive backing gives you the clout you need to get cooperation and priority from other departments within the organization.
The most efficient and effective way to get management support is to ensure there is communication from the top down. The communication can take the form of an email, a town hall meeting or a managers' meeting. Stress the importance of the BIA in keeping the business up and running in the event of a disaster.
Understand the Organization
It will be impossible to complete the second element of a Business Impact Analysis unless you have identified all the critical business functions and processes your company performs. Look to the company's organizational structure, divisions and departments to find key contacts or subject matter experts who can help you identify and learn about the processes that will be impacted by a disaster.
Business processes, systems and functions should be considered critical if the failure to perform them would result in unacceptable damage to the company.
Business Impact Analysis Tools
Business Impact Analysis tools are the core of a successful analysis. These tools come into play after you have completed your review of the business and understand what part each process, function and system plays in the overall day-to-day operations. Use tools such as organizational charts, interviews, questionnaires, data flow diagrams and BIA software to gather data necessary to analyze the potential impact of a disaster on the business.
Business Impact Analysis Process
Using the tools of BIA, list each business process and function. Designate each process as critical or non-critical to conducting business. Compile a list of personnel who must be in place to perform these functions.
For the critical functions, gather detailed information about how each is performed, who performs it, and the operational and financial impact of an interruption to each on the first day of interruption. Repeat this assessment for the impact after the first week of interruption, after 30 days, and so forth. Determine a target recovery date for each process, each business system and each business-critical function.
Identify internal and external business dependencies. For example, list vendors who must be alerted to your status or new temporary location. Finally, designate a safe place for all the Business Impact Analysis data to be stored for future reference in the event of a disaster.
Business Impact Analysis Findings
The final element of a Business Impact Analysis is to confirm and present the findings. Confirm your assessment of the business impact and your conclusions with department managers or key personnel to ensure that what you have determined is accurate and realistic. Present your BIA findings to the executive management team to gain approval to use the findings to develop business recovery strategies.