Business Impact Analysis (BIA)
What is Business Impact Analysis (BIA)?
A business impact analysis (BIA) is the process of determining the criticality of business activities and associated resource requirements to ensure operational resilience and continuity of operations during and after a business disruption. The BIA quantifies the impacts of disruptions on service delivery, risks to service delivery, recovery time objectives (RTOs), and recovery point objectives (RPOs). These recovery requirements are then used to develop strategies, solutions, and plans.
The BIA should identify the operational and financial impacts of disrupting business functions and processes. Impacts to consider include:
- Lost sales and income
- Delayed sales or income
- Increased expenses (e.g., overtime labor, outsourcing, expediting costs, etc.)
- Regulatory fines
- Contractual penalties or loss of contractual bonuses
- Customer dissatisfaction or defection
- Delay of new business plans
Purpose of a Business Impact Analysis
Many organizations struggle to understand why a BIA is so important. However, when you think about business continuity as a long-term process, the BIA is the requirements-gathering portion of the process. Just like a project manager wouldn’t start executing a project without clear requirements, the same is true for business continuity: a BIA should deliver clear requirements. Specifically, the business impact analysis:
- Provides Confirmation of Business Continuity Program Scope: The BIA identifies the business activities and resources necessary to deliver the organization’s most important products and services. By understanding how the organization delivers its products and services, the BIA process may uncover activities or resources that were not originally in the program’s scope. Also, by understanding activity and resource impacts associated with disruption, the organization can identify which activities and resources need to be performed, regardless of circumstance, which may have an impact on the program’s scope.
- Identifies Legal, Regulatory, and Contractual Obligations: Many organizations do not have a clear, unified understanding of obligations. In fact, it is very rare to see any entity within an organization that has a full grasp of what is required during a disruption and what the implications are if the organization cannot meet those obligations. The BIA enables the organization to create a thorough understanding of these obligations and to enable the appropriate level of business continuity planning to achieve compliance.
- Provides Clarity on Business Continuity Strategy Spend: One of the most valuable aspects of the BIA is the estimation of impacts tied to downtime. Understanding financial, reputational, contractual, legal/regulatory, operational, and other impacts enable the organization to develop the business case with appropriate justification, to select, implement, and maintain business continuity strategies. With proper justification, the organization is set up to identify and implement appropriate capabilities needed to meet recovery objectives – resulting in the appropriate spend.
- Captures Preliminary Plan Content: The BIA process can be used to begin the data collection effort for business continuity plans. When performing the BIA, the organization can begin to collect business continuity plan content, such as existing controls and recovery strategies, team and staffing requirements, internal and external contact information, and other resource-specific information required for the business continuity plan. Once this information is collected, the organization can begin to populate the business continuity plan and present a starting point to those charged with creating and maintaining the plans (as opposed to starting with a blank template).
Phases of a Business Impact Analysis
There isn’t one single method for performing a business impact analysis. It will be different for each business, and every company needs to customize its process to its organization’s unique needs. However, there are a few components of a business impact analysis that need to be present for it to be successful.
- Preparation: Before you start your business impact analysis, you will need to form a project team that will carry out your business impact analysis. This can be a team of current employees or an outsourced team dedicated to performing business impact analyses. To prepare for the actual work of the business impact analysis, this team, working with upper management, should define and document the objectives and scope of the impact analysis. Which departments will be involved, how the information will be collected and stored, and the project timeline should all be determined before you begin.
- Information Gathering: Gathering the raw data about your business processes is the next step in your business impact analysis. The two most common methods to collect this data are interviews with the people who manage and execute each process and a business impact analysis questionnaire. A business impact analysis questionnaire is the most efficient method of collecting information. If you were to utilize interviews instead, you would collect the same information discussed below, but it would be less standardized than a questionnaire. Project Manager provides a solid list of questions that make up a questionnaire:
- The name of the process
- A detailed description of where the process is performed
- All the inputs and outputs in the process
- Resources and tools that are used in the process
- The users of the process
- The timing
- The financial and operational impacts
- Any regulatory, legal, or compliance impacts
- Historical data
Essentially, your list should include questions that employees from several different departments can answer: managers will likely understand the financial and operational impacts, while lower-level employees performing processes will be able to provide a detailed description and all of the inputs and outputs. Regulatory and legal impacts can be answered by your compliance team, in-house counsel, or division management. You might also give the survey to outside business partners who may have insight into this process or members of upper management who are involved or have a stake in it. In short, you should have anyone who performs or manages any part of the process complete the business impact analysis survey to create the most comprehensive plan possible. Once all surveys are collected (or interviews completed, if your team is taking that route), you should consolidate all the data into one document that clearly lists the information listed above for each process. Ensure you’re not missing any information and that the collected data is concise and clear so that anyone reading it can understand the process and the most important information about it. You can even create flowcharts of each process if that’s helpful.
- Information Review And Analysis: Once you have collected all the information needed about each business process, the impact analysis can begin. Looking at each process the business impact analysis team will look at each process to determine three things:
- Which functions and processes are most important to your business’ continual operation? A prioritized list of every process is the eventual outcome of this determination. If there was a large-scale disaster tomorrow, this list would tell your business which processes to get up and running first and which ones can wait.
- What human and technology resources does each process need to operate successfully? This will allow you to prioritize people and technology in the event of a process going down; instead of involving too many people or unnecessary tech, your business can identify the critical players and get them involved until the process is up and running normally.
- What is the recovery timeline for bringing the process back to operation normally (or as close to normal as possible)? When making this determination, you should consider both how much time it will take in practical terms and how quickly your team will need to recover the process to avoid further reputational or monetary losses and identify any large disparities between these two.
If there is a process that you determine needs to be up and running within 12 hours to keep your company in operation, and your current resources can only get it operational within 24 hours, that is an issue that needs to be addressed in the recommendations section of your business impact analysis. In the end, you should have a prioritized list of processes and recovery sequences for critical functions so that in the event of any kind of business interruption, your company can make a quick determination about how to prioritize recovery. Whether the incident affects every department, one single department, or a few departments throughout the company, leadership will be able to determine what to focus on first. This prioritized list should be reviewed with some of the stakeholders that were involved in the information collection phase so that the business impact analysis team can confirm they’ve correctly prioritized processes and aren’t missing any crucial information. Department heads, upper management, and compliance, financial, and IT leaders can help you make sure you’re understanding the impacts of each process being down and how important each one is in the larger context of your business.
- BIA Report Creation: Once all of this information has been analyzed and confirmed, you’ll prepare a business impact analysis report to present to senior management and other stakeholders in disaster recovery. This report is the most important outcome of your business impact analysis because it’s what you will use to communicate your findings and recommendations to the people in your business who can change the disaster recovery process. Your business’ disaster recovery process can’t be fully developed and effective without a business impact analysis because, without it, your disaster recovery process won’t be built on reality. Suppose your company’s leadership doesn’t understand which processes are the most important to get up and running and what resources are needed to make that happen. In that case, they cannot create a fully informed disaster recovery process. It’s important to make sure that your business impact analysis team and your business leadership team understand this when you’re creating and delivering your report. Your final business impact analysis report should contain, at a minimum, the following information:
- Executive summary
- Objectives and scope of the business impact analysis
- Methodologies used in collecting information
- Summary of findings
- Detailed findings on each department, including:
- the most crucial processes or functions
- the impact of the disruptions to the various areas of the business
- the acceptable duration of the disruption
- the tolerable levels of losses
- comparison between the potential financial costs and the estimated costs for recovery strategies that may be employed
- Supporting documents for the findings
- Recommendations for recovery
This report is what you’ll provide to management and stakeholders to give them insight into the process, help them understand your findings, and learn what the best options for recovery of each process are. Take the time to make sure it is thorough, well-written, and easy to understand.
- Business Impact Analysis Recommendation Implementation: The final step in this process is implementing recommendations. Once your team has conducted the business impact analysis and communicated the findings, it is ultimately up to leadership to act on it. Still, your team can help promote the findings of the analysis and encourage leadership to move forward with your recommendations. This final step should include updates and changes to the recommendations when you find that any of your previous recommendations aren’t working as intended, new processes are implemented, or new departments are formed. Your business isn’t a static entity; it is changing and growing all the time, and your business impact analysis should change with it.
Analyzing the Results of a BIA
The goals of the BIA analysis phase are to determine the most crucial business functions and systems, the staff and technology resources needed for operations to run optimally, and the time frame within which the functions need to be recovered for the organization to restore operations as close as possible to a normal working state. The analysis may be manual or computer-assisted.
Challenges include determining the revenue impact of a business function and quantifying the long-term impact of losses in market share, business image, or customers. Impacts to consider include delayed sales or income, increased labor expenses, regulatory fines, contractual penalties, and customer dissatisfaction.
The business impact analysis report typically includes an executive summary, information on the methodology for data gathering and analysis, detailed findings on the various business units and functional areas, charts and diagrams to illustrate potential losses, and recommendations for recovery. The report prioritizes the most important business functions, examines the impact of business interruptions, specifies legal and regulatory requirements, details acceptable levels of downtime and losses, and lists the RTOs and RPOs. The report may list the order of activities necessary to restore the business.
Senior management reviews the report to devise a business continuity plan and disaster recovery strategy. This should consider maximum permissible downtime for important business functions and acceptable losses in areas such as data, finances, and reputation. Senior managers must review and update the BIA periodically as business operations change.