1. BUSINESS IMPACT ANALYSIS
Disaster Management (5584)
ASSIGNMENT # 2
HUMA WASEEM
ROLL # BR564185
COL MBA
AUTUMN SEMESTER 2019
Submitted to: Saddar Ayyub
DEPARTMENT OF BUSINESS ADMINISTRATION
ALLAMA IQBAL OPEN UNIVERSITY ISLAMABAD
HUMA MALIK
2020
2. BUSINESS IMPACT ANALYSIS (BIA)
CONTENTS
1. INTRODUCTION
2. BUSINESS IMPACT ANALYSIS (BIA) - OVERVIEW
2.1. OBJECTIVES OF THE BUSINESS IMPACT ANALYSIS
2.2. STEPS IN BUSINESS IMPACT ANALYSIS
2.3. UPSTREAM AND DOWNSTREAM LOSSES
3. PURPOSE OF BUSINESS IMPACT ANALYSIS
4. IMPLICATIONS OF NOT PERFORMING A BIA
5. RISK ASSESSMENT
6. BIA & RISK ASSESSMENT
7. TYPES OF PROBLEMS THAT BIA ANTICIPATES
8. THE ROLE OF BIA IN DISASTER RECOVERY PLANNING
9. IMPACT CRITICALITY
9.1. CATEGORIES
9.2. RECOVERY TIME REQUIREMENTS
10. WHO CONDUCTS BUSINESS IMPACT ANALYSIS?
11. STEPS TO CONDUCT A BUSINESS IMPACT ANALYSIS
12. BUSINESS IMPACTS ANALYSIS CATEGORIES
13. DETERMINING THE IMPACT
14. COMMON CHALLENGES WITH A BUSINESS IMPACT ANALYSIS
15. MOST COMMON MISTAKES MADE IN BIA
16. WHEN TO REVIEW A BUSINESS IMPACT ANALYSIS?
17. ESSENTIAL ELEMENTS OF A BIA REPORT
18. SUMMARY
REFERENCES
1. INTRODUCTION
Online Business Dictionary defines Business Impact Analysis (BIA) as:
Management-level analysis aimed at identifying a firm's exposure to sudden loss of critical
business functions and supporting resources, due to an accident, disaster, emergency, and/or
threat. BIA involves assessing both financial and non-financial (customer service, market
confidence, creditor or supplier confidence) costs during business disruption and business
restoration periods. (BD, 2020)
Online defines Business Impact Analysis (BIA) as:
A business impact analysis (BIA) is the process of determining the criticality of business
activities and associated resource requirements to ensure operational resilience and continuity of
operations during and after a business disruption. The BIA quantifies the impacts of disruptions
on service delivery, risks to service delivery, and recovery time objectives (RTOs) and recovery
point objectives (RPOs). These recovery requirements are then used to develop strategies,
solutions and plans. (IT Glossary, 2020).
Canadian Centre for Occupational Health & Safety (CCOHS) defines Risk Assessment as the process
where you:
Identify hazards and risk factors that have the potential to cause harm (hazard
identification).
Analyze and evaluate the risk associated with that hazard (risk analysis, and risk
evaluation).
Determine appropriate ways to eliminate the hazard, or control the risk when the hazard
cannot be eliminated (risk control). (CCOHS, 2020)
2. BUSINESS IMPACT ANALYSIS (BIA)- OVERVIEW
Business impact analysis (BIA) is a process that identifies and assesses the effects that accidents,
emergencies, disasters, and other unplanned, negative events could have on a business. The BIA
(sometimes also called business impact assessment) predicts how a business will be affected by
everything from a hurricane to a labor strike.
The Business Impact Analysis (BIA) is performed to identify the key business processes and technology
components that would suffer the greatest financial, operational, customer, and/or legal and regulatory
loss in the event of a disaster. The main intent of a Business Impact Analysis is to identify all the critical
resources, systems, facilities, records, etc., that are required for the continuity of the business. The
Business Impact Analysis is only a part of the overall Business Assessment.
2.1. Objectives of the Business Impact Analysis
Objectives of the Business Impact Analysis include:
Identify all business processes within each business unit
Determine the financial, customer, operational, legal and/or regulatory impacts of each process
Establish the timeframes in which business and technology processes must be recovered
Define key internal and external relationships and dependencies of each process
Identify the necessary resources required for the recovery of each process and their associated
recovery time frames
Provide a foundation for the Risk Assessment Process
Business impact analysis (BIA) predicts how a potential crisis will affect business operations, so you can
prepare.
2.2. Steps in Business Impact Analysis:
Business impact analysis includes the following steps:
1. Identify key business processes and functions.
2. Establish requirements for business recovery.
3. Determine resource interdependencies.
4. Determine impact on operations.
5. Develop priorities and classification of business processes and functions.
6. Develop recovery time requirements.
7. Determine financial, operational, and legal impact of disruption.
The result of performing these seven steps is a formal business impact analysis, which is used in
conjunction with the risk assessment analysis to develop mitigation strategies.
2.3. Upstream and Downstream Losses:
In addition to the direct impact of a business disruption such as an earthquake or flood, there are also
indirect impacts you should consider. These can be viewed as upstream and downstream losses.
Upstream losses are those you will suffer if one of your key suppliers is affected by a disaster. If your
company relies on regular deliveries of products or services by another company, you could experience
upstream losses if that company cannot deliver. If you run a manufacturing company that relies on raw
materials arriving on a set or regular schedule, any disruption to that schedule will impact your
your company is unharmed. Downstream losses occur when key customers or the lives in your
community are hurricane or earthquake, your sales will certainly suffer. Similarly, if your company
provides any type of noncritical service to your community and there is a flood or landslide, your sales
could take a hit while residents of the community deal with the disaster. If you operate a chain of
restaurants or movie theaters or golf courses, residents will be more focused on dealing with the disaster
than on entertainment and leisure pursuits. These are considered downstream losses even if your
business, itself, has not taken the direct impact of a disaster.
People, businesses, and communities are interrelated; very few (if any) companies exist in isolation. A
natural disaster or serious disruption can create a chain reaction that ripples through the business
community and impacts the local or regional economy. (Snedaker & Rima, 2014)
3. PURPOSE OF BUSINESS IMPACT ANALYSIS
Many organizations struggle to understand why a BIA is so important. However, when you think about
business continuity as a long-term process, the BIA is the requirements gathering portion of the
process.
same is true for business continuity: a BIA should deliver clear requirements. Specifically, the business
impact analysis:
Provides Confirmation of Business Continuity Program Scope
important products and services. By understanding how the organization delivers its products and
scope. Also, by understanding activity and resource impacts associated with disruption, the organization
can identify which activities and resources need to be performed, regardless of circumstance, which may
Identifies Legal, Regulatory, and Contractual Obligations
Many organizations do not have a clear, unified understanding of obligations. In fact, it is very rare to
see any entity within an organization that has a full grasp of what is required during a disruption, and
what the implications are if the organization cannot meet those obligations. The BIA enables the
organization to create a thorough understanding of these obligations and to enable the appropriate level
of business continuity planning to achieve compliance.
Provides Clarity on Business Continuity Strategy Spend
One of the most valuable aspects of the BIA is the estimation of impacts tied to downtime.
Understanding financial, reputational, contractual, legal/regulatory, operational, and other impacts enables
the organization to develop the business case, with appropriate justification, to select, implement, and
maintain business continuity strategies. With proper justification, the organization is set up to identify
and implement appropriate capabilities needed to meet recovery objectives, resulting in the appropriate
spend.
Captures Preliminary Plan Content
The BIA process can be used to begin the data collection effort for business continuity plans. When
performing the BIA, the organization can begin to collect business continuity plan content, such as
existing controls and recovery strategies, team and staffing requirements, internal and external contact
information, and other resource-specific information required for the business continuity plan. Once this
information is collected, the organization can begin to populate the business continuity plan and present a
starting point to those charged with creating and maintaining the plans (as opposed to starting with a blank
template). (Avalution Consulting, 2020)
According to the Business Continuity Institute (www.thebci.org), a recognized leader in business
continuity management and certification, there are four primary purposes of the business impact
analysis:
1.
of each, and the timeframe for resumption of these following an unscheduled
interruption.
2. Inform a management decision on Maximum Tolerable Outage (MTO) for each
function.
3. Provide the resource information from which an appropriate recovery strategy can
be determined /recommended.
4. Outline dependencies that exist both internally and externally to achieve critical
objectives. (Snedaker & Rima, 2014)
4. IMPLICATIONS OF NOT PERFORMING A BIA
When organizations choose not to perform a BIA, some of the most common problems that occur that
affect the performance of the business continuity program include:
Subjective Recovery Objectives and Confusion Regarding Recovery Priorities
Without a formal BIA process, the organization often lacks focus and objectivity in determining scope,
establishing priorities and assigning appropriate recovery objectives. Without management-approved
recovery objectives, different organizational entities may have different priorities, leading to confusion
regarding what capabilities to invest in and prioritize for implementation. For example, IT will lack
necessary data and justification for assigning recovery objectives and investing in disaster recovery
capabilities.
Capability Gaps and Inaccurate Program Scope
Lack of a top-down program scoping and BIA process leads to misalignment be
expectations and program performance. Implementing strategies and plans without approved
requirements can lead to under-preparing and/or over-spending, which could lead to gaps in business
continuity
priorities before determining and implementing strategies, the organization may gradually become aware
of risks and gaps in business continuity capabilities as the program matures, leading to continuous, ad
hoc scope increases resulting in inefficiencies.
Lack of Justification for Investments in Preparedness
Many organizations attempt to implement a business continuity program, but often struggle with
connecting with management to gain necessary traction. The BIA begins to answer the questions that
management is asking: what are our business continuity requirements, what do we need to do, and how
much do we need to invest to get there? Without the BIA, the organization simply cannot
appropriately answer this question (and will certainly struggle to answer this question with confidence).
(Avalution Consulting, 2020)
5. RISK ASSESSMENT
Risk assessment looks at the various threats your company faces; business impact analysis looks at the
critical business functions and the impact of not having those functions available to the firm. These two
assessments look at the company from two different angles. The risk assessment starts from the threat
side, and the business impact analysis starts from the business process side.
general business risk, you might actually start with the business impact analysis. However, in planning
for business continuity as an outgrowth of disaster recovery, it makes more sense to understand the full
picture regarding risks and threats and then look at business impact. However, if you have a
methodology you use that starts with from the risk
assessment and the business impact analysis phases are used as input to the mitigation strategy
development. As long as you have those ready before you start the mitigation phase, you should be all
set. Figure 1 depicts where we are in the planning process thus far. (Snedaker & Rima, 2014)
Figure 1 Business Continuity and Disaster Recovery Planning Process
6. BIA & RISK ASSESSMENT
The BIA and risk assessment
continuity programs perform them together (or in close coordination). Here are the key distinctions
between a BIA and a risk assessment:
A BIA is particularly focused on establishing business continuity requirements, identifying
resource dependencies, and justifying proposed business continuity requirements by estimating
the impacts associated with downtime. A risk assessment focuses on understanding the likelihood
and severity associated with a loss of the activity and resources with the objective of establishing
a prioritized list of risk treatments to decrease the likelihood that the organization experiences a
disruption to its ability to deliver products and services.
Some organizations, and some other risk disciplines, perform risk assessments based on an
evaluation of potential threats (commonly called hazard and vulnerability analysis, or HVA);
however, in business continuity, we conduct a risk assessment based on failure modes (this
approach is sometimes called failure modes and effects analysis). The reason is simple
to identify all the threats that could interrupt a business! It is more practical to look at core failure
modes, specifically the disruption of resources needed to perform an activity. (Avalution
Consulting, 2020)
Business impact analysis and risk assessment are two important steps in a business continuity plan. A
BIA often takes place prior to a risk assessment. The BIA focuses on the effects or consequences of the
interruption to critical business functions and attempts to quantify the financial and non-financial costs
associated with a disaster. The business impact assessment looks at the parts of the organization that are
most crucial. A BIA can serve as a starting point for a disaster recovery strategy and examine recovery
time objectives (RTOs) and recovery point objectives (RPOs), and resources and materials needed
for business continuance.
A risk assessment identifies potential hazards such as a hurricane, earthquake, fire, supplier failure,
utility outage or cyber attack and evaluates areas of vulnerability should the hazard occur. Assets put at
risk include people, property, supply chain, information technology, business reputation and contract
obligations. Points of weakness that make an asset more prone to harm are reviewed. A mitigation
strategy may be developed to reduce the probability that a hazard will have a significant impact. (Rouse,
2019)
7. TYPES OF PROBLEMS THAT BIA ANTICIPATES
BIA seeks to anticipate anything that could go wrong. These events include occurrences that affect entire
countries or regions as well as issues that may be specific to a single location, organization, or industry:
Natural Disasters: Hurricanes, tornadoes, wildfires, earthquakes, volcanic eruptions, droughts,
snowstorms, etc.
Accidents: Environmental mishaps, toxic emissions (like oil leaks and chemical spills),
equipment malfunctions or breakdowns (including those that injure workers), plant fires,
explosions, product contamination, human mistakes, errors, and omissions.
Emergencies: Power or other utility outages, computer hacking attacks, data loss or corruption,
labor disputes, absenteeism, systems breakdowns (including computing infrastructure),
disruptions of supply chains, shortages of raw materials, failure by a service provider, problems
with transportation networks, loss of communications, political crises (like riots and civil wars),
and regulatory interventions (such as a factory closure after failing an inspection or a product
recall). (Smartsheet, 2020)
In a risk assessment phase, you will determine the types of threats that a business faces and then quantify
the risks. There is some debate as to whether risk assessment should follow or precede business impact
analysis, but the consensus among experts tilts toward doing the risk assessment first. That way, the BIA
process can focus on the most likely risks first.
located on the ocean coast faces a risk of flooding, and historical patterns suggest a high probability of
this event reoccurring. A similar factory in the desert would face a far lower probability of flooding. So,
the coastal company would focus more of its BIA efforts on flooding, while the desert-based company
would give planning for drought a higher priority.
Business impact analysis looks at the consequences of each threat for every aspect of an organization.
The BIA team answers questions like the following:
If a flood did occur, what would the impact be on manufacturing, distribution, customer support,
and management?
How high would floodwaters have to be to prevent orders from being shipped?
Is power likely to be shut off to the assembly line during a flood?
What would the effect be on products in mid-production? Would workers be stranded?
How long could the company continue to fulfill orders from its other warehouses?
Two baseline assumptions shape business impact analysis:
All elements of a business depend on the continued operation of its other parts.
Some aspects of a business are more critical than others and should receive more spending when
a disruption takes place in order to minimize the impact or speed recovery. (Smartsheet, 2020)
8. THE ROLE OF BIA IN DISASTER RECOVERY PLANNING
As part of a disaster recovery plan, a BIA is likely to identify costs linked to failures, such as loss of cash
flow, replacement of equipment, salaries paid to catch up with a backlog of work, loss of profits, staff
and data, and so on. A BIA report quantifies the importance of business components and suggests
appropriate fund allocation for measures to protect them. The possibilities of failures are likely to be
assessed in terms of their impacts in areas such as safety, finances, marketing, business reputation,
legal compliance and quality assurance. Where possible, impact is expressed monetarily for purposes of
comparison. For example, a business may spend three times as much on marketing in the wake of a
establish recovery strategies, priorities, and requirements for resources and time. (Rouse, 2019)
9. IMPACT CRITICALITY
9.1. CATEGORIES
You can develop any category system that works for you but as with all rating systems, be sure the
categories are clearly defined and that there is a shared understanding of the proper use and scope of
each. Here is one commonly used rating system for assessing criticality:
Category 1: Critical Functions - Mission-Critical
Category 2: Essential Functions - Vital
Category 3: Necessary Functions - Important
Category 4: Desirable Functions - Minor
Obviously, your business continuity plan will focus the most time and resources on analyzing the critical
desirable functions until later stages of your business recovery.
Many companies identify these four areas and set timelines for when each of these categories will be
category descriptions as-is o
Category 1: Critical Functions - Mission-Critical
A mission-critical task, service, or system is one whose failure or disruption would cause an entire
operation or business to grind to a halt. It is indispensable to continuing operations.
Uninterrupted electrical service is an obvious example of a mission-critical service for most modern
businesses and consumers.
Mission-critical has become a popular description of any essential service necessary for normal
operations. If a business operation cannot be interrupted under any circumstance without stopping
production, it is considered mission-critical to the business. For example:
Databases and process control software are considered mission critical to a company that
runs on mainframes or workstations.
Emergency call centers, computerized hospital patient records, data storage centers, stock
exchanges and other operations dependent on computer and communication systems have to
be protected against breakdowns due to the system's mission-critical functions.
In each of these cases, the failure of a mission-critical service can cause severe disruption of
services, heavy financial losses, and even danger to people. (Kenton, 2019)
Category 2: Essential Functions - Vital
Some business functions may fall somewhere between mission-critical and important, so you may
choose to use a middle category labeled Vital functions might include things
like payroll, which on the face of it might not be mission-critical in terms of being able to get the
function beyond the disaster recovery stage.
Category 3: Necessary Functions - Important
Important business functions and -term
but they usually have a longer-
of functions and processes cause some disruption to the business. They may have some legal or
financial ramifications and they may also be related to access across functional units and across
business systems.
Category 4: Desirable Functions - Minor
Minor business processes are often those that have been developed over time to deal with small,
recurring issues or functions. They will not be missed in the near-term and certainly not while
business operations are being recovered. They will need to be recovered over the longer-term. Some
minor business processes may be lost after a significan
Many companies develop numerous processes that should at some point be reviewed, revised, and
often discarded, but that rarely occurs during normal business operations due to more demanding
work. In some sense, a business disruption can be good for those small business functions and
processes as they may be reworked or revised or simply pared down after a disruption. (Snedaker &
Rima, 2014)
9.2. RECOVERY TIME REQUIREMENTS
Related to impact criticality are recovery time requirements. Here are some terms defined in terms of
recovery times.
Maximum Tolerable Downtime (MTD). This is just as it sounds: the maximum time a business
can tolerate the absence or unavailability of a particular business function. Different business
functions will have different MTDs. If a business function is categorized as mission-critical, or
Category 1, it will likely have the shortest MTD. There is a correlation between the criticality of a
business function and its maximum downtime. The higher the criticality, the shorter the maximum
tolerable downtime is likely to be. Downtime consists of two elements, the systems recovery time
and the work recovery time. Therefore, MTD = RTO + WRT.
Recovery Time Objective (RTO). The time available to recover disrupted systems and resources
(systems recovery time). It is typically one segment of the MTD. For example, if a critical business
process has a three-day MTD, the RTO might be one day (Day 1). This is the time you will have to
get systems back up and running. The remaining two days will be used for work recovery.
Work Recovery Time (WRT). The second segment that comprises the maximum tolerable
downtime (MTD). If your MTD is three days, Day 1 might be your RTO and Days 2 to 3 might be
your WRT. It takes time to get critical business functions back up and running once the systems
(hardware, software, and configuration) are restored. This is an area that some planners overlook,
especially from IT. If the s
From a business function perspective, there are additional steps that must be under-
back to business. These are critical steps and that time must be built into the
miss your MTD requirements and potentially put your entire business at risk.
Recovery Point Objective (RPO). The amount or extent of data loss that can be tolerated by your
critical business systems. For example, some companies perform real-time data backup, some
perform hourly or daily backups, some perform weekly backups. If you perform weekly backups,
backups are performed on Satu
the entire of data. This is the recovery point objective. In this case, the RPO is one
week. If this is not acceptable, your current backup processes must be reviewed and revised. The
RPO is based both on current operating procedures and your estimates of what might happen in the
event of a business disruption. For example, if a tornado touches down in your town and your data
center is without power, you may implement your BC/DR plan. If you have an alternate computing
location, you may transfer operations to that location. Your next step would be to determine the
status of the data. Are you attempting to update systems using backups or were these alternate
locations kept up to date? When was the last data backup performed relative to business operations?
to answer after a
business disruption. and ensure your
recovery processes address these timelines.
Figure 2 graphically depicts the interplay between MTD, RTO, WRT, and RPO. Most companies use
technology and computer systems to some extent and the graphic in Figure 4.3 shows how the recovery
time is impacted by a business disruption.
Point 1: Recovery Point Objective - The maximum sustainable data loss based on backup
schedules and data needs
Point 2: Recovery Time Objective - The duration of time required to bring critical systems
back online
Point 3: Work Recovery Time - The duration of time needed to recover lost data (based on
RPO) and to enter data resulting from work backlogs (manual data generated during system
outage that must be entered)
Points 2 and 3: Maximum Tolerable Downtime - The duration of the RTO plus the WRT.
Point 4: Test, verify, and resume normal operations
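The MTD, RTO, WRT and RPO relationships described above can be checked mechanically once the BIA data is collected. The following is an added example, not part of the original assignment: it audits a small BIA register for entries where RTO + WRT exceeds the MTD, where the backup interval cannot meet the RPO, or where a more critical category has a longer MTD than a less critical one. The process names, field names and hour values are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Process:
    name: str
    category: int             # 1 = mission-critical ... 4 = desirable
    mtd_h: float              # Maximum Tolerable Downtime, hours
    rto_h: float              # Recovery Time Objective (systems recovery), hours
    wrt_h: float              # Work Recovery Time, hours
    rpo_h: float              # tolerable data loss, expressed as hours of work
    backup_interval_h: float  # time between successive backups, hours


# Constructed sample register; the first row mirrors the three-day MTD
# example in the text (Day 1 = RTO, Days 2 to 3 = WRT).
REGISTER = [
    Process("order-processing", 1, 72, 24, 48, 24, 24),
    Process("payroll", 2, 120, 72, 72, 24, 168),
    Process("internal-wiki", 4, 96, 24, 24, 168, 168),
]


def check_process(p):
    """Return (process, code, detail) findings for one register entry."""
    findings = []
    planned = p.rto_h + p.wrt_h
    # MTD = RTO + WRT, so planned recovery must fit inside the MTD.
    if planned > p.mtd_h:
        findings.append((p.name, "MTD_EXCEEDED",
                         f"RTO+WRT = {planned:g}h exceeds MTD {p.mtd_h:g}h"))
    # Worst case, a failure just before the next backup loses one full
    # interval of data (weekly backups give a one-week exposure).
    if p.backup_interval_h > p.rpo_h:
        findings.append((p.name, "RPO_NOT_MET",
                         f"backup every {p.backup_interval_h:g}h, "
                         f"RPO is {p.rpo_h:g}h"))
    return findings


def check_ordering(register):
    """Flag a more critical process whose MTD is longer than a less critical one.

    The text says higher criticality is *likely* to mean a shorter MTD,
    so this is a prompt for review, not a hard error.
    """
    findings = []
    for hi in register:
        for lo in register:
            if hi.category < lo.category and hi.mtd_h > lo.mtd_h:
                findings.append((hi.name, "MTD_ORDER",
                                 f"category {hi.category} MTD {hi.mtd_h:g}h is longer "
                                 f"than {lo.name} (category {lo.category}, "
                                 f"{lo.mtd_h:g}h)"))
    return findings


def audit(register):
    """Run per-process checks, then the cross-process ordering check."""
    findings = [f for p in register for f in check_process(p)]
    return findings + check_ordering(register)


if __name__ == "__main__":
    for name, code, detail in audit(REGISTER):
        print(f"{name:18} {code:13} {detail}")
```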
10. WHO CONDUCTS BUSINESS IMPACT ANALYSIS?
A company may hire a specialist consultant or expert outsider to conduct a BIA. Or, a BIA team may
consist of a mix of internal and external individuals; this guarantees that the process includes both
specialized expertise and deep knowledge of the business. Large organizations may have a staff person
or department that knows business impact analysis, and it may run the exercise.
At the start of a business impact analysis process, you need to lay the foundation for the project by
forming a team and defining its scope and objectives. The methodology for BIA can vary and be
want to have an education session for key stakeholders
to explain what your team will be doing and how they will be called upon to assist.
11. STEPS TO CONDUCT A BUSINESS IMPACT ANALYSIS
Step 1: Meet with management.
Business executives are often wary
success. Make sure management clearly understands the purpose of the BIA (including what it does and
r help and
support to unite the relevant parties, and give them all the information upfront, so there are no surprises
at any point during the process.
Step 2: Identify the scope of your BIA, and the subject matter experts who will be involved.
Most B
most critical and focus on those. Trying to do more complicates the process. Also, identify subject
matter experts for each of the units you choose. (These are the
later on.) Ideally, they should be individuals who actually do the job daily, not managers, because
those doing the hands-on work are the most knowledgeable about processes and system dependencies
and will provide the most accurate criticality assessment.
Step 3: Secure an IT representative to be present at each interview.
computer systems and applications in case your
accuracy.
Step 4: Determine the operating parameters of your BIA.
management):
What are the financial and non-
process that cannot be performed? (Disaster Recovery Journal lists the following impact
considerations, among other things: impact on customer service, noncompliance with
government regulations or contractual obligations, increased operating costs, penalties, loss of
stockholder confidence, and loss of competitive edge.)
Will I assign weighting factors to these categories to help assess the impact? Weighting factors
are used to define the level of importance of each criterion.
What data will I be gathering? (This may include data regarding required systems/applications,
dependencies, vital records, specialized equipment needs, etc.)
Step 5: Schedule your BIA interviews.
Schedule BIA interviews with each participant to talk about every process they perform and the
potential impact it would have on the company should one or more of those processes be disrupted.
Each interview should take between 2 and 2.5 hours. At the same time, schedule conference rooms
and/or tools for conducting remote interviews if necessary. Your goal is to make the process
comfortable for interviewees and as easy as possible for everyone to attend.
Step 6: Gather data before the interview (pre-work).
We find it helpful to gather basic information from each business unit before the interview concerning
pre-work helps speed the actual interviews along, though not everyone chooses to perform this step.
Step 7: Prepare yourself to facilitate the interview.
the same way every time, for each interview. Consistency helps ensure that all the data aligns across
business units, making it easier to compare.
Step 8: Conduct the BIA interviews.
Strive to complete each interview within 2.5 hours. Use prescribed questions, and be consistent. Your
goal at each interview: to leave with a
required systems and applications, and critical and noncritical dependencies.
Step 9: Send participants the completed BIA.
For each interviewee, ask for comments, revisions, and/or updates to the information that is already
stated on record. Give them one week to review the completed BIA and validate it, or provide
comments for revision.
Step 10: Aggregate the data and analyze it.
sense, review the results with the group and reassess. Look for anomalies and address them. This step is
important if you expect management to take the results seriously.
Step 11: Create a management report.
Create a BIA report to share your results with management. Your report should include:
A general overview of the BIA process
The business process criticality ranking
Additional findings
An action plan to address the most critical items
A conclusion
Supporting information (names of participants, tables summarizing business processes, etc.)
Step 12: Send the report to senior management.
In a perfect world, management reads the report and signs off on it, that being the directive for relevant
sign off, however, try getting approval for some recommendations you deem most critical. This solution
reduces the cost and effort involved and will still protect your business to a large degree.
Step 13: Work on recovery strategies.
Based on the recovery time objectives and recovery point objectives for processes, systems, and
applications, work on crafting recovery strategies and solutions for the most critical units. Strategies
should include alternate work capabilities and concise, executable instructions to ensure the usefulness
(B2C, 2017)
12. BUSINESS IMPACTS ANALYSIS CATEGORIES
The following table summarizes some of the most important business impact analysis categories to consider:
Financial Impacts: Delayed sales or income; Contractual penalties; Regulatory fines; Increased expenses; Lost sales or income; Loss of market share
Intangible Impacts: Decreased customer satisfaction; Customer defection; Negative business reputation; Harm to brand; Diminished value of intellectual property; Loss of staff morale
Infrastructure Impacts: Delayed construction; Restricted access to facilities; Machinery/equipment damage; Building damage
Legal Impacts: Failure to fulfill contracts; Breach of warranties; Force majeure; Failure to comply with regulations
Resource Impacts: Absenteeism; Data loss/corruption; Supply chain interruption; Loss of power
Strategic Impacts: Delay in new business initiatives; Decreased focus on new business opportunities; Reduced resources for innovation
Quality and Safety Impacts: Ability to maintain product/service standards; Compromised worker safety; Environmental damage
(Smartsheet, 2020)
13. DETERMINING THE IMPACT
Be sure to review this list, remove any items that do not pertain to your business, and add any
elements that are not included but do relate to your business. Remember, too, that a business disruption
can run the gamut from a hard drive failure to an earthquake that levels your building to a pandemic that
impacts an entire region or nation. Once you have looked at all the potential impact points, discuss the
specific data points to collect and analyze, as well as how to put those together with your risk assessment
data.
The impact of any business disruption may include:
1. Financial. Loss of revenues, higher costs, potential legal liabilities with financial
penalties.
2. Customers and suppliers. You may lose customers and suppliers due to your
problems or you may lose customers or suppliers if they experience a
business disruption or disaster.
3. Employees and staff. You may lose staff from death, injury, stress, or a decision
to leave the firm in the aftermath of a significant business disruption or natural
disaster. What are the key roles, positions, knowledge, skills, and expertise needed?
4. Public relations and credibility. Companies that experience business disruptions
due to IT systems failures (lost or stolen data, modified data, inability to operate
due to missing or corrupt data, etc.) have a serious public relations challenge in
front of them. These kinds of failures require a well-thought-out PR plan to help
support business credibility. What impact would system outages or data losses have
on your public image?
5. Legal. Regulations regarding worker health and safety, data privacy and security,
and other legal constraints need to be assessed.
6. Regulatory requirements. You may be unable to meet minimum regulatory
requirements in the event of certain business disruptions. You need to fully
understand these regulations and their requirements related to business disruptions, both
natural and man-made.
7. Environmental. Some companies may face environmental challenges if they
experience failures of certain systems. Understanding the environmental impact of
system and business failures is part of the business impact analysis phase.
8. Operational. Clearly operations are impacted by any business disruptions. These
must be identified and ranked in terms of criticality.
9. Human Resources. How will staff be impacted by minor and major business
disruptions? What is the impact of personnel responses to business operations?
What are the qualitative issues to be addressed (morale, confidence, etc.)?
10. Loss Exposure. What types of losses will your company face? These include
property loss, revenue loss, fines, cash flow, accounts receivable, accounts
payable.
11. Social and corporate image (strongly tied to public relations). How will
employees, customers, suppliers, partners, and the community view your company?
How will its image be altered by a minor or major business disruption?
12. Financial community credibility. How will banks, investors, or other creditors
respond to a minor or major business disruption? If the cause is a natural disaster,
the challenges are different than if the cause is man-made. If the company failed to
secure or protect data or resources, there are additional consequences both to the
corporate image and to the credibility in the marketplace.
criticality rating to them. Payroll, accounts payable, and accounts receivable usually qualify as
mission-critical business processes. Furniture requisitions for new employees usually fall to the
bottom of the list as minor. Rate all your identified business processes and sort them in order of
criticality. You might end up with a table or matrix that looks something like that shown in
Table 1.
14. COMMON CHALLENGES WITH A BUSINESS IMPACT ANALYSIS
The BIA is Too Time-Consuming
Root Cause: Conducting business impact analysis manually.
For many organizations, the BIA becomes a laborious effort and conflicts with other priorities. For
many BIA processes, the organization must dedicate hours upon hours to the BIA data gathering and
reporting effort, often based on the need to complete long and complicated surveys.
Inaccurate or Unrealistic Recovery Time Objectives
Root Cause: Recovery time objectives are assigned without adequate business justification.
An important BIA output is establishing business continuity requirements, which means activity and
resource recovery priorities, objectives, and targets (which includes, but is not limited to, recovery
time objectives and recovery point objectives). Establishing recovery objectives helps to identify the
most time-sensitive business activities and resources, which leads to an appropriate order of recovery.
However, organizations often assign RTOs without adequate business justification, such as by asking
leadership representatives and SMEs their subjective opinion based on a limited understanding of their
capabilities or priorities, undermining conclusions and recommendations.
To ensure accurate and realistic activity and resource-specific RTOs, business continuity practitioners
should confirm that:
- Department SMEs provide operational, customer/contractual, legal/regulatory, or other
  relevant impact information that justifies the proposed business continuity requirements.
- The proposed business continuity requirements reflect leadership-defined organizational
  priorities and align with pre-determined management expectations. For example, business
  continuity practitioners should ensure that activities not directly supporting organizational
  priorities do not have overly aggressive RTOs.
- Any upstream and downstream dependencies validate that the proposed RTOs meet their
  business requirements.
Root Cause: You aren't conducting your business impact analysis frequently enough.
A BIA isn't a one-and-done analysis; it must be updated as the organization changes. At some
organizations, they leverage their business continuity software platform, Catalyst, to put the BIA into a
format that is continually accessible and makes the BIA a living process. In addition, work with clients
to make the BIA part of the change management and onboarding processes where
needed, so that business continuity requirements evolve over time based on evolving needs, priorities
and expectations. Finally, work with clients to implement good program management techniques that
make the BIA process repeatable and pragmatic.
BIA Data is Too Overwhelming to Analyze
Root Cause: Incorrect BIA scoping (trying to boil the ocean).
A key BIA objective is to gather data to answer two primary questions: (1) what business activities
are necessary to perform business operations and meet organizational objectives and external
obligations (e.g., customer, regulatory), and (2) how quickly do business activities and supporting
resources need to be available before the disruption creates unacceptable impacts for the organization
or its customers, and to what performance level? For simplicity, many business continuity
practitioners choose to use organizational charts or facility lists to determine BIA scope. While it may
seem logical to use these resources, practitioners may find that using this method results in too much
data that is often difficult to analyze.
The most efficient scoping method is to identify the key organizational products and services
(the organizational outputs or offerings) and then interview or collect data from the departments that
perform business activities delivering or supporting the delivery of these products and services.
This method helps focus the BIA scope and ensures that BIA participants only provide
relevant data that supports critical business activities, making data analysis more straightforward.
BIA Data is Useless or Irrelevant
Root Causes: 1) Incorrectly identified BIA participants and 2) ineffective data gathering methods.
1) Incorrectly Identified BIA Participants: Organizations often struggle with useless or irrelevant
BIA data either because they engaged the wrong BIA participants or chose ineffective data
gathering methods. As a result, the BIA data is ineffective in identifying appropriate business
continuity requirements.
When identifying BIA participants, it is important to identify internal subject matter experts
(SMEs) who can both understand the department's role in the delivery of products and services and
speak to specific day-to-day departmental activities and supporting resources.
Organizations that choose to only interview high-level executives may find that these individuals
cannot speak to resource dependencies. Similarly, lower-level support staff usually do not have
high-level organizational insight and cannot provide information regarding internal organizational
dependencies and impacts, nor can they speak to how the department contributes to organizational
priorities. To avoid these issues, organizations should consider the following questions when
choosing BIA participants:
- Does the SME have general departmental knowledge, including the department's role in the
  context of the larger organization?
- Does the SME have the ability to identify and assign resources, as needed, to assist in the
  BIA effort?
- Can the SME provide details on departmental activities, such as activity inputs, outputs,
  and dependencies?
2) Ineffective Data Gathering Methods: The second root cause of useless or irrelevant BIA data is
ineffective data gathering methods. Many business continuity professionals assume that a BIA is
just a series of surveys. Although many think surveys are the quickest way to complete the BIA
task because it takes the least amount of effort for the business continuity professional (side note,
using surveys often takes the same amount of time, if not more), surveys do not allow for business
continuity awareness-building with department SMEs, the ability to deliver guidance regarding
BIA data requirements, a method to collect consistent information, or even the opportunity to
collect additional data or ask clarifying questions when necessary.
Instead, experts recommend using data gathering interviews or a hybrid approach (where
interviews and questionnaires are both used) to deliver actionable results in a time-efficient
manner. In addition to following the recommended interview approach, organizations should
ensure that BIA facilitators, or those who will be collecting BIA data and driving analysis and
reporting efforts, are capable and knowledgeable in the organization and the BIA process
(together with an understanding of the BIA outcomes). A knowledgeable BIA facilitator should
not only be able to ask the right questions and capture data but should also understand when to go
the to guide discussion and draw indirect information from the SMEs.
Disengaged Executives
Root Cause: Business continuity practitioners do not effectively engage top management throughout
the BIA process.
Top management involvement is essential in driving preparedness and program improvement,
providing business continuity strategic direction, and sponsoring organizational changes in ways the
business continuity team cannot. Without engaging and building top management business continuity
awareness, business continuity practitioners may find that top management is disengaged, resulting in
lost opportunity and poor business continuity program performance.
Specific to the BIA process, top management has a role in endorsing the BIA scope and the final BIA
results. Business continuity practitioners should include leadership representatives, often a Business
Continuity Steering Committee, during the BIA scoping process, particularly to confirm:
- Organizational priorities and the departments that support these priorities
- Management expectations for recovery, such as downtime tolerances for in-scope products
  and services
- Impact categories
- BIA participants
Once the BIA is complete, practitioners should develop a BIA summary presentation for top
management review and approval. Through the summary presentation, top management should be able
to understand:
- Department, activity, and resource-specific business continuity requirements
- Risks that lead to an increased likelihood of disruption, or risks that may make it
  difficult for the organization to recover
- Gaps specific to preparedness (comparing current-state capabilities to approved business
  continuity requirements)
- Recommendations to address risks and enable successful recovery within approved objectives
To ensure top management engagement, practitioners should avoid:
- Reporting on non-strategic conclusions (for example, the number of BIAs conducted or how
  many printers are necessary for recovery)
- Providing BIA results without justification, especially communicating unsubstantiated
  "sky is falling" results
- Providing a of the BIA results that top management will need to analyze themselves
(Avalution Consulting, 2020)
15. MOST COMMON MISTAKES MADE IN BIA
BIA experts say certain mistakes are common, especially when companies are new to business impact
analysis. Martinez says he sees the following missteps most frequently: overcomplicating BIA with an
excessive focus on data-crunching formulas, looking at too many potential impacts, and planning for too
many different adverse events.
Expert of the Business Continuity Institute says the mistakes most often made in performing a BIA
revolve around the need to complete the BIA quickly, as opposed to thoroughly. BIAs can take weeks or
even months to complete. This [time-consuming aspect] often serves as a deterrent to doing BIAs, and
what develops instead is the need to take shortcuts in order to save time and
Here are the errors that Fullick says he sees most often in BIA processes:
Lack of Management or Executive Support: BIA requires resources to be effective, and if
resources are not allocated to the process, the resulting plans will be lackluster. Moreover, BIA
staff members need training and skills to manage the effort.
Poor Follow-Up: Some organizations make a big effort on BIA, but then fizzle when it comes
to fully implementing the subsequent recovery strategies and plans.
Lack of Clarity on Scope or Level of Detail: The right scope or level of detail differs among
organizations, but within a BIA, the parameters should be uniform. Often, BIA will be
ultra-detailed for some units and very broad for others. There needs to be a consensus on what
level of scope and detail will accomplish the objectives.
Wrong Participants: An organization might call upon people without the right level of
expertise or knowledge of operations to provide information for the BIA if the process does not
have adequate support or the crisis team doesn't clearly convey its objectives.
Weak Data Collection: Questionnaires need to capture all the needed information and also be
straightforward, so respondents can complete them quickly and easily. For in-person
information-gathering, BIA analysts may lack strong interview skills and fail to glean insights.
Focusing on Tools over Process: The BIA team can become overly focused on the tools it uses
for collecting and analyzing data and lose sight of the underlying process.
Insufficient Analysis: Poor or incomplete analysis can undermine the value of the information
gathered. need to look for trends, patterns, relationships, and discrepancies
among and within the data to ensure a thorough and meaningful expert urges.
Poorly Presented Findings: The BIA may be well executed but poorly communicated. The
presentation may be unclear or provide too much detail for senior managers to extract the key
points.
Too Time Consuming: Fullick says that BIAs frequently take too long. If the process spans
many months, other organizational changes may occur, rendering the BIA out of date and
therefore irrelevant. (Smartsheet, 2020)
16. WHEN TO REVIEW A BUSINESS IMPACT ANALYSIS?
Review your business impact analysis at least annually. If your business processes change sooner, update
the BIA to reflect these revisions.
Your first BIA will likely be a lengthy process. However, updates generally go relatively quickly, unless
there have been extensive organizational changes in the interim.
Most importantly, make sure that the analysis remains comprehensive and recovery strategies remain
viable. To check, ask a few questions:
- Have processes, especially critical ones, changed significantly?
- Are resource requirements for processes the same as they were during the last BIA?
- Have the interdependencies between processes changed?
- Has the vulnerability of specific processes to emergency events changed?
Expert says that infrequent review of the BIA can cause problems. "If we only review and update on an
annual basis, or even less frequently, it can take a long time and sometimes will feel as if we are
(nearly) starting the BIA over from the beginning. When that happens, it means that continuity-related
plans and processes are not fully representing the organization as it is; they are representing the
organization as it was." (Smartsheet, 2020)
17. ESSENTIAL ELEMENTS OF A BIA REPORT
Before diving into the components of the report, consider your audience. Your report should be
designed to mirror the culture of your organization from a senior management perspective. Some
companies, like those in the tech industry, are more informal; other industries, like finance or insurance,
are more traditional. Some people prefer data organized in tables, others are used to seeing charts and
graphs. Conforming to expectations in your organization and industry increases the likelihood that your
information will be received as relevant and authoritative, especially in light of the challenges inherent
in the BIA process. Matching your style of delivery to the preferences of senior management is key to
presenting your results in the best possible light.
Standard Report Components
Aside from the possible variations in delivery, every BIA report should have the same key components.
The standard flow of information is as follows:
1. Executive summary. This section includes a general overview of the BIA, touching on:
The scope of the analysis: How many business units were evaluated?
Key objectives: What was identified as the goal of the BIA?
Business Impact Analysis methodology and approach: This section describes, in very
general terms, the process you used to conduct the BIA, how interviews were conducted, and
how you analyzed the resulting data. Include any assumptions you used while performing it
(i.e., the disruption is not disaster-specific, that it occurs during a peak time of business, etc.)
and the quantitative categories you used to measure impact (i.e., rankings from 1-5 and their
meanings).
2. Business process criticality ranking. What were the results of the study? Describe in full
which business units were deemed most critical as a result of the BIA. Also, outline the required
recovery timeframes for all evaluated business units and processes, and their critical
dependencies.
3. Additional findings. Very often the BIA interview process reveals vital information that could
be useful for future planning of recovery strategies; include that information in your report. For
instance, it may uncover unexpected areas with exceptionally broad exposure to risk.
4. Action plan. This section summarizes the key actions needed to address the most critical items
as determined by the BIA and organizes them by timeframe, for instance, those that require
immediate action (0-12 months), near-term action (12-18 months), or long-term action (18-24
months).
5. Conclusion. Tie together everything up to this point, with a summary of what is needed to keep
the company operational.
6. Supporting information. For those who want to see it, list the details of the process here,
including names of the participants, tables summarizing business processes, and computer
systems by recovery time.
Once you have finished the report, create a presentation to go along with it. Strive to make your
presentation succinct and to the point. It should essentially be a downsized version of the report. Tell
your audience quickly what the BIA was about, the results you came up with, and recommendations on
what to do next.
What Should Happen As a Result of The BIA Report
In a perfect world, management reads the report and signs off on it, that being the directive for relevant
parties to get to work implementing recovery strategies and solutions to ensure the continued survival of
critical business units in the event of a disruption.
If management isn't prepared to sign off on the full report, that doesn't mean the process has all been for
nothing. An alternative is to get approval for some recommendations and not others. Start by addressing
only those areas deemed most critical. If you can protect your most critical business units (required in the
first three to five days of a disruption), your business can continue running and servicing your customers
for at least one to two weeks even without your remaining business processes. This solution reduces the
amount of cost and effort involved and still protects your business. (Herrera, 2017)
18. SUMMARY
Performing the business impact analysis requires you to look at your entire organization from top to
bottom. You can begin by gathering subject matter experts, whether division heads, departmental
managers, or designated staff, from various parts of your company. These people should be those in the
company best able to answer the questions related to critical business activities. This relates to how your
company generates revenues, tracks customers and sales, and other key business processes.
Data can be gathered using questionnaires, interviews, workshops, documents, and research. There are
pros and cons to each approach, so be sure to select the method most appropriate to your organization.
Since each company is unique, there is no one-size-fits-all template you can use to delineate all critical
business processes for all companies.
However, throughout this chapter, we discussed a wide variety of business functions, processes, and
approaches that can help you develop a comprehensive list of your critical processes as well
as the key roles, expertise, and knowledge needed to carry out those critical processes.
Once this data is collected, each process must be assessed for criticality. In the big picture, how critical
is each business process to your ability to continue operating? Using a three- or four-point
rating system will help you look across the depth and breadth of your organization to understand which
processes and functions are mission-critical, which are vital or essential, which are important, and which
are minor. Your risk mitigation planning efforts will focus first on mission-critical processes and then to
vital or essential processes.
You also need to develop your recovery time objectives (RTO) for each critical function. In some
cases, you might choose to associate a recovery time with criticality ratings. For example, mission-
critical functions might need to be recovered within 24 hours whereas vital or essential functions might
need to be recovered within 72 hours. Alternately, you can assign criticality and then assign recovery
time objectives to each process individually. This might make more sense in companies where there are
numerous mission-critical processes that cannot be simultaneously addressed. Again, this is a decision
you and your team have to make regarding recovery objectives. Input from division or departmental
experts is key to understanding required recovery timeframes as well as key interdependencies that exist
among departments, processes, and systems.
There is a relationship between the cost of recovery and the cost of downtime. Each company has to
assess these costs and make decisions regarding the optimal point of intersection. The longer the
company goes without a key process, the more expensive it becomes due to loss of sales and increase in
costs associated with the outage. However, recovery costs go down the longer you have to recover. If
you need to recover within hours, your costs to provide this type of recovery capability will be
significantly higher than if you need to recover within days. The point at which downtime costs and
recovery costs intersect is the optimal point for planning, though in the real world, it can be difficult to
determine the exact point of intersection. Keeping this concept in mind, however, will help you find the
best solutions for your company.
The business impact analysis uses business functions, business processes, and IT systems as the input
points. The analysis is performed so that each process is identified and analyzed.
The output for each process and function includes criticality assessment, financial impact analysis,
operational impact analysis, recovery objectives, dependencies, and work-around procedures. When this
is documented for each business function and key business process, you have a comprehensive look at
your company and a solid business impact analysis.
REFERENCES
Avalution Consulting. (2020). The Ultimate Guide to the Business Impact Analysis. Retrieved from
https://avalution.com/business-impact-analysis/
B2C. (2017). How to conduct a business impact analysis? Business 2 Community. Retrieved from
https://www.business2community.com/strategy/conduct-business-impact-analysis-01880785
BD. (2020). Business Impact Analysis (BIA). Business Dictionary. Retrieved from
http://www.businessdictionary.com/definition/business-impact-analysis-BIA.html
CCOHS. (2020). Hazard and Risk. Canadian Centre for Occupational Health & Safety. Retrieved from
https://www.ccohs.ca/oshanswers/hsprograms/hazard_risk.html
Gartner IT Glossary. (2020). Business Impact Analysis (BIA). Gartner. Retrieved from
https://www.gartner.com/en/information-technology/glossary/bia-business-impact-analysis
Herrera, M. (2017, March 14). What Goes Into A Business Impact Analysis (BIA) Report?
BCMMETRICS. Retrieved from
https://bcmmetrics.com/what-goes-into-business-impact-analysis-report/
Kenton, W. (2019, Jun 28). Mission-Critical. Investopedia. Retrieved from
https://www.investopedia.com/terms/m/mission-critical.asp
Rouse, M. (2019). Business Impact Analysis (BIA). SearchStorage. Retrieved from
https://searchstorage.techtarget.com/definition/business-impact-analysis
Smartsheet. (2020). All about Business Impact Analysis: A Step-by-Step How-To. Retrieved from
https://www.smartsheet.com/business-impact-analysis
Snedaker, S., & Rima, C. (2014). Business Continuity and Disaster Recovery Planning for IT
Professionals, 2nd ed. Amsterdam: Syngress, Elsevier.