Business impact analysis (BIA) is a process whose essence many organizations still struggle to understand. However, if properly executed, a business impact analysis will deliver clear requirements gathered over time. In the rest of this article, we explain all you need to know about an effective BIA and why you need to adopt it today.
What is business impact analysis?
Business Impact Analysis (BIA) is a process that aims at the establishment of business continuity needs through the identification of time-specific events in a company, depending on the effect stemming from a disruption.
What is the purpose of the business impact analysis (BIA)?
- It Ascertains the Scope of the Business Continuity Program
The essence of BIA is to identify the business resources and activities that are important to deliver the most crucial products and services of the organization. By understanding activity impacts, the BIA process will enable the firm to discover resources or activities that were initially not in the scope of the program.
- It Determines Contractual, Legal, and Regulatory Obligations
A lot of companies lack a clear and coherent understanding of their obligations, as well as the effects of not meeting these obligations. However, through business impact analysis, the organization can achieve an in-depth understanding of the obligations, which will pave the way for the right level of business continuity planning to achieve compliance.
- It Gives Clarity on the Business Continuity Strategy Budget
BIA is very useful in the estimation of impacts associated with downtime. When the organization has adequate justification, it is prepared to identify and adopt the capabilities required to meet recovery objectives, thereby leading to adequate spend.
- It Encompasses Preliminary Plan Content
With the implementation of the BIA process, an organization can begin capturing data for its business continuity strategies. During the BIA process, the company can collect business continuity plan content, such as internal and external contact data, team and staffing necessities, existing controls and recovery strategies, and other resource-specific data needed for the business continuity strategy.
Implications of not performing a BIA
- The absence of an official BIA process will cause a lack of objectivity and focus in determining organizational scope. This will lead to confusion regarding recovery priorities.
- Also, it can lead to a misalignment between the actual program performance and the expectations of the management. This is because implementation of plans and strategies without endorsed requirements may cause over-spending and/or inadequate preparation, which would consequently result in gaps in business continuity capabilities.
- Without the BIA, many organizations will be unable to justify their investments in preparedness, and this will affect their ability to connect with management to gain significant traction.
BIA vs. risk assessment
BIA | Risk assessment |
---|---|
It usually comes before the risk assessment. | It detects potential hazards like cyber attacks, utility outage, supplier failure, fire, earthquake, or hurricane. |
It concentrates on the impacts of the disruption to critical business processes and outcomes, in order to calculate the financial and non-financial costs of the interruption. | It evaluates the areas of vulnerability in case the disaster happens. |
It can be a starting point for a disaster recovery strategy and examine recovery time objectives. | It reviews points of weakness that make an asset more susceptible to damage. |
How do you do a business impact analysis / Process
To perform a business impact analysis, it is necessary to have redefined tools and processes. In this section, we highlight and explain the steps to follow in order to carry out a successful business impact analysis that results in the delivery of approved and clear business continuity requirements.
Following these steps will enable you to generate the data that is needed to assess the business continuity-related risks of your organization, as well as how to provide guarantees to major stakeholders, document meaningful plans, and identify and develop response and recovery strategies.
Step One: Evaluate the Business Impact Analysis
First of all, it is important to ascertain that the appropriate business processes and resources are within your scope when executing an effective business impact analysis. We recommend that you hold what is termed the ‘Frame meeting’. This is a session where you work with the business to answer the 4 questions below:
- What is the reason for performing the business continuity?
- What do you want to safeguard?
- What is the volume of business continuity that is needed?
- Which parties/individuals should participate in the program?
For a business continuity program, the Frame meeting is indeed very useful. In particular, it enables detailed administrative documentation, identifies the appropriate program participants, and aligns leadership on program goals. The most essential output of this meeting, however, is the identification of the in-scope services and products for the business continuity program of an organization. This is because it allows the company to concentrate the BIA on maintaining the operations that support the most crucial processes of the company during a disruption.
Once services and products are tagged as in-scope, the necessary departments (or business processes, according to the nomenclature of your organization) and their subordinate activities should be selected for inclusion in the business impact analysis. An effective business impact analysis process should take into consideration all the departments that complete activities required to deliver services and products to stakeholders.
Step Two: Make Preparations for BIA Interviews
After the identification of in-scope departments and operations, the next step is to have a 1-hour meeting with the leadership of each department, as well as any other necessary field experts. You should send a meeting invitation detailing the necessary preparation, objectives of the meeting, and of course, the essence of the BIA.
Keep in mind that it is important for the meeting representatives to represent the department at the appropriate level. It is necessary for representatives to have:
- An understanding of the resource dependencies needed to finalize each organizational process;
- An intensive understanding of the daily tasks executed by the department; and
- An understanding of the key objectives of the business (since they relate to services and products).
Step Three: Carry Out BIA and Risk Assessment Interviews
The essence of these interviews is to ascertain the tasks the department performs to aid the delivery of in-scope services and products. It is essential to capture the important details for the completion of each identified activity, such as peak operation times, impacts of downtime (that is, operational, contractual, and reputational), and the dependencies that are paramount to carry out each activity.
It is necessary to document the following dependency types:
- Personnel
- Equipment
- Third-party vendors or suppliers
- Facilities
- Applications; and
- Other interdependencies
Remember to capture the recovery time and recovery point objectives (if required), the alternate suppliers or manual workarounds (if applicable and identified), and the description of use for each dependency. Furthermore, carry out the risk assessment by allocating a 1 – 10 value for the possibility of loss and a 1 – 10 value for the effect of loss for each dependency.
After collecting all this data, multiply the two numbers together to determine a risk rating for each dependency.
In addition to dependencies, it is relevant to examine whether the department has gone through any event in the past that hindered it from completing its operations. These are greater risk factors that require adequate planning.
Step Four: Documentation and Approval of BIA Report for Each Departmental Level
After each departmental level meeting, a documented report with the outcomes of the meeting should be delivered. These reports should contain all relevant details that were discussed during the interview. They should also detail recommendations according to the data gathered. For instance, a recommendation on recovery time objectives, based on the estimated impacts, is an excellent example.
After drafting the report, it should be distributed to the participants of the meeting. Thereafter, they will examine the document, make any required changes or edits, and then approve the report. The report of each departmental level is an important puzzle piece needed to develop company-wide enterprise continuity requirements for management’s review and approval.
Step Five: Create a BIA and Risk Assessment Summary
Following the completion and approval of all department meetings and reports, the final step is to execute an organizational-wide BIA and risk assessment summary to enable the endorsement and approval of the management.
The essence of this presentation is to give an overview of the risks, resource requirements, and core activities identified in the course of the department meetings. After finalizing the department BIA program, the BIA and risk assessment outcomes and recommendations should be presented to the administration. During this process, emphasis should be placed on:
- Evaluating principal risks and recommendations to manage them
- Verification of the required recovery times and their correspondence to services and products
- Revisiting the services and products that have been previously identified
What happens after the BIA?
You should know that the BIA is just a part of the larger process. After the business impact analysis, the next thing to do is develop recovery plans, solutions, and strategies for the most crucial units. This means you may have to resort to contracting with a third-party provider for alternative services in an emergency or finding a place where your staff can continue to work in case location-based services go down.
Challenges with business impact analysis
- BIA takes a lot of time to complete
- The recovery time objectives can be inaccurate or unrealistic
- When the organization evolves, BIA does not evolve
- Analyzing BIA data can be very overwhelming
- A lack of intensive knowledge about the organization
FAQs
How often should a BIA be done?
Based on industry standards, we recommend updating and executing a BIA every year or two. However, depending on organizational change, the BIA may be carried out more or less frequently.
Who performs a Business Impact Analysis?
The answer to this is pretty much subjective. For some organizations, it’s the function of the company’s business continuity manager to monitor the process with assistance from a couple of committed team members. However, if there is no business continuity manager, an expert in the IT unit or any other related department is assigned the task. In all, it’s ideal for an experienced continuity professional to carry out the analysis. In order to get an objective perspective, a third-party consulting company may be hired to do the job or to team up with the business continuity manager.
What are the types of BIA?
- Capabilities: this involves abstracted business functions that can be mapped to organizational realities such as systems and processes. For instance, risk management is a high level capability for an investment bank.
- Services: this involves examining a company as a series of services such as customer service and IT support.
- Processes: this involves the repeated operational practices of an organization such as the process of an order from sales-to-billing.
- Systems: this involves viewing IT services at the system level in order to manage disaster recovery.
Conclusion
In all, a business impact analysis helps to ensure that your business will continue to excel even in the event of disruptive external conditions that are beyond the control of the company. We hope this article has eased your current struggle with BIA and serves as a guide through the entire process.