
Business Impact Analysis based on ISO/TS 22317

Business Impact Analysis (BIA) is the first step in a business continuity program. To ensure business continuity, it is essential to understand the adverse effects that a disruption in the supply of products and services would have on the organisation and its stakeholders. The impact of a disruption usually increases over time: it may be negligible immediately after the disruptive incident, but its significance can grow until it reaches a level the organisation considers unacceptable.

The magnitude of the impact and its dependence on time allow the organisation to prioritise products and services, processes and activities, and to set requirements (capacity, time, quality, etc.) for resuming these priority activities. It is equally essential to identify and understand the interrelationships and resource requirements needed to carry out these activities.

Relationships between products, processes, activities, tasks and resources

The business impact analysis should begin with the definition of evaluation criteria, including the types of impact and the timeframes to be considered. These parameters are based on the context and business objectives of the organisation and should take into account the needs of all stakeholders. Types of impact can include, for example, financial loss, damage to the organisation's reputation, breach of laws, regulations and contractual obligations, and failure to meet business objectives. The time at which impacts become unacceptable varies with the time-sensitivity of the products and services; it can range from seconds or minutes, through hours or days, to weeks and months.

The products and services provided, or some of the activities behind them, may depend on the time of day, the day of the week, or the period of the month or year. The assessment of the maximum possible impact must therefore assume that the disruption occurs at the worst possible time.

The organisation’s senior management should identify impact thresholds that are unacceptable to the organisation. The time when the impacts become unacceptable can be described as “Maximum Tolerable Period of Disruption (MTPD)” or “Maximum Acceptable Outage (MAO)”. A minimum level of product or service delivery that is still acceptable to the organisation can be expressed as a “Minimum Business Continuity Objective (MBCO).”

The time frame for resuming a process, activity or resource to a specified minimum level or capacity is referred to as the “Recovery Time Objective (RTO)”. Determining the RTO may also require consideration of the dependence on related processes, activities or resources and of the complexity of the recovery. It may therefore be necessary to set several RTOs.

When considering the dependence of activities on information and data, the organisation should ensure that the information and data needed to ensure the continuity of activities are up to date. An organisation can use the “Recovery Point Objective (RPO)” parameter to achieve this goal. The RPO is a point in the past to which the information and data used in a given activity are restored so that it can function properly after the restoration. Backup frequencies can be derived from RPO values.
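The following is an added worked example, not part of the article and not from ISO/TS 22317, that puts the parameters defined above into a small model: it derives each activity's MTPD from an impact-over-time estimate and a management-declared threshold, sets the RTO shorter than the MTPD, tightens the RTO and RPO of shared resources to the strictest requirement of the activities that depend on them (the reason several RTOs may be needed), and derives a maximum backup interval from the RPO. The activities, impact scores, the threshold of 8, the one-hour RTO margin and the 30-minute backup duration are all constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Activity:
    """One prioritised activity or supporting resource from the BIA inventory."""
    name: str
    # hours after the disruption -> estimated impact score, assessed for the
    # worst possible timing of the disruption (assumed 0-10 scale)
    impact_over_time: dict[int, int]
    rpo_hours: Optional[float] = None      # tolerable data loss, if the activity uses data
    depends_on: list[str] = field(default_factory=list)

def mtpd(activity: Activity, threshold: int) -> Optional[int]:
    """Maximum Tolerable Period of Disruption: the earliest point at which the
    estimated impact reaches the level management declared unacceptable.
    Returns None when the impact stays acceptable over the assessed horizon."""
    for t in sorted(activity.impact_over_time):
        if activity.impact_over_time[t] >= threshold:
            return t
    return None

def propagate_tightest(activities: dict[str, Activity],
                       own: dict[str, Optional[float]]) -> dict[str, Optional[float]]:
    """Every entry keeps its own requirement, tightened to the strictest
    requirement of anything that depends on it, so a shared resource inherits
    the most demanding RTO/RPO of the activities it supports. Values only ever
    decrease, so the loop reaches a fixed point even for dependency chains."""
    result = dict(own)
    changed = True
    while changed:
        changed = False
        for act in activities.values():
            need = result[act.name]
            if need is None:
                continue
            for dep in act.depends_on:
                if result[dep] is None or need < result[dep]:
                    result[dep] = need
                    changed = True
    return result

def required_rto(activities: dict[str, Activity], threshold: int,
                 margin_hours: int = 1) -> dict[str, Optional[float]]:
    """RTO per activity: strictly before its own MTPD (by an assumed margin),
    and no later than the RTO of any activity that depends on it."""
    own = {}
    for act in activities.values():
        m = mtpd(act, threshold)
        own[act.name] = None if m is None else m - margin_hours
    return propagate_tightest(activities, own)

def required_rpo(activities: dict[str, Activity]) -> dict[str, Optional[float]]:
    """RPO per activity, with shared resources tightened to their dependents' RPO."""
    own = {a.name: a.rpo_hours for a in activities.values()}
    return propagate_tightest(activities, own)

def max_backup_interval(rpo_hours: float, backup_duration_hours: float = 0.0) -> float:
    """Longest interval between backups that still meets the RPO. The backup
    job's own run time is subtracted because data written while the job runs
    may not be captured (a conservative assumption)."""
    return max(rpo_hours - backup_duration_hours, 0.0)

def bia_report(activities: dict[str, Activity], threshold: int) -> list[dict]:
    """Summarise MTPD, RTO, RPO and backup interval for every entry."""
    rto = required_rto(activities, threshold)
    rpo = required_rpo(activities)
    rows = []
    for name, act in activities.items():
        rows.append({
            "activity": name,
            "mtpd_h": mtpd(act, threshold),
            "rto_h": rto[name],
            "rpo_h": rpo[name],
            "backup_interval_h": None if rpo[name] is None
                                 else max_backup_interval(rpo[name], 0.5),
        })
    return rows

# Constructed sample inventory: two activities sharing one database resource.
SAMPLE: dict[str, Activity] = {
    "order_processing": Activity("order_processing",
                                 {1: 1, 4: 3, 8: 6, 24: 9, 72: 10},
                                 rpo_hours=4, depends_on=["erp_database"]),
    "monthly_invoicing": Activity("monthly_invoicing",
                                  {24: 2, 72: 4, 168: 9},
                                  rpo_hours=24, depends_on=["erp_database"]),
    # the database has no direct impact of its own; its requirements come
    # entirely from the activities that depend on it
    "erp_database": Activity("erp_database", {}),
}
UNACCEPTABLE_IMPACT = 8   # threshold set by senior management (assumed)

if __name__ == "__main__":
    for row in bia_report(SAMPLE, UNACCEPTABLE_IMPACT):
        print(row)
```

With the sample data, order processing becomes unacceptable after 24 hours and invoicing after 168 hours, so the shared database, which has no impact curve of its own, ends up with the 23-hour RTO and 4-hour RPO of order processing rather than the looser requirements of invoicing; that inherited requirement is what the backup schedule for the database has to meet.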

The business impact analysis (BIA) should also include the identification of the dependencies of priority activities that will enable the organisation to set strategies and address business continuity.

The business impact analysis process

Before starting a BIA, the organisation should take several steps, including determining the context of the organisation, the scope of the business continuity program, the roles and responsibilities of individuals and committees, the commitment of the organisation’s management, and the resources needed to implement the BIA.

Business impact analysis process (source: ISO/TS 22317:2015)

The implementation of BIA can be understood as a project with the application of project management procedures. Project management will ensure proper preparation, implementation and monitoring of BIA processes, reporting according to project requirements, a continuous adaptation of the BIA process and scope to the needs and expectations of relevant stakeholders, as well as lessons learned.

In the implementation of BIA, the time objectives, delivery levels and priorities of products and services are determined first; these in turn determine the priorities of processes. Where the complexity of the organisation does not require it, process prioritisation may be omitted and the organisation may proceed directly to prioritising activities.

An important step is the analysis of the information gathered and the drawing of conclusions that determine the business continuity requirements. The BIA conclusions, including the established priorities for products and services, processes, activities and resources, should be approved by senior management.

Once the BIA conclusions are approved, the organisation should continue to design and select business continuity strategies and solutions that will enable an effective response to disruptions and serve as a basis for designing business continuity plans and procedures.
