For businesses, risk is everywhere – from supply chains to cyberattacks to severe weather and the cost of living. What can businesses do to get ahead of the threats? They can start by getting their business continuity management house in order.
But how to do just that? Well, it doesn’t get more foundational than the business impact analysis (BIA).
What is the BIA? In this article, we define the term and lay out the eight steps to take to conduct an effective business impact analysis.
What is the business impact analysis?
So, what is it? The BIA is the business continuity management technique used to define the impact of a disruption over time.
BIAs help organizations determine:
- Their prioritized activities
- Associated recovery timeframes and resource requirements
Another way to think about the BIA is as a dashboard for asset protection and recovery action prioritization that will keep everyone from the CEO to the doorman on the same page, should disruption occur.
A diagnostic of a business’s internal dependencies and vulnerabilities, the business impact analysis provides the analytical baseline for developing business continuity planning materials and battle-readying business continuity management systems (BCMS) and processes.
What does it do? A good BIA achieves the following:
- Offers senior management a bird’s eye view of the critical business activities that generate the most money or benefits to the organization
- Details how badly those activities would be impacted by a disruption
- Offers insight into the pathways by which that impact would possibly take place
What is the point of the BIA process?
So, what else does the BIA aim to do?
Well, the BIA considers the products and services of an organization as well as those processes and activities, including resources and dependencies, that ensure the delivery of the products and services.
The BIA process, which we’ll summarize in the following sections, therefore aims to:
- Identify legal, regulatory, and contractual requirements
- Assess the impact over time of a disruption on the organization
- Identify the timeframes for the maximum tolerable period of disruption (MTPD)
- Set the recovery time objective (RTO) for the prioritized activities
- Identify resources needed to perform prioritized activities following a disruption
- Set the timeframes for the recovery point objective (RPO) regarding data and information
- Set the minimum business continuity objective (MBCO) for the minimum level of products and services that is acceptable to the organization
- Identify dependencies, including suppliers, partners, and other interested parties
- Identify the interdependencies of prioritized activities
- Reassess and validate the scope of the BCMS
In sum, the BIA process surfaces recovery requirements that are then used to develop strategies, solutions, and plans to mitigate the business’s unique vulnerabilities.
For example, if a data center estimates that any data losses of greater than four hours would mean the end of the business, yet data backups entail significant costs, the BIA might inform plans for data backups every hour rather than every second.
Roles and responsibilities involved in the BIA
Getting the right BIA outputs, however, depends on having the right BIA inputs. And one of the most important of those inputs is people.
For the BIA to be actionable, the right people have to be involved in the BIA process. Key roles tend to include:
- Senior management. Not day-to-day actors, senior leadership will ensure commitment to the process. Senior leadership will also allocate the necessary resources to the endeavor in addition to providing financial approval for costs and transmitting relevant communications within the organization.
- BC professionals. The BC team, on the other hand, is the day-to-day actor, playing a key coordination role across teams and levels. BC professionals will be responsible for preparing, planning, managing, delivering, and ensuring consistency throughout the BIA process.
- Activity owners. BC professionals likely don’t own the activities that are being assessed. Those will be owned by department heads, who will feed all the necessary information for the BIA to BC professionals, e.g., resources required, any workarounds, known dependencies, etc.
Methods and techniques for conducting the BIA
BIAs take different shapes and forms. However, the traditional methods and techniques for conducting the BIA include the following:
Workshops
Workshops play a vital role in gathering information from individuals and teams, whether conducted in person or virtually. They not only serve as an avenue to enhance awareness but also contribute to the improvement of the BC culture.
The identification of interdependencies, raising issues, and exploring solutions becomes possible through this interactive method, ensuring higher quality outcomes. Adequate preparation time is essential before conducting workshops.
Surveys and questionnaires
Surveys and questionnaires offer another effective means of collecting information, whether on paper or electronically. Well-crafted questions can yield detailed insights and generate a substantial amount of data.
Electronic collection and analysis can prove beneficial for medium and large organizations, fostering increased awareness and supporting an enriched BC culture. This, in turn, facilitates the achievement of quality results.
Interviews
Conducted through conversations, interviews provide a valuable channel for collecting information from individuals or teams. BC professionals may leverage interviews to facilitate discussions on business-as-usual (BAU) operations, resource needs, obligations, and potential impacts in the event of disruptions affecting the team's capability to deliver prioritized activities and products or services.
Although interviews often uncover risks that should be documented in the risk assessment (RA), they must be conducted carefully and given sufficient time to prevent misinterpretation of concepts and definitions that could impact results.
The challenges to conducting the business impact analysis
These techniques might seem rudimentary, in which case the question becomes: why aren’t businesses already conducting regular BIAs of the appropriate depth?
One of the reported answers is that the alphabet soup of business continuity management acronyms and jargon can feel academic, abstract, and divorced from immediate business realities, even to BC professionals.
Compounding the challenge is the overwhelming amount of information to be sifted through and curated in order to find worksheets, templates, or questionnaires that are appropriate not only for a given industry or business size but also for different business lines within the same organization.
At times, the analysis required can also be site-dependent rather than unit-dependent, which requires a different approach and visualization capabilities.
What’s more, the data-capturing process, if done manually, is extremely labor-intensive and rife with opportunities for error. In fact, even if the data collection process is implemented flawlessly, without a cohesive synthesis of results at the end, senior management may find themselves with an overload of information and no clear, actionable insights to act on.
These challenges can lead organizations to cut corners on the BIA process. This is particularly dangerous given the dynamic pace of change across industries that can leave organizations blindsided in emergency situations.
8 steps to conduct an effective BIA
How to avoid the pitfalls? We recommend taking the following eight steps when conducting your BIA:
1. Know what you are trying to achieve
The first step to take is to review the context and scope of the BIA. What are the parameters? The BIA should be strategic in nature and approved by top management.
2. Carefully consider roles and responsibilities
As mentioned, people are one of the most important BIA inputs. To that end, you will need to assign BIA roles and responsibilities within the organization to the right people who will help the process operate smoothly.
3. Create an implementation plan
Have a plan for action. Developing a business impact analysis (BIA) implementation plan involves outlining the approach and methodology for executing the BIA.
Why does it matter? Well, it’s crucial to adopt a uniform approach across the organization. The scalability of the process to align with each organization's unique needs is also important.
Evaluation may occur after the BIA stage or as part of the management review at the conclusion of the current BCMS cycle. The selected method must be robust enough to guarantee the consistency and impartiality of the collected information.
4. Determine priorities of products and services and the associated activities of the prioritized products and services
The types of impact considerations to determine these priorities could be financial, reputational, legal, customer, health and safety, operational, regulatory, and any other impact depending on the nature and type of the organization. It must be considered, though, that the impact from disruptions can come from within the supply chain or other external sources.
5. Determine necessary resources
Determine the resources required for continuity of activities following an incident, as well as all other dependencies and interdependencies.
6. Consolidate results
Perform a final analysis to consolidate BIA results.
7. Obtain top management approval of BIA results
Determining impacts over time should demonstrate to top management how urgently the organization needs to respond to a disruption.
8. Update
Periodically review the BIA as part of a continual improvement strategy.
Role of digital technology in conducting the business impact analysis
If those steps sound overwhelming, they don’t have to be. Business continuity management software can help streamline parts of the BIA, which will leave BC professionals with more capacity to focus on the most important parts of their job, i.e., embedding resilience into their organization’s culture and activities.
What capabilities matter? Well, we at Noggin provide BIA tools that help simplify your BIA process and drive engagement across the organization.
Our BIA tools guide you through the process step-by-step, ensuring that your BIAs are rich with insightful data to help you truly understand how your business works.
But don’t take our word for it. Check out Noggin Resilience for yourself!