Whitepaper

A Guide to Pragmatic Business Impact Analysis (BIA) for Continuity Professionals

Noggin

Continuity Management Software

Updated August 28, 2023

The business risk forecast: expect the unexpected

The risk picture is deteriorating across major sectors of the economy. According to the World Economic Forum’s (WEF) 2020 Global Risks Report, more than three quarters of experts surveyed expect business risks in the form of international economic confrontations, domestic political polarization, and cyberattacks on infrastructure to increase this year.[i]

Not just those, environmental disruptions, like the bushfires that ravaged large swathes of Australia in late 2019/early 2020, are likely to become more frequent. In fact, for the first time in the WEF report’s 13-year history, environmental risks top the list, including natural disasters, extreme weather, and human-made environmental disasters.

What can businesses do? Be prepared for the worst, for starters – and at the core of that preparation is the business impact analysis (BIA). In essence, the BIA grants an organization intimate understanding of how core business processes are impacted by crises, disasters, or disruptions, giving those organizations the insights needed to develop resilience in the face of uncertainty and disruption.

All too often, though, businesses fail to properly conduct BIAs. Why’s that? Well, for one, BIAs can be time consuming. Performed without the right approach and systems, they can also feel like an academic, abstract, or worse, wasteful exercise with little real-world impact.

Indeed, conducting a business impact analysis isn’t exactly easy. But it’s nonetheless critical to organizational resilience. What’s more, the costs of not completing one, i.e. being unprepared, are stark. For instance, each hour a business fails to respond to a crisis can jeopardize its future: in some industries, financial loss due to downtime can approach USD 2.8 million per hour, or USD 67 million per day.[ii] As many as three in every four organizations without a proper plan for business continuity fail within three years of a disaster.[iii]

If the data servers at a hospice facility go down, for example, that’s one thing. But if the life-support system gets cut, it is more likely than not that that particular organization will be shutting its doors permanently. Similarly, for a financial institution, a total system downtime of four hours might be painful but manageable. However, a recovery time of 12 hours could mean the bank would never be able to open its doors again, posing knock-on risk to the banking system, more broadly.[iv]

As a result, certain jurisdictions (federal, state, and local) mandate that businesses in priority sectors develop robust business continuity plans and procedures and be able to produce evidence of proper documentation under audit. In the U.S., for example, the Health Insurance Portability and Accountability Act (HIPAA) lays out security rules for safeguarding patients’ data in the event of unforeseen business disruptions; those rules cover backup and recovery requirements.[v]

The BIA also features prominently in international best-practice standards, including in ISO 22301, which provides guidance on business continuity management, ISO 22313, which provides guidance on business continuity management systems, and ISO 31000, which provides guidance on risk management broadly speaking.

The case for undertaking a business impact analysis is clear. But the question remains: how to make the exercise actionable and achievable in your business? To answer how, the document will define pragmatic business impact analysis, addressing how to make it relevant to your organization’s broader resilience objectives.

The Business Impact Analysis lies at the core of data-driven Business Continuity Management

At the intersection of continuity planning and risk management lies the business impact analysis. A diagnostic of a business’s internal dependencies and vulnerabilities, the business impact analysis provides the analytical baseline for developing BCP materials, and battle-readying continuity management systems and processes. In essence, it acts as the dashboard for asset protection and recovery action prioritization, keeping everyone from the CEO to the doorman on the same page, should disruption occur. After all, a lot goes into moving a product, from internal dependencies, like employee availability, corporate assets, and support services, to external dependencies, like suppliers.

A good BIA offers senior management a bird’s eye view of the critical business activities that generate the most money or benefits to the organization, how badly those activities would be impacted by a disruption, as well as insight into the pathways by which impact would possibly take place. It is these interdependencies that the business impact analysis is particularly focused on identifying and quantifying, with the analysis itself serving as a necessary prerequisite for an informed prioritization of assets to protect and the relevant recovery actions to initiate in the case of an emergency. 

So how do organizations identify these interdependencies, and what’s the best way to quantify the risks inherent in them? Well, the process for developing a BIA often takes the form of workshops or questionnaires. Interviewed staff from across the organization identify internal and external dependencies critical to their unit’s operations, before quantifying the business impact that will happen if these operations are halted.

Such analysis is oriented towards critical indicators that summarize the ‘breaking point’ for a business’s operations: the maximum amount of damage an operation can sustain before the business is functionally dead in the water, i.e. maximum acceptable outage, and the resources that would be required to return operations back to functional, i.e. strategies for recovery.

This process surfaces recovery requirements that are then used to develop strategies, solutions, and plans for the business’s unique vulnerabilities. For example, if a data center estimates that any data losses of greater than four hours would mean the end of the business, but data backups entail significant costs, the analysis might inform plans for data backups every hour rather than every second.

At the end of the day, a BIA can be described simply as a stock-taking exercise of where a business’s vulnerabilities lie, and a quantification of how bad things would have to get before the whole business gets dragged under water.

Key terminology for an effective Business Impact Analysis

  • Critical Business Activity (CBA): Those activities essential to deliver outputs and achievement of business objectives.
  • Maximum acceptable outage (MAO): The time an activity can be disrupted before its loss becomes unacceptable and significantly impacts the organization (similar to MTPD).
  • Recovery Time Objective (RTO): The time from which you declare a crisis/disaster to the time that the critical business functions must be fully operational in order to avoid serious financial loss.

Challenges to effective business impact analysis

The business impact analysis enables senior management to proactively set tangible, business-unit-specific targets, so as to ensure organizational resilience. But without the right approach, system, and procedures, the process gets overly complicated. 

It’s often reported that the alphabet soup of business continuity management acronyms and jargon can feel academic, abstract, and divorced from immediate business realities, even to continuity professionals, let alone risk, safety, crisis, and emergency managers. 

Compounding the challenge is the overwhelming amount of information to be sifted through and curated to find worksheets, templates, or questionnaires that are not only appropriate for a given industry or business size but also for different business lines within the same organization. At times, the analysis required can also be site-dependent rather than unit-dependent, which requires a different approach and visualization capabilities, as well. 

What’s more, the data-capturing process, if done manually, is extremely labor-intensive, rife with opportunities for error. In fact, even if the data collection process is implemented flawlessly, without a cohesive synthesis of results at the end, senior management may find themselves with an overload of information without clear, actionable insights to go off of.

These challenges can lead organizations to cut corners on the BIA process, which is particularly dangerous given the dynamic pace of change across industries that can leave organizations blindsided in emergency situations. 

In 2012, for example, Hurricane Sandy revealed how disaster recovery needs to be constantly adapted to new environmental realities. In that severe storm situation, areas that had never been flooded found themselves underwater for the first time, causing outages of far longer than the 48 hours that many local utilities had considered the upper limit in their disaster plans and exercises.[vi]

Technology can help streamline the business impact analysis process

How then to get the benefits of pragmatic business continuity management (more broadly) and business impact analyses (specifically) without wading through the morass? Invest in flexible innovations that conform to the specifics of your organization but evolve as dynamics change. 

Technology, especially, can streamline parts of the BIA, leaving continuity professionals more capacity to focus on the most important parts of their job, i.e. embedding resilience into their organization’s culture and activities. 

For one, integrated safety and security management software provider, Noggin, has developed solutions like next-generation business continuity software, Noggin Continuity, which simplify the varied requirements of performing a business impact analysis into a streamlined, user-friendly process. 

What, exactly, can you get from Noggin Continuity? Noggin Continuity has tools to simplify the most onerous parts of the BIA process. The tools themselves limit the time and effort required from users, reduce the potential for error, and streamline workflows - all in the service of improved organizational resilience, compliance, and preparedness. 

That’s not all. Noggin Continuity provides the tools needed to effectively assess the risk of business disruption and attendant impacts, coordinate response to disruptions, and manage incidents, including the following: 

  • Automated workflows save time and effort. Assign and track business impact assessment and risk management activities for your organizational unit owners. Ensure timely notifications about critical events to staff and stakeholders via email, SMS, or in-app.
  • Customizable and best-in-industry resources out of the box. The system is designed with C-level executives, continuity professionals, and business unit managers in mind, with features relevant to different industries and user persona types, as well. The flexibility allows all kinds of users to report and manage business continuity incidents and issues within a single platform.
  • High-quality data collected and easily turned into actionable insights. Unit specific dashboards and resources include well-formatted forms, lists, and processes with text guidance for proper use across different units to produce consistent and unbiased responses. These responses are then automatically harmonized into a global dashboard, giving executives the data-driven insights they need to set actionable priorities with confidence. 
  • Streamlined compliance with international standards like ISO 22301. Audit logging of changes and approvals of plan template and recovery strategies. Get notifications for when exercises are due. Visualize all upcoming and recently completed exercises with action dashboards, as well as gaps in process or areas for improvement to identify high-risk activities with no recovery plans and strategies. 

Finally, pragmatic business impact analysis gives organizations the intimate understanding of core business processes they need to ensure resilience faced with inevitable disruption. But without the right plan of attack and underlying streamlined systems, the exercise can easily become cumbersome and overly academic. 

Fortunately, simplifying the BIA so it makes sense for your business is possible. Business continuity management functionality, like powerful workflows, gives organizations the tools they need to simplify the most onerous parts of the process, limiting time and effort required by users, and ensuring resilience, compliance, and preparedness.

Citations

i WEF 2020: The Global Risks Report 2020. Available at http://www3.weforum.org/docs/WEF_Global_Risk_Report_2020.pdf.

ii Continuity Insurance & Risk & IBM: The Evolution of Business Continuity Management. Qtd. in Available at http://www.cirmagazine.com/cir/roundtables/IBMRoundtableCIRSept-2014.pdf.

iii Logan Sisam, Utah Division of Emergency Management: 75% of companies without business plans fail within three years after facing a disaster and or operational disruption. Available at https://www.utah.gov/beready/business/documents/newsletters/2015/november.pdf.

iv Kosutic, Dejan, How to implement business impact analysis (BIA) according to ISO 22301. Available at https://advisera.com/27001academy/knowledgebase/how-to-implement-business-impact-analysis-bia-according-to-iso-22301/.

v Rock, Tracy 2019: The Urgent Need for Healthcare Business Continuity Planning. Available at https://invenioit.com/continuity/healthcare-businesscontinuity-planning/.

vi PowerGrid International 2013, Utilities can Prepare for Disasters More Efficiently. Available at https://www.power-grid.com/2013/07/17/utilitiescan-prepare-for-disasters-more-efficiently/.
