What is a Business Impact Analysis?
A Business Impact Analysis (BIA) is a method for analyzing how disruptions may impact an organization. The analysis considers the timescale of a disruption as well as its intensity, and looks at the resulting impacts on important products and services, and on the processes and activities that support them.
The BIA is an ongoing process, with analyses taking place periodically or when a significant change is made within the organization.
The outcomes of BIAs are:
- Mapping of impact types
- An assessment of cascading impacts as an incident develops
- Identification of tolerance for different impacts, including an assessment of the point in time where impacts would become unacceptable to the organization. (This is termed the MTPD – the maximum tolerable period of disruption – and is expressed as a timescale in minutes, hours, or days.)
- Establishment of recovery time objectives (RTOs) – the planned timescale within which impacted aspects of the organization need to be resumed
- Strategies for incident response and achieving resumption within the RTOs.
What is the purpose of a Business Impact Analysis?
Many organizations struggle to understand why a BIA is so important. However, when you think about business continuity as a long-term process, the BIA is the requirements gathering portion of the process. Just like a project manager wouldn’t start executing a project without clear requirements, the same is true for business continuity: a BIA should deliver clear requirements. Specifically, the business impact analysis:
Provides Confirmation of Business Continuity Program Scope
The BIA identifies the business activities and resources necessary to deliver the organization’s most important products and services. By understanding how the organization delivers its products and services, the BIA process may uncover activities or resources that were not originally in the program’s scope. Also, by understanding activity and resource impacts associated with disruption, the organization can identify which activities and resources need to be performed, regardless of circumstance, which may have an impact on the program’s scope.
Identifies Legal, Regulatory, and Contractual Obligations
Many organizations do not have a clear, unified understanding of their obligations. In fact, it is very rare to find any entity within an organization that has a full grasp of what is required during a disruption, and what the implications are if the organization cannot meet those obligations. The BIA enables the organization to build a thorough understanding of these obligations and to plan business continuity at the level needed to achieve compliance.
Provides Clarity on Business Continuity Strategy Spend
One of the most valuable aspects of the BIA is the estimation of impacts tied to downtime. Understanding financial, reputational, contractual, legal/regulatory, operational, and other impacts enables the organization to develop the business case, with appropriate justification, to select, implement, and maintain business continuity strategies. With proper justification, the organization is set up to identify and implement the capabilities needed to meet recovery objectives, resulting in the appropriate spend.
Captures Preliminary Plan Content
The BIA process can be used to begin the data collection effort for business continuity plans. When performing the BIA, the organization can begin to collect business continuity plan content, such as existing controls and recovery strategies, team and staffing requirements, internal and external contact information, and other resource-specific information required for the business continuity plan. Once this information is collected, the organization can begin to populate the business continuity plan and present a starting point to those charged with creating and maintaining the plans (as opposed to starting with a blank template).
Implications of Not Performing a BIA
When organizations choose not to perform a BIA, the most common problems that affect the performance of the business continuity program include:
- Subjective Recovery Objectives and Confusion Regarding Recovery Priorities
Without a formal BIA process, the organization often lacks focus and objectivity in determining scope, establishing priorities and assigning appropriate recovery objectives. Without management-approved recovery objectives, different organizational entities may have different priorities, leading to confusion regarding what capabilities to invest in and prioritize for implementation. For example, IT will lack necessary data and justification for assigning recovery objectives and investing in disaster recovery capabilities.
- Capability Gaps and Inaccurate Program Scope
Lack of a top-down program scoping and BIA process leads to misalignment between management’s expectations and program performance. Implementing strategies and plans without approved requirements can lead to under-preparing and/or over-spending, which could lead to gaps in business continuity capabilities. In addition, without developing an understanding of the organization’s needs and priorities before determining and implementing strategies, the organization may gradually become aware of risks and gaps in business continuity capabilities as the program matures, leading to continuous, ad hoc scope increases – resulting in inefficiencies.
- Lack of Justification for Investments in Preparedness
Many organizations attempt to implement a business continuity program, but often struggle to connect with management and gain the necessary traction. The BIA begins to answer the questions that management is asking: what are our business continuity requirements, what do we need to do, and how much do we need to invest to get there? Without the BIA, the organization simply cannot answer these questions appropriately (and will certainly struggle to answer them with confidence).
Business Impact Analysis and Risk Assessment
The BIA and risk assessment are often talked about at the same time, and that’s because many business continuity programs perform them together (or in close coordination). Here are the key distinctions between a BIA and a risk assessment:
- A BIA is particularly focused on establishing business continuity requirements, identifying resource dependencies, and justifying proposed business continuity requirements by estimating the impacts associated with downtime. A risk assessment focuses on understanding the likelihood and severity associated with a loss of the activity and resources with the objective of establishing a prioritized list of risk treatments to decrease the likelihood that the organization experiences a disruption to its ability to deliver products and services.
- Some organizations, and some other risk disciplines, perform risk assessments based on an evaluation of potential threats (commonly called hazard and vulnerability analysis – HVA); however, in business continuity, we conduct a risk assessment based on failure modes (this approach is sometimes called failure modes and effects analysis). The reason is simple – it’s hard to identify all the threats that could interrupt a business! It is more practical to look at core failure modes – specifically the disruption of resources needed to perform an activity.
So, the how-to instructions below will provide you a way to complete both a BIA and risk assessment together!
How to Conduct a Business Impact Analysis?
At Castellan, we have refined our processes and tools for performing BIAs over many years. We have established an effective process for executing the BIA that results in the delivery of clear, approved business continuity requirements. Additionally, our process allows us to obtain the information necessary to assess an organization’s business continuity-related risks, identify and implement response and recovery strategies, document meaningful plans, and provide assurances to key stakeholders.
Our process follows five key steps.
Step 1: Scope the Business Impact Analysis
The first step in performing a successful BIA is to ensure that the right business activities and resources are in-scope. Castellan does this by completing what we call the Frame meeting. During this meeting, we work with businesses to address the following four questions:
- Why are we doing business continuity?
- What are we trying to protect?
- “How much” business continuity do we need?
- Who should be involved in the program?
The Frame meeting does several things for a business continuity program. Specifically, it aligns leadership on program objectives, determines the right program participants, and allows for tailored governance documentation. The most important output of this meeting, however, is identifying the in-scope products and services for an organization’s business continuity program. Identifying products and services allows the organization to focus the business continuity program on maintaining operations that support the most important aspects of the business during a disruption.
Once products and services are identified as in-scope, required departments (or business functions, depending on your organization’s nomenclature) and the subordinate activities should be identified for inclusion in the BIA process. A BIA should consider all departments that complete activities needed to deliver products and services to stakeholders, consistent with expectations.
To learn more about how to scope a business continuity program with executives, download our free executive support amplifier.
Step 2: Schedule Business Impact Analysis Interviews
After identifying in-scope departments and activities, schedule a one-hour meeting with each department’s leadership as well as any required subject matter experts. Include a meeting invite informing them of the purpose of the business impact analysis, meeting objectives, and required preparation.
Of note, it is important that meeting participants represent the department at the right level. Participants should have:
- An understanding of the organization’s key priorities (as they relate to products and services);
- A thorough understanding of the day-to-day activities completed by the department; and
- An understanding of the resource dependencies required to complete each business activity.
Step 3: Execute BIA and Risk Assessment Interviews
Interviews should determine the activities the department performs that support the delivery of in-scope products and services. For each identified activity, it is important to capture the steps necessary to complete the activity, peak operation times, downtime impacts (e.g., reputational, contractual, operational), and the dependencies that are required to perform each activity.
The following dependency types should be documented:
- Third-party suppliers (vendors)
- Other Departments (interdependencies)
It is important that, for each dependency, a description of its use, manual workarounds or alternate suppliers (as appropriate and if known), and recovery time and recovery point objectives (if applicable) are captured. In addition, conduct the risk assessment by assigning a 1-10 value for the likelihood of loss and impact of loss for each dependency. Once all data is collected, these numbers can be multiplied together to provide a risk rating for every dependency.
In addition to dependencies, it is important to understand if the department has experienced any event that has prevented it from completing operations in the past. These are higher risk events that merit strong planning.
Step 4: Document and Approve Each Department-Level BIA Report
Following each department-level meeting, a documented report with the results of the meeting should be completed. (Castellan recommends using business continuity software to increase the efficiency of your program; its value proposition includes automation of the analysis as well as functionality to enable future updates.) These reports should contain all pertinent information that was captured during the interview, as well as recommendations based on the information collected. A good example is a recommendation for recovery time objectives based on the impacts estimated.
After the report is drafted, distribute it to the meeting participants. The meeting participants will review the document, make any necessary edits or changes, and approve the report. Each department-level report is a “puzzle piece” necessary to establish organization-wide business continuity requirements for management’s review and endorsement.
Step 5: Complete a BIA and Risk Assessment Summary
After all department-level meetings and reports have been completed and approved, it is time to complete an organization-wide BIA and risk assessment summary to enable management’s review and approval. The purpose of this presentation (we prefer presentations as they are a more effective form of engagement) is to provide an overview of the key activities, resource requirements, and risks identified during the department-level meetings. Additionally, this report is used as an opportunity to make risk treatment recommendations for the key risks that were identified.
After coordinating the department-level BIA conclusions, the BIA and risk assessment results and recommendations should be presented to leadership (typically, the Business Continuity Steering Committee). While presenting to leadership, a focus should be placed on:
- Revisiting the products and services identified previously
- Verifying the requested recovery times and their alignment to products and services
- Presenting key risks and recommendations to address them
These recommendations should be prioritized for leadership by focusing on achieving the right level of resilience (based on the guidance provided during the Frame meeting) and the development of strategies to address the loss of necessary activities and resources.
What are the common challenges with a BIA?
The BIA is Too Time-Consuming
Root Cause: You’re conducting your business impact analysis manually.
For many organizations, the BIA becomes a laborious effort and conflicts with other priorities. For many BIA processes, the organization must dedicate hours upon hours to the BIA data gathering and reporting effort, often based on the need to complete long and complicated surveys. Castellan’s unique data gathering approach uses an organization’s time efficiently, as we engage with the organization through data gathering interviews (typically lasting 60 minutes) and produce a summary report that can be validated quickly. Castellan can also pair our consulting approach with our business continuity software tool, to better leverage information gathering and to automate parts of the analysis effort. Once Castellan compiles information using the tool, it is easy to update information in future BIA refreshes.
Inaccurate or Unrealistic Recovery Time Objectives
Root Cause: Recovery time objectives are assigned without adequate business justification.
An important BIA output is establishing business continuity requirements, which means activity and resource recovery priorities, objectives, and targets (which includes, but is not limited to, recovery time objectives and recovery point objectives). Establishing recovery objectives helps to identify the most time-sensitive business activities and resources, which leads to an appropriate order of recovery. However, organizations often assign RTOs without adequate business justification, such as by asking leadership representatives and SMEs their subjective opinion based on a limited understanding of their department’s capabilities or priorities, undermining conclusions and recommendations.
To ensure accurate and realistic activity and resource-specific RTOs, business continuity practitioners should confirm that:
- Department SMEs provide operational, customer/contractual, legal/regulatory, or other relevant impact information that justifies the proposed business continuity requirements.
- The proposed business continuity requirements reflect leadership-defined organizational priorities and align with pre-determined management expectations. For example, business continuity practitioners should ensure that activities not directly supporting organizational priorities do not have overly aggressive RTOs.
- Any upstream and downstream dependencies validate that the proposed RTOs meet their business requirements.
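The scoring in Step 3 (a 1-10 likelihood of loss multiplied by a 1-10 impact of loss for each dependency) and the RTO checks in the list above can be carried out on a small dependency register. The following Python is an added example, not Castellan's software or any tooling described on this page; the dataclasses, field names, the two checks in check_recovery_objectives (activity RTO within its MTPD, and no dependency recovering later than the activity that needs it) and the sample register are assumptions constructed for illustration.

```python
"""Dependency risk rating and recovery-objective checks for one BIA activity.

Added example, not Castellan's tooling. The dataclasses, field names and the
sample register below are assumptions constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Dependency:
    name: str
    kind: str                           # "vendor" (third-party supplier) or "department" (interdependency)
    use: str                            # description of how the activity uses the dependency
    likelihood: int                     # 1-10 likelihood of loss, as captured in the interview
    impact: int                         # 1-10 impact of loss, as captured in the interview
    rto_hours: Optional[float] = None   # the dependency's own recovery time objective, if applicable
    workaround: Optional[str] = None    # manual workaround or alternate supplier, if known

    def risk_rating(self) -> int:
        """Risk rating = likelihood x impact, after checking both values sit on the 1-10 scale."""
        for label, value in (("likelihood", self.likelihood), ("impact", self.impact)):
            if not 1 <= value <= 10:
                raise ValueError(f"{self.name}: {label} must be between 1 and 10, got {value}")
        return self.likelihood * self.impact


@dataclass
class Activity:
    name: str
    mtpd_hours: float                   # maximum tolerable period of disruption
    rto_hours: float                    # proposed recovery time objective for the activity
    dependencies: List[Dependency] = field(default_factory=list)


def rank_dependencies(activity: Activity) -> List[Dependency]:
    """Dependencies ordered from highest to lowest risk rating (ties keep register order)."""
    return sorted(activity.dependencies, key=lambda d: d.risk_rating(), reverse=True)


def check_recovery_objectives(activity: Activity) -> List[str]:
    """Findings that would make the proposed RTO unjustified or unachievable.

    Two assumed checks:
    - the activity's RTO must fall within its MTPD, otherwise impacts become
      unacceptable before the activity is planned to resume;
    - a dependency with its own RTO must be recoverable no later than the
      activity that needs it, otherwise the activity's RTO cannot be met.
    """
    findings = []
    if activity.rto_hours > activity.mtpd_hours:
        findings.append(
            f"{activity.name}: RTO {activity.rto_hours}h exceeds MTPD {activity.mtpd_hours}h"
        )
    for dep in activity.dependencies:
        if dep.rto_hours is not None and dep.rto_hours > activity.rto_hours:
            findings.append(
                f"{activity.name}: dependency '{dep.name}' recovers in {dep.rto_hours}h, "
                f"after the activity RTO of {activity.rto_hours}h"
            )
    return findings


def sample_activity() -> Activity:
    """Constructed register for one activity (illustrative values, not real data)."""
    return Activity(
        name="Claims intake",
        mtpd_hours=48,
        rto_hours=24,
        dependencies=[
            Dependency("Payment gateway (vendor)", "vendor", "settles customer refunds",
                       likelihood=4, impact=9, rto_hours=8),
            Dependency("IT service desk", "department", "resets intake-system accounts",
                       likelihood=2, impact=6, rto_hours=36),
            Dependency("Document scanning (vendor)", "vendor", "digitises paper claims",
                       likelihood=6, impact=3, rto_hours=4, workaround="manual data entry"),
        ],
    )


if __name__ == "__main__":
    act = sample_activity()
    for dep in rank_dependencies(act):
        print(f"{dep.risk_rating():3d}  {dep.name}  ({dep.kind})")
    for finding in check_recovery_objectives(act):
        print("FINDING:", finding)
```

On the constructed register the payment gateway ranks highest (4 x 9 = 36) even though it is the least likely to fail, and the service desk dependency is flagged because its own 36-hour RTO is longer than the 24-hour RTO proposed for the activity, which is exactly the kind of upstream dependency mismatch the list above asks practitioners to surface before an RTO is approved.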
The BIA Doesn’t Evolve as the Organization Evolves
Root Cause: You aren’t conducting your business impact analysis frequently enough.
A BIA isn’t a “once and done” analysis – it must be updated as the organization changes. At Castellan, we leverage our business continuity software platform, to put the BIA into a format that is continually accessible and makes the BIA a living process. In addition, we work with our clients to make the BIA part of the organization’s change management and onboarding processes where needed, so that business continuity requirements evolve over time based on evolving needs, priorities and expectations. Finally, we work with our clients to implement good program management techniques that make the BIA process repeatable and pragmatic.
BIA Data is Too Overwhelming to Analyze
Root Cause: Incorrect BIA scoping – you’re trying to boil the ocean.
A key BIA objective is to gather data to answer two primary questions: (1) what business activities are necessary to perform business operations and to meet organizational objectives and external obligations (e.g., customer, regulatory), and (2) how quickly, and to what performance level, do business activities and supporting resources need to be available before the disruption creates unacceptable impacts for the organization or its customers? For simplicity, many business continuity practitioners choose to use organizational charts or facility lists to determine BIA scope. While it may seem logical to use these resources, practitioners may find that this method produces too much data, which is often difficult to analyze.
The most efficient scoping method is to identify the key organizational products and services (organizational outputs or offerings) and then interview or collect data from the departments that perform business activities delivering, or supporting the delivery of, these products and services. This method focuses the scope of the BIA process and ensures that BIA participants only provide relevant data that supports critical business activities, making data analysis more straightforward.
BIA Data is Useless or Irrelevant
Root Causes: 1. Incorrectly identified BIA participants and 2. Ineffective data gathering methods.
1. Incorrectly Identified BIA Participants
Organizations often struggle with useless or irrelevant BIA data either because they engaged the wrong BIA participants or chose ineffective data gathering methods. As a result, the BIA data is ineffective in identifying appropriate business continuity requirements.
When identifying BIA participants, it is important to identify internal subject matter experts (SMEs) who both understand the department’s role in the delivery of products and services and can speak to specific day-to-day departmental activities and supporting resources. Organizations that choose to only interview high-level executives may find that these individuals cannot speak to resource dependencies. Similarly, lower-level support staff usually do not have high-level organizational insight and cannot provide information regarding internal organizational dependencies and impacts, nor can they speak to how the department contributes to organizational priorities. To avoid these issues, organizations should consider the following questions when choosing BIA participants:
- Does the SME have general departmental knowledge, including the department’s role in the context of the larger organization?
- Does the SME have the ability to identify and assign resources, as needed, to assist in the BIA effort?
- Can the SME provide details on departmental activities, such as activity inputs, outputs, and dependencies?
2. Ineffective Data Gathering Methods
The second root cause of “useless” BIA data is ineffective data gathering methods. Many business continuity professionals assume that a BIA is just a series of surveys. Surveys are often seen as the quickest way to complete the BIA because they take the least effort from the business continuity professional (as a side note, using surveys often takes the same amount of time, if not more). However, surveys do not allow for business continuity awareness-building with department SMEs, do not provide a way to deliver guidance regarding BIA data requirements or to collect consistent information, and offer no opportunity to collect additional data or ask clarifying questions when necessary.
Instead, Castellan recommends using data gathering interviews or a hybrid approach (where interviews and questionnaires are both used) to deliver actionable results in a time-efficient manner. In addition to following the recommended interview approach, organizations should ensure that BIA facilitators, or those who will be collecting BIA data and driving analysis and reporting efforts, are capable and knowledgeable in the organization and the BIA process (together with an understanding of the BIA outcomes). A knowledgeable BIA facilitator should not only be able to ask the right questions and capture data but should also understand when to go “off the script” to guide discussion and draw indirect information from the SMEs.
Root Cause: Business continuity practitioners do not effectively engage top management throughout the BIA process.
Top management involvement is essential in driving preparedness and program improvement, providing business continuity strategic direction, and sponsoring organizational changes in ways the business continuity team cannot. Without engaging and building top management business continuity awareness, business continuity practitioners may find that top management is disengaged, resulting in lost opportunity and poor business continuity program performance.
Specific to the BIA process, top management has a role in endorsing the BIA scope and the final BIA results. Business continuity practitioners should include leadership representatives, often a Business Continuity Steering Committee, during the BIA scoping process, particularly to confirm:
- Organizational priorities and the departments that support these priorities
- Management expectations for recovery, such as downtime tolerances for in-scope products and services
- Impact categories
- BIA participants
Once the BIA is complete, practitioners should develop a BIA summary presentation for top management review and approval. Through the summary presentation, top management should be able to understand:
- Department, activity, and resource-specific business continuity requirements
- Risks that lead to an increased likelihood of disruption, or risks that may make it difficult for the organization to recover
- Gaps specific to preparedness (comparing current-state capabilities to approved business continuity requirements)
- Recommendations to address risks and enable successful recovery within approved objectives
To ensure top management engagement, practitioners should avoid:
- Reporting on non-strategic conclusions (for example, the number of BIAs conducted or how many printers are necessary for recovery)
- Providing BIA results without justification, especially communicating unsubstantiated “the sky is falling” results
- Providing a “data dump” of the BIA results that top management will need to analyze themselves
Frequently Asked Questions
How often do you perform a business impact analysis?
Castellan recommends, based on industry standards, updating and performing a business impact analysis on an annual basis (more or less frequently, depending on organizational change). Some organizations determine that a semi-annual refresh should be completed. In general, this determination should be made based on the speed at which your organization is changing and evolving. If an organization experiences significant changes often (e.g., in the scope of each department, leadership, strategic initiatives, or dependencies), it may be beneficial to conduct a BIA refresh more frequently than if the organization remains largely stable in terms of departments, activities, risks, and dependencies.
Who should be involved in the business impact analysis?
Different individuals and groups are required during different steps of the BIA process. First, the Business Continuity Steering Committee, Program Sponsor, and Program Manager should work collectively to determine the in-scope departments for the business impact analysis. For individual interviews, Castellan recommends having an interviewer and note taker during the BIA data gathering meeting. The interviewer will conduct the interview and the note taker will scribe. This method is a fast and accurate way to complete a department report. Additionally, department leaders and subject matter experts should be present for each interview. Lastly, the BIA and risk assessment summary report should be presented to the Business Continuity Steering Committee (typically, by the Program Manager).
Should I use a BIA Survey?
Castellan believes that an interview-based BIA data gathering approach is the most effective engagement technique because the conclusions are more accurate and complete. It is extremely difficult to design a survey that captures the nuances within and between various departments. Additionally, surveys do not provide the context, depth, or additional information that may be required to accurately analyze the risks faced by a department. You should go and talk to departments.
What is in a business impact analysis report?
A department-level business impact analysis report summarizes the activities performed by the department, the estimated impacts associated with downtime, the resource and organizational dependencies needed for each activity, and the resulting business continuity requirements. Individual department-level reports are used to create an organization-wide Business Impact Analysis and Risk Summary presentation that documents recovery times, organizational risks, and risk mitigation recommendations.
How do I start a business impact analysis?
The first step in completing a business impact analysis is scoping. In-scope departments for a business impact analysis should focus on operations that support the delivery of in-scope products and services. We have an entire guide available to get your program started, called the executive support amplifier.
Do I need software for a business impact analysis?
Yes and no. Small programs may find it possible to manage a business continuity program and business impact analysis without software (by small, we mean organizations with fewer than 10 or 15 departments and fewer than 1,000 employees). However, software makes it significantly easier to manage a program and to automate elements of the analytic effort. For larger organizations, software is essential, as the automation alone can replace the costs associated with one or more FTEs. For example, software allows a program manager to eliminate the need to manually follow up with department owners, or to establish a critical path of activities and resources needed to deliver a specific product or service. Software can also recommend recovery objectives based on automated interdependency analysis. With the time savings, the program manager can focus on stakeholder engagement and on improving the organization’s ability to respond and recover. Obviously, we’re partial to Castellan Business Continuity Software.
Why is the business impact analysis important?
The business impact analysis is used to identify time sensitive activities and resources, the estimated impacts associated with a disruption, and dependencies for activities that relate to an organization’s in-scope products and services. This information is used to determine key risks and response/recovery capability gaps. Additionally, BIA outcomes help determine response and recovery strategies.