Conducting a Business Impact Analysis (BIA)
A Business Impact Analysis (BIA) provides the foundation for both business continuity strategy and business continuity planning. It identifies, quantifies and qualifies the impacts of loss, interruption, or disruption of critical activities of an organization and provides the data from which appropriate continuity strategies can be determined. A critical activity is any function or process that is essential for the organization to deliver its products and/ or services. It is a process of analyzing activities and the effect that a business disruption might have upon them.
The analysis can provide information on the short and long term effects of an incident or disaster by determining the organization’s recovery timescales and disruption tolerance levels, contributing to the identified process, priorities, and processes that deliver the most urgent products and services, and to determine the resources required for the continuity and recovery of these activities.
The purpose of a BIA is to pinpoint which business units or operations and processes are crucial to the continued delivery of products and services, and in some cases, uninterrupted delivery of critical services to the organization.
The BIA will identify and prioritize the urgency of each business activity undertaken by the organization by assessing the impact over time of an interruption to this activity on the delivery of products and services.
The BIA will look at the products and services that the organization delivers; the activities and dependencies that underpin those deliveries. For each product or service the purpose of a BIA is to:
- Identify critical functions/ activities that support the provision of products and services;
- Assess and document the impacts over time of not performing these activities;
- Identify the maximum tolerable period of disruption or outage;
- Determine the priorities for recovery, setting prioritized timeframes for resuming these activities at a specified minimum acceptable level, taking into consideration the time within which the impacts of not resuming them would become unacceptable; and
- Identify the dependencies and supporting resources (both internal and external) for these activities, including suppliers, outsource partners and other relevant interested key parties required to achieve agree service levels.
Once the results of the BIA are approved by Executive Management, the Business Continuity Plans can be developed using the identified essential and/or critical services and assets.
Approach and Methodology
The BIA is conduct based on best practices and standards tuned to the project requirement. We regularly review and utilize methodologies and best practices mandated by the Government of Canada, as well as those adopted by the industry.
The process will identify critical business assets, infrastructures, functions, processes, and resources as well as providing an evaluation of the potential damage or loss that may be caused to the organization resulting from a disruption; a process used to determine the effect of an interruption of services on each business unit and the organization as a whole.
The proposed BIA methodology is based on best practices, composed of the following three steps:
- Determine mission/ business processes and recovery criticality. Mission/ business processes supported by the business units are identified and the impact of an activity disruption to those processes is determined along with outage impacts and estimated downtime. The downtime should reflect the maximum that can tolerate while still maintaining its mission/ business processes.
- Identify resource requirements. Realistic recovery efforts require a thorough evaluation of the resources required to resume/ business processes and related interdependencies as quickly as possible.
- Identify recovery priorities. Based upon the results from the previous activities, resources can more clearly be linked to critical mission/business processes. Priority levels can be established for sequencing recovery activities and priorities.
Typically, a BIA is composed of five phases: project initiation, information acquisition, information analysis, findings documentation and report presentation to senior management.
To achieve these objectives, the scope of the activities will include, but not be limited to:
- Establish the Business Impact Analysis (BIA) work plan.
- Gain leadership and engagement on the BIA work plan, and the criteria to be used.
- Identify the criteria to be used to quantify and qualify the impact from events on the organization, product, service, employee and customers.
- Plan, coordinate and facilitate data gathering and analysis.
5. Analyze the data collected against the approved criteria to establish the recovery time objective (RTO) and recovery point objective (RPO) for each operational area and functions that supports them.
7. Document minimum resource requirements for recovery of core critical activities and support business functions and their escalation over time.
8. Consolidate findings, prepare and present the BIA results for feedback.
9. Prepare and submit a final BIA Report with findings and recommendations.
The BIA will provide the organization with a formal and documented evaluation process that will determine continuity and recovery priorities, objectives and targets; internal and external resource requirements for the continuity and recovery of the organization’s most critical functions/ activities that support the organization’s mission/ critical processes, products, services, employees and customers as follow:
Information gathered in the BIA will be used to:
- Determine the priority for restoring the critical essential functions.
- Determine the recovery time objective (RTO) for each business process.
- Determine the recovery point objective (RPO) for each business process.
- Identify critical resources required to support business recovery.
- Identify critical infrastructure requirements.
The success of a Business Impact Analysis (BIA) depends on management involvement and their commitment – especially the support for conducting the analysis/assessment and reporting the results. The BIA, “ownership” resides with the organization and its leadership, or the owners of the process or processes under consideration.
Business Impact Analysis Report
The production of a BIA Report is the final stage of a BIA process. The report will provide background information to bring senior management and managers / business leaders towards a common understanding, consisting of findings and major recommendation.
The BIA report will regroup and prioritize all critical essential services/ functions to the organization, their criticality and impact assessments, restoration priorities, and the Maximum Tolerable Downtime (MTD) assessment for each.
The information collected in the BIA will make it possible for the organization to determine how best to prepare to be able to manage disruptions which might otherwise seriously damage it.
The BIA will confirm business priorities and resources required for continuity and recovery at both resumption and return to normal operations. The Business Impact Analysis (BIA) will serve as the foundation to business continuity strategy and a business continuity plan.
The BIA will support the organization’s values “Services, Strength, Commitment Built In – To every product. To every service. To every employee. To every customer. Every single day.”