The Business Impact Analysis (BIA) is a cornerstone of the Business Continuity Management (BCM) Program. It is an activity that identifies the mission-critical business functions, processes or services in your organization, and the resources required to recover those activities in a timely manner. A properly executed BIA will reduce overall operational and financial impacts, reduce potential losses and enhance the business operations of your organization.
How does the industry define a BIA?
The Disaster Recovery Institute International (DRII) defines it as an activity to “Identify and prioritize the entity’s functions and processes to ascertain which ones will have the greatest impact should they not be available.”
The Business Continuity Institute (BCI) definition of a BIA is a “Process of analyzing the business activities and the effects that a business disruption might have upon them.”
A simplified explanation – a BIA is a process that identifies your organization’s critical functions, processes and the resources required to restore business operations.
Regardless of which industry association or standard your organization decides to follow, this article will outline the importance of a BIA to Business Continuity Planning (BCP) efforts and introduce inputs and outputs which go into a typical BIA. The secondary goal of this article is to identify some potential challenges with BIA implementation and introduce successful BIA execution strategies in your organization.
BIA executed “the right way”
The BIA is an organization-wide activity. The BIA engagement will require a partnership with business stakeholders across all business units and departments. It will involve the senior leadership team (SLT). It will include every single business function and amplify the importance of your organization’s Information Technology (IT) department.
One of the main challenges impeding a successful BIA implementation is that the engagement must be sized and fine-tuned for each organization. If it is not executed efficiently, the organization’s stakeholders can quickly lose interest, and the BIA results may not meet your BCM Program requirements.
Although BIA execution has to follow industry-leading standards and methodologies, it has to be completed in a way that will leverage your organization’s size, culture, business style and operational resilience requirements.
BIA engagement inputs
To successfully start a BIA engagement, the BCM practitioners require essential organizational information such as:
- Business functions and process mapping – at larger organizations, this is completed by the Enterprise Architecture (EA) group.
- List of IT applications – internally and externally hosted IT and business applications mapped to the business functions and processes.
- Contact information – a responsibility of the Human Resources department (internal contacts) and the IT department (external application contacts).
The above information is used to map out the BIA engagement, identify key business stakeholders and better understand the business’ complexity and its operations.
BIA engagement execution
The BIA starts with mapping out and leveraging the organizational inputs outlined above, which are used to develop a BIA execution plan and engagement toolset (e.g. spreadsheets, training materials, etc.).
Once the BIA engagement plan and toolset are developed, they will have to be validated and approved by the SLT, which will continually be required to provide direction and guidance during the BIA engagement.
Additionally, the BIA will leverage findings of the organizational Risk Assessment activity, which is sometimes executed as a part of the BIA engagement. The Risk Assessment can be completed by using a traditional Operational Risk Management (ORM) methodology, or an All-Hazards Risk Assessment (AHRA) approach. The AHRA is defined as “An approach for prevention, mitigation, preparedness, response, continuity, and recovery that addresses a full range of threats and hazards, including natural, human-caused, and technology-caused” – NFPA 1600 Standard.
The Risk Assessment activity will define the business functions and process risks and their impacts on business operations if disrupted.
A significant part of the BIA engagement execution is stakeholder training. The BIA training will ensure that the engagement approach, terminology and expectations are fully understood across the organization. It improves the quality of the captured data and, most of the time, removes the guesswork for the stakeholders. The training can typically be completed in in-person meetings (smaller organizations) or over video-conferencing technology (larger or distributed organizations).
BIA engagement outputs
The BIA engagement will produce a set of findings that will be used to develop recovery strategies, Business Continuity Plans and IT Disaster Recovery Plans. The developed BIA tools (in-house developed or leading BCM software platforms) should be used to capture the following information:
- The business function criticality, business recovery order and minimum service levels
- Availability of Standard Operating Procedures (SOPs) and manual workaround procedures for business processes
- Identification of compliance and regulatory fines and reporting requirements
- Alternate site and technology requirements (including the ability to work remotely)
- Business process essential records (electronic or paper files)
- External vendors, suppliers and Service Level Agreements (SLAs)
On the IT side, the BIA will define Recovery Time Objectives (RTO), Recovery Point Objectives (RPO) and the application dependencies of each business function. These findings will be used to develop recovery strategies and to ensure that the IT Disaster Recovery Plan is aligned with the business requirements.
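As an added example (not part of the original article), the following Python script takes BIA-style outputs, business-function RTO/RPO targets and application dependencies, checks them against what the IT DR plan can currently achieve, and derives a dependency-aware application recovery order. The application names, hour values and dependency graph are constructed for illustration, and the script assumes the dependency graph has no cycles.

```python
# Added example (constructed data, not from the article): check the BIA's RTO/RPO
# requirements against IT DR capability and derive an application recovery order.
from graphlib import TopologicalSorter

# Business functions from the BIA: RTO/RPO in hours and the applications used.
FUNCTIONS = {
    "Order Processing": {"rto": 4, "rpo": 1, "apps": ["ERP", "Payments"]},
    "Customer Support": {"rto": 24, "rpo": 8, "apps": ["CRM", "ERP"]},
    "Payroll": {"rto": 72, "rpo": 24, "apps": ["HRIS"]},
}
# Achievable RTO/RPO per application under the IT DR plan, plus upstream applications.
APPS = {
    "ERP": {"rto": 8, "rpo": 1, "depends_on": ["Directory"]},
    "Payments": {"rto": 2, "rpo": 0.5, "depends_on": ["Directory"]},
    "CRM": {"rto": 24, "rpo": 4, "depends_on": ["Directory"]},
    "HRIS": {"rto": 48, "rpo": 24, "depends_on": []},
    "Directory": {"rto": 1, "rpo": 1, "depends_on": []},
}

def required_targets(functions, apps):
    """Tightest RTO/RPO each application must meet, propagated to its upstream apps."""
    need = {}
    def tighten(app, rto, rpo):
        cur = need.setdefault(app, {"rto": rto, "rpo": rpo})
        cur["rto"], cur["rpo"] = min(cur["rto"], rto), min(cur["rpo"], rpo)
        for upstream in apps[app]["depends_on"]:  # assumes an acyclic dependency graph
            tighten(upstream, cur["rto"], cur["rpo"])
    for func in functions.values():
        for app in func["apps"]:
            tighten(app, func["rto"], func["rpo"])
    return need

def find_gaps(functions, apps):
    """(app, metric, required, achievable) wherever DR capability is looser than required."""
    need = required_targets(functions, apps)
    return [(app, m, need[app][m], apps[app][m]) for app in need
            for m in ("rto", "rpo") if apps[app][m] > need[app][m]]

def recovery_order(functions, apps):
    """Dependency-respecting restore order; tightest required RTO first among ready apps."""
    need = required_targets(functions, apps)
    sorter = TopologicalSorter({a: set(v["depends_on"]) for a, v in apps.items()})
    sorter.prepare()
    ready, order = list(sorter.get_ready()), []
    while ready:  # pick the most urgent application whose prerequisites are restored
        ready.sort(key=lambda a: (need.get(a, {"rto": float("inf")})["rto"], a))
        app = ready.pop(0)
        order.append(app)
        sorter.done(app)
        ready.extend(sorter.get_ready())
    return order
```

With the constructed data, `find_gaps` flags that ERP can only be restored in 8 hours while Order Processing needs it back in 4, and `recovery_order` restores the shared Directory service first, then the applications behind the most time-critical functions.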
BIA – the letter “A” stands for analysis
The critical step of the BIA engagement is the analysis of captured data and the development of a Business Impact Analysis report to outline key findings and key recommendations to the senior organizational leadership.
The organization should use the key BIA report findings, observations, and guidance to further mature its Business Continuity Management Program. Some typical BIA report findings and recommendations are as follows:
- Developing a Business Continuity Strategy aligned with the business requirements
- Identifying key personnel and providing cross-training for critical functions
- Ensuring that SOPs and manual workaround procedures are documented
- Aligning the IT Disaster Recovery Plan to the BIA findings
- Ensuring that vital electronic records are backed up to enable the recovery of business functions and processes
BIA findings might surprise you
Most of the time, a BIA will uncover some unintended facts, such as an inability to answer critical questions, or IT findings that surprise everyone. For example: uncertainty about where IT applications are hosted, a lack of organizational understanding of third-party service contracts and Service Level Agreements, the existence of Shadow IT, and the discovery that IT is not in charge of all business applications.
The bottom line is that the BIA can be complicated to execute, but it is a must-have process in your organization. If it is not executed properly, an organization can quickly lose interest, and the BIA findings will not meet long-term business objectives and goals.
As a part of your BCM Program maintenance regime, the BIA should be executed regularly due to changes to the organization’s stakeholders or the addition or removal of business functions and processes.