The Ultimate Guide to the Business Impact Analysis

WHAT IS A BUSINESS IMPACT ANALYSIS?

The Business Impact Analysis (BIA) is a process to establish business continuity requirements by identifying time-sensitive activities in an organization, based on the impact stemming from a disruption.  The process also includes identifying supporting resource dependencies and establishing recovery time targets.

The major outcomes associated with the BIA include:

• Prioritizing the in-scope products and services, which double as strategic business continuity priorities, that must be protected and how quickly product/service delivery must resume
• Inventorying business activities and resources to establish what needs to be protected and/or recovered following the onset of a disruption
• Establishing recovery timeframes that help the organization determine when resources need to be recovered and help in prioritizing risk treatment options and selecting response and recovery strategies. Recovery time objectives (or RTOs) should be established in such a way that, if achieved, would enable an organization to meet its strategic priorities.

WHAT IS THE PURPOSE OF A BUSINESS IMPACT ANALYSIS?

 Many organizations struggle to understand why a BIA is so important. However, when you think about business continuity as a long-term process, the BIA is the requirements gathering portion of the process.  Just like a project manager wouldn’t start executing a project without clear requirements, the same is true for business continuity: a BIA should deliver clear requirements. Specifically, the business impact analysis:

Provides Confirmation of Business Continuity Program Scope

The BIA identifies the business activities and resources necessary to deliver the organization’s most important products and services. By understanding how the organization delivers its products and services, the BIA process may uncover activities or resources that were not originally in the program’s scope. Also, by understanding activity and resource impacts associated with disruption, the organization can identify which activities and resources need to be performed, regardless of circumstance, which may have an impact on the program’s scope.

Identifies Legal, Regulatory, and Contractual Obligations

Many organizations do not have a clear, unified understanding of obligations. In fact, it is very rare to see any entity within an organization that has a full grasp of what is required during a disruption, and what the implications are if the organization cannot meet those obligations. The BIA enables the organization to create a thorough understanding of these obligations and to enable the appropriate level of business continuity planning to achieve compliance.

Provides Clarity on Business Continuity Strategy Spend

One of the most valuable aspects of the BIA is the estimation of impacts tied to downtime. Understanding financial, reputational, contractual, legal/regulatory, operational, and other impacts enable the organization to develop the business case, with appropriate justification, to select, implement, and maintain business continuity strategies. With proper justification, the organization is set-up to identify and implement appropriate capabilities needed to meet recovery objectives – resulting in the appropriate spend.

Captures Preliminary Plan Content

The BIA process can be used to begin the data collection effort for business continuity plans. When performing the BIA, the organization can begin to collect business continuity plan content, such as existing controls and recovery strategies, team and staffing requirements, internal and external contact information, and other resource-specific information required for the business continuity plan. Once this information is collected, the organization can begin to populate the business continuity plan and present a starting point to those charged with creating and maintain the plans (as opposed to starting with a blank template).

IMPLICATIONS OF NOT PERFORMING A BIA

When organizations choose not to perform a BIA, some of the most common problems that occur that affect the performance of the business continuity program include:

• Subjective Recovery Objectives and Confusion Regarding Recovery Priorities
  Without a formal BIA process, the organization often lacks focus and objectivity in determining scope, establishing priorities and assigning appropriate recovery objectives. Without management-approved recovery objectives, different organizational entities may have different priorities, leading to confusion regarding what capabilities to invest in and prioritize for implementation. For example, IT will lack necessary data and justification for assigning recovery objectives and investing in disaster recovery capabilities.
• Capability Gaps and Inaccurate Program Scope
  Lack of a top-down program scoping and BIA process leads to misalignment between management’s expectations and program performance. Implementing strategies and plans without approved requirements can lead to under-preparing and/or over-spending, which could lead to gaps in business continuity capabilities. In addition, without developing an understanding of the organization’s needs and priorities before determining and implementing strategies, the organization may gradually become aware of risks and gaps in business continuity capabilities as the program matures, leading to continuous, ad hoc scope increases – resulting in inefficiencies.
• Lack of Justification for Investments in Preparedness
  Many organizations attempt to implement a business continuity program, but often struggle with connecting with management to gain necessary traction. The BIA begins to answer the questions that management is asking – what are our business continuity requirements, what do we need to do, and how much do we needed to invest to get there? Without the BIA, the organization simply cannot appropriately answer this question (and will certainly struggle to answer this question with confidence).

BUSINESS IMPACT ANALYSIS AND RISK ASSESSMENT

The BIA and risk assessment are often talked about at the same time, and that’s because many business continuity programs perform them together (or in close coordination). Here are the key distinctions between a BIA and a risk assessment:

• A BIA is particularly focused on establishing business continuity requirements, identifying resource dependencies, and justifying proposed business continuity requirements by estimating the impacts associated with downtime. A risk assessment focuses on understanding the likelihood and severity associated with a loss of the activity and resources with the objective of establishing a prioritized list of risk treatments to decrease the likelihood that the organization experiences a disruption to its ability to deliver products and services.
• Some organizations, and some other risk disciplines, perform risk assessments based on an evaluation of potential threats (commonly called hazard and vulnerability analysis – HVA); however, in business continuity, we conduct a risk assessment based on failure modes (this approach is sometimes called failure modes and effects analysis). The reason is simple – it’s hard to identify all the threats that could interrupt a business!  It is more practical to look at core failure modes – specifically the disruption of resources needed to perform an activity.

So, the how-to instructions below will provide you a way to complete both a BIA and risk assessment together!

HOW TO CONDUCT A BUSINESS IMPACT ANALYSIS

At Avalution, we have refined our processes and tools for performing BIAs over many years. We have established an effective process for executing the BIA that results in the delivery of clear, approved business continuity requirements. Additionally, our process allows us to obtain the information necessary to assess an organization’s business continuity-related risks, identify and implement response and recovery strategies, document meaningful plans, and provide assurances to key stakeholders.

Our process follows five key steps.

Step 1: Scope the Business Impact Analysis

The first step in performing a successful BIA is to ensure that the right business activities and resources are in-scope. Avalution does this by completing what we call the Frame meeting. During this meeting, we work with businesses to address the following four questions:

1. Why are doing business continuity?
2. What are we trying to protect?
3. “How much” business continuity do we need?
4. Who should be involved in the program?

The Frame meeting does several things for a business continuity program.  Specifically, it aligns leadership on program objectives, determines the right program participants, and allows for tailored governance documentation. The most important output of this meeting, however, is identifying the in-scope products and services for an organization’s business continuity program. Identifying products and services allows the organization to focus the business continuity program on maintaining operations that support the most important aspects of the business during a disruption.

Once products and services are identified as in-scope, required departments (or business functions, depending on your organization’s nomenclature) and the subordinate activities should be identified for inclusion in the BIA process. A BIA should consider all departments that complete activities needed to deliver products and services to stakeholders, consistent with expectations.

To learn more about how to scope a business continuity program with executives, download our free executive support amplifier.

Step 2: Schedule Business Impact Analysis Interviews

After identifying in-scope departments and activities, schedule a one-hour meeting with each department’s leadership as well as any required subject matter experts. Include a meeting invite informing them of the purpose of the business impact analysis, meeting objectives, and required preparation.

Of note, it is important that meeting participants represent the department at the right level. Participants should have:

• An understanding of the organization’s key priorities (as they relate to products and services);
• A thorough understanding of the day-to-day activities completed by the department; and
• An understanding of the resource dependencies required to complete each business activity.

Step 3: Execute BIA and Risk Assessment Interviews

Interviews should determine the activities the department performs that supports the delivery of in-scope products and services. For each identified activity, it is important to capture the steps necessary to complete the activity, peak operation times, downtime impacts (i.e. reputational, contractual, operational), and the dependencies that are required to perform each activity.

The following dependency types should be documented:

• Applications
• Facilities
• Third-party suppliers (vendors)
• Equipment
• Personnel
• Other Departments (interdependencies)

It is important that, for each dependency, a description of its use, manual workarounds or alternate suppliers (as appropriate and if known), and recovery time and recovery point objectives (if applicable) are captured.   In addition, conduct the risk assessment by assigning a 1-10 value for the likelihood of loss and impact of loss for each dependency.  Once all data is collected, these numbers can be multiplied together to provide a risk rating for every dependency.

In addition to dependencies, it is important to understand if the department has experienced any event that has prevented it from completing operations in the past.  These are higher risk events that merit strong planning.

Step 4: Document and Approve Each Department-Level BIA Report

Following each department-level meeting, a documented report with the results of the meeting should be completed (Avalution recommends using a business continuity software to increase the efficiency of your program and the value proposition includes automation regarding analysis as well as functionality to enable future updates). These reports should contain all pertinent information that was captured during the interview, as well as recommendations based on the information collected.  A great example is recommendations regarding recovery time objectives based on the impacts estimated.

After the report is drafted, distribute it to the meeting participants. The meeting participants will review the document, make any necessary edits or changes, and approve the report.  Each department-level report is a “puzzle piece” necessary to establish organization-wide business continuity requirements for management’s review and endorsement

Step 5: Complete a BIA and Risk Assessment Summary

After all department-level meetings and reports have been completed and approved, it is time to complete an organizational-wide BIA and risk assessment summary to enable management’s review and approval. The purpose of this presentation (we prefer presentations as they are a more effective form of engagement) is to provide an overview of the key activities, resource requirements, and risks identified during the department-level meetings. Additionally, this report is used as an opportunity to make risk treatment-related recommendations related to key risks that were identified.

After coordinating the department-level BIA conclusions, the BIA and risk assessment results and recommendations should be presented to leadership (typically, the Business Continuity Steering Committee). While presenting to leadership, a focus should be placed on:

• Revisiting the products and services identified previously
• Verifying the requested recovery times and their alignment to products and services
• Presenting key risks and recommendations to address them

These recommendations should be prioritized for leadership by focusing on achieving the right level of resilience (based on the guidance provided during the Frame meeting) and the development of strategies to address the loss of necessary activities and resources.

WHAT ARE THE COMMON CHALLENGES WITH A BIA?

The BIA is Too Time-Consuming

Root Cause: You’re conducting your business impact analysis manually.

For many organizations, the BIA becomes a laborious effort and conflicts with other priorities. For many BIA processes, the organization must dedicate hours upon hours to the BIA data gathering and reporting effort, often based on the need to complete long and complicated surveys. Avalution’s unique data gathering approach uses an organization’s time efficiently, as we engage with the organization through data gathering interviews (typically lasting 60 minutes) and produce a summary report that can be validated quickly. Avalution can also pair our consulting approach with our business continuity software tool, Catalyst, to better leverage information gathering and to automate parts of the analysis effort. Once Avalution compiles information using Catalyst, it is easy to update information in future BIA refreshes.

Inaccurate or Unrealistic Recovery Time Objectives

Root Cause: Recovery time objectives are assigned without adequate business justification.

An important BIA output is establishing business continuity requirements, which means activity and resource recovery priorities, objectives, and targets (which includes, but is not limited to, recovery time objectives and recovery point objectives). Establishing recovery objectives helps to identify the most time-sensitive business activities and resources, which leads to an appropriate order of recovery. However, organizations often assign RTOs without adequate business justification, such as by asking leadership representatives and SMEs their subjective opinion based on a limited understanding of their department’s capabilities or priorities, undermining conclusions and recommendations.

To ensure accurate and realistic activity and resource-specific RTOs, business continuity practitioners should confirm that:

• Department SMEs provide operational, customer/contractual, legal/regulatory, or other relevant impact information that justifies the proposed business continuity requirements.
• The proposed business continuity requirements reflect leadership-defined organizational priorities and align with pre-determined management expectations. For example, business continuity practitioners should ensure that activities not directly supporting organizational priorities do not have overly aggressive RTOs.
• Any upstream and downstream dependencies validate that the proposed RTOs meet their business requirements.

The BIA Doesn’t Evolve as the Organization Evolves

Root Cause: You aren’t conducting your business impact analysis frequently enough.

A BIA isn’t a “once and done” analysis – it must be updated as the organization changes. At Avalution, we leverage our business continuity software platform, Catalyst, to put the BIA into a format that is continually accessible and makes the BIA a living process. In addition, we work with our clients to make the BIA part of the organization’s change management and onboarding processes where needed, so that business continuity requirements evolve over time based on evolving needs, priorities and expectations. Finally, we work with our clients to implement good program management techniques that make the BIA process repeatable and pragmatic.

BIA Data is Too Overwhelming to Analyze

Root Cause: Incorrect BIA scoping – you’re trying to boil the ocean.

A key BIA objective is to gather data to answer two primary questions: (1) what business activities are necessary to perform business operations, and meeting organizational objectives and external obligations (e.g., customer, regulatory), and (2) how quickly do business activities and supporting resources need to be available before the disruption creates unacceptable impacts for the organization or its customers, and to what performance level? For simplicity, many business continuity practitioners choose to use organizational charts or facility lists to determine BIA scope. While it may seem logical to use these resources, practitioners may find that using this method results in too much data that is often difficult to analyze.

The most efficient scoping method is to identify the key organizational products and services —organizational outputs or offerings— and then interview or collect data from the departments that perform business activities delivering – or supporting the delivery of – these products and services. This method helps focus the BIA process’ scope and ensures that BIA participants only provide relevant data that supports critical business activities, making data analysis more straightforward.

BIA Data is Useless or Irrelevant

Root Causes: 1) Incorrectly identified BIA participants and 2) ineffective data gathering methods.

1) Incorrectly Identified BIA Participants
Organizations often struggle with useless or irrelevant BIA data either because they engaged the wrong BIA participants or chose ineffective data gathering methods. As a result, the BIA data is ineffective in identifying appropriate business continuity requirements.

When identifying BIA participants, it is important to identify internal subject matter experts (SME) that can both understand the department’s role in the delivery of products and services, as well as speak to specific day-to-day departmental activities and supporting resources. Organizations that choose to only interview high-level executives may find that these individuals cannot speak to resource dependencies. Similarly, lower-level support staff usually do not have high-level organizational insight and cannot provide information regarding internal organizational dependencies and impacts, nor can speak to how the department contributes to organizational priorities. To avoid these issues, organizations should consider the following questions when choosing BIA participants:

• Does the SME have general departmental knowledge, including the department’s role in the context of the larger organization?
• Does the SME have the ability to identify and assign resources, as needed, to assist in the BIA effort?
• Can the SME provide details on departmental activities, such as activity inputs, outputs, and dependencies?

2) Ineffective Data Gathering Methods
The second root cause of “useless” BIA data is ineffective data gathering methods. Many business continuity professionals assume that a BIA is just a series of surveys. Although many think surveys are the quickest way to complete the BIA task because it takes the least amount of effort for the business continuity professional (side note, using surveys often takes the same amount of time, if not more), surveys do not allow for business continuity awareness-building with department SMEs, the ability to deliver guidance regarding BIA data requirements, a method to collect consistent information, or even the opportunity to collect additional data or ask clarifying questions when necessary.

Instead, Avalution recommends using data gathering interviews or a hybrid approach (where interviews and questionnaires are both used) to deliver actionable results in a time-efficient manner. In addition to following the recommended interview approach, organizations should ensure that BIA facilitators, or those who will be collecting BIA data and driving analysis and reporting efforts, are capable and knowledgeable in the organization and the BIA process (together with an understanding of the BIA outcomes). A knowledgeable BIA facilitator should not only be able to ask the right questions and capture data but should also understand when to go “off the script” to guide discussion and draw indirect information from the SMEs.

Disengaged Executives

Root Cause: Business continuity practitioners do not effectively engage top management throughout the BIA process.

Top management involvement is essential in driving preparedness and program improvement, providing business continuity strategic direction, and sponsoring organizational changes in ways the business continuity team cannot. Without engaging and building top management business continuity awareness, business continuity practitioners may find that top management is disengaged, resulting in lost opportunity and poor business continuity program performance.

Specific to the BIA process, top management has a role in endorsing the BIA scope and the final BIA results. Business continuity practitioners should include leadership representatives, often a Business Continuity Steering Committee, during the BIA scoping process, particularly to confirm:

• Organizational priorities and the departments that support these priorities
• Management expectations for recovery, such as downtime tolerances for in-scope products and services
• Impact categories
• BIA participants

Once the BIA is complete, practitioners should develop a BIA summary presentation for top management review and approval. Through the summary presentation, top management should be able to understand:

• Department, activity, and resource-specific business continuity requirements
• Risks that lead to an increased likelihood of disruption, or risks that may make it difficult for the organization to recovery
• Gaps specific to preparedness (comparing current-state capabilities to approved business continuity requirements)
• Recommendations to address risks and enable successful recovery within approved objectives

To ensure top management engagement, practitioners should avoid:

• Reporting on non-strategic conclusions (for example, the number of BIAs conducted or how many printers are necessary for recovery)
• Providing BIA results without justification, especially communicating unsubstantiated “the sky is falling” results
• Providing a “data dump” of the BIA results that top management will need to analyze themselves

FREE BUSINESS IMPACT ANALYSIS TEMPLATE

Download our free Business Impact Analysis template to get your BIA started quickly! This template is designed to capture all the essential information for a departmental business impact analysis, including:

• Activities, including recovery time objectives and data loss tolerance
• Dependencies (technology, people, facilities, suppliers and equipment)
• Staffing and equipment Requirements
• Risks

Click the button below to get immediate access to our Business Impact Analysis Template.

FREQUENTLY ASKED QUESTIONS