The Business Impact Analysis (BIA) is a process to establish business continuity requirements by identifying time-sensitive activities in an organization, based on the impact stemming from a disruption. The process also includes identifying supporting resource dependencies and establishing recovery time targets.
The major outcomes associated with the BIA include:
Many organizations struggle to understand why a BIA is so important. However, when you think about business continuity as a long-term process, the BIA is the requirements gathering portion of the process. Just like a project manager wouldn’t start executing a project without clear requirements, the same is true for business continuity: a BIA should deliver clear requirements. Specifically, the business impact analysis:
The BIA identifies the business activities and resources necessary to deliver the organization’s most important products and services. By understanding how the organization delivers its products and services, the BIA process may uncover activities or resources that were not originally in the program’s scope. Also, by understanding activity and resource impacts associated with disruption, the organization can identify which activities and resources need to be performed, regardless of circumstance, which may have an impact on the program’s scope.
Many organizations do not have a clear, unified understanding of obligations. In fact, it is very rare to see any entity within an organization that has a full grasp of what is required during a disruption, and what the implications are if the organization cannot meet those obligations. The BIA enables the organization to build a thorough understanding of these obligations and supports the appropriate level of business continuity planning to achieve compliance.
One of the most valuable aspects of the BIA is the estimation of impacts tied to downtime. Understanding financial, reputational, contractual, legal/regulatory, operational, and other impacts enables the organization to develop the business case, with appropriate justification, to select, implement, and maintain business continuity strategies. With proper justification, the organization is set up to identify and implement appropriate capabilities needed to meet recovery objectives – resulting in the appropriate spend.
The BIA process can be used to begin the data collection effort for business continuity plans. When performing the BIA, the organization can begin to collect business continuity plan content, such as existing controls and recovery strategies, team and staffing requirements, internal and external contact information, and other resource-specific information required for the business continuity plan. Once this information is collected, the organization can begin to populate the business continuity plan and present a starting point to those charged with creating and maintaining the plans (as opposed to starting with a blank template).
When organizations choose not to perform a BIA, some of the most common problems that affect the performance of the business continuity program include:
The BIA and risk assessment are often talked about at the same time, and that’s because many business continuity programs perform them together (or in close coordination). Here are the key distinctions between a BIA and a risk assessment:
So, the how-to instructions below will provide you with a way to complete both a BIA and risk assessment together!
At Avalution, we have refined our processes and tools for performing BIAs over many years. We have established an effective process for executing the BIA that results in the delivery of clear, approved business continuity requirements. Additionally, our process allows us to obtain the information necessary to assess an organization’s business continuity-related risks, identify and implement response and recovery strategies, document meaningful plans, and provide assurances to key stakeholders.
Our process follows five key steps.
The first step in performing a successful BIA is to ensure that the right business activities and resources are in-scope. Avalution does this by completing what we call the Frame meeting. During this meeting, we work with businesses to address the following four questions:
The Frame meeting does several things for a business continuity program. Specifically, it aligns leadership on program objectives, determines the right program participants, and allows for tailored governance documentation. The most important output of this meeting, however, is identifying the in-scope products and services for an organization’s business continuity program. Identifying products and services allows the organization to focus the business continuity program on maintaining operations that support the most important aspects of the business during a disruption.
Once products and services are identified as in-scope, required departments (or business functions, depending on your organization’s nomenclature) and the subordinate activities should be identified for inclusion in the BIA process. A BIA should consider all departments that complete activities needed to deliver products and services to stakeholders, consistent with expectations.
To learn more about how to scope a business continuity program with executives, download our free executive support amplifier.
After identifying in-scope departments and activities, schedule a one-hour meeting with each department’s leadership as well as any required subject matter experts. Include a meeting invite informing them of the purpose of the business impact analysis, meeting objectives, and required preparation.
Of note, it is important that meeting participants represent the department at the right level. Participants should have:
Interviews should determine the activities the department performs that support the delivery of in-scope products and services. For each identified activity, it is important to capture the steps necessary to complete the activity, peak operation times, downtime impacts (e.g., reputational, contractual, operational), and the dependencies that are required to perform each activity.
The following dependency types should be documented:
It is important that, for each dependency, a description of its use, manual workarounds or alternate suppliers (as appropriate and if known), and recovery time and recovery point objectives (if applicable) are captured. In addition, conduct the risk assessment by assigning a 1-10 value for the likelihood of loss and impact of loss for each dependency. Once all data is collected, these numbers can be multiplied together to provide a risk rating for every dependency.
In addition to dependencies, it is important to understand if the department has experienced any event that has prevented it from completing operations in the past. These are higher risk events that merit strong planning.
Following each department-level meeting, a documented report with the results of the meeting should be completed (Avalution recommends using business continuity software to increase the efficiency of your program; its value proposition includes automated analysis as well as functionality to enable future updates). These reports should contain all pertinent information that was captured during the interview, as well as recommendations based on the information collected. A great example is recommendations regarding recovery time objectives based on the impacts estimated.
After the report is drafted, distribute it to the meeting participants. The meeting participants will review the document, make any necessary edits or changes, and approve the report. Each department-level report is a “puzzle piece” necessary to establish organization-wide business continuity requirements for management’s review and endorsement.
After all department-level meetings and reports have been completed and approved, it is time to complete an organization-wide BIA and risk assessment summary to enable management’s review and approval. The purpose of this presentation (we prefer presentations as they are a more effective form of engagement) is to provide an overview of the key activities, resource requirements, and risks identified during the department-level meetings. Additionally, this report is used as an opportunity to make risk treatment recommendations for the key risks that were identified.
After coordinating the department-level BIA conclusions, the BIA and risk assessment results and recommendations should be presented to leadership (typically, the Business Continuity Steering Committee). While presenting to leadership, a focus should be placed on:
These recommendations should be prioritized for leadership by focusing on achieving the right level of resilience (based on the guidance provided during the Frame meeting) and the development of strategies to address the loss of necessary activities and resources.
Root Cause: You’re conducting your business impact analysis manually.
For many organizations, the BIA becomes a laborious effort and conflicts with other priorities. For many BIA processes, the organization must dedicate hours upon hours to the BIA data gathering and reporting effort, often based on the need to complete long and complicated surveys. Avalution’s unique data gathering approach uses an organization’s time efficiently, as we engage with the organization through data gathering interviews (typically lasting 60 minutes) and produce a summary report that can be validated quickly. Avalution can also pair our consulting approach with our business continuity software tool, Catalyst, to better leverage information gathering and to automate parts of the analysis effort. Once Avalution compiles information using Catalyst, it is easy to update information in future BIA refreshes.
Root Cause: Recovery time objectives are assigned without adequate business justification.
An important BIA output is establishing business continuity requirements, which means activity and resource recovery priorities, objectives, and targets (which includes, but is not limited to, recovery time objectives and recovery point objectives). Establishing recovery objectives helps to identify the most time-sensitive business activities and resources, which leads to an appropriate order of recovery. However, organizations often assign RTOs without adequate business justification, such as by asking leadership representatives and SMEs their subjective opinion based on a limited understanding of their department’s capabilities or priorities, undermining conclusions and recommendations.
To ensure accurate and realistic activity and resource-specific RTOs, business continuity practitioners should confirm that:
Root Cause: You aren’t conducting your business impact analysis frequently enough.
A BIA isn’t a “once and done” analysis – it must be updated as the organization changes. At Avalution, we leverage our business continuity software platform, Catalyst, to put the BIA into a format that is continually accessible and makes the BIA a living process. In addition, we work with our clients to make the BIA part of the organization’s change management and onboarding processes where needed, so that business continuity requirements evolve over time based on evolving needs, priorities and expectations. Finally, we work with our clients to implement good program management techniques that make the BIA process repeatable and pragmatic.
Root Cause: Incorrect BIA scoping – you’re trying to boil the ocean.
A key BIA objective is to gather data to answer two primary questions: (1) what business activities are necessary to perform business operations and meet organizational objectives and external obligations (e.g., customer, regulatory), and (2) how quickly do business activities and supporting resources need to be available before the disruption creates unacceptable impacts for the organization or its customers, and to what performance level? For simplicity, many business continuity practitioners choose to use organizational charts or facility lists to determine BIA scope. While it may seem logical to use these resources, practitioners may find that using this method results in too much data that is often difficult to analyze.
The most efficient scoping method is to identify the key organizational products and services (organizational outputs or offerings) and then interview or collect data from the departments that perform business activities delivering – or supporting the delivery of – these products and services. This method helps focus the BIA process’s scope and ensures that BIA participants only provide relevant data that supports critical business activities, making data analysis more straightforward.
Root Causes: 1) Incorrectly identified BIA participants and 2) ineffective data gathering methods.
1) Incorrectly Identified BIA Participants
Organizations often struggle with useless or irrelevant BIA data either because they engaged the wrong BIA participants or chose ineffective data gathering methods. As a result, the BIA data is ineffective in identifying appropriate business continuity requirements.
When identifying BIA participants, it is important to identify internal subject matter experts (SMEs) who can both understand the department’s role in the delivery of products and services and speak to specific day-to-day departmental activities and supporting resources. Organizations that choose to only interview high-level executives may find that these individuals cannot speak to resource dependencies. Similarly, lower-level support staff usually do not have high-level organizational insight and cannot provide information regarding internal organizational dependencies and impacts, nor can they speak to how the department contributes to organizational priorities. To avoid these issues, organizations should consider the following questions when choosing BIA participants:
2) Ineffective Data Gathering Methods
The second root cause of “useless” BIA data is ineffective data gathering methods. Many business continuity professionals assume that a BIA is just a series of surveys. Although many think surveys are the quickest way to complete the BIA task because they take the least amount of effort for the business continuity professional (side note: using surveys often takes the same amount of time, if not more), surveys do not allow for business continuity awareness-building with department SMEs, the ability to deliver guidance regarding BIA data requirements, a method to collect consistent information, or even the opportunity to collect additional data or ask clarifying questions when necessary.
Instead, Avalution recommends using data gathering interviews or a hybrid approach (where interviews and questionnaires are both used) to deliver actionable results in a time-efficient manner. In addition to following the recommended interview approach, organizations should ensure that BIA facilitators, or those who will be collecting BIA data and driving analysis and reporting efforts, are capable and knowledgeable in the organization and the BIA process (together with an understanding of the BIA outcomes). A knowledgeable BIA facilitator should not only be able to ask the right questions and capture data but should also understand when to go “off the script” to guide discussion and draw indirect information from the SMEs.
Root Cause: Business continuity practitioners do not effectively engage top management throughout the BIA process.
Top management involvement is essential in driving preparedness and program improvement, providing business continuity strategic direction, and sponsoring organizational changes in ways the business continuity team cannot. Without engaging and building top management business continuity awareness, business continuity practitioners may find that top management is disengaged, resulting in lost opportunity and poor business continuity program performance.
Specific to the BIA process, top management has a role in endorsing the BIA scope and the final BIA results. Business continuity practitioners should include leadership representatives, often a Business Continuity Steering Committee, during the BIA scoping process, particularly to confirm:
Once the BIA is complete, practitioners should develop a BIA summary presentation for top management review and approval. Through the summary presentation, top management should be able to understand:
To ensure top management engagement, practitioners should avoid:
Download our free Business Impact Analysis template to get your BIA started quickly! This template is designed to capture all the essential information for a departmental business impact analysis, including:
Avalution recommends, based on industry standards, updating and performing a business impact analysis on an annual basis (more or less frequently, depending on organizational change). Some organizations determine that a semi-annual refresh should be completed. In general, this determination should be made based on the speed at which your organization is changing and evolving. If an organization experiences significant changes often (e.g., the scope of each department, leadership, strategic initiatives, dependency shifts), it may be beneficial to conduct a BIA refresh on a more frequent basis than if an organization remains largely stagnant in terms of departments, activities, risks, and dependencies.
Different individuals and groups are required during different steps of the BIA process. First, the Business Continuity Steering Committee, Program Sponsor, and Program Manager should work collectively to determine the in-scope departments for the business impact analysis. For individual interviews, Avalution recommends having an interviewer and note taker during the BIA data gathering meeting. The interviewer will conduct the interview and the note taker will scribe. This method is a fast and accurate way to complete a department report. Additionally, department leaders and subject matter experts should be present for each interview. Lastly, the BIA and risk assessment summary report should be presented to the Business Continuity Steering Committee (typically, by the Program Manager).
Avalution believes that an interview-based BIA data gathering approach is the most effective engagement technique because the conclusions are more accurate and complete. It is extremely difficult to design a survey that captures the nuances inside and between various departments. Additionally, surveys do not provide the context, depth, or additional information that may be required to accurately analyze the risks faced by a department. You should go and talk to departments.
A department-level business impact analysis report summarizes the activities performed by the department, the estimated impacts associated with downtime, resource and organizational dependencies needed for each activity, and business continuity requirements. Individual department-level reports are used to create an organization-wide Business Impact Analysis and Risk Summary presentation that documents recovery times, organizational risks, and risk mitigation recommendations.
The first step in completing a business impact analysis is scoping. In-scope departments for a business impact analysis should focus on operations that support the delivery of in-scope products and services. We have an entire guide available to get your program started, called the executive support amplifier.
Yes and no. Small programs may find it possible to manage a business continuity program/business impact analysis without software (by small, we’re talking about organizations with fewer than 10 or 15 departments and fewer than 1,000 employees). However, software makes it significantly easier to manage a program and to automate elements of the analytic effort. For larger organizations, software is essential as the automation alone can replace the costs associated with one or more FTEs. For example, software allows a program manager to eliminate the need to manually follow up with department owners or establish a critical path of activities and resources to deliver a specific product or service. Software can also recommend recovery objectives based on automated interdependency analysis. With the time savings, the program manager can focus on stakeholder engagement and improving the organization’s ability to respond and recover. Obviously, we’re partial to Catalyst Business Continuity Software.
The business impact analysis is used to identify time-sensitive activities and resources, the estimated impacts associated with a disruption, and dependencies for activities that relate to an organization’s in-scope products and services. This information is used to determine key risks and response/recovery capability gaps. Additionally, BIA outcomes help determine response and recovery strategies.