A Business Impact Analysis Guide

A solid Business Impact Analysis is the cornerstone of a sound business continuity program. Read on for a concise overview of what the BIA is, why it matters, and how to conduct one.

Related on MHA Consulting: All About BIAs: A Guide to MHA Consulting’s Best BIA Resources

A Business Impact Analysis is, at its heart, a fact-finding mission. A good BIA helps you understand which of your business processes, if they experienced an outage, would cause the greatest monetary and non-monetary damage to the company. Knowing this tells you which processes you should protect and guides you in creating a reality-based business recovery strategy.

Below, you’ll find a guide in FAQ form that tells everything you always wanted to know about BIAs.

What is a Business Impact Analysis?

Here’s our Business Impact Analysis (BIA) definition: A BIA provides you with a clear picture of the criticality of your business operations based on the processes they perform, and helps you identify the dependencies (i.e., the computer systems, vital records, etc.) that must be in place for those processes to run. In essence, it serves as the foundation of any good continuity strategy. Once you understand which business processes are most critical to the livelihood of your company, you can then use this information to build an effective strategy that addresses only those areas that need to be recovered and the designated time frame in which to recover them.

Contrary to popular belief, the BIA is not intended to be scenario-specific. Tornadoes, city wide power outages, or computer viruses—the reason for disruption simply doesn’t matter. The point is to identify your company’s most critical processes and be prepared for continuity in those areas no matter what comes down the pike.

Who performs a Business Impact Analysis?

The answer to this question varies. In some cases, the company’s business continuity manager oversees the effort with the help of a few team members. In the absence of a business continuity manager, someone in IT or a related group might be appointed to the task. The ideal approach is for an experienced continuity practitioner to perform the analysis. Such professionals are more likely to understand how various business functions might impact the bigger picture, increasing the chances that the results of the BIA accurately represent the company.

Often, a third-party consulting firm is brought in to do the job (even if there is a business continuity manager on staff). A good consultant will have an objective point of view, extensive experience in conducting BIAs, and a thorough knowledge of best practices and standards, thus ensuring that the resulting analysis will be valid.

What’s involved in the BIA process?

BIAs are performed at the business unit level. Even at large organizations, it can be best to start with a fairly small number of units, such as between five to 10. Rather than trying to bail the ocean, it’s best to focus on the most mission-critical areas first.

Here’s a quick overview of the BIA process:

1. Identify which units will participate.
2. Configure the BIA setup, i.e., decide on such details as which impact categories, recovery time objectives (RTOs) and recovery point objectives (RPOs) will be used and the weighting of each category based on its importance to the company.
3. Conduct the prework with the in-scope business units (i.e., gather BIA questionnaire data and information to prepare for the BIA interview)
4. Perform the BIA interview with representatives of the in-scope business units.
5. Analyze and validate the BIA data. 
6. Produce the BIA report and present it to management.
7. Obtain management signoff of the BIA results.

The BIA process is designed to determine the dollar and non-dollar impact a disruption would have on each business unit (e.g., the call center, accounting) and its processes. Impacts should be projected over various periods of time, such as four hours, 24 hours, 48 hours, five days, greater than five days, and so on.

To estimate the dollar impact for each process, questions might include:

• What would the loss of revenue be?
• Would penalties and/or fines be incurred?
• Would there be increased operating costs?

Answers might be on a scale of one to five, with one being zero to $1 million and five representing a catastrophic amount.

In recent years, organizations have become increasingly concerned about the non-dollar impacts of outages. Non-dollar impacts for each process can be evaluated with questions such as:

• How would an outage impact our reputation and image?
• What would the impact to customer service be?
• How about the impact to operations?

Again, answers could be on a scale of one to five, with one being no impact and five being catastrophic.

In addition to assessing dollar and non-dollar impacts, don’t forget to identify and collect the following key information for each process in your questionnaire:

• Legal and regulatory requirements
• Service level expectations
• Dependent computer systems/applications
• Specialized equipment needs
• Internal and external dependencies
• Vital records

The prework is important. But in our experience, it is during the interview with key personnel that quality information begins to emerge. The best people to talk to in such interviews are employees who know the ins and outs of each process (rather than higher-level managers). Reviewing prework questionnaires with staff who do the job daily is the best way to obtain a full, detailed picture of a unit’s processes and system dependencies. This leads to a more accurate assessment of their criticality.

Ultimately, information gleaned from the questionnaire and interviews will allow you to assess the cumulative dollar and non-dollar impacts for each business unit over time. This lets you come to a realistic understanding of the relative criticality of the departments and their processes and dependencies.

Are there standards I can refer to when conducting a BIA?

Yes, there are—plenty, in fact! Business continuity standards providing guidance on conducting BIAs include International Organization for Standardization (ISO) 22301 and National Fire Protection Act 1600 (which is free and, we think, one of the best). Another top standard is the Federal Financial Institutions Examination Council’s (FFIEC) BCP standard, which is very rigorous and intended for use by financial institutions. All of these standards cover BIAs a bit differently, but the same key components are present in each, namely, how to cover the financial impact and non-financial impact of potential disruptions and identify resources and dependencies.

How long should the BIA process take?

Conducting a BIA for multiple business units varies depending on the number being evaluated. Doing a BIA for 15 to 20 business units might take anywhere from 45 to 60 days from pre-work to final presentation. 

In terms of the amount of time representatives of the various business units need to spend working on a BIA, anticipate around two to three hours. This typically include 45 minutes for the prework, one and half to two hours for the interview, and around 15 minutes for data validation. 

What should the results of a BIA look like?

Done properly, a BIA should show a limited number of units as critical to the livelihood of your business. If every business unit shows up as being equally critical to operations, it’s a sign that something’s gone awry.

Going into a BIA, you may have some sense as to how it will develop based on your industry. Most of us would assume that a hospital, for instance, has many critical processes involved in patient care, and a BIA will bear that out. In contrast, a construction firm might have several business units that are considered less critical for survival and which could go without recovery for three to five days before causing a significant impact.

What are the challenges of conducting BIAs?

In our experience, the top three challenges to successfully conducting a BIA are:

1. People who don’t take the BIA process seriously. If you or the people on your team are not truly invested in devoting time and resources to business continuity, or you simply don’t see the value in doing this foundational research step, then your BIA efforts are not likely to be accurate or objective. 
2. A lack of deep knowledge about the business. To combat this, it’s important to devote time to the BIA prep work and to make sure the right people are in the room when it’s time for one-on-one interviews. 
3. Management is not supportive. Many business executives are reluctant to engage fully with the BIA process. Senior leaders often assume they already know which processes are critical, or they might insist that all their processes are critical. Such attitudes can keep the BIA team from doing its job. It can also be difficult to get top managers to sign off on the BIA results. This makes it harder to win the cooperation of the business units.

What happens after the BIA?

The BIA is part of a larger process whose overall goal is to protect the organization and its stakeholders by making it less vulnerable to disruptions. After the BIA is complete, the next step is to devise recovery strategies, solutions, and plans for the critical business units and processes. Doing this typically involves activities such as contracting with third parties to ensure access to alternative resources in an emergency and finding a place where the employees can continue to work should location-specific services go down. 

 Want more information on what happens after your BIA?
Learn how to structure your BIA to ensure confidence in your findings – along with the evidence and explanations to back them up – to meet the challenge of getting that all-important management buy-in.

How often should a BIA be done?

The recommended interval for updating the BIA is every two years. For some businesses it might be longer (provided things don’t change much). For others it should be shorter (banks are required to do one every year). The BIA is a point-in-time analysis. Every organization and environment changes over time. BIAs need to be updated to make sure that the critical business processes continue to be protected as the company evolves.

Do a Business Impact Analysis the Easy Way

You work hard to make your business a success—shouldn’t that include protecting your most critical assets? A BIA is the first step to ensuring that your business will continue to thrive in the event of disruptive external factors beyond your control.

We’d like to help you take this first step. The BCMMETRICS BIA On-Demand (BIAOD) tool makes it easy for you to pinpoint the most critical units of your business. Running in a secure portal, the tool walks you through a full evaluation of your business processes, including dollar and non-dollar impact as well as recovery time objectives. In the end, it automatically calculates the level of criticality of each unit you’ve chosen to evaluate and produces a detailed report of the results.

Visit our website to schedule a demo of how the BIA On-Demand tool works or to get in touch with questions. If you’re struggling with a BIA currently or want guidance through the process, we’re here to help.

Further Reading

• All About BIAs: A Guide to MHA Consulting’s Best BIA Resources
• Lessons from Troubled BIAs: Learning from Other Companies’ Mistakes
• Skip the BIA: Four Cases Where a Formal BIA Is Optional
• After the BIA: Save Time and Money by Fine-Tuning Your Application RTOs
• BIA Blunders: 6 Common Mistakes Organizations Make When Conducting BIAs
• Like Lambs to the Slaughter: When BIA Beginners Present to Management
• The Big Decision: Choosing What Software to Use for Your BIAs