Business Impact Analysis Example: A Sample Assessment In BCMMETRICS

If you’ve been reading our blog for long, you know how much stock we place in the Business Impact Analysis (BIA). It’s the fact-finding mission at the heart of your business continuity program and the foundation of your recovery strategies. If it’s not done right, the plans you’ve made and the processes you’ve set are all built on faulty assumptions—and as a result, the safety net you thought you had may be full of holes.

At MHA we’ve done well over a thousand BIAs for companies of all sizes. We have the process down to a science, and we’ve put our methodology into an online tool you can use on your own, called BIA On-Demand (BIA^OD). An example of our business impact analysis tool is shown below.

With our tool, you can be completely confident that your BIA is an accurate assessment of your company’s most critical processes. It walks you through the very same process we use, and asks all the same questions we ask. All you need is a computer, an internet connection, and a facilitator to oversee the process and interact with key staff members.

Take a look at this BIA^OD business impact analysis sample, then sign up to see it in action.

BIA^OD Online: A Business Impact Analysis Example

Note: After you sign up for BIA^OD, we’ll give you login credentials you can use. Along with the product, we offer eight hours of consulting time, which can be used at any point, for help with using the tool and for advice on conducting your BIA.

Are you confident in your ability to craft a solid recovery plan based on your BIA? Download this free guide to writing plans that will assure your company’s survival.

The BIA tool has three main sections: ADMINISTRATION, ASSESS, and REPORTS.

ADMINISTRATION

The Administration section establishes parameters that will be used across the organization. The information must be established and approved by management in order to set up the tool.

This phase accomplishes the following:

• You’ll establish both dollar and non-dollar impact categories and the ranking of these impact categories.
• You’ll determine the scales that will be used to measure these impacts, as well as the RTO and RPO categories that will be used. These measurement categories provide consistent criteria that will be used throughout the BIA scoring process.
• You’ll start to prepare for BIA interviews at the business unit level by sending out questionnaires to participants ahead of time to gather basic information about the department.

Here are the specifics of what’s involved in the Administration portion of the BIA^OD tool:

1. Setup Division Categories

Setup Division Categories has four parts to complete.

1. Impact Categories—Here you’ll set the criteria that define the impact of all loss categories by asking management about the types of impact they are most concerned with. Answers should be both quantitative (loss of revenue, regulatory fines, etc.) and qualitative (damage to reputation, impact to customer service, etc.), and weighted based on the significance of each impact on the organization. (Later these weightings will be used behind the scenes as a multiplier, with scores that will be assigned during the assessment phase.) In the end, the weightings will dictate the criticality of business units/processes based on their disruptive impacts to the organization. Weightings will vary by company and industry; for example, losses that a financial institution weights high could be weighted very differently for a hospital.

2. Impact Category Ranges—Here you’ll set the parameters for impact categories. For impacts labeled “marginal,” for example, what does that label mean to your company in terms of dollar amount? Amounts will vary depending on the size of your company. For instance, an impact amount of $500,000 might be critical to a small company, but to a large one, it could be $5 million. Impact category ranges are key to the validity of your BIA, so have management sign off on these amounts before proceeding past this stage. These ranges of impact should mirror the CFO’s financial pain points.

3. Recovery Time Objective (RTO) Categories—Recovery time objective refers to the time in which a business process must be restored following a disruption. As part of the BIA you’ll need to designate RTO categories that will later be applied to your company processes to determine the criticality of each one. (As in, what would the impact to revenue be if a particular process was unavailable for 4 hours? 24 hours? etc.) Time categories vary by company—for some companies the shortest recovery time frame might be 24 hours, for example—but typical RTOs are:
   • RTO 0—24 hours or less
   • RTO 1—48 hours or less
   • RTO 2—5 days or less
   • RTO 3—Greater than 5 days

4. Recovery Point Objective (RPO) Categories—RPO refers to data loss. RPOs define the maximum acceptable data loss that a business process can tolerate before the process is critically impacted. These parameters will also be applied to each process to evaluate criticality. Three time frames are usually standard here, but they may vary from company to company:
   • RPO 0—no data loss
   • RPO 1—less than 4 hours data loss
   • RPO 2—24 hours data loss

2. Department & User Access

Here you’ll set up the divisions and departments that will be in scope for the BIA. (Remember that not every business unit is necessarily evaluated as part of a BIA.)

To help things along, it’s a good idea to send a set of basic questions to each interviewee before the interview—what we call “pre-work.” It cuts down on time if people provide some basic information about their departments and processes and have thought through some other things, including:

• All critical departmental business processes
• Current recovery time objectives (if available)
• Recovery point objectives (if available)
• Supporting computer systems and applications (the systems and applications they rely on for daily work)
• Specialized equipment (like a special printer, postal meter, bank token, etc.)
• Internal and external dependences
• Vital records
• Legal and regulatory requirements
• Manual workarounds

You can email a pre-work questionnaire to interviewees directly from the tool, and interviewees can complete and submit the information directly into the Assessment forms.

ASSESS

The Assess tab is where you conduct the evaluation of business units and their processes, and it is typically completed during BIA interviews. Some of the fields may be pre-filled if the information has already been supplied as part of the pre-work.

3. Setup

The Setup section ensures that all baseline information and evaluation parameters related to the department are in place, including:

• A Department Overview that covers general information about each department. It also asks simple questions about potential changes in the next 12 months, for instance: Is a reorganization taking place? Are you getting new computer systems or applications? Are you introducing the product into a new market? Will any new regulations soon be coming into effect?
• Strategic Business Unit. This section allows you to specify if this business unit is part of a bigger strategic business function such as Small Business Sales, etc.
• Markets. This section allows you to specify if this business unit is part of a specific market (southwest, northwest, etc.).

4. Common Information

Common Information covers all basic departmental information that applies across all the department’s processes, including:

• Office Name. Note here if the department has multiple building locations.
• Interviewees, including their names and contact information.
• Process Detail includes information about regulatory and legal requirements, service level expectations, and staff.

5. Processes

Now you’re ready to create new processes or revise any existing processes in the tool as needed. (If you sent a pre-work questionnaire as described above, processes and associated information will already be loaded into the tool.)

After entering some general information about the process, you can begin measuring the impact of a disruption. This section has four parts to complete.

1. Impacts—Here you’ll start scoring the impact of a disruption on each of the unit’s critical processes. For example, if a process cannot be performed in 4 hours or less, what’s going to be the impact to your company in terms of loss of revenue? Interviewees will use the parameters created early on in the BIA process to evaluate and assign scores and justify their answers. Score all impact categories across all time frames in both the quantitative and qualitative categories. Based on the impacts entered, the tool will calculate the RTO based on where the first significant impact occurs over time. The tool will display the calculated RTO.

2. Systems—Interviewees will identify the computer systems, applications, and specialized equipment they use to carry out their processes, whether it’s a payroll system, HR software, a claims payment system, etc. (It’s important to note that you should always have an IT representative in the room who knows about system interdependencies that other employees may not be aware of.) Then ask interviewees to evaluate their levels of reliance on those systems (high, medium, or low) and fill in the RPO; is there a tolerance for data loss here? You’ll also make note of existing workarounds and whether or not they are documented.

3. Dependencies—Ask your interviewees about external and internal dependencies, including vendor names, products or services they provide, the department’s level of reliance on them, and whether or not workarounds exist. All of that information is captured here.

REPORTS

Once the information in the first two sections of the tool has been filled out, it’s time to analyze it all with some insightful business impact analysis reports.

BIA^OD allows you to generate and share a variety of reports, including reports displaying information by company, by division, and by department.

Company-wide reports are often analyzed and shared in a BIA report that summarizes the results for management. Some of your options for company-wide reports are:

• Lists of all company business processes and corresponding RTOs by division.
• RTO business unit process reports that list all company processes by RTO, then by division within RTO.
• Lists of all company systems/applications by RTO.

The tool can also generate charts for use in Management Reports, including:

• Processes by RTO
• Internally-hosted systems and apps by RTO
• Externally-hosted (third party) systems and apps by RTO
• Systems and apps by RPO
• Internal/external dependencies by RTO

Sometimes you want to narrow down your reports by division or department. The tool allows you to easily create a wide variety of both types of reports, including:

• Business unit process RTO reports that list all company business processes and corresponding RTOs by division.
• RTO dependencies reports that list all company processes and their dependencies by RTO, then by division and department within RTO.

Department reports include:

• Department snapshot reports, which generate a summary department report, organized by process/RTO, with corresponding systems/applications, third parties, and RPOs.
• Department detail reports, which generate a complete version of the finished BIA questionnaire.
• Business continuity management reports, which generate a business recovery plan for the selected department.

Interested in seeing BIA^OD in action?

I encourage you to schedule a free demo of the BIA^OD tool to get a more in-depth look at its functionality and to ask any questions you have about it—just choose a time that works for you.

BCMMetrics™ tools have helped hundreds of companies successfully perform BIAs on their own, as well as evaluate their levels of standards compliance and residual risk.

Take a look at our website for a complete description of all our business continuity software, and get started on improving your program today!