Guide to Business Impact Analysis

Chris Vilim, President
February 28, 2013
www.CoreTech.us
Contents
Business Impact Analysis Defined
Conducting a BIA for Small to Midsize Businesses (SMB)
10 Steps to Carry Out a BIA
Appendix: Business Impact Analysis Worksheet
© 2013 CoreTech, All Rights Reserved
February 25, 2013
Business Impact Analysis Defined
A business impact analysis (BIA) is the cornerstone of a disaster recovery (DR) strategy and plan. A BIA will identify the processes, systems and functions that are critical to the survival of your company. Understanding these elements allows you to allocate resources wisely to ensure operations continue even when unexpected events disrupt normal business operations.

The main focus of a disaster recovery (DR) plan is the technology, while a business impact analysis (BIA) focuses on the business processes and the people who perform the processes. A BIA defines the priorities of each business function and how soon they are required, what dependencies they may have, as well as required staff levels. The BIA also defines what timeframes are required for personnel, data, etc.

Some departments may have different priorities within their own functions. The business impact analysis helps define the business process recovery, interaction between departments, dependencies of departments, and required staff levels to perform these functions. Often when compiling a business impact analysis, the first reaction is "everything is priority 1"; then, as the processes get defined, the BIA gets broken down into a manageable and more accurate list. Also keep in mind that it is important to periodically review your BIA to determine if it accurately reflects your current business focus.
Conducting a BIA for Small to Midsize Businesses (SMB)

Conducting a business impact analysis (BIA) is often viewed as an exercise that is exclusive to enterprise-class organizations with seemingly limitless funds for consulting services. Large consulting firms often spend months mapping every business process and interviewing numerous business unit representatives to come up with sophisticated financial loss projection charts.

These projects are time-consuming and costly because of the complexity of large companies, which rely on dozens of core functions and sometimes hundreds of support functions. SMBs have the same requirements, albeit on a smaller scale; they must stay in business.

The recommended process to be followed for SMBs has five elements:
1. Identify core business functions
The first thing you need to do is identify the core business functions; these are the functions that have the most impact on the revenue stream. You can then create a list of support functions for those core functions. This is a business process mapping exercise that is essential to gaining an understanding of how the business actually works. At this point in the process, you must resist the temptation of downplaying the criticality of a function because you already have a workaround in mind should that particular function be interrupted. This is jumping ahead into "solution mode", which comes later in the business continuity planning process as part of the recovery strategy.
2. Timing and Duration
Identify point(s) in time when interruption would have greater impact (e.g., season, end of month/quarter, etc.).
Identify the duration of the interruption after which operational or financial impacts will occur (minutes, hours, days, week, month, etc.).
3. Operational Impacts
Identify likely operational impacts resulting from interruption (lost sales, increased expenses, etc.).
4. Financial Impact
This is where most BIA efforts appear to stall for smaller organizations, because it is sometimes difficult to clearly establish financial losses in the event of an unplanned interruption or disaster. For most companies, a single business function is rarely responsible for generating the entire revenue stream. This is where your accounting people can help by putting some revenue and cost perspective around business activity.
5. IT Dependencies
This is where you map your IT infrastructure to the business functions it supports. Understanding the relationship between a business function, the software application necessary to keep that function running, and the IT systems and components that support the application will allow you to set recovery objectives for IT. These objectives are known as recovery time objective (RTO) and recovery point objective (RPO), and are set based on the maximum tolerable losses resulting from an unplanned interruption or disaster. These objectives also dictate the type of IT technology that must be deployed to ensure the availability or recoverability of systems within the established timeframe.
6. Risk and Probability of Occurrence
Of course, when discussing the potential impact of an interruption on a business, the next logical question is: "What is the probability of an interruption actually striking?" Once the probability is known, the next question is: "What is the risk to our business of the occurrence, regardless of probability?"
The objective is to identify those functions that, if interrupted, could devastate the business, regardless of how improbable; for these, some planning to avoid and/or recover from an interruption or disaster makes sense. Conversely, identify those probable interruptions that are merely a 'nuisance', requiring minimal planning for avoidance and recovery.
10 Steps to Carry Out a BIA
To start, you need to understand the business operations of your company in detail. Here is a simple step-by-step approach that will put you on your way to conducting a successful business impact analysis:
1. Hold a kickoff meeting with the people responsible for the core business processes and introduce the program goals, timelines and deliverables.
2. Collect data. Create a business impact analysis questionnaire, which you will distribute at the meeting to all managers. Instruct each manager on how to complete the document. Make it clear that you will be following up with each manager on an individual basis to review the document. Appendix A includes a model BIA Worksheet.
Often it is useful to include an incident description for interviewees to use when answering the questions. An example of such a situation is:
• The business unit's portion of the building is completely destroyed;
• All records, data files, technology, supplies, and other support systems are lost;
• Some key personnel may not be available;
• Primary business processes will be affected immediately and for at least 30 days;
• The disaster occurs during a peak processing period for the business unit.
Incident descriptions help frame the interviewee's response so it will be in alignment with specific risks and threats.
Ultimately, the BIA's purpose is to identify, prioritize and document the relative importance of various business processes conducted by business units.
3. Document the gross revenue and net profit your organization generates per year. This can be done at the appropriate business unit levels as well. The data sets the upper limit for business losses related to the business operation. Include this in your presentations to drive home the importance of the program.
4. Meet with each manager and review the data collected. If needed, block off a couple of hours to help complete and refine the document with the manager.
5. Merge all the data into a spreadsheet or database for easy data analysis and reporting capability.
6. Schedule and conduct a "BIA review and prioritization meeting" with all managers participating in the program. Look for gaps not mentioned by the departments, especially between departments. Prioritize each process based on impact to the business, both direct and indirect, as the process may be a critical dependency for another process. High, medium and low can be used as measures.
7. During the prioritization discussion you will need to document a recovery time objective (RTO) for each process. The recovery time objective (RTO) is the duration of time and a service level within which a business process must be restored after a disaster (or disruption) in order to avoid unacceptable consequences associated with a break in business continuity.
8. Create groups or bands of process RTOs. Start with the shortest allowable RTO first and then define the upper limits, not to exceed 24 hours. These items constitute the Tier 0 RTOs. The next band of RTOs is the Tier 1 group; this group generally extends from 24 to 48 hours. Recovery point objectives (RPOs) are different, as they deal more with data recovery and are used more in a "data protection strategy" context. They are also usually measured in minutes to hours, as in the case of a production database, which may have an RPO of 20 minutes between scheduled replications.
9. Lastly, convene a summary meeting to present the results of the program to senior management, managers and others core to the processes. You will want to present the business processes in order of RTO and importance, along with the other process details collected during the program. Issue a final report to meeting attendees to reinforce the learning and memory of the participants. Make the report available in hard copy to use in the event of an actual outage to help prioritize actions to resume operations.
The business impact analysis report ideally provides a foundation for the business continuity plan that should follow this exercise. It can also provide an important input to risk management programs that may follow, now that you have insights into where business risk lives.
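Steps 6 through 9 above amount to a small data-processing routine: tighten each RTO so a supporting process never recovers later than the processes that depend on it, band the result into the Tier 0 / Tier 1 groups of step 8, and order the list for the summary report. The Python below is an added illustration of that routine, not code from the guide or from CoreTech; the worksheet rows, the Process fields and the "Tier 2+" label for RTOs beyond 48 hours are assumptions made for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Process:
    # One row of the BIA worksheet; fields follow the Appendix columns.
    name: str
    rto_hours: float            # recovery time objective agreed in the review meeting
    rpo_minutes: float          # recovery point objective (tolerable data loss)
    impact: str                 # "high", "medium" or "low" (step 6 rating)
    probability: str            # "low", "medium" or "high" (worksheet scale)
    risk: str                   # "acceptable" or "unacceptable"
    depends_on: list = field(default_factory=list)  # names of supporting processes

def rto_tier(rto_hours):
    """Band an RTO as in step 8: Tier 0 up to 24 h, Tier 1 from 24 to 48 h."""
    if rto_hours <= 24:
        return "Tier 0"
    if rto_hours <= 48:
        return "Tier 1"
    return "Tier 2+"   # assumption: the guide defines no band beyond 48 h

def effective_rtos(processes):
    """Tighten RTOs so a supporting process never recovers later than the
    processes that depend on it (the indirect impact called out in step 6)."""
    eff = {p.name: p.rto_hours for p in processes}
    changed = True
    while changed:                    # repeat until no RTO moves (handles chains)
        changed = False
        for p in processes:
            for dep in p.depends_on:
                if eff[dep] > eff[p.name]:
                    eff[dep] = eff[p.name]
                    changed = True
    return eff

def prioritized(processes):
    """Order processes by effective RTO, then impact, for the summary report (step 9)."""
    eff = effective_rtos(processes)
    rank = {"high": 0, "medium": 1, "low": 2}
    rows = sorted(processes, key=lambda p: (eff[p.name], rank[p.impact]))
    return [(p.name, p.rto_hours, eff[p.name], rto_tier(eff[p.name]), p.risk) for p in rows]

# Constructed sample worksheet rows (not from the guide).
SAMPLE = [
    Process("Order entry", 4, 15, "high", "medium", "unacceptable", ["CRM database", "Email"]),
    Process("CRM database", 36, 20, "high", "low", "unacceptable"),
    Process("Email", 48, 240, "medium", "medium", "acceptable"),
    Process("Internal newsletter", 168, 1440, "low", "high", "acceptable"),
]
```

Run `prioritized(SAMPLE)` to see that the CRM database and Email, stated at Tier 1 on their own worksheets, move to Tier 0 because Order entry depends on them.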
CoreTech, as your trusted partner, is available to help with your BIA:
• We can conduct BIA and BC/DR planning for you
• We can assist you with your conduct of these activities
• We can, based on BIA data, develop specific BC/DR recommendations that meet your business needs cost-effectively
Appendix: Business Impact Analysis Worksheet

Worksheet columns: Department | Function | Process | Operational and Financial Impacts (Timing / Duration; Operational Impacts; Financial Impact) | IT Dependencies | Risk / Probability of Occurrence

Considerations (customize for your business):

Timing: point in time when interruption would have greater impact (season, end of month, payroll, etc.)
Duration: how long before an impact occurs: < 1 hour; > 1 hour but < 8 hours; > 8 hours but < 24 hours; > 1 week; > 1 month
Operational Impacts: Lost Sales / Income, Negative Cash Flow, Increased Expenses, Regulatory Fines, Contractual Penalties, Customer Dissatisfaction / Defection
Financial Impact: quantify operational impacts in financial terms
IT Dependencies: What system does the function use? Where do the systems reside (on-premise, cloud, etc.)? How is the function accessed?
Probability: Low (unlikely to ever happen; has never happened before); Medium (has happened / likely to again); High (often happens)
Risk: Acceptable (interruption tolerable, within bounds); Unacceptable (no interruption tolerable)