Business Impact Analysis Template

Date of BIA:
Service / Department:
Version:
Date of review:

Distributed to:

| Name | Job Title | Organisation |
|---|---|---|
| | | |

Impact criteria

High
- Core Service disruption: Serious and sustained loss of core service. Major impact on client / customer service.
- Reputation: Reputational damage having significant impact on future work. Prolonged national media coverage. Impact on organisation.
- Legal / Regulatory: Serious and sustained breach of legislation or contracts. Criminal prosecution or substantial fines imposed. Potential for full public inquiry. Major long-term consequences.
- Health: Substantial and sustained impact on health. Multiple fatalities or serious injuries. Emotional injuries and long term illness.

Medium
- Core Service disruption: Serious disruption to department core service. Repeated failures to meet service level agreements. Noticeable loss of performance and significant impact on client / customer service. Disruption affecting multiple stakeholders. Significant long-term consequences.
- Reputation: Loss of credibility and confidence in service / organisation. National press interest.
- Legal / Regulatory: Formal approach from regulatory authorities. Significant breach of service level agreements. Serious or sustained breach of internal policies. Potential for class action or criminal prosecution.
- Health: Significant and sustained impact on health. More than three-day absence. Semi-permanent injury / emotional trauma. Potential for one or more fatalities.

Low
- Core Service disruption: Negligible service disruption. No impact on client / customer service.
- Reputation: Reputation damage affecting staff only. Impact absorbed by department staff and no long-term consequences. Potential for local press interest.
- Legal / Regulatory: Minor breach resolved internally without referral to regulatory authorities. Escalation within line management with isolated complaints. Potential for civil action.
- Health: Minor incident. Some minor injuries or illnesses as a direct result of operations.
Business Impact Analysis

| # | Key services | Areas of impact (A-D see below) | Impact over time: Up to 1 day | Impact over time: 3-5 days | Impact over time: 1-2 weeks | Impact over time: 3-4 weeks + | Recovery Time Objective (RTO) | Minimum service level | Maximum Acceptable Outage (MAO) |
|---|---|---|---|---|---|---|---|---|---|
| | e.g. Admin | A&B | Low | Low | Medium | High | 1-2 weeks | Must monitor email inbox and have a member of staff answering and prioritising phone calls. | 1-2 weeks |
| 1 | | | | | | | | | |
| 2 | | | | | | | | | |
| 3 | | | | | | | | | |
| 4 | | | | | | | | | |
| 5 | | | | | | | | | |
| 6 | | | | | | | | | |
| 7 | | | | | | | | | |
| 8 | | | | | | | | | |
| 9 | | | | | | | | | |
| 10 | | | | | | | | | |

Areas of impact:
A - Core service disruption
B - Reputation
C - Legal / Regulatory
D - Health

Determining the Recovery Time Objective and Maximum Acceptable Outage timescales

A simple rule of thumb to derive the recovery time objective is to use the timescale after the second “Medium” or before the first “High”. The maximum acceptable outage should be at least one timescale after the recovery time objective to allow sufficient time to recover. The only exception to this rule is if the process or activity is classed as “all or nothing”.

Resource Requirements

Note: This table should be completed for each location your service or business operates from.

Location:

Requirement over time

| Resource Type | Business as usual | Up to 1 day | 3-5 days | 1-2 weeks | 3-4 weeks + | What strategy or contingency arrangements are in place to manage the loss of this resource? |
|---|---|---|---|---|---|---|
| Staff | E.g. 30 | 7 | 15 | 25 | 30 | E.g. agreement with temp agency to supply staff within 24 hours |
| Workstations (desk, PC & telephone) | E.g. 30 | 0 | 5 | 10 | 10 | E.g. all remaining staff to work from home |
| Remote working capability | E.g. 20 | 20 | 20 | 20 | 20 | |
| Specialist IT applications (please specify) | | | | | | |
| Specialist equipment (please specify) | | | | | | |
| Internet access | | | | | | |
| Laptops | | | | | | |
| Mobile Phones | | | | | | |
| Fax Machine / Printer | | | | | | |
| Work Vehicles | | | | | | |

| # | Who do you depend on | Who depends on you |
|---|---|---|
| 1 | | |
| 2 | | |
| 3 | | |
| 4 | | |
| 5 | | |
| 6 | | |
| 7 | | |
| 8 | | |
| 9 | | |
| 10 | | |