Why Bother With A Business Impact Analysis?
Before jumping on the bandwagon because someone just heard about business impact analysis,
you need to understand what it means, how to develop the analysis process, how to gather the
data and confirm the responses, what it can do for the business, and its relationship to business
continuity. If anyone believes BIA is fast and furious, it is “time to wake up.” Having been in
the “disaster recovery”, now business continuity, business for 30 plus years, I have learned that
oversimplification of business continuity is common and that rushing into things ends up costing
more than the value possibly gained. The business impact analysis (BIA) is one of the best
investments a business can make if it is developing or has a business or disaster recovery
plan. After all, how can you protect and recover something if you don’t know what you have,
where it is in the business process and how much it is worth?
Businesses approach business impact analysis (BIA) in a number of ways. One of the
most common methods is to ignore it and build contingency and recovery plans without the
advantage of accurate information; others choose to spend considerable effort but achieve only
marginal results. The intent here is to give guidance and insight into the focus areas of BIA to
reach a comprehensive understanding of the business function(s) in the scope of the business
continuity management program. As with the other component analyses conducted in a
business continuity project, having a professional and skilled business continuity analyst
or consultant manage the project is critical to the final results. Business impact analysis, as
with all stages and steps in business continuity management, must be a repeatable process,
conducted as the business changes or as technology may impact the ability to survive a serious
interruption or disaster.
What is Business Impact Analysis?
Definition:
Business impact analysis is the process of examining the components of the business to learn the
value and relationships necessary to keep the business operating and productive.
Business impact analysis results in the differentiation between critical (urgent) and non-critical
(non-urgent) organization functions/activities. A function may be considered critical if the
implications of damage to the organization are regarded as unacceptable. This damage may be
financial or reputational. Perceptions of the acceptability of disruption may be modified by the
cost of establishing and maintaining appropriate business or technical recovery solutions. A
function may also be considered critical if it is dictated by law or is a vital link in the operational
flow of the business. For each critical (in scope) function, two values are then assigned:

Recovery Point Objective (RPO) – the acceptable latency of data that will be recovered
Recovery Time Objective (RTO) – the acceptable amount of time to restore the function
Copyright 2012 William A. Million
All rights reserved
The recovery point objective must ensure that the maximum tolerable data loss for each activity
is not exceeded. The Recovery Time Objective must ensure that the Maximum Tolerable Period
of Disruption (MTPD) or Maximum Acceptable Down-Time (MADT) for each activity is not
exceeded.

Next, the impact analysis results in the recovery requirements for each critical function.
Recovery requirements consist of the following information:
• The business requirements for recovery of the critical function
• The technical requirements for recovery of the critical function
• The ability of the business function(s) to operate for a period without information
systems availability or supply chain availability
Understanding Business Impact Analysis
Business impact analysis plays a fundamental part in developing an organization’s business and
disaster recovery plans, and is essential to the establishment of the Business Continuity
Management program. Executive management who understand the requirements of their
business are able to balance risk with the cost of prevention, mitigation, and contingency
solutions. Through the exploration of the components and relationships within the business it
becomes possible to identify the potential financial risk specific to those areas of the business
and the business in general. Conducting and completing a corporate business impact
analysis tends to be impeded by top executives who oppose the research as being unnecessary or
too costly for the organization’s makeup. Corporate spending in this area is often held back, or too
much is spent in the wrong places, because of the perceived uncertainty about the severity of the
impact posed by security threats and budget factors. Skepticism about potential consequences
usually fades once the green light is on to complete a BIA and the preliminary results are shown.
When coupled with the business continuity management program, an effective BIA should be able
to identify costs linked to failures, including loss of cash flow, replacement of equipment, salaries
paid during an interruption and those paid to catch up with backlogged work, loss of profits,
impact to business image, and other qualitative and quantitative concerns.
A BIA should identify costs linked to failures, such as loss of cash flow, replacement of
equipment, salaries paid to catch up with a backlog of work, loss of profits, and more. A BIA
report quantifies the importance of business components and suggests appropriate fund
allocation for measures to protect them. The possibilities of failures are likely to be assessed in
terms of their impacts on safety, finances, marketing, legal compliance, and quality assurance.
Where possible, impact is expressed monetarily for purposes of comparison. For example, a
business may spend three times as much on marketing in the wake of a disaster to rebuild
customer confidence.
BIA Objectives
The first need before starting this process is to assure that senior management is fully committed
to the project. If they understand that there is a return on investment, they should have no trouble
announcing their support for the business continuity management program through creation and
implementation of corporate level policy and letters to managers and employees.
An assumption behind BIA is that all parts of a business are dependent on some other part of
the business or an entity outside the business. Those dependencies may have such strong ties
that a small break in the chain will cause a cascade effect, stopping a critical process or closing
the business for some period of time. Being aware of interdependencies and of potential regulatory,
marketing, safety, product or service quality, and specific financial implications helps to make the
disaster recovery plan and program stronger. Interruption or loss to the business may be
expressed monetarily for purposes of comparison and action focus.
BIA should accomplish at least four points:
1. Determine the financial value of each organization as it relates to the total business.
2. Determine the relationship of each organization to the total business.
3. Provide a basis for identifying the critical resources required by the business.
4. Establish the recovery order of the critical business functions as related to the total
business.
Each of the noted points is found in each step when building the BIA project. Therefore,
measuring the business must include vulnerabilities, financial impact, operational impact, and
technology requirements in order to map the business properly. This final mapping will set the
Recovery Time Objectives (RTO), Recovery Point Objective (RPO), Minimal Acceptable
Configurations (MARC) and Maximum Acceptable Down-Time (MADT).
The BIA may run concurrently with the hazard and threat analysis although the most important
concept will be the integration of findings when setting strategy. The amount of time and
resources necessary to complete the BIA will depend on the size and complexity of the
institution. All business functions and departments should be included in this process, not just
information technology.
The BIA phase in business continuity planning is conducted to identify the potential impact of
uncontrolled, non-specific events on the business process. It should also determine what and
how much is at risk by identifying critical business functions and placing them in the dependent
working order of the business process. The responses should estimate the maximum allowable
downtime for critical business processes, recovery point objectives, backlogged transactions, and
all costs associated with downtime. Management must also establish recovery priorities for
business processes that identify essential personnel, technologies, facilities, communication
systems, vital records, and data. The BIA considers the impact of legal and regulatory
requirements such as privacy and availability of customer data and required notifications to the
regulators and customers when the process is interrupted or relocated.
Staff assigned to develop, conduct, analyze and report findings should apply uniform
interview questions that can be used on an enterprise-wide basis. Uniformity will improve the
consistency of responses and help the project compare and evaluate business process
requirements. The BIA project may initially prioritize business processes based on their reported
place in the business flow to the business’s strategic goals and support of safe and sound
practices. Prioritization should be revisited as the processes are compared to various interruption
and disaster scenarios so a workable business continuity plan(s) can be developed.
During the interview and questionnaire process, terminology such as prioritization, critical or
non-critical should be avoided. Few business units or staff would consider
themselves last in priority or non-critical. Instead, ask “Where are you in the business flow?”,
“Who do you support?” and “Who supports you?” as the means to identify the order in which
recovery will take place.
Is there a BIA Methodology?
There are many options available to executives when setting the strategy and process for a BIA,
since each organization must make a number of decisions and choices that depend on its
particular situation. A large to very large business usually finds it difficult and costly to
perform a full depth and breadth detailed BIA. In lieu of the detailed process, it may elect to
examine larger components of the business and consider broader controls and solutions. A
smaller business may have the option to conduct a full-scale evaluation and be able to implement
more specific controls and solutions. Due to these variations of need, one is likely to use
questionnaire and remote survey techniques, while for the other more personal interviews and
surveys will apply. Questions and responses may be both quantitative and qualitative. There will be
circumstances where no dollar gain or loss can be stated and the amount is seen as intangible.
These qualitative situations should have a clear description of the actual or potential impact to
assist the analyst in setting strategies and to permit inclusion in the summary results.
When starting the BIA process as noted earlier, there are considerations and commitments that
must be in place. For example:
Action | Description
Ensure executive management commitment | A corporate policy has been enacted. Sponsorship notice has been sent out. The project will be funded.
Work through an enterprise BCDR steering committee | Used to support the BCM Program and the BIA study.
Identify what the deliverables and contents should look like. | Format should be based on company expectations and standards.
Develop the initial scope. | The scope should define type of BIA to be performed, the depth of research to gain the maximum amount of detail.
Identify the subject matter experts. | These staff may be internal or external and will review the first summaries, and help guide the development of the survey questions. You cannot survey everyone.
Develop the data collection plan | The company will select tools, devise procedures and inclusions for the data gathering.
Conduct the interviews, surveys, workshops. | Holding education sessions, workshops, interviews, and distributing and collection of data.
Conduct analysis and develop conclusions | Consolidating findings and key results. Prepare initial conclusions.
Validate findings with subject matter experts. | This confirms the initial conclusions and that all key areas have been included. Vulnerabilities, financial, operations and technical impacts have been assessed.
Present validated findings to executive management and approval to continue | This presentation is to gain executive backing to continue and that the program budget will be fully approved.
Transition to strategy development | A course of action for responding to a disaster and the starting point for a recovery plan.
When the BIA project component is forced to stay at a minimal level the project coordinator may
choose to focus questions on the senior executive level and the finance organizations to
determine the key impact areas of the business. These groups are usually adept at knowing
where an impact is likely to cause the most financial or image harm to the company. The BIA
effort may then be re-presented with a narrower scope yet still have some value in providing
guidelines for mitigation and recovery strategies.
A business that fails to consider the true value of business impact analysis exposes itself to
continued lost dollars without knowing where controls will be most effective.
What Are BIA Questions?
When making the decision regarding a process to use, the following questions, in some form,
should be considered (listed in no particular order):
• Provide a description of the department or function.
• Describe the customers served. The customer may be another department or
internal business function of the same company or external to the company.
• What are the key skills required to perform the identified critical functions?
• What is the estimated or actual revenue of the function?
• Are there penalties for interruption or loss of data?
• Is the process subject to compliance with laws or regulations?
• Is the process subject to specific service level agreements or contracts?
• What are the critical business cycles?
• What are the external dependencies of the business process?
• Have operational procedures been documented and are they used daily?
• What are the key software applications?
• What specialized equipment is required and how is it used?
The questions and data being sought are endless, and for best results they need to be focused on
your business. There are as many questions to be considered as there are different businesses.
An examination of the business under study will be the deciding factor when developing
the business impact analysis.
At the least, always consider these categories of concern: Visibility, Liability, Revenue, Image,
Process and Production.
• Visibility – How soon will the public and stakeholders notice that there is
a problem?
• Liability – Are there laws or regulations that must be met?
• Revenue – What is the revenue loss from immediate to some time period?
• Image – Will the company’s long term image be tarnished?
• Process – What effect will an interruption have on the total product or
service the company offers?
• Production – How will production be maintained during an interruption?
Tools
Software is readily available for Business Impact Analysis, but remember, you must be able to
easily customize it for your business and it must be simple enough to use without having to train
every survey taker. The potential complexity is a reason to understand the need to use skilled
people in this total endeavor. There is no monetary saving to a poorly designed and executed
business impact analysis project. The results are equal to the effort expended.
How-To Approach BIA
To this point the general concepts and high level value of business impact analysis have been
pointed out. Getting started does require commitment, management backing, and the
cooperation of all who will be participants. There is little room for false starts, and poor returned
information may lead to a catastrophic end in the midst of a possible future bad situation. In this
discussion area management and the planning professional should be working closely together
and be mutually supportive. The stakes are high and the results worth the effort. It is best during
the investigative period to avoid use of the term PRIORITY, as all will want to be seen in the
realm of business as important, and priority implies importance. A safer way to approach the
need for either additional protections or speedier recovery is to ask where a department or
process fits in the WORK OR BUSINESS FLOW. As noted, the effect of a disaster on the
business can easily result in more than the short term loss of business and damage to property.
There are a number of areas which may be impacted by an adverse event:
• Financial results
• Good-will and reputation (via customer service, image, legal status, etc.)
• Compliance
• Health, Life & Safety
• Social impact at large (relations with the community, environment impacts, national security,
etc.)
Examination of the company soul should point out strengths, unique components, core
business and revenue cycles, as well as offering a resource for strategies of prevention,
mitigation, recovery, and restoration.

Multiple BIA Support and Process Mechanisms
Tool sets are readily available for business impact analysis: software, Word files, Excel files,
databases, books, on-line resources, contractors, group sessions, interview guides, or create your
own. Pick up any copy of a Business Continuity or Disaster Recovery trade magazine; they are filled
with promises and advertisements. Remember, you must be able to easily customize the tool for your
business and it must be simple enough to use without having to train every survey taker. The
potential complexity is a reason to understand the need to use skilled people in this total endeavor.
There is no monetary saving to a poorly designed and executed business impact analysis project. The
results are equal to the effort expended.
Since there is no one form or methodology to fit every company the following diagrams are
solely representative of the variety of approaches and BIA layouts.
[Diagram: Home Grown]
[Diagram: The Porter – Value Chain]
To perform BIA, one may want to look at Michael Porter’s entire Value Chain. Building a
picture of the business using the Value Chain is worth the effort.
SUPPORT ACTIVITIES
• FIRM INFRASTRUCTURE: Real Estate Services; Legal; Corporate Office Mgmt; Finance; Accounting; Etc.
• HUMAN RESOURCE MANAGEMENT: Insurance (medical, life, etc.); Benefits Administration; Mobile
Workforce Mgmt; Education & Training; Time & Attendance; Payroll & Personnel; Recruiting, Hiring,
Retention, etc.; Etc.
• TECHNOLOGY DEVELOPMENT: Project Mgmt; Engineering; Programming; Etc.
• PROCUREMENT: E-Procurement, Etc.
PRIMARY ACTIVITIES
• INBOUND LOGISTICS: E-Procurement; Warehousing; Supplier Relationship Management (SRM); Etc.
• OPERATIONS: ERP/MRP; Accounting; Ops Mgmt; Time Tracking; Reporting; Workflows; Prof. Services;
Project Mgmt; Messaging; Productivity; Collaborative; Etc.
• OUTBOUND LOGISTICS: E-Commerce; Fulfillment; Distribution; Warehousing; Etc.
• MARKETING & SALES: Sales Automation; Sales Force Automation; Advertising; Bus. Intelligence;
Retail Services; Etc.
• SERVICE: Service Mgmt; Help Desk; Call Center; Customer Req’s Mgmt (CRM); Etc.
MARGIN
Every company’s business process (or processes) can be viewed using the Value Chain. We
simply need to look at what applies to the particular business process, specific to the industry and
function of the business. The best way to do so is to start with the analysis of the product. The
nature of the product will determine which of the Value Chain’s cells (containers) are included in
its production. Once diagrammed, the production path can be imagined being stopped at any point
and the effect on the following groups can be shown. There are processes within those critical cells
which can be easily drawn out as the result of a few interviews of the business’s personnel.
Once the high-level processes are identified, the sub-processes can be drawn as well, and so on to
a certain level of detail where it may become obvious which components of business
infrastructure support these processes. There are a number of component areas enabling
business processes:
• Technology
• Facilities
• People
• Knowledge (know-how)
• Data
• Money
• Client
• Stakeholder

The Porter model may help development of the questions to be asked and the areas of the
business to be included. A BIA provides the best results when it is executed as a structured
interview using a common set of questions tailored to the part of the business in focus. The
goal is quantitative results indicating the financial and supply chain impacts and qualitative
results indicating the physical requirements and potential image impacts.

The Value Chain presents the business picture as primary and support activities. The process
to define the questions may be best looked at as a reverse engineering method. Since the
diagram indicates the key activities of every business function, and those functions can be
cross related to any other function, the result of the BIA needs to indicate the critical ties.
After a description of the process or function, the questions change to critical paths and
dependencies on other functions.

Critical indications may be cyclic, financial, regulatory, supplier and image driven. As seen
in the diagram, all are included. Following this road, the questions begin to define themselves.
For example, asking who your customers are and where they are located provides the
geographic market, even if the customer is within the same company, which may be related
to areas under threat of natural disaster. This seasonal threat may have a long lasting effect on
company revenue. Knowing this, the final report may include the recommendation to expand
the marketing area or to accumulate a hedge against the downturn in business.

A requirement to be served may be based on a regulatory reporting requirement, such as
taxes; this would necessitate questions relative to cycles of business. These cycles may
overlap or remain segregated, but when the pattern is examined the protection and recovery
strategy may evolve to be a flat solution which is less expensive to initiate and can
incorporate a greater portion of the business.

Recovery Time Objective, Recovery Point Objective, Maximum Acceptable Down Time, all
identified in the investigative process must be considered as qualitative and valuable data.
Mitigation schemes, backup process, and recovery methodology and technology
implementation, and point of declaration of action will be derived from the reports. The
referenced processes are likely to drive some lesser reported needs into a higher demand
category. When a critical process has reliance on a declared lesser process then the second
process must be upgraded to match or move ahead of the process reporting the dependence.

Following the concept, the series of needed responses drives the formation of the inquiry. The
responses, when diagrammed, facilitate the identification of departments, processes, or even
vendors that are especially key to the continuation of the business.

With the questions identified and the response needs defined, the next step in the project is to
get the actual interviews and reporting sessions underway. The kick off
meeting and the rally of management support may appear to be unnecessary, yet it is the open
demonstration of management commitment that will assure participation. The quality of the
reported detail will likely be more accurate.
Comprehending the results
Once the surveys and interviews have been completed and collected, the BIA is not yet
complete. Until a final evaluation is conducted, the ties and relationships within the
business are still to be confirmed. The quantitative values are still to be set and qualitative
impacts need to be documented in the reports.
The to-do list starts with:
• Review manager feedback and, where appropriate, revisit reported findings accordingly
or add to outstanding issues
• Prepare draft BIA report listing initial impact findings and issues
• Issue draft report to participating managers and request feedback
• Update the report.
• Create the business process and dependency map, described in the next few sub-chapters.
• Schedule a workshop or meeting with participating manager(s) to discuss initial findings,
when necessary
• Again update the BIA report to reflect changes arising from these meetings
• Prepare final Business Impact Analysis report according to organization or house
standards
• Formal presentation of Business Impact Analysis findings to peers and executive bodies
These few steps are representative of the iterations before presentation to senior management.
However, since the BIA results are critical to the continued success of the business and relative to
the next major project step, Risk Analysis, confirmation and support of the findings is crucial to
the success of the Business Continuity Management Program.
Here are some survey findings from a moderate size business:
[Chart: Application Use. The business unit list cross-referenced to the application each uses.]
[Chart: Business-defined application criticality, where 5 is very critical.]
[Chart: Business function recovery time requirements, indicating a majority of the departments have a
12 hour or less recovery need.]
[Chart: Business function recovery point objective requirements, indicating a majority of the
departments have a 12 hour or less data loss tolerance.]
Charted responses are easily created using Excel or PowerPoint and are very effective when
presenting summary results. Summaries need to be created with descriptions and the proofs.
When a process is initially claimed to be critical to the business, verification is needed, along
with further investigation to determine the mitigations and funding needed for protection.
Define Criticality of Business Functions and Records, and Prioritize
The BIA responses now contain the needs of the business and the process flow. During the startup
of the BIA, levels of criticality and recovery time objective levels or tiers should have been agreed
to, and now processes and things will drop into the fields. Since business and the public have
become dependent and expectant, it is very likely some processes will be reported with multiple
levels of criticality. The appropriate response is first to verify, then to negotiate with
management single or multiple levels of criticality. When reaching the strategy phase of BCM,
available solutions or what the business is willing to sponsor may set the final criticality level or
tier. “Tier” is a common term used to simply describe where in the recovery order something
falls.
Diagram Representations of BIA Results
Examine the next diagram displaying the mapping of the imaginary related group of BIA
surveys. Widget production and the process flow with the dependencies are shown in the
diagram. Creating a diagram of work flow and dependencies tied to declared critical times
allows a visual of the interdependencies and what is likely to happen if any given process is
taken out of the flow.
These components or things are drawn on the same diagram with the processes, and then the
preliminary analysis of potential business impact and criticalities may commence. The diagram
depicted provides insight into how this works using an example of widget production.
This approach is very effective at identifying which processes depend on which “things”, and
therefore it is possible to identify which processes will be most affected when certain “things”
fail. This allows the business, based on business considerations, to design the strategy for ensuring
continuity of those processes by enhancing the survivability of the things which are
critical to their activities. This process is performed best in a bottom-up fashion by tracing which
things support which processes.
On the other hand, this approach offers an opportunity for a top-down analysis. In this analysis,
critical processes are identified and marked, and then the sub-processes and things that support them
are identified in turn and earmarked for enhancements.
Other departments may have the same or be one of the cells in the chart. Depending on how
complex you care to make the diagram, all interrelations can be displayed. Mentally
eliminating any given cell in the diagram shows the implied interruption. Although the
diagram is shown with business implications, the same type of diagramming is appropriate for
computer application and database relationship mapping. Since Business Continuity
Management is about disaster avoidance, mitigation and prevention, followed by recovery, focus
areas become evident when charted.
Impact Over Time:
It is important to understand not only the instantaneous loss impact, but also
how the impact of the incident changes with time. If a product is unavailable for one day
it is an inconvenience to the consumer; when it is unavailable for a week they will switch to
another product and are likely not to switch back. Knowing what the time related impacts can do to
the business may be more important than the momentary financial loss. A well designed BIA
will ask the time questions. The time gap analyzed is up to the business to choose and may
extend to 30 or more days. Time impact is usually not linear in effect but will have periods
where the impact flattens, then rises sharply.
Time and impact may be displayed graphically or numerically. Here again the image, when used
in a presentation, is more effective than a list of numbers.
[Chart: Start to end impact]
[Chart: Time Weighted Impact]
Priority Impact
Examination of priority impact against the same 6 items as the previous images shows that
product visibility to the customer and the ability to manufacture the product are the top concerns.
Priority is often confused with importance, when in effect it should relate to order of recovery and
where mitigation controls are focused.
When priorities overlap, or where there are indications of a dependency on a process rated at a
lower priority, the lesser rated process will be upgraded to an equal or possibly earlier
point in a recovery.
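The upgrade rule stated here and in the Value Chain discussion, together with the bottom-up tracing of which "things" support which processes, can be worked through on a small dependency map. The Python below is an added example, not part of the original paper; the function names, the widget-producer survey entries, their RTO hours and the tier boundaries are all constructed for illustration.

```python
"""Propagate recovery requirements through a BIA dependency map."""
import math
from collections import deque

# Constructed sample survey results for an imaginary widget producer.
# "rto" is the declared Recovery Time Objective in hours; "depends_on" lists
# the processes or "things" (systems, facilities, vendors) each entry relies on.
SURVEY = {
    "order_entry":     {"rto": 4,   "depends_on": ["crm_app", "network"]},
    "widget_assembly": {"rto": 12,  "depends_on": ["parts_warehouse", "erp_app"]},
    "shipping":        {"rto": 24,  "depends_on": ["widget_assembly", "erp_app"]},
    "parts_warehouse": {"rto": 72,  "depends_on": ["parts_vendor"]},
    "payroll":         {"rto": 120, "depends_on": ["erp_app"]},
    "crm_app":         {"rto": 8,   "depends_on": ["network"]},
    "erp_app":         {"rto": 48,  "depends_on": ["network"]},
    "network":         {"rto": 24,  "depends_on": []},
    "parts_vendor":    {"rto": 168, "depends_on": []},
}

# Assumed tier boundaries in hours, as agreed at BIA startup (hypothetical values).
TIERS = [(4, 1), (12, 2), (24, 3)]


def tier_for(rto_hours):
    """Map an RTO to a recovery tier; anything slower falls in the last tier."""
    for limit, tier in TIERS:
        if rto_hours <= limit:
            return tier
    return len(TIERS) + 1


def effective_rto(survey):
    """Return the RTO each item must meet once dependencies are considered.

    An item must be back at least as early as every process that relies on
    it, so the tightest RTO is pushed down the dependency chain. The worklist
    also terminates on circular dependencies, and a dependency that was never
    surveyed inherits the requirement of whoever named it.
    """
    eff = {name: entry["rto"] for name, entry in survey.items()}
    queue = deque(survey)
    while queue:
        proc = queue.popleft()
        for dep in survey.get(proc, {}).get("depends_on", []):
            if eff.get(dep, math.inf) > eff[proc]:
                eff[dep] = eff[proc]
                queue.append(dep)
    return eff


def upgrades(survey):
    """List items whose required RTO is tighter than declared (or undeclared)."""
    result = {}
    for name, hours in effective_rto(survey).items():
        declared = survey[name]["rto"] if name in survey else None
        if declared is None or hours < declared:
            result[name] = (declared, hours)
    return result


def blast_radius(survey, failed):
    """Bottom-up view: every process that stops if `failed` is unavailable."""
    dependents = {}
    for name, entry in survey.items():
        for dep in entry["depends_on"]:
            dependents.setdefault(dep, set()).add(name)
    hit, queue = set(), deque([failed])
    while queue:
        for parent in dependents.get(queue.popleft(), ()):
            if parent not in hit:
                hit.add(parent)
                queue.append(parent)
    hit.discard(failed)
    return hit


if __name__ == "__main__":
    for name, (declared, hours) in sorted(upgrades(SURVEY).items()):
        print(f"{name}: declared {declared}h -> required {hours}h "
              f"(tier {tier_for(hours)})")
    print("erp_app failure stops:", sorted(blast_radius(SURVEY, "erp_app")))
```

Items that appear in the upgrade list are the ones to verify and negotiate with management before the tiers are finalized.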
Summary
Well, now that the pot has been stirred and the ingredients have mixed, there is a lot in the stew.
Business impact analysis is a necessary and valuable work item but requires education,
commitment, funding and time. The involvement of the entire business, top to bottom and side to
side, is what makes the difference and becomes one of the main cornerstones of the Business
Continuity Program. How to accomplish the BIA is up to the business: use surveys and
interviews, flyers and on-line, software or do-it-yourself, you or a consultant or you with a
consultant. Whatever is selected, complete the process.