Business Impact Analysis (BIA): A key component of Business Continuity and Disaster Recovery Planning

A BIA is an analysis that assesses the quantitative impact of an incident or interruption on your organization in terms of financial loss & diminished levels of services or products you provide to your customers.

The BIA also measures the qualitative impact of these events: your business's ability to operate, workforce morale and retention, damage to your brand reputation, and any legal and regulatory jeopardy that might result.



A properly conducted Business Impact Analysis requires a serious review of what your business needs to operate, what risks it faces to its survival and who in your organization can be counted on to help it weather any potential storms.


Business Impact Analysis:

BIA focuses on the effects or consequences of a possible interruption to critical business functions and systems.

Though a thorough BIA involves considerable time to complete, the time spent during a properly conducted BIA can provide the structure that leads to solid and timely recovery from interruptions that often put other organizations out of business.

Business Impact Analysis (BIA) and Risk Assessments (RA) help identify what threats you're facing, as well as providing a comprehensive inventory of hardware, applications, suppliers and company personnel.

  • Scope: Identify what's critical and must be included, what can be left for after recovery and in what order services get restored

    Which offices and which departments are most critical and in which order they are restored

    Which network infrastructure & applications are mission critical for operations and how many staff in each department are needed initially to resume business operations

  • Goals: Provide executive management with a list of prioritized business functions and staff requirements

    Estimates of Maximum Tolerable Downtime (MTD), Recovery Time Objective (RTO) and Recovery Point Objective (RPO) for each business-critical process and service

  • Objectives: Using questionnaires from key personnel and data gathered from Risk Analysis, identify the following:

    Critical business functions, critical hardware & software dependencies, impact of disruptions and critical resources including suppliers and other 3rd-party services

With proper planning, testing and rehearsal, an organization can respond to an incident or disaster in an effective, coordinated and timely manner, and can also minimize damage to company assets and reputation.


Key components of the BIA:

MTD, RTO and RPO

These key components of the BIA process are so important that we have dedicated a separate page to determining and then meeting these objectives.

The reason these goals are so vital to an effective BIA will become immediately apparent as you complete them.

  • Maximum Tolerable Downtime (MTD): The longest amount of time that a business unit can be unavailable before it threatens the survival of your business

    MTDs can vary drastically depending on the time of year, season or proximity to holidays

    Usually measured in hours or days; for business functions that have zero tolerance for downtime, it can be measured in minutes

  • Recovery Time Objective (RTO): The maximum period of time that a business unit will be unavailable before you can restart it

    The RTO is always shorter than the more extreme MTD

  • Recovery Point Objective (RPO): The acceptable amount of data loss, measured in time. For example: is a backup made every hour of the day, or will a daily backup work? Does one hour of lost work have such a negative impact on your organization that it has to be planned and budgeted for?

  • Additional terms and calculations to consider when evaluating existing systems or looking for new equipment:

  • Mean Time to Restore (MTTR): The average time to repair damaged or compromised proprietary equipment
  • Mean Time to Failure (MTTF): The expected lifetime of a product or system; don't be the victim of a rude surprise when critical equipment is needed
  • Mean Time Between Failures (MTBF): An often-used calculation for older and high-capacity hard drives and storage devices
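As an added illustration (not code from the original page), the following Python check applies the MTD/RTO/RPO relationships above to a constructed, hypothetical inventory of business functions: it flags any entry whose RTO is not below its MTD or whose backup schedule cannot meet its RPO, and orders the functions for restoration by shortest MTD first. The availability formula from MTBF and MTTR is a standard relationship added here; the page itself does not state it.

```python
from dataclasses import dataclass


@dataclass
class BusinessFunction:
    name: str
    mtd_hours: float              # Maximum Tolerable Downtime
    rto_hours: float              # Recovery Time Objective
    rpo_hours: float              # Recovery Point Objective (acceptable data loss, in time)
    backup_interval_hours: float  # how often backups actually run today


def check_function(bf: BusinessFunction) -> list[str]:
    """Return the BIA problems found for one business function (empty list = consistent)."""
    problems = []
    # The RTO must always be shorter than the MTD, or the unit is restored too late to survive.
    if bf.rto_hours >= bf.mtd_hours:
        problems.append(f"{bf.name}: RTO {bf.rto_hours}h is not below MTD {bf.mtd_hours}h")
    # Worst-case data loss equals the backup interval, so it must not exceed the RPO.
    if bf.backup_interval_hours > bf.rpo_hours:
        problems.append(f"{bf.name}: backups every {bf.backup_interval_hours}h cannot meet RPO {bf.rpo_hours}h")
    return problems


def restore_order(functions: list[BusinessFunction]) -> list[str]:
    """Prioritized restoration list for executive management: shortest MTD first, then shortest RTO."""
    return [bf.name for bf in sorted(functions, key=lambda bf: (bf.mtd_hours, bf.rto_hours))]


def availability(mtbf_hours: float, mttr_hours: float) -> float:
    """Steady-state availability of a component from its MTBF and MTTR (standard formula)."""
    return mtbf_hours / (mtbf_hours + mttr_hours)


# Constructed sample inventory; the names and hours are hypothetical, not from any real BIA.
SAMPLE = [
    BusinessFunction("Order processing", mtd_hours=4, rto_hours=2, rpo_hours=1, backup_interval_hours=1),
    BusinessFunction("Payroll", mtd_hours=72, rto_hours=96, rpo_hours=24, backup_interval_hours=24),
    BusinessFunction("Customer portal", mtd_hours=8, rto_hours=4, rpo_hours=1, backup_interval_hours=24),
]

if __name__ == "__main__":
    for bf in SAMPLE:
        for problem in check_function(bf):
            print("PROBLEM:", problem)
    print("Restore order:", restore_order(SAMPLE))
    print(f"Availability with MTBF 1e6h and MTTR 8h: {availability(1e6, 8):.6f}")
```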


The 5 facets of your BIA:

To ensure you have all areas of your business operations analyzed, we focus on these 5 categories of possible business impact: Systems, Services, Staff, Suppliers and Sites

  1. Systems: Implement redundant equipment and utilize secure backups to lessen the impact of a possible interruption to your organization's operations

     Which systems will be brought back online first and in what order do you restore your equipment; what bare-bones network can be set up to resume operations

  2. Services: Explore ways to keep your organization operating in some capacity so as to diminish the negative impacts associated with interruptions

     Which services will be restored first and in what order will the rest of your operations and departments be brought back online

  3. Staff: Appoint emergency contacts - department heads, company managers and tech staff - to implement plans in case of incidents or emergencies

     Your staff is also required to provide crucial data about your company's processes, priorities, applications and workflow details from each department in a questionnaire that is a must for the BIA process

     Designate a Disaster Recovery Team: Assemble a team to monitor the plan and be responsible for its compliance

     What staff will be required during the restore period and as you bring your business back to full operation

  4. Suppliers: List crucial players in your supply chain and find alternate sources for supplies critical to your operations; locate replacement equipment that can be kept on site or at a satellite/remote office in case of emergencies in your area

  5. Sites: Increase security controls and power/internet/communications services at your organization's current site; select a possible temporary secondary site for your office in case of disaster

For each of these “Five S” categories, mitigate the business impacts:

  1. Describe the impact: How would an emergency or interruption affect your department and the business as a whole, and what would be the hourly, daily or weekly financial impact to the business as a result
  2. Formulate a plan: How will each department handle an incident or interruption, and then the organization as a whole; designate where backups and original installation files for critical applications are kept; where are the credentials for cloud-based applications stored in encrypted form; is this storage area safe during an incident or emergency
  3. Implement the solution: Implement hardware and backup solutions to safeguard data; strengthen security controls to prevent interruption
  4. Test it: Run simulations where systems fail and restore procedures are carried out; run mock drills where the building is evacuated or a late-night call is made to make sure Emergency Response Staff have the Incident Response Plan materials and Emergency Contacts handy
  5. Embed it: Make these plans and newly adopted processes part of a regularly scheduled meeting, quarterly if not monthly; implement Change Management so that any new equipment or applications, or changes in Emergency Response Team personnel, are reviewed and added to the BIA
  6. Sign it off and revisit it regularly: Certify that your department or organization has a solid plan in place, use Change Management to control additions to your infrastructure and systems, and schedule compliance meetings and periodic tests of your plan