We’re struck by a crisis that affects many different aspects of our lives: our health, finances and social interactions. Most organisations have had to react quickly and adapt their way of working by authorising remote working five days a week instead of one day a week as in the past. They had to ensure their business continuity, which is not a simple thing to do. A lot of work goes into building the right strategy, starting with a Business Impact Analysis (BIA). We want to reach out to you and give you some important insights in the article below.
What is a BIA?
It is a process that determines and evaluates the potential effects of an interruption of business operations, processes and systems by collecting relevant data. It quantifies the operational and financial impacts resulting from the disruption of, and risks to, service delivery, recovery time objectives (RTOs) and recovery point objectives (RPOs).
What could interrupt business operations?
Business operations may be interrupted by a disaster, an accident, an emergency, a pandemic, the failure of a supplier and so on.
Many scenarios should be considered and should be identified during a risk assessment, as described in a previous blog post. For example:
- Physical damage to a building
- Damage to or breakdown of machinery, systems or equipment
- Restricted access to a site or building
- Interruption of the supply chain including failure of a supplier or disruption of transportation of goods from the supplier
- Utility outage, for example an electrical power outage
- Damage to, loss or corruption of information technology including voice and data communications, servers, computers, operating systems, applications and data
- Absenteeism of (essential) employees
What could be the impact?
The timing of a disruptive event can have a major impact on the loss suffered by a business. If your store is damaged by a natural disaster before a big sale or large seasonal holiday, the impact is obviously greater than during a less busy period.
A power outage lasting a few minutes would be a minor inconvenience for most businesses but one lasting for hours could result in significant business losses.
Impacts to consider:
- Lost or delayed sales and income
- Increased expenses, e.g. overtime labour, outsourcing and expediting costs
- Regulatory fines
- Contractual penalties or loss of contractual bonuses
- Delay of new business plans
How to conduct a BIA?
There is no defined guide for conducting a business impact analysis. Organisations often tailor their methodology to suit their size, nature and business environment.
You can use a BIA questionnaire to survey managers and others within the business, or you can interview them. The goal is to identify the potential impact if the business functions or processes that they are responsible for are interrupted. The detailed questionnaire is developed by the business impact analysis team and features targeted questions that have been designed to get direct answers.
What are the different steps?
1. Get approval from senior management for the project
2. Define objectives, goals and scope of the BIA
3. Form a project team to execute the BIA: staff skilled and knowledgeable to conduct the BIA or outsource it to a third party
4. Consider which stakeholders you will interview: managers, team members, supervisors, business partners (those working outside the organisation but close enough to have insight into and knowledge of its operations) and others with knowledge of the processes
5. Gather the information you need for your analyses via interviews, questionnaires and surveys. All gathered data will be subjected to review, which means it must be documented in a coherent manner for easy accessibility for those who will perform the evaluation. Collected information should include the following:
- The name of the process
- A detailed description of where the process is performed: a department or division where it belongs and the actual location where it is performed
- All the inputs and outputs in the process
- Resources and tools that are used in the process, which include human resources (such as workers directly and indirectly involved), facilities (like office and furniture), technologies (like network, computers and software) and methodologies
- The users of the process, those who benefit from it. This will describe interdependencies across systems and processes
- The timing and maximum allowable or tolerable duration of disruption before the impact is felt. The questionnaire may also ask for an expected or estimated time frame for recovery
- The financial and operational impacts experienced during the disruption, with detailed descriptions of each impact. This includes estimates and approximations, e.g. the estimated costs to be incurred and estimated losses during the interruption
- Any regulatory, legal or compliance impacts that may arise during the disruption, with corresponding explanation and potential costs
- Historical data regarding past disruptions experienced by the company, with complete descriptions, associated impacts and responses
6. Review the collected data and start the analysis, either automated using tools or manually
7. Output generated:
- Prioritised list of business functions or processes, with the most crucial ones on top
- Identification of human and technology resources needed to maintain optimal level of operations
- Establishment of a recovery timeframe or the length of time needed to recover the process or function and bring the business operations back to normal, or as close to it as possible
8. Document findings and prepare the report. The format of the report is not regulated but it often follows this structure:
- Executive summary
- Objectives and scope
- Methodologies used to gather data and perform evaluation
- Summary of findings
- A detailed finding on each department of the business, including:
  - Most crucial processes
  - Impact of disruption to the various areas of the business
  - Acceptable duration of disruption
  - Tolerable level of losses
  - Estimated cost of recovery strategies
- Supportive documents for the findings: tables, charts, schedules and diagrams with brief explanations highlighting the potential losses that the business may sustain
- Recommendations for recovery, such as policies and activities that have to be implemented in order to bring the business back to its normal operational state, and how they will be prioritised
9. Presentation to senior management. They will have the final word and take the decisions, and they will rely on the contents of the BIA report when developing strategies for the company’s disaster recovery program and when formulating a continuity plan for the business
Let’s conclude
The business impact analysis operates under two assumptions: on the one hand, every part of the business is dependent on the continued operations of the other parts of the business. On the other hand, some parts of the business are more important than others, requiring more allocations when disruptions occur.
The BIA with allocation instructions will help you to:
- Prioritise which operations need immediate recovery and which ones can wait
- Develop strategies for the business to recover in the case of emergency
- Invest in prevention
- Set up solutions and plans to ensure business continuity, which means building a Business Continuity Plan and an Information Technology Disaster Recovery Plan
Note that the business impact analysis is not set in stone. Technology, tools and processes change, and the business impact analysis must evolve with them. The BIA is also part of the ISO 27001 implementation.