As a business leader, you’re no stranger to strategic thinking. Operational strategies, growth strategies, leadership strategies, and more—they are all critical to deciding your company’s ultimate success or failure. But what about your business continuity strategy? The potential external threats your company faces on a daily basis are very real, and your strategy for managing those threats should be as well-defined and carefully planned as any other.
As with the development of any strategy, you start with the facts. A Business Impact Analysis is, at its heart, a fact-finding mission. In the event of downtime, what would happen to your company? Do the analysis right and you’ll come to a deeper, more realistic understanding of your company’s current state of operations—and pave the way for creating a business recovery strategy that actually works. Below, you’ll find a complete Business Impact Analysis guide that has everything you need to know before you get started.
What is a Business Impact Analysis?
Here’s our Business Impact Analysis (BIA) definition: A BIA provides you with a clear picture of the criticality of your business operations based on the processes they perform, and helps you identify the dependencies (i.e., the computer systems, vital records, etc.) that must be in place for those processes to run. In essence, it serves as the foundation of any good continuity strategy. Once you understand which business processes are most critical to the livelihood of your company, you can then use this information to build an effective strategy that addresses only those areas that need to be recovered and the designated time frame in which to recover them.
Contrary to popular belief, the BIA is not intended to be scenario-specific. Tornadoes, citywide power outages, or computer viruses—the reason for disruption simply doesn’t matter. The point is to identify your company’s most critical processes and be prepared for continuity in those areas no matter what comes down the pike.
Who performs a Business Impact Analysis?
The answer to this question varies across the board. In some cases, the company’s business continuity manager oversees the effort with the help of a few dedicated team members. Or, in the absence of a business continuity manager, someone in IT or another related group is assigned the task. It’s not ideal, though, for anyone other than an experienced continuity professional to perform the analysis. Without a good understanding of how various business functions might impact the bigger picture, the results of the BIA are likely to be skewed.
Often, a third-party consulting firm is brought in to do the job (even if there is a business continuity manager on staff). The combination of an objective point of view, extensive experience in conducting BIAs, and a thorough knowledge of best practices and standards ensures that the resulting analysis will be valid.
What’s involved in the analysis process?
BIAs are performed at the business unit level—as many or as few as you prefer. Some companies choose to start by assessing only a few of their critical units, while others may evaluate 15-20 (15-20 is more typical, in our experience); still others choose to evaluate all of their business units.
The process begins with a questionnaire designed to determine the dollar and non-dollar impact on each individual unit and its processes—for instance, the call center, the accounting department, or operations—should a disruption occur. The impacts should be evaluated over time (24 hours, 48 hours, 5 days, greater than 5 days, etc.).
To estimate the dollar impact for each process, questions should include:
- What would the loss of revenue be?
- Would penalties and/or fines be incurred?
- Would there be increased operating costs?
Answers could be on a scale of 1-5, with one being zero to a million and five representing a catastrophic amount.
Non-dollar impact for each process could be evaluated with questions like:
- How would it impact our reputation and image?
- What is the impact to customer service?
- What is the impact to operations?
Again, answers could be on a scale of 1-5, with one being no impact and five being catastrophic.
In addition to assessing the dollar and non-dollar impacts, don’t forget to identify and collect the following key information for each process in your questionnaire:
- Legal & regulatory requirements
- Service level expectations
- Dependent computer systems/applications
- Specialized equipment needs
- Internal & external dependencies
- Vital records
But it’s more than just throwing a questionnaire at people. In our view, conducting a BIA is an art, and the real magic happens during one-on-one interviews with key department personnel who know the ins and outs of each process (we prefer that interviewees not be managers). Reviewing the questionnaires in person with those who do the job daily will give you a fuller, more detailed picture of the processes and system dependencies of a unit, leading to a more accurate criticality assessment.
Ultimately, information gleaned from both the questionnaire and the interviews will allow you to assess the cumulative dollar and non-dollar impacts for each business unit over time—and give you a realistic notion of respective department criticality and associated dependencies.
Are there standards I can refer to when conducting a BIA?
Yes, there are standards—plenty, in fact! They include International Organization for Standardization (ISO) 22301 (which is fairly expensive to gain access to), National Fire Protection Act 1600 (which is free and, we think, one of the best), and, specifically for financial institutions, the Federal Financial Institutions Examination Council’s (FFIEC) BCP standard. All of them cover the subject a bit differently, but the same key components are there: how to cover the financial impact and non-financial impact of potential disruptions and identify resources and dependencies.
How long should the BIA process take?
Conducting a BIA for each business unit should take no more than 3.5 to 4 hours of that unit’s time. This includes a half-hour for pre-work, 2.5 hours for the BIA interview, and a half-hour for validation of results. The time it takes to conduct a BIA for multiple business units varies with the number being evaluated. Typically, end-to-end, in calendar time, 15-20 business units should take anywhere from 45 to 60 days, from pre-work to final presentation.
What should the results of a BIA look like?
Done properly, a BIA should show a limited number of units as critical to the livelihood of your business. If every business unit shows up as equally critical to operations, it’s a sign that something’s gone awry.
Going into a BIA, you may have some sense as to how it will develop based on your industry. Most of us would assume that a hospital, for instance, has many critical processes involved in patient care, and a BIA will bear that out. On the flip side, a construction firm may have several business units that are considered less critical for survival and could go without recovery for 3-5 days.
What are the challenges of conducting BIAs?
In our experience, the top three challenges to conducting a successful BIA are:
1. People who don’t take the BIA process seriously. If you or the people on your team are not truly invested in devoting time and resources to business continuity, or simply don’t see the value in doing this foundational research step, then your BIA efforts are not likely to be accurate or objective.
2. A lack of deep knowledge about the business. To combat this, we devote a considerable amount of time to BIA prep work and make sure we have the right people in the room when it’s time for one-on-one interviews.
3. Management is wary of the process. Business executives often have preconceived notions that every unit will prove critical. In fact, that will be the case—if you don’t set the right assumptions and criteria up front.
What happens after the BIA?
As you probably guessed, the BIA is part of a larger process. The next step is to devise recovery strategies, solutions and plans for the units deemed critical. That might mean anything from contracting with a third party for alternative services in an emergency to finding a place where your employees can continue to work should location-specific services go down.
How often should a BIA be done?
The BIA is a point-in-time analysis—your situation could change in a year or two. The recommended interval for updating your BIA is every two years; for some businesses it will be longer (if things don’t change much), and for others it will be shorter (banks are required to do one every year).
Do A Business Impact Analysis The Easy Way
You work hard to make your business a success—shouldn’t that include protecting your most critical assets? A BIA is the first step to ensuring that your business will continue to thrive in the event of disruptive external factors beyond your control.
We’d like to help you take this first step. The BIA On-Demand (BIAOD) tool makes it easy for you to pinpoint the most critical units of your business. Running in a secure portal, the tool walks you through a full evaluation of your business processes, including dollar and non-dollar impact as well as recovery time objectives. In the end, it automatically calculates the level of criticality of each unit you’ve chosen to evaluate and produces a detailed report of the results.
Visit our website to schedule a demo of how the BIA On-Demand tool works or to get in touch with questions. If you’re struggling with a BIA currently or want guidance through the process, we’re here to help.