Risk Management Blog | RiskWare - Enterprise Risk Management Software

How to Conduct a Business Impact Analysis

Written by Riskology | 03/12/19 22:27

Business Continuity Management is essential for every organisation in order to ensure that your business can survive even in the face of crises or disasters, and a Business Impact Analysis (BIA) is the foundation for any solid business continuity framework. A BIA is the step where you identify the processes that are most critical to your organisation. Often companies won't allocate an adequate amount of time or resources to properly identify these factors and instead jump straight into creating recovery strategies and plans. Start with a BIA, so you're covered. 

Upon completion of a BIA, you should know the following:

  • Your organisation's critical business functions 
  • The impact to your business if an interruption were to disrupt those functions
  • How long your business could survive without performing these activities

By knowing how long your business can survive, you'll be able to define your Maximum Acceptable Outage (MAO) period for each function. The MAO is the amount of time from when a crisis happens to the time when a critical business function must be fully operational in order to avoid serious financial loss. To identify all the above takes time and the input from the right people, so it's not as simple as sitting in a room one afternoon and smashing it out (unless, perhaps, your company is less than 5 people).

A Guide to Conducting a Business Impact Analysis

Step 1: Identify the scope of your BIA

Especially if your organisation is large, it may not be necessary to involve all parts of the company in your BIA initially, or at all. Before you start mapping out your organisation's critical business functions, determine which parts of the business are most critical and focus on those. Business 2 Community recommends keeping your scope small and manageable. For large companies, this means limiting your review to the most significant 7-10 business departments or units.

Once you have identified the departments you'll be covering, figure out the people you'll need to interview for the assessment. These should be the individuals who are doing the hands-on work and therefore are most knowledgeable of critical processes and vulnerabilities. They are the most likely to be able to give you the accurate detail you need. If and when there is technology involved in these parts of the company, make sure to include an IT person in addition to the person who does the job, because even if someone knows how to use the software, he or she may not know how it works on the back end. Lastly, set up a timeline for conducting and finalising your BIA. Not only will this keep you on track but it will also help with the next two steps. 

Step 2: Establish the value of the BIA with your management team. 

If you're conducting a BIA, hopefully that means that your organisation understands and supports the need for business continuity management and having a business continuity plan. However, they may not realise what goes into the BIA specifically, so once you've determined the scope, who will need to be involved and the timeframe, present your plan to your management team, so they realise the investment into the BIA process, the value that will stem from your work and have all the information upfront. 

Step 3: Schedule and prepare for your BIA interviews 

According to your timeline, set up time (allot about 2 hours) to interview those you've identified as the most knowledgeable about every process they handle and the potential impact it would have on the company should a disruption happen. Prior to the interview, try to gather basic information about the sector of the business you'll be reviewing such as number of people who work in it, an overview of their processes and systems and hours of operation. This will help make the interview be smooth and efficient. 

Step 4: Host your BIA interviews

In hosting meetings, your goal is to understand the critical functions of your organisation's core business departments and the potential impact if and when those processes or systems get disrupted. To reach this goal, you should be asking the following questions.


Following every meeting, you'll want to share a recap with the person you interviewed, so they have the chance to review and verify all the information is correct.

Step 5: Analyse the data and prepare a report

During this step, review all the data you've gathered and assess what functions are most critical as well as sort through any findings you aren't clear about. Compile your results into a report. This should include:

  • An overview of the BIA process
  • Your ranking of critical business functions
  • Any additional findings you think should be mentioned
  • An action plan to address the highest priority critical business functions
  • A conclusion
  • Appendixes with any supporting information (those you interviewed, summaries of your meetings, etc.)

Once you've created this report, share it with your management team and set up a time to review and address any questions. With their approval of either all or at least your most important recommendations, you and organisation will not be in the best position possible to build your recovery strategies and plans. 

For assistance with your company's business continuity management, software like RiskWare's Business Continuity Module can be incredibly helpful in facilitating and organising your business impact analysis process, among other elements of your BCM framework.

 

Ready to Learn how RiskWare can help?

Let's organise a time to speak to one of our Risk Specialists and you can learn why millions of users around Australia trust RiskWare to manage their organisations Risks.

 

 

To learn more about how RiskWare is making the world a little less risky, visit us at RiskWare.com.au.