The Two Goals of a Business Impact Analysis (BIA)

During the most recent Israeli-Palestinian conflict, the Crisis Management and Business Continuity Management teams of a large enterprise assembled in their US Emergency Operations Center as the first rockets struck Tel Aviv. Their primary concern was not the safety of their 500 employees in Israel. On their mind was the knowledge that, in the potential military response, as many as 60% of their employees might be drafted into the ensuing offensive. Their Business Continuity Planning mandate was to organize how their ‘limited resources’ (the remaining 40% of the staff, in this case) could best be deployed to continue the most critical business functions.

The resumption of a Business function (or process), and the allocation of available resources, has to be prioritized based on its impact on operations and sequenced to ensure that dependent functions are restored in the right order. This prioritization and sequencing of business functions for effective Business Continuity at the time of a disaster is achieved through a Business Impact Analysis (BIA).

Prioritization

A Business Impact Analysis (BIA) should identify the criticality of the business functions and use the current-state knowledge to rank them. This racking & stacking of business functions helps in prioritizing which business functions must be continued (or resumed, if interrupted) and how many resources will be allocated to the continuation of each process.

The priority of an individual business function may be determined by analyzing its Recovery Time Objective (RTO), financial impact (cost of downtime), customer impact, brand or reputational impact and operational impact. The resulting ranking may be expressed as a Recovery Tier (Tier 1, 2, 3, for example) or as a Criticality rating (High, Medium, Low). How the mix of determinants is stacked to create the ranking will vary – since each organization has its own organizational perspective. For some, financial impact will be a priority; for others it may be customer impact.

Sequencing

Business functions depend on many ‘assets’ (resources) – people, technology, work-areas, other functions, equipment and suppliers. The sequence in which those operations are resumed, and their dependent resources made available, is key to the restoration of business operations. Identifying the critical resources that each business function relies on should be an outcome of the Business Impact Analysis (BIA) process.

Understanding those upstream and downstream dependencies helps identify the causality chain and the true impact of any disruption. Additionally, an accurate picture of dependencies helps uncover vulnerabilities in operations as part of risk-management efforts.

Traditionally the information for a Business Impact Analysis has been gathered through a survey or through an interview with the business function ‘owner’ – or both. The data gathered from these surveys and interviews are aggregated, sorted and ranked. That is followed by an analysis taking the sorted data, comparing it to the business objectives and – based on predefined thresholds – determining the criticality of each business function.

Understanding both the criticality and the impact on operations helps determine the priority of the business function in the resumption / recovery process.

Identifying the dependencies of the function or process automatically defines the sequence in which the operations must be restored. Because of the multitude of dependencies of each function (people, technology, locations, supplies and predecessors), the data linking them to the business function is multi-dimensional and as complex as the organization itself.
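The prioritization and sequencing described above can be combined in one pass. The following is an added example, not part of the original article or of any eBRP product: the function names, RTO values, impact scores, weights and tier thresholds are all constructed assumptions. It shows that a dependency inherits the tightest RTO of the functions that rely on it, and that the restoration order must respect dependencies before rank.

```python
import heapq
# Constructed sample BIA data (not from the article): function ->
# (RTO hours, impact scores 1-5 for financial/customer/reputation/operational, dependencies)
FUNCTIONS = {
    "Order Entry": (4, (5, 5, 4, 4), ["Customer Database", "Network"]),
    "Payroll": (72, (2, 1, 3, 4), ["HR Records", "Network"]),
    "Customer Database": (24, (3, 4, 3, 3), ["Network"]),
    "HR Records": (120, (1, 1, 2, 2), ["Network"]),
    "Network": (8, (4, 4, 3, 5), []),
}
WEIGHTS = (0.4, 0.3, 0.2, 0.1)  # assumed; each organization stacks determinants differently

def impact_score(impacts, weights=WEIGHTS):
    return sum(w * s for w, s in zip(weights, impacts))

def tier(rto_hours):  # assumed thresholds: <=4h Tier 1, <=24h Tier 2, else Tier 3
    return 1 if rto_hours <= 4 else 2 if rto_hours <= 24 else 3

def effective_rto(functions):
    """A dependency must be up before its dependents, so it inherits their tightest RTO."""
    eff = {name: rto for name, (rto, _, _) in functions.items()}
    changed = True
    while changed:
        changed = False
        for name, (_, _, deps) in functions.items():
            for dep in deps:
                if eff[name] < eff[dep]:
                    eff[dep], changed = eff[name], True
    return eff

def restoration_sequence(functions, weights=WEIGHTS):
    """Dependency-respecting order; ties broken by tightest RTO, then highest impact."""
    eff = effective_rto(functions)
    pending = {name: set(deps) for name, (_, _, deps) in functions.items()}
    def key(n):
        return (eff[n], -impact_score(functions[n][1], weights), n)
    ready = [key(n) for n, deps in pending.items() if not deps]
    heapq.heapify(ready)
    order = []
    while ready:
        name = heapq.heappop(ready)[2]
        order.append((name, tier(eff[name])))
        for other, deps in pending.items():
            if name in deps:
                deps.remove(name)
                if not deps:
                    heapq.heappush(ready, key(other))
    if len(order) != len(functions):
        raise ValueError("circular dependency among business functions")
    return order
```

In the sample data the owner of "Customer Database" reported a 24-hour RTO, yet it lands in Tier 1 because "Order Entry" cannot resume without it; a survey that ranks each function in isolation would miss this.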

The traditional questionnaire approach to Business Impact (with its resulting spreadsheet analysis) may not be an adequate or effective method of addressing this multi-dimensional dilemma. But that’s a topic for another day, and another blog.

Ramesh Warrier

eBRP Founder and Chief Designer of eBRP Suite, Ramesh is a proponent of constant change, a visionary who believes that the practice of Business Continuity can deliver improved operational efficiency. Ramesh, B.Tech in Electrical Engineering, has nearly 30 years' experience in Business & Technology roles. His thoughts are expressed in blogs, white-papers, frequent webcasts and speaking engagements at industry conferences.
