The format and exact content of a BIA vary from company to company. However, its implementation is usually based on the following steps:
- Information gathering
- Evaluation of the information
- Summary of the results
- Presentation to management
A BIA report can be created internally or with the help of external resources. Either way, cooperation with your employees is usually essential: in the first step, they can provide valuable insights that help identify all existing business processes and the relationships between individual functions and departments.
This kind of information gathering is often facilitated through face-to-face interviews or automated surveys. This makes it easier to classify business functions according to their importance and to assess the financial and non-financial effects in the event of a failure. When collecting the data for your analysis, it’s helpful to keep the following questions in mind:
- To what extent are individual departments dependent on certain system and business processes?
- What kind of risks do identified vulnerabilities entail?
- Who is responsible for service level agreements?
- Which and how many employees are required at a recovery location?
- What kind of resources/equipment will be needed in the event of an outage?
- How should cash management and liquidity be handled during the recovery phase?
Once you’ve dealt with these questions, you’ll quickly understand which type of data you require for your business impact analysis. In most cases, the following information is required:
- Name of processes and description
- Responsible department and location
- Human and technical resources involved in the process
- List of all inputs and outputs of processes
- List of all departments dependent on outputs
- Maximum downtime with no noticeable impact
- Operational and financial effects of outage
- External/legal effects of outage (e.g. clients, authorities, etc.)
- Description of previous outages and their consequences
- Description of recovery procedure or work displacement
In the second step, all collected information is validated with the help of auditors and then analyzed. When analyzing the data by computer or manually, it’s important to highlight the functions, systems, employees, and resources that are needed for the continuity of the business. This also highlights the time frame in which failed functions must be restored so that you can avoid late wage payments, damage to your image, fines or loss of customer satisfaction.
The next two steps are all about summarizing the results clearly and presenting a BIA report to management. The report can include charts and graphs to illustrate possible losses and recovery recommendations. To support your conclusions, add information on the procedure and the detailed survey results in the appendix. Using the following instructions, you can create your own business impact analysis template and adapt it as required.