The business impact analysis

Every company has to protect itself from the effects of critical situations in order to maintain its capacity to contract during times of interruption. Incidents such as natural catastrophes, cyberattacks, or theft often happen unexpectedly, making it all the more important to identify risks and effective strategies well in advance. In that context, a business impact analysis (BIA) plays a central role because it is used to record the effects of a crisis on the company in the form of a BIA report. The prerequisites for successful risk management are to recognize connections and mutual dependencies within an organization.

A business impact analysis is a systematic process that consists of an explorative and a planning component. The explorative component encompasses the identification of potential risks that a company faces in the event of business disruptions. The main focus here is on the specific effects that certain events could have on the organization and areas such as finance, security, marketing or quality assurance.

The planning component consists of the development of strategies that are intended to minimize the risks. The result of such an analysis is a BIA report, which is an important part of contingency planning in addition to a crisis management plan. In the following, we detail the procedure and content of a business impact analysis.

The format and exact content of a BIA vary from company to company. However, its implementation is usually always based on the following steps:

1. Information gathering
2. Evaluation of the information
3. Summary of the results
4. Presentation to management

A BIA report can be created internally or with the help of external resources. However, cooperation with your employees is usually essential, as they can provide valuable insights for the first step to identify all existing business processes and the relationships between individual functions and departments.

This kind of information gathering is often facilitated through face-to-face interviews or automated surveys. This makes it easier to classify business functions according to their importance and to assess the financial and non-financial effects in the event of a failure. When collecting the data for your analysis, it’s helpful to keep the following questions in mind:

• To what extent are individual departments dependent on certain system and business processes?
• What kind of risks do identified vulnerabilities entail?
• Who is responsible for service level agreements?
• Which and how many employees are required at a recovery location?
• What kind of resources/equipment will be needed in the event of an outage?
• How should cash management and liquidity be handled during the recovery phase?

Once you’ve dealt with these questions, you’ll quickly understand which type of data you require for your business impact analysis. In most cases, the following information is required:

• Name of processes and description
• Responsible department and location
• Human and technical resources involved in the process
• List of all inputs and outputs of processes
• List of all departments dependent on outputs
• Maximum downtime with no noticeable impact
• Operational and financial effects of outage
• External/legal effects of outage (e.g. clients, authorities, etc.)
• Description of previous outages and their consequences
• Description of recovery procedure or work displacement

In the second step, all collected information is validated with the help of auditors and then analyzed. When analyzing the data by computer or manually, it’s important to highlight the functions, systems, employees, and resources that are needed for the continuity of the business. This also highlights the time frame in which failed functions must be restored so that you can avoid late wage payments, damage to your image, fines or loss of customer satisfaction.

The next two steps are all about summarizing the results clearly and presenting a BIA report to management. The report can include charts and graphs to illustrate possible losses and recovery recommendations. In order to optimally support conclusions, you should add information on the procedure and detailed survey results in the appendix. Using the following instructions, you can create your own business impact analysis template and adapt it as required.

The business impact analysis template below shows four tables that should be filled out as precisely as possible. The better you describe the processes, their relationships and implications, the better a contingency plan works.

• Column A: Business area – self-explanatory
• Column B: Number of employees – number of full-time employees within each business area
• Column C: Parent process – description of main function of individual business areas
• Column D: Priority classification – classification of the function(s) according to importance for processes in the respective business area
• Column E: Recovery time objective – required time to restore parent process after outage
• Column F: Recovery point objective – exact time when parent process should be restored
• Column G: Parent process dependent on – name of organization/processes that parent process depends on
• Column H: Parent process required by – name of organization/processes dependent on parent processes

• Column A: Sub-process – description of the supporting functions for which the respective business area is responsible
• Column B: Priority classification – classification of the function(s) according to importance for processes in the respective business area
• Column C: Recovery time objective – time required to restore the sub-process after an outage
• Column D: Recovery point objective – exact time when sub-process should be restored
• Column E: Sub-process dependent on – name of organization/process that are dependent on sub-processes
• Column F: Sub-process required by – name of organization/process that are dependent on sub-processes
• Column G: Quantitative effects – financial implications connected to the sub-process, for example, annual turnover

• Column A: Qualitative effects – non-financial effects, for example, damage to image
• Columns B-G: Required time to recover personnel – shows how much time is needed until staff can return to “Business almost as usual”

• Column A: Recovery strategy – describes the steps each business area must take to recover normal workflows, for example, home office, provisional office space, etc.
• Columns B-G: Required time to recover technologies and services – List of required network services or IT systems that must be provided for a defined period of time

A business impact analysis should not be confused with a risk assessment. Both are important components of a contingency plans which also includes crisis communication. A BIA is usually created before a risk assessment. It serves as a starting point for the management to devise strategies for business continuity based on well-founded results of the BIA report.

A BIA, therefore, focuses on the effects that incidents have on business processes and quantifies monetary and non-monetary costs. The risk assessment, on the other hand, tries to identify specific dangers such as fire, earthquakes, or other natural disasters. It evaluates to what extent employees, real estate, or the supply chain of a company are at risk of such crises.