Conducting a Business Impact Analysis (BIA) as Part of Your Organisation’s Business Continuity (BC) Planning

Does your organisation need BC if it survived COVID?

Since the pandemic, some organisations have questioned whether they still need to undertake BC planning, but we recommend adopting a ‘lessons learnt from COVID’ approach, rather than ‘we survived COVID so our business continuity capability must be ok’ approach.  The ubiquity of COVID meant that everyone was provided with more leeway than they would typically receive in a disruptive incident, and many organisations which struggled would have benefitted from a more robust BC approach.

Effective BC does not mean you have to be completely impervious to anything and everything you may be confronted with.  However, it does mean you already have a plan in place when disruptive incidents arise, have produced that plan through best practice methods i.e., a BIA, and have validated the plan through exercising and practice.  In doing so, you will know that you are doing everything you can to remain capable, or accept risks around not being able to do so.  

BIAs are the cornerstone of BC

Business impact analyses (BIAs) are undoubtedly the cornerstone of the BC planning process.  They allow you to identify the elements and processes that are essential for your organisation’s functionality and determine how your organisation will be impacted if those elements are disrupted.  Initially, this may seem like a moot exercise – you know your organisation and how it functions.  However, while you may have a strong understanding of the essential areas of your organisation in usual operation, the importance of different functions and activities will often shift during a disruptive, time-sensitive incident.  This is what BIAs aim to identify.

‍

The Importance of Conducting a BIA

BIAs are foundational to the development of effective BC management programs.  An effective business continuity plan (BCP) can only be constructed once you have an accurate picture of your essential requirements in a period of disruption, rather than relying on assumptions informed by business-as-usual operations.

In some cases, BIAs may function as a cost-saving exercise as they can identify excess in your existing BC infrastructure.  For example, you may be paying for a secondary disaster recovery location that can immediately accommodate more staff than you need at the beginning of the recovery process.  Without conducting a BIA, you may not identify areas that can be streamlined and continue to overinvest.

Benefits of conducting a BIA

BIAs can also improve decision making by enabling you to implement preventative measures and, in the event of disruption, by providing you with a straightforward route with which to navigate the incident.  They can help you meet compliance or regulatory requirements, particularly for organisations that need to remain compliant with the General Data Protection Regulation (GDPR) and have a specific window of time in which to notify the affected individuals and the Information Commissioner’s Office (ICO) of a data breach.  The recently updated International Standard for Information Security Management (ISO 27001:2022) also places a significant onus on organisations to ensure their business continuity planning is resilient and effective compared to the previous 2013 version of the Standard, and conducting a BIA is a key part of conforming to this.  

Ultimately, BIAs represent the best practice approach to developing effective business continuity plans (BCPs).  Every aspect of your organisation is important, but a BIA helps you to establish which aspects are the most important within the context of an acute disruptive incident.  BIA, and BC in general, allows you to prepare in advance of disruption, rather than coordinating a response at the time.

‍

What’s the First Step in Conducting a BIA?

The first thing you need to do is to establish a framework for conducting your BIAs, as this will help you achieve consistency across the different areas and functions of your organisation which you will need to engage with.  When asking various departments or individuals to collate information or answer potentially subjective questions, you will need to provide them with a rigorous and consistent framework to guide their decision-making process.

Impacts are not just financial

Your framework should identify and assess the potential impacts of disruption to various aspects of your organisation.  It’s important to note that the impacts you will be assessing won’t just be financial.  In the past, exclusively assessing through the lens of financial impact was often seen as the only standard practice, however, this is no longer the case.  Impacts can and often do arise from other sources or situations, such as operational, legal and regulatory, welfare and reputational.  You will need to establish what a critical impact looks like for each of these areas.

You will also need to establish which aspects of your organisation need to have the greatest resilience.  It may be that there are key products and services which would need to be recovered first in an incident, and the process of deciding what to include here will often be driven by customer or regulatory requirements.  Naturally, this means that other areas of your organisation will need to become a lower priority in a recovery situation, and at this point you will need to liaise with senior management to decide which elements are prioritised.  

Graduated periods of disruption

Within your framework, you should also identify your graduated periods of disruption, i.e., the different time periods over which the impact of the incident will be assessed.  These will vary depending on the nature of your organisation, however, in URM’s experience the most frequently used graduated periods of disruption are 1 hour, 4 hours, 1 day, 3 days, 1 week and 2 weeks.  Generally, you won’t go beyond the 2-week mark as it’s unsustainable to manage an organisation in crisis mode for longer than this.  By this point you will most likely be adapting to some form of ‘new’ business as usual and, as time progresses, it is likely that all elements of your organisation will reflect as being critical which will reduce the value in the exercise if nothing can be prioritised.

When selecting your graduated points of disruption, it is best to focus on quality rather than quantity.  While some of the data points you capture will be essential for understanding the gradient of escalation within an incident, trying to capture too many will take unnecessary effort.  Instead, you should focus on selecting timeframes that will be the most significant.  

Timeframes will differ across organisations

Organisations with large volumes of sensitive data once again represent a good example here.  If these organisations experience a data breach, the first 24-48 hours have a relatively insignificant impact.  However, if they fail to meet notification requirements within the 72 hours allocated by the GDPR, the impact dramatically escalates.  For these organisations, 3 days post-incident is therefore a key milestone, but a focus on the impact 2 days after the event would potentially be unnecessary.  You can apply this principle to the specific challenges your organisation would face in a crisis to identify the most important timeframes that should be focused on in your BIA.

Key terminology

The most important parameters to identify in your framework are the maximum tolerable periods of disruption (MTPDs) and recovery time objectives (RTOs) to be inputted into an impact matrix.  An MTPD is the timeframe in which the outage of a particular system or process becomes unacceptable and could compromise your organisation.  Establishing the MTPD for various systems allows you to delineate between the critical and the non-critical.  If the unavailability of a particular system for 2 weeks during a crisis has an unacceptable impact, that system is critical and needs to be given priority in the recovery process.  

However, you should not aim to recover that system or that service when you reach the MTPD, as this leaves you no margin for error.  Instead, you should have a target to achieve recovery somewhere between the onset of an incident and the point at which you reach the MTPD, and this target is your RTO.  To find this target, it can be useful to conduct exercises which trial the timeframes you are considering.  Your RTO does not need to be unnecessarily rapid – if a particular system doesn’t need to be back up and running in an hour, don’t spend extra time and resources implementing infrastructure that will achieve this.  It does, however, need to be significantly within the MTPD to such an extent as to allow for some contingency should the recovery plan encounter any problems.

Another key term you will come across in BIA is the Recovery Point Objective (RPO), which is a similar concept to MTPD and RTO, but is more data driven.  The RPO is the point at which information, used by an activity, must be restored to enable that activity to continue or operate.  If you hold data that is essential to ensure the continuation of a critical activity, it is important to know how much of that data can be lost before the impact is catastrophic.  This is the RPO.  An example of this key information may be a hospital patient’s medical diagnosis and associated medication they have been prescribed.  Were these records to be lost and irretrievable through system outage, it could have a critical impact upon the patient.  If these records are updated every hour, for example, the RPO would then need to reflect this.

‍

What Methods Can You Use to Conduct a BIA?

There isn’t a singular correct way to conduct a BIA.  You should choose a method that is suited to your organisation, which may be through interviews, workshops, or questionnaires.  Each approach comes with advantages and disadvantages.  Interviews can be time consuming and expensive in large entities, meanwhile questionnaires are the most resource efficient method, but can lead to unreliable and inconsistent responses.  In our experience, workshops are used most frequently, but you should select the most appropriate method for your organisation.  If needed, you can tailor your approach by utilising different methods for different areas or departments, or adopt a hybrid approach.

Importance of establishing interdependencies

Regardless of the method(s) you have selected, you will start your BIA by gathering information.  This includes establishing interdependencies between different areas of your organisation, as well as identifying the critical activities and processes that support your key products and services within the context of an acute disruptive incident.  You may find that while a certain department’s functions are critical during normal operation, only some or one of their functions is critical in a crisis, meaning you can plan for fewer staff members from that department to work during a disruptive incident.  Breaking down a department, function or division of your organisation into the activities it undertakes is therefore vital, as this enables you to establish which aspects of it are essential for the function of your organisation in a crisis. An example of this might be a human resources team that undertakes activities such as recruitment, training, grievance and disciplinaries, wellbeing support and payroll.  Of these, whilst all are important to an organisation, it is likely maybe only one or two, such as payroll and wellbeing support, are extremely time sensitive should the incident occur around payday or at a time when an employee is in need of support. Once these critical activities have been identified, you will need to establish the MTPD and RTO for each activity.  You should also determine which resources are needed to facilitate these activities, so you can then consider the resources you will need to recover or resume them, or how your organisation will be impacted if recovery isn’t possible.  These resources would usually be captured assuming skeleton or basic recovery needs across those graduated periods e.g., if there are twenty members of a customer support team, unless the disruption is directly customer facing, it is likely that just a few of the team would be able to manage for the first hour or two.  After a day or so, this would increase and by the time maybe a week has passed, the whole team would need to be in place.  

‍

Validating the Outputs From Your BIA

The outputs from a BIA include a solid understanding of what your critical activities are, the resources required to recover or maintain them in an incident, the interdependencies within your organisation, and your MAO, RPO and RTO.  Once the BIA is complete, you should be able to categorise your organisation’s activities into critical and non-critical in the context of an acute emergency.

As the information collated in a BIA is usually gathered by asking individuals potentially subjective questions about their own department, it can be difficult to guarantee full impartiality, so it’s important to validate the outputs from your BIA.  Often, this validation will be achieved through a presentation or walkthrough of outputs with senior members of the organization who can provide necessary impartiality.  Once the outputs from your BIA have been verified, they can be used to derive business continuity strategies, or make an informed decision to accept any risks you’re unable to respond to.  Note - it is following the strategies phase that the plan(s) or arrangements can be drawn up and implemented and finally validated through practice and exercising.

‍

The Role of Senior Management in the BIA

The value of a BIA decreases significantly if it is conducted without total buy-in from senior management.   If you engage senior managers, they can help define the context and framework, enabling the rest of your organisation to consider its responses in a consistent manner.  

Only senior management will be able to definitively answer important questions that will be raised during the BIA, such as which timescales are important and defining high, medium or low financial impacts.  By getting senior managers on board with the BIA, they are more likely to encourage full departmental participation in the exercise and support its outputs.  They can also make the final decision about how the recoveries of different departments are prioritised, often providing a more objective viewpoint than the departments themselves.

‍

The Role of IT in the BIA

IT plays a vital part in nearly every organisation, and the interdependencies between the IT department and other areas of an organisation are always crucial.  While IT does not necessarily need to be included in the BIA itself (unless it provides a front-facing, revenue-generating or customer-servicing function), it allows the IT function to discover what exactly is expected of it by other parts of the organisation, which can sometimes go uncommunicated during normal operations.  This gives the IT function the opportunity to set realistic expectations for what it can or can’t realistically achieve during an incident, allowing it to confirm or deny the achievability of RTOs and RPOs, and establish what is required to make them achievable.

Key Success Criteria

It’s important to define the scope of the BIA; if you know in advance that there are certain areas you won’t be able to recover, there’s no point in including them.

To conduct a successful BIA, you will need to ensure it is aligned with corporate business objectives, and that it has clear objectives outlined from the beginning.  

It is important to ‘sell’ the benefits of the BIA to stakeholders, and make sure they understand that the BIA is best practice, not a re-engineering exercise.

Seeking verification and feedback throughout the BIA, but particularly from your organisation’s senior management once all information has been captured and reconciled, is essential.

By taking account of the above criteria, your BIAs are more likely to achieve a successful outcome.

With our approach which is heavily aligned to the International Business Continuity Management System (BCMS) Standard, ISO 22301, URM can provide BIA guidance and assistance which is informed by recognised best practice as well as extensive practical experience.  Our business continuity consultants can help you establish your BIA methodology, providing you with a clear picture of what you will need to recover first, how quickly, and to what level in the event of disruption.  You can also make use of our business continuity BIA tool, Abriska® 22301.  This simplifies the BIA process by replacing multiple spreadsheets with a single database of BIA information and allowing users to easily input information through a secure web-based system.  

URM can also assist your organisation with improving its business continuity capabilities well beyond the BIA, offering a comprehensive range of business continuity services.   We can help you to develop and implement bespoke business continuity plans (BCPs) or incident management plans (IMPs), which are always developed with your ogranisation’s unique requirements in mind.  Once these have been developed, we can devise challenging, original and tailored scenarios to exercise your BCPs and IMPs and provide a report on your team’s response.  If you are looking to certify to ISO 22301, a URM business continuity consultant can guide you through the entire process, from conducting gap analysis to providing implementation and remediation support, and prepare you for a successful assessment.

‍