ISO 22301, the International Standard for Business Continuity Management, aptly defines business continuity as the “capability of an organisation to continue the delivery of products and services within acceptable timeframes at pre-defined capacity during a disruption”. A critical component in fulfilling this capability and developing a sound business continuity management system (BCMS) is conducting a business impact analysis (BIA) and a risk assessment.

With a BIA, the organisation is seeking to identify the priorities for recovering disrupted activities (business processes) in terms of timescale, level of activity and required resources. The central concept of BIA is that recovery priorities should be based on the impact that would be sustained in the event of a business disruption.

With a risk assessment, the organisation is seeking to identify events that could cause a business disruption and then determine which of these are unacceptable and, therefore, areas where further treatment is required. These treatments include improving business continuity (BC) capabilities as well as other risk reduction measures, for example an IT risk could be reduced by implementing further redundancies within your own infrastructure or migrating to a Cloud IT infrastructure. The process should consider your organisation’s risk appetite, the basis of risk evaluation and acceptance decisions.

The outputs from the BIA and risk assessment provide the foundation for the development of response strategies and the BC plans designed to deliver the optimal resumption of activities.

What are the BIA and risk assessment requirements
of ISO 22301?

In addition to the existence of a BIA and risk assessment process, ISO 22301 specifically requires that:

The determination of risks requiring treatment is based upon their analysis and evaluation
The BIA includes a determination of the:
– ‘Maximum tolerable period of disruption’ (MTPD) for each activity
– ‘Prioritised timeframe’ for resuming disrupted activities
– Specified ‘minimum capacity’ of resumed activities
– Required resources for each activity and their interdependencies.

What role can business continuity BIA
and risk assessment software play?

BIA and risk assessment software can support the organisation by automating some of the processes involved in:

Identifying the organisation’s key products and services, critical activities and required resources interrelated areas, processes and resources. Specialist software will help replace multiple spreadsheets and supporting documents and can aggregate information from multiple sources
Identifying, analysing and evaluating the risks which could either cause a disruption or could affect the recovery of the organisation.

As such, specialist software can help you better understand what is critical to your business and to treat identifiable risks to improve your business continuity response.

‍

Download Abriska 22301 Product Sheet

We have been using Abriska to support us in carrying out the risk assessment that underpins our ISO27001 certification for some years now. It helps us to easily group and organise our assets, identify threats and vulnerabilities and determine justifiable risk scores. It centralises all of our risk assessment documentation and offers a range of useful extracts such as a statement of applicability and risk register that take much of the work out of the risk assessment process and allow us to focus on remediation.

Frontier Economics

Economic Consultancy

Solutions