Business Impact Analysis (BIA) - the foundation of business continuity

Business Impact Analysis (BIA) is the act of identifying and prioritising an organization’s services (internal and external) that should be up and running in the event of disaster. Combined with maximum tolerable period of disruption(MTPOD), return time objective (RTO), return point objective (RPO) and minimum service levels, it gives the business continuity management/CEO the ‘requirement’ for continuity. Once done efficiently, thus enables ‘cost-benefit analysis’ for the Business continuity budget as well as any associate decision.

Note that this is not IT strategy, it is business strategy first.

Here are some of the outcomes/business benefits of BIA:

1. Business impact analysis (BIA) Helps to identify organisation into services or activities. ISO 22301 calls it mission critical ‘activities’.

2. Business impact analysis (BIA) helps define organization into 3 or more logical set of services. Examples are revenue generating services (RGS), essential infrastructure services (EIS) and delayed start services (DSS). You may replace RGS with your own set of mission critical terms. A hospital may replace RGS with key patient support services or any other suitable terminology.

3. Business impact analysis (BIA) helps you identify which strategy is best for you, which is not (Strategies are (Build, Buy or Rent) working from home, intra-city, intercity, out-of-country, out-of-continent) using a monetary and non-monetary approach.

4. Business impact analysis (BIA) helps formulate single or multiple Incident management Plans(IMPs) and Business Continuity Plans(BCPs) against individual threats (fire/floor/earthquake/tsunami, pandemic) and impacts (site outage, network outage, people outage)

5. Business impact analysis (BIA) can be performed relatively quickly compared to strategy and Incident management plan (IMP) or the business continuity plan (BCP) formulation/implementation.

6. For those seeking ISO 22301 compliance, BIA is mandatory. BIA forms the basis of other associated processes such as risk assessment, strategy formulation, selection of choice.

7. Last but not the least, if you are not sure of the scope of business continuity management, do BIA. It will help bring everyone on the same page; if you have a BCP without a BIA, getting a BIA helps management align with the BCP.

Coral eSecure provides consulting and certification support for ISO 22301.