The Business Impact Analysis (BIA) is aimed at ascertaining the risk consequences with low probability of occurrence and high impact on the business process (calamity risks). The BIA provides an insight into the financial and non-financial impact per process, division or business unit.

In many organisations, the execution of a Business Impact Analysis (BIA) is the first real obstacle in organising BCM. After all, the calamity risk impact cannot always be quantified accurately. It is considered complicated to express damage in terms of money. And, in the event of non-financial damage, it proves difficult to interpret the reputation damage factor. If, however, the procedural step Policy is of a sufficient quality, the strategic level provides the basis to be able to handle these insecurities, issued from the BIA results. In other words, the organisation itself determines
the degree of acceptance for the BIA results.

The BIA provides insight and transparancy as to the calamity impact and what organisational vulnerabilities exist, as well as their location.

BIA starts with the question “what damage consequences occur in case of process failure.” As the nature of the calamity is not primary important, it is not absolutely necessary to execute a risk inventory, preceding the BIA. Risk inventory can also take place after the BIA.

BIA step-by-step

  • Step 1 – Determining the scope (demarcation)
    To be able to handle the survey, it may be advicable to exclude business processes from the BIA. For instance by putting , before any other thing, the primary processes through a test. In a following iteration, the scope can be extended to additional primary and/or secondary processes.
  • Step 2 – Preparations for the BIA
    Determining the (critical) business processes and show these in a structural manner. Defining dependences within the process or interdependences between processes and determining which employees or means are necessary for executing the process in the business as usual.
  • Step 3 – Execution of BIA
    Determining the calamity impact on critical business processes by executing structured interviews with process owners or process managers, based on predefined questionnaires. Hereby, the ‘Worst Case Calamity’is assumed. By doing so, all calamities of a smaller scale are covered within the scope of measures. Document the quantitative and qualitative impact per process.

Determine the Recovery Time Objective (RTO) and the Recovery Point Objective (RPO) per process. The Recovery Time Objective is the available time for executing all recovery tasks, including the reconstruction of lost data. The Recovery Point Objective is the point in time until which data must be able to be restored.

Analyse to what extend requirements can be met at this moment and quantify the improvement potential of preventive and repressive measures which are to be taken.

  • Step 4 – Reporting
    In the report, the results of the BIA are reproduced. This is input for the Business Case & Benefit Logic.