The business impact analysis

Every company has to protect itself from the effects of critical sit­u­a­tions in order to maintain its capacity to contract during times of in­ter­rup­tion. Incidents such as natural cat­a­stro­phes, cy­ber­at­tacks, or theft often happen un­ex­pect­ed­ly, making it all the more important to identify risks and effective strate­gies well in advance. In that context, a business impact analysis (BIA) plays a central role because it is used to record the effects of a crisis on the company in the form of a BIA report. The pre­req­ui­sites for suc­cess­ful risk man­age­ment are to recognize con­nec­tions and mutual de­pen­den­cies within an or­ga­ni­za­tion.

A business impact analysis is a sys­tem­at­ic process that consists of an ex­plo­rative and a planning component. The ex­plo­rative component en­com­pass­es the iden­ti­fi­ca­tion of potential risks that a company faces in the event of business dis­rup­tions. The main focus here is on the specific effects that certain events could have on the or­ga­ni­za­tion and areas such as finance, security, marketing or quality assurance.

The planning component consists of the de­vel­op­ment of strate­gies that are intended to minimize the risks. The result of such an analysis is a BIA report, which is an important part of con­tin­gency planning in addition to a crisis man­age­ment plan. In the following, we detail the procedure and content of a business impact analysis.

The format and exact content of a BIA vary from company to company. However, its im­ple­men­ta­tion is usually always based on the following steps:

1. In­for­ma­tion gathering
2. Eval­u­a­tion of the in­for­ma­tion
3. Summary of the results
4. Pre­sen­ta­tion to man­age­ment

A BIA report can be created in­ter­nal­ly or with the help of external resources. However, co­op­er­a­tion with your employees is usually essential, as they can provide valuable insights for the first step to identify all existing business processes and the re­la­tion­ships between in­di­vid­ual functions and de­part­ments.

This kind of in­for­ma­tion gathering is often fa­cil­i­tat­ed through face-to-face in­ter­views or automated surveys. This makes it easier to classify business functions according to their im­por­tance and to assess the financial and non-financial effects in the event of a failure. When col­lect­ing the data for your analysis, it’s helpful to keep the following questions in mind:

• To what extent are in­di­vid­ual de­part­ments dependent on certain system and business processes?
• What kind of risks do iden­ti­fied vul­ner­a­bil­i­ties entail?
• Who is re­spon­si­ble for service level agree­ments?
• Which and how many employees are required at a recovery location?
• What kind of resources/equipment will be needed in the event of an outage?
• How should cash man­age­ment and liquidity be handled during the recovery phase?

Once you’ve dealt with these questions, you’ll quickly un­der­stand which type of data you require for your business impact analysis. In most cases, the following in­for­ma­tion is required:

• Name of processes and de­scrip­tion
• Re­spon­si­ble de­part­ment and location
• Human and technical resources involved in the process
• List of all inputs and outputs of processes
• List of all de­part­ments dependent on outputs
• Maximum downtime with no no­tice­able impact
• Op­er­a­tional and financial effects of outage
• External/legal effects of outage (e.g. clients, au­thor­i­ties, etc.)
• De­scrip­tion of previous outages and their con­se­quences
• De­scrip­tion of recovery procedure or work dis­place­ment

In the second step, all collected in­for­ma­tion is validated with the help of auditors and then analyzed. When analyzing the data by computer or manually, it’s important to highlight the functions, systems, employees, and resources that are needed for the con­ti­nu­ity of the business. This also high­lights the time frame in which failed functions must be restored so that you can avoid late wage payments, damage to your image, fines or loss of customer sat­is­fac­tion.

The next two steps are all about sum­ma­riz­ing the results clearly and pre­sent­ing a BIA report to man­age­ment. The report can include charts and graphs to il­lus­trate possible losses and recovery rec­om­men­da­tions. In order to optimally support con­clu­sions, you should add in­for­ma­tion on the procedure and detailed survey results in the appendix. Using the following in­struc­tions, you can create your own business impact analysis template and adapt it as required.

The business impact analysis template below shows four tables that should be filled out as precisely as possible. The better you describe the processes, their re­la­tion­ships and im­pli­ca­tions, the better a con­tin­gency plan works.

• Column A: Business area – self-ex­plana­to­ry
• Column B: Number of employees – number of full-time employees within each business area
• Column C: Parent process – de­scrip­tion of main function of in­di­vid­ual business areas
• Column D: Priority clas­si­fi­ca­tion – clas­si­fi­ca­tion of the function(s) according to im­por­tance for processes in the re­spec­tive business area
• Column E: Recovery time objective – required time to restore parent process after outage
• Column F: Recovery point objective – exact time when parent process should be restored
• Column G: Parent process dependent on – name of or­ga­ni­za­tion/processes that parent process depends on
• Column H: Parent process required by – name of or­ga­ni­za­tion/processes dependent on parent processes

• Column A: Sub-process – de­scrip­tion of the sup­port­ing functions for which the re­spec­tive business area is re­spon­si­ble
• Column B: Priority clas­si­fi­ca­tion – clas­si­fi­ca­tion of the function(s) according to im­por­tance for processes in the re­spec­tive business area
• Column C: Recovery time objective – time required to restore the sub-process after an outage
• Column D: Recovery point objective – exact time when sub-process should be restored
• Column E: Sub-process dependent on – name of or­ga­ni­za­tion/process that are dependent on sub-processes
• Column F: Sub-process required by – name of or­ga­ni­za­tion/process that are dependent on sub-processes
• Column G: Quan­ti­ta­tive effects – financial im­pli­ca­tions connected to the sub-process, for example, annual turnover

• Column A: Qual­i­ta­tive effects – non-financial effects, for example, damage to image
• Columns B-G: Required time to recover personnel – shows how much time is needed until staff can return to “Business almost as usual”

• Column A: Recovery strategy – describes the steps each business area must take to recover normal workflows, for example, home office, pro­vi­sion­al office space, etc.
• Columns B-G: Required time to recover tech­nolo­gies and services – List of required network services or IT systems that must be provided for a defined period of time

A business impact analysis should not be confused with a risk as­sess­ment. Both are important com­po­nents of a con­tin­gency plans which also includes crisis com­mu­ni­ca­tion. A BIA is usually created before a risk as­sess­ment. It serves as a starting point for the man­age­ment to devise strate­gies for business con­ti­nu­ity based on well-founded results of the BIA report.

A BIA, therefore, focuses on the effects that incidents have on business processes and quan­ti­fies monetary and non-monetary costs. The risk as­sess­ment, on the other hand, tries to identify specific dangers such as fire, earth­quakes, or other natural disasters. It evaluates to what extent employees, real estate, or the supply chain of a company are at risk of such crises.