Having a business continuity plan or any proactive plan to protect your business in the event of a disruption is a critical component in your overall business strategy. But in order to plan for a disruption you have to know what risks your business actually faces. This is where a business impact analysis comes into play. A business impact analysis (BIA) is the first step in any true business continuity planning process. A BIA helps determine and evaluate the potential effects disruptions, accidents, or emergencies can have on both the critical and non-critical functions of a business.
These effects include:
- Lost/delayed sales or income
- Increased or unexpected expenses
- Regulatory fines
- Contract failures or penalties
- Dissatisfied or lost customers
A business impact analysis is performed under two assumptions that help reveal vulnerabilities, establish planning strategies, and minimize the risk associated with disruptions.
Assumption 1: Each part of the business depends on the continued operations of all the other parts of the business.
Assumption 2: Some functions of the business are more important than others and will need more resources, and to be addressed faster than other functions in a disruption scenario.
A BIA should always be done at the start of the business continuity planning process. If you’ve never created a business continuity plan, the time to do so is now! But, if you have a business continuity plan and you have done a BIA in the past you’re not necessarily off the hook forever. As yourself, and your coworkers these questions:
- Has this ever been done before?
- Was our last BIA performed over a year ago?
- Has the company gone through any major changes recently?
- Do the current department heads know all the possible risks and what to do in a disaster scenario?
If the answers to questions two-four are yes, yes, no, it’s time to do another BIA and update your business continuity plan.
Why is a Business Impact Analysis Important?
A business impact analysis gives leadership and the entire organization a good overall view at possible risks to the company, and not only helps plan the recovery process but also gives insight into new ways to be proactive today to minimize the disruption risk.
The following are the benefits of this analysis:
- Provides management with all the necessary information to make quick and informed decisions in times of crisis.
- Gives everyone insight into the most vital company functions and how to allocate resources and prioritize in the event of a disruption.
- Instructs employees on their roles in the recovery efforts until the company is fully operational.
- Identifies all non-operational impacts to the company that will need to be addressed as soon as a certain level of operational functionality is restored.
Performing and Communicating your Business Impact Analysis
This is just a general outline or process for performing a business impact analysis, if your company has a certain way to conduct things like this, definitely use that! But, for those who have never done this before we want to make sure you have a general idea of what the process looks like.
Approval and Senior Leadership Buy In
The first step in any major project like this is to ensure that senior leadership is on board. As with anything in business, if senior leadership doesn’t portray something as worthwhile and communicate that to the rest of the company getting other employees to buy in can be difficult.
Once you’ve obtained approval and buy in, this is the time to work with leadership to establish the goals, objectives, timeline and scope of the project. This discussion should also include any thoughts on engaging an outside professional, if that’s something your team thinks is necessary.
This is typically done through interviews and questionnaires with managers, senior leadership, team leaders, and anyone with critical knowledge of any specific or unique functions your business performs. Remember that this may also include outside vendors or business partners.
For each business department or critical function you will need to have the following information:
- The “functional parent” of the process, this may be a department or location
- The process name and a detailed description
- List of all inputs and outputs from the process
- Maximum allowable disruption time before impact occurs
- Descriptions of the financial and operational impact from a disruption
- Human and technology resources needed to support the process (including computers, networks, offices, people, etc.)
- A description of the customer impact of external facing or inward facing processes, and a list of departments that depend on the process outputs
- Explanation of any legal or regulatory impacts that may result from a disruption
- Description of past disruptions and impacts from each
- Description of workaround procedures or work shifting options to other departments or remote workers
Review and Synthesize Data
Now that you have all the data it’s time to bring the team back together and compile all the data in an easy to read format. From all the information collected you should be able to:
- Prioritize the most important business functions
- Identify all necessary resources for each function and department for all possible risk scenarios
- Determine recovery processes and time frames for all functions and risks
Build the Report
All the information and any conclusions or plans resulting from it should be compiled into an easy to read and reference document for future use. Here is a general outline of what a completed BIA report looks like:
- Executive Summary
- Objectives and Scope
- Methodologies for Information Gathering
- Analysis and Summary of Results
- Individual Department Section Details
- Department Specific Processes
- Disruption Impact
- Disruption Duration Timelines
- Tolerable Loss Levels
- Options and Costs for Various Recovery Strategies
- Relevant Supporting Documents from the Review Stage
- Overall Recovery Recommendations
- This should include the prioritization of functions and processes to get the business back to full functionality.
Present to Management and Employees
Once the report is finished it’s time to present it to management and communicate the details to all employees.
Management and leadership will obviously have the final say and decision making power, so before any final touches are put on it’s important to run through the entire analysis with them. Once that is finished it’s time to go through the plan with the entire company. While leadership will be making the overall decisions on recovery options and efforts, each employee has a role to play and it’s important that they know what that role is.
And just like that you’re done with your business impact analysis and one step closer to having a complete business continuity plan!