Key Steps in Business Impact Analysis

Leading a business means deciding which risks are worth taking, and a business impact analysis (BIA) provides a critical resource for making informed risk management decisions. This blog explains how to conduct an effective business impact analysis that will point you toward the right investments for your overall risk assessment strategy. 

Let’s start with a few fundamentals: At the basic level, your risk management goal is identifying the likelihood and impact of any given risk. You’re looking for answers to questions such as, “How likely is it that our ERP platform could go down? How long would it take us to restore operations? How much does it cost us every hour that our ERP is down?” 

A risk assessment helps you identify your vulnerabilities. With that information in hand, you can then conduct a business impact analysis to help you determine what will happen to your organization if you actually take a hit in a vulnerable area. The business impact analysis assigns actual costs to each risk, which then guides creation of plans and policies that let you prepare accordingly. 

Your budgeting process becomes much more clear when the business impact analysis puts a price tag on specific operational interruptions and points to whether you should invest in preventing or mitigating those interruptions. (For help making sense of all the terms used in the realm of incident response, read this blog summarizing the relationships among incident response, disaster recovery and business continuity.) 

Disruptions to Consider 

Your team assigned to the business impact analysis will need to set their minds to “glass half empty” mode. Think about all the bad things that could befall your organization. Common scenarios include: 

• Hackers encrypting your data in a ransomware attack or shutting down your system with a DOS attack. 
• A natural disaster shutting down your facility or preventing employees from reporting to work. 
• A key employee quitting immediately and unexpectedly. 
• Losing a key application or service that is mission-critical to your overall business. 
• A supplier failing to deliver critical components because they get hit with something on this list. 

For each disruption, you should account for special timing that could amplify the situation’s impact. Think about your critical production times in any given year, or even in a given week or day. An issue that shuts you down for two hours at midnight on a holiday weekend is one risk level. It’s quite another if that shutdown hits at 1pm on a weekday. 

Also be sure to consider dependencies within your organization. Identify where problems will start cascading to other areas, ramping up the business interruptions and costs. 

Costs to Consider 

Now that you’re thinking about worst-case scenarios, stay in the zone and start calculating the costs from the various disruptions on your list. Account for factors such as: 

• Financial penalties for failure to meet service level agreements (SLAs) in your contracts. 
• Lost revenue both in the short term (because you aren’t delivering product/services) and in the long term (because customers leave you for another vendor). 
• Hard costs to restore data or physical facilities. 
• Additional interest/fees accrued because you couldn’t pay your bills. 
• Regulatory penalties for data breaches, etc. 

Knowing the costs will help you start to establish recovery time objectives (RTOs) and recovery point objectives (RPOs) in each risk area. The RTO sets expectations for how quickly you need to get running again in a specific area. The RPO identifies how far back in time you must go to recover the data you need. For data such as training materials, an RPO of a week or even a month ago may be fine. For other situations, such as market-driven financial data, your RPO may be more like 30 minutes. 

How to Conduct a BIA 

Your business impact analysis team will follow these common steps: 

• Get Executive Buy-In – You’ll need widespread participation to conduct an accurate analysis. Talk with top leaders to win their support and then have them communicate that they expect others to do their part to make the business impact analysis effective. 
• Assign a Team to Conduct the Analysis – If you don’t have the internal expertise for this work, you can hire a third-party partner like HBS to guide you. Along with adding experience in this area, an outside consultant helps make up for any blind spots or inherent biases that come with evaluating your own risks. 
• Establish the Scope – Determine whether your business impact analysis will address one department, the entire organization, etc. 
• Gather Information – To fully assess various interruptions, you’ll need input from a variety of stakeholders throughout organization. Gathering insights from department leaders, managers, etc. will help you discover threats you hadn’t thought about and get more accurate estimates of what interruptions can cost you. The U.S. Department of Homeland Security offers a simple BIA questionnaire you can use as the starting point for your surveys. Most teams follow up on the questionnaires with in-person interviews. 
• Analyze the Information – This is the heavy-lifting stage. The team will designate each business process as critical or non-critical, rank processes by priority for restoration, indicate costs of interruptions and restorations, etc. 
• Issue a BIA Report – This document summarizes all the areas discussed above in clear, quantifiable terms so that your organization’s leaders can make informed decisions. It also provides supporting documentation for readers who want to take a deep dive. 
• Develop Plans – With clear analysis of risk, likelihood and remediation costs, you can start planning your activities and spending. 

Take Action 

For help with BIA and all other aspects of risk assessment and incident response, contact us today.