
Business Impact Analysis (BIA) and Risk Assessment Data Gathering Worksheet

Background

Department Name

Department Owner (Director/Manager)

Products and Services Directly or Indirectly Delivered by This Department
P&S #1
P&S #2
P&S #3
P&S #4
P&S #5

Department Overview

The following table captures key department characteristics that may influence the assignment of recovery objectives and the selection of recovery strategies.

Department Narrative Description

Customers and Outputs (Internal or External) 

Peak Operating Periods or Seasonality 

Impact Analysis and Recovery Requirements

The following table describes each department’s activity and the possible impact should it fail to operate.

Activity Description | Impact of Downtime (Over Time) | Proposed RTO (hours/days)

Financial:
Regulatory, Legal and/or Contractual:
Reputational:
Operational:
Health/Safety:

Financial:
Regulatory, Legal and/or Contractual:
Reputational:
Operational:
Health/Safety:

Financial:
Regulatory, Legal and/or Contractual:
Reputational:
Operational:
Health/Safety:

Critical Records
The following table summarizes the various informational needs necessary to operate – both electronic and hard-copy.

Record / Data Name | Description | Location | Backed Up? (Yes / No / Partial) | Offsite (if yes, list location)

Key Threats, Vulnerabilities and Risk Treatment Options

This section of the BIA data gathering worksheet is used to “link” the department’s inputs to current-state business continuity risk mitigation efforts (controls), summarize alternate procedures and manual workarounds, estimate impact and likelihood of failure, and identify other possible risk treatments.

Loss of Key Roles/Personnel


The following table summarizes key roles and/or personnel in order to understand their importance and potential impact on the department.

Role | Description (Responsibilities and Activity) | Existing Controls | Impact of Loss Described | Probable Impact of Loss (Catastrophic / Major / Moderate / Minor) | Estimated Likelihood of Loss (Certain / Probable / Possible / Unlikely) | Risk Treatment Options

Loss of Key Facility or Equipment


The following table summarizes the facilities used and equipment needed for the operation of this department.

Facility / Equipment | Description of Use | Existing Controls, Recovery Strategies (Alternate Sites, Contingent Sourcing, etc.) | Alternate Procedures | Impact of Loss Described | Probable Impact of Loss (Catastrophic / Major / Moderate / Minor) | Estimated Likelihood of Loss (Certain / Probable / Possible / Unlikely) | Risk Treatment Options

Loss of Key Technology


The following table summarizes the key technology (i.e. systems and applications) necessary for the operation of this department.

Technology Name | Technology Source (IT, 3rd Party, etc.) | Description of Use | Existing Controls or Manual Work Arounds | Impact of Loss Described | Probable Impact of Loss (Catastrophic / Major / Moderate / Minor) | Estimated Likelihood of Loss (Certain / Probable / Possible / Unlikely) | Requested RTO (hours) | Requested Data Loss Tolerance (hours) | Risk Treatment Options

Loss of Key Supplies/Vendors

The following table summarizes the key supplies or services provided to the department that are necessary to maintain operations.

Supply or Service | Source(s) | Description of Use | Existing Controls (Safety Stock, Alternate Supplier, etc.) | Impact of Loss Described | Probable Impact of Loss (Catastrophic / Major / Moderate / Minor) | Estimated Likelihood of Loss (Certain / Probable / Possible / Unlikely) | Risk Treatment Options

Recovery Requirements

The following tables summarize various resource requirements and when they are needed following the onset of a disruptive event.

Staffing Resource Requirements


The following table summarizes the quantities, work-from-home capabilities and recovery requirements for those key roles identified above.

Role | Normal Level | Current Location | Work From Home* | < Day 1 | Day 1 | Day 2 | Day 3 | Day 4 | Day 5 | Week 2 | Week 3 | Week 4 | Total (needed by role for recovery)

Equipment/Supply Requirements

The following table summarizes the quantities, offsite availability and recovery requirements for the key equipment and supplies identified above.

Resource | Normal Level | Currently Available Off-Site? (Yes / No) | < Day 1 | Day 1 | Day 2 | Day 3 | Day 4 | Day 5 | Week 2 | Week 3 | Week 4 | Total

Ratings Definitions

Estimated Likelihood

Rating Name | Description
Certain: More than one failure per year | Failure is almost inevitable more than once annually.
Probable: Failure once every 1 or 2 years | This process or similar processes have often failed at least once over a two year period.
Possible: Failure once every 3 to 5 years | This process or similar processes have experienced occasional failures, but not in major proportions (no more than every three to five years).
Unlikely: Failure once every 6 years or more | Isolated failures associated with similar processes, often occurring once every six or more years.

Probable Impact

Rating Name | Description
Catastrophic | Failure affects safety or involves noncompliance with customer or regulatory requirements. May endanger personnel. Most likely will result in serious disruption to customer operations and / or other operational, financial or reputation issues.
Major | High degree of customer dissatisfaction due to the nature of the failure. Failure does not involve safety or government regulation. May result in serious disruption to customer-facing operations and / or other operational, financial or reputation issues.
Moderate | Failure causes some customer dissatisfaction which may include discomfort or annoyance. Customer will notice performance issues and deterioration. The event may result in product or service delivery delay.
Minor | Due to the nature of this failure, the customer experiences only slight annoyance. Customer will probably notice slight deterioration of the process or system performance or a slight inconvenience with a subsequent process, i.e. minor rework.
