
Business Impact Analysis (BIA) and Risk Assessment Data Gathering Worksheet

TEMPLATE

© Riskonnect

Background

Department Name:

Department Owner (Director/Manager):

Products and Services Directly or Indirectly Delivered by This Department:
P&S #1
P&S #2
P&S #3
P&S #4
P&S #5

Department Overview
The following table captures key department characteristics that may influence the assignment of recovery objectives and the selection of recovery
strategies.

Department Narrative Description

Customers and Outputs (Internal or External) 

Peak Operating Periods or Seasonality 


Impact Analysis and Recovery Requirements


The following table describes each department’s activity and the possible impact should it fail to operate.

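| Activity | Description | Impact of Downtime (Over Time) | Proposed RTO (hours/days) |
|---|---|---|---|
|  |  | Financial: |  |
|  |  | Regulatory, Legal and/or Contractual: |  |
|  |  | Reputational: |  |
|  |  | Operational: |  |
|  |  | Health/Safety: |  |
|  |  | Financial: |  |
|  |  | Regulatory, Legal and/or Contractual: |  |
|  |  | Reputational: |  |
|  |  | Operational: |  |
|  |  | Health/Safety: |  |
|  |  | Financial: |  |
|  |  | Regulatory, Legal and/or Contractual: |  |
|  |  | Reputational: |  |
|  |  | Operational: |  |
|  |  | Health/Safety: |  |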


Critical Records
The following table summarizes the various informational needs necessary to operate – both electronic and hard-copy.

| Record / Data Name | Description | Location | Backed Up? | Offsite (if yes, list location) |
|---|---|---|---|---|
|  |  |  | Yes / No / Partial |  |


Key Threats, Vulnerabilities and Risk Treatment Options


This section of the BIA data gathering worksheet is used to “link” the department’s inputs to current-state business continuity risk mitigation efforts
(controls), summarize alternate procedures and manual workarounds, estimate impact and likelihood of failure, and identify other possible risk
treatments.

Loss of Key Roles/Personnel


The following table summarizes key roles and/or personnel in order to understand their importance and potential impact on the department.

| Role | Description (Responsibilities and Activity) | Impact of Loss Described | Existing Controls | Probable Impact of Loss | Estimated Likelihood of Loss | Risk Treatment Options |
|---|---|---|---|---|---|---|
|  |  |  |  | Catastrophic / Major / Moderate / Minor | Certain / Probable / Possible / Unlikely |  |

Loss of Key Facility or Equipment


The following table summarizes the facilities used and equipment needed for the operation of this department.

| Facility / Equipment | Description of Use | Impact of Loss Described | Existing Controls, Recovery Strategies, Alternate Procedures | Probable Impact of Loss | Estimated Likelihood of Loss | Risk Treatment Options (Alternate Sites, Contingent Sourcing, etc.) |
|---|---|---|---|---|---|---|
|  |  |  |  | Catastrophic / Major / Moderate / Minor | Certain / Probable / Possible / Unlikely |  |


Loss of Key Technology


The following table summarizes the key technology (i.e. systems and applications) necessary for the operation of this department.

| Technology Name | Technology Source (IT, 3rd Party, etc.) | Description of Use | Impact of Loss Described | Existing Controls or Manual Work Arounds | Probable Impact of Loss | Estimated Likelihood of Loss | Requested RTO (hours) | Requested Data Loss Tolerance (hours) | Risk Treatment Options |
|---|---|---|---|---|---|---|---|---|---|
|  |  |  |  |  | Catastrophic / Major / Moderate / Minor | Certain / Probable / Possible / Unlikely |  |  |  |

Loss of Key Supplies/Vendors


The following table summarizes the key supplies or services provided to the department that are necessary to maintain operations.

| Supply or Service | Source(s) | Description of Use | Impact of Loss Described | Existing Controls (Safety Stock, Alternate Supplier, etc.) | Probable Impact of Loss | Estimated Likelihood of Loss | Risk Treatment Options |
|---|---|---|---|---|---|---|---|
|  |  |  |  |  | Catastrophic / Major / Moderate / Minor | Certain / Probable / Possible / Unlikely |  |


Recovery Requirements

The following tables summarize various resource requirements and when they are needed following the onset of a
disruptive event.

Staffing Resource Requirements


The following table summarizes the quantities, work-from-home capabilities and recovery requirements for those key roles identified above.

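| Role | Normal Level | Current Location | Work From Home* | < Day 1 | Day 1 | Day 2 | Day 3 | Day 4 | Day 5 | Week 2 | Week 3 | Week 4 | Total (needed by role for recovery) |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|  |  |  |  |  |  |  |  |  |  |  |  |  |  |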

Equipment/Supply Requirements
The following table summarizes the quantities, offsite availability and recovery requirements for the key equipment and supplies identified above.

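| Resource | Normal Level | Currently Available Off-Site? | < Day 1 | Day 1 | Day 2 | Day 3 | Day 4 | Day 5 | Week 2 | Week 3 | Week 4 | Total |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
|  |  | Yes / No |  |  |  |  |  |  |  |  |  |  |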


Ratings Definitions
Estimated Likelihood

| Rating Name | Description |
|---|---|
| Certain: More than one failure per year | Failure is almost inevitable more than once annually. |
| Probable: Failure once every 1 or 2 years | This process or similar processes have often failed at least once over a two year period. |
| Possible: Failure once every 3 to 5 years | This process or similar processes have experienced occasional failures, but not in major proportions (no more than every three to five years). |
| Unlikely: Failure once every 6 years or more | Isolated failures associated with similar processes, often occurring once every six or more years. |

Probable Impact

| Rating Name | Description |
|---|---|
| Catastrophic | Failure affects safety or involves noncompliance with customer or regulatory requirements. May endanger personnel. Most likely will result in serious disruption to customer operations and / or other operational, financial or reputation issues. |
| Major | High degree of customer dissatisfaction due to the nature of the failure. Failure does not involve safety or government regulation. May result in serious disruption to customer-facing operations and / or other operational, financial or reputation issues. |
| Moderate | Failure causes some customer dissatisfaction which may include discomfort or annoyance. Customer will notice performance issues and deterioration. The event may result in product or service delivery delay. |
| Minor | Due to the nature of this failure, the customer experiences only slight annoyance. Customer will probably notice slight deterioration of the process or system performance or a slight inconvenience with a subsequent process, i.e. minor rework. |


Need help?

If you're looking for help with building your unique business case, please book a meeting with our team today.

+1 770 790 4700

Riskonnect is the leading integrated risk management software solution
provider. Our technology empowers organizations with the ability to anticipate,
manage, and respond in real-time to strategic and operational risks across the
extended enterprise.

More than 2,000 customers across six continents use our unique risk-
correlation technology to gain previously unattainable insights that deliver
better business outcomes. Riskonnect has more than 800 risk management
experts in the Americas, Europe, and Asia.

To learn more, visit riskonnect.com.
