Business Impact Analysis: Step by step
Most organisations develop contingencies in case of failures as a simple matter of doing business. A head of IT implements backups and purchases uninterruptible power supplies, an office manager schedules regular tests for fire suppression equipment, managers make sure that all expertise does not reside with just one person, and so on. These measures are often based on guesswork and experience, rather than a systematic, organised methodology.

Although common, such an intuitive, subjective approach is risky. Not having formal, tested plans or processes in place may mean that when business really is disrupted, response decisions are not made quickly or well. Not formally listing all your key activities or functions may lead to oversights. And not taking a consistent approach – particularly when multiple people are involved – makes it difficult to determine the organisation’s overall recovery priorities.

Business continuity management is the discipline dedicated to making sure the organisation can continue to function in the face of adversity. Among several other key practices, business impact analysis (BIA) and risk assessment play critical parts in making sensible business continuity decisions, ensuring that processes, targets and expectations are in line with the resources available, business needs and objectives, and legal requirements.

In line with ISO 22301:2012, the international standard for business continuity management, this paper assumes you aim for recovery, rather than delivering the outputs of the disrupted activities in a different way.

BIA vs risk assessment

For those unfamiliar with it, BIA may sound like a variant of a risk assessment. And understandably so, as the two processes have several things in common. Both ensure a consistent and structured approach to business continuity management, and both play a major role in identifying business requirements and making sure these are addressed.

However, there are some important differences. For instance, each looks at a different type of impact:

• BIA focuses on how impacts caused by disrupting individual business activities (or losing access to certain resources) increase with time.
• Risk assessment focuses on the total, accumulated impact from a particular risk scenario, should it materialise.

In other words, where the BIA helps to work out how quickly an activity or resource needs to be recovered in the event of disruption, the risk assessment determines how likely it is that the activity or resource will need to be recovered at all. The BIA does therefore not consider factors such as:

• The specific incidents/scenarios that can affect each activity/resource;
• How likely these incidents are;
• How severe these incidents might be for the organisation overall; or
• What mitigation controls to use to reduce the impact or likelihood of a given incident.
IT GOVERNANCE GREEN PAPER | DECEMBER 2018 3
All these points are considered by the risk assessment, and are essential parts of business continuity best practice, but are not relevant to the BIA itself – which is only interested in whether specific business activities are interrupted or not, and if so, for how long. How the activity is interrupted does not affect the impact on the business.

1. Identify key activities and resources
2. Establish impact criteria
3. Determine the impact over time
4. Establish points of unacceptable impact
5. Determine recovery priorities
6. Feed outputs into the recovery strategy

In the overall business continuity management process, the BIA and risk assessment are conducted after establishing stakeholders’ expectations and needs, as well as the organisation’s business objectives. These play important roles in, for example, determining when the impact becomes ‘unacceptable’.

The risk assessment and BIA are related but independent processes, which is highlighted in Clause 8.2.1 of ISO 22301: “There are various methodologies for business impact analysis and risk assessment which will determine the order in which these will be conducted.” We recommend conducting the risk assessment first, as that gives you the opportunity to reduce the impact of certain risk scenarios, which can subsequently affect the BIA results and recovery priorities.

Common abbreviations in business continuity

Business continuity management system (BCMS)
A management system that implements, maintains and improves business continuity practices.

Maximum tolerable period of disruption (MTPD)
How long an organisation can reasonably carry on without its key activities and resources.

Minimum business continuity objective (MBCO)
The minimum resources or level of activity acceptable to cover the period of disruption.

Recovery point objective (RPO)
The point to which information must be restored for an activity to operate.

Recovery time objective (RTO)
The period during which a disrupted activity must be resumed or a lost resource recovered.
[Figure 1: An example dependency map]

Such a map allows you to easily spot how different activities are linked, and therefore identify critical dependencies and resources. It can also help identify indirect business impacts, which can help determine overall impact more accurately.

The criteria in this example could be translated to corresponding values, such as loss of business.

After establishing the criteria, you must decide how to determine the acceptability of a given impact. There are several ways of doing this – you could, for instance, decide that anything above a certain level is unacceptable, regardless of the impact type. Alternatively, you could go by financial impact only, or take the average of all the different types of impact. Each method is valid, as long as it is consistently applied.
As a result, the total recovery periods and therefore RTOs may have to be more
lenient. Alternatively, you could make more resources available in order to meet the
objectives.
Naturally, the RTOs suggest an order of recovery, but you should also keep an eye on
your resources. If it is feasible to meet each RTO (several of which will likely overlap)
with the resources available, establishing the priorities will be a straightforward
process. If current resources will not suffice, you will have to adjust the RTOs and
priorities, and/or provide additional resources.
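The BIA steps above can be carried out as a small calculation. The following Python is an added worked example, not code from this paper or from IT Governance: it scores impact over time per impact type, applies the three acceptability rules the paper lists (any impact type over a threshold, financial only, or the average), derives the MTPD and RTO for each activity, and then propagates RTOs onto shared resources through a dependency map so that the recovery order accounts for indirect impacts. All activities, resources, scores and the 1 to 5 scale are constructed sample data.

```python
"""Added BIA worked example (not the paper's code): impact over time -> MTPD -> RTO."""
from statistics import mean
# Constructed data. Criteria: 1 (negligible) .. 5 (catastrophic), scored per impact
# type at each elapsed time in hours since the activity was disrupted.
TIMES = (4, 24, 72, 168)
IMPACTS = {  # activity -> {impact type: scores aligned with TIMES}
    "order-processing": {"financial": (2, 3, 5, 5), "reputation": (1, 3, 4, 5)},
    "payroll":          {"financial": (1, 1, 2, 4), "legal":      (1, 2, 4, 5)},
    "marketing-site":   {"financial": (1, 1, 2, 2), "reputation": (1, 2, 2, 3)},
}
# Constructed dependency map: activity -> resources it cannot operate without.
DEPENDS_ON = {"order-processing": ("erp-db", "network"), "payroll": ("erp-db",),
              "marketing-site": ("network",)}
THRESHOLD = 4  # point of unacceptable impact on the 1..5 scale


def unacceptable(scores_by_type, idx, method):
    """The paper's three rules: any type over threshold, financial only, or average."""
    values = [s[idx] for s in scores_by_type.values()]
    if method == "any":
        return max(values) >= THRESHOLD
    if method == "financial":
        return scores_by_type["financial"][idx] >= THRESHOLD
    if method == "average":
        return mean(values) >= THRESHOLD
    raise ValueError(f"unknown acceptability method: {method}")


def mtpd(activity, method="any"):
    """MTPD: first time point at which impact is unacceptable (None if never)."""
    for idx, t in enumerate(TIMES):
        if unacceptable(IMPACTS[activity], idx, method):
            return t
    return None


def rto(activity, method="any"):
    """RTO: last time point at which impact is still acceptable (0 = immediately)."""
    limit = mtpd(activity, method)
    if limit is None:
        return TIMES[-1]
    acceptable = [t for t in TIMES if t < limit]
    return acceptable[-1] if acceptable else 0


def recovery_priorities(method="any"):
    """RTOs for activities and shared resources, most urgent first; a resource
    inherits the tightest RTO of the activities that depend on it."""
    rtos = {a: rto(a, method) for a in IMPACTS}
    for activity, resources in DEPENDS_ON.items():
        for r in resources:
            rtos[r] = min(rtos.get(r, TIMES[-1]), rtos[activity])
    return sorted(rtos.items(), key=lambda kv: kv[1])
```

Running `recovery_priorities("any")` against `recovery_priorities("financial")` shows how the choice of acceptability rule moves payroll's RTO from 24 to 72 hours, which is why the paper insists the rule be applied consistently.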
The BCP should also detail the prioritised RTOs and the actions/steps and resources
necessary to achieve these, as well as internal and external dependencies and
interactions, and how these might impact one another in the event of disruption.
The BCP naturally needs to contain more information than that provided by the BIA.
However, the information the BIA does provide is critical to ensuring key decisions
concerning recovery priorities and activities are well-informed and ultimately cost-effective.