
IT GOVERNANCE | GREEN PAPER

Business Impact Analysis

Step by step

Protect Comply Thrive


IT GOVERNANCE GREEN PAPER | DECEMBER 2018

Introduction

In an increasingly competitive business world and faced with rapidly diversifying threats, business continuity management is a critical competence. Whatever the circumstances, an organisation must be able to rely on a few constants, one of which is that key activities and resources will be available and reliable.

Most organisations develop contingencies in case of failures as a simple matter of doing business. A head of IT implements backups and purchases uninterruptible power supplies, an office manager schedules regular tests for fire suppression equipment, managers make sure that all expertise does not reside with just one person, and so on. These measures are often based on guesswork and experience, rather than a systematic, organised methodology.

Although common, such an intuitive, subjective approach is risky. Not having formal, tested plans or processes in place may mean that when business really is disrupted, response decisions are not made quickly or well. Not formally listing all your key activities or functions may lead to oversights. And not taking a consistent approach – particularly when multiple people are involved – makes it difficult to determine the organisation’s overall recovery priorities.

Business continuity management is the discipline dedicated to making sure the organisation can continue to function in the face of adversity. Among several other key practices, business impact analysis (BIA) and risk assessment play critical parts in making sensible business continuity decisions, ensuring that processes, targets and expectations are in line with the resources available, business needs and objectives, and legal requirements.

In line with ISO 22301:2012, the international standard for business continuity management, this paper assumes you aim for recovery, rather than delivering the outputs of the disrupted activities in a different way.

What is BIA?

BIA is a process that involves identifying your key business activities and resources, and determining how quickly, in what order, and what resources you need to restore them to minimum functionality or availability in the event of a disruption.

BIA vs risk assessment

For those unfamiliar with it, BIA may sound like a variant of a risk assessment. And understandably so, as the two processes have several things in common. Both ensure a consistent and structured approach to business continuity management, and both play a major role in identifying business requirements and making sure these are addressed.

However, there are some important differences. For instance, each looks at a different type of impact:

• BIA focuses on how impacts caused by disrupting individual business activities (or losing access to certain resources) increase with time.
• Risk assessment focuses on the total, accumulated impact from a particular risk scenario, should it materialise.

In other words, where the BIA helps to work out how quickly an activity or resource needs to be recovered in the event of disruption, the risk assessment determines how likely it is that the activity or resource will need to be recovered at all. The BIA does therefore not consider factors such as:

• The specific incidents/scenarios that can affect each activity/resource;
• How likely these incidents are;
• How severe these incidents might be for the organisation overall; or
• What mitigation controls to use to reduce the impact or likelihood of a given incident.
All these points are considered by the risk assessment, and are essential parts of business continuity best practice, but are not relevant to the BIA itself – which is only interested in whether specific business activities are interrupted or not, and if so, for how long. How the activity is interrupted does not affect the impact on the business.

The BIA process

There are six steps in a BIA:

1. Identify key activities and resources
2. Establish impact criteria
3. Determine the impact over time
4. Establish points of unacceptable impact
5. Determine recovery priorities
6. Feed outputs into the recovery strategy

In the overall business continuity management process, the BIA and risk assessment are conducted after establishing stakeholders’ expectations and needs, as well as the organisation’s business objectives. These play important roles in, for example, determining when the impact becomes ‘unacceptable’.

The risk assessment and BIA are related but independent processes, which is highlighted in Clause 8.2.1 of ISO 22301: “There are various methodologies for business impact analysis and risk assessment which will determine the order in which these will be conducted.” We recommend conducting the risk assessment first, as that gives you the opportunity to reduce the impact of certain risk scenarios, which can subsequently affect the BIA results and recovery priorities.

Common abbreviations in business continuity

Business continuity management system (BCMS)
A management system that implements, maintains and improves business continuity practices.

Business continuity plan (BCP)
A plan for continuing business in the event of disruption.

Maximum tolerable period of disruption (MTPD)
How long an organisation can reasonably carry on without its key activities and resources.

Minimum business continuity objective (MBCO)
The minimum resources or level of activity acceptable to cover the period of disruption.

Recovery point objective (RPO)
The point to which information must be restored for an activity to operate.

Recovery time objective (RTO)
The period during which a disrupted activity must be resumed or a lost resource recovered.
1. Identify key activities and resources

First, identify and list your key activities and resources. The best way of doing this is to talk to various people in different parts of the organisation. Getting the level of detail right on this list is one of the most challenging parts of the BIA. It has to contain enough detail to not end up grouping activities that have different needs for recovery, but not so detailed that you end up overcomplicating the BIA. As a rule of thumb, if the activities can be performed independently from one another, list them separately.

After listing all activities and resources, determine what level of activity (or how much of the resource) you need in order to cover the period between the disruption and starting the recovery. This will depend on the nature of your business, but also on the previously established stakeholder expectations and business objectives.

Finally, decide what resources are necessary for recovering the identified activities and resources to the level you have determined. One way of working this out is by compiling an activity and resource dependency map:

Figure 1: An example dependency map (activities and resources labelled A, B, C, D and E)

Such a map allows you to easily spot how different activities are linked, and therefore identify critical dependencies and resources. It can also help identify indirect business impacts, which can help determine overall impact more accurately.

2. Establish impact criteria

To ensure consistency across the organisation, the impact criteria must be clearly defined – it is otherwise hard to guarantee that comparable impacts are treated equally.

The criteria should not just be aligned to financial damage – although this is generally the easiest to measure and most widely understood – but also translated to other corresponding values, such as reputational damage.

The easiest way of ensuring both consistency and comprehensiveness is by creating a criteria table:

Level  Name           Financial            Reputational
1      Insignificant  £100 – £500          One customer complaint
2      Minor          £501 – £2,500        Multiple customer complaints
3      Moderate       £2,501 – £10,000     Losing one customer
4      Major          £10,001 – £50,000    Losing multiple customers
5      Catastrophic   >£50,000             Losing most customers

Figure 2: An example multi-type criteria table

The criteria in this example could be translated to corresponding values, such as loss of productivity (which might be measured in working hours) or service level reduction (expressed in percentages). Naturally, the values for each level depend on the organisation, but the highest level should assume the worst-case scenario: going out of business.

After establishing the criteria, you must decide how to determine the acceptability of a given impact. There are several ways of doing this – you could, for instance, decide that anything above a certain level is unacceptable, regardless of the impact type. Alternatively, you could go by financial impact only, or take the average of all the different types of impact. Each method is valid, as long as it is consistently applied.
3. Determine the impact over time

You need another consistent, systematic approach to measure the impact over time. The easiest way to do this is to establish a timeline. To determine the points of the timeline, ask yourself the following questions:

• At what point in time does the impact become measurable?
• At what time intervals does the impact change?

Plot these points on the timeline, and use the same points for each activity/resource to help ensure consistency. Next, determine the business impact at each point on the timeline for each activity/resource.

Note that you may have to create multiple timelines to account for seasonality and other variations in levels of activity, such as within several weeks of winning a contract.

Operational management should review the impact you have determined for each activity/resource at each point on the timeline. Management’s experience and position of oversight can prove valuable for identifying possible errors or room for improvement in the impact analysis.

4. Establish points of unacceptable impact

Completing the first three steps correctly will make the remaining steps of the BIA relatively straightforward. At this stage, you have already:

• Established a timeline;
• Determined, for each key activity or resource, the size of the impact after disruption at each point on the timeline;
• Defined the business impact criteria; and
• Decided how to determine whether the impact is acceptable or not.

You can combine all these elements to work out when – on the timeline – the impact becomes unacceptable for each activity (i.e. the maximum tolerable period of downtime or MTPD). You can then use these periods to establish the recovery time objectives (RTOs).

Some activities require another consideration: the recovery point objective (RPO), which describes the minimum level of information necessary for an activity to resume. With today’s reliance on technology, these activities will typically be information systems.

A system is of limited use without its data; it is therefore important to make sure it can be restored in the event of disruption. Determine how many hours of work you can afford to lose, then set the RPOs to when the loss would be otherwise unacceptable. In practice, this will likely be managed through backups.

As a result, the total recovery periods and therefore RTOs may have to be more lenient. Alternatively, you could make more resources available in order to meet the objectives.

5. Determine recovery priorities


Having established the RTO for each activity and resource, it is time to determine the
order of recovery.

Naturally, the RTOs suggest an order of recovery, but you should also keep an eye on
your resources. If it is feasible to meet each RTO (several of which will likely overlap)
with the resources available, establishing the priorities will be a straightforward
process. If current resources will not suffice, you will have to adjust the RTOs and
priorities, and/or provide additional resources.
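As an added illustration (not part of this paper, and not IT Governance’s own tooling), the following Python script works through steps 2 to 5 on constructed sample data. It reuses the financial bands of the criteria table in Figure 2, a shared timeline in hours, an acceptability rule of "level 4 or above is unacceptable", a small dependency map in the style of Figure 1, and constructed recovery-effort figures. Two points are assumptions made for the example rather than anything the paper prescribes: the RTO is taken as the last timeline point before the MTPD, and the feasibility check models a single recovery team working sequentially.

```python
# Criteria table from Figure 2: (level, name, upper financial bound in pounds).
CRITERIA = [
    (1, "Insignificant", 500),
    (2, "Minor", 2_500),
    (3, "Moderate", 10_000),
    (4, "Major", 50_000),
    (5, "Catastrophic", float("inf")),
]

# Shared timeline points (hours after disruption); step 3 recommends the same points for every activity.
TIMELINE_HOURS = [1, 4, 24, 72, 168]

# Constructed sample data: cumulative financial impact (pounds) at each timeline point.
IMPACT_OVER_TIME = {
    "order_processing": [300, 3_000, 20_000, 80_000, 200_000],
    "payroll": [0, 0, 400, 1_000, 60_000],
    "email": [150, 600, 2_000, 6_000, 15_000],
}

# Constructed dependency map (Figure 1 style): activity -> what it cannot run without.
DEPENDS_ON = {
    "order_processing": {"email"},
    "payroll": set(),
    "email": set(),
}

# Constructed recovery effort in hours of work for one recovery team (assumption).
RECOVERY_EFFORT_HOURS = {"email": 2, "order_processing": 3, "payroll": 8}

# Acceptability rule chosen for this example: level 4 or above is unacceptable.
UNACCEPTABLE_LEVEL = 4


def impact_level(financial_loss):
    """Map a financial loss to a criteria level; anything up to the level-1 bound is level 1."""
    for level, _name, upper in CRITERIA:
        if financial_loss <= upper:
            return level
    return CRITERIA[-1][0]


def mtpd(activity, unacceptable_level=UNACCEPTABLE_LEVEL):
    """Step 4: first timeline point at which impact becomes unacceptable (None if it never does)."""
    for hours, loss in zip(TIMELINE_HOURS, IMPACT_OVER_TIME[activity]):
        if impact_level(loss) >= unacceptable_level:
            return hours
    return None


def rto(activity):
    """Assumption: RTO is the last timeline point before the MTPD, so recovery
    completes before the impact becomes unacceptable."""
    limit = mtpd(activity)
    if limit is None:
        return TIMELINE_HOURS[-1]
    idx = TIMELINE_HOURS.index(limit)
    return TIMELINE_HOURS[max(idx - 1, 0)]


def effective_rtos():
    """Propagate RTOs through the dependency map: a dependency must be back at least
    as early as the tightest RTO of anything relying on it."""
    eff = {a: rto(a) for a in IMPACT_OVER_TIME}
    changed = True
    while changed:  # the map is acyclic, so this reaches a fixpoint
        changed = False
        for activity, deps in DEPENDS_ON.items():
            for dep in deps:
                if eff[activity] < eff[dep]:
                    eff[dep] = eff[activity]
                    changed = True
    return eff


def recovery_order():
    """Step 5: recover by effective RTO, never before an activity's dependencies (Kahn's algorithm)."""
    eff = effective_rtos()
    remaining = {a: set(d) for a, d in DEPENDS_ON.items()}
    order = []
    while remaining:
        ready = [a for a, deps in remaining.items() if not deps]
        nxt = min(ready, key=lambda a: (eff[a], a))
        order.append(nxt)
        del remaining[nxt]
        for deps in remaining.values():
            deps.discard(nxt)
    return order


def feasibility(order=None):
    """Check whether one team recovering sequentially meets every effective RTO.
    Returns (activity, finish_hour, effective_rto, meets_rto) per activity."""
    eff = effective_rtos()
    order = order or recovery_order()
    clock = 0
    report = []
    for activity in order:
        clock += RECOVERY_EFFORT_HOURS[activity]
        report.append((activity, clock, eff[activity], clock <= eff[activity]))
    return report


if __name__ == "__main__":
    for activity in IMPACT_OVER_TIME:
        print(f"{activity}: MTPD={mtpd(activity)}h, RTO={rto(activity)}h")
    print("Recovery order:", recovery_order())
    for row in feasibility():
        print(row)
```

On this sample data, email has a lenient RTO of its own (72 hours) but inherits order processing’s 4-hour RTO because order processing depends on it, so it is recovered first. The feasibility report then shows order processing finishing at hour 5 against a 4-hour RTO: exactly the situation the paper describes, where the RTOs and priorities must be adjusted or additional resources provided.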

6. Feed outputs into the recovery strategy


The outputs of the BIA – especially the recovery priorities – provide key information
for your business continuity plan (BCP). Right at the start of your plan, you should
stipulate its purpose and scope; this includes information such as the people and
locations covered, and the scenarios in which the BCP may be used. The BIA provides
the other critical information for this part of the plan: which activities and resources
have to be recovered and to what level, what the recovery timescales are and what
the recovery sequence should be.

The BCP should also detail the prioritised RTOs and the actions/steps and resources
necessary to achieve these, as well as internal and external dependencies and
interactions, and how these might impact one another in the event of disruption.

The BCP naturally needs to contain more information than that provided by the BIA.
However, the information the BIA does provide is critical to ensuring key decisions
concerning recovery priorities and activities are well-informed and ultimately cost-effective.

Useful business continuity resources

IT Governance offers a unique range of business continuity products and services, including books, standards, pocket guides, training courses and professional consultancy services.

ISO 22301:2012 Standard
ISO 22301:2012 specifies the requirements to plan, establish, implement, operate, monitor, review, maintain and continually improve a best-practice BCMS.

ISO 22301 BCMS Toolkit
A complete set of easy-to-use and fully customisable templates, including those necessary for risk assessment and BIA, incident response procedures and BCPs, to ensure your organisation’s survival during an incident.

ISO 22301 – A Pocket Guide
Understand international business continuity best practice, and receive guidance on the best way to implement a BCMS tailored to your organisation’s needs and requirements.

Certified ISO 22301 BCMS Foundation Training Course
This one-day course provides a comprehensive introduction to ISO 22301 and its requirements. Among other topics, the course will cover the principles of risk assessment and BIA.

A Manager’s Guide to ISO 22301
Practical guidance for developing and implementing a BCMS based on the international standard, ISO 22301, including performing a risk assessment and BIA.

Certified ISO 22301 BCMS Lead Implementer Training Course
Comprehensive and practical coverage of how to achieve effective business continuity management, including performing a risk assessment and BIA.

Everything you want to know about Business Continuity
This book shows you how to develop an effective response to the risk landscape and for interruptions to your key activities, minimising the impact on your bottom line, reputation and credibility.

View all our business continuity products and services

Other papers you may be interested in

Business Continuity Management – The nine-step approach
COVID-19 – A challenge to business



IT Governance solutions

IT Governance is your one-stop shop for cyber security and IT governance, risk management and compliance (GRC) information, books, tools, training and consultancy.

Our products and services are designed to work harmoniously together so you can benefit from them individually or use different elements to build something bigger and better.

Books
We sell sought-after publications covering all areas of corporate and IT governance. Our publishing team also manages a growing collection of titles that provide practical advice for staff taking part in IT governance projects, suitable for all levels of knowledge, responsibility and experience.
Visit www.itgovernance.co.uk/shop/category/itgp-books to view our full catalogue.

Toolkits
Our unique documentation toolkits are designed to help organisations adapt quickly and adopt best practice using customisable template policies, procedures, forms and records.
Visit www.itgovernance.co.uk/documentation-toolkits to view our toolkits.

Training
We offer training courses from staff awareness and foundation courses, through to advanced programmes for IT practitioners and certified lead implementers and auditors.
Our training team organises and runs in-house and public training courses all year round, as well as instructor-led and self-paced online training courses, covering a growing number of IT GRC topics.
Visit www.itgovernance.co.uk/training for more information.

Consultancy
We are an acknowledged world leader in our field. Our experienced consultants, with multi-sector and multi-standard knowledge and experience, can help you accelerate your IT GRC projects.
Visit www.itgovernance.co.uk/consulting for more information.

Software
Our industry-leading software tools, developed with your needs and requirements in mind, make information security risk and compliance management straightforward and affordable for all, enabling organisations worldwide to be ISO 27001-compliant.
Visit www.itgovernance.co.uk/shop/category/software for more information.
IT Governance is the one-stop shop for cyber security, cyber risk
and privacy management solutions. Contact us if you require
consultancy, books, toolkits, training or software.

t: +44 (0)333 800 7000


e: servicecentre@itgovernance.co.uk
w: www.itgovernance.co.uk

A GRC International Group plc subsidiary

Unit 3, Clive Court, Bartholomew’s Walk


Cambridgeshire Business Park, Ely
Cambs., CB7 4EA, United Kingdom

IT Governance Ltd

@ITGovernance

/it-governance

/ITGovernanceLtd

© 2003–2020 IT Governance Ltd | Acknowledgement of Copyrights | IT Governance Trademark Ownership Notification
