Chapter 31 - Business Impact Analysis

Abstract

This chapter focuses on the process of business impact analysis. Risk assessment looks at the various threats the company faces, and business impact analysis looks at the critical business functions and the impact of not having those functions available to the firm. These two assessments look at the company from two different angles. The risk assessment starts from the threat side, and the business impact analysis starts from the business process side. Planning for business continuity as an outgrowth of disaster recovery makes more sense to understand the full picture regarding risks and threats and then looks at business impact. Both outputs—from the risk assessment and the business impact analysis phases—are used as input to the mitigation strategy development. The fundamental task in business impact analysis (BIA) is to understand which processes in your business are vital to your ongoing operations and to understand the impact that disruption of these processes would have on your business. Data can be gathered using questionnaires, interview, workshops, documents, and research. There are pros and cons to each approach. Since each company is unique, there is no “one size fits all” template one can use to delineate all critical business processes for all companies. The output for each process and function includes criticality assessment, financial impact analysis, operational impact analysis, recovery objectives, dependencies, and work-around procedures. When this is documented for each business function and key business process, one will have a comprehensive look at the company and a solid business impact analysis.