Written by Aaron Nolan
A Business Impact Analysis (BIA) is one of the first steps any company should go through before, or soon after, becoming operational. The analysis is conducted to bring clarity to the financial and operational impact that a disruption could cause, and to how long each business process can be interrupted before that impact becomes unacceptable.
The importance of the Business Impact Analysis goes beyond providing clarity. It is the foundation on which a Business Continuity Plan is built, and it feeds directly into the organisation's risk management programme.
The goal of Business Continuity Planning (BCP) is to keep the business operating during a disaster until normal business conditions are restored. Planning for business continuity is vital to maintaining the organisation's operations in the event of an emergency.
A Business Impact Analysis should be owned by the management structure of the organisation. It should include senior management and representatives from every department of the business.
The first step in a Business Impact Analysis is choosing the right members of the organisation to represent each team. Each person will view their own risk and their department's risk differently.
Therefore, every team must be represented in the assessment: the perception of risk is subjective, and a risk that seems minor to one department may be critical to another, so every reported risk is relevant.
This makes it even more critical that senior management is part of the analysis, as it is their task to independently quantify and qualify each risk after the departmental reviews have taken place. Legal representation is also advisable throughout the BCP process, or at least at its end, to ensure the plan covers your organisation's legal and regulatory requirements.
As Business Continuity Planning is not a once-off event, it requires ongoing resources. The continual training of staff, the purchase of new hardware and software, and the maintenance of documentation and processes that keep the plan live will need to be budgeted for each year.
Once you have your team in place and an idea of the cost involved in maintaining your Business Continuity Plan, you should identify your scope. Your scope should cover all assets within your organisation, including hardware, software, information, premises and people.
The easiest way to define the scope is to complete an asset register. All the previously mentioned asset types should be addressed and recorded on the register. You may not need to go into great detail with people by listing each member of staff, but you should list the critical positions in each team and ensure succession planning is addressed for them.
Learn how to build your Asset Register in the article
Building your Asset and Risk Register to Manage Technology Risk
The key priority of every organisation is the protection of its people. Human life should be prioritised over every other asset. After that, an organisation may choose to prioritise the security of its hardware over its information, or the reverse, depending on which sector the company is in.
Once a company has identified its assets, the next step is the risk assessment and risk analysis of these assets. Although risk assessment and risk analysis are often used interchangeably, they are different things.
Risk assessment is the identification of the threats to your assets and the vulnerabilities those threats could exploit, whereas risk analysis estimates the likelihood that a threat actually exploits a vulnerability and the impact on the business if it does. These concepts are relevant when you attempt to understand and calculate your risks, so read our article Understanding and Calculating Organisational Risk for more details.
Once you have identified and analysed your risks, the organisation should document, for each one, whether it accepts the risk or mitigates it, the control chosen to mitigate it, and the cost of that control. This is then presented for final approval to the CEO, stakeholders and board members.
There are different approaches to addressing different types of risk. To get more insight and our best suggestions on that, read Developing an Action Plan to Address Technology Risk.
The final step in Business Continuity Planning is plan approval by the CEO, stakeholders and board members. It is essential to have buy-in from the top level for BCP to succeed. Once the plan has been approved and the resources provided, the implementation and maintenance of the programme can start.
A Business Continuity Coordinator and a designated deputy should be trained in all parts of the Business Continuity Process. They, in turn, should put a BCP committee together to ensure the process stays live. It is the committee's job to ensure that the training and education of all employees is complete, that documentation is up to date, and that goals are being met.
Documentation such as a Statement of Importance, a Statement of Priorities and an Outline of Organisational Responsibilities should be issued from C-level to all employees to ensure buy-in from the top down.
Once your Business Continuity Plan is live, the most critical part is ensuring that it stays that way. You should therefore test your plans on a regular basis, using realistic crisis scenarios, to confirm that you can respond to them effectively. While doing this, keep your Maximum Tolerable Downtime (MTD) in mind: the longest period a business process can be unavailable before the damage to the organisation becomes unacceptable or unrecoverable.
The purpose of all of this is to ensure your business stays within its MTD, even in disaster situations. That keeps your operations and employees safe, and your company can resume activities quickly without suffering considerable damage.
To illustrate the extent of financial damage a business could suffer within a few hours of downtime, we have created a Downtime Calculator. Use it to calculate how much your business would lose for every hour in which operations are disrupted.
If your organisation's operations have stopped entirely, then its business processes have stopped, and the organisation is no longer in BCP mode but in Disaster Recovery (DR) mode. Read our article explaining the difference, or visit our Business Continuity page for more information.