Business Impact Analysis (BIA)
A BIA is an objective, management-level analysis tool that uses data provided by business function managers.
Think of a BIA as your yearly medical checkup, and a business continuity plan as a prescription. Your doctor would not write you a prescription for medication before conducting an assessment and confirming a diagnosis. For the same reason, an organization should never write a business continuity plan before conducting a business impact analysis.
During a BIA, an organization is analyzed to identify all business processes, determine the time-criticality of those business processes (based on impact) and identify the dependencies that enable them to occur.
Once approved by Executive Management, BIAs provide the data and assumptions upon which recovery strategies are based and Business Continuity Plans are written.
A BIA should answer the following questions:
- What is the time-criticality of business processes in an organization?
- What are those processes’ Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs)?
- Are there any Revised Operating Levels (ROLs) that are acceptable to the organization?
- What is the potential magnitude of financial, operational and reputational impacts and exposures?
- How do they change and escalate over time?
- What are the business function dependencies (internal & external)?
- What resources and technology infrastructure are needed to support processes and operations?
- How much financial “pain” can each function endure?
- When does each function reach that level?
- What are the possible “single points of failure” as they relate to business continuity and recoverability.
A BIA should provide process mapping, prioritization of recovery and validation that dependencies will be in place to support business processes at the right time.
Recovery Time Objective (RTO)
An RTO is a timeframe in which a process must resume a level of operational functionality that will prevent unacceptable financial, legal or reputational impacts from being incurred. RTOs are expressed in fixed periods of hours, days and weeks.
Recovery Point Objective (RPO)
Based upon the organization’s information backup strategy, the RPO reflects the age and currency of data that can be recovered. For example, if data is backed up daily the shortest RPO that can be acheived with certainty is 24 hours.
Revised Operating Level (ROL)
An ROL is a compromised level of productivity that is acceptable as an interim solution while full recovery is being implemented. The ROL often reflects and supports commitments made in existing service level agreements.