A Business Impact Analysis (BIA) is a process carried out to assess how an interruption or sudden stoppage of a business’s critical operations, due to an unforeseen accident, emergency or disaster, would affect that business. When creating an organization’s business continuance plan, it is necessary to know what a BIA is and how it should be performed.
Many project managers, especially those who have not been heavily involved in risk assessment or disaster recovery planning, can find themselves asking “What is a business impact analysis?” when asked to add a BIA to their disaster recovery plan. If you’re finding yourself in the same situation, here we’ll explain everything you need to know about business impact analyses.
What is a Business Impact Analysis?
There are several components that make up a BIA and the best way to approach the creation of a BIA is by systematically going through each of them.
The elements that need to be considered:
- Each critical business process
- What emergency or accident could disrupt them
- What the impact would be on the business
- How the effects can be ameliorated
Identify Critical Business Processes
There are certain functions of a business which are more important than others, without which the organization ceases to function in an effective way. These are known as “critical business processes”. For example, an online clothing retailer could deal with its accounting department all getting the flu for three days or its distribution centre being snowed in for a week, but if its online sales portal got hacked and went offline for a day it could break the company. The first two emergencies are bad and will cause huge delays, but the latter event would cause the company to stop functioning.
Note the events (i.e. accidents or emergencies) that could stop or disrupt them
Each critical process is vulnerable to certain events, to varying degrees. To create an effective business impact analysis, it is important to identify these events and to rate the level of risk of each one occurring. For example, for the online clothing retailer’s sales portal, a malicious hack, power cut, or server issues would be major risks, whereas weather or the price of wool would not.
Assess the impact this disruption would have on the business
How much the business is affected will vary with each accident, emergency or disaster. At this stage it can be good to list all the possible effects and their estimated extent, such as:
- Lost sales: $30,000/day
- Cancelled orders: $15,000/day
- Lost customers: 60% reduction in normal daily traffic
- Overtime: $3,000
- Outsourcing: $2,000
This can help to give a better idea of how much such an event will cost, so as to better evaluate the value of a prevention plan.
Estimate the time the disruption will last for
Some emergencies, such as a virus or system crash, are in your hands, while others, like a local power cut, are not. For each of the possible disruptions, estimate how long it is expected to last, which could range from half an hour for a power cut to several days for a crashed server.
Create a plan for how these effects can be lessened
The business impact analysis forms part of your disaster recovery plan, so it is important to also brainstorm solutions to each of the events that could disrupt your critical processes. Some crises can have their chances of occurring lowered to basically zero, while with others the best that can be hoped for is damage limitation.
To ensure all of your important project documents, such as the business impact analysis and disaster recovery plan, are easily accessible for all project stakeholders, Clarizen’s cloud-based software is the perfect solution.