Risk Management Process- Part 2: Business Impact Analysis
The Critical Role of Business Impact Analysis
In the first part of our miniseries on risk management, we introduced the operational risk management process and outlined its different parts. This time, we are exploring one of those key parts: the business impact analysis (BIA) process.
In today’s increasingly complex business landscape, organizational leaders must understand the total cost of downtime, including negative impacts to finances, reputation, contracts, legal and regulatory standing, and operations, to name a few. When leaders clearly understand how these impacts arise during and after a disruption, they can begin the appropriate level of business continuity planning.
BIA is an essential component of risk management and business continuity planning efforts. Let’s look at what it takes to go through the BIA process.
Business Impact Analysis Overview
A BIA predicts the consequences of disruptions on business functions, quantifying their impact. It identifies potential loss scenarios and the resources required to ensure operational continuity and resilience during and after a disruptive event. The outputs of a BIA, as shown in figure 1, provide the basis for risk management and recovery strategies.
Our “Business Impact Analysis” article provides an opportunity to explore BIA itself in depth. But here, we are going to focus on the steps involved in the BIA process.
The Steps of a BIA
BIAs are shaped by a variety of factors. An organization’s size, structure, industry, processes, products, and service offerings—as well as its legal and stakeholder requirements—all influence a BIA. But regardless of the organizational particulars, every successful BIA contains three basic steps.
1. Identify Key Business Functions and Processes
Completing a BIA for every business process can be challenging, especially for large organizations. To avoid this challenge, you should first identify and focus on the essential departments and business units. To do this, conduct a thorough assessment of these units and gather information to identify a comprehensive list of vital business functions, their level of criticality to the overall organization, and their resource dependencies. This process should include a review of essential software solutions, hardware, database and network systems, and other IT infrastructure.
2. Gather Information: Both Qualitative and Quantitative
There are several ways to gather information about an organization’s critical processes and vulnerabilities. Thoroughly gathering information means combining qualitative and quantitative data.
In-person interviews, questionnaires, and group interviews with customers and vendors are great ways to gather qualitative data. These interviews should target division heads, departmental managers, and key employees from across the organization, people who are acquainted with how the organization generates revenue, maintains new and existing customers, tracks sales, and executes critical business processes. Because these personnel are directly involved in executing the various business functions, they can reliably assess the criticality of the underlying processes.
Quantitative information comes from databases, finance systems, and ERP tools. These systems provide the BIA team with concrete data about the organization’s business process, which helps quantify disruption cost and identify critical dependencies between processes.
3. Analyze the Information
The previous two steps produce a comprehensive list of the company’s critical processes and the key roles, expertise, and knowledge needed to carry out those processes. Next, we need to identify the resources required to optimally operate these critical processes.
Critical business functions have both internal and external dependencies and also correlate to IT systems. We can identify these dependencies by analyzing the information gathered in steps 1 and 2, which then informs the scope and direction of risk mitigation efforts for each critical business function/process. It’ll also help estimate the time and resources needed to cost-effectively facilitate recovery efforts.
Creating the BIA
Although there’s no standardized format, a thorough draft BIA should detail essential business functions, the maximum tolerable downtime assessment of each, and the criticality and impact assessments. A comprehensive BIA report includes:
- Key functions and processes
- Resource and process interdependencies
- IT dependencies
- Service-level agreements
- Financial, legal, HR, and operational impacts
- Competitive, investor, and market impact
- Customer perception impact
- Workaround procedures
- Recovery resources and time requirements
- Key roles, knowledge, and expertise required for recovery
Once the BIA report draft is complete, you should conduct a draft review meeting with all stakeholders and key personnel to resolve any conflicts, data gaps, and ambiguity. The draft suggestions from this meeting will finalize the document.
External BIA Considerations
Business disruptions can have serious regulatory and PR consequences. Since these are external to the organizations, the BIA team must quantify and include these impacts in the BIA report. Let’s take a look at some of these external considerations.
Legal Impacts
The legal impacts of business disruptions include failure to comply with regulations, force majeure, breach of warranties, and failure to fulfill contracts. There may also be quality and safety impacts such as environmental damage, compromised worker safety, and inability to maintain product/service standards.
Strategic Impacts
Strategic impacts include reduced resources for innovation, decreased focus on new business opportunities, and delays in new business initiatives.
Intangible Impacts
Though intangible, these elements have very real consequences. Intangible impacts include loss of staff morale and diminished value of intellectual property, damage to brand value and loyalty, negative business reputation, and decreased customer satisfaction that leads to customer defection.
Upstream and Downstream Impacts
Upstream and downstream losses are some of the indirect impacts that organizations can suffer from disruptions. Upstream losses occur when a key supplier is affected by a disaster. If your business processes depend on the delivery of certain components, products, or services from third-party companies, your organization may experience upstream losses if any of these companies fail to deliver.
Conversely, downstream losses occur when a disaster affects key customers, employees, or people who are essential to critical business functions, operations, and financial stability. Because modern supply chains are global, disasters in a foreign country could impact your supply or value chain and cause upstream/downstream losses.
ISO 22317: A Standard for BIA
ISO 22317 is the first and the only international standard detailing technical specifications and guidance on how to implement and establish a BIA process. Designed to complement ISO 22301 and 22313 (which address business continuity), ISO 22317 helps organizations comprehend the concepts, techniques, tools, methods, and regulatory and contractual requirements required for maintaining a BIA process. While the standard doesn’t specify a universal process for conducting a BIA, it does provide guidelines on how to design and effectively implement a BIA process.
ISO 22317 is a very helpful tool for individuals and teams in charge of conducting a BIA for their organization.
The Bottom Line about Business Impact Analysis
The inputs for BIA are key business functions, processes, and IT systems and infrastructure. The outputs include financial impact analysis, criticality assessment, operational impact analysis, dependencies, recovery objectives, and work-around procedures. Once these outputs are outlined for each input metric, you will have a comprehensive BIA report in hand.
The business impact analysis is possibly the largest data gathering and most time-consuming aspect of business continuity planning. It involves stakeholders from across the entire organization; it shouldn’t be done by just the business continuity (BC)/disaster recovery (DR) team. You will have to gather and analyze vast reams of data, predict “unpredictable” events, measure the impacts of these events on your business, and come up with a feasible recovery strategy in case these events happen. BIA is as critical for BC/DR planning as it is for risk assessment because the quality of the BIA will set the bar for an organization’s risk management process outcome.
While there is no set template for BIA, you can follow the steps outlined in this blog, along with ISO 22317 guidance, to begin risk management with confidence. In our next installment, we are going to move to the next major phase of the risk management process for operational risks: risk assessment. We will cover the three essential steps involved in that stage.