Understanding your Organisation’s Priorities By Undertaking a Business Impact Analysis (BIA)
This post is the first in a series of posts that provide a deep dive into each step covered in our earlier Blog, “The 5 Key Stages to Business Continuity Planning”. In this article, we are going to discuss the Business Impact Analysis (BIA) process. We will describe what a ‘good’ BIA looks like and how it ensures that subsequent plans help to protect the value-add elements of your business.
The BIA is the starting point in developing a Business Continuity Plan (BCP). A BIA is important because it provides the foundations and direction from which to build your BCP; this is especially so if you are developing a BCP from scratch. There are two phases that must be followed:
- Phase 1 – Identify
Consider the important operational functions, or priorities, of your organisation and then identify what the effects would be if these were disrupted by, for example, a loss of IT systems, loss of workplace, or loss of staff availability. Then, you need to consider how quickly you need to recover from the interruption. To do this we need to go through a process to answer a straightforward question, “What is it we get paid for?”, or for non-profit organisations this could be, “How do we support our beneficiaries?” The key here is to understand what goes on in your company that generates revenue and creates satisfied customers. It is important to concentrate on products, services and customer “touch points”, and then look to mitigate any risks of these being compromised.
- Phase 2 – Analyse
Now that the operational priorities are established it is time to understand what the consequences would be to the company if they were disrupted. These could be, for example:
- Loss of revenue
- The loss of customer goodwill – how long will your customers tolerate unavailability?
- Contractual commitments – Are there contractual SLAs in place and are there any associated penalties?
- Legal and Regulatory – would a disruption to service or delivery expose you to litigation or regulatory action?
Once this is accomplished then you have achieved the first milestone of setting the scope and objectives of a BCP. It is then time to engage with other areas of the business and assess their business continuity capabilities.
Undertaking this exercise ensures that the detailed planning activities are aligned with the overall operational priorities of the business. It is important that this information is available in a format that can be easily shared within the organisation during future stages of the BCP development; for example, a well-designed spreadsheet will probably suffice. The following diagram provides an example of a completed priority and tolerance assessment (the first stage of any BIA).
This first part, undertaking a BIA, has created a foundation to build upon. The next stage needs to understand what your organisation has in place, what is needed if operational disruptions occur, and whether there is the capability to recover without incurring the related exposures.
This will all be discussed in the next Blog, Phase 2 – Understand your current capabilities & available resources.