How to conduct a Business Impact Analysis (BIA) – step by step

A business impact analysis (BIA) helps a business prepare for unexpected events by predicting potential disruptions and the different levels of consequences they may have on the business. The BIA also includes the information needed to develop a recovery strategy. A BIA is necessary for the successful development of a Business Continuity Plan (BCP).

Step 1: Conduct interviews

Interview managers and employees to determine what innate risks exist in their area and how outside risks may impact their area of the business. This should include anything from minor delays to a complete shutdown of their department. Or even how a company-wide shutdown might have specific to their department or vendors.

The best way to conduct these interviews is with a BIA questionnaire that outlines the operational and financial impacts.

Step 2: Identify the critical functions

Once the interviews are complete, the business should have clear insight into the key business areas that must stay running to some degree in order to keep the business functioning as close to normal as possible.

Step 3: Identify the dependencies

Identifying the key resources required for the critical functions will help ensure that the business understands which resources must always be available for the success of the function and the business. These resources may include everything from products and supplies to employees and roles. Knowing these necessary resources will also ensure that the business thinks through its options for what to do in advance of these resources becoming unavailable.

Step 4: Calculate functions survival time

Knowing how long the critical functions can survive without their key resources creates a healthy sense of urgency for having quick solutions and workarounds in place. It also helps the business prioritize its functions by survival time so that during a time of crisis/disruption, the business knows which functions need to be addressed immediately and which are less urgent.

Step 5: Identify vulnerabilities & threats

Understanding key functions, their dependencies, and their survival time is one piece of the puzzle. The other piece is understanding the ways in which the business is vulnerable to situations where these key functions and resources may be challenged or lost.

Identifying the threats and vulnerabilities can help businesses close those gaps when possible and prepare in advance for those that cannot be avoided.

Step 6: Calculate the risk

Calculating the risk for each function helps the business understand the likelihood and cost of these threats and vulnerabilities occurring. Knowing how these risks could operationally and/or financially affect the critical business functions includes understanding some of the following impacts (and more):

  • Customer dissatisfaction
  • Delayed or lost sales or income
  • Increased expenses due to additional labor, marked up prices on goods or services, the cost of outsourcing, etc.
  • Regulatory fines

It’s equally important to evaluate the timing and duration of a disruption to truly understand its potential impact and consequences depending on when the event occurs.

It’s critical to consider that the timing of an event drastically changes how much of an impact that event will have on the business. For example, an event occurring during the business’s down season may not have much of an impact. But an event occurring in the beginning or middle of the busy season is likely to have a very high impact.

For duration, you must evaluate the different durations of time that an event could last (from an hour to several days) to understand the potential business impact. For example, an event that lasts a couple minutes or an hour may just be a minor inconvenience. But an event that lasts several days could create significant business losses.

Step 7: Create a report from the interview data

Once all the information from the previous steps is collected, it should all be organized and documented in a BIA report. This report should outline all the critical functions, their dependencies, how long they can survive without those resources, the occurrences that could put these functions and resources in jeopardy, and the likelihood and cost of them occurring.

With the BIA report fully completed (and saved/backed up in multiple places), the business will be more prepared to handle risk and disaster events. Now, you are ready to start developing your BCP.

2 thoughts on “How to conduct a Business Impact Analysis (BIA) – step by step”

Leave a Comment

Your email address will not be published.

Have Questions?

Want to find out more about how Resilience3™ security, risk, and compliance solutions will improve your business resiliency?