5 Best Practices for Doing a Business Impact Analysis (BIA)

What is a Business Impact Analysis (BIA)?

A Business Impact Analysis (BIA) is an important step in a company's overall Risk Management Program and Business Continuity Plan (BCP)

A proper business impact analysis tells you what could happen to your company in the face of various disasters and hazards. It identifies your company’s vulnerabilities and enables staff to plan for risk management. The business impact analysis quantifies the cost of situations that negatively affect your company, from the business revenue lost to the less direct effects such as increased wages if a problem results in overtime.

The Elements of a Good Business Impact Analysis ( BIA)

A well-executed BIA offers a number of benefits, including:

1. Setting the foundation for an effective continuity program
2. Helping your organization gain competitive advantages
3. Providing insight into physical, operational, and systemic risk
4. Bridging the gap between IT and business decision-makers

Business Impact Analysis Steps- Getting Started with your BIA:

1. Identify critical business functions and processes.
2. Identify critical dependencies that support those functions, such as staff, vendors, systems, and equipment.
3. Rank the criticality levels of processes/systems and analyze impact over time.
4. Identify customers downstream from critical functions and processes.
5. Set the scope for building your organization’s business continuity plans.

Why is it important to conduct a Business Impact Analysis (BIA)?

Your business is only as strong as your business impact analysis. Why? Because this is the road map that will lead you out of any problem, large or small. If it is a well-made map, you can navigate with ease. If it is out of date, incomplete, or otherwise compromised, however, you will not be able to get back to business as usual without a lot of hassle. The business impact analysis quantifies the cost of situations that negatively affect your company, from the business revenue lost to the less direct effects such as increased wages if a problem results in overtime.

What is the difference between a Business Impact Analysis (BIA) and a Disaster Recovery Plan?

The business impact analysis isn’t a full risk assessment, nor is it a disaster recovery plan, but it informs these next steps. What is the difference between a Business Impact Analysis ( and Business Continuity Plan (BIA and BCP)?

BIA and BCP are part of an overall DRP ( Disaster Recovery Plan).  

Specifically, a BIA ( Business Impact Analysis) e identifies the potential risks that would cause your business to be interrupted or your systems to fail in certain scenarios like a power outage, flood, or terrorist attack.  

A BCP (Business Continuity Plan) is the set of operating procedures that a business or disaster recovery team may take in order to ensure the business can function without hindrance or downtime during one of these events.  

What are some of the best practices of a Business Impact Analysis (BIA) and BCP (Business Continuity Plan)?

To make sure you have a strong foundation for your business, follow these best practices when completing your business impact analysis. ( Business Impact Analysis Steps):

1. Give Yourself Enough TimeA BIA should not be rushed. A realistic timeframe is the best way to start this process. It is likely not something that can be done in a day, but you also don’t want to stretch it out for so long that it is obsolete before it is ever finished. Take the time to thoroughly examine the business, conduct interviews, and understand the systems in place, while making sure that the completion of the BIA is enough of a priority that it will get done.
2. Think About More than FinancesOf course, the financial impact is at the forefront of many people’s minds. If you lose money, your company will clearly be in worse shape than it was before a negative incident. But there are more impacts to consider than just those on the financial side of things. What about your company reputation, customer satisfaction and retention, and employee morale, to start? All of these things can have a financial impact too, but they can also reach wider than dollars and cents.
3. Don’t Forget to be Thorough and Analyze the ResultsSimply completing a business impact analysis isn’t enough — you have to get to the analysis part! This is where you will identify what parts of your business operations are the most crucial, so you can determine what resources are needed to keep them going or recover them quickly if something happens. Analyze your Single Points of Failure- (SPOF) on your physical, logical, and administrative domains and figure out what is crucial from a recovery point objective (RPO).
4. Revisit and Update your BIA RegularlyBusiness impacts change as your business changes, whether internally or externally. Your analysis needs to adjust, too. If your BIA is outdated, it will not be of much help. Any time your company changes operations, staff, physical resources, or functions, take a look at your BIA and change it as needed.

Change Control Impact:

Did a critical piece of network infrastructure just get changed? Did you update your BIA to reflect and account for that change and its effect on your SPO and RTO?

Regular Reviews: It is a good idea to check your BIA report on a regularly scheduled basis, just to make sure that it is still accurate and effective. Taking the time to revisit and update your BIA now could save you a lot of heartache in the future.

‍Run Table-Top exercises ( with a stopwatch) to simulate your disaster scenarios and determine how long it takes you to get to the first actionable steps. Do all your staff have ready access to the tools, documentation, resources, vendor contacts, warranty serial numbers, emergency contacts, etc.? How accessible are they

‍Determine your Single Points of Escalation (SPOE) in your business.

For example, do you have to get approval to call someone, or approval to get an order processed for an RMA or overnight delivery? Is that person on vacation when a disaster occurs?These analyses let you put together an ideal timeframe for restoration, quantify the potential loss of resources or income, and make recommendations and plans for the future.The findings of the BIA should be presented to senior management and other stakeholders. After all, with all of the work and effort involved, it only makes sense to make sure that the results are heard. From here you can move forward with disaster recovery and business continuity planning.

5.  Consider Outsourcing Your BIA ( Avoiding Internal BIAS)

‍When you’re deeply tied to a company it can be hard to separate your observations as objectively as an outside auditor would. Sometimes it is a good idea to outsource your business impact analysis to a neutral, skilled third party who can objectively look at your business and the situations that might impact it. Of course, outsourcing your BIA doesn’t mean that your own opinions and experiences don’t matter. The provider conducting the assessment will survey staff for important information.

While you have the firsthand knowledge that informs a lot of your thinking, a third party can uncover situations you might not have considered. While staff has the company’s best interests in mind, it can sometimes lead to preconceived notions and bias, that can make a BIA unreliable.

‍