How Does A Business Impact Analysis Actually Work?

Have you read "What You Need To Know Before You Start Your Business Impact Analysis?" The next step is to understand how BIA works.

How does a Business Impact Analysis (BIA) work?

A BIA is essentially an exercise that compares business functions and ranks them according to their "criticality."

For the BIA to be comprehensive, it is typically conducted across the organization, involving most, if not all, business units.

Each business function is then examined for the impact caused by a disruption at various intervals, e.g. if a disruption continued for 8 hours, 24 hours, two days, etc.

An impact profile can then be derived for that business function from which the threshold time, called the Recovery Time Objective (RTO), could be determined.

Recovery should be targeted to be completed before reaching this threshold, and recovery after this time would incur significant losses or impact. Hence, it is possible to determine and assign RTOs to each business function by examining the impact severity of a functional disruption over time.

After that, these business functions are ranked according to their RTOs. The shorter the RTO, the more time-sensitive or critical that business function is deemed to be. Hence, the recovery priority for business functions during a disaster is determined.

How are CBFs determined?

CBFs or Critical Business Functions are business functions that are core to achieving the organization's mission and, hence, must be recovered during a disaster. There are several ways to decide whether a business function is critical. Example are:

• business functions that are necessary to fulfil the Minimum Business Continuity Objective (MBCO), e.g. trading services in an investment bank
• business functions that meet conditions set by a regulator, e.g. business functions with RTOs of less than 4 hours
• business functions that meet internal guidelines set by the organization, e.g. business functions involving payment
• business functions with RTOs of less than a predetermined period, e.g. business functions with RTOs of less than seven days

Because so much of business continuity planning revolves around the recovery of CBFs, we must recognise the criteria used to determine what exactly constitutes a CBF for the organization and document this.