Understanding the consequences of business disruption is a fundamental requirement of an effective Business Continuity Management System (BCMS).
Under ISO 22301:2019, organisations are required to systematically analyse the impacts that interruptions to activities, products, and services may have on their ability to meet strategic, operational, regulatory, and stakeholder obligations.
This chapter focuses on Part 2: Impact Area of Business Functions, a critical component of the Business Impact Analysis (BIA) process.
Building on the identification of business functions in Part 1, this section requires organisations to evaluate what would happen if a business function were disrupted, rather than how the disruption might occur.
The emphasis is on understanding the severity and types of impact, and the organisational consequences across both financial and non-financial dimensions.
By completing this template, organisations establish a structured and consistent approach to identifying impacts related to financial loss, operational failure, regulatory non-compliance, reputational damage, and stakeholder confidence.
This analysis forms the foundation for determining Minimum Business Continuity Objectives (MBCOs), Maximum Tolerable Periods of Disruption (MTPDs), and ultimately, the prioritisation of recovery and continuity strategies.
This chapter, therefore, serves as a bridge between business function identification and recovery decision-making, ensuring that continuity planning is driven by impact-based evidence in line with the requirements of ISO 22301 Clause 8.2.
The “Impact Area of Business Functions” template supports the Business Impact Analysis (BIA) required by ISO 22301:2019 Clause 8.2 – Business Impact Analysis and Risk Assessment.
The objectives of completing this template are to:
Identify and evaluate the consequences of disruption to each business function, as required by ISO 22301 Clause 8.2.2(a), by analysing impacts over defined impact areas.
Determine the severity and nature of impacts (financial and non-financial) arising from loss of activities, products, or services, supporting ISO 22301’s requirement to understand consequences over time.
Provide a structured, repeatable impact assessment method that ensures consistency and traceability and supports ISO 22301 Clause 7.5 (documented information).
Support the determination of Maximum Tolerable Period of Disruption (MTPD) and Minimum Business Continuity Objective (MBCO) by clearly linking impacts to organisational objectives, as required by ISO 22301 Clause 8.2.2(c).
Enable prioritisation of business functions based on the significance of impacts, forming a critical input to continuity strategies under ISO 22301 Clause 8.3 (Business Continuity Strategies and Solutions).
Demonstrate regulatory, contractual, and stakeholder impact awareness, fulfilling ISO 22301 expectations for understanding legal, regulatory, and reputational consequences of disruption.
The template captures impact evidence for each business function identified in Part 1 of the BIA.
Ensures traceability between activities, products, and services, as required by ISO 22301, Clauses 4.2 and 8.2.
Supports consistent referencing across the BCMS.
To categorise the type of consequences that arise if the business function is disrupted.
Financial
Operational / Process
Legal & Regulatory
Reputation & Brand
Customer & Stakeholder Confidence
People (health, safety, welfare)
Technology, Information, and Assets
Social or public responsibility
Addresses Clause 8.2.2(a): understanding the consequences of disruption.
Supports the identification of both tangible and intangible impacts, which ISO 22301 expects organisations to consider.
Hard impact: Direct, measurable financial loss
Soft impact: Indirect or non-financial consequences that may escalate over time
Quantifies financial consequences over the defined planning horizon (e.g. daily, weekly).
Required where financial impacts are applicable.
Supports evidence-based prioritisation and strategy selection under Clause 8.3.
Demonstrates understanding of the economic consequences of disruption.
Documents assumptions and calculation logic (e.g. lost revenue, penalties, additional costs).
Enhances auditability and repeatability.
Supports Clause 7.5 (documented information) and management review expectations.
Identifies which organisational or functional MBCO would not be met if the function is disrupted.
Explains how failure to meet the MBCO affects:
Customers
Regulatory compliance
Strategic objectives
Organisational viability
Directly supports Clause 8.2.2(c), which requires understanding the time-related impacts and defining continuity objectives.
Creates a clear link between impact severity and recovery expectations.
Used to capture impacts not expressed in monetary terms, including:
Regulatory sanctions or licence risks
Breach of contractual obligations
Reputational damage
Customer dissatisfaction or churn
Employee morale, safety, or welfare impacts
Cascading effects on other business functions or third parties
Aligns with Clause 4.2 (needs and expectations of interested parties).
Completion of the Impact Area of Business Functions template:
Provides objective BIA evidence required for ISO 22301 audits and certification.
Feeds directly into:
Impact over time analysis
MTPD and RTO determination
Continuity strategy selection
Demonstrates compliance with:
Clause 8.2 – Business Impact Analysis
Clause 8.3 – Business Continuity Strategies
Clause 7.5 – Documented Information
Ensures continuity planning decisions are risk-informed, impact-driven, and defensible.
The Impact Area of Business Functions analysis is a pivotal step in translating business knowledge into actionable continuity priorities.
By systematically documenting both financial and non-financial consequences of disruption, organisations gain a clear, defensible understanding of why certain business functions must be protected, restored, or prioritised over others.
When completed effectively, this template provides objective input into the determination of MBCOs, recovery time expectations, and the selection of a continuity strategy, ensuring alignment with organisational objectives and stakeholder expectations.
It also strengthens compliance with ISO 22301:2019, particularly in demonstrating that impact analysis has been conducted in a structured, documented, and repeatable manner.
Importantly, this section encourages organisations to look beyond immediate financial loss and consider regulatory obligations, reputational exposure, customer confidence, and people-related impacts, all of which can have long-term consequences on organisational resilience.
The outputs from this chapter feed directly into subsequent BIA activities, including impact-over-time assessment and recovery prioritisation, and ultimately support the design of robust, proportionate, and risk-informed business continuity strategies.
As such, Part 2 plays a vital role in ensuring that the BCMS is not only compliant but truly effective in enabling the organisation to withstand and recover from disruptive incidents.
To learn more about the course and schedule, click the buttons below for the BCM-300 Business Continuity Management Implementer [BCM-3] and the BCM-5000 Business Continuity Management Expert Implementer [BCM-5].
|
Please feel free to send us a note if you have any questions. |
||