Business Impact Analysis

Project Planning and Approval

IT organizations can apply project management methods to business impact analysis, especially when the BIA will be treated as a project with its own resources, budget, and a defined start and finish. The project planning stage can include steps like:

• Defining a scope for the BIA process or determining which applications, services, or departments should be included,
• Communicating expectations,
• Establishing roles and responsibilities for the BIA team,
• Creating a project plan or timeline, and
• Allocating project resources.

It’s also crucial to secure participation, buy-in, or approval from executive management as needed to ensure the project is effectively prioritized and seen through.

Service Discovery and Data Collection

The next step in conducting a business impact analysis is process discovery and data collection. The IT organization should start by conducting a thorough discovery process and creating an inventory of all applications and services that fall within the scope of the BIA. 

Next, the IT organization should collect data about each service that will be used to measure the business impact of a disruption to that service. This data should include:

• Service Name/Identifier - The name of the application or service. A unique identifier code may be applied when the BIA includes multiple deployments of the same service or multiple services with similar names.
• Service Owner - The name of the individual, team, or department that operates the service.
• Service Description - A basic description of the service, including its essential functionality, who uses the service, and how frequently it is used.
• Service Requirements - A listing of the essential people, processes, technology, and facilities needed to support and deliver the service.
• Service Dependencies - A listing of relationships between the service and any other applications or services that must be operational for the service to function.
• Service Level Agreements (SLAs) - A description of any contractual obligations the organization has with respect to SLAs for the application or service.
• Legal/Regulatory Considerations - A description of any legal or regulatory obligations tied to the application that could be impacted by a service disruption.

Data collection often requires input and cooperation from multiple stakeholders. Understanding SLAs for specific applications and services might require a review of active customer contracts, while understanding regulatory considerations might require input from legal/compliance teams. IT personnel may need to communicate with service owners across multiple departments to better understand how applications are being used.

Information Review and Analysis

Once the IT organization has collected data on the applications and services covered by the BIA, it’s time to review the data and complete a business impact analysis. 

For each service, the IT organization should think about answering a few key questions:

• How critical is this application or service to our mission?
• What other services support this service? What other services does this service support? How could a disruption to this service impact other services?
• How much downtime can we afford for this service before the impact is considered unacceptable?
• How much data loss can we afford for this service before the impact is considered unacceptable?
• What would be the impact of an unplanned service interruption that disrupts the availability of this service?

When quantifying or describing the impact of a service disruption, the IT organization should consider the following impact categories:

• Financial - lost market share, lost revenue, fines and penalties.
• Reputational - brand damage or degraded customer opinion.
• Legal - litigation liability.
• Contractual - liability for breaching contractual obligations.
• Business - inability to achieve business objectives or exploit competitive advantage. 

BIA Report Creation and Presentation

Following a thorough analysis of the data, the IT organization should create a BIA report and presentation detailing the results. 

This material may be submitted or presented to executive management to inform decision-makers about the potential impact or consequences of business disruption, establish risk management priorities, and secure buy-in for the implementation of business continuity and disaster recovery protocols to enhance business resilience.

Business Continuity Strategy Development and DR Planning

IT organizations can use the results of a business impact analysis (often combined with the results of a risk assessment) to inform the business continuity strategy development and disaster recovery planning. 

From a business continuity perspective, IT organizations should determine which applications or services are truly mission-critical and create a strategy to ensure that those services can continue to be delivered at an acceptable level following a service disruption.

From a disaster recovery perspective, IT organizations should establish a Recovery Point Objective (RPO) and Recovery Time Objective (RTO) for each application or service. From there, IT organizations can develop and implement disaster recovery protocols to meet those targets and avoid unacceptable negative consequences of operational downtime or data loss.