How to Create A Business Impact Analysis (BIA)
We discuss business impact analysis definition, steps, and provide templates from NIST.
Join our newsletter:
What is a Business Impact Analysis?
A business impact analysis (BIA) is a document that identifies important business processes, their associated resource requirements (e.g, servers that support a project), what the effect on the organization would be if a business process were to fail, and which business processes are most critical. This helps companies understand the consequence of certain systems or resources becoming unavailable.
Business Impact Analysis Steps
The steps for creating a business impact analysis are: assembling your BIA team, identifying business procesesses and missions, sorting business processes and missions based on criticality, identifying the resources supporting your business, and identifying which resources are the most important.
Assemble Your Team
The first step is to assemble a team that will work together to create the BIA. Make sure to include staff from IT, executive leadership, and program or project managers as needed. They don’t need to be involved during the entire process but you will need to reach out to them at different points for the information needed to build your business impact analysis.
Identify Your Business Processes & Missions
A business process is something your business does to achieve a goal. An example of a business process is human resources management, IT operations, and accounting. After identifying your business process identify any missions your business has. Examples include services you provide your clients such as a call center you manage for them.
Determine Which Business Processes & Missions are the Most Critical
You need to think about which business processes and missions are most important to your company. In the event these business processes or your ability to achieve a mission are inhibited which ones will expend resources on to re-establish first? This is where knowing what resources support your business processes and missions comes into play.
Identify Resources Supporting Business Process & Missions
After identifying your business processes and missions you need to identify what resources support them. This includes things such as staff, servers, workstations, infrastructure, and other resources. Think about where failures can occur. Do all of your business processes require electricity to function? If so, what is your plan for when the power goes out? Should your company install a generator? This is why identifying resources supporting your missions is important. You start thinking about the consequences of your resources becoming unavailable.
Identify The Most Critical Resources Supporting Your Business
After you have identified the resources used to support your business processes and missions you need to determine which are the most critical. In the event of a disaster or other service interruption you will know where to prioritise your recovery efforts. Does your business rely on its online store for a large portion of its sales? Then recovering the web server hosting that site should be given priority over less important systems. Identifying your critical systems can also help you prioritize where you focus your security controls. You can spend hours and money where it counts most.
Calculate Maximum Tolerable Downtime (MTD), Recovery Time Objective (RTO), and Recovery Point Objective (RPO)
You need to determine how long your business can accept or tolerate a system or business process being out of action. You need set objectives for restoring those business processes, and you need to determine the point to which you must return your services. These are all abbreviated as MTD, RTO, and RPO. You will determine these in your business impact analysis report for which we have a template down below.
Maximum Tolerable Downtime (MTD): The MTD represents the total amount of time leaders/managers are willing to accept for a mission/business process outage or disruption and includes all impact considerations. Determining MTD is important because it could leave continuity planners with imprecise direction on (1) selection of an appropriate recovery method, and (2) the depth of detail which will be required when developing recovery procedures, including their scope and content.
Recovery Time Objective (RTO): RTO defines the maximum amount of time that a system resource can remain unavailable before there is an unacceptable impact on other system resources, supported mission/business processes, and the MTD. Determining the information system resource RTO is important for selecting appropriate technologies that are best suited for meeting the MTD.
Recovery Point Objective (RPO): The RPO represents the point in time, prior to a disruption or system outage, to which mission/business process data must be recovered (given the most recent backup copy of the data) after an outage.
What to Include in a Business Impact Analysis Report
We put together a Business Impact Analysis template for you. It is based on guidance from NIST for conducting a Business Impact Analysis. The business impact analysis report template is available here:
Discover Our NIST SP 800-171 & CMMC 2.0 Solutions:
Power through compliance. Meet and maintain your NIST SP 800-171 & CMMC 2.0 compliance requirements.
Transform your business. Create new revenue streams and provide scalability for your NIST SP 800-171 and CMMC 2.0 services.
Supply Chain Verifier
Trust is everything. Verify, monitor, and support subcontactor compliance.