Business

Impact
Analysis

EXAMPLE

1
Business Impact Analysis

BUSINESS IMPACT ANALYSIS

Introduction
The Business Impact Analysis (BIA) is a fundamental activity within any Business Continuity programme. Before
developing Business Continuity Plans and strategies, it is important to fully understand the organisation, and therefore
what needs to be protected and where recovery efforts need to be placed.

Objectives
The objectives of the BIA are to fully understand the organisation; this is done by:
l Identifying the most important functions / departments / services from across the organisation.
l Identifying the different activities and processes that make up the above functions / departments / services.
l Identifying the critical resources / dependencies for each of the above activities and processes.
l Assessing the impacts if the activities / processes and resources / dependencies are disrupted.
l Determining how quickly these need to be recovered to minimise the impact on the organisation.

How to complete a BIA

It is important to interview Function / Department Leads or individuals who understand the different activities and
resources used to complete the critical activities and processes.
It is good to aim for between 5 – 8 activities (if they exist), for each of the different functions / departments.
The template below will serve as a useful tool to structure a BIA (including interview questions and what information to
include within the template).
The function / department leads should sign off the output to ensure it reflects their priorities.

How often to update the BIA

The BIA should be updated and reviewed every year, or whenever there is significant change to parts of the
organisation.

Principles to follow for the BIA

The principles for the BIA are:
l Includes the views and opinions of function / department leads.
l Is concise and easy to assess and understand.
l Serves as an effective tool to help create the Business Continuity Plans.
l Provides clarity on the priorities across the organisation.
l The critical resources / dependencies include people, premises, technology, data and third parties.
l Identifies known risks and vulnerabilities.

What to do after the BIA is complete

l Consolidate all the BIAs to get an overall view of the priority functions, activities and resources.
l Develop Business Continuity Plans to ensure you can recover the critical activities and resources.
l Share the technology and data dependencies with IT so they can build resilience across the systems.
l Escalate risks and vulnerabilities if it is clear that recovery strategies and capability cannot meet the recovery
objectives.

2
 Business Impact Analysis:
[insert department name] [date of completion] [function / department lead] [date of next update]

Recovery Time Critical dependencies Known risks /

• Activities • Description • Impact if disrupted*
Objective People Premises Technology and data Third parties vulnerabilities
[Name of activity] [Describe the activity] [What is the impact if [How quickly does [Which roles are [Which premises are [Which technology [Which third parties
the activity is the activity need to needed to complete needed to complete and data is needed are needed to
[Insert any known
disrupted? e.g. be recovered to the activity?] the activity?] to complete the complete the
risks and / or
Finance, Legal, minimise the impact activity?] activity?]
vulnerabilities to the
Operations, on the business?]
activity or
Customers,
dependencies]
Reputation] – {low,
medium or high]

* When considering the impact of a disruption, refer to the Impact Matrix on the next page to help validate the decision. This will help to determine the impact based on impacts
to Finance, Legal, Operations, Customers, Reputation etc.).

3
Business Impact Analysis

Impact Matrix

Use an example of the below Impact Matrix to help determine the level of impact that a disruption could cause to the business.

Low impact Medium impact High impact

A significant impact to our financial
A material impact to our financial performance
A minimal impact to our financial performance. performance which requires immediate, senior
Finance which requires response from departments.
e.g. Range of £X - £Y impact on sales. level response.
e.g. Range of £X - £Y impact on sales.
e.g. Range of £X - £Y impact on sales.

Minimal legal impact and requires no A material legal impact which requires legal A significant legal impact which requires
Legal
response. support. regulator communications and legal support.

A significant impact on our operations;

A minimal impact to critical activities and A material impact to our overall operations and
Operations business continuity plans are required to
departments. Operations can be delayed. the service we provide to customers.
recover services as quickly as possible.

Few customers are impacted. The number of An intolerable level of customers are
Customer A high number of customers are impacted.
customers impacted is not material. impacted.

There could be some significant local / national

There will be limited reputation damage; There may be some local coverage which could
Reputation coverage which would impact our internal and
mainly internal. impact our reputation in the short term.
external reputation for the long term.

[Other impacts] [Insert other impact criteria if necessary] [Insert other impact criteria if necessary] [Insert other impact criteria if necessary]