Friday, February 10, 2012

Business Continuity Impact Analysis

The Business Impact Analysis (BIA) is the backbone of the entire business continuity exercise or, at least, it should be if handled correctly. Even so, it cannot stand alone: without full support, approval and backing from the highest level of management, the exercise will not achieve its full potential. A well-executed BIA can make the difference between a fully developed, robust business continuity plan and a mediocre one.

The BIA can be adjusted to cover any specific client requirement but it does have a fundamental theme at its core. The purpose is to identify the effect of many different external and internal impacts upon the various parts of your organization in times of crisis. It will show which parts of your organization will be most affected by an incident and what effect it will have upon the company as a whole. In other words, we will use the BIA to establish which are the most critical business functions to your company's survival. Each organization has hundreds of operations in its overall business but only a percentage will be key to its survival and it is these that we need to build business contingencies for. Of course, we will not ignore the remainder but because they are less critical, we can prepare recovery plans for them instead.

Risk Versus BIA...

Risk analysis involves identifying the most probable threats to an organization and analyzing the related vulnerabilities of the organization to those threats. Risk assessment involves evaluating existing physical and environmental security and controls and assessing their adequacy relative to the potential threats to the organization.

Business impact analysis involves identifying the critical business functions within the organization and determining the impact of not performing the business function beyond the maximum acceptable outage. Types of criteria that can be used to evaluate the impact include: customer service; internal operations; legal/statutory and financial.

There are many different ideas regarding the definition of risk analysis and whether it should be done before or after the BIA. Consider, however, that if you knew beforehand which functions were the most critical to the business, how much easier it would be to establish the internal and external risks to the business.

Participants...

Effectively, we are looking to interview line, production, or function managers, the middle management of the business: those who understand the objectives of the business but also have a good understanding of the operations they are responsible for. This is probably the one opportunity you will have to sit down with all of the function heads of the organization. They are busy people, so make sure that you take advantage of the time they give you. Have the BIA questionnaire completed and use the first meeting to give an overview of the BIA and expectations, such as deadlines. Discuss the BIA document and answer any questions that the team may have. Follow-up interviews, for clarification of answers, can be conducted once the BIA is returned and should be done with each function head individually. Once all BIA documents are returned and follow-up interviews are complete, the results of the BIA should be evaluated and the functions of the business prioritized. After initial prioritization, the team should be brought together one more time to discuss and agree upon the final priority list that will be submitted to senior management.


BIA Questionnaire...

The following items should be considered when developing your BIA questionnaire and follow-up interviews:

  • Function description - A brief description of the function being performed.
  • Dependencies - A brief description of the dependencies of the function. What has to happen or needs to be available before the function can be performed?
  • Impact profile - Is there a specific time of day, day of the week, week of the month, month of the year that the function would be more vulnerable to risk/exposure or the impact to the business would be greater if the function is not performed?
  • Operational impacts - When would operational impact to the business be realized if the function was not performed? Describe the operational impact.
  • Financial impacts - When would financial impact to the business be realized if the function was not performed? Describe the financial impact.
  • Work backlog - At what point will the backlog of work start to impact the business?
  • Recovery resources - What kind of resources are needed to support the function, how many are needed, and how soon are they needed after a disruption (phones, desks, PC, etc.)?
  • Technology resources - What software and/or applications are needed to support the function?
  • Standalone PCs or workstations - Does the function require a standalone PC or workstation?
  • Local area networks - Does the function require access to the LAN?
  • Work-around procedures - Are there currently manual workaround procedures in place that would enable the function to be performed in the event that IT is unavailable? If so how long could these workarounds be used to continue the function?
  • Work-at-home - Can the function be performed from home?
  • Workload shifting - Is it possible to shift workloads to another part of the business that might not be impacted by the disruption?
  • Business records - Are there business records needed to perform the function and if so, are they backed up? How? What frequency?
  • Regulatory reporting - Are regulatory documents created as a result of the function?
  • Work inflows - What input is received, either internally or externally, that is needed to perform the function?
  • Work outflows - Where does the output go after it leaves the functional area or in other words who would be impacted if the function was not performed?
  • Business disruption experience - Has there ever been a disruption of the function? If so, give a brief description.
  • Competitive analysis - Would there be a competitive impact if the function was not performed, when would the impact occur, and when would a potential loss of the customer occur?
  • Other issues and concerns - Any other issues relevant to the success of performing the function.

RTO and Prioritization of Functions...

After the BIA has been completed by all functional areas of the business, the BC team should be able to assign Recovery Time Objectives (RTO) to each function based on the responses. The RTO is the time at which the function must be back in operation or impact to the business will result. Once an RTO is established for each function, a prioritization of the functions can take place. Time bands or tiers should then be created by the BC team based on the functional RTOs. Time bands are arbitrary time slots developed to fit each business and functional recovery. If your functions have RTOs ranging from 24 hours up to 96 hours, you may want to consider the example shown.

Tier 1 (0-24 hours)
Tier 2 (24-48 hours)
Tier 3 (48-72 hours)
Tier 4 (72-96 hours)

All of the functions that needed to be recovered within 24 hours would be considered a Tier 1 function and so on. Again, the Tier ratings should be customized to your company. A Tier 1 of 0-5 hours could be valid in one company while another company might have a Tier 1 of 48-72 hours.
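As an added illustration of the tiering step above (not code from the original post), the script below derives an RTO for each function from constructed BIA questionnaire answers, assigns it to a configurable time band, and produces the prioritized list. It assumes that the RTO is the earliest point at which any operational, financial or backlog impact is felt, that an RTO beyond the last band marks a function for a recovery plan rather than a contingency, and that functions with no impact timing are pushed to the end for follow-up; the function names and hours are invented.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class BiaResponse:
    """One function's questionnaire answers, as hours until each impact is felt."""
    function: str
    operational_impact_h: Optional[float]   # "Operational impacts" answer
    financial_impact_h: Optional[float]     # "Financial impacts" answer
    backlog_impact_h: Optional[float]       # "Work backlog" answer

# Time bands as (label, upper bound in hours). These mirror the four-tier
# example in the post and should be tailored to each company.
DEFAULT_TIERS = [("Tier 1", 24), ("Tier 2", 48), ("Tier 3", 72), ("Tier 4", 96)]

# Constructed sample responses (hypothetical functions and timings).
SAMPLE = [
    BiaResponse("Order entry", 4, 8, 12),
    BiaResponse("Payroll", None, 96, 72),
    BiaResponse("Marketing newsletter", 240, None, None),
    BiaResponse("Warehouse dispatch", 24, 30, 20),
    BiaResponse("Archive indexing", None, None, None),
]

def derive_rto(r: BiaResponse) -> Optional[float]:
    """Assumption: RTO = earliest reported impact. None if no timing was given."""
    times = [t for t in (r.operational_impact_h, r.financial_impact_h,
                         r.backlog_impact_h) if t is not None]
    return min(times) if times else None

def assign_tier(rto_h: float, tiers=DEFAULT_TIERS) -> Optional[str]:
    """First band whose upper bound covers the RTO (an RTO of exactly 24h lands
    in Tier 1). None means the RTO lies beyond every band: recovery plan, not
    a contingency."""
    for label, upper in tiers:
        if rto_h <= upper:
            return label
    return None

def prioritize(responses: List[BiaResponse], tiers=DEFAULT_TIERS
               ) -> List[Tuple[str, Optional[float], Optional[str]]]:
    """Rank functions by RTO, most urgent first; unanswered ones go last."""
    ranked = []
    for r in responses:
        rto = derive_rto(r)
        tier = assign_tier(rto, tiers) if rto is not None else None
        ranked.append((r.function, rto, tier))
    ranked.sort(key=lambda x: (x[1] is None, x[1] if x[1] is not None else 0))
    return ranked

if __name__ == "__main__":
    for name, rto, tier in prioritize(SAMPLE):
        print(f"{name:22} RTO={rto!s:>5}h  {tier or 'no band / follow up'}")
```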

