Business impact analyses (BIA) should be conducted in order to establish appropriate response priorities in business continuity plans. Identifying the implications of a sudden loss for each business unit can determine process dependencies required to maintain operations of critical business processes. The BIAs should be used to evaluate critical recovery time objectives (RTO) for each unit and establish a comprehensive understanding of core business needs.
Identifying and quantifying the critical business processes that, when not functional, may damage a company’s reputation or ability to operate is a critical stage in the business continuity planning process. Overall resilience capabilities should be prioritized to mitigate any interruption. Operational and process managers should explore and quantify the following aspects to initiate the BIA process:
Timing: Identify critical operational time periods when an interruption would have greater impact (seasonal, end of quarter, specific month, etc.). Priorities should be determined if an interruption during high-output timeframes creates amplified operational and financial impacts.
Likelihood Level: Indicate how likely each specific threat is to occur, considering existing capabilities, mitigation measures, and history.
Duration: Identify the duration and point in time when an interruption would impair operational processes and have financial impact. Estimate the maximum allowable downtime for each specific business function. Typical durations may include:
- Less or greater than 1 hour
- Less or greater than 8 hours or a typical single shift
- Greater than 24 hours
- Greater than 36 hours
- Greater than 72 hours
- Greater than one week
- Greater than one month
Staffing Minimums: Identify staffing level needs (including contractors or suppliers) to meet typical daily objectives as well as recovery time objectives.
Operational Impacts: Identify the effects associated with a business unit interruption, considering existing mitigation measures. These may include, but are not limited to:
- Lost sales and income
- Negative cash flow resulting from delayed sales or income
- Increased expenses due to overtime, outsourcing or other operations that increase costs
- Regulatory fines and legal implications
- Contractual penalties or loss of contractual bonuses
- Customer dissatisfaction or withdrawal
- Delay of business plan execution or strategic initiatives
Recovery Time: Identify the time frame necessary to recover specific critical processes under existing capabilities and, if possible, potentially altered conditions.
Financial Impact: Determine and quantify impacts in financial terms considering existing mitigation measures. Critical functions that have the highest financial impacts should be prioritized in business continuity plans.
Within each business unit, additional business functions should be considered and evaluated. By identifying cross-business-unit dependencies, the need for integrated risk mitigation solutions can be highlighted and proactive measures taken. Access to these additional functional requirements may be necessary if operations are moved to offsite locations. A workflow analysis may prioritize those business functions and processes that must be recovered. Functions within each business unit may include, but are not limited to:
- Finance
- Contracts
- Supply and Trading
- Personnel and Payroll
- Benefits
- Accounts Payable
- Environmental Health and Safety
- Information Technology
Adverse information technology (IT) conditions may affect numerous company departments, units and functions. IT components may include networks, servers, desktop and laptop computers and wireless devices. The ability to utilize both office productivity and enterprise-wide software may be essential to restore normal operations. Therefore, time-critical recovery strategies for information technology, such as exercised data backup and restoration procedures, should be developed in order to limit the effects of interruptions across multiple business units.
If a business continuity incident affects two or more critical business processes, the incident has a greater potential for impact. Interoperable communication and coordination among departments must be exercised for a swift recovery. The effects of a multi-tiered business continuity event can extend beyond the facility borders to affect personnel, multiple critical business processes, vendors or suppliers, and customers. Utilizing business impact analyses can create effective business continuity plans, ensuring a faster state of recovery.