Business continuity and crisis management

Business impact analysis

Business impact analysis, or BIA, is typically one of the first steps in developing a business continuity plan. It is a process of understanding which functions are critical to your business and how a disruption could affect them.

How to conduct a business impact analysis

To carry out a business impact analysis, you will typically follow several steps:

  • identify all business processes and functions
  • prioritise those that are critical to your business operations
  • analyse the potential losses
  • select recovery solutions
  • determine if any interdependencies exist – eg with IT systems
  • evaluate operational impacts of disruption – eg on people, processes and technology
  • evaluate financial and legal impacts
  • develop recovery time requirements

The output of this work is the business impact analysis report. This report:

  • assumes worst-case scenarios
  • considers the amounts your business stands to lose in a crisis event
  • recognises the magnitude of financial and operational impacts from disruptions

The types of impact you can expect from a potential business crisis or the loss of business functions include:

  • lost sales or income
  • higher costs and expenditures – eg overtime and outsourcing
  • regulatory fines or contractual penalties
  • loss of customers and greater customer dissatisfaction
  • decline in business reputation

What is the purpose of a business impact analysis?

The BIA will help you understand how your business would cope during downtime. It will also help you calculate recovery time objectives for your services and understand the resources you need to keep those functions running. This information will form the basis of your disaster recovery and will help you create your business continuity plan.

Difference between business impact analysis and risk assessment

Both BIA and risk assessment are business continuity tools. However, BIA doesn't focus directly on the likelihood of events. Instead, it assumes worst-case scenarios.

Risk assessment, on the other hand, helps you to map out the potential internal and external risks and threats, the likelihood of them happening and the possible impact they can cause.

While you can carry out a BIA without risk assessment, you generally can't conduct a risk assessment without some form of business impact analysis. Risk assessment should use BIA to quantify and prioritise the risks it finds. See how to evaluate business risks.