Successful businesses are built upon informed decisions and well-timed actions. While risk is always on the horizon, there are ways to prepare, and one of these is conducting a business impact analysis.
Basically, business impact analysis is a tool that can help businesses predict potential disruptions and their consequences by gathering data and developing strategies to recover and continue doing business.
In this article, we will dive deeper into the importance of business impact analysis, how it is conducted, and some tips to do it right. Whether you’re looking to comply with the requirements of ISO 22301 or beginning your Business Continuity Management System journey, this article should get you started on the right foot.
Why Conduct Business Impact Analysis?
Business impact analysis identifies the most critical operational activities and the necessary resources to maintain business continuity. It also assesses the potential risk scenarios and quantifies the impacts of such disruptions. From these pieces of information, the business will develop plans and solutions for mitigation, prevention, and recovery.
The reason why it’s important to conduct business impact analysis is that it’s a way to minimize risk. Whatever the nature or size of a business, operations can be disrupted by accidents and emergencies.
It’s important to note that business impact analysis is not a one-off activity, but rather a regular activity that maintains resiliency.
Who Is Involved in the Process?
Some companies outsource the task to consulting providers, while others prefer doing it in-house. When doing it in-house, a trusted team must be appointed to conduct the analysis.
This team may include a business continuity manager, representatives from the IT department, a business analyst, and subject matter experts with the relevant system or application expertise. Whether a risk can affect the whole company or a single department, the plans and solutions developed for recovery from a business disruption will allow business leaders to determine what to focus on first.
Stakeholders involved in the information-gathering phase will also be involved in the review of these plans and processes. These include upper management, department heads, IT managers, as well as representatives from finance and compliance.
How Business Impact Analysis is Performed
While there is no set method for performing a business impact analysis, the process generally goes like this:
- Getting Approval
The very first step is to get approval from senior management. The objectives, scope, and goals of the business impact analysis must be established, and a project team must be formed to execute the process. The team can be made up of existing employees, or the task can be outsourced to professionals skilled in business impact analysis.
- Gather Information
Once the process has been initiated, the next step is the collection of relevant data and information through interviews or questionnaires with targeted questions that can help assess the potential impacts of business disruptions.
Managers, team members, supervisors, business partners, or anyone knowledgeable about the business processes must be involved in the information-gathering phase. At a minimum, the following information shall be gathered:
- Product/service prioritization
- Process prioritization
- Activity prioritization
- Resources necessary to complete a business activity (People, IT, Equipment, Information, etc.)
- Dependencies/interdependencies
- Impact areas/categories
- Supply chain & vendors
- Review Information
The documented data must be reviewed and then analyzed. It can be done manually or automated by a computer. Through the review, a list of the resources required to maintain operations, critical business functions, and the recovery time frame will be identified.
- Create the Business Impact Analysis Report
The findings will be documented in a business impact analysis report and presented to senior management. While there is no set format, it should include the following:
- Objectives and Scope
- Methodologies used to collect and analyze data
- Summary of findings
- Supporting documents
As technology, tools, and processes evolve, business impact analysis must also be conducted regularly and new reports must be prepared to reflect the changes.
- Obtaining senior management approval
Once the report has been created, it’s time to share the findings with the senior management team for their review. Ultimately, it is up to leadership to act on it.
They may sign off on it and relevant parties can implement the recovery strategies and solutions when necessary. However, if the management is not prepared to approve, it’s important to address any questions or concerns they may have and make the necessary updates and changes, especially for the most critical recommendations.
Tips for Successful Business Impact Analysis
Here are some ways to ensure success in your business impact analysis:
- Prepare the questionnaire thoroughly. A well-thought-out questionnaire will lead to more accurate results. It is also important to consider combining both quantitative and qualitative questions to identify the impacts of disruptions to be able to effectively plan for recovery.
- Define the impact criteria clearly. It’s important to establish business criticality, or the impact criteria, through brainstorming sessions with the core business continuity members or the working committee. The questionnaire should reflect the impact criteria clearly so that the members can determine the impact level and priority. If it involves asking them to answer questions by assigning values, make sure to explain what the values mean in relation to the established impact criteria.
- Gather data by interacting with the people involved. The most valuable insights can be acquired by interviewing the people responsible for critical processes and functions instead of simply sending out questionnaires and waiting for them to get back to you. This provides an opportunity to clear up questions and clarify or elaborate answers. If this is not feasible, a workshop for all participants where they can ask or bring up concerns must be conducted.
- Set the recovery time objective after determining all interdependencies among critical activities. For instance, if the tolerable period of disruption for Critical Business Activity A is two days, and the maximum tolerable period for Critical Business Activity B is one day but it can’t return to normal operations without Critical Business Activity A, the recovery time objective for Critical Business Activity A should be one day and not two days.
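The interdependency rule in the last tip, shown as an added example (not from the original article) and extended to chains of dependencies. The function name, the activity labels and the day values are hypothetical, and it assumes each activity's tolerable period of disruption is the upper bound for its recovery time objective.

```python
def effective_rtos(tolerable_days, depends_on):
    """Tighten recovery time objectives across activity interdependencies.

    tolerable_days: activity -> tolerable period of disruption, in days
    depends_on:     activity -> set of activities it cannot resume without
    Returns (rto, driver): the effective RTO per activity, and the activity
    whose tolerable period sets that RTO.
    """
    # Every activity named in a dependency must have been assessed.
    named = set(depends_on) | {p for deps in depends_on.values() for p in deps}
    missing = named - set(tolerable_days)
    if missing:
        raise ValueError(f"no tolerable period recorded for: {sorted(missing)}")

    rto = dict(tolerable_days)
    driver = {activity: activity for activity in tolerable_days}

    # A prerequisite must be back no later than any activity that needs it.
    # Repeat until stable so the limit flows down chains (D needs B needs A);
    # values only ever decrease, so circular dependencies also settle.
    changed = True
    while changed:
        changed = False
        for dependent, prerequisites in depends_on.items():
            for prerequisite in prerequisites:
                if rto[prerequisite] > rto[dependent]:
                    rto[prerequisite] = rto[dependent]
                    driver[prerequisite] = driver[dependent]
                    changed = True
    return rto, driver


if __name__ == "__main__":
    # Constructed sample: A and B are the article's case, C and D are added.
    tolerable = {"A": 2, "B": 1, "C": 5, "D": 0.5}
    needs = {"B": {"A"}, "C": {"A"}, "D": {"B"}}
    rto, driver = effective_rtos(tolerable, needs)
    for activity in sorted(rto):
        print(f"{activity}: tolerable {tolerable[activity]}d, "
              f"RTO {rto[activity]}d (set by {driver[activity]})")
```

The `driver` value identifies which downstream activity forced a tighter objective, which is the justification to record in the report when a questionnaire answer is overridden.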
The most effective way to get you prepared for potential issues that could strike your organization is through business impact analysis. If you want to learn more about how business impact analysis can benefit your organization, contact us today for a consultation!