What is Business Impact Analysis (BIA)?

Published on 29th February 2024 Author: Alan McDermott

Did you consider a flaming shark tsunami tornado in your Business Impact Analysis?

You fell flat on your face in the first board meeting of the year because you didn’t have a Business Impact Analysis…

You were presenting to the board of directors. A question, not on the agenda, comes from the board: “Where should you invest to make your organization more resilient?”

You stammer an answer, smile awkwardly, and depart knowing that you did not impress.

With pandemics, cyber attacks, and supply chain disruptions fresh on everybody’s minds these last few years, businesses are becoming very interested in the topic of resiliency.

Boards want to know: what events could bring business to a standstill? What can be done to mitigate the interruption?

How do you know that you’re focusing your limited resources (People, Time, and Money) on the right risks?

The best place to start this conversation is with a Business Impact Analysis.

What is Business Impact Analysis (BIA)?

A business impact analysis (BIA), also known as a business impact assessment, is a critical tool that helps you understand the potential impact of an interruption to your business operations. It is the first step in developing any incident response plan.

By identifying your most critical business functions and processes, you can quantify and prioritize plans to minimize the impact of an outage and get your business back up and running as quickly as possible.

A BIA’s deliverables are typically:

A description of the organization’s critical business functions, processes, and key stakeholders. This alone is a big win for most organizations as there are a lot of important things that may not be visible to decision-makers.
An assessment of the potential impact of an interruption to each critical business function or process. This includes revenue streams and operations as well as contractual and compliance obligations.
A prioritized list that programs, projects, and response plans Senior Management and Stakeholders can align on.

If you are thinking “This sounds like a Business Continuity or Disaster Recovery Plan,” I understand why! But they are different and important. We need to take a step back and highlight the differences between them.

“This sounds like a Business Continuity or Disaster Recovery Plan!” I hear you say. “ I’ll give it to IT to handle!” This is where we need to take a step back and highlight the differences and where they all fit. They are all important but different.

Example of a Business Impact Analysis

Please find an example of a business impact analysis below:

Foo Inc. – A Battery Manufacturing Company

Foo Inc. manufactures batteries for electric vehicles. It’s a complex business with many moving parts. How would Foo Inc. understand where the greatest risk to business lies? A business impact assessment would help lay out everything the business does, and where its greatest exposures lie.

Foo Inc.’s customers operate a lean just-in-time (JIT) inventory program, They require batteries to be available to them within two hours, which means Foo Inc. needs a constant supply of trucks and drivers on hand to ensure commitments are met. They have a contract with a capable trucking company for the shipments, but it’s a unionized shop and there is a risk of a strike that would directly affect Foo Inc., resulting in contract penalties if shipment times are missed, potentially up to the loss of their contract.

The battery production process is automated, allowing for many efficiencies and great scale, but it is reliant on computer and network systems to function. As part of research for the BIA, the Foo Inc. team learned of a competitor who had recently been hit with an operational technology ransomware attack that shut down their production line for two weeks. The attack cost them millions in lost revenue, lawyers, specialized incident response, contract penalties for missed shipments, and at least one lost contract Foo Inc. is aware of.

The batteries themselves require a rare metal called cobalt. Unfortunately, 70% of cobalt mined globally comes from the Democratic Republic of Congo which is unstable. There are risks to supply chains in terms of civil war, corruption, and government expropriation. Given the demand and limited supply of cobalt globally, it would be exceedingly difficult and expensive to source in the event the Congo’s supply becomes inaccessible. Without cobalt, production shuts down.

All the issues are material to the company and worthy of being on executives’ radars, but which is a higher priority?

Foo Inc.’s BIA would lay out all of the potential business interruptions, calculate how much money is at stake, the most likely cause of an issue, and any other relevant pieces of information. Finding the answer requires specialized knowledge and a deep understanding of Foo Inc.’s business.

Once a BIA is complete, Foo Inc. can start to plan how it would respond to the highest priority scenarios. That’s where the Disaster Recovery Plan comes into play!

Business Impact Assessment Steps

To conduct a Business Impact Assessment, you need to identify critical business functions and the risks that threaten them – cyber and otherwise. Then, you’ll analyze them to determine which risks must be prioritized.

Step 1 – Identify

Get ready to make a lot of lists! It is vital to examine every part of your business’s operations for things that could go wrong, the impact of things going wrong, and how long they can function when things go wrong before they become unsalvageable.

Ask yourself these questions:

What are all the business lines?
What are the main processes for each line?
What do the processes do?
Who are the main stakeholders?
What are the impacts if the process isn’t available?
- Fines?
- Lost revenue?
- Lost customers?
- Reputational damage?
Recovery Time Objectives (RTO) – how long can this process be unavailable before material impacts are realized?
Recovery Point Objectives (RPO) – how current does the data need to be?

Step 2 – Determine what is and isn’t important.

Now that all of that data has been collected, it needs to be carefully reviewed and analyzed. You only want to focus on the really important items.

Do the following:

The output from step 1 should be reviewed by senior management needs and rank the most important processes based on their criteria.
Plans should be drawn up for each process in the event it’s unavailable.
Resources and planning should be allocated based on priority (thus creating the Business Continuity Plan)

Step 3 – Business Continuity Plan (BCP)

Prioritizing the most important items, create plans on how your company will respond in each situation.

The business owners of each process identified in BIA should have a plan on what to do in the event it’s not available.
This plan should include;
- Who needs to be notified
- RTO/RPO’s that will impact the business
- A plan on how to keep the business going
This plan will need to be overlaid with the prioritized list in step 2. Resources are scarce and not all processes are equally valuable.
Any gaps between business impacts and capabilities should be documented and reviewed by resource managers.
If resources are available to fix the gap then a plan should be created. If not, expectations will need to be adjusted.
An annual TableTop exercise should be carried out regularly to identify gaps and update the plan.

Step 4 – Disaster Recovery Plan (Get Technology Working)

When developing your BCP, you will likely find a need for new IT resources your company does not currently have access to.

The BCP should identify technical requirements in terms of the RTO and RPO.
IT will need to determine if current capabilities meet these requirements.
If current solutions are not able to support their requirements discussions need to happen to either change the requirements or upgrade capabilities.
Resources should be allocated based on business priorities identified in the BIA.
If a system has been identified as not meeting business objectives and business chooses not to change the objectives and no resources are allocated to fix it. IT has done its part.
A Disaster Recovery test should be conducted annually to identify gaps in capabilities or planning that are not seen otherwise.

What are the benefits of a Business Impact Analysis?

A Business Impact Analysis (BIA) helps an organization judge risks more impartially by ranking their importance with common criteria. It will allow a business to be clear on what is important and what isn’t so that scarce resources can be allocated to meet business needs in the most effective manner.

Barriers Businesses May Face in Prioritizing a BIA

Business Impact Assessments are time-intensive activities. They carry an opportunity cost, and if not driven by senior management, departments may not see the importance or value – yielding low-quality or incomplete information.

The BIA is fundamental to the allocation of costs in terms of time, people, and money through business continuity planning, disaster recovery, and internal projects. If you don’t know what’s important to the business, how do you know you’re working on the right things?

For the time they require, they can provide a high ROI.

How a BIA Helps Your Organization in the Long Run

Businesses must be prepared for risks that can materially impact them. There are costs to being prepared, so understanding which risks matter and which don’t is something only the business can decide. You want a lot of high-quality information to ensure you make the right decisions!

Sometimes it can be difficult to know where to start or appear impartial when discussing competing business processes. While many companies can complete BIAs on their own, they can be challenging and time-intensive if nobody has expertise with them.

This is where organizations such as Fractional CISO can help. We have the skills, experience, and tools to help your organization prepare and come up with a plan that will ensure your business is properly prepared in the event of a disruption.

Conclusion

You walked out of the first board meeting of the year feeling like a star.

You were presenting to the board of directors. A question, not on the agenda, comes from the board: “Where should you invest to make your organization more resilient?”

Referring to the Business Impact Assessment you had completed last year, you were able to quickly describe a potentially high-impact risk scenario and the investment needed to fix it. The board directed you to make reducing the risk a priority, and granted you additional to get it done.

Want to get great cybersecurity content delivered to your inbox? Click here to sign up for our monthly newsletter, Tales from the Click.

Alan McDermott, CISSP, CIPP/C, CISA

As a Virtual CISO, Alan provides strategic guidance to executive teams. He is a skilled communicator, capable of helping key stakeholders make the best security decisions for their organization. Alan has over a decade of experience serving as a CISO in a number of industries, including insurance, IT data, and fintech. Alan has an MBA from Wilfrid Laurier University and two undergraduate degrees in computer science and commerce. Alan is based in Toronto, Canada, and boasts CISSP, CIPP/C, and CISA among his many security certifications.