Business Impact Analysis

Business Impact Analysis 

Overview

The business impact analysis (BIA) is the basis upon which the organization’s entire business continuity management model is mounted. The commercial impact on an enterprise’s assets, resources, business units and processes due to business disruptions and hazardous occurrences are identified and dissected across a wide array of qualitative and quantitative parameters. Contextually relevant strategies are devised based on the data gathered from this exercise.
The business impact analysis can be further segregated across the three managerial dimensions as follows:

  • Strategic – the extent to which a business disruption can impact the enterprise’s ability to honor commitments towards product, service or solution delivery. This assessment is crucial in determining the scope of the business continuity management model
  • Tactical – how business disruptions can hamper in-house or external tasks and processes which has a direct impact on product, service and solution delivery. This information is a valuable input while determining appropriate responses to restore business continuity and their corresponding resource needs
  • Operational – the impact of a business disruption on specific tasks, activities and processes is gauged to decide on an appropriate recovery plan

Preliminary Tasks

The backing of senior management and leadership teams is necessary to conduct a comprehensive business impact analysis. The management strata are more likely to cooperate in the business impact analysis exercise when the upper echelons of the organization’s hierarchy have extended their full support to the BIA initiative.

Even before the business impact analysis exercise has begun, the enterprise might have already shortlisted products, services and solutions that are to be included within the scope of the business continuity management module. This list would have been further confirmed through written BCM policies. However, the business impact analysis can assist organizations in deciding which of its merchandize are to be included in the BIA module’s scope by assessing the commercial implications of disruption to production and delivery of its merchandize.

An array of tasks and activities collectively make the delivery of each product, service or solution possible. Some of these tasks and activities that are usually within the operational level of management are more likely to impact delivery than others. These high priority tasks and activities include direct interaction with clients and external business associates. However, they are also supported by other internal and external business processes that also need to be taken into consideration during assessment.

Sample Activities at the Strategic Level

  • Supervisory control
  • Overseeing Project Execution
  • Preparation Based on Foresight and Forecasting Techniques

Sample Activities at the Tactical Level

  • IT Systems
  • Human Resource Management
  • Avaliability of Utility Services

Sample Activities at the Operational Level

  • Attending to client queries
  • Revenue generation through customer orders
  • Development of products, services and solutions
  • Transferring residual discharge from production activities to treatment centers
  • Internal and external communication procedures

Objective

The prime objectives of a business impact analysis are as follows:

  • Elaborate written records on the implications and repercussions on every task, activity, workflow and process when a disruptive event occurs
  • Prioritize recovery measures based on the Maximum Tolerable Period of Disruption (MTPD)
  • Evaluate workarounds for internal and external interdependent tasks

Experts highly recommend the use of business impact analysis as a forecasting tool that prognosticate the implications well in advance of an expected event, such as:

  • Launch of new goods and merchandize
  • Change or Modification in Area of Operations
  • Corporate Reorganization at a Structural Level
  • A Business Opportunity with a major client

Theories

Maximum Tolerable Period of Disruption (MTPD) – This is a timeframe within which business activity must be resumed for the organization to avert losses in revenue, reputational damage and similar negative impacts.

A number of factors are taken into consideration while calculating an enterprise’s MTPD timeframe such as:

  • Health and safety concerns of employees and personnel
  • Inability to comply with statutory or regulatory norms
  • Impact on market perception of a company
  • Impact on cost of production and delivery of merchandize
  • Impact on qualitative and production metrics
  • Environmental hazards
  • Enterprise Specific Concerns

The MTPD is never constant and varies significantly between departments and divisions within the same company. Seasonal changes are also an influencing factor. For instance, the accounting department would have to work around marginal MTPD timeframes during the financial year end. Similarly, business divisions within an enterprise that are contractually obliged to deliver goods and merchandize to a major client during the course of a one year standalone agreement would have to cope with extremely narrow MTPD timeframes during that period.

Some organizations use the terms incident management plan and crisis management plan interchangeably, even while interacting with the press. But it should be noted that, even in generic terms, the implications of a crisis are a lot more severe than those of an incident. Hence, it is highly recommended that the communication an enterprise’s media spokesperson shares with the public be carefully worded in order to avoid misleading and inaccurate inferences of the situation.

Terminology

Care must be taken while describing specific, disruptive scenarios and the impact they can have on the organization’s commercial objectives. Documentation must carefully establish the difference between terms such as critical and important. Inaccurate and inconsistent usage can lead to varied understandings of the severity of the business disruption which in turn can severely hamper the effectiveness of the business continuity plan.

After establishing the MTPD timeframes, business tasks and activities with similar recovery prerequisites are clubbed into groups. Recovery measures for activities should always be described in time related terms such as time critical, time sensitive, priority, urgent and so on.

Suppositions

  • Organizations can get a clearer picture of the interdependencies and complexities within business processes when tasks and activities are analyzed separately
  • Alternate options, such as backup assets, resources and locations, are available and fully functional

Inaccuracies tend to creep in while calculating MTPD timeframes for seasonal activities. In such cases, experts suggest that organizations calculate MTPDs for the most disruptive period during these seasonal phases.

Outsourcing is a growing presence in present day business operations. However, emergency teams might not be able to extensively assess the impact of a business disruption on external vendors.

Data Confidentiality

A lot of business information cannot be disclosed in the best interests of the organization’s commercial objectives and this could constrain the accuracy of the assessment. This is a ground reality that business continuity executives should be prepared for.

Execution Methodology

Magnitude and extent of operations

  • Detect relationships between different entities within the enterprise to facilitate a more accurate MTPD calculation
  • Determine the maximum range of impact a business disruption can cause in the case of multiple business locations and the extent to which the organization can tolerate a slowdown in production. This assessment should be put down in writing and enforced through a business continuity management policy. Contributing factors include:
  1. Geographic regions covered
  2. Legal requisites and compliance norms
  3. Commercial obligations to clients
  4. Market specific business model
  • Carry out the assessment in phases by focusing on specific segments at a time. This is especially relevant in the case of large organizations with multiple locations, the entire business impact analysis exercise would span over an extended period of time
  • Obtain approval for the operational extent and constraints of the business impact analysis

Business Impact Analysis

  • Keep a record of all the commercial tasks and activities carried out by the enterprise
  • Identify the executives in charge of business processes
  • Reach out to key personnel from different departments who can provide valuable insights
  • Take stock of the implications of a business disruption
  • Establish the maximum tolerable period of disruption (MTPD) for each business activity

Reporting

  • Obtain process validation from deciding authorities on the contextual relevance of the business impact analysis methodology that has been adopted
  • Reinforce the conclusions of the BIA report through approvals from senior management and leadership teams

Approaches and Methodologies

Data Gathering

The methodologies adopted while gathering data during the business impact analysis largely depends on the industry, specific customer demands and various other factors. Nevertheless, some foundational guidelines have been listed below:

  • Gathering relevant data during the business impact analysis allows organizations to decide on the best suited business continuity strategy based on the time constraints of all tasks, activities, workflows and processes
  • The format to be used for gathering data depends on the manner in which is the data is to be presented
  • Factors that determine the extent to which the proper execution of tasks and activities are given priority include:
  1. The time taken to carry out the task from start to finish
  2. The infrastructural capabilities of the facility where the activity is executed
  3. The dependence of other activities on this activity and the implications during a business disruption
  4. The maximum tolerable downtime for this activity
  5. Alternate options
  6. Time specific or industry specific factors such as compliance norms and peak season activity
  7. The timeframe within which the activity has to be brought up and running again. this is determined by:
  • Production quantity
  • SLAs, contractual obligations, delivery commitments, statutory requisites and compliance

The methodologies and approaches for executing a business impact analysis include:

  • Interactive group activities – Interactive group activities such as workshops can speed up the desired outcome and give participants the opportunity to get involved in the exercise. Nevertheless, there should be participation across all departments and divisions so that all relevant points of view have been taken into consideration
  • Questionnaires and feedback forms – Business continuity executives can get their hands on huge volumes of data through this approach. Nevertheless, data quality and consistency issues frequently tend to creep in if the process is not monitored properly
  • One on one session – One on ones produce good quality and reliable data. However, gathering information through this approach is a slow process and spans over extended periods of time. Issues such as varying levels of detail and format consistency are not uncommon

Organizations can also design a hybrid formula that mixes and matches the above three techniques in varying degrees provided the amount of detail and data format are standardized across the process. This approach comes with a variety of benefits.

Software

While a number of BIA software options are available in the market, enterprises should look for a product that facilitates ease of analysis, storage and reporting.

Reporting

Each enterprise adopts a reporting methodology that suits its business model. This is usually decided while working towards establishing the scope of the business impact analysis in order to ensure consistency during data gathering, collation, analysis and presentation.

Takeaways and Evaluation

The primary takeaways from a business impact analysis are as follows:

  • A group of activities that collectively contribute to the delivery of products, services and solutions
  • The maximum tolerable period of disruption (MTPD) for each activity along with its validation
  • Internal and external interdependent workflows

Year on year BIA reviews are highly recommended although the frequency should be higher during:

  • Significant business transformation
  • Organizational restructuring
  • Implementation of new technology
  • Commencing operations in a new facility
  • Rapidly evolving market trends and business ecosystem

The complete business impact analysis need not be repeated during further reviews. Enterprises can limit the exercise to business processes that will be in the line of impact when a future event occurs.

See for yourself how the application works
Witness our cloud based platform’s security capabilities in action
Play around with the software and explore its features
Compare and choose a solution that’s relevant to your organization
Consult our experts and decide on a pricing mechanism

Request a Demo

Disasters

[carousel id=’1780′ items=’4′ items_desktop=’3′ margin_right=’5′ navigation=’false’] [item img_link=”https://www.stayinbusiness.com/wp-content/uploads/2016/02/Chemical-Spills-Discharges.jpg” href=”https://www.stayinbusiness.com/resource/disaster-recovery/chemical-spills-and-discharges/”][item img_link=”https://www.stayinbusiness.com/wp-content/uploads/2016/02/Riots-Public-Disturbances.jpg” href=”https://www.stayinbusiness.com/resource/disaster-recovery/riots-and-public-disturbances/”][item img_link=”https://www.stayinbusiness.com/wp-content/uploads/2016/02/Terrorism.jpg” href=”https://www.stayinbusiness.com/resource/disaster-recovery/terrorism/”] [item img_link=”https://www.stayinbusiness.com/wp-content/uploads/2016/02/worst-product-recall.jpg” href=”https://www.stayinbusiness.com/resource/disaster-recovery/product-recall/”] [/carousel]

Request a Demo
Stay In Business