Annex D

ATTENTION: This page is intended to be viewed online and may not be printed or copied.

Annex D

(informative)

D. Business Impact Analysis

Elimination of all risk is not possible. The risk assessment provides a thorough analysis of the levels of risk and the treatment methods required to bring risk to a level that is as low as reasonably practical. The costs and benefits of treating a risk and the potential to exploit opportunities will affect the determination of what treatment methods will bring risk to a level that is as low as reasonably practical. Residual risks need further consideration to develop contingency plans.

A business impact analysis (BIA) provides a structured approach to gaining information about the critical activities, functions, and processes of the organization and the associated resources necessary for an organization to mitigate the impacts of undesirable and disruptive events. The BIA identifies the likely and potential impacts from undesirable and disruptive events on the organization or its processes and the criteria to be used to quantify and qualify such impacts.

The criteria to measure and assess the financial, operational, customer, regulatory and/or reputational impacts need to be defined, accepted and used consistently to establish the recovery objectives for each organizational process. The result of this analysis is to identify time sensitive processes and the requirements to recover them in an acceptable timeframe. The BIA:

Evaluates critical activities, functions, and processes and their role in achieving organizational objectives;
Determines the most critical activities, functions, and processes and the resources (assets) that are needed to achieve the desired outcome;
Prioritizes the critical activities, functions, and processes that must be operational to maintain an acceptable level of business functionality during and immediately following an unacceptable business interruption; and
Determines the time frames and resource requirements to maintain critical activities, functions, and processes following a risk event to restore operations to the level required to meet organizational objectives.

The organization may conduct a BIA on critical activities, functions, and processes related to its residual risk and develop contingency plans. The purpose of the BIA should be to determine:

Criticality - Every critical business function is identified (with related dependencies and interdependencies) and the impact of an undesirable or disruption event determined.
Maximum Downtime - Estimate the maximum downtime that can be tolerated while still maintaining viability. Management should determine the longest period of time that a critical process can be disrupted before recovery becomes unlikely.
Resource Requirements - Realistic recovery efforts require a thorough evaluation of the resources required to resume critical operations and related interdependencies as quickly as possible.

Timeframes and recovery objectives should consider:

The maximum period of time that an organization can tolerate the loss of capability of a critical business function, process, or asset.
The period of time a business’ activities and resources must be recovered to an acceptable capability after a disruptive event, often defined in hours or days.
The point in time to which products, organizational activities, or data in a known, valid or integral state, can be restored from. Often viewed as the maximum amount of loss tolerance and defined in hours or days.

The output also includes:

Timeframe when the organization requires 100% of operational capability;
Prioritization of recovery resources;
Content for response and recovery strategies; and
Reset of product/service acceptable disruption periods, as needed.

The methodology should be tailored to the decision-making needs of the organization and achievement of organizational objectives. The following three figures present a generalized approach to conducting a business impact analysis.