Security and Resilience in Organizations and their Supply Chains

Annex D

D. Business Impact Analysis

Elimination of all risk is not possible. The risk assessment provides a thorough analysis of the levels of risk and of the treatment methods required to bring risk to a level that is as low as reasonably practical. The costs and benefits of treating a risk, and the potential to exploit opportunities, affect which treatment methods are chosen to bring risk to that level. The risk that remains after treatment (residual risk) needs further consideration in order to develop contingency plans.

A business impact analysis (BIA) provides a structured approach to gaining information about the critical activities, functions, and processes of the organization and the associated resources necessary for an organization to mitigate the impacts of undesirable and disruptive events. The BIA identifies the likely and potential impacts from undesirable and disruptive events on the organization or its processes and the criteria to be used to quantify and qualify such impacts.

The criteria used to measure and assess financial, operational, customer, regulatory and/or reputational impacts need to be defined, accepted and applied consistently so that recovery objectives can be established for each organizational process. The result of the analysis is the identification of time-sensitive processes and of the requirements to recover them within an acceptable timeframe. The BIA:

  • Evaluates critical activities, functions, and processes and their role in achieving organizational objectives;

  • Determines the most critical activities, functions, and processes and the resources (assets) that are needed to achieve the desired outcome;

  • Prioritizes the critical activities, functions, and processes that must be operational to maintain an acceptable level of business functionality during and immediately following an unacceptable business interruption; and

  • Determines the time frames and resources required to maintain critical activities, functions, and processes following a risk event, and to restore operations to the level required to meet organizational objectives.

The organization may conduct a BIA on critical activities, functions, and processes related to its residual risk and develop contingency plans. The purpose of the BIA should be to determine:

  • Criticality - Every critical business function is identified (with its dependencies and interdependencies) and the impact of an undesirable or disruptive event on it is determined.

  • Maximum Downtime - Estimate the maximum downtime that can be tolerated while still maintaining viability. Management should determine the longest period of time that a critical process can be disrupted before recovery becomes unlikely.

  • Resource Requirements - Realistic recovery efforts require a thorough evaluation of the resources required to resume critical operations and related interdependencies as quickly as possible.

Timeframes and recovery objectives should consider:

  • The maximum period of time that an organization can tolerate the loss of capability of a critical business function, process, or asset (the maximum tolerable period of disruption).

  • The period of time within which the organization's activities and resources must be recovered to an acceptable capability after a disruptive event (the recovery time objective), often defined in hours or days. It must not exceed the maximum tolerable period of disruption.

  • The point in time to which products, organizational activities, or data in a known, valid and integral state can be restored (the recovery point objective). It is often viewed as the maximum tolerable data loss and is defined in hours or days.

The output also includes:

  • Timeframe when the organization requires 100% of operational capability;
  • Prioritization of recovery resources;
  • Content for response and recovery strategies; and
  • Reset of product/service acceptable disruption periods, as needed.
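The three objectives above (maximum tolerable period of disruption, MTPD; recovery time objective, RTO; recovery point objective, RPO), together with the dependency mapping called for under Criticality, lend themselves to a consistency check that a practitioner would run over a completed BIA register before building recovery strategies from it. The following is an added example written for this page and is not part of the standard: process names, objectives and dependencies are constructed. It flags objectives that cannot all be met at once (an RTO longer than the MTPD, or a process whose RTO is shorter than that of a dependency it needs), and derives a dependency-respecting recovery sequence in which, among the processes ready to be restored, the one with the shortest RTO goes first.

```python
"""Consistency check and recovery sequencing for a BIA register (added example)."""
from dataclasses import dataclass
import heapq


@dataclass(frozen=True)
class Process:
    """One critical activity, function or process as captured in the BIA."""
    name: str
    mtpd_h: float          # maximum tolerable period of disruption, in hours
    rto_h: float           # recovery time objective, in hours
    rpo_h: float           # recovery point objective, in hours of data loss tolerated
    depends_on: tuple = () # names of processes this one cannot operate without


def validate(processes):
    """Return findings where the stated objectives cannot be met together."""
    by_name = {p.name: p for p in processes}
    findings = []
    for p in processes:
        # An RTO beyond the MTPD means recovery is planned to arrive too late.
        if p.rto_h > p.mtpd_h:
            findings.append(f"{p.name}: RTO {p.rto_h}h exceeds MTPD {p.mtpd_h}h")
        for d in p.depends_on:
            dep = by_name.get(d)
            if dep is None:
                findings.append(f"{p.name}: depends on unknown process {d!r}")
                continue
            # A process cannot be back before a dependency it needs is back.
            if dep.rto_h > p.rto_h:
                findings.append(
                    f"{p.name}: RTO {p.rto_h}h is unachievable because "
                    f"dependency {d} has RTO {dep.rto_h}h"
                )
    return findings


def recovery_order(processes):
    """Topological recovery sequence; ties among ready processes go to the shortest RTO."""
    by_name = {p.name: p for p in processes}
    indegree = {p.name: 0 for p in processes}
    dependents = {p.name: [] for p in processes}
    for p in processes:
        for d in p.depends_on:
            if d in by_name:
                indegree[p.name] += 1
                dependents[d].append(p.name)
    # Min-heap keyed on RTO so the most time-sensitive ready process is restored first.
    ready = [(by_name[n].rto_h, n) for n, deg in indegree.items() if deg == 0]
    heapq.heapify(ready)
    order = []
    while ready:
        _, n = heapq.heappop(ready)
        order.append(n)
        for m in dependents[n]:
            indegree[m] -= 1
            if indegree[m] == 0:
                heapq.heappush(ready, (by_name[m].rto_h, m))
    if len(order) != len(processes):
        stuck = sorted(set(indegree) - set(order))
        raise ValueError("circular dependency among: " + ", ".join(stuck))
    return order


# Constructed sample register; figures are illustrative, not from any real organization.
SAMPLE = [
    Process("identity", mtpd_h=6, rto_h=2, rpo_h=1),
    Process("database", mtpd_h=12, rto_h=8, rpo_h=0.25),
    Process("payments", mtpd_h=8, rto_h=4, rpo_h=0.25, depends_on=("identity", "database")),
    Process("reporting", mtpd_h=48, rto_h=72, rpo_h=24, depends_on=("database",)),
]

if __name__ == "__main__":
    for f in validate(SAMPLE):
        print("FINDING:", f)
    print("recovery order:", " -> ".join(recovery_order(SAMPLE)))
```

On the sample register the check reports two findings: the payments RTO of 4 hours cannot be met while the database it depends on has an RTO of 8 hours, and the reporting RTO of 72 hours exceeds its own MTPD of 48 hours. Either the dependency's objective has to be tightened or the dependent's relaxed; the recovery sequence (identity, database, payments, reporting) shows the order in which resources would actually be consumed.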

The methodology should be tailored to the decision-making needs of the organization and achievement of organizational objectives. The following three figures present a generalized approach to conducting a business impact analysis.

Figure 3: Business Impact Analysis (BIA)

Figure 4: Example of BIA Methodology

Figure 5: Typical BIA Activities
