
Risk Assessment


Annex G


G. Business Impact Analysis

Elimination of all risk is not possible. The risk assessment provides a thorough analysis of the levels of risk and of the treatment methods required to bring risk to a level that is as low as reasonably practicable. The costs and benefits of treating a risk, and the potential to exploit opportunities, will affect the determination of which treatment methods bring risk to that level. The risk that remains after treatment (residual risk) needs further consideration so that contingency plans can be developed for it.

A business impact analysis (BIA) provides a structured approach to gaining information about the critical activities, functions, and processes of the organization and the associated resources necessary for an organization to mitigate the impacts of undesirable and disruptive events. The BIA:

  • Evaluates critical activities, functions, and processes and their role in achieving organizational objectives;

  • Determines the most critical activities, functions, and processes and the resources (assets) that are needed to achieve the desired outcome;

  • Prioritizes the critical activities, functions, and processes that must be operational to maintain an acceptable level of business functionality during and immediately following an unacceptable business interruption; and

  • Determines the time frames and resource requirements for maintaining critical activities, functions, and processes following a risk event, and for restoring operations to the level required to meet organizational objectives.

The organization may conduct a BIA on critical activities, functions, and processes related to its residual risk and develop contingency plans. The purpose of the BIA should be to determine:

  • Criticality - Every critical business function is identified (with its dependencies and interdependencies) and the impact of an undesirable or disruptive event on it is determined.

  • Maximum Downtime - Estimate the maximum downtime that can be tolerated while still maintaining viability. Management should determine the longest period of time that a critical process can be disrupted before recovery becomes unlikely.

  • Resource Requirements - Realistic recovery efforts require a thorough evaluation of the resources required to resume critical operations and related interdependencies as quickly as possible.

Timeframes and recovery objectives are typically defined in terms of:

  • Maximum Allowable Outage: Represents the maximum period of time that an organization can tolerate the loss of capability of a critical business function, process, or asset.

  • Recovery Time Objective: The period of time within which the organization's activities and resources must be recovered to an acceptable capability after a disruptive event, often expressed in hours or days. The RTO must not exceed the Maximum Allowable Outage, and a function's RTO cannot realistically be shorter than the RTO of anything it depends on.

  • Recovery Point Objective: The point in time to which products, organizational activities, or data must be restorable in a known, valid, and consistent state. Often viewed as the maximum tolerable loss (for data, the maximum acceptable age of the last usable backup or replica) and defined in hours or days.

The output of a business impact analysis typically includes:

  • Recovery time objectives and associated justification
  • Recovery point objectives and associated justification
  • Recovery capacity or performance at the recovery time objective
  • Timeframe when the organization requires 100% of operational capability
  • Prioritization of recovery resources
  • Content for response and recovery strategies
  • Revised acceptable disruption periods for products and services, where the analysis shows the original figures to be unrealistic
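The dependency, timeframe, and prioritization points above are easy to state and easy to get wrong on paper: a function can be given an RTO shorter than its MAO while still depending on a system whose own RTO is longer. The following Python is an added illustration and is not part of this standard or of any ASIS tool. It models a small constructed inventory of critical functions (the names, impact ratings, hours, and dependency links are all assumptions), derives a recovery order that respects dependencies while putting the highest-impact, shortest-MAO functions first, computes the recovery time each function can actually achieve given its upstream chain, and flags figures that are mutually inconsistent.

```python
"""BIA consistency check and dependency-aware recovery prioritisation.

Added illustration only. CriticalFunction, the ordering rule, and the
sample INVENTORY are constructed assumptions, not content of the standard.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class CriticalFunction:
    name: str
    mao_hours: float                 # Maximum Allowable Outage
    rto_hours: float                 # Recovery Time Objective (stated by management)
    rpo_hours: float                 # Recovery Point Objective
    impact: int                      # 1 (minor) .. 5 (severe) impact of disruption
    depends_on: tuple = ()           # upstream functions/resources this one needs


# Constructed sample inventory for a small online retailer (assumption).
INVENTORY = [
    CriticalFunction("identity_provider", mao_hours=4,  rto_hours=2,  rpo_hours=1,    impact=5),
    CriticalFunction("core_database",     mao_hours=8,  rto_hours=6,  rpo_hours=1,    impact=5),
    CriticalFunction("payments",          mao_hours=8,  rto_hours=6,  rpo_hours=0.25, impact=5,
                     depends_on=("identity_provider", "core_database")),
    CriticalFunction("web_storefront",    mao_hours=12, rto_hours=3,  rpo_hours=4,    impact=4,
                     depends_on=("payments", "core_database")),
    CriticalFunction("payroll",           mao_hours=72, rto_hours=96, rpo_hours=24,   impact=3,
                     depends_on=("identity_provider",)),
]


def check_consistency(functions):
    """Return human-readable findings; an empty list means the figures are coherent."""
    by_name = {f.name: f for f in functions}
    findings = []
    for f in functions:
        if f.rto_hours > f.mao_hours:
            findings.append(f"{f.name}: RTO {f.rto_hours}h exceeds MAO {f.mao_hours}h")
        for dep in f.depends_on:
            if dep not in by_name:
                findings.append(f"{f.name}: depends on unassessed function '{dep}'")
                continue
            # A function cannot be back before the things it needs are back.
            if by_name[dep].rto_hours > f.rto_hours:
                findings.append(
                    f"{f.name}: RTO {f.rto_hours}h is shorter than dependency "
                    f"'{dep}' RTO {by_name[dep].rto_hours}h")
    return findings


def recovery_order(functions):
    """Kahn's algorithm over the dependency graph: dependencies first; among
    functions that are ready, highest impact then shortest MAO recovers first.
    Raises ValueError if the inventory contains a circular dependency."""
    by_name = {f.name: f for f in functions}
    remaining = {f.name: {d for d in f.depends_on if d in by_name} for f in functions}
    order = []
    while remaining:
        ready = [n for n, deps in remaining.items() if not deps]
        if not ready:
            raise ValueError(f"circular dependency among {sorted(remaining)}")
        nxt = min(ready, key=lambda n: (-by_name[n].impact, by_name[n].mao_hours, n))
        order.append(nxt)
        del remaining[nxt]
        for deps in remaining.values():
            deps.discard(nxt)
    return order


def effective_rto(functions):
    """Achievable recovery time per function: its own RTO or the slowest upstream
    chain, whichever is later. Walking in recovery order guarantees every
    dependency's value is known before it is needed."""
    by_name = {f.name: f for f in functions}
    achieved = {}
    for name in recovery_order(functions):
        f = by_name[name]
        upstream = [achieved[d] for d in f.depends_on if d in achieved]
        achieved[name] = max([f.rto_hours] + upstream)
    return achieved


if __name__ == "__main__":
    for line in check_consistency(INVENTORY):
        print("FINDING:", line)
    print("Recovery order:", " -> ".join(recovery_order(INVENTORY)))
    for name, hours in effective_rto(INVENTORY).items():
        mao = next(f.mao_hours for f in INVENTORY if f.name == name)
        flag = "" if hours <= mao else "  (exceeds MAO)"
        print(f"{name:18s} achievable RTO {hours:>5}h / MAO {mao:>5}h{flag}")
```

On the sample inventory the check reports three findings: the storefront's stated 3-hour RTO is shorter than both the payments and database RTOs it depends on, and payroll's 96-hour RTO exceeds its 72-hour MAO. The achievable-RTO table then shows the storefront cannot actually be back before hour 6, which is the kind of figure that feeds the "reset of acceptable disruption periods" output above.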

Many methodologies exist for conducting a BIA. The methodology should be tailored to the decision-making needs of the organization and achievement of organizational objectives. The following three figures present a generalized approach to conducting a business impact analysis.


Figure 16: Business Impact Analysis (BIA)


Figure 17: Example of BIA Methodology


Figure 18: Example of BIA Process
