G. Business Impact Analysis
Elimination of all risk is not possible. The risk assessment provides a thorough analysis of the levels of risk and of the treatment methods required to bring risk to a level that is as low as reasonably practical. The costs and benefits of treating a risk, and the potential to exploit opportunities, will affect which treatment methods are chosen. The risk that remains after treatment (residual risk) needs further consideration so that contingency plans can be developed for it.
A business impact analysis (BIA) provides a structured approach to gathering information about the critical activities, functions, and processes of the organization and the resources they depend on, so that the organization can mitigate the impacts of undesirable and disruptive events. The BIA:
Evaluates critical activities, functions, and processes and their role in achieving organizational objectives;
Determines the most critical activities, functions, and processes and the resources (assets) that are needed to achieve the desired outcome;
Prioritizes the critical activities, functions, and processes that must be operational to maintain an acceptable level of business functionality during and immediately following an unacceptable business interruption; and
Determines the time frames and resource requirements for maintaining critical activities, functions, and processes following a risk event, and for restoring operations to the level required to meet organizational objectives.
The organization may conduct a BIA on critical activities, functions, and processes related to its residual risk and develop contingency plans. The purpose of the BIA should be to determine:
Criticality - Every critical business function is identified (with its dependencies and interdependencies) and the impact of an undesirable or disruptive event on it is determined.
Maximum Downtime - Estimate the maximum downtime that can be tolerated while the organization remains viable. Management should determine the longest period of time that a critical process can be disrupted before recovery becomes unlikely.
Resource Requirements - Realistic recovery efforts require a thorough evaluation of the resources (people, facilities, systems, data, suppliers) required to resume critical operations and their interdependencies as quickly as possible.
Timeframes and recovery objectives are typically defined in terms of:
Maximum Allowable Outage: The maximum period of time that an organization can tolerate the loss of capability of a critical business function, process, or asset.
Recovery Time Objective: The period of time within which a business's activities and resources must be recovered to an acceptable capability after a disruptive event, often expressed in hours or days. A function's recovery time objective must not exceed its maximum allowable outage; if it does, the recovery strategy cannot satisfy the business requirement.
Recovery Point Objective: The point in time to which products, organizational activities, or data must be restored in a known, valid, and consistent state. It is often viewed as the maximum tolerable amount of data loss and is expressed in hours or days.
The output of a business impact analysis typically includes:
- Recovery time objectives and associated justification
- Recovery point objectives and associated justification
- Recovery capacity or performance at the recovery time objective
- Timeframe when the organization requires 100% of operational capability
- Prioritization of recovery resources
- Content for response and recovery strategies
- Revision of product/service acceptable disruption periods, as needed
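The consistency checks a reviewer applies to BIA output (the criticality and dependency findings above, the recovery objectives, and the prioritization of recovery resources) can be made mechanical. The following is an added illustration, not part of the original document or any particular BIA methodology; it uses a constructed worksheet of five hypothetical processes and two rules that are assumed here: a recovery time objective must fit inside the maximum allowable outage, and a process cannot be recovered faster than the processes it depends on, so its effective RTO is the larger of its own RTO and the effective RTO of its dependencies.

```python
"""Added example: consistency checks over a constructed BIA worksheet.
Process names, objectives and dependencies are made up for illustration."""
from dataclasses import dataclass, field


@dataclass
class Process:
    name: str
    mao_hours: float                 # Maximum Allowable Outage
    rto_hours: float                 # Recovery Time Objective
    rpo_hours: float                 # Recovery Point Objective (data loss tolerance)
    depends_on: list[str] = field(default_factory=list)


def effective_rto(procs, name, path=()):
    """RTO the process can actually meet: its own RTO or the slowest of its
    transitive dependencies, whichever is larger.  Raises on a dependency cycle."""
    if name in path:
        raise ValueError("dependency cycle: " + " -> ".join(path + (name,)))
    p = procs[name]
    dep_rtos = [effective_rto(procs, d, path + (name,)) for d in p.depends_on]
    return max([p.rto_hours] + dep_rtos)


def dependency_depth(procs, name):
    """0 for a process with no dependencies; used only to order recovery work."""
    p = procs[name]
    if not p.depends_on:
        return 0
    return 1 + max(dependency_depth(procs, d) for d in p.depends_on)


def has_cycle(procs):
    try:
        for n in procs:
            effective_rto(procs, n)
    except ValueError:
        return True
    return False


def check_bia(procs):
    """Return human-readable findings; an empty list means the worksheet is consistent."""
    findings = []
    for p in procs.values():
        for d in p.depends_on:
            if d not in procs:
                findings.append(f"{p.name}: depends on unknown process {d}")
    if findings or has_cycle(procs):
        return findings or ["dependency cycle present; fix the worksheet first"]
    for p in procs.values():
        # Rule 1 (assumed): the RTO must fit inside the MAO.
        if p.rto_hours > p.mao_hours:
            findings.append(f"{p.name}: RTO {p.rto_hours}h exceeds MAO {p.mao_hours}h")
        # Rule 2 (assumed): a process cannot come back before its dependencies.
        for d in p.depends_on:
            dep_rto = effective_rto(procs, d)
            if dep_rto > p.rto_hours:
                findings.append(f"{p.name}: RTO {p.rto_hours}h is shorter than dependency "
                                f"{d} (effective RTO {dep_rto}h)")
        eff = effective_rto(procs, p.name)
        if eff > p.mao_hours and p.rto_hours <= p.mao_hours:
            findings.append(f"{p.name}: effective RTO {eff}h (via dependencies) exceeds MAO {p.mao_hours}h")
    return findings


def recovery_order(procs):
    """Prioritization of recovery resources: shortest effective RTO first,
    dependencies before the processes that rely on them."""
    return sorted(procs, key=lambda n: (effective_rto(procs, n), dependency_depth(procs, n), n))


def sample_bia():
    """Constructed worksheet (hypothetical processes and hours)."""
    rows = [
        Process("payments",   mao_hours=4,  rto_hours=2,  rpo_hours=1,   depends_on=["identity", "database"]),
        Process("identity",   mao_hours=8,  rto_hours=1,  rpo_hours=4),
        Process("database",   mao_hours=6,  rto_hours=3,  rpo_hours=0.5),
        Process("reporting",  mao_hours=72, rto_hours=48, rpo_hours=24,  depends_on=["database"]),
        Process("web_portal", mao_hours=2,  rto_hours=4,  rpo_hours=1,   depends_on=["identity"]),
    ]
    return {p.name: p for p in rows}


if __name__ == "__main__":
    bia = sample_bia()
    for finding in check_bia(bia):
        print("FINDING:", finding)
    print("recovery order:", " -> ".join(recovery_order(bia)))
```

On the constructed data the check reports two findings: web_portal has an RTO longer than its MAO, and payments claims a 2-hour RTO while the database it depends on needs 3 hours. The recovery order it produces places identity and database ahead of payments and web_portal, which is what the prioritization in the BIA output is meant to capture.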
Many methodologies exist for conducting a BIA. The methodology should be tailored to the decision-making needs of the organization and achievement of organizational objectives. The following three figures present a generalized approach to conducting a business impact analysis.
Figure 16: Business Impact Analysis (BIA)
Figure 17: Example of BIA Methodology
Figure 18: Example of BIA Process