
Simplification and a refocus on criticality: the next step for the BIA?

Published in Continuity Central, January 2022


The Business Impact Analysis is central to establishing a resilient organisation, yet it remains a contested and misunderstood methodology. At its simplest, the BIA should be used to analyse the impact over time of a disruption on the organisation and orientate it around what is critical to its continued survival. In this way resources can be prioritised and allocated to develop capabilities and mitigations that, in the event of a disruption, will allow the organisation to continue to deliver its outputs at a pre-defined minimum level within a set time frame. In this regard, it is a planning tool that sets recovery objectives and codifies what must be recovered, in what order, across an organisation.

One of the main areas of contention is the degree of detail needed to conduct a BIA, establish the recovery timeframes and set minimum levels of output. ISO 22310:2019 (Business Continuity Management Systems) requires organisations to “implement and maintain systematic processes for analysing the business impact and assessing the risks of disruption,” but is not prescriptive as to how this should be achieved. To address this, the Business Continuity Institute in its Good Practice Guidelines has sought, over several iterations, to provide a ‘how to guide’ to practitioners. However, in trying to provide utility to the spectrum of organisations and their differing requirements, the Good Practice Guidelines has perhaps complicated matters by describing four different processes but calling each a Business Impact Analysis.

This article argues that one simple BIA process, comprising a series of deductive steps conducted to a level of detail sufficient to allow an organisation to prioritise its activities and allocate resources, may be a better approach; often this will be inherently subjective.

Ultimately, the BIA remains an essential analytical tool to understand what is critical to an organisation, upon which adaptive contingency plans and crisis response mechanisms can be built.


