How many days can payroll be down before it impacts your business?
What about the servers that power customer networks? Or that internal VPN employees use to work remotely?
An hour? A day? A few weeks?
If you’re like many companies we talk to, you may not know how long your business could survive without critical systems and business processes.
For that reason, a thorough business impact analysis (BIA) is one of the most important steps we take when working with new clients.
Here’s what a business impact analysis is, why it’s important, and what you’ll learn by doing one.
What Is a Business Impact Analysis?
Here’s the formal definition of a business impact analysis from the ISO 22301 Standard:
- The process of analyzing the impact over time of a disruption on the organization.
To say it more clearly: A business impact analysis is a thorough examination that exposes the likely impact a business disruption will have on the revenue, expenses, operations, and reputation of your company.
Here’s an example of what an impact analysis report looks like, including the impact over time across six different factors.
For example, we’ve worked for several years with a company that sells cloud-based software as a service (SaaS).
If its product goes offline for even a minute, it will experience an increase in expenses and a negative reputational impact as customers begin to complain — often using social media to do so.
A prolonged outage will cost revenue as well — in the form of lost business and refunds to calm angry customers.
These are some of the issues we look at when conducting a business impact analysis.
Key to addressing those issues is establishing a recovery time objective (RTO) for each critical system and business process.
Recovery Time Objectives
Business disruptions aren’t usually isolated.
If a hurricane knocks your data center offline, your customers might be locked out of their systems, payroll might be down, the intranet might be inaccessible, and more.
Over and over, we’ve seen companies make the same mistake in this situation: They try to recover every system and every process all at once. And it’s a mistake that can easily cost a company millions of dollars.
That’s why recovery time objectives (RTOs) are so important.
Some systems and processes need to be recovered now — usually, these are the ones that generate revenue: customer products and records, sales pages on an eCommerce website, or similar systems.
Every minute these systems are down, they cost you money.
Other systems need to be recovered, but they don’t necessarily have to be recovered immediately.
Payroll, for example, needs to be recovered quickly — but not necessarily ahead of revenue-generating systems.
A business impact analysis looks at each critical system in your business and assigns it an RTO.
With recovery time objectives in place, we can build a prioritized list of systems and processes to recover during a disruption — a key first step when creating a business continuity plan.
Implications of Not Performing a Comprehensive BIA
I once worked with a company to examine over a dozen key areas of their business as we developed a new set of continuity plans.
The executive leadership team came to me with the areas they thought were critical, and I did my best to create plans that addressed those areas.
A year later, the same company asked for a company-wide business impact analysis, which we completed on their behalf.
Our analysis identified over 25 teams and dozens of processes as “critical” for recovery in the aftermath of a disruption, far more than the executive team asked us to work on when they first engaged with us.
Unfortunately, this is a common story: the areas you think are critical for recovery might not be the ones that are the most critical.
In addition, without a comprehensive business impact analysis, you might have the following struggles:
1. No method for prioritizing recovery efforts
When dozens of systems and processes go down, which ones should you work to recover first?
If you don’t know, you’ll spend hours and days trying to figure out what to prioritize, a mistake that could easily cost a large company millions in expenses, lost revenue, or a damaged brand reputation.
2. Lack of executive support
I often talk with leaders who would like senior management to invest more in business continuity. But they sometimes struggle to communicate the value of resilience or the specific costs and other impacts the business might face during a disruption.
This is a sign the company probably hasn’t conducted a thorough BIA. Without one, operations leaders might lack the concrete, detailed financial estimates and qualitative data needed to convince senior leadership to invest in resiliency. And they struggle to earn support for their program as a result.
How a Business Impact Analysis Is Conducted
Here’s the process we follow when conducting a business impact analysis:
1. Scope the Need
Each BIA is different because each business is different. For that reason, our first step is to scope the need and determine what areas we need to look at.
A non-profit will have different resiliency needs than a major utility or a healthcare network, so we customize our approach to each situation.
2. Schedule BIA Interviews and Assign Prework
In step two, we identify everyone we need to interview and send them prework to complete before our conversation.
Usually, the prework includes basic questions about their responsibilities and their history with previous business disruptions. That way they come to the interview with a clear idea of what we’ll be discussing.
3. Conduct BIA Interviews
The interviews are the most important part of the process — because this is where we uncover the strengths and weaknesses of your systems and processes.
Most interviews go for one to two hours, depending on the complexity of the system or process.
We discuss systems, their impact on the business, dependencies on technology, third-party services, suppliers, facilities, and anything else relevant to business continuity in their area.
4. Prepare and Present a BIA Report
When all the interviews are complete, we aggregate everything we’ve learned, including the impact of a disruption to revenue, expenses, and reputation in every area we’ve examined.
Our report also includes our analysis of key systems and business processes, along with recovery time objectives for every area. The report also captures the interdependence of operations within your organization.
This is a report you can take to your senior management to present our results, and our staff can join you to present our findings if needed.
The Value of a Business Impact Analysis
Years ago, I was invited to speak with the board of directors of a large corporation that wanted to strengthen its business continuity program.
I joined them for a meeting and started asking questions about their efforts.
They had a wealth of documentation, including a full business continuity document. I was encouraged by their efforts — because it showed they were invested.
But then, I asked to see their business impact analysis.
“We don’t have one of those,” they told me.
Sure enough, after we completed a full BIA for them, we identified a host of systems and processes that were critical to their business — but weren’t part of their business continuity plans.
A Business Impact Analysis Is the Foundation of a Quality Business Continuity Program
Without a BIA, you’ll lack the data to properly prioritize your business continuity plan. In the worst case, you may even be overlooking critical systems and processes you never thought to include in the first place.
Without a BIA, you’re blind to the full impact a disruption could have on your revenue, expenses, and reputation.
With a BIA, you’ll have the data you need to plan a business continuity program that protects the most critical systems and processes first — and gives you a roadmap for recovering everything else in order of importance.