Running head: BUSINESS IMPACT ANALYSIS
Business Impact Analysis
John Intindolo
August 30, 2014
ISSC490- Business Continuity
Dr. Ronald Booth
American Public University
A business impact analysis (BIA) is perhaps the most significant opening research segment of business
continuity planning. It is where questions are formulated, the lists of individuals to be interviewed
are arranged, interviews are conducted, and the results of those interviews are then thoroughly
analyzed. The significance of those results is to help an organization identify the areas of the
business that are the most critical, and the financial impact that a loss of those areas would have on
the organization. The BIA performed varies depending on both the size of the organization and the
sector the organization falls under. A BIA for a small to medium-sized business will differ from one
for a large consulting firm, for example. Additionally, a BIA in the private sector will differ from
one performed in the public sector.
Regardless of the size or sector of the organization, there are options such as hiring a BIA company
to perform the BIA, or keeping a BIA team on the company payroll that will use software tools and
decide on the best practices for a successful BIA. A successful BIA is one that enables the
organization to effectively recover its business operations no matter what the circumstances may be.
Furthermore, it will help to identify both direct costs (such as the immediate cost of a disruption in
service) and indirect costs (such as the loss of customer goodwill and the cost associated with
restoring it). Once the BIA has been performed and analyzed, and the executives of the company have
been shown the financial impact of losing a critical component of the company, they can see why it is
reasonable to spend more money on preventing a disruption.
Since a BIA is a part, and perhaps the most important part, of business continuity planning (BCP), it
is a good idea to first have knowledge of BCP, its history, and the regulatory compliance associated
with it. BCP was at one time merely a method for operations managers to protect an organization’s
data, but over the years it has evolved to become a comprehensive approach to
ensure that critical business functions remain available in the event of a disaster. After the 9/11
attacks, the Federal Reserve Board, U.S. Securities and Exchange Commission, and Office of the
Comptroller of the Currency (OCC) developed the Interagency Paper on Sound Practices to
Strengthen the Resilience of the U.S. Financial System, which required all financial institutions to
upgrade their DRP/BCP and allowed the OCC to take punitive action against financial institutions
that were non-compliant (Thomasson, 2014). Some of the improvements included annual testing of
the BCP, a Recovery Time Objective (RTO), and a Recovery Point Objective (RPO).
The RTO defines the maximum time that a process will remain down, while the RPO details what is
an acceptable restore point. The surge in business continuity regulations and standards after 9/11
did not apply only to financial institutions, however. Prior to 9/11, hospitals did not have
well-thought-out disaster plans in place and were ill-equipped to respond suitably to large-scale
events. In order to improve hospitals’ response capabilities, President Bush developed the
Hospital Preparedness Program (HPP) in 2002 (Hartwell, 2012). Some of the improvements
made include preparing for surge capacity, working with other local agencies, preparing for
chemical/bioterrorist attacks, making different systems and areas of hospitals collaborate in
communications, training and practicing drills with first responders, and re-evaluating the standards
of care.
Some of the other major regulatory standards that have been updated are the Sarbanes-Oxley
Act of 2002 (SOX), the National Institute of Standards and Technology (NIST) Special Publications,
and the Control Objectives for Information and Related Technology (COBIT). SOX applies to
publicly traded companies and is meant to protect investors from financial fraud, while NIST SP
800-37 is a standard published by the U.S. government specifically for computer systems that they
own or operate (Wallace & Webber, 2011, pp. 481, 239). COBIT is a list of best practices for IT
management, and can help to develop appropriate IT governance and control within an
organization. Noncompliance may result in fines and/or legal fees. It is the responsibility of the
organization, not the enforcement agency, to comply with the laws and regulations; therefore, it is
important to make inquiries if unsure of any laws.
Now that the history of BCP and regulatory compliance has been discussed, it is time to move
on to the topic of the business impact analysis. The BIA “predicts the consequences of disruption of
a business function and process and gathers information needed to develop recovery strategies,”
and in doing so allows the higher-ups in the organization to determine how much money will be
invested in recovery strategies, disaster prevention, and mitigation strategies (“Business impact
analysis,” 2014). It will show what the critical business operations (those that must be functional to
maintain business continuity) are, the cost associated with keeping them functional, and the priority
level of maintaining their functionality based upon their cost. In other words, if the cost of a
disruption of service will be high, then it makes sense to put more resources into preventing the
outage from occurring.
When speaking of a BIA, there are several terms that play a key role and need to be understood.
First is the maximum acceptable outage (MAO), which is defined as the amount of time that can
pass before a disruption in service becomes intolerable (“Plain english iso,” 2014).
Therefore, if the MAO is two hours, a failed system needs to be restored within two hours before it
affects normal business operations. Two other important terms of a BIA are the RPO and RTO,
which were both discussed earlier. The RPO describes what needs to be done in order to restore a
system following a disruption. The RPO must fall within the MAO timeframe in
order to maintain business continuity. Meanwhile, the RTO describes the amount of time it takes to
recover from a disruption, and once again must be within the MAO.
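The relationship between MAO, RTO and RPO described above, as an added example that is not part of the original paper: a small Python model of BIA questionnaire results that flags any critical function whose RTO or RPO falls outside its MAO, adds a backup-interval check (an assumption of this example, not a rule from the paper) to test whether the stated RPO is actually achievable, and ranks functions by the tangible loss of an outage. All function names and dollar figures are constructed sample values.

```python
from dataclasses import dataclass
from typing import List


@dataclass
class CriticalFunction:
    """One critical business function (CBF) as captured on a BIA questionnaire.

    All figures are constructed sample values, not data from the paper."""
    name: str
    mao_hours: float              # maximum acceptable outage
    rto_hours: float              # recovery time objective: time to recover
    rpo_hours: float              # recovery point objective, modelled here as the
                                  # acceptable data-loss window (an assumption)
    loss_per_hour: float          # tangible loss in dollars per hour of outage
    backup_interval_hours: float  # how often the function's data is backed up


def recovery_gaps(f: CriticalFunction) -> List[str]:
    """Return the ways a function's recovery targets are inconsistent.

    The paper's rule is that both RTO and RPO must fall within the MAO.
    The backup-interval check is an added, practical test of whether the
    stated RPO can be met at all: data is only as fresh as the last backup."""
    gaps = []
    if f.rto_hours > f.mao_hours:
        gaps.append(f"RTO {f.rto_hours}h exceeds MAO {f.mao_hours}h")
    if f.rpo_hours > f.mao_hours:
        gaps.append(f"RPO {f.rpo_hours}h exceeds MAO {f.mao_hours}h")
    if f.backup_interval_hours > f.rpo_hours:
        gaps.append(f"backups every {f.backup_interval_hours}h cannot meet RPO {f.rpo_hours}h")
    return gaps


def outage_exposure(f: CriticalFunction) -> float:
    """Worst-case tangible loss if recovery takes the full RTO."""
    return f.rto_hours * f.loss_per_hour


def prioritize(functions: List[CriticalFunction]) -> List[CriticalFunction]:
    """Rank functions by exposure, highest first: the BIA's priority list."""
    return sorted(functions, key=outage_exposure, reverse=True)


def bia_summary(functions: List[CriticalFunction]) -> List[dict]:
    """Compile the BIA data into one row per function, ranked by exposure."""
    return [
        {"name": f.name, "exposure_usd": outage_exposure(f), "gaps": recovery_gaps(f)}
        for f in prioritize(functions)
    ]


# Constructed sample questionnaire results (not from the paper).
SAMPLE_FUNCTIONS = [
    CriticalFunction("Wireless sales", mao_hours=2, rto_hours=4,
                     rpo_hours=1, loss_per_hour=50_000, backup_interval_hours=1),
    CriticalFunction("Network infrastructure", mao_hours=1, rto_hours=0.5,
                     rpo_hours=0.25, loss_per_hour=120_000, backup_interval_hours=0.25),
    CriticalFunction("Payroll", mao_hours=72, rto_hours=24,
                     rpo_hours=4, loss_per_hour=1_000, backup_interval_hours=24),
]

if __name__ == "__main__":
    for row in bia_summary(SAMPLE_FUNCTIONS):
        status = "OK" if not row["gaps"] else "; ".join(row["gaps"])
        print(f"{row['name']:<24} ${row['exposure_usd']:>10,.0f}  {status}")
```

The two flagged rows are the "gaps within the recovery plan" a BIA is meant to surface: a recovery target that is slower than the business can tolerate, and a backup schedule that makes the stated RPO unreachable.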
The last two terms of focus are critical business functions (CBFs) and critical success factors
(CSFs). CBFs are any functions vital to the organization whose failure will cause essential
operations to cease, and CSFs are anything that is necessary to maintain business continuity
(Gibson, 2010, p. 311). If, for instance, the Verizon Wireless sales department were down due to a
power outage, then it would be unable to sell to its customers. Therefore, the Verizon Wireless
sales department can be considered a CBF of Verizon Wireless. An example of a CSF would be a
company’s network infrastructure, because if it fails so will all other business functions. So what are
the benefits of a BIA?
The next area of a BIA to be discussed is the benefits and importance of a BIA. A BIA can
provide many benefits to an organization, some of which have already been discussed. Some
of those benefits include the following: identifying and prioritizing the most critical business functions
that are in need of protection, determining the impact of a loss of a critical function and its
associated costs, determining the MAO, RTO, and RPO of critical business functions, and
recognizing the critical resources required for the operation of business functions, for example the
people or equipment that operate them.
The significance of conducting a BIA varies as well. One way that a successful BIA shows
its importance is that it illustrates to executive management where the organization is vulnerable.
Additionally, a disruption of a system or function can negatively impact an organization monetarily;
therefore, a BIA is important because it can help to mitigate these disruptions. These disruptions can
have both a tangible and an intangible effect on the organization’s financial well-being. The following
is a list of tangible items that could negatively impact the business fiscally: loss of revenue because
items cannot be shipped or services cannot be delivered, penalties imposed by customers
because orders are late or lost, and legal penalties for noncompliance with government regulations
(Shannon, 2010, p. 18). Intangible losses include loss of customer goodwill, damage to the
organization’s image, and reduced assurance that the organization is a dependable merchant. The
next area of focus is conducting a BIA.
Performing a BIA is not a simple matter, and requires a well-thought-out and well-executed plan
(that stands as its own assignment within the overall disaster recovery plan) in order to be deemed a
success. The very first step in a BIA is to appoint a sponsor. The sponsor should be an executive
within the organization because the BIA will deal with every aspect of the organization. Having an
executive sponsor will help to ensure the BIA’s success and will get other departments within the
organization to cooperate as well as place a priority on the BIA (Hogan, 2014). The role of the
sponsor is to select the project manager, communicate to other departments the importance of
participating in the BIA, address any inquiries about the BIA, and approve the BIA report to be
submitted to the higher-ups within the organization.
The project manager of the BIA is going to be the centerpiece of the entire BIA. This person
will be the moderator for all discussion amongst the different department heads about the actual
value of each department to the organization. This can sometimes be a highly contested debate
between department heads as to which department has greater value to the company.
Furthermore, it is the project manager’s responsibility to assemble a BIA team and create a formal
plan for the project (that outlines the duties of the individuals within the BIA team). If the project
manager is chosen from within the organization, that person has the advantage of knowing the inner
workings of the organizational structure, but could also be swayed by in-house relationships with
department heads. Choosing a person from outside of the organization will keep that from being an
issue, but also exposes any possible company issues to a third party. Once a project manager has
been chosen, they will begin to form a BIA team.
The BIA team consists of several business analysts who report directly to the project
manager. Once the BIA team has been created, the process of BIA data collection may begin.
Finding out the most vital functions within an organization can differ depending on who is being
asked; therefore, every department head within the organization (based on the organizational flow
chart) should take a questionnaire that will help to put a quantifiable value on each function’s
financial and legal impact on the organization. The data collection process is performed in
the following manner: identify who will be given the questionnaire, develop the questionnaire to
collect data from each department, provide training on how to properly respond to the
questionnaire, follow up with each department to ensure the questionnaire has been completed in a
timely fashion, review unclear or incomplete responses with those given the questionnaire, conduct
review meetings with each department to discuss their responses, and finally compile and summarize
the BIA data so that it may be reviewed by the various executives within the organization
(Wallace & Webber, 2011, p. 27).
Once the data is collected, each process is assessed for how critical it is to the
organization’s ability to maintain business operations. This is also where the Maximum Acceptable
Outage, Recovery Time Objective, and Recovery Point Objective are all determined. The process
of a BIA varies depending on the size of the business. Between a small to medium-sized
business and a large business, the biggest variant is the frequency of exercising
and reviewing business continuity management. In a larger business that sees a high rate of change,
the exercising will be more frequent, for example. The following four exercises will help to ensure
that the organization has a reliable and proven BCP: testing different elements of the plan,
discussion-based exercises for training purposes and to validate a new plan, table-top exercises to
validate plans and rehearse the BCP with key staff, and live exercises such as a fire evacuation
(“Business continuity management,” n.d.). What about the difference between the private sector and
the public sector?
All organizations, no matter what sector they fall under, are at risk of an incident causing a
disruption in service. A disruption could be simply a small inconvenience that only lasts for a short
period of time, or it could be something massive enough to bring the organization crumbling down
altogether. The differences between the public sector and the private sector vary depending on the
situation. For instance, in accounting in the private sector, financial managers and accountants must
comply with the Generally Accepted Accounting Principles (GAAP) methodology for accounting,
while in the public sector financial managers may use these methods but are not necessarily bound
by accrual accounting methods (Lewis, 2014).
Additionally, when it comes to profits, those in the private sector are motivated to maintain a
bottom line, while the public sector is more concerned with completing tasks and not with maintaining a
specific margin of profit. Each side has a negative perception of the other: the private sector views
the public sector as overstaffed, overpaid, over-pensioned, and grossly inefficient; meanwhile, the
public sector sees the private sector as ruthless, uncaring, overpaid, and caring only about how much
money it can make rather than about people (Wright, 2011, p. 402).
There are many companies that can do the work for an organization and be hired to perform a
BIA. Three of those companies are Avalution Consultants, Ongoing Operations, and iCi Digital.
Avalution Consulting is one of the most prominent providers of business continuity and IT disaster
recovery consulting, outsourcing, and software solutions to both the public and private sectors.
According to their website, their reasons for conducting a BIA are to enable the proper money to be
allocated to business continuity strategies and capabilities, to have a clear, unified understanding of
external stakeholder business continuity requirements, to confirm or modify the business continuity
program scope, and to be leveraged as a method to start the data collection process for business
continuity plans (Rupert, 2014). Business continuity and IT disaster recovery are the only things that
Avalution Consultants does, and it would be a great company to consult when looking for outside help.
Ongoing Operations has business continuity solutions intended for financial institutions that
require exceptional security and dependability. Additionally, Ongoing Operations offers a cloud
support team consisting of highly trained technicians in the U.S. iCi Digital has decades of
experience working with enterprise technologies and offers strategic assessments to some of the
leading multifaceted organizations across the globe. Each offers its own benefits, and no matter
which one is chosen, an organization can rest assured that it is getting a well-respected and
experienced company. What are some of the software tools that can be used when conducting a
BIA?
When an organization does not want a third party to perform its assessment and decides to
perform the BIA internally, there are a number of tools that can be used to assist the BIA team.
Some vendors will include spreadsheet formats, document templates, etc. Deciding which format of
spreadsheets or documents works best for the organization is the first step in deciding
which vendor will be chosen. Talend Enterprise Data Integration is built on open standards with
over 800 connectors and components, offers swift integration and better collaboration than ever before,
and is the “only integration platform natively optimized to deliver the highest performance”
(“Talend*,” 2014).
Another reputable BIA software tool is BIA Professional from SunGard, which can be used as
a standalone application or ported into SunGard’s Continuity Management Solution platform to
formulate an organization’s plans. Furthermore, BIA Professional streamlines the survey process in
the following ways: question sequencing to prompt survey respondents to answer only the questions
relevant to their duties, question validation to direct respondents to provide the most needed
responses, a question library to manage questions for future use and reference, and a web-based
interface for respondents that provides instant feedback when data is unanswered or answered
incorrectly (“Sungard bia,” 2011).
Business continuity best practices can be carried out in many different ways. There is no
single way that is going to guarantee the continuity of business operations, and in fact the plan should
constantly be updated to account for necessary changes, new regulations and policies, and new
risks. There are, however, some measures that may be taken to assure that everything possible is being
done to keep the organization’s disaster recovery planning up to date. Some of the best practices
that will ensure this are: adopting a systematic approach to risk tracking, outlining the critical actions
necessary if an incident affects the company or its partners, understanding how susceptible the
organization is to disasters, conducting a BIA that addresses any gaps within the recovery plan, and
integrating business continuity with other areas such as emergency preparedness, crisis management,
and incident response (Redmond & Sinha, 2014). The best course of action is to combine all of
those elements into one common view of governance, risk, and compliance management, which will
make the disaster recovery plan more successful for the entire organization.
Now, knowing everything from the benefits and importance of a BIA to how one is performed
and all the way to the best practices, it is time to illustrate what the future holds for the BIA in
relation to business continuity planning. The future of the BIA is contingent upon a unified and
comprehensive approach to government and business protection. In other words, it is going to have
to coincide with similar disciplines such as physical and information security, facilities and emergency
management, and homeland security. As a matter of fact, according to Kirvan, “It must earn the
respect and acceptance of business and government leadership, the same as other professions like
engineering and accounting” (2014). Failure to do so will risk the continued growth of business
continuity planning and, more specifically, the business impact analysis aspect of it.
Performing a BIA can have both negative and positive effects on an organization. Its results can
help an organization by detailing the most critical elements of the business, and by quantifying
the financial impact that losing those elements would have on the company. Whether it is for a
small to medium-sized business or a large corporation, a BIA is an integral part of business
continuity planning, as it shows the executives within the organization which aspects are the most
important to the business and does so by putting a dollar value on their loss.
Whether an organization decides to use a company to perform its BIA (such as Avalution
Consultants) or decides to hire its own BIA team, the bottom line is that following the best
practices illustrated above will ensure that the organization will be able to recover its business
operations no matter the circumstances. Furthermore, the BIA will provide the business with ways to
increase cost-effectiveness. This makes the need for a BIA clearer to executives within the
organization who may not value business continuity over other areas.
References
Business continuity management for small to medium-sized businesses. (n.d.). Retrieved from
http://www.normit.org/documents/Business Continuity Plan.pdf
Business impact analysis. (2014, January 29). Retrieved from
http://www.ready.gov/business-impact-analysis
Gibson, D. (2010). Managing risk in information systems. Sudbury, MA: Jones & Bartlett
Learning. ISBN-13: 978-0-7637-9187-2, ISBN-10: 0763791873
Hartwell, C. (2012, August 28). The effects of 9/11 & Katrina on hospital preparedness.
Retrieved from
http://www.continuityinsights.com/articles/2012/08/effects-9/11-katrina-hospital-preparedness
Hogan, M. K. (2014). What are the 5 elements of a business impact analysis? Retrieved from
http://smallbusiness.chron.com/5-elements-business-impact-analysis-44844.html
Kim, D., & Solomon, M. (2012). Fundamentals of information system security. Information
Systems & Security Series. Sudbury, MA: Jones & Bartlett Learning.
Kirvan, P. (2014, January 03). Business continuity: Business continuity, a history of challenges.
Retrieved from http://survivalinsights.com/modules.php?name=News&file=article&sid=6
Lewis, J. (2014). What are the fundamental differences between public and private sector
financial management? Retrieved from
http://smallbusiness.chron.com/fundamental-differences-between-public-private-sector-financial-management-37395.html
Plain English ISO 22301 2012 business continuity definitions. (2014). Retrieved from
http://www.praxiom.com/iso-22301-definitions.htm
Redmond, M., & Sinha, S. (2014, August 19). Planning for resilience: Best practices for
developing reliable disaster recovery plans. Retrieved from
http://www.continuityinsights.com/articles/2014/08/planning-resilience-best-practices-developing-reliable-disaster-recovery-plans
Rupert, J. (2014, March 10). Establishing the business case for the business impact analysis.
Retrieved from
http://perspectives.avalution.com/2014/establishing-the-business-case-for-the-business-impact-analysis/
Shannon, H. F. (2010, April 30). The importance of business impact analysis. Retrieved from
http://www.slideshare.net/Timothy212/the-importance-of-business-impact-analysis
Sungard bia professional. (2011). Retrieved from
http://www.sungardas.com/Documents/bia-professional-SEL-111.pdf
Talend*. (2014). Retrieved from
http://www.talend.com/landing-trial/enterprise-big-data?device=c&utm_source=google&utm_medium=cpc&utm_campaign=TLD:Brand Search:NA&src=GoogleAdwordsOD_US&kid=null&utm_term=talend&utm_content=talend - phrase&lang=en
Thomasson, W. (2014). The evolution of business continuity and disaster recovery. Secondary
Marketing Executive, 28(4). Retrieved from
http://www.mortgageorb.com/issues/SME1403/FEAT_03_The-Evolution-Of-Business-Continuity-And-Disaster-Recovery.html
Wallace, M., & Webber, L. (2011). The disaster recovery handbook: A step-by-step plan to
ensure business continuity and protect vital operations, facilities, and assets (2nd ed.).
New York, NY: AMACOM.
Wright, T. (2011). Can business impact analysis play a meaningful role in planning a cost-saving
programme? Journal of Business Continuity & Emergency Planning, 5(1), 400-408.