BIA - Business Impact Analysis

Resources - the oxygen of your company

"Humans can survive without food for about 40 days, without drinking for almost five days, and without oxygen for only a few minutes. If there is no oxygen supply to the brain, dizziness and increasing loss of consciousness occur after just a few seconds, and permanent brain damage after four minutes." (Dr. Hans Morschitzky).

How long can your company survive if a time-critical process fails for ten minutes, an hour or even three days due to a serious event?

At what point does your company lack vital oxygen?
The answer is provided by a Business Impact Analysis (BIA). By compiling qualified information on business processes and collecting further core information, it is a suitable instrument for determining (potential) impacts on business processes, their interactions and their restart times after serious events. It determines which business processes and resources are needed to ensure the survival of your company.

In addition to documenting impacts on business activities, services and products, the BIA determines key figures and target values for business continuity, which serve as the basis for contingency planning. The Recovery Time Objective (RTO), for example, defines the target time for the resumption of business processes or other service provision. The Maximum Tolerable Period of Disruption (MTPD), on the other hand, determines the maximum permissible duration of a failure. In addition, internal and external dependencies are recorded.

When the structure of business activities changes significantly, for example through the introduction of a new product or manufacturing process or a change of location, the BIA is a helpful tool for weighing up unusual events and, if necessary, limiting their negative effects. In this way, a high level of resilience of your company is ensured even in the case of major changes.

When carrying out a business impact analysis, we are guided by three essential steps:

1. Determine the prerequisites for conducting a business impact analysis (BIA)
2. Conducting the Business Impact Analysis (BIA)
3. Cyclical updating of the Business Impact Analysis (BIA)

Prerequisite for conducting a BIA

A promising BIA is an important part of Business Continuity Management and involves considerable effort throughout the entire process. However, time and capacity are well invested in preparation. Carefully chosen parameters that are defined according to needs and described precisely, as well as meaningful damage criteria (e.g. financial, reputational, regulatory and operational) are a good basis. The involvement of further experts and the use of specialised software tools ensure a high quality of the BIA result.

In preparation for the interviews to be conducted with the business departments in the context of the BIA, documentation and information from thematically related areas such as IT, risk and supply chain management should be consulted. In this way, a considerable reduction in the burden of collecting the required data can be ensured and multiple data collection can be avoided. The use of different methods for data collection in the departments, such as workshops, questionnaires and interviews, clarifies the steps of BCM and thus ensures transparency. The purpose and objective of a BIA are also made clear.

A clearly defined scope set by management, the so-called BIA scope, is very time-consuming to determine in advance, but guarantees the focus on critical business processes and consequently leads to generally less survey effort. The definition of the BIA scope can also be based on the products or services, irrespective of the business processes. The products and services to be prioritised are those that must be operated or delivered in an emergency because they generate a high sales volume. Time-sensitive customer segments must be considered separately here.

Conducting the Business Impact Analysis

At the beginning of the business impact analysis, its scope is defined. This clarifies which organisational units and business processes are considered particularly time-critical and which can be neglected in an emergency. Some areas of the company do not need to be considered in the BIA due to their small size or low relevance. Although the different components of the enterprise are all interdependent, some processes are more likely to be neglected or dispensable in an emergency operation than others. For the maintenance of the company in an emergency operation, the focus is therefore primarily on the time-critical core processes.

The scope (products or services) to be taken into account is determined by the management in the context of a strategic BIA in accordance with ISO Standard 22317. The time-critical processes required for the provision of products and services and their process dependencies, measures and restart requirements are identified in the tactical BIA.

The operational BIA is used to determine the resource requirements. These include, for example:

  • Number of required emergency workstations
  • IT applications with restart parameters
  • Service providers
  • Personnel resources
  • Skills and permissions
  • Individual data processing and physical documentation
  • Infrastructure - technical equipment and materials

This is followed by the conceptualisation phase for the BIA. In this phase, the impact categories, the scope of resources, the period of consideration and the business process levels are defined. Existing resource catalogues, such as the IT service catalogue, or lists of service providers can be used.

In this step, the appropriate scope and methodology for data collection in the departments are selected. The definition of responsibilities as well as the designation of process owners and their information are of particular importance. The designated process owners have the task of fully enabling data collection with the help of subject matter experts from their business areas.

A BIA questionnaire prepared by BCM and individually tailored to the needs of the company is used to analyse the status quo in a workshop or interview with the business unit. The structure and content of the questionnaire should focus on the monetary and non-monetary relevance of the business processes under consideration. During the BIA interview, special care should be taken to ensure that the participants are aware that an extraordinary event is being analysed from the perspective of a worst case for the business activities of the department.

Once all the information has been gathered conclusively, the testing can begin. Here, the special requirements for emergency operation crystallise and are documented. In the subsequent quality assurance by the BC manager, the BIA questionnaire is checked for completeness and for the comprehensibility of the department's assessments, and cross-cutting issues, such as the inheritance of restart times to upstream processes, are consolidated. The BIA shows how high the criticality and recovery time of the resources of the time-critical business processes are. The results are presented to management for approval in the form of a BIA report.

The BIA result brings together the know-how of the different departments in a well-structured BIA process and shows their results. The collected data from the IT service catalogue, for example, can be compared with the IT application and individual data processing surveys from the BIA and better assigned to the business processes. These specific IT requirements are then, after consolidation, passed on to IT Service Continuity Management. The ITSCM lifecycle is then started there. In this way, existing dependencies on service providers and physical documentation can be identified and are transparent for BCM and management with the help of the BIA. This provides starting points for efficient interface management and the use of synergy effects.

The BIA reveals the target state of the restart times of time-critical resources. This is followed by an assessment of the available solution options and risk-minimising measures. These are presented in a solution concept.

Cyclical update of the BIA

The first professional BIA involves a lot of effort. The detailed collection of data, good preparation and the linking of interfaces and other information carriers are the foundation for a promising implementation.

For subsequent BIAs, existing results can be built on or linked to in order to determine an updated result. Consequently, the process does not have to be repeated in its entirety for each audit; it is sufficient to thoroughly review the critical business processes affected by an organisational development and to compare others with the previous results on a sample basis. The affected department should always be closely involved. The updating effort decreases, saving time and capacity in the following years.

Conclusion

With a well-conducted business impact analysis, you will always know when and how much "oxygen", "water" and "food" you need for the functioning of your business.

A well-prepared and professionally conducted BIA, which is regularly adapted to changing framework conditions, creates reliable transparency for your company management and the departments. The insights gained about time-critical business processes, their vulnerabilities and possible measures to increase resilience represent a significant added value of the BIA. Since relevant factors in the company can change over time, a cyclical or ad hoc update is necessary.

This way you always have an overview of how long your company can exist without its oxygen. So: How long will you survive?