Business Impact Analysis Goals
The purpose of a business impact analysis is to determine what impact a disruptive event would have on a financial institution. As such, a BIA has three primary goals:
There are generally four cyclical steps included in the BIA process:
Gathering Information
The first step of the BIA is to identify which departments and business processes are critical to the recovery of the financial institution. The Business Continuity Planning Committee and/or Coordinator should review organizational charts, observe daily workflow, and interview department managers and employees to identify critical functions and significant interrelationships on an enterprise-wide basis. Information can also be gathered using surveys, questionnaires, and team meetings.
As information is gathered and critical operations are identified, business operations and related interdependencies should be reviewed to establish processing priorities between departments and alternate operating procedures that can be utilized during recovery.
Performing a Vulnerability Assessment
A vulnerability assessment is similar to a risk assessment; however, it focuses solely on providing information that will be used in the business continuity planning process. The goal of the vulnerability assessment is to determine the potential impact of disruptive events on the financial institution's business processes. Financial industry participants should consider the impact of a major disruption since they play a critical role in the financial system. As part of the vulnerability assessment, a loss impact analysis should be conducted that defines loss criteria as either quantitative (financial) or qualitative (operational). For example, quantitative losses may consist of declining revenues, increasing capital expenditures, or personal liability issues. By contrast, qualitative losses may consist of declining market share or loss of public confidence. While performing a vulnerability assessment, critical support areas and related interdependencies (defined as a department or process that must be properly functioning to sustain operations) should be identified to determine the overall impact of a disruptive event. In addition, the personnel, resources, and services required to maintain these support areas must also be identified. Critical support areas and interdependencies should include the following, at a minimum:
The steps needed to perform a vulnerability assessment include the following:
Analyzing the Information
During the analysis phase of the BIA, results of the vulnerability assessment should be analyzed and interpreted to determine the overall impact of various threats on the financial institution. This analysis process should include an estimation of maximum allowable downtime (MAD) that can be tolerated by the financial institution as a result of a disruptive event. MAD estimates that may be used include the following:
Each business function and process should be placed in one of these categories so that management can determine applicable solutions to ensure timely recovery of operations. Management should then determine which business functions represent the highest priority for recovery and establish recovery objectives for these critical operations. The Business Continuity Planning Committee or Coordinator should discuss the impact of all possible disruptive events, instead of focusing on specific events that may never occur. For example, a disruptive event could result in equipment failure, destruction of facilities, data corruption, or the unavailability of personnel, supplies, vendors, or service providers. Once the impact of a disruption is determined, management should estimate MADs.
After completing the data analysis, the results should be reviewed by knowledgeable employees to ensure that the findings are representative of the true risks and ultimate impact faced by the financial institution. If notable gaps are identified, they should be recognized and incorporated into the overall analysis.
Documenting the Results and Presenting the Recommendations
The final step of the BIA involves documenting all of the processes, procedures, analyses, and results. Once the BIA is complete, a report should be presented to the board and senior management identifying critical departments and processes, significant interdependencies, a summary of the vulnerability assessment, and recommended recovery priorities generated from the analysis.