Risk is not optional and is an inevitable part of business growth. Every organisation must deal with change and shifting priorities, and therefore will confront risks at some point in the future. Yet, many organisations do not pursue “best practice” and fail to realise the most value from their efforts. A topic of growing importance for enterprise architects is the use of a Business Impact Analysis.
As your business grows, potential business disruptions will increase in both frequency and harm potential. It is not possible to foresee every risk, but the way an organisation chooses to navigate transformation as its industry evolves and new initiatives arise can make all the difference to business survival. Nonetheless, a Business Impact Analysis can help you plan for and mitigate the potential impact of unforeseen events threatening your organisation.
So, how does a Business Impact Analysis functionally serve your business? It presents a clear picture of the impact a crisis will have on your organisation’s day-to-day business processes, provides clarity into departmental processes, and gives an overview of how these processes interact. This provides business intelligence insights into the processes most vital for keeping your organisation operational (should disaster strike) and helps you quickly implement recovery strategies.
3 key components of the Business Impact Analysis
Disruptions can come in many forms. Most disruptions are unexpected or out of your control, but when an emergency arises your organisation must be prepared for it. As a critical component of the foundation of a Business Continuity Plan, a Business Impact Analysis is an all-important preliminary step and is comprised of three (3) key components.
1. Business Impact
Determine the most critical business functions based on cost to your organisation
A Business Impact Analysis determines an organisation’s most important functions: its comprehensive set of business processes, the resources needed to execute these processes, and the IT systems required. The potential ($) cost of a disruption to each business function can then be measured, such as loss of revenue, regulatory compliance penalties, contractual penalties due to missing Service-Level Agreements (SLAs), and increased operational costs.
To assess the financial impact on the organisation, one (1) approach is to use a Questionnaire with an Answers rating scale (from 1 to 5). For example:
- What is the value of the potential loss in revenue if this business function was inoperable?
- What fines and penalties would the organisation incur?
- What increase in operating costs would the organisation experience?
But there could also be other costs (not only $) to the business. These include reputation damage and loss of goodwill. Your Questionnaire could also include:
- What would be the potential damage to the business’ reputation?
- What would be the impact on customer service?
- How to identify potential threats to these functions?
Once your Business Impact Analysis identifies the critical business functions, it also determines the risks associated with them, the conditions that may trigger a business process outage, and the probability of the same risk recurring.
2. Timeframes
Measurement of the three (3) timeframes that must be addressed
Recovery Point Objective (RPO)
- The maximum acceptable amount of data loss after an unplanned data-loss incident, expressed as an amount of time.
Recovery Time Objective (RTO)
- The maximum acceptable amount of time for restoring a network or application and regaining access to data (recovery from backup) after an unplanned disruption.
Maximum Allowable Downtime (MAD)
- The absolute longest amount of downtime an organisation can tolerate before facing serious repercussions, including loss of business or reputational damage.
3. Dependencies
Determine the critical priority of your recovery process
A Business Impact Analysis should determine the dependencies and relationship between business processes and IT systems. This helps prioritise the systems that need recovery first and the order in which lost functions or processes must be restored. Put simply, this means that an internal business function that has more processes relying on its capacity to be operational will always have a higher priority in the recovery process (than other functions).
There are also inter-dependencies with certain vendors that will need to be engaged to restore various systems and functions; these should be documented in your Business Impact Analysis.
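The prioritisation rule described above can be worked through on a small dependency map. This is an added example, not part of the original article; the function names and the sample inventory are constructed, and counting indirect as well as direct dependents is an assumption about how "more processes relying on it" is measured.

```python
from collections import defaultdict

# Constructed sample (hypothetical names): function -> functions it depends on.
DEPENDS_ON = {
    "identity_service": [],
    "database": ["identity_service"],
    "order_processing": ["database", "identity_service"],
    "customer_portal": ["order_processing", "identity_service"],
    "reporting": ["database"],
}

def transitive_dependents(depends_on):
    """Map each function to everything that relies on it, directly or indirectly."""
    direct = defaultdict(set)
    for fn, deps in depends_on.items():
        for dep in deps:
            direct[dep].add(fn)
    result = {}
    for fn in depends_on:
        seen, stack = set(), [fn]
        while stack:
            for child in direct[stack.pop()]:
                if child not in seen:
                    seen.add(child)
                    stack.append(child)
        result[fn] = seen
    return result

def recovery_order(depends_on):
    """Restore prerequisites first; among restorable functions, pick the one
    with the most dependents (ties broken by name for a stable plan)."""
    dependents = transitive_dependents(depends_on)
    restored, order, pending = set(), [], set(depends_on)
    while pending:
        ready = [f for f in pending if set(depends_on[f]) <= restored]
        if not ready:
            # A cycle, or a dependency missing from the BIA inventory.
            raise ValueError(f"unresolvable dependencies: {sorted(pending)}")
        nxt = min(ready, key=lambda f: (-len(dependents[f]), f))
        order.append(nxt)
        restored.add(nxt)
        pending.discard(nxt)
    return order

if __name__ == "__main__":
    for rank, fn in enumerate(recovery_order(DEPENDS_ON), start=1):
        print(rank, fn)
```

The `ValueError` path is useful in its own right: it surfaces dependencies, including vendor-provided ones, that were never recorded in the inventory.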
What are the 4 types of Business Impact Analysis?
When implemented correctly, a Business Impact Analysis can be a powerful Risk Management tool, helping businesses control the impact of the disruption.
Due to the complexity and breadth of the information that goes into conducting a Business Impact Analysis, there is a requirement to plan at different levels within the business. The types of impact analysis can be categorised under the following four (4) types:
1. Initial Analysis
- This high-level analysis is critically important since it helps set the foundation for more comprehensive analyses in the future.
2. Product Analysis
- This type of Business Impact Analysis focuses on identifying the organisation’s products and services and in particular, their vulnerability to disruption.
3. Process Analysis
- This type of Business Impact Analysis focuses on the business processes, workflows, and systems that support the creation (and delivery) of the organisation’s products and services.
4. Activity Analysis
- This type of Business Impact Analysis provides a granular Risk Assessment of the activities required to provide products and services to the organisation’s customers.
Why is there a key relationship between Business Impact Analysis and Business Forecasting?
In many ways, a Business Impact Analysis and a Business Forecast share similar goals and objectives.
Both methods attempt to predict specific future outcomes but based on different variables within and outside the organisation. However, the integration of risk and impact assessments into business forecasting and planning has allowed organisations to have a transparent evaluation of disruptive events – helping to create forecasts that consider the volatile conditions organisations can find themselves in (at any given point in time).
The use of Business Impact Analysis makes it possible for organisations to go beyond simply predicting budgets, sales, and inventory based on historical performance (and future conditions). Now, Executive Management Teams can also take the necessary steps to ensure that, even if a disruptive event happens, the business is still operating efficiently for previous forecasts to be reliable.
Business Impact Analysis vs. Business Risk Assessment
A Risk Assessment analyses potential threats and the likelihood of potential business risks. The focus is on assessing the severity of risks, prioritising the identified risks, and then creating mitigation strategies to solve them.
A Business Impact Analysis measures the severity of those threats and how they would affect business operations and the financial implications. It is essentially an extension of a Risk Assessment Report, but more specific, as it focuses on the Business Continuity requirements by identifying potential risks and resource availability, and by measuring the impact of a business disruption.
Business Impact Analysis vs. Project Risk Management
Project Risk Management is focused on predicting and responding to roadblocks within a specific project. It is the process of identifying, analysing, and responding to potential project risks that could cause failure by delaying the project timeline, overloading your project budget, impacting project resources, or reducing performance.
A Business Impact Analysis is broader in scope and doesn’t focus on a single project, but rather the overarching business functions and processes of an organisation.
Business Impact Analysis vs. Business Continuity Planning
Business Impact Analysis is a component of business continuity planning because it provides important data metrics for a Business Continuity Plan. It is conducted to determine the most critical business processes, the impact of business disruption to these same processes, and the resources needed to restore them, and to reduce the overall disruption to business operations.
These are all fundamental variables to factor in when creating a Business Continuity Plan, which determines the course of action to be taken to ensure that an organisation will be able to recover from a business disruption.
Business Impact Analysis vs. Disaster Recovery Planning
Whilst there are similarities to the relationship between Business Impact Analysis and business continuity planning, the Business Impact Analysis is a useful management tool when creating a Disaster Recovery Plan.
The Business Impact Analysis identifies failure modes and the costs (operational and financial) associated with them. The information obtained from the Business Impact Analysis report is then used to provide input and context to create your Disaster Recovery Plan.
Summary
Gaining business intelligence insights into – What’s next? – for your business plays a role in organisational accountability and reduces the risks that can impact your security, reputation, operations, and financial health.
No matter what type of event (planned or unexpected) an organisation is preparing for, the Business Impact Analysis is one of the most crucial components when conducting Risk Assessment and an important piece of any Business Continuity Plan. Your organisation’s ability to recover from a disruption event – e.g., a cyber security breach, IT outage, natural disaster, or public relations issue – will either preserve or harm your business reputation, and the analysis allows you to answer the following questions:
- “What does Business Impact Analysis stand for when it comes to measuring the financial impact of a change?”
- “How can we make our organisation as resilient as possible against a variety of impact types?”
Nevertheless, the basis of Change Management is to take pre-emptive action to reduce the damage associated with a crisis. Adapting to changing framework conditions creates reliable transparency for your Executive Management Team into the insights gained about time-critical business processes, their vulnerabilities, and possible measures to increase resilience by implementing a broader Risk Management strategy.