Best Practice Principles for Business Impact Analysis

madunixExecutive IT Director
CERTIFIED EXPERT
I know some stuff, and I do some things.
Published:
Edited by: David Draper
The outline of this article is to help readers understand analyzing impact over time in an Enterprise group. The impact analysis of a disruption to the activity over time, commonly known as the Business Impact Analysis. The BIA is an essential source for determining resiliency and contingency plan.

Introduction:



By a Business Continuity Plan (BCP), we mean: All procedures and action plans which, in the case of an incident, allow the activity to be continued, possibly under "business recovery management" conditions, and then resumed in a planned manner. When drawing up a BCP, the main concern is that it must be practical and operational. Authorized personnel must have easy access to business recovery information when an incident occurs to mobilize incident management resources in place.


The Business Continuity Plan (BCP) must ensure that, in the event of unforeseen occurrences disrupting work activities, business operations may continue in a normal or minimally disrupted manner, and risks and damages can be mitigated. A Business Continuity Plan (BCP) aims to document the solutions that ensure Business Continuity for one or more activities. At the same time, the BCP provides crisis management principles for a variety of significant crises that have been identified.

 

Business impact analysis (BIA) is one component of the BCP. The BIA is an analytical process used to assess the consequences of an incident and the change over time of the quantitative (financial) impact and the qualitative (non-financial) impact resulting from the interruption of activity. The results of the BIA are necessary to define the Business Continuity Strategy. It is essential to consider interdependencies between systems, business processes, and Group entities. The BIA's purpose is to correlate the system with the critical mission/business processes and services provided. Based on that information, characterize the consequences of a disruption. 



 

Time scale:


The key concept introduced by the BIA is time. To make analysis results comparable between all Group's entities in the Enterprise group, all or part of the points on the timescale and the criteria below must be commonly shared (H=Hours, D=Day, WK=Week).

 

 

 

For example, in the above, the time scale is based on the proposed ten points. It is possible to use a smaller scale, selecting from the ten reference points shown above. In this case, we consider that:

  • the impact is nil below the first point on the time scale, and
  • the level of impact is constant beyond the last point on the time scale.

 

The points on the time scale are chosen according to:

  • imperatives for resumption defined by the regulators (in local and internationally),
  • best industry practices and
  • based on Information System switchover and provision of recovery solutions.



Example:
For a scale with 4 points: [H+2; H+4; D+1; D+1week]; When the change to the impact over time has been assessed, we can deduce that below the first point (H+2) on this scale, there is minimum impact (therefore, in the example, impact at H "low/non-applicable") and that beyond the last point (D+1week), the level of impact is constant (therefore, in the example, the impact at D+3weeks would be approximately identical to the level of impact at D+1week.


Impact categories:


Five impact categories make up the reference categories for conducting the BIA: the financial impact, regulatory impact, legal or judicial impact, impact on image or reputation, impact on other activities

 

  • Financial impact:

All financial losses are borne by the entity resulting directly from its inability to manage its risks (operational, counterparty, market, liquidity, etc.), following disruption to an activity; either from loss of income (unrealized turnover), or from definitive loss of opportunity (a transaction that could have taken place if the activity had not been interrupted following the incident).

 

  • Regulatory impact

Consequences of the inability to meet regulatory obligations.

 

  • Legal/judicial impact

Consequences of the inability to meet legal obligations or honour contractual commitments.

 

  • Impact on image/reputation

Damage caused to the credibility of the entity or the Group in relation to its clients, investors, shareholders, employees, rating agencies, or the media, potentially leading to loss of opportunity

 

  • Impact on other activities

Risk of the impact being extended to other activities. This type of impact is related to interdependencies between various activities (internally or externally – systemic risk).




 

Measurement scales:


The five impact categories must be reviewed. If one of the impact categories is not

quantifiable or qualifiable for the analyzed activity, then the level "Low/Not applicable" will be applied to all points on the time scale.

 

The development of each category of impact is assessed on a scale of four levels. Each entity defines a relevant scale concerning financial impacts, allowing it to consistently and coherently determine its potential financial losses. These losses are expressed:

  • either in currencies based on the accounting data for the activity studied,
  • or via risk indicators (e.g., using value at risk (VAR)).

 

The reference scale indicating the loss thresholds is defined at the level of each entity. This is the scale that will be used to define objectives and decide on the priorities for recovery.

 

The tables below detail, for each category, the four corresponding levels of impact.

 

 

 

 

 

 

It is now possible to proceed with the BIA based on the time scale, the categories, and the impact levels. For each activity, a complete table specifying the levels of impact (Very High, High, Medium, Low/Not Applicable) on each point on the time scale and for each category of impact:

 

 

For example - Business Impact Analysis for activity Z. In this example, the BIA shows:

  • The first impact category that reaches a maximum level of impact ("Very high") is the category "Financial impact".
  • The interruption of activity Z has no legal impact and does not impact downstream or client’s activities.

 


 

Conclusion:


Business impact analysis (BIA) refers to a document that identifies present organizational risks and determines the impact of ongoing, business-critical operations if such risks actualize. The BIA tries to measure the potential loss and escalating losses over time to provide Management, Board Directors, and Shareholders with reliable data to identify critical services and sufficient data for decision making. The BIA will help you understand what will happen to your organization if you lose your data, permanently or even temporarily. Would you go out of business for a few days? Would you be able to function at all? You should implement your enterprise security based on that knowledge with all this in mind. 

 

 

References:

https://www.experts-exchange.com/articles/34731/The-Importance-Of-Business-Continuity-Planning.html

https://www.experts-exchange.com/articles/34871/Benefits-of-Business-Continuity-Testing.html

https://www.experts-exchange.com/articles/33973/Introduction-to-Business-Continuity-Management-BCM.html

https://www.experts-exchange.com/articles/33009/Disaster-Recovery-Solution-Design.html

https://www.experts-exchange.com/articles/36691/IT-Risk-Management.html

https://csrc.nist.gov/glossary/term/business_continuity_plan

 

1
80 Views
madunixExecutive IT Director
CERTIFIED EXPERT
I know some stuff, and I do some things.

Comments (0)

Have a question about something in this article? You can receive help directly from the article author. Sign up for a free trial to get started.

Get access with a 7-day free trial.
You Belong in the World's Smartest IT Community