By a Business Continuity Plan (BCP), we mean: All procedures and action plans which, in the case of an incident, allow the activity to be continued, possibly under "business recovery management" conditions, and then resumed in a planned manner. When drawing up a BCP, the main concern is that it must be practical and operational. Authorized personnel must have easy access to business recovery information when an incident occurs to mobilize incident management resources in place.
The Business Continuity Plan (BCP) must ensure that, in the event of unforeseen occurrences disrupting work activities, business operations may continue in a normal or minimally disrupted manner, and risks and damages can be mitigated. A Business Continuity Plan (BCP) aims to document the solutions that ensure Business Continuity for one or more activities. At the same time, the BCP provides crisis management principles for a variety of significant crises that have been identified.
Business impact analysis (BIA) is one component of the BCP. The BIA is an analytical process used to assess the consequences of an incident and the change over time of the quantitative (financial) impact and the qualitative (non-financial) impact resulting from the interruption of activity. The results of the BIA are necessary to define the Business Continuity Strategy. It is essential to consider interdependencies between systems, business processes, and Group entities. The BIA's purpose is to correlate the system with the critical mission/business processes and services provided. Based on that information, characterize the consequences of a disruption.
The key concept introduced by the BIA is time. To make analysis results comparable between all Group's entities in the Enterprise group, all or part of the points on the timescale and the criteria below must be commonly shared (H=Hours, D=Day, WK=Week).
For example, in the above, the time scale is based on the proposed ten points. It is possible to use a smaller scale, selecting from the ten reference points shown above. In this case, we consider that:
The points on the time scale are chosen according to:
Five impact categories make up the reference categories for conducting the BIA: the financial impact, regulatory impact, legal or judicial impact, impact on image or reputation, impact on other activities
All financial losses are borne by the entity resulting directly from its inability to manage its risks (operational, counterparty, market, liquidity, etc.), following disruption to an activity; either from loss of income (unrealized turnover), or from definitive loss of opportunity (a transaction that could have taken place if the activity had not been interrupted following the incident).
Consequences of the inability to meet regulatory obligations.
Consequences of the inability to meet legal obligations or honour contractual commitments.
Damage caused to the credibility of the entity or the Group in relation to its clients, investors, shareholders, employees, rating agencies, or the media, potentially leading to loss of opportunity
Risk of the impact being extended to other activities. This type of impact is related to interdependencies between various activities (internally or externally – systemic risk).
The five impact categories must be reviewed. If one of the impact categories is not
quantifiable or qualifiable for the analyzed activity, then the level "Low/Not applicable" will be applied to all points on the time scale.
The development of each category of impact is assessed on a scale of four levels. Each entity defines a relevant scale concerning financial impacts, allowing it to consistently and coherently determine its potential financial losses. These losses are expressed:
The reference scale indicating the loss thresholds is defined at the level of each entity. This is the scale that will be used to define objectives and decide on the priorities for recovery.
The tables below detail, for each category, the four corresponding levels of impact.
It is now possible to proceed with the BIA based on the time scale, the categories, and the impact levels. For each activity, a complete table specifying the levels of impact (Very High, High, Medium, Low/Not Applicable) on each point on the time scale and for each category of impact:
For example - Business Impact Analysis for activity Z. In this example, the BIA shows:
Business impact analysis (BIA) refers to a document that identifies present organizational risks and determines the impact of ongoing, business-critical operations if such risks actualize. The BIA tries to measure the potential loss and escalating losses over time to provide Management, Board Directors, and Shareholders with reliable data to identify critical services and sufficient data for decision making. The BIA will help you understand what will happen to your organization if you lose your data, permanently or even temporarily. Would you go out of business for a few days? Would you be able to function at all? You should implement your enterprise security based on that knowledge with all this in mind.
Have a question about something in this article? You can receive help directly from the article author. Sign up for a free trial to get started.