A business impact analysis (BIA) predicts the consequences of disruption of a business function and process and gathers information needed to develop recovery strategies. Potential loss scenarios should be identified during a risk assessment. Operations may also be interrupted by the failure of a supplier of goods or services or delayed deliveries. There are many possible scenarios which should be considered.
Identifying and evaluating the impact of disasters on business provides the basis for investment in recovery strategies as well as investment in prevention and mitigation strategies.
Consider the Impact
The BIA should identify the operational and financial impacts resulting from the disruption of business functions and processes. Impacts to consider include:
- Lost sales and income
- Delayed sales or income
- Increased expenses (e.g., overtime labor, outsourcing, expediting costs, etc.)
- Regulatory fines
- Contractual penalties or loss of contractual bonuses
- Customer dissatisfaction or defection
- Delay of new business plans
Timing and Duration of Disruption
The point in time when a business function or process is disrupted can have a significant bearing on the loss sustained. A store damaged in the weeks prior to the holiday shopping season may lose a substantial amount of its yearly sales. A power outage lasting a few minutes would be a minor inconvenience for most businesses but one lasting for hours could result in significant business losses. A short duration disruption of production may be overcome by shipping finished goods from a warehouse but disruption of a product in high demand could have a significant impact.
Conducting the BIA
Use a BIA questionnaire to survey managers and others within the business. Survey those with detailed knowledge of how the business manufactures its products or provides its services. Ask them to identify the potential impacts if the business function or process that they are responsible for is interrupted. The BIA should also identify the critical business processes and resources needed for the business to continue to function at different levels.
The BIA report should document the potential impacts resulting from disruption of business functions and processes. Scenarios resulting in significant business interruption should be assessed in terms of financial impact, if possible. These costs should be compared with the costs for possible recovery strategies.
The BIA report should prioritize the order of events for restoration of the business. Business processes with the greatest operational and financial impacts should be restored first.
Next steps: Business Continuity Plan and Information Technology Disaster Recovery Plan
Business Disruption Scenarios
- Physical damage to a building buildings
- Damage to or breakdown of machinery, systems or equipment
- Restricted access to a site or building
- Interruption of the supply chain including failure of a supplier or disruption of transportation of goods from the supplier.
- Utility outage (e.g., electrical power outage)
- Damage to, loss or corruption of information technology including voice and data communications, servers, computers, operating systems, applications, and data
- Absenteeism of essential employees
1-Critical Impact/System Down (Severity One)
Production application down or major malfunction resulting in a product inoperative condition. Users unable to reasonably perform their normal functions. The specific functionality is mission critical to the business and the situation is considered an emergency.
2-Significant Impact (Severity Two)
Critical loss of application functionality or performance resulting in high number of users unable to perform their normal functions. Major feature/product failure; inconvenient workaround or no workaround exists. The program is usable but severely limited.
3-Normal/Minor impact (Severity Three)
Moderate loss of application functionality or performance resulting in multiple users impacted in their normal functions. Minor feature/product failure, convenient workaround exists/minor performance degradation/not impacting production.
4-Low/Informational (Severity Four)
Minor loss of application functionality, product feature requests, how-to questions. The issue consists of “how-to” questions including issues related to one or multiple modules and integration, installation and configuration inquiries, enhancement requests, or documentation questions.