Business impact analysis is one of the most critical activities in the business continuity process. It identifies the various consequences (primarily in terms of economics, oversight, and reputation) related to the workflow’s disruption resulting from an internal or external event.

This activity aims to identify and evaluate business processes related to business continuity and assess the effects of scenarios that may threaten the ordinary course of business.

Join us to get acquainted with the steps of BIA and how to do it thoroughly.

What is Business impact analysis_

What is Business impact analysis?

Continuing the company’s activity and business, in the event of a major disaster or even small events, is a basic need for an organization. Because it reduces the risk of disruption, supports the well-being and safety of employees and the credibility of the organization, and provides the ability to lead and continue core activities.

BIA is a systematic process created to determine and evaluate the potential effects of an interruption in a critical situation. This method can be classified as a qualitative analysis of business processes.

Objectives of business impact analysis

Business impact analysis is an exploratory component to detect any vulnerabilities and is a risk minimization strategy. One of the BIA’s fundamental assumptions is that every element of the organization depends on all other components’ ongoing performance. Still, some of them are more important than others and will require more resources after an accident. For example, a business may continue to operate more or less as usual when the cafeteria closes. But if its information system crashes, it will stop completely.

The BIA report measures the importance of business components and suggests adequate funding to protect them. The likelihood of failures is assessed in terms of their impact on areas such as safety, finance, marketing, business reputation, legal compliance, and quality assurance. For example, a business may need three times more marketing after a disaster to rebuild customer trust. 

Business Continuity Management System: Impact Analysis

Impact analysis is based on a set of information about company processes. Different organizational units intervene in their actual implementation through the implementation of activities under their responsibility.

Each process owner is responsible for conducting business impact analysis and will be responsible for ensuring that the study follows the defined method and that the results are presented uniformly.

Four strategic areas can be identified in the business cycle:

  1. Sales area
  2. Procurement
  3. Operations – Production of goods and services
  4. Administrative and financial

In four major areas, organizational programs are identified, including the company’s management and partners, s well as to validate different levels of risk and business operations.

For example, if administrative activities’ performance may be reduced, production operations should usually be kept constant to ensure the production necessary for continuity.

 Each level will have different approaches to protecting workplace safety.

To analyze the changing scenario we are in, we adapt the budget forecast and reprogram the treasury management.

An organization must be confident and have a plan for continuing its operations in any situation. According to ISO 22301 guidelines, a suitable business continuity procedure should identify potential threats that may affect the company and prevent their potential impact on its operations.

First of all, the right approach is to reduce the risks, prevent accidents from turning into disasters, and create an operational structure that allows the company’s core operations to continue operating in the worst possible conditions.

To do this, the organization must conduct a Business Impact Analysis (BIA) that aims to determine and assess the potential impact on the business of a catastrophic event:

What can happen to a particular production site if, suddenly, that site is not available?

What happens if a company’s strategic supplier fails to deliver materials unexpectedly and without warning?

What happens if the company’s core customer fails or turns to another supplier?

These are all scenarios that could happen daily in the business environment. We can avoid these issues through impact analysis; the primary purpose is to highlight potential vulnerabilities, address them adequately, and Manage and solve them. 

 It is necessary to evaluate the possible strategies adopted to continue the company’s ethical business. First of all, it is essential to outline the following critical processes:

Another critical point is staff training.

Those who need to perform remedial measures must be adequately trained and aware of the necessary actions in an unexpected event. If something does not work during the tests, it can be immediately managed, evaluated, implemented, or corrected.

As a result, essential processes must be identified in this way:

Identify possible alternatives

Define development plans and delegate appropriate powers

Training, appropriately, to personnel who have been identified as potential substitutes for unusable resources.

Provide all the tools of smart work to those in the lead role.

 and again:

Arrange quick staff activation with recruitment agencies.

Make sure people are aware of their roles and responsibilities in emergencies.

Update personnel management policies in an emergency to manage absenteeism, illness, travel, closure of the company structure, and recall personnel from emergency areas.

Permission to work remotely

And evaluate potential alternative sites.

Define communication channels with employees to provide and receive information in an emergency.

Evaluate travel restrictions.

Use appropriate channels (SMS, email, phone, call, schedule, etc.) to prepare and verify employee contacts for use if you need extensive information.

Preparation of video conferencing systems and remote access to systems (Industry 4.0)

Get ready to get back to normal by using the tools used.

Another aspect to consider is the breakdown of logistics chains. Border blockades, strikes, cut-offs can seriously jeopardize logistics chains.

The business impact analysis should thoroughly assess which of the leading supply chains are for business continuity, not only transportation but also primary or secondary warehouses through risk and opportunity management

 with the aim of:

  • Identify alternative but more expensive logistics providers.
  • Modify production plans to manage modified procurement.
  • Evaluate stock buffer properly in warehouses, especially if it is secondary.
  • Continuously monitor the critical situation to act as soon as possible.
  • Evaluate the activation of special transport agents.
  • Limit the geographical density of warehouses at a crucial point through appropriate analysis.

At this stage, all possible steps must be taken to activate a Business Continuity Program (BCP):

  • Activate alternative providers (recognize communication and activation methods).
  • Involve partners to increase stocks near delivery points to activate each secondary warehouse in target markets.
  • Warn logistics officials to commit to essential customers and prevent the scattering of strategic customers.
  • Increase stock buffer in case of early warning of possible crises.
  • Consider the availability of “cash” if public suppliers are activated.
  • Focus on delivering to essential customers as mobility decreases.
  • If different logistics methods may cause a problem, contact the customer in advance.
  • Always assess whether restrictions are being triggered by local or national authorities through ongoing media reviews or contact with local customers or partners when alerted to potential crises.
  • Evaluate alternative routes with suppliers.

Possible steps for the Business Continuity Program:

  • Determining priorities in the production of products and services;
  • Definition of stock buffer for final products, raw materials, vital components when forecasting emergencies;
  • Define plans to move workers and critical machinery to and from other sites.
  • Use different production sites.
  • Schedule to enable backup providers
  • Ensuring the existence of economic resources used immediately in emergencies;
  • Evaluate different powers to employees in the short term

steps for the Business Continuity Program

Check the activation mode

  • Remote control of work and production;
  • Identify the minimum need for human resources and activate appropriate backup;
  • Predefine media communication management guidelines;
  • Predetermine the relevant stakeholders in the emergency communication guidelines;
  • Define production logic (including shifts) in emergencies.

After the emergency, it is necessary to predict the steps to return to normal correctly.

This return is unpredictable, but it could include repairing the pre-emergency situation and consolidating a whole new state of normalcy.

It is not always possible to anticipate what steps to take, but it is essential that, as the crisis draws to a close, appropriate assessments are made to define the next steps and integrate the actions taken.

Finally, it must be remembered that business continuity is an integral part of the broad corporate compatibility that every company must adhere to.

As long as these activities are understood as commitments and are not shared and actively accepted, they remain only on paper.

A more accurate and complete description of the analysis steps is as follows:

Impact analysis is performed through two levels of in-depth research and data collection:

The first level of impact analysis is performed to determine the critical processes of the company. Vital functions are those processes that, if interrupted unexpectedly, will have a severe impact on business operations (analyzed at various intervals). The recovery requirements of these processes in the specified periods and the acceptable level of services are determined in this stage. The priority of emergency recovery processes should also be specified here. As a result, the set of critical levels that the company thinks does not include those that recover in an emergency (risk assumption) should be limited and declared.

The second-level impact analysis is performed on critical processes to the first-level study and can, therefore, be retrieved in an emergency. Operational information should be collected about the company’s operations (recovery requirements) related to the scenarios predicted by the organization. It is used to determine the improvement interventions reflected in the business continuity strategy and design the essential solutions presented in the business continuity plan.

Two tools are used to perform impact analysis:

  1. Matrix for collecting significance analysis data
  2. Questionnaire to collect recovery needs

Business continuity plan impact analysis in Continuity Strategy 

The business continuity strategy, by collecting the data performed in the impact analysis and the possible scenarios identified in the previous phase, determines the system that enables the recovery of vital business processes, minimizing the negative impacts.

The company’s organizational units, which are specifically identified based on the results of impact analysis, have the task of defining continuity strategies with executable support functions.

They should ensure that the proposed solutions are complete and analyze possible synergies that could result from the strategies defined by each performance. Also, cyber and technology scenarios and processes are controlled by IT performance.

This activity includes doing the following:

Continuity strategies for the following types of scenarios:

  • Scenarios are affecting the infrastructure on which the company’s critical operations take place.
  • Scenarios affecting the programs, infrastructure, or equipment or communication lines needed to perform critical operations;
  • IT scenarios that can stop critical operations by affecting one or more types of resources, such as servers (HW), applications (SW), end-user computers, databases, and so on. For example, data availability due to cyber-attacks, malware infection, etc.
  • Scenarios affecting the public, leading to a temporary lack of access or loss of key personnel who support the company’s critical operations;
  • Scenarios are affecting key services/suppliers. As specified incorporate agreements with third parties, in controlling the supplier model and certification policy, the necessary controls must be in place to ensure that all suppliers supporting critical processes are selected.

Selection of sustainability strategies: The strategic options identified in the previous point should be evaluated and selected based on:

  • Efficiency: technical specifications (complete and quality of the solution) and operational characteristics (impact on existing processes and options speed in the recovery process)
  • Residual risk: the level of risk (for the recovery process) resulting from the use of each specified option
  • Investment: The economic impact of option implementation
  • Synergy: Level of compatibility with different evaluated solutions for other recovery elements; This is a fundamental step in creating a global solution to the whole emergency scenario

Procedure

The first step is to have accurate process mapping available, called a processing model. Mapping should describe the sub-processes and actions for each process, and for each sub-process, the process manager should be identified.

Impact analysis must be performed at the sub-process level to achieve the set goals defined as “elements of analysis.”

This method involves conducting business impact analysis at two levels:

Level 1, review of all “elements of analysis” related to the following processes belonging to the process model, with the aim of:

Identify the economic, regulatory, and reputational implications of the complete unavailability of the so-called “analysis” element. Identify “analytics elements” for corporate businesses based on which you perform the in-depth analysis referred to in Level 2.

Level 2, the most in-depth analysis of the most relevant “elements of analysis” with the aim of:

Identify the same characteristics, according to recovery in the event of a disaster.

Identify the feasibility of the considered scenarios.

The content of business impact analysis also considers what has been achieved about business continuity through IT outsourcing, primarily where their processes are related to the firm’s critical operations.

Correlation is significant in terms of recovery time and rearrangement of processes to natural conditions.

Identify the reference process model (process model)

Execute data collection document for impact analysis

Level 1:

  1. Define the structure of the document
  2. Compilation of a form;
  3. Implement a questionnaire card to analyze the impact

 Level 2:

  1. Defining the structure of the questionnaire:
  2. Fill out the questionnaire
  3. Merge two previously developed databases.

For each sub-process in the process model, the following is done:

Perform level 1 impact analysis;

Approve Level 1 Analysis

As well as for any by-products that are identified as critical:

The collection of information about the “elements of analysis” should be done through the process managers’ data in the process mapping. The data collected through the questionnaire mentioned above card should be in the document after completing the impact analysis. “BIA – and tools for level 1 and 2 impact analysis” are available.

The final document on business impact analysis should be divided into two separate sections (related to two levels of study):

The first section collects information about the impact: economic, regulatory, and credit, due to the complete unavailability of the “analysis element” and how the effect evolves (from the moment of unavailability). This section must be completed for all process model subprocesses used: so each subprocess represents an “analysis element.”

The second part should apply only to the most relevant “elements of analysis” resulting from Level 1 analysis: it uses information about methods and situations to execute processes and is useful for operational continuity purposes. 

This section (by filling out a questionnaire, structured in “question cards” under the process of analysis) is divided into the following macroblocks:

  1. General Information: General information about the “element of analysis” intended ( process name, contact with the person/process manager, etc.);
  2. Specific features: The characteristics of the analytics element considered (e.g., timeliness, peak periods, input processes, etc.) Necessary, for analysis purposes, in which the information is used to identify the maximum time. That the intended element of analysis must be restarted (based on anticipated limitations) and beyond that data loss;
  3. Resources: Information about the resources usually considered in the analytics element (e.g., location, personnel, IT methods, documentation, etc.) to identify the minimum resources needed to perform the activity or ensure operational continuity.

Business Impact Analysis: Evaluating Results

At this stage, we can evaluate the results of both Level 1 Impact Analysis and Level 2 Impact Analysis.

Level 1 analysis:

This begins with a qualitative assessment of the effects.

  • The economic effect, for each element of the analysis, the economic impact must be evaluated because the time is different from the moment of stopping,
  • Classifies it based on the following values ​​scale:
  • Top: It has consequences that can significantly affect the company’s financial result, which can be achieved over several years.
  • Medium: It has significant implications for its economic performance, although it can be completed in the reference year.
  • Low: has no significant effect on the company’s financial performance.

Regulatory impact. For each element, the regulatory effect of the complete unavailability of its sub-process must be assessed.

Classify it according to the following scale of values:

  • High: The risk of suspension of a particular activity or non-compliance is particularly significant.
  • Medium: There are administrative/contractual penalties.
  • Low: No penalties / non-compliance

Impact of credit for each element of the analysis; the item to be analyzed must be specified over time.

Finally, we can continue to classify the elements of analysis (sub-processes).

Identifying and classifying the elements of the analysis with Level 1 Impact Analysis and identifying the items for further research and insight through Level 2 Impact Analysis is done according to the following:

Impact assessment: economic, regulatory, and credit;

The existence of analytical elements is related to infrastructure impacts.

The following “critical classes” are then analyzed and defined based on the evaluation of impacts (economic, regulatory, and credit) and their evolution over time with each process:

  • Class A: Comes with analysis elements that at least one of the effects (economic, regulatory, or credit), due to their complete unavailability in the first inaccessibility band, is rated as high.
  • Class B: Comes with analytical elements, at least one of which is highly rated in the second time inaccessibility band.
  • Class C: Comes with analytical elements, at least one of which is highly rated in the third time inaccessibility band.
  • Class D: Comes with analysis elements, at least one of the effects of which is highly rated in the fourth time zone of inaccessibility.
  • Class E: Associated with analytical elements with at least one of the effects of the fifth inaccessibility time band.
  • Class F: Comes with analysis elements in which at least one of the effects in the sixth time zone of inaccessibility is rated as high, or none of the impact (economic, regulatory, or credit) due to their complete inaccessibility are assessed. Has not been “up.”

Level 2 Impact Analysis:

Also, in this case, the whole process of analysis can be structured in different stages.

It starts with analyzing crisis scenarios.

The primary Samples of scenarios:

Unavailability of places where the process takes place

Staff unavailability

Lack of availability of services provided by suppliers and outsiders

Unavailability of IT methods (software) including:

Data alteration or unavailability of systems as a result of attacks from outside via telematic networks.

Serious damage to employees

Lack of availability of necessary information and documents.

Disconnection of support services (electricity, telecommunication networks, telephone lines, other items).

Unavailability of equipment used to perform process activities (laptop / desktop computer, smartphone);

Unavailability of special devices used to perform process activities (server, electrical panel, UPS, machine room equipment.

 

Result

An emergency that creates a new crisis is defined as “a problem, an event, or a series of events with potential strategic consequences.”

The business continuity plan prevents these accidents’ potential damage and arms the company to deal with it and avoid its economic losses.

But first, there must be an analysis impact that examines and identifies the consequences and has different stages.

Take care of your business and credit by following the steps above.