Chapter 2
resources to reduce and correct potential losses. For this reason, some people
prefer to address the threat/vulnerability pairs as observations instead of
findings in the risk assessment report. A suggested report format is shown
in Appendix A.
2.7 Business Impact Analysis (BIA)
A business impact analysis is a process of identifying the critical business
functions and the losses and effects if these functions are not available. It
involves talking to the key people operating the business functions in order
to assess the impact an event would have on business operations. The purpose
of the BIA is to correlate specific system components with the critical
services that they provide and, based on that information, to characterize
the consequences of a disruption to the system components. The BIA process
must begin with executive sponsorship of the effort and the support and
involvement of senior management, because a good BIA will involve an
unprecedented study of the organization. The BIA is a collective undertaking
that involves those whose continuity is sought and those who are major
contributors to the various business processes and are intimately involved in
assessing their value. The results of a BIA will rank, order, and position
each business and support function for recovery based on organizational
knowledge. Results from the BIA should be appropriately incorporated into the
analysis and strategy development efforts for the organization’s COOP, BCP,
and BRP.
Effective analysis is essential in plan development, strategy selection, and
reduction of recovery costs. Impact analysis requires input from the
owner/business function/program manager to understand precisely what the
agency risks losing, should there be a disruption or disaster. While overall
responsibility lies with the business functional unit leader, information
needed for recovery comes from all levels of management. The IS organization
alone cannot provide that information. The effort needs to be a “meeting of
the minds” that results in identifying, qualifying, and quantifying the terms
“critical” and “intolerable impacts.” Only the owner can identify, quantify,
and qualify these impacts. Impact analysis ensures that the intolerable
impacts are the main consideration in defining the direction, scope, and
appropriate recovery strategies for plan development. Simply put, the shorter
the time in which the impacts become intolerable, the hotter the strategy
(most resources in place, ready to use). Conversely, if the impacts are
tolerable for two weeks or more, then a colder strategy (resources
identified, but not in place) is indicated.