BIA stands for Business Impact Analysis.
A BIA is carried out as one of the activities of a Business Continuity Management System (BCMS). Its formal definition is: “Process of analyzing the impact over time of a disruption on the organization” (ISO 22301:2019, 3 Terms and definitions, 3.5).
In a BIA, the organization’s business processes are analyzed to know what impact is produced in the event of an incident that causes the interruption of these processes. The objective is to identify which are the most critical processes for the company.
Business continuity should focus on those processes for which availability is vital, i.e., those whose interruption would cause an impact the organization cannot accept within a short period of time.
For example, the marketing and advertising service of a beverage company, whose delivery of results is not continuous, is not as critical as the web portal of an entity that sells products over the Internet, which must operate 24 × 7.
The BIA is carried out for all company processes, using a common methodology, in order to be able to compare the results and classify them by criticality.
How do you perform a BIA?
There is no single approach that works for every organization. Each one must define its own methodology.
Different types of impact may result from the interruption of a process and need to be considered. Some of them are the following:
- Operational impact, which prevents obtaining the product or result of the service to which the process belongs.
- Economic impact due to additional costs, loss of income, penalties, etc.
- Reputation impact, due to loss of brand image by not being able to provide the service normally to customers.
- Legal and contractual impact: by interrupting a specific process, the organization may be in breach of a legal or contractual requirement, which may have serious consequences.
Each organization must establish which impacts are to be considered, and the form and criteria by which each one is assessed.
The next element to take into account is time. Usually a time scale is used to compare the impact at different interruption intervals. A process may have a high impact from the first moment the interruption occurs, such as the one in the online store example mentioned above, but there will be other processes whose impact will not be high until a certain period of time has elapsed, like 24 hours or even several days.
The time scale to be used must also be established by each organization for itself. Its intervals can be time milestones chosen according to the type of business.
The processes with the greatest impact in the shortest interruption time will be the most critical for the organization. This must be the output, or result, obtained from the BIA.
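The ranking step described above can be sketched as follows. This is an added example, not part of any BIA product or of the original page: the time scale, the 0 to 4 rating scale, the "unacceptable" threshold, the process names and all ratings are constructed assumptions that each organization would replace with its own methodology.

```python
import math

# Every scale, threshold and rating below is constructed for illustration.
INTERVALS_H = [1, 4, 24, 72, 168]   # assumed time scale: hours of interruption
IMPACT_TYPES = ("operational", "economic", "reputation", "legal")
MAX_RATING = 4                      # assumed scale: 0 (none) .. 4 (severe)
UNACCEPTABLE = 3                    # assumed tolerance threshold

def worst_by_interval(ratings):
    """Validate one process's answers and return its worst rating per interval."""
    for t in IMPACT_TYPES:
        row = ratings.get(t)
        if row is None or len(row) != len(INTERVALS_H):
            raise ValueError(f"{t}: need one rating per interval")
        if any(not 0 <= r <= MAX_RATING for r in row):
            raise ValueError(f"{t}: rating outside 0..{MAX_RATING}")
    return [max(ratings[t][i] for t in IMPACT_TYPES)
            for i in range(len(INTERVALS_H))]

def time_to_unacceptable(ratings):
    """Hours until any impact type reaches UNACCEPTABLE, or None if it never does."""
    for hours, worst in zip(INTERVALS_H, worst_by_interval(ratings)):
        if worst >= UNACCEPTABLE:
            return hours
    return None

def rank_processes(processes):
    """Most critical first: shortest time to unacceptable impact, then higher impact."""
    def key(item):
        name, ratings = item
        t = time_to_unacceptable(ratings)
        return (math.inf if t is None else t, -sum(worst_by_interval(ratings)), name)
    return [(n, time_to_unacceptable(r)) for n, r in sorted(processes.items(), key=key)]

SAMPLE = {  # constructed questionnaire results, one rating per interval
    "marketing and advertising": {"operational": [0, 0, 1, 2, 3], "economic": [0, 0, 1, 2, 3],
                                  "reputation": [0, 0, 1, 2, 2], "legal": [0, 0, 0, 0, 1]},
    "online store portal": {"operational": [4, 4, 4, 4, 4], "economic": [3, 4, 4, 4, 4],
                            "reputation": [2, 3, 4, 4, 4], "legal": [0, 1, 2, 3, 3]},
    "payroll": {"operational": [0, 1, 2, 3, 4], "economic": [0, 0, 1, 2, 3],
                "reputation": [0, 0, 1, 2, 3], "legal": [0, 0, 2, 4, 4]},
    "internal newsletter": {t: [0, 0, 0, 1, 1] for t in IMPACT_TYPES},
}

if __name__ == "__main__":
    for name, hours in rank_processes(SAMPLE):
        print(f"{name}: {'never' if hours is None else f'{hours} h'}")
```

A process that never reaches the threshold on the chosen time scale is ranked last rather than dropped, so the committee validating the result still sees it.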
We recommend using specific BIA software, which makes the analysis easier to carry out and simplifies organizing and calculating all the data that this type of analysis involves.
Who does the BIA?
The person in charge of business continuity in the organization must define the methodology to be used. This must be validated and approved by the competent body that has been established in the organization as the highest authority on business continuity. Normally, it is a committee with representation from the main departments and with management present, so that it has the appropriate standing and weight.
Once the methodology is defined and the organization's processes are identified, the departments involved must participate in data collection or assessment, as appropriate. After all, it is the departments that carry out the processes that know in detail the consequences that may occur in the event of an interruption.
The BIA's result must be validated and agreed by the management of the organization or by the corresponding committee or body.
Do you need help to carry out a BIA?
The advisory team of GlobalSuite Solutions has extensive experience in carrying out BIAs and in implementing business continuity plans in all types of organizations of different sectors, sizes and needs.
Likewise, we propose the use of the GlobalSuite® software, developed entirely by our team, which allows the configuration of your BIA methodology, the preparation of questionnaires for the departments and the management of the information and results obtained after the completion of the BIA.