The Business Impact Analysis (BIA) is a foundational element of any good business continuity program—according to the FFIEC, it is the first step in the business continuity process. Because its purpose is to identify those processes most critical to the livelihood of your company, it sets the stage for creating recovery strategies that will prepare your company to continue delivering on its promises through any situation—no matter what type of disruption should occur.
Having conducted hundreds of BIAs up to this point, here’s something that I’ve noticed many companies get wrong from the start: They try to make the BIA into something that it’s not. It’s not a recovery strategy or a recovery plan. It is simply a means of identifying what’s critical to your organization, for purposes of building strategies and plans. With that in mind, let’s take a look at the steps involved in the BIA process—with some tips and advice you might find useful.
A Step-By-Step Business Impact Analysis Guide
Step 1: Meet with management.
Business executives are often wary of the BIA process, but without their full support, it won’t be a success. Make sure management clearly understands the purpose of the BIA (including what it does and doesn’t do), and your plans for conducting it, including your questionnaire. Ask for their help and support to unite the relevant parties, and give them all the information upfront, so there are no surprises at any point during the process.
Step 2: Identify the scope of your BIA, and the subject matter experts who will be involved.
Most BIAs don’t involve every business unit in the company, so determine the units you believe are most critical and focus on those. Trying to do more complicates the process. Also, identify subject matter experts for each of the units you choose. (These are the people you’ll actually be interviewing later on.) Ideally, they should be individuals who actually do the job daily—not managers—because those doing the hands-on work are the most knowledgeable about processes and system dependencies and will provide the most accurate criticality assessment.
Tip: If it’s your first time doing a BIA, keep it small. For large companies, limit it to what you believe are the most significant 7-10 business units.
Step 3: Secure an IT representative to be present at each interview.
It’s helpful to have someone from IT present during BIA interviews to help clarify the names of computer systems and applications in case your SMEs don’t know. (You’d be surprised what employees don’t know about the applications they use daily.) Involve IT upfront to ensure accuracy.
Step 4: Determine the operating parameters of your BIA.
Before going into the BIA, you’ll need to set a few things straight (and, of course, clear it with management):
- What are the financial and non-financial impact categories I’ll use to assess the impact of a process that cannot be performed? (Disaster Recovery Journal lists the following impact considerations, among other things: impact on customer service, noncompliance with government regulations or contractual obligations, increased operating costs, penalties, loss of stockholder confidence, and loss of competitive edge.)
- Will I assign weighting factors to these categories to help assess the impact? Weighting factors are used to define the level of importance of each criterion.
- What data will I be gathering? (This may include data regarding required systems/applications, dependencies, vital records, specialized equipment needs, etc.)
Step 5: Schedule your BIA interviews.
Schedule BIA interviews with each participant to talk about every process they perform and the potential impact it would have on the company should one or more of those processes be disrupted. Each interview should take between 2 and 2.5 hours. At the same time, schedule conference rooms and/or tools for conducting remote interviews if necessary. Your goal is to make the process comfortable for interviewees and as easy as possible for everyone to attend.
Tip: Never do more than three BIA interviews in one day; it’s simply too draining for the facilitator. Also, prepare your interviewees for the process ahead of time. If possible, schedule a kickoff meeting to explain what a BIA is, how it’s done, and outline the roles and responsibilities of those involved. If that won’t work, send out written communication instead. Determine the right course of action based on the culture of your company.
Step 6: Gather data before the interview (pre-work).
We find it helpful to gather basic information from each business unit before the interview, including department overviews, hours of operation, and processes and systems. We’ve found that such pre-work helps speed the actual interviews along, though not everyone chooses to perform this step.
Step 7: Prepare yourself to facilitate the interview.
Make sure you’ve worked out well in advance what questions to ask, and be mindful of asking them in the same way every time, for each interview. Consistency helps ensure that all the data aligns across business units, making it easier to compare.
Step 8: Conduct the BIA interviews.
Strive to complete each interview within 2.5 hours. Use prescribed questions, and be consistent. Your goal at each interview: to leave with a good understanding of that business unit’s critical processes, required systems and applications, and critical and noncritical dependencies.
Tip: It helps if the BIA facilitator is enthusiastic and energetic. Interviews can be long and draining, and outgoing personalities do better with holding interviewees’ attention and drawing out more detailed responses.
Step 9: Send participants the completed BIA.
For each interviewee, ask for comments, revisions, and/or updates to the information that is already stated on record. Give them one week to review the completed BIA and validate it, or provide comments for revision.
Step 10: Aggregate the data and analyze it.
Gather all the data from every interview and assess what’s critical from a process and business unit standpoint. If a particular business unit criticality or recovery time objective doesn’t seem to make sense, review the results with the group and reassess. Look for anomalies and address them. This step is important if you expect management to take the results seriously.
Step 11: Create a management report.
Create a BIA report to share your results with management. Your report should include:
- A general overview of the BIA process
- The business process criticality ranking
- Additional findings
- An action plan to address the most critical items
- A conclusion
- Supporting information (names of participants, tables summarizing business processes, etc.)
Step 12: Send the report to senior management.
In a perfect world, management reads the report and signs off on it—that being the directive for relevant parties to get to work implementing recovery strategies and solutions. If management isn’t prepared to sign off, however, try getting approval for some recommendations you deem most critical. This solution reduces the cost and effort involved and will still protect your business to a large degree.
Step 13: Work on recovery strategies.
Based on the recovery time objectives and recovery point objectives for processes, systems, and applications, work on crafting recovery strategies and solutions for the most critical units. Strategies should include alternate work capabilities and concise, executable instructions to ensure the usefulness of the plan in the event it’s needed.
Following this Business Impact Analysis guide will ensure that you do the BIA correctly, and doing so is the first step in creating a business continuity program that works. The process is demanding, but it’s well worth the time and effort involved. In the end, your organization will be that much closer to surviving—and thriving—no matter what the situation.