BIA – How to Structure the Resource Analysis for a Business Impact Analysis


One of the processes within the Business Continuity Management System (BCMS) is the development of a Business Impact Analysis. I have experienced several companies that are struggling with this process and this concept. In this article, I will explain the structure of one of the sections within the BIA process. This structure is analysing the resources required to ensure that the product or service is delivered, with the minimum impact on the business.

Business Impact Analysis

What is a Business Impact Analysis? This is defined as:

  • process of analysing activities and the effect that the business disruption might have upon them (ISO 22300 Link)

The BIA process analyses the effects of a disruption on the organization. The outcome is a statement and justification of business continuity priorities and requirements.

The first step in the BIA is the prioritization of products and services, which is followed by several

  • process BIAs (optional) and
  • activity BIAs.

The scope of each of these BIAs can be limited, but together they should cover the entire BCMS scope.

Organizations should review and perform the BIA process on a periodic basis (e.g. annually) and whenever there are significant changes within the organization or its context.

1.1.  Understanding the BIA Process

To understand the BIA, the process, results, and outcomes, one needs to map this in a step-by-step approach. The following 8 steps are defined:

  • Step 1: Plan your BIA
  • Step 2: Agree on the approach for undertaking the BIA process
  • Step 3: Determine the products and services with Top Management
  • Step 4: Determine the prioritised activities
  • Step 5: Determine resources and dependencies
  • Step 6: Analyse and consolidate the BIA results
  • Step 7: Obtain Top Management approval of BIA results
  • Step 8: Review the BIA

4 Steps in resources required analysis

Step 1: Identify resources

During the BIA process, you need to determine the prioritized activities. You should obtain a detailed understanding of day-to-day resource requirements, to identify the resources necessary to recover or maintain prioritized activities. These include, but are not limited to:

  • people.
  • information and data (including vital records).
  • physical infrastructure such as buildings, workplaces or other facilities and associated utilities.
  • equipment (e.g., office equipment, manufacturing equipment, special tools, spare parts, and components) and consumables (e.g., raw materials).
  • information and communication technology (ICT) systems (e.g., applications, cloud services, remote access).
  • transportation and logistics.
  • finance.
  •       partners and suppliers.

Step 2: Resource requirements

For the resources identified, the following information should be collected:

  • Quantity, i.e., the amount or number of resources needed over time, and based on the activity RTO, the activity owner can determine to start their activity with the following:
    • a decrease in the number of resources, e.g., recognizing that the activity can recommence with a reduced capacity; the activity owner must then increase the number of resources over time so that the activity eventually returns to its business as usual;the business-as-usual quantity.
    • an increase in the number of resources, e.g., to resolve the backlog accumulated over the period that the business activity was disrupted or to respond to an anticipated spike in demand; consideration should be given to estimate the period of time the supplemental quantity of resources is to be released to return the activity to its business-as-usual level;
  • time frame(s) in which the resources need to be available.
  • characteristics of the resource: the information to be gathered in this case depends on the type of resource, e.g.: for staff and contractors, the minimum acceptable level for required service, knowledge, skills, authority or qualifications required should be defined.
  • specification of IT equipment.
  • current location.
  • maximum tolerable data loss (MTDL) for information resources (the RPOs should not exceed the maximum tolerable data loss).
  • dependencies on other resources.
  • applicable legal or regulatory requirements.

Limitations imposed on resources, e.g., by logistics, should be considered when defining requirements. During the resources requirements analysis, Single Points of Failure (SPoF) [1]can be discovered and should be documented and reported appropriately

Step 3: Analyse and consolidate BIA results

While analysis occurs throughout the BIA process, the organization should perform a final analysis (or consolidation of analyses). This involves reviewing validated and approved information gathered from all levels of the BIA process and drawing conclusions that lead to business continuity priorities and requirements.

You should choose the appropriate quantitative and qualitative analytical approach(es), which can be influenced by the type, size, or nature of the organization and resource and skill constraints. The approach(es) selected will also depend on the type of information gathered. Regardless of approach, you should challenge and check the information to ensure that it is:

  1. correct: sufficiently accurate and reliable.
  2. credible: reasonable and justifiable.
  3. consistent: comparable, clear and repeatable.
  4. current: up to date and available in a timely manner.
  5. complete: comprehensive.

The consolidation can reveal incompatible or inappropriate recovery objectives that need to be reviewed with the activity owner and resolved. Furthermore, it can be necessary to adjust the RTO of predecessor activities to ensure successor activities can meet their set RTOs.

The results of analysing and consolidating information are the business continuity priorities and requirements

Step 4: Obtain top management approval for BIA results

As the BIA leader, you should seek management approval of BIA results, including the prioritization of products and services, business processes (if applicable), activities and resources.

You should provide the following key BIA results to top management for their review, amendment (if necessary) and approval before moving on to the next steps:

  • product and service prioritization.
  • business process prioritization (if undertaken);
  • activity prioritization.
  • confirmation of the original, or endorsement of the modified, BIA scope.

The approval of the BIA results by top management should be documented. Some organizations can choose to seek approval via a report or presentation to top management. A presentation should be chosen if the organization would benefit from debating the BIA results before approving or proposing an alternate conclusion. A report can be appropriate as a pre-read to a presentation or as the primary method of seeking approval if recommended business continuity priorities and requirements and their justification are straightforward and likely not to require discussion.

The BIA results identify and select business continuity strategies and solutions.


The BIA process is a critical deliverable for the understanding of the impacts on the products and services of a company.

The BIA process empowered the company to understand its vulnerabilities, grow and mature its preparedness and readiness and plan for exercises and testing activities to validate and continuously improve.

Through these processes, the enterprise risk (ISO 31000) is optimised, and the enterprise builds its resilience (ISO 22300)

[1]single point of failure (SPOF) is a part of a system that, if it fails, will stop the entire system from working.[1] SPOFs are undesirable in any system with a goal of high availability or reliability, be it a business practice, software application, or another industrial system. Single point of failure - Wikipedia

Enquire Now

Want to know more? Contact us today for any questions.

We will use this information to contact you about this enquiry only and not for marketing purposes.


Leave a Reply

Table of Contents

Enquire Now

Interested in this course? Let's help you get started.
We will use this information to contact you about this enquiry only and not for marketing purposes.
Click here to download this article.

More Quality Articles

What is risk? There’s a lot of research into all types of risk, but in my experience, I have found that most people and organisations don’t completely gras…
There are 7 Critical Steps to Pass Audits. Carina takes your through these steps.
Introduction Enterprise Risk Management (ERM) is describing a Risk Matrix (ERM Risk Matrix) as a tool for ranking and displaying risks by defining ranges for consequ…
What is a Compliance Management System (CMS)? For organizations seeking growth and long-term success, adhering to compliance obligations is not an option, is a must…
What is ISO 18788? ISO 18788 specifies the requirements and provides guidance for organizations that conduct or contract security operations.Moreover, it provide…
Information Security Management Network segregation is the tool used for dividing a network into smaller parts which are called subnetworks or network segments. Yo…
Information Security Management The popularity of the terms “data controller” and “data processor” has sharply increased in recent years. In part because of the sig…
The ability to predict what the future holds and choosing effectively among varying alternatives lies at the centre of contemporary societies and organizations. Ri…
“Food Safety” refers to the prevention, elimination and control of foodborne diseases at the stage of consumption. In a globalized world, the impact of food safety ha…
Six Sigma Benefits Reducing Waste Improving Time Management Increase Customer Loyalty Boost Employee Motivation Higher Revenues and Lower Costs Six Sigma has prov…
As the threat of energy-resource depletion has emerged, the global demand for energy is increasing constantly. Provided that billions of people still have no access…
Is your Business protected against a breach of data and software? Are you Internationally Certified to be able to prevent hackers from stealing your organization’s v…
The education industry has gone through tremendous changes over the last decades in terms of educational opportunities, teaching methods, availability of reading…
The Three P(’s)illars of Sustainability The concept of the “triple bottom line” was firstly introduced in 1994 by John Elkington, with the idea of organizations pre…
A politically inclined attack or just a ‘simple’ lack of security awareness? Whatever the case, the cyber-attack that hit Marriott was huge. This was the joint second…