BIA – How to Structure the Resource Analysis for a Business Impact Analysis

BIA - Business Impact Analysis

Introduction

One of the processes within the Business Continuity Management System (BCMS) is the development of a Business Impact Analysis (BIA). I have seen several companies struggle with this process and this concept. In this article, I will explain the structure of one of the sections within the BIA process: the analysis of the resources required to ensure that the product or service is delivered with the minimum impact on the business.

Business Impact Analysis

What is a Business Impact Analysis? It is defined as:

  • the process of analysing activities and the effect that a business disruption might have upon them (ISO 22300)

The BIA process analyses the effects of a disruption on the organization. The outcome is a statement and justification of business continuity priorities and requirements.

The first step in the BIA is the prioritization of products and services, which is followed by a number of:

  • process BIAs (optional) and
  • activity BIAs.

The scope of each of these BIAs can be limited, but together they should cover the entire BCMS scope.

Organizations should review and perform the BIA process on a periodic basis (e.g. annually) and whenever there are significant changes within the organization or its context.

Understanding the BIA Process

To understand the BIA process, its results and its outcomes, one needs to map it in a step-by-step approach. The following eight steps are defined:

  • Step 1: Plan your BIA
  • Step 2: Agree on the approach for undertaking the BIA process
  • Step 3: Determine the products and services with Top Management
  • Step 4: Determine the prioritised activities
  • Step 5: Determine resources and dependencies
  • Step 6: Analyse and consolidate the BIA results
  • Step 7: Obtain Top Management approval of BIA results
  • Step 8: Review the BIA

Four Steps in the Resources Required Analysis

Step 1: Identify resources

During the BIA process, you need to determine the prioritized activities. You should obtain a detailed understanding of day-to-day resource requirements in order to identify the resources necessary to recover or maintain those prioritized activities. These include, but are not limited to:

  • people;
  • information and data (including vital records);
  • physical infrastructure such as buildings, workplaces or other facilities and associated utilities;
  • equipment (e.g., office equipment, manufacturing equipment, special tools, spare parts, and components) and consumables (e.g., raw materials);
  • information and communication technology (ICT) systems (e.g., applications, cloud services, remote access);
  • transportation and logistics;
  • finance;
  • partners and suppliers.

Step 2: Resource requirements

For the resources identified, the following information should be collected:

  • quantity, i.e., the amount or number of resources needed over time. Based on the activity RTO, the activity owner can decide to restart the activity with:
    • a decreased number of resources, e.g., recognizing that the activity can recommence with a reduced capacity; the activity owner must then increase the number of resources over time so that the activity eventually returns to its business-as-usual quantity;
    • an increased number of resources, e.g., to resolve the backlog accumulated over the period that the business activity was disrupted or to respond to an anticipated spike in demand; consideration should be given to estimating the period after which the supplemental resources are released and the activity returns to its business-as-usual level;
  • time frame(s) in which the resources need to be available;
  • characteristics of the resource: the information to be gathered depends on the type of resource, e.g., for staff and contractors, the minimum acceptable level of service, knowledge, skills, authority or qualifications required should be defined;
  • specification of IT equipment;
  • current location;
  • maximum tolerable data loss (MTDL) for information resources (the RPO should not exceed the maximum tolerable data loss);
  • dependencies on other resources;
  • applicable legal or regulatory requirements.

Limitations imposed on resources, e.g., by logistics, should be considered when defining requirements. During the resource requirements analysis, Single Points of Failure (SPoF) [1] can be discovered; these should be documented and reported appropriately.

Step 3: Analyse and consolidate BIA results

While analysis occurs throughout the BIA process, the organization should perform a final analysis (or consolidation of analyses). This involves reviewing validated and approved information gathered from all levels of the BIA process and drawing conclusions that lead to business continuity priorities and requirements.

You should choose the appropriate quantitative and qualitative analytical approach(es), which can be influenced by the type, size, or nature of the organization and resource and skill constraints. The approach(es) selected will also depend on the type of information gathered. Regardless of approach, you should challenge and check the information to ensure that it is:

  1. correct: sufficiently accurate and reliable.
  2. credible: reasonable and justifiable.
  3. consistent: comparable, clear and repeatable.
  4. current: up to date and available in a timely manner.
  5. complete: comprehensive.

The consolidation can reveal incompatible or inappropriate recovery objectives that need to be reviewed with the activity owner and resolved. Furthermore, it can be necessary to adjust the RTO of predecessor activities to ensure successor activities can meet their set RTOs.

The results of analysing and consolidating this information are the business continuity priorities and requirements.
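To make the consolidation checks of Step 2 and Step 3 concrete, here is an added example (not code from the article or from any BCMS tool) that models activities, their RTOs, their resources and their predecessor dependencies, then propagates RTOs upstream so that predecessors are no slower than their successors, flags information resources whose RPO exceeds the MTDL, and flags a simplified SPoF: a resource with no alternative that several prioritised activities depend on. All names, hours and the SPoF heuristic are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Resource:
    name: str
    has_alternative: bool = False       # substitute or redundancy available?
    mtdl_hours: Optional[float] = None  # maximum tolerable data loss (information resources)
    rpo_hours: Optional[float] = None   # recovery point objective currently achieved

@dataclass
class Activity:
    name: str
    rto_hours: float
    resources: list = field(default_factory=list)     # names of resources it needs
    predecessors: list = field(default_factory=list)  # activities recovered before it

def required_rtos(activities):
    """Propagate RTOs upstream: a predecessor may be no slower than its fastest successor."""
    required = {a.name: a.rto_hours for a in activities}
    changed = True
    while changed:  # iterate to a fixed point over the dependency graph (assumes no cycles)
        changed = False
        for a in activities:
            for p in a.predecessors:
                if required[a.name] < required[p]:
                    required[p], changed = required[a.name], True
    return required

def consolidate(activities, resources):
    """Run the three consolidation checks and return their findings."""
    rpo = [r.name for r in resources.values()          # RPO must not exceed MTDL
           if r.mtdl_hours is not None and r.rpo_hours is not None and r.rpo_hours > r.mtdl_hours]
    usage = {}
    for a in activities:
        for rn in a.resources:
            usage.setdefault(rn, []).append(a.name)
    spof = [rn for rn, users in usage.items()           # shared resource with no alternative
            if len(users) > 1 and not resources[rn].has_alternative]
    return {"required_rto": required_rtos(activities), "rpo_exceeds_mtdl": rpo, "spof": spof}

# Constructed sample data (not from the article): three activities in a dependency chain
RESOURCES = {r.name: r for r in [
    Resource("order_db", mtdl_hours=4, rpo_hours=24),
    Resource("payment_gateway", has_alternative=True),
    Resource("warehouse_wms", mtdl_hours=8, rpo_hours=1)]}
ACTIVITIES = [
    Activity("order_intake", 4, ["order_db", "payment_gateway"]),
    Activity("fulfilment", 8, ["order_db", "warehouse_wms"], ["order_intake"]),
    Activity("invoicing", 2, ["order_db"], ["fulfilment"])]
```

With this sample, the invoicing RTO of 2 h forces fulfilment and order intake down to 2 h as well, which is exactly the kind of predecessor adjustment the consolidation step is meant to surface.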

Step 4: Obtain top management approval for BIA results

As the BIA leader, you should seek management approval of BIA results, including the prioritization of products and services, business processes (if applicable), activities and resources.

You should provide the following key BIA results to top management for their review, amendment (if necessary) and approval before moving on to the next steps:

  • product and service prioritization;
  • business process prioritization (if undertaken);
  • activity prioritization;
  • confirmation of the original, or endorsement of the modified, BIA scope.

The approval of the BIA results by top management should be documented. Some organizations choose to seek approval via a report or a presentation to top management. A presentation should be chosen if the organization would benefit from debating the BIA results before approving them or proposing an alternative conclusion. A report can be appropriate as a pre-read to a presentation, or as the primary method of seeking approval if the recommended business continuity priorities and requirements and their justification are straightforward and unlikely to require discussion.

The BIA results are the input for identifying and selecting business continuity strategies and solutions.

Summary

The BIA process is a critical deliverable for understanding the impacts of a disruption on the products and services of a company.

The BIA process empowers the company to understand its vulnerabilities, to grow and mature its preparedness and readiness, and to plan exercises and testing activities that validate and continuously improve its capability.

Through these processes, the enterprise risk (ISO 31000) is optimised and the enterprise builds its resilience (ISO 22300).


[1] A single point of failure (SPOF) is a part of a system that, if it fails, will stop the entire system from working. SPOFs are undesirable in any system with a goal of high availability or reliability, be it a business practice, software application, or another industrial system. (Single point of failure, Wikipedia)
