What is Business Impact Analysis?
Business Impact Analysis (BIA) is the process of analysing activities and the effect that a business disruption might have on them. It is a foundational requirement of ISO 22301 (Clause 8.2.2) and drives all subsequent business continuity planning.
The BIA helps organizations understand:
- Which activities are critical to organizational survival
- How quickly each activity must be recovered after disruption
- What resources are needed to perform each activity
- What dependencies exist between activities
- What the consequences of not recovering in time would be
Key Terms Explained
Maximum Tolerable Period of Disruption (MTPD)
The time after which the organization's viability will be irrevocably threatened if the activity is not resumed. MTPD represents the outer boundary for recovery - beyond this point, the organization cannot survive.
Recovery Time Objective (RTO)
The target time within which a business activity must be resumed after disruption. RTO must always be less than MTPD to provide a safety margin. RTO drives recovery strategy selection and resource allocation.
Recovery Point Objective (RPO)
The maximum acceptable data loss measured in time. RPO determines how frequently data must be backed up or replicated. An RPO of 4 hours means you can tolerate losing up to 4 hours of data.
Minimum Business Continuity Objective (MBCO)
The minimum level of services and/or products that is acceptable to the organization to achieve its business objectives during a disruption.
| Term | Question It Answers | Example |
|---|---|---|
| MTPD | How long until we fail as a business? | 72 hours |
| RTO | How fast must we recover? | 24 hours |
| RPO | How much data can we lose? | 4 hours |
| MBCO | What's the minimum acceptable service level? | 50% capacity |
BIA Process
Step 1: Identify Business Activities
Create a comprehensive list of all business activities/processes. Group them by department or function. For each activity, identify:
- Process owner
- Purpose and outputs
- Customers (internal/external)
- Peak periods
Step 2: Assess Impact Over Time
For each activity, assess what happens if it stops. Evaluate impact at different time intervals (e.g., 1 hour, 4 hours, 1 day, 3 days, 1 week). Consider impacts across multiple categories.
Step 3: Determine Recovery Requirements
Based on impact assessment, determine:
- MTPD - when impacts become unacceptable
- RTO - when recovery must complete
- RPO - acceptable data loss
- MBCO - minimum acceptable service level
Step 4: Identify Dependencies
Document what each activity depends on:
- Internal dependencies (other departments, systems)
- External dependencies (suppliers, utilities, partners)
- Technology dependencies (applications, infrastructure)
- People dependencies (key personnel, specialists)
Step 5: Identify Minimum Resources
For each critical activity, document the minimum resources needed to operate at MBCO:
- Number of staff and roles
- Equipment and technology
- Workspace requirements
- Information and records
- Third-party services
Impact Categories
Assess impacts across multiple dimensions:
| Category | Examples |
|---|---|
| Financial | Lost revenue, penalties, additional costs, lost productivity |
| Reputational | Customer confidence, media coverage, brand damage |
| Regulatory/Legal | Compliance violations, fines, license conditions |
| Operational | Backlog, quality issues, supply chain effects |
| Contractual | SLA breaches, penalty clauses, contract termination |
| Health and Safety | Staff safety, public safety, environmental |
Prioritization
Based on BIA results, categorize activities:
| Priority | RTO | Description |
|---|---|---|
| Critical | 0-4 hours | Must continue or recover immediately |
| Essential | 4-24 hours | Must recover within one day |
| Important | 1-3 days | Must recover within 72 hours |
| Standard | 3-7 days | Can wait up to a week |
| Non-critical | 7+ days | Can wait until normal operations resume |
Dependencies
Dependency mapping is crucial for effective BC planning:
Internal Dependencies
- Which other departments/activities must be running?
- What information flows are required?
- What shared resources are needed?
External Dependencies
- Critical suppliers and service providers
- Utilities (power, water, internet)
- Regulators and government services
- Financial services (banking, payments)
Create a dependency matrix showing which activities depend on which systems, suppliers, and other activities. This reveals hidden single points of failure and helps sequence recovery efforts.
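One way to work with such a dependency matrix in code, as an added example that is not part of the original guide: it lists dependencies shared by several activities, flags an RTO that is not below its MTPD or a dependency that recovers later than the activity relying on it, and derives a recovery order. The register, its names and all hour values are constructed for illustration.

```python
from graphlib import TopologicalSorter

# Constructed sample BIA register (hours); names and values are illustrative only.
REGISTER = {
    "Order processing":  {"rto": 4,  "mtpd": 24,  "deps": ["ERP system", "Payment provider"]},
    "Customer support":  {"rto": 24, "mtpd": 72,  "deps": ["ERP system", "Telephony"]},
    "Payroll":           {"rto": 72, "mtpd": 168, "deps": ["ERP system"]},
    "ERP system":        {"rto": 8,  "mtpd": 24,  "deps": ["Data centre power"]},
    "Payment provider":  {"rto": 4,  "mtpd": 24,  "deps": []},
    "Telephony":         {"rto": 24, "mtpd": 24,  "deps": []},
    "Data centre power": {"rto": 2,  "mtpd": 8,   "deps": []},
}
ACTIVITIES = ["Order processing", "Customer support", "Payroll"]

def all_deps(register, name, seen=None):  # direct and indirect dependencies of `name`
    seen = set() if seen is None else seen
    for dep in register[name]["deps"]:
        if dep not in seen:
            seen.add(dep)
            all_deps(register, dep, seen)
    return seen

def shared_dependencies(register, activities, minimum=2):  # single-point-of-failure candidates
    users = {}
    for act in activities:
        for dep in sorted(all_deps(register, act)):
            users.setdefault(dep, []).append(act)
    return {dep: acts for dep, acts in users.items() if len(acts) >= minimum}

def findings(register):  # RTO not below MTPD, or a dependency with a later RTO than its dependent
    out = []
    for name, item in register.items():
        if item["rto"] >= item["mtpd"]:
            out.append(("rto_not_below_mtpd", name, None))
        for dep in item["deps"]:
            if register[dep]["rto"] > item["rto"]:
                out.append(("dependency_recovers_late", name, dep))
    return out

def recovery_sequence(register):  # dependencies first; within each wave, shortest RTO first
    ts = TopologicalSorter({n: i["deps"] for n, i in register.items()})
    ts.prepare()
    order = []
    while ts.is_active():
        wave = sorted(ts.get_ready(), key=lambda n: (register[n]["rto"], n))
        order.extend(wave)
        ts.done(*wave)
    return order
```

In this sample, "Data centre power" appears under every activity only through the ERP system, which is the kind of indirect dependency a flat list per activity does not show.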
BIA Documentation
Document BIA results in a structured format including:
- Activity name and description
- Process owner
- Impact assessment by time interval
- MTPD, RTO, RPO values
- Dependencies (internal and external)
- Minimum resources
- Priority classification
- Review date
BIA Review
BIA must be reviewed and updated:
- At least annually
- After significant organizational changes
- After incidents that reveal new information
- When new critical activities are introduced