BIA for Dummies

Wed, 02/24/2016 - 16:54 -- pottol

Business impact analysis (BIA) is a systematic process for evaluating or designing the countermeasures that must be put in action to neutralize the potential effects of an interruption to critical business operations. To neutralize means 'to reduce to a level that is no longer financially dangerous for the company', while interruptions are understood as the results of a disaster, accident or emergency.
Since BIA is the starting component of the Business Continuity Plan, whose aim is to develop a strategy that reduces money loss, it is based on some simplifications that make the analysis easier. In fact, it analyzes only significant financial outcomes resulting from the main possible disasters applied to the essential business components:

  • Relevancy: significant outcomes are those that make the company no longer solvent, measured against earnings (e.g. x% of EBIT). Risk Appetite is the maximum amount of loss the company can sustain.
  • Emergency: the main disasters are very large in their consequences. Probability is no longer needed (e.g. no Annual Rate of Occurrence).
  • Criticality: the essential components are a restricted subset of all components (e.g. 4-5).
The 3 analysis dimensions should be treated from 3 different viewpoints (Business, Operation and Risk), in order to provide the parameters needed for resiliency: RTO (Recovery Time Objective) and RPO (Recovery Point Objective):

  • Business: characterization of the company business: Revenue/EBIT, (possible) Disaster or Accident, Risk Drivers (e.g. no earnings, customer escape, reputational risk)
  • Operation: characterization of company internals: Risk Appetite (usually 2%), Outages caused on company premises by the identified emergencies, Processes affected by the applicable Risk Drivers
  • Risk: characterization of company risk: Money Loss ($/time, resulting from outages of an application), Countermeasures (technical solutions that counter the effects of outages), IT Applications (technical premises surrounding the identified processes)
These could be arranged in a 3x3 quadrant:

              Relevancy        Emergency            Criticality
  Business    Revenue/EBIT     Disaster/Accident    Risk Drivers
  Operation   Risk Appetite    Outages              Processes
  Risk        Money Loss       Countermeasures      IT Applications

For each identified IT Application and for every possible emergency, there should be countermeasures in place that ensure Money Loss does not exceed Risk Appetite. Thus, RTO and RPO calculation is straightforward:

  • RTO <= Risk Appetite / Money Loss
  • RPO >= Delay introduced by the Processes in treating data
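The calculation above, worked through in code. This is an added example and not part of the original post: the company figures (EBIT, the 2% Risk Appetite, the per-application Money Loss, processing delays and the capabilities of each countermeasure) are constructed for illustration, and the example assumes that the tightest RPO permitted by the rule (RPO equal to the processing delay) is the value a countermeasure's replication or backup lag is checked against. It also handles the case of an application whose outage costs nothing, where the RTO formula divides by zero and the application would not have passed the Criticality filter in the first place.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed figures for a hypothetical company (not taken from the post).
# EBIT is in dollars per year; Risk Appetite follows the post's "usually 2%".
EBIT = 50_000_000.0
RISK_APPETITE_FRACTION = 0.02


def risk_appetite(ebit: float, fraction: float = RISK_APPETITE_FRACTION) -> float:
    """Maximum sustainable loss in dollars: a share of earnings (e.g. 2% of EBIT)."""
    if ebit <= 0 or not 0 < fraction <= 1:
        raise ValueError("EBIT must be positive and fraction must lie in (0, 1]")
    return ebit * fraction


def max_rto_hours(appetite: float, money_loss_per_hour: float) -> Optional[float]:
    """RTO <= Risk Appetite / Money Loss, in hours.

    Returns None when the outage costs nothing: the bound is then unlimited
    (and such an application is not critical in the sense of the post).
    """
    if money_loss_per_hour < 0:
        raise ValueError("money loss cannot be negative")
    if money_loss_per_hour == 0:
        return None
    return appetite / money_loss_per_hour


@dataclass
class Application:
    name: str
    money_loss_per_hour: float        # $/hour while the application is down
    processing_delay_hours: float     # delay the process introduces in treating data
    achievable_recovery_hours: float  # recovery time the current countermeasure delivers
    achievable_data_loss_hours: float  # replication/backup lag of that countermeasure


@dataclass
class Assessment:
    name: str
    rto_hours: Optional[float]  # upper bound on recovery time (None = unbounded)
    rpo_hours: float            # lower bound on data loss window, taken as the target
    rto_met: bool               # countermeasure recovers fast enough
    rpo_met: bool               # countermeasure loses no more data than the RPO allows


def assess(app: Application, appetite: float) -> Assessment:
    """Check one IT Application's countermeasure against the RTO/RPO bounds."""
    rto = max_rto_hours(appetite, app.money_loss_per_hour)
    # RPO >= processing delay; the assumption here is to take the delay itself
    # as the target, i.e. the tightest RPO the rule allows.
    rpo = app.processing_delay_hours
    rto_met = rto is None or app.achievable_recovery_hours <= rto
    rpo_met = app.achievable_data_loss_hours <= rpo
    return Assessment(app.name, rto, rpo, rto_met, rpo_met)


def run_example() -> List[Assessment]:
    """Assess a constructed set of applications; returns one Assessment each."""
    appetite = risk_appetite(EBIT)  # 1,000,000 $ with the figures above
    apps = [
        # Loses 50k $/h, so RTO <= 20 h; a 4 h recovery and 0.5 h lag are fine.
        Application("order-entry", 50_000, 1.0, 4.0, 0.5),
        # Loses 250k $/h, so RTO <= 4 h; an 8 h recovery misses it. Billing is
        # a daily batch, so a 24 h backup lag still meets the 24 h RPO.
        Application("billing", 250_000, 24.0, 8.0, 24.0),
        # Costs nothing while down: RTO unbounded, only the RPO check applies.
        Application("internal-wiki", 0, 24.0, 72.0, 24.0),
    ]
    return [assess(a, appetite) for a in apps]


if __name__ == "__main__":
    for r in run_example():
        rto = "unbounded" if r.rto_hours is None else f"<= {r.rto_hours:g} h"
        print(f"{r.name:14s} RTO {rto:14s} RPO >= {r.rpo_hours:g} h  "
              f"RTO met: {r.rto_met}  RPO met: {r.rpo_met}")
```

The `billing` row shows the point of the exercise: a countermeasure that looks reasonable in isolation (8 hours to recover) fails once the Money Loss rate is set against the Risk Appetite, which is exactly what the BIA is meant to surface before an emergency does.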