Business Impact Analysis (BIA)


Business impact analysis (BIA) is a systematic activity that identifies organizational risks and determines their effect on ongoing, mission-critical operations.

  • aka business impact assessment
  • involves identifying and assessing the impact of various unplanned threat scenarios on the business
  • part of business continuity
  • enables the organization to proactively create recovery strategies that minimize the impact of disruptions
  • helps ensure operational resilience

Identifying Critical Systems

  • identifying critical systems is a crucial step
    • compiling an inventory of business processes and the assets that support them
  • Asset types:
    • People
      • employees, visitors, and suppliers
    • Tangible assets
      • buildings, furniture, equipment and machinery (plant), Information and Communication Technology (ICT) equipment, electronic data files, and paper documents
    • Intangible assets
      • ideas, commercial reputation, brand, etc.
    • Procedures
      • supply chains, critical procedures, standard operating procedures

Mission Essential Functions

A mission essential function (MEF) is a business or organizational activity that is too critical to be deferred for anything more than a few hours, if at all.

  • must be performed as close to continually as possible
  • must be restored first in case of service disruption
  • important to reduce the number of dependencies between components
    • dependencies are identified by performing a business process analysis (BPA) for each function
      • identifies:
        • Inputs
          • the sources of information for performing the function
          • including the impact if these are delayed or out of sequence
        • Hardware
          • the particular server or datacenter that performs the processing
        • Staff and other resources supporting the function
        • Outputs
          • data or resources produced by the function
        • Process Flow
          • step-by-step description of how the function is performed

Info

Functions that act as support for the business or an MEF, but are not critical in themselves, are referred to as primary business functions (PBF).