The Business Impact Assessment (BIA) describes the impact that a disaster has on business operations. The impact includes quantitative and qualitative elements. The quantitative impact is generally financial, such as loss of revenue or output of production. The qualitative impact has more to do with the delivery of goods and/or services and things such as the following.
Often a BIA includes a Vulnerability Assessment that’s used to get a handle on obvious and not-so-obvious weaknesses in business critical systems. Like a Risk Assessment, a Vulnerability Assessment has quantitative (financial) and qualitative (operational) sections.
Instant Answer The purpose of a Vulnerability Assessment is to determine the impact - both quantitative and qualitative - of the loss of a critical business function.
Quantitative losses include
Loss of revenue
Loss of operating capital
Loss because of personal liabilities
Increase in expenses
Penalties because of violations of business contracts
Violations of laws and regulations
Qualitative losses include loss of
Competitive advantages
Market share
Prestige and reputation
The Vulnerability Assessment identifies critical support areas, which are business functions that, if lost, would cause irreparable harm to the business by jeopardizing critical business processes or the lives and safety of personnel. Critical support areas should be studied carefully in the Vulnerability Assessment to identify the resources that they require to continue functioning.
Instant Answer Quantitative losses include an increase in operating expenses attributable to any higher costs associated with executing the contingency plan.
The BCP team should inventory all high-level business functions (for example, customer support, order processing, returns, accounts receivable, and so on) and rank them in order of criticality, and also describe the impact of a disruption of each function on overall business operations.
Essential to the Criticality Assessment is an analysis of the impact of a disruption based upon its duration. You can see the vast difference in business impact of a disruption lasting one minute compared with one hour, one day, one week, or longer. Generally, the criticality of a business function depends upon the degree of impact that its impairment has on the business.
Although you can consider a variety of angles when evaluating vulnerability and criticality, commonly you start with a high-level organization chart (hip people call this the org chart). In most companies, the major functions pretty much follow the structure of the organization.
Following an org chart helps the BCP project team to consider all the steps in a critical process. A walk through the org chart, stopping at each manager’s or director’s position and asking, “What does he do?” and “What does she do?” will help to jog your memory and to better see all the parts of the organization’s big picture.
Tip When you’re cruising an org chart to make sure all areas of the organization are covered, you may easily overlook outsourced functions that might not show up in the org chart. For instance, if accounts payable (A/P) functions are outsourced, you might miss this detail if you don’t see it on an org chart. Okay, maybe this is a bad example because the absence of all of A/P would probably be noticed. But if part of A/P - say, a group that detects and investigates A/P fraud (looking for payment patterns that would suggest the presence of phony payment requests) - were outsourced, that vital function would probably not be on the org chart.
An extension of the Criticality Assessment is a statement of Maximum Tolerable Downtime (MTD) for each critical business function. Maximum Tolerable Downtime is the maximum period of time that a critical business function can be inoperative before the company fails to be viable.
Here’s an illustration: Imagine your favorite online merchant - a bookseller, an auction house, or an online trading company - being down for an hour or a day or a week. At some point, you have to figure that a prolonged disruption will literally sink the ship and that the business won’t survive. This is what MTD is all about.
The Maximum Tolerable Downtime assessment should be a major factor that determines the criticality - and priority - of business functions. A function that can only withstand two hours of downtime obviously has a higher priority than another function that can withstand several days of downtime.
Instant Answer Maximum Tolerable Downtime is a measure of the longest period of time that a critical business function can be disrupted without threatening the survivability of the organization.
The Resource Requirements portion of the BIA is a listing of the resources that are required to continue operating each critical business function. In an organization with finite resources (which is pretty much everyone), the most critical functions are going to get first pick, with the lower priority functions getting the leftovers.