Business Impact Analysis in ITIL – Know what’s important

So, you claim you know your services and you are aligned with the business. Let me ask you a question – do you know how your services are supporting business services? Which IT service(s) support each particular business service? In other words, when a particular IT service fails – which of the business services (and its users) will be affected? Tough question, isn’t it?

What is Business Impact Analysis?

Business Impact Analysis (BIA) is a set of activities that will help you understand business services, their importance, and their dependencies. Once you develop your own methodology, BIA will be a useful tool to understand your business and the criticality of (your) IT services.

To understand your services sounds simple. Certainly, one would say that the people running IT services understand them. But I don’t mean what they accomplish, or the technical background. What I mean is – how do they support the business, i.e., which business services? Take, as an example, a “simple” service like storage. Storage, as a service, supports many other services, e.g., file system, e-mail, collaboration services, enterprise resource planning (ERP), etc. Failure in storage service would impact many other services.

Some of the above-mentioned services could be critical. Criticality expresses the importance of a service for the business. It can be stated in financial terms as well as in non-financial terms (e.g., frequent interruption of the core banking system can cause customers to move to another bank). BIA is an excellent method to define Vital Business Functions (VBF), i.e., parts of the business process that are critical to the business. By defining VBF, you will also define the acceptable outage of the services.

While performing BIA, it is important to include dependencies of the (business) service on resources, processes, other business services, related IT services, etc. Since BIA serves as an input for IT Service Continuity Management (ITSCM), efficient BIA will provide a sound basis to define continuity requirements of IT services. Additionally, BIA can define capacity and availability requirements for the service. Take the example we already mentioned – core banking service. BIA will define core banking service as a VBF and set requirements like workload (e.g., number of transactions) or availability (e.g., immediate recovery as an option to secure required availability).

Content of the BIA

There is no checklist for the BIA content. The point is that BIA has to define the consequences of the unavailability of the service (or its partial availability). That gives you the freedom to include whatever parameters you need. Let me give you a few hints about your BIA’s content:

  • Consequences – describe consequences in as much detail as possible. It would be ideal if that could be stated in financial terms (e.g., loss in profit). But, some other descriptions are good enough, like number of lost customers, legal violations, etc.
  • IT service analysis – the connection between business and IT services.
  • Continuity definitions – define minimum service level in case of service unavailability, the time within which this level must be reached, and maximum acceptable outage time.
  • Priority – define priorities regarding how the services should be recovered. Talk to the business and let them tell you about the priorities of the business services. If you know the connection between business services and IT services, you will get a priority list of the IT services.
  • Resources – define resources for (at least) VBF and other important services.
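The storage example above and the Priority bullet describe the same calculation: follow the dependencies from each business service down to the IT services, then let every IT service inherit the strictest priority and outage limit of the business services it supports. The sketch below is an added example, not part of the original article; the dependency map, the priorities, the outage limits and all business service names other than core banking are constructed sample values.

```python
# Constructed sample BIA data; replace with what the business tells you.
BUSINESS = {  # business service -> importance and continuity definitions
    "core banking":            {"vbf": True,  "priority": 1, "max_outage_h": 0.5},
    "customer correspondence": {"vbf": False, "priority": 2, "max_outage_h": 8},
    "internal reporting":      {"vbf": False, "priority": 3, "max_outage_h": 48},
}
DEPENDS_ON = {  # service -> services it directly relies on (assumed mapping)
    "core banking": ["ERP"],
    "customer correspondence": ["e-mail"],
    "internal reporting": ["collaboration"],
    "ERP": ["storage"],
    "e-mail": ["storage"],
    "collaboration": ["file system"],
    "file system": ["storage"],
}

def supporting(service, seen=None):
    """All services that `service` relies on, directly or indirectly."""
    seen = set() if seen is None else seen
    for dep in DEPENDS_ON.get(service, []):
        if dep not in seen:  # the seen set also guards against cycles
            seen.add(dep)
            supporting(dep, seen)
    return seen

def dependents(service):
    """Every service (IT or business) that breaks when `service` fails."""
    return {s for s in DEPENDS_ON if service in supporting(s)}

def impacted_business(it_service):
    """Business services affected by a failure, most important first."""
    hit = [b for b in BUSINESS if it_service in supporting(b)]
    return sorted(hit, key=lambda b: BUSINESS[b]["priority"])

def it_recovery_order():
    """IT services as (name, priority, max_outage_h, supports_vbf) tuples.

    Each IT service inherits the strictest values of the business services
    it supports; ties go to the service with more dependents, so that a
    shared foundation is recovered before the services built on it.
    """
    it_services = {d for deps in DEPENDS_ON.values() for d in deps} - set(BUSINESS)
    rows = []
    for svc in it_services:
        hit = [BUSINESS[b] for b in impacted_business(svc)]
        if hit:
            rows.append((min(h["priority"] for h in hit),
                         min(h["max_outage_h"] for h in hit),
                         -len(dependents(svc)), svc,
                         any(h["vbf"] for h in hit)))
    return [(svc, prio, out, vbf) for prio, out, _, svc, vbf in sorted(rows)]
```

With this sample data, storage comes first in the recovery order even though no business user ever asks for "storage": it inherits the half-hour limit of core banking through ERP.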

Value of the BIA

BIA will define your approach to the IT Service Continuity Management (ITSCM). If some service is critical to the business of the company, you have to treat it that way in your IT service continuity plan (that’s why you have BIA). But, that’s not all. BIA should be performed as early as possible in the Service Design stage (according to ITIL) of the service lifecycle. This means that BIA will provide valuable input to other processes as well, e.g., Capacity, Availability, Information Security, and Service Level Management. Even beyond Service Design – incident management may change the process used to treat incidents in the IT services related to VBF.

Basically, BIA is one of the ways in which IT services integrate with business. This means that IT will become more familiar with business services and how IT supports them. Usually, IT has some kind of ITSCM. But, as I often experienced, businesses rarely document their continuity management. And Business Continuity Management (BCM) should be integrated with IT Service Continuity Management and serve as a trigger for IT Service Continuity plans and activities. Regularly performed BIA stands between BCM and ITSCM – it uses inputs from BCM and creates outputs into ITSCM.

Business conditions change, and so do related IT processes and activities. Consequently, BIA is a living document and as such it creates a lively connection between business and IT services. Lively also means agile, responsive, and active. Therefore, wisely used BIA can help you understand, align, and integrate IT and business services and make life easier both in peacetime, and after the beginning of a continuity event.

To get more insight into BIA content, download a free preview of this Business Impact Analysis and Recovery template.

Branimir Valentic
Branimir is an expert in IT service management (consultancy, training and tools), IT governance (training and consulting), project management and consultancy in IT and telecommunication. He holds the following certificates: ITIL Expert, ISO 20000, ISMS Lead Auditor and PRINCE2.