{"id":4815,"date":"2010-06-10T15:59:19","date_gmt":"2010-06-10T15:59:19","guid":{"rendered":"https:\/\/multiacademstg.wpengine.com\/27001academy\/blog\/010\/06\/10\/five-tips-for-successful-business-impact-analysis\/"},"modified":"2025-07-08T14:13:53","modified_gmt":"2025-07-08T14:13:53","slug":"five-tips-for-successful-business-impact-analysis","status":"publish","type":"post","link":"https:\/\/advisera.com\/27001academy\/blog\/2010\/06\/10\/five-tips-for-successful-business-impact-analysis\/","title":{"rendered":"Five Tips for Successful Business Impact Analysis"},"content":{"rendered":"<p>You have probably wondered why you have to perform <a href=\"https:\/\/advisera.com\/27001academy\/iso-27001-22301-premium-documentation-toolkit\/?rel=business-continuity&amp;doc=business-impact-analysis-questionnaire\" target=\"_blank\" rel=\"noopener\">business impact analysis<\/a> (BIA) once you already did the risk assessment. You identified all the risks, didn\u2019t you? Spent quite a lot of time analyzing your company, why then yet another analysis?<\/p>\n<p>Well, the purpose of BIA is different. In business continuity everything is about time \u2013 it doesn\u2019t matter if you can recover your business activities if it isn\u2019t achieved in reasonable time. \u201cReasonable\u201d is what the BIA has to determine \u2013 its main purpose is to find out what the recovery time objective is for each critical activity within an organization.<br \/>\n<div id=\"side-banner-trigger\" class=\"banner-shortcode\"><\/div><div id=\"middle-banner\" class=\"banner-shortcode\"><\/div><script>loadMiddleBanner();<\/script><\/p>\n<p>This kind of analysis is often taken lightly \u2013 first, the company is usually not aware that wrong results could incur unnecessary expenses or create an inadequate <a href=\"https:\/\/advisera.com\/27001academy\/blog\/2010\/03\/15\/can-business-continuity-strategy-save-your-money\/\">business continuity strategy<\/a>, but also the effort needed to perform BIA is underestimated.<\/p>\n<p>Therefore, here are some tips that will make your business impact analysis more effective:<\/p>\n<p><strong>Treat it as a (mini) project.<\/strong> Define the person responsible for its implementation and his or her authority; define the scope, objectives, and time frame.<\/p>\n<p><strong>Do your homework, prepare a good questionnaire<\/strong>. A well structured questionnaire will save you quite a lot of time, and will make the results more accurate. BS 25999-1 and <a href=\"https:\/\/advisera.com\/27001academy\/what-is-bs-25999\/\" target=\"_blank\" rel=\"noopener noreferrer\">BS 25999-2<\/a> standards will give you a fairly good idea about what it must contain \u2013 among other things, you have to identify impacts resulting from disruptions and determine how these vary over time, identify the resources needed for recovery etc. It is a good practice to use both qualitative and quantitative questions to identify impacts.<\/p>\n<p><strong>Define clear criteria.<\/strong> If your interviewees have to answer questions by assigning values for instance from 1 to 5, be sure to explain exactly what each of these five marks means. It is not uncommon that the same event is evaluated as catastrophic by the lower-level employees, while top management assesses its impact as moderate.<\/p>\n<p><strong>Collect data through human interaction<\/strong>. The best results are achieved when someone skilled in business continuity performs an interview with the person responsible for a critical activity. That way a lot of unresolved questions are cleared, and well-balanced answers are achieved. If interviews are not feasible, do at least one workshop with all the participants so they can ask everything that is troubling them. In other words, don\u2019t just send them the questionnaires and scold them if they didn\u2019t send them back in time.<\/p>\n<p><strong>Determine the recovery time objectives only after you have identified all the interdependences.<\/strong> For instance, through the questionnaire you might conclude that for critical activity \u201cA\u201d the maximum tolerable period of disruption is 2 days; however, the maximum tolerable period of disruption for critical activity \u201cB\u201d is 1 day and it cannot recover without the help of critical activity A. This means that the recovery time objective for \u201cA\u201d will be 1 day instead of 2 days.<\/p>\n<p>In my experience, the results of BIA are often unexpected \u2013 usually the recovery time objective is longer than it was initially thought, and BIA reveals dependencies on some resources that are actually a single point of failure. But the best thing of all, business impact analysis is the most effective way to get people thinking about the unexpected \u2013 by creating such awareness, you increase the chances of your company\u2019s survival.<\/p>\n<p><em>To implement ISO 22301 easily and efficiently, use our<\/em>\u00a0<a href=\"https:\/\/advisera.com\/27001academy\/iso22301-documentation-toolkit\/\" target=\"_blank\" rel=\"noopener\">ISO 22301 Documentation Toolkit<\/a>\u00a0<em>that provides step-by-step guidance and all documents for full ISO 22301 compliance.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>You have probably wondered why you have to perform business impact analysis (BIA) once you already did the risk assessment. You identified all the risks, didn\u2019t you? Spent quite a lot of time analyzing your company, why then yet another analysis? Well, the purpose of BIA is different. In business continuity everything is about time &#8230;<\/p>\n","protected":false},"author":26,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[554,566,586,611,612,668],"class_list":["post-4815","post","type-post","status-publish","format-standard","hentry","category-blog","tag-business-impact-analysis","tag-recovery-time-objective","tag-critical-activity","tag-bs-25999-2","tag-business-continuity-strategy","tag-maximum-tolerable-period-of-disruption"],"acf":[],"_links":{"self":[{"href":"https:\/\/advisera.com\/27001academy\/wp-json\/wp\/v2\/posts\/4815","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/advisera.com\/27001academy\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/advisera.com\/27001academy\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/advisera.com\/27001academy\/wp-json\/wp\/v2\/users\/26"}],"replies":[{"embeddable":true,"href":"https:\/\/advisera.com\/27001academy\/wp-json\/wp\/v2\/comments?post=4815"}],"version-history":[{"count":3,"href":"https:\/\/advisera.com\/27001academy\/wp-json\/wp\/v2\/posts\/4815\/revisions"}],"predecessor-version":[{"id":104275,"href":"https:\/\/advisera.com\/27001academy\/wp-json\/wp\/v2\/posts\/4815\/revisions\/104275"}],"wp:attachment":[{"href":"https:\/\/advisera.com\/27001academy\/wp-json\/wp\/v2\/media?parent=4815"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/advisera.com\/27001academy\/wp-json\/wp\/v2\/categories?post=4815"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/advisera.com\/27001academy\/wp-json\/wp\/v2\/tags?post=4815"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}