The purpose of a Business Impact Assessment (BIA) is to produce a document that outlines the resources that are critical to the continued sustainability of the organization, existing vulnerabilities that could compromise those resources, probability that those threats will occur and sustained impact on the organization. Adverse effects could be financial or operational. A vulnerability assessment is a vital element of the BIA process, and has three primary objectives:
- Criticality Prioritization – involves the specification and execution of critical business unit processes and assessment adverse effects from unforeseen disruption to these processes.
- Downtime Estimation – assists in evaluating Maximum Tolerable Downtime (MTD) that the organization can afford and still remain viable. Often the discovery is that MTD is much shorter than expected; and the organization can only tolerate a very brief period of interruption than was speculated.
- Resource Requirements – involves pinpointing the resource requirements for the critical processes. Here the most time-sensitive processes should receive the most resource support.
Priority and Risk Identification
The first BIA task is recognizing those business priorities that are most vital to daily operations of the organization. This entails producing a detailed list of business processes and ranking them in order of importance. One approach is to split up the task among team members where each person drafts the list that identifies important functions within their department. Each list can be merged into a master prioritized list for the entire organization. Priority identification is a qualitative method that helps establish business priorities.
Another step would be for the BCP team to draft a list of organization assets and then attach an asset value (AV) in monetary terms to each. These figures will be used in the final BIA steps to create a financially based BIA. The BPC team should also establish the maximum tolerable downtime (MTD) for each business function.
The next phase of the Business Impact Assessment is risk outlining, the outlining of both the natural risks and man-made risks the organization is vulnerable to.
- Natural risks include: hurricanes, tornadoes; earthquakes; mudslides and avalanches; and volcanic eruptions.
- Man-made risks include: terrorist acts, wars, and civil anarchy; theft and vandalism; fires and explosions; power outages; building collapses; transportation failures; and labor unrest.
The Likelihood Assessment
The next phase of the Business Impact Assessment is the likelihood assessment: identifying the probability of each risk occurring. The assessment formulation is based on an annualized rate of occurrence (ARO) that indicates the number of occasions the organization expects to experience a disaster each year. There should be an ARO applied to each known risk. These calculations should be estimated according to corporate history, experience, and advice from experts, such as meteorologists, seismologists, fire prevention professionals, and other consultants.
The Impact Assessment
In the impact assessment, the BPC team should carefully study the data gathered during risk identification and likelihood assessment then try to evaluate the repercussions each of the identified risks would have upon the viability of the organization if it were to occur. There are three metrics the BPC team would need to examine:
- The exposure factor (EF) – the cumulative damage a risk poses to the asset, expressed as a percentage of the asset’s value.
- The single loss expectancy (SLE) – assessment of monetary loss incurred each time the risk materializes.
- The annualized loss expectancy (ALE) – the monetary loss that the business expects to see as a result of the risk impacting the asset over the course of a year.
The BPC team should also factor in the non-monetary consequences an interruption would have on the organization. This could include loss of goodwill among the organization’s client base, loss of employees after prolonged downtime, the social and ethical responsibilities to the community, and negative publicity.