Skip to content

Best Practices for Creating a Business Impact Analysis (BIA)

Business Continuity and IT Disaster Recovery Blog

Best Practices for Creating a Business Impact Analysis (BIA)

In business, preparing for even the worst eventualities is important to sustaining performance. Business is never a straight line; there are always peaks and troughs. With that in mind, your business must be prepared for the best and worst-case scenarios. In the best case, how do you sustain growth at such high levels? In the worst case, how do you mitigate the risk as best you can?

Regarding the latter, forming a Business Impact Analysis (BIA) is critical. These analyses help your business to be prepared for when the worst situations occur. Not only does your BIA formulate a recovery plan, but it allows you to put in place barriers to shield you from the worst impacts.

Why Does Your Business Need An Business Impact Analysis?

A BIA will provide your business with critical information about:

  • The most important business processes in your chain: what do you need to be functional?
  • The likely disruptions that could take place and what impact they might have on performance
  • The steps that need to be taken to ensure you can recover from these impacts ASAP
  • The impact of timing: when are the ‘best’ and ‘worst’ times for such an incident?
  • What essential functions do you need to sustain the impact without shutting the business down?

BIAs are critical in ensuring your business is robust enough to sustain a worst-case scenario. They provide that your business can continue functioning – even at a reduced level – until things can be fully operational. Essentially, any worthwhile BIA helps you understand where you should be prioritising efforts in a major incident.

Creating An Effective Business Impact Analysis

  1. The first step in creating a worthwhile BIA plan is identifying your business’s most important functions. Some of your services/features might be extraneous to your main business operations. What, though, can you not open the doors of your business without?
  2. Next, determine the most important resources your business depends on. That could be a specific supplier, a staff member, an IT system, or a function such as the internet. Every business is different: what are your business’s main cogs of operation?
  3. You should also list priorities regarding the most important systems and processes for your business. Over time, you should analyse its impact on your business when – or all – of these functions are inhibited in any way, shape, or form.
  4. Determine who needs to be informed in the event of an incident that delays or stops your business from operating. Speak with your staff and determine who you need to be in contact with. Is it a supplier? A partner? Your colleagues?

Effective Best Practice In Crafting Your Business Impact Analysis

It would be best to consider implementing the following functions to create the most useful BIA. This will help to determine that your BIA is as robust and effective as possible:

Make IT A Foundation Of Any Business Impact Analysis

Even if your business is not IT-focused, you will likely still have key IT systems for data storage and communications. As such, you should ensure that your IT systems are prioritised from the beginning.

If your IT team is unaware of the priority issues that need to be addressed to get your business up and running, you could have some problems. IT can help to create a realistic measurement of the issues you face and what has to be addressed. So, ensure that your IT department is part of the analytical bedrock of your Business Impact Analysis development.

Ensure Executives Are Involved, Also

The best form of Business Impact Analysis will involve full buy-in from everyone, including the highest executive level. For example, if your company has a Chief Financial Officer (CFO), they should be involved in analysing the financial impact when services/functions are lost.

Your Human Resources (HR) department can also play a big role in ensuring you understand the impact on this side of your business during a disaster. Ensuring your business has senior buy-in from the most important decision-makers will ensure your BIA can work as effectively as possible.

Use Fact, Not Opinion

Many BIAs fall flat because they are built upon opinion instead of empirical data. Ask any department in your business how important they are, and they will answer very. So, do not rely upon the opinion of management staff in each department: let the facts, figures, and analysis of your business guide the way.

Every member of staff believes their functions are critical to business functionality. While it would be nice if that were true, it is often untrue. So, you should ensure that your ranking of service functionality is based on data instead of simply asking each staff member what they think.

There Is More To Business Than Finance

Yes, the reason for a company to exist is profitability – that is fair. However, the impacts discussed in any BIA have to go much further than simply financial results. Your company has to look at other critical factors, including your company’s reputation.

Ensure that your BIA considers the impact that loss of service/function would have on your staff, your company reputation, and the opinion of your business that your customers hold. Losing money is never good, but your business can recover in time. Are you losing the goodwill of your staff or your clientele? That is much harder to recover from.

Update And Modernise Your BIA

The last key factor when building a suitable BIA is ensuring it does not feel set in stone. As the world and your business evolve, so should your impact analysis preparation. New threats will arise, and new problems will come into contention. You should be sure that your BIA takes this into account.

If your BIA sits on a shelf for years and the problems occur, you might find you are ill-equipped to counter the problems. Make sure your BIA is updated whenever your company changes or upgrades in terms of staffing, locations, and services/functions.

Creating The Best Business Impact Analysis Is Critical

Using the above, you can hopefully see why your BIA is so important to the long-term health of your business. This plan will play a critical role in ensuring you can come out the other side comfortably – or with the least long-term impact.

If you are unsure how to implement proper Business Impact Analysis, we can provide your team with the required training. We offer courses and education on this subject matter. You can learn the best practices and how to implement them and ensure your business jolts into action as soon as an incident occurs. Look at our Business Impact Analysis training modules today and see how you can be better prepared in even the worst-case scenarios.



BRCCI – Business Resilience Certification Consortium International (

We are thankful to the author for allowing us to post this insightful article on our website. BRCCI provides a comprehensive training and certification program in business resiliency, continuity and IT disaster recovery planning:

1. 3-day CBRM (Certified Business Resilience Manager) is a comprehensive, all-in-one, 3-day Business Continuity Planning and Management Training and Certification course which is designed to teach practical methods to develop, test, and maintain a business continuity plan and establish a business continuity program.

2. 3-day CBRITP (Certified Business Resilience IT Professional) is a comprehensive training on how to assess, develop, test, and maintain an information technology (IT) Disaster Recovery Plan for recovering IT and telecommunications systems and infrastructure in the event of a disaster or business disruption. The training provides a step-by-step methodology to ensure a reliable and effective IT disaster recovery and continuity plan consistent with the industry’s standards and best practices.

3. 2-day CBRA (Certified Business Resilience Auditor) It provides 2 days of intensive, Business Continuity Audit training to enable students to determine the effectiveness, adequacy, quality and reliability of an organization’s Business Continuity Program. Students will learn an audit methodology to evaluate compliance of Business Continuity and IT Disaster Recovery Programs with the current industry’s best practices and standards including:

  • ISO 22301: Business Continuity Management Systems – Requirements
  • NFPA: Standard on Disaster/Emergency Management and Business Continuity Programs
  • ITIL: Information Technology Infrastructure Library

For information on the above program, please contact BRCCI (, 1-888-962-7224).

On Key

Related Posts

ICR Standard

ICR Standard Author: Dr. Akhtar Syed Download PDF Section 1.0 – Introduction The Integrated Continuous Resiliency (ICR) standard, developed by BRCCI (, is a comprehensive

What is ISO 22301 standard?

What is ISO 22301 standard? Author: Andrea Patricia Sanchez Dominguez Download PDF 1. Introduction The Standard ISO 22301 was proposed in 2012 as a new