Business Impact Analysis and Risk Assessment Can Help You Prepare

By Tracy L. Hall


Recovering from a business interruption requires planning ahead to keep focus during the aftermath of an outage. Companies can prepare for the possibility of adverse events that interrupt their operations by developing a business impact analysis (BIA) and conducting a risk assessment (RA).


Developing a business impact analysis

Documenting the recovery effort in advance can save crucial time during the critical hours of potentially losing business following an event. Undergoing a BIA involves taking an inventory of current business functions, prioritizing them and then determining what is needed to keep them going in the event of a business interruption.

The first step to conducting a BIA is to list all business functions and determine how important they are to normal daily operations. Next, it is important to figure out how long a company can wait after a business interruption before getting these crucial processes up and running again. This involves documenting what impact the company would experience during the time these functions were not recovered. Would the company suffer significant financial consequences? Would there be regulatory fines imposed? What reputational risk would the company endure if they were not able to operate under “business as usual” circumstances? The processes that would incur the most impact if not recovered would be prioritized as the first to be recovered after a business interruption.

Performing a BIA also documents the critical resources that support these processes, including people, systems, forms, supplies and equipment.

Companies that want to conduct this process effectively might consider utilizing a BIA questionnaire. Running through the questions contained in a BIA questionnaire allows a firm to investigate how it could be affected by a major event. This questionnaire is answered most thoroughly when a company meets with people who have insight into the key operations of the firm.


Conducting a risk assessment

Before a BCP is created, a firm must conduct a risk assessment in order to identify the areas of exposure and all possible threats that could potentially cause a business interruption.

Types of threats that should be considered include natural, manmade, technological, loss of utilities, and pandemic in nature. Threats should be analyzed to determine the likelihood of their occurrence and the level of impact to the organization if they were to occur. Consideration should also be given to what mitigation steps have been taken to lessen the likelihood of occurrence and/or impact.

Threats that result in high risk ratings should be reviewed with management to determine the need for additional mitigation strategies to lessen the possibility of the threat causing a business outage.


Business continuity plan

Companies that want to be well-prepared in the event that their operations run into significant challenges will benefit from having a formalized business continuity plan (BCP) in place.

A BCP contains a detailed outline of the processes that a company should implement following an outage, including:

  • How to respond to specific situations
  • The best way to assess damages
  • Deciding whether to declare an emergency
  • Communicating internally and externally during and following an event
  • How to recover business operations in an efficient, prioritized fashion
  • How to restore to business as usual

The BIA and RA act as the foundation of the BCP. The RA will help identify what types of scenarios a company should consider while documenting response strategies. Threats that have the highest risk ratings are most likely to cause a business interruption. The BIA will help with documenting recovery procedures for the most critical of processes and the resources that support them. It allows the company to properly document a prioritized recovery.

The Federal Emergency Management Agency (FEMA) has provided best practices, available on its website, on the steps that should be taken once a BCP has been developed. The organization has advised that companies distribute the plan’s information to members of management, and also compose a business continuity team among the staff.

It has also been recommended by FEMA that institutions hold several copies of the plan in an emergency operations center to ensure that their staff has access to all the information they need to execute the plan if an emergency arises.


Common operational challenges

There are a wide range of financial and operational issues that can occur as a result of a business interruption. Expenses could skyrocket – or alternatively, both sales and revenue could come to a halt.

While these are the types of challenges that will show up on a balance sheet, numerous other problems can happen in the event that a natural disaster or other business interruption occurs. For example, the customer base of an institution could easily be damaged if the company fails to deliver on its contractual obligations. The reputation of a firm could also suffer in the event that the organization is not adequately prepared to respond to a business interruption. While the impact of this particular exposure may not be immediate, it can be substantial over time. Completing a BIA, RA and a BCP in advance will help identify areas of exposure and potential challenges, saving money and time during the recovery process in the event that a business interruption occurs.


Tracy L. Hall, MBCP, is IT assurance manager with Wolf & Co. For more information, email or call (413) 726-6884.