What would happen if your business were unable to operate due to a fire, a cyber-attack, severe weather, or a contagious illness incapacitating 75% of your employees? That's an impossible question to answer accurately without knowing how long the business would be unable to operate, but it best explains the purpose of a business impact analysis - to understand the potential consequences of a negative event.
Once you understand the potential consequences of a negative event, measures can be taken to mitigate the consequences. For example, you could install a sprinkler system to mitigate the consequences of a fire, or back up data and applications off-site to mitigate the consequences of a cyber-attack. The choice of threat-mitigation efforts will likely depend on the extent of the consequences and how cost-effectively the threats can be mitigated.
A Business Impact Analysis is the Backbone of Disaster Recovery Planning
A business impact analysis should not only be a risk assessment identifying the threats to your business and how you can mitigate them. It should also be the backbone of disaster recovery planning inasmuch as, once you understand the potential consequences of a negative event, you can plan how to recover from them. In this respect, business impact analyses are the foundation for business continuity planning and business impact reports should be prepared with this in mind.
If tackled in a comprehensive manner, a business impact analysis is very much like a SWOT analysis to determine your business's strengths, weaknesses, opportunities, and threats. It may reveal some serious weaknesses in corporate emergency preparedness, but it might also uncover some opportunities to help the business improve. Therefore, there are potential benefits to conducting a business impact analysis in addition to mitigating threats, expediting recovery, and enabling business continuity.
The Seven Stages of Preparing a Business Impact Report
No two businesses are identical, so it would be impractical to describe the business impact analysis process for Business A, because it would likely be irrelevant to Businesses B and C. Instead, it is more helpful to list the seven stages of preparing a business impact report as recommended by the Business Continuity Institute, and to demonstrate where the analysis fits in the business continuity and disaster recovery planning process.
- Identify key business processes and functions.
- Establish requirements for business recovery.
- Determine resource interdependencies.
- Determine impact on operations.
- Develop priorities and classification of business processes and functions.
- Develop recovery time requirements.
- Determine financial, operational, and legal impact of disruption.
The important item to note in the above diagram is the arrow heading back from Business Continuity and Disaster Plan Maintenance to Risk Assessment. Because a business impact analysis is the backbone of disaster recovery planning, it needs to be an ongoing process. Events that could influence emergency preparedness - such as staff joining/leaving - occur almost daily, and elements of the analysis and disaster recovery plan may have to be updated continuously.
Why You Should Pay Special Attention to Regulatory Compliance
Most businesses are subject to legal requirements relating to how data is secured against unauthorized disclosure, and the failure to comply with industry regulations can result in substantial fines - sometimes even without a data breach occurring. However, according to a 2017 report by Discovery Recovery Journal (PDF), more than a third of declared business disasters are attributable to IT failures - which usually result in IT processes being moved to manual systems.
During these times, data is at greater risk from unauthorized disclosure due to a lack of technical safeguards. Therefore, any business operation that includes the collection, processing, or storage of personally identifiable information (PII) should be given the highest priority. The attention paid to maintaining the integrity of PII during a disaster may also have benefits to regulatory compliance in non-emergency situations - one of the potential opportunities mentioned above to help a business improve.
Also Give Consideration to Internal Communication during an Emergency
A second potential opportunity to help a business improve can be found in how it conducts its internal communications - both in emergency and non-emergency situations. Often, emergency notification systems are put in place for when a disaster occurs (e.g., a fire alarm or PA system). But if these systems are not regularly used in non-emergency situations, employees may not be familiar with how to use them - or how to respond to emergency notifications - when a disaster happens.
Implementing a multimodal emergency notification system with two-way communication capabilities - and using it in non-emergency situations - not only familiarizes employees with its use and how to respond to notifications, it also helps improve internal communications. Businesses can use such a system to share corporate news, promote social activities, and announce job vacancies. The system can also be used to enhance collaboration between individuals, groups, and departments.