The BIA is the task of understanding the potential impact resulting from disruption of business functions and processes.
Potential disruptions should be identified during a threat/risk assessment. A threat/risk assessment is the task to identify potential threats and analyze what could happen if a threat occurs.
A Business impact analysis (BIA) distinguishes between critical and non-critical processes in your organization.
Critical functions/processes are those whose disruption is regarded as unacceptable. Scenarios resulting in significant business interruption should be assessed in terms of financial impact, if possible. These costs need to be compared with the costs for possible recovery strategies. A function may also be considered critical if dictated by law. For each critical function/process two values are then assigned (in my example RPO for data):
Recovery Point Objective (RPO): the age of content (files/folders, e.g.) that must be recovered from backup for normal or near-normal operations to resume.
RPO may also refer to the maximum tolerable period in which data might be lost.
This usually refers to databases or lengthy documents. Is it tolerable to lose 2 hours or 3 hours of work, or maybe a whole day? How much can you afford to lose?
The recovery point objective must ensure that the maximum tolerable data loss for each activity is not exceeded.
The RPO for your business is elemental for determining the frequency of your backups.
Recovery Time Objective (RTO) – Agree upon what is acceptable downtime. How quickly you need to recover will determine the level of preparations that are necessary. The shorter the downtime the more
The BIA report prioritizes the order of functions/activities for restoration of the business. Those with the greatest operational and financial impact should be restored first.
: Casualties, Property damage, Business interruption, Loss of clients/customers, Financial loss, Environmental contamination, Loss of confidence in the organization, Fines and penalties, lawsuits.