This post was originally published on September 13, 2019, and updated most recently on April 20, 2021.
All businesses face disruption, whether that’s something minor, like an employee phoning in sick — or something major, like a cyberattack, natural disaster, or labor dispute. The key to minimizing impact is to plan ahead: A response formulated in the middle of a situation is likely to be far less effective than one carefully planned during calmer times.
No business is immune to risk, and crafting an all-encompassing, effective risk management strategy is all part of conducting your due diligence as a manager. It not only shows you’re prepared, but it also gives management more confidence in your responses should something go wrong.
Risk management is a broad-reaching term, but generally, it encompasses the following areas:
- Business impact analysis (which includes risk assessment, a mitigation plan, and recovery strategy)
- A contingency plan
- A crisis strategy
Today, we’re going to look at the business impact analysis — or BIA for short.
What is a business impact analysis?
A business impact analysis (BIA) is a way to predict how much disruption an event will have on a business. First, the organization maps out loss scenarios as part of a risk assessment strategy. Then it uses this information to develop mitigation and recovery plans.
A loss scenario is essentially any conceivable event that could potentially have a negative impact on the business.
A mitigation plan is geared toward stopping scenarios before they happen. And a recovery plan is all about dealing with issues and disasters when they do happen.
What kinds of things does a BIA cover?
Because problems can take many forms and every business is different, there’s no exhaustive list. This is part of what makes conducting a business impact analysis so challenging: Surprises and unforeseen events do and will happen. There are, however, common issues that often arise as a result of an event – so, at the very least, these should be on your radar:
- Delays in service
- Lost or delayed sales and income
- Increased expenses (including labor and outsourcing)
- Customer dissatisfaction or loss
- Regulatory fines
- Loss of bonuses
- Employee dissatisfaction
Timing is another factor to take into account when assessing your businesses’ risks as part of your BIA. For example, a disruptive event such as a delayed delivery or a website failure will have a much bigger impact during busy periods than if it’d happened during a slower period.
How to conduct a business impact analysis
Before you get started, it’s important to understand two key facts. One: that every part of the business is interlinked and is dependent on the continued functioning of other parts of the business. And two: that some departments have greater priority than others and may require more resources if a disruption does occur.
1. Get approval
Before you invest time and resources into formulating your BIA, you first need to get buy-in from management. Spend a little time up-front mapping out your project’s goals and scope, as well as your estimated budget and team requirements, then put all of this information into a project proposal.
2. Draft your plan
Next, you need to start formulating your analysis. No one person can fully understand all risks and impacts associated with a business, no matter how long they’ve worked there or how senior they are. So first, you need to start collecting information.
There are a number of ways to do this and, to receive the fullest response, you should try a variety of ways. Team brainstorming sessions, one-on-one interviews, online surveys, emails, and direct messaging via a team chat app are all good options. Give people the opportunity to respond in a way that’s most comfortable to them.
Remember to keep your questions focused on the effects of disruption to the business, and be prepared to delve a little deeper to get the fullest answers possible. Everyone’s specific requirements will be different, but a few key things you should find out include:
- The name of the process they’re involved in
- A description of where and when this process is performed
- Resources and tools they use or need
- The users or recipients of this process
- The financial and operational impacts
- Any regulatory, legal, or compliance impacts
It’s also important to cast the net as widely as possible so you cover all areas of the business. This includes interviewing everyone from the CEO, stakeholders, and delivery drivers, right through to the intern. You really can’t be too thorough here.
3. Assess your findings
Next, it’s time to review all your findings and pull everything together into a cohesive report. How you do this is dependent on preference and budget. Some people like to employ the help of an external analyst. Others prefer to use an automated system on a computer, while others like to roll up their sleeves and do it manually. Reliability and practicality should guide your choice.
If you are doing this stage manually, you’ll need to organize your data. First, put your business functions in a list and sort them according to priority. Then work out what resources and budget you’ll need to keep everything operating in the event of an incident, as well as a timeframe for resuming normal service.
4. Create the report
There’s no set way to create the BIA report, but you should at a minimum include the following sections:
- The summary including the scope and key objectives
- Methodologies and approaches including how information was gathered, how you analyzed it, and any assumptions you made
- Summary of findings including which business units are most critical, their dependencies, recovery timeframes, costs, and tolerable levels of losses
- Additional information such as other useful business-related tidbits discovered during the interviews
- Action plan, i.e, your proposed routes for recovery, including timeframes
- Supporting documents including names of participants
Once your report has been approved, make sure it’s signed by management. If they aren’t prepared to sign it, then work with them to get partial approval for the most critical areas. That means that in the event of a problem, your business should still be able to continue functioning.
Once approved (or partially approved), share the final version with all relevant parties and properly communicate it throughout the organization, so it can be swiftly implemented in the event of an emergency.
5. Revisit the plan
Businesses, markets, employees, technology, and resources change. Be sure to visit your plan periodically to ensure it’s fully up to date. You should also use this opportunity to check for any new threats or opportunities and fine-tune your mitigation and recovery strategies. You don’t need to start from scratch, think of it more as a health check.
Conducting a business impact analysis is an integral part of showing due diligence as a manager. Investing the up-front time may feel like a luxury, but in the event of an emergency, it will provide the framework to help keep your business running. And if you don’t need it? Then you’ll still look like an experienced manager who knows how to plan ahead.
Using the right tools can help your BIA run smoothly. Taking advantage of cloud-based project management software means you can create your strategy and house it right alongside your projects. Wikis are an excellent and easily accessible place everyone can access — no matter where they’re working from. And, in the event that you need to spring into action with a plan B, you’ll be able to track changes and monitor progress in real-time.