No Idea

BUSINESS IMPACT ANALYSIS
Business Continuity Coordinators:
This document is intended to be used to conduct the Business Impact Analysis (BIA) for your agency. It is recommended that
you start by meeting in person with staff who will be asked to answer the BIA questions. In that meeting, you should describe
the purpose of business continuity planning, and explain that conducting a BIA is a key first step in developing a business
continuity plan. Provide staff with a hard copy of this document (minus these first two pages), and use this document during
the meeting to describe the different elements of a BIA. Discuss each page, and explain that the staff of different
divisions/sections need to answer these questions, because they will be the only people with the knowledge of the detail of
their own programs.
This packet of information includes a three-page introduction to share with staff, as well as the necessary BIA forms. The
introduction includes an overall description of a BIA, as well as a brief summary of the different BIA elements. This summary
section is copied from the “Model BCP Process” document. The forms that follow include the questions that need to be
answered to provide you, as the BCP Coordinator, with the detail needed to complete your agency’s business continuity plan.
At the end of the meeting, provide a deadline for staff to fill out these forms. In choosing a deadline, remember that it will
probably take considerable time for staff to answer all of the questions, given the substantial detail required, and competing
workload issues. Let staff know that you will be checking in periodically to see how they are progressing.
Following the initial meeting, send the participants this same information by e-mail, so that they can fill out the forms
electronically, if they choose and again remind them of the assigned deadline. Then, on a periodic basis, send the
participants e-mails asking about their progress in filling out the forms. Work with your BCP Sponsor to ensure that
management also sends occasional e-mails that stress the importance of this process, and encourage staff to complete the
BIA as quickly as possible.
It will likely take many e-mails, as well as phone calls, to remind staff of the deadline and prompt them to complete this work.
Be as kind as possible, while still being firm about the need to complete this work. Staff have had this responsibility added to
their existing workload, and will likely need considerable time to answer the BIA questions.
Once you have collected these forms from all participants, follow the steps described in the “Model BCP Process” to continue
the work necessary to complete your agency’s business continuity plan.
1
BIA Participants
Date of Interview:
Business Unit:
Division:
Division Location:
Address and Floor
Unit Manager:
Phone and Email Address:
Interviewee/Title:
Interviewee/Title:
Phone and Email Address
Interviewee/Title:
Interviewee/Title:
2
BUSINESS IMPACT ANALYSIS
Purpose:
Completing a “Business Impact Analysis” (BIA) is a key step in developing a “Business Continuity Plan” (BCP) for your agency.
The BIA will identify critical business functions and describe what would be necessary to recover these functions, in the event of a
disaster or disruption in service. Gathering this information will help your agency develop a BCP and will allow for the
prioritization of available equipment and resources, were an event to occur. You are being asked to answer these BIA questions
for your section because of your knowledge of your section and its processes and resources.
The objectives of the BIA are as follows:

 To identify business processes and prioritize them according to criticality.
 To identify the Recovery Time Objective (RTO) associated with each critical business process.
 To identify the Recovery Point Objective (RPO) associated with each critical business process.
 To identify the key computer systems, equipment, and applications associated with each critical business process.
 To identify the quantitative and qualitative impacts that will be incurred should a disruption occur.
 To identify critical interdependencies associated with the business unit and its processes.
For the purpose of answering the BIA questions, assume the following:
 Worst-case scenario is defined as a total outage for an extended period of time during peak processing.
 No current disaster recovery capability exists; pretend you are working with a “blank slate” as you answer questions.
 Don’t focus on immediately restoring ALL services; instead, you are trying quickly to restore enough function to provide basic
essential services.
The completed BIA will provide each section with the following information:
 Ranking of critical and non-critical business processes.
 Assignment of RTOs and RPOs for each business process.
 Document listings of key vendors, systems, and vital records.
 Estimates of the qualitative and quantitative impact impacts of an event, based upon duration of unplanned disruption. (e.g.
24 hours, 48 hours, 5 days, etc.)
 An overview of what would be necessary to recovery the functions of the section or program.
3
Summary of Business Impact Analysis Questions:
The following chart is from the “Model BCP Process” provided by the Enterprise BCP program. This is an overview of the
information that needs to be collected as part of the BIA process. The rest of this document provides the forms for recording the
detailed BIA information.
Step Description
 List the key processes which are necessary to continue the identified critical business function.
 Describe each process in a single phrase, if possible.
Key Processes  Prioritize these processes – note those that are the most important.
 Note that these processes can include internal operations as well as operations within other agencies,
outside vendors, etc.
 What is the average work volume (e.g., number of businesses registered, number of audits completed,
number of timesheets entered, etc.) processed by this program?
Volume of Work
 Does the program have a peak volume or other critical timeframes? (e.g., elections are held in
November, payments are processed at the end of the month, etc.)
 Identify the RTO for each key process.

o RTO is defined as how quickly the process must be restored following a disaster; this is an
Recovery Time
estimate of how long the process can be unavailable.
Objectives (RTO)
 List the RTO by hours, days or weeks, as appropriate – decide how long the process could be “down”
before you would have a serious problem functioning.
 Where does this critical function occur? Provide address and directions if necessary.
Facilities  List applicable job titles and contact numbers of staff responsible for this facility.
 List any other facilities necessary for this function.
 Who is the key staff position responsible for this function? Provide the job title and contact information.
 List the approximate number of staff involved in this business function. List applicable job titles and
Staff contact numbers.
 What are the program’s normal work hours?
 Provide a description of the function or type of work key person/ persons perform.
4
Step Description
 What services from within your agency or an external organization do you need in order to restore this
Key
function?
Dependencies
 In order to provide this service, what other resources or information have to be provided?
Manual “Work  Can this function be performed manually, if necessary?

Around”  If yes, how can this be done and for how long?
Computer
 What computer systems/applications are required to perform this process?
Systems
 Describe the vital record(s) required and the location where these records can be found. Provide
Vital Records address and directions, if necessary.
 Include all types of records – electronic, paper, microfilm, etc.
 Describe the pieces of equipment or supplies required. If a purchase is required, method of payment
Equipment and should be specified.
Office Supplies  Describe the location where these items can be found or acquired. Provide address and directions if
necessary.
 List the agency’s key suppliers which may need to be contacted in the event of an emergency.
 List the key goods or services provided by these vendors.
Suppliers/Vendors
 List the usual contact information for these vendors, as well as emergency contact information.
 If possible, list the name and contact information for alternate suppliers/vendors.
 Where applicable, relate work volume to dollars or revenue. (Revenue going out, revenue retrieved
Budget from registration fees, etc.)
Considerations  If you had to store data files, hard copy documents, or supplies off-site, do you know the costs of
various off-site options?
5
1. Business Unit Overview
Provide a brief description of your

unit/division’s functions.
What are the unit’s normal work

hours? How many personnel
currently work in the department?
What is the average work volume

(e.g. number of business
registered, number of audits
completed, number of timesheets
entered, etc.) processed by the
unit?
Where applicable, relate work
volume mentioned above to dollars
or revenue. (Revenue going out,
revenue retrieved from registration
fees, etc.)
Does the unit have a peak volume
or other critical time frames? If yes,
when are these periods? (e.g.
Elections happen in November,
payments processed at the end of
the month, etc.)
6
2. Key Business Processes
Identify and describe the key business processes of the unit/division. For each process, identify its Recovery Time
Objective (RTO). RTO is defined as how quickly the process must be restored following a disaster. The Recovery Time
Objective is an estimate of how long the process can be unavailable. Also identify a Recovery Point Objective (RPO) for
each process. RPO is the determination of how much data loss, in terms of time, is tolerable before a process is significantly
impacted. If the process can be performed manually, please use Attachment A to explain. Use multiple pages if needed.
Can this be
Recovery Recovery
performed Computer Systems/Applications
Key Business Process Time Point
manually? For required to perform this process
Objective* Objective**
how long? ***
* Recovery Time Objective in terms of hours, days, or weeks

** Recovery Point Objective in terms of hours, days, or weeks
*** If process can be performed manually, list manual processes in Attachment A
7
Can this be
Recovery Recovery
performed Computer Systems/Applications
Key Business Process Time Point
manually? For required to perform this process
Objective* Objective**
how long? ***
8
3. Quantitative & Qualitative Impact Estimates
For each process listed in “Section 2 - Key Business Processes,” enter the process name on the next page and complete one
page per item. First, quantify the estimated dollar loss incurred as a result of a disruption of the business process listed.
Second, identify the intangible business interruption impacts incurred as a result of a disruption of the business process. Use
the scoring numbers (0-4) provided in the legend below.
For the purposes of this questionnaire, assume it is midway through the budget cycle (June). If the quantitative or
qualitative impact will vary at different points in the biennium cycle, please use the “Comments” section to explain how and
why the impact will change, as well as what will trigger the change.
Examples:
 If a server system had to be replaced at the beginning of the biennium, it would have a lower impact than if it had to be
replaced near the end of the biennium when funds are lower.
 A disruption to business processes in the Elections division would have catastrophic qualitative impacts on Election
Day in November, but no to low impact most of the time.
QUANTITATIVE IMPACT ESTIMATES

Scoring Low Range High Range Impact to Business or Operations
0 0 < $500,000 No to Low
1 $500,000 But < $1,000,000 Low to Moderate
2 $1,000,000 But < $3,000,000 Moderate
3 $3,000,000 But < $6,000,000 Moderate to High
4 $6,000,000 And greater High to Catastrophic
QUALITATIVE IMPACT ESTIMATES

Scoring Impact to Business or Operations
0 No to Low
1 Low to Moderate
2 Moderate
3 Moderate to High
4 High to Catastrophic
9
BUSINESS PROCESS NAME: ____________________________________________________
$ Impact
$ Impact $ Impact $ Impact $ Impact
Category of Quantitative Loss 3 weeks to 1
0 to 1 week 1 to 2 weeks 2 to 3 weeks 1 month +
month
Loss of Current Business
Loss of Future Business
Increase in Operating Costs
Increase in Interest Income Loss
Non-Performance Penalties
Delay in Billing or Payments
Cash Flow Impact to Agency
Potential Liability Cost
Loss of Productivity
Impact
Impact Impact Impact Impact
Category of Qualitative Loss 3 weeks to 1
month
Degraded Customer Service
Degraded Public Confidence or Image
Noncompliance with Government Regulations
Noncompliance with Contracts and SLA’s
Degraded Quality of Work
Loss of Stakeholder confidence
Delay Delivery of Internal Products/Services
Delay Delivery of External Products/Services
Comments:
10
$ Impact
month
Impact
month
Comments:
11
$ Impact
month
Impact
month
Comments:
12
$ Impact
month
Impact
month
Comments:
13
$ Impact
month
Impact
month
Comments:
14
$ Impact
month
Impact
month
Comments:
15
4. Identification of Regulatory, Legal, or Service Level Requirements
Briefly describe any regulatory, legal, or customer service level requirements (e.g. ORS, OAR, Accreditation, State Licensing,
etc.) associated with the business processes identified in “Section 2 - Business Processes” that would be impacted if a
disruption interrupted business unit operations.
Regulatory Requirement, Legal, Service Level

Key Business Process Impacted
Expectation, etc.
16
5. Business unit Inter-dependencies (work received and work sent)
List any internal business units, in-house central computer systems, data processing service bureaus, or other external
entities from which your department receives work and/or sends work to in performing its key business processes. Use
multiple pages if needed. If a workflow has been documented for a business process, attach as Attachment B.
Business Process WORK INPUTS RECEIVED FROM WORK OUTPUT SENT TO

Receiving and Sending the Type of Work/Data Business Unit, Computer Type of Work/Data Sent, Business Unit, Computer
Work Received, Frequency System, or Organization Frequency Sent System, or Organization to
Received from which the Work is which the Work is Sent
Received
Example: What goes into it? Who do you get it from? What do you do with it? Who does it go to?
“The Process” How often? How often?
Process contract Request for services, SOS staff Bid requests, final Service providers,
requests varies contracts, varies contractors
17
6. Identification of Vital Records
A vital record is any information required to support key business processes in daily operations. Vital records are essential to
the operation and recovery of a business unit, division, or business location. Vital records can be in many forms, i.e. tapes,
CD-Rom disks, microfilm/fiche, hardcopy, reports, reference materials, etc. Use multiple pages if needed.
Type of Media
E = Electronic Location of the Vital Record
Key Business Process Name Vital Records Required P = Paper (e.g. 10th floor file room, system
M = Microfilm/Microfiche name, off-site storage, etc.)
O = Other
18
7. Potential Changes Anticipated Over the next 12 months
What anticipated changes could affect business impacts
identified above? When answering, consider the following:
 New federal, state regulations
 Re-organizations
 Computer Systems, Networks, etc.
 Changes to distribution network
 New business partnerships
How would financial and operations business impacts

change under any of the above conditions? Consider:
 Budgets
 Lost Revenue
 Employee morale
 Stakeholder confidence
8. Other BIA Related Discussion Issues

(e.g. data backup, dependence on key staff, new applications, etc.)
19
ATTACHMENT A – Manual Processes
Key Business Process Identify Manual Process Used in Event of Disruption (include forms and locations)
20
ATTACHMENT B – Business Process Workflows
21
ATTACHMENT C – Vendor Contact Information
Vendor Name Contact Information Usage
22

No Idea

Uploaded by

Copyright:

Available Formats

No Idea

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

No Idea

Uploaded by

Copyright:

Available Formats

BUSINESS IMPACT ANALYSIS

Business Continuity Coordinators:

Phone and Email Address:

Phone and Email Address:

Phone and Email Address

Phone and Email Address:

Phone and Email Address:

The objectives of the BIA are as follows:

 Identify the RTO for each key process.

Manual “Work  Can this function be performed manually, if necessary?

Provide a brief description of your

What are the unit’s normal work

What is the average work volume

* Recovery Time Objective in terms of hours, days, or weeks

QUANTITATIVE IMPACT ESTIMATES

QUALITATIVE IMPACT ESTIMATES

Regulatory Requirement, Legal, Service Level

Business Process WORK INPUTS RECEIVED FROM WORK OUTPUT SENT TO

How would financial and operations business impacts

8. Other BIA Related Discussion Issues

Vendor Name Contact Information Usage

You might also like