III.A Business Impact Analysis
Management should develop a BIA that identifies all business functions and prioritizes them in order of criticality, analyzes related interdependencies among business processes and systems, and assesses a disruption’s impact through established metrics. The BIA should define recovery priorities and resource dependencies for critical processes.
Examiners should review the following as part of the BIA process:
- Identification of critical business functions.
- Identification of interdependencies across business units.
- Identification and analysis of disruptive events.
- Reasonableness of recovery objectives.
- Communication of BIA results throughout the entity.
- Comprehensiveness of management’s BIA review.
A BIA is the process of identifying the potential impact of disruptive events to an entity’s functions and processes. A BIA allows management to identify and analyze gaps in critical processes that would prevent the entity from meeting its business requirements. The BIA generally lists recovery priorities and resources on which critical processes depend (e.g., work flow analysisThe work flow analysis can assist in documenting interdependencies among critical operations, departments, personnel, and services.). Through the BIA process, management should identify interdependencies among critical operations, departments, personnel, services, and the functions with the greatest exposure to interruption. Management should identify resources on which these functions and processes depend and exposures that would warrant further protective measures. Furthermore, the BIA should include financial and other resource costs (e.g., the loss of business, and exposure to legal and regulatory consequences) needed to recover and restore business functions and processes.
The time and resources to complete the BIA depends on the entity’s size and complexity. Complex entities may have multiple BIAs for various business lines, subsidiaries, or other organizational separations. Information from the ERM, such as business processes and risk appetites, may facilitate the BIA development.
III Risk Management
III.A.1 Identification of Critical Business Functions