
What is a Business Impact Analysis (BIA) and how does it work?

10 min read
Jan 14, 2025

Is your financial institution prepared to weather the storms ahead with a business impact analysis (BIA)?  

We’ve all heard the phrase, “Hope for the best and prepare for the worst.” For financial institutions, preparing for the worst isn’t just good advice; it’s essential to the safety and security of the organization, its employees, its investments, and its customers.  

Conducting a business impact analysis is the first step to preparing for business interruptions and disruptions by identifying how they could impact your financial institution. 


What is business impact analysis?

A BIA, which is also referred to as a business impact assessment, evaluates and analyzes the potential effects of an interruption in business operations. An interruption can result from an internal or external disaster, accident, or emergency.  

Financial institutions must be prepared for business interruptions – everything from power outages and cybersecurity incidents to natural disasters and in-person threats, such as a gunman in the branch location or nearby. A BIA proactively analyzes the risks associated with these internal and external events so that your institution can prepare ahead of time and have the information it needs to respond promptly and thoroughly.  

Why is a business impact analysis important?

A BIA establishes and analyzes risks that could impact an institution’s operations and functions. It then leverages the information to strengthen the FI’s larger risk management strategy. Some of the ways a BIA can be helpful include:  

  • Ensuring effective business continuity management. Business continuity management (BCM) evolved from the term “business continuity planning” (BCP) and is the process of maintaining resilient operations across an entire enterprise. In the BCM lifecycle, BIAs identify critical functions (high-level operations or capabilities essential to the organization’s objectives), analyze interdependencies, and assess organizational impacts. 
  • Enhancing decision-making. Once a BIA has been conducted, the results can inform strategic planning and resource allocation across the institution. When you know where risk is greatest, you can make better decisions about deploying limited resources.  
  • Complying with regulatory requirements. It’s not enough for FIs to consider the implications of interruptions on their operations. They also must adhere to evolving regulatory guidance on how to prepare for interruptions. By analyzing an institution’s current vulnerabilities and risk mitigation strategies and aligning them with regulatory expectations, BIAs can help institutions stay compliant.  

Business impact analysis vs. risk assessment 

While BIAs and risk assessments can work together, they serve different purposes.  

A risk assessment provides an understanding of threats and opportunities in a specific risk area, such as operational or credit risk, and the controls in place to mitigate their impact. It asks questions such as: 

  • What are the potential risks we face? 
  • How likely are these risks?  
  • How severe could their impact be?  

Put simply, risk assessments are tools to help FIs quantify risk and ensure their risk exposure is aligned with strategic objectives and risk tolerances. 

Related: Risk Management 101: Risk Assessments for Financial Institutions 

While a risk assessment analyzes a specific risk area, a BIA takes the evaluation a step further by measuring the potential outcome and how it would impact business operations and finances. It asks questions like: 

  • What functions are critical to our business? 
  • How long can they be down without causing severe damage? 
  • What are the consequences if these functions are disrupted? 

Once your institution understands the impact of disruptions, it can define recovery requirements for critical functions, such as Maximum Tolerable Downtime (MTD), Recovery Time Objectives (RTOs), Recovery Point Objectives (RPOs), and impact of loss, guiding the development of business continuity and disaster recovery plans. 

Related: Key Resilience and Business Continuity Indicator | Ncontracts 

Business impact analysis vs disaster recovery plan

While BIAs and disaster recovery (DR) plans are both tools for fostering organizational resilience, they play different roles. A DR plan is a comprehensive roadmap that outlines how a financial institution will regain critical systems which support critical functions and resume normal operations following an unforeseen incident. It answers the questions: 

  • How do we restore our IT systems and data after a disaster?  
  • What steps, resources, and personnel are needed for a swift recovery? 

An FI’s disaster recovery plan should address a wide range of potentially adverse events, including security controls and protocols, procedures for restoring backlogged activity or lost transactions, and instructions to access critical information and other resources “when primary systems are unavailable,” according to the Federal Financial Institutions Examination Council (FFIEC) IT Examination Handbook. This comprehensive approach ensures that FIs are secure and prepared for any eventuality. 

Within a DR plan, the BIA can identify costs linked to failures, such as loss of cash flow, replacement of equipment, salaries paid for employees to catch up on work, loss of profits, and more. Once this is established, the BIA suggests the funding that should be allocated. 

A business impact analysis is not a substitute for a disaster recovery (DR) plan. Still, a BIA can serve as a vital starting point for a DR plan. For instance, critical business process owners and leadership should identify essential systems that support critical business processes. Furthermore, critical business process owners and leadership should define recovery requirements such as maximum tolerable downtime (MTD), recovery time objectives (RTOs), recovery point objectives (RPOs), and the resources and materials needed for business continuance. This process is vital for information technology professionals as they develop recovery and resiliency solutions based upon these recovery objectives. 

Related: Business Continuity Planning vs. Disaster Recovery: Understanding the Difference 

BIA as a part of continuity management

In 2019, the Federal Financial Institutions Examination Council (FFIEC) updated its Business Continuity Management booklet to emphasize the role of business continuity in the risk management lifecycle, not just in post-event recovery operations. The update also emphasized the importance of conducting a BIA. 

BCP has a broad scope, looking at the enterprise as a whole and what it must do to maintain resilient operations. The BIA analyzes the critical systems, business functions, and services (and the elements that support them) to determine the potential impact of a business interruption. 

The BIA is one of the initial steps in the BCP lifecycle once management aligns the BCM goals.  

Business Continuity Management Lifecycle

Related: Business Resiliency: Your Guide to Business Continuity Management 

How to conduct a business impact analysis

You may be wondering: How does BIA work, and how can I conduct a business impact analysis for my organization?  

Below is a business impact analysis sample that outlines what your organization should review when conducting a business impact analysis. Leveraging best practices and guidance from the FFIEC, here are some recommended steps your financial institution can take when conducting a BIA across your organization. 

Determine subject matter experts and decision-makers

Who are the “go-to” people within your organization? Who knows the critical business process best? Who can be held accountable for making important decisions on the organization’s behalf during recovery efforts? Note these individuals and ensure they are engaged immediately following an incident.  

List vendors and services responsible for critical business operations 

What vendors and services support your organization’s critical business processes? What would be the impact if a vendor suffered a disruption? Make sure you have updated contact information for those vendors and that you know how to reach them during a disruption. 

Determine the level of vendor reliance 

Using a scale is helpful when rating vendor reliance. For example: 

  • High: The vendor is virtually irreplaceable during an event.  
  • Medium: The department has reliable manual workaround strategies and an alternate vendor/service to use. 
  • Low: The vendor can be quickly and easily replaced.  

Identify your organization’s required critical functions 

First, what makes a function critical? Your organization will need to develop this standard. For instance, many organizations define a critical business process or function as one that cannot be down for more than 24 hours without irreparable harm, or one with a Maximum Tolerable Downtime (MTD) of 24 hours or less. Most departments have 10 to 20 critical business processes. Ask each department to identify and share their critical functions or business processes so that your organization has a priority list established for what needs to be done to keep operating. 

From there, you can set the balance of recovery requirement expectations based on how the function supports the organization’s critical processes. Include: 

  • Maximum Tolerable Downtime. MTD, again, is the longest period the function can be unavailable before causing a significant impact on a department’s processes. To allow time for crisis management, most processes should not have an MTD or RTO of less than four hours.  
  • Recovery Time Objective. RTO is the time goal for the restoration and recovery of the function (department, business process, application, etc.). In many cases, the RTO is half of the MTD. For example, if the MTD is 48 hours, the RTO is 24 hours.  
  • Recovery Point Objective. RPO is the point in time to which data must be recovered after an outage. For example, if the RPO is 24 hours, the last complete backup was taken no more than 24 hours before the interruption.    

Determine the impact of loss and workarounds for critical functions

Now define the impact of loss and develop a manual workaround for each critical function or business process.  

Questions to consider: What does the function do, and who/what does it support? Why is the function essential to the department/institution? What could the function’s downtime result in? Create a narrative that describes this information so others not familiar with the business process or function may understand.  

Next, develop in detail any approved or tested manual workaround. Key word is MANUAL. In this day of cyber-crime, ransomware may render the system supporting the critical business process inoperable for a period of time. So, what can you do manually until the system is restored? Document this manual workaround. For example, the accounting department may have a manual workaround for paying vendors when the accounts payable system is down. If there is no manual workaround, ensure it is clearly stated in the BIA. 

Identify recovery team members across departments

Each department should assign a team to handle recovery for each of its critical business processes. Specify the leader, alternate leader, and team members. The recovery team will need to have decision-making authority for the critical business processes they are responsible for recovering. 

Assign support for critical operations

Identify staffing needs required to support critical operations during recovery efforts. Provide location information, the average number of staff working in that role, and the minimum number needed on the first day of recovery efforts post-incident. For example, the average number of accounting staff could be three, but one is the minimum required.  

If applicable, provide the ramp-up time needed to increase the number of staff from the minimum to the number needed to recover the department’s critical processes.  

Establish resource needs

Provide the resources (software, equipment, etc.) required for each department to perform its critical processes. For instance, the accounting department may need computers, access to software, printers, copiers, telephones, etc. 

As you did in the previous section, provide the average number and minimum number of resources needed to operate during the recovery period. Include the ramp-up time if applicable.  

Note incoming and outgoing workflows

List the critical workflows that come into and are sent from your department, such as requests, alerts, reports/data, and transactions. 

Name the workflow and provide: 

  • The type and source name. The type and source name identifies who receives the workflow. Internal workflows originate from other departments, whereas external workflows come from third parties, applications, or customers. 
  • The delivery method. How does each department receive/complete the workflow? Email? System? In person? Make a note of these processes. 
  • Frequency. Provide how often the workflow is received/completed.  

Create an Impact Profile for each function  

Consider the normal operations across your FI today. If there was an interruption, what time frames would have a higher impact? Some examples include payroll processing periods, tax season, and exam and audit periods.  

Rate the potential severity of an outage on a scale. For example, accounting might mark the weeks in late January to mid-April as having a “high” impact because of tax season.  

Identify work backlogs across departments

A department might have a backlog of work when an interruption occurs. Backlogs can occur because of high transaction or request volume, a lack of resources, and/or staffing challenges. 

Encourage departments across the organization to note any backlogs, how the backlog(s) are handled, and whether there are any regulatory requirements associated with them. 

Organize workload shifting

Can any of your department’s critical business processes be performed by an alternate provider, such as another department (bandwidth permitting) or a third-party service provider, during a disruptive event? All workload-shifting strategies should be approved by leadership and reliable, with no additional training required during an event.  

Organize vital records

Identify critical physical and electronic documents which have the potential for loss during an incident. Examples include mortgages, collateral, auto titles or critical policies, procedures, forms, and reports. Note vital records, the media type, and the storage location.  

Prioritize reporting requirements 

Among the most important sections in a BIA are regulatory notification requirements, as agencies vary in how quickly they must be notified of incidents. For example, the FDIC, Federal Reserve, and OCC require a banking organization to notify its primary federal regulator of any significant computer security incident as soon as possible and no later than 36 hours after the banking organization determines that a cyber incident has occurred. Credit unions must notify the NCUA within 72 hours if they believe a cyber incident has occurred.     

Note which departments are responsible for sending reports/updates to regulatory agencies. Include details like a report description, the recipient agency, reporting frequency, the penalties for reporting failures, and other important info.  

Include a financial impact analysis  

If a department cannot perform its critical processes, at what point (hours or days) will it have a high impact on your financial institution? 

List the type of interruption, the risk exposure (financial, operational, and regulatory risks, to name a few), the significance of the economic impact on a rating scale, and the corresponding threshold levels. For example, the financial implications for an accounting department’s critical operations would quickly escalate over three days. 
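The steps above amount to a register of critical functions, each carrying an MTD, RTO, RPO, a vendor-reliance rating, a manual workaround (or an explicit statement that none exists), and staffing minimums. The following added example, which is hypothetical code and not part of this article, of Ncontinuity, or of any FFIEC guidance, models such a register in Python and applies the rules of thumb the article states: a function is critical when its MTD is 24 hours or less, MTD and RTO should not fall below the four-hour crisis-management floor, RTO must not exceed MTD, and a missing manual workaround must be flagged rather than left blank. Function names, departments, hours, and staffing figures are constructed sample values, not those of any real institution.

```python
# Added example (hypothetical, not Ncontracts/Ncontinuity or FFIEC code):
# a small BIA register with the consistency checks a reviewer would apply
# and a recovery-priority order derived from the register.
from dataclasses import dataclass
from typing import List, Optional

CRITICAL_MTD_HOURS = 24   # article: down for >24h without irreparable harm => critical
MIN_RECOVERY_HOURS = 4    # article: MTD/RTO should not be less than four hours
RELIANCE_RANK = {"high": 0, "medium": 1, "low": 2}   # article's vendor-reliance scale


@dataclass
class CriticalFunction:
    name: str
    department: str
    mtd_hours: float                  # Maximum Tolerable Downtime
    rto_hours: float                  # Recovery Time Objective
    rpo_hours: float                  # Recovery Point Objective (max age of last good data)
    vendor_reliance: str              # "high", "medium" or "low"
    manual_workaround: Optional[str]  # None means "no manual workaround exists"
    avg_staff: int                    # average staff in the role
    min_staff: int                    # minimum needed on day one of recovery


def is_critical(fn: CriticalFunction) -> bool:
    """Critical when the function cannot be down longer than the 24-hour threshold."""
    return fn.mtd_hours <= CRITICAL_MTD_HOURS


def validate(fn: CriticalFunction) -> List[str]:
    """Return the consistency problems a BIA reviewer would flag for one function."""
    issues: List[str] = []
    if fn.rto_hours > fn.mtd_hours:
        issues.append("RTO exceeds MTD")
    if min(fn.mtd_hours, fn.rto_hours) < MIN_RECOVERY_HOURS:
        issues.append("MTD/RTO below four-hour crisis-management floor")
    if fn.manual_workaround is None:
        issues.append("no manual workaround documented")
    if fn.vendor_reliance not in RELIANCE_RANK:
        issues.append("vendor reliance not rated")
    if fn.min_staff > fn.avg_staff:
        issues.append("minimum staffing exceeds average staffing")
    return issues


def recovery_priority(register: List[CriticalFunction]) -> List[str]:
    """Order for recovery: critical functions first, then shortest MTD,
    then heaviest vendor reliance (the vendor is hardest to replace)."""
    ranked = sorted(
        register,
        key=lambda f: (not is_critical(f), f.mtd_hours,
                       RELIANCE_RANK.get(f.vendor_reliance, len(RELIANCE_RANK))),
    )
    return [f.name for f in ranked]


def backup_is_recent_enough(fn: CriticalFunction, last_backup_age_hours: float) -> bool:
    """RPO check: the newest complete backup may be no older than the RPO."""
    return last_backup_age_hours <= fn.rpo_hours


# Constructed sample register (illustrative values only).
REGISTER = [
    CriticalFunction("Accounts payable", "Accounting", 48, 24, 24, "medium",
                     "Cut paper checks from the printed vendor aging report", 3, 1),
    CriticalFunction("Online banking", "Digital", 8, 4, 1, "high", None, 6, 2),
    CriticalFunction("Wire transfers", "Operations", 4, 2, 0.5, "high",
                     "Phone-verified wires logged on paper, keyed in after restore", 4, 2),
    CriticalFunction("Loan origination", "Lending", 72, 36, 24, "low",
                     "Paper applications held for later entry", 5, 2),
]

if __name__ == "__main__":
    for fn in REGISTER:
        tag = "CRITICAL" if is_critical(fn) else "non-critical"
        print(f"{fn.name:18} {tag:12} issues={validate(fn) or 'none'}")
    print("Recovery order:", recovery_priority(REGISTER))
```

Running the block prints two flagged entries: "Online banking" has no documented manual workaround, and "Wire transfers" has an RTO below the four-hour floor, which is exactly the kind of gap the article says must be stated plainly in the BIA rather than left implicit. The priority order puts the two critical functions ahead of the 48- and 72-hour ones.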

Did you know? Many of these data points—and more—can be accessed in the Ncontinuity BIA questionnaire.  

How BCM software can help

Conducting a BIA as a start to the development of your business continuity plan and program is a significant task. Thankfully, business continuity management software is available and valuable for helping FIs prepare for interruptions and manage risks across the organization effectively. However, while BCP solutions can be helpful, they can also be overly complicated.  

That was the case for Montecito Bank & Trust in Santa Barbara, California. Once it switched from an overly complicated business continuity solution to Ncontinuity, a more flexible, scalable, and secure online business continuity management solution, the bank benefitted from an automated process for conducting its business impact analysis and from having a crisis playbook that everyone on the team could access. Working with Ncontinuity empowered Montecito Bank to conduct BIAs and build, update, and test its business continuity plans, allowing the bank to measure and document results for assured compliance. 

A BIA is essential for keeping your business safe during a disaster. Look into creating one for your company to protect it from risks involving accidents, disasters, emergencies, and more. 

Does your FI have the tools to successfully navigate business interruptions? Ncontracts business continuity software, Ncontinuity, can help.
