• IS security
  • Personal Data Protection Security Project
  • Security Project for Technical Device Designed for Work with Classified Information
  • Risk Analysis and CRAMM Risk Analysis
  • Personal Security
  • Business Continuity Management - BCM
  • Business Impact Analysis - BIA
  • Network Security
  • Protection Against Malicious Code
  • Security Incident Monitoring and Management
  • Access Control
  • Security Policy Enforcement
  • Security Control Documents
• Technical and object security
• IT solutions
• SW solutions

Business Impact Analysis - BIA

Business Impact Analysis (BIA) is performed in an organization during the first stage of the business continuity management process. BIA goal is to identify processes, and to determine their criticality and subsequently potential impacts resulting from unavailability of such process, e.g. from disruption of production or provision of services.

Potential Impacts:

• direct financial losses
• loss of customers and suppliers
• loss of good reputation
• breach of legal obligations and regulations
• breach of directives issued by superior bodies
• environmental pollution
• impacts on personnel

BIA is a tool that facilitates giving answers to fundamental questions concerning an organization:

• What are the organization’s business objectives?
• In what way does the organization intend to achieve its business objectives?
• What are the products and services provided by the organization?
• What persons/entities (each person/entity – both internal and external) are involved in the processes intended to achieve the business objectives?
• What time segments are relevant for the delivery of products and services?

BIA is an activity running across the entire organization, comprising the following steps:

• gathering of requested information from respondents
• information evaluation
• preparation of a report and its submission to the management for approval

Questionnaires and meetings with people in person are used to gather the following information:

• description of the organization’s business function and activity
• business function dependencies (both internal and external)
• key assets necessary for the business function operation (employees, ICT equipment, premises etc.)
• potential impacts
  • financial (quantitative)
  • non-financial (qualitative – legal, reputation loss etc.)
• time sensitivity
• recovery requirements
  • minimum required level for a function after recovery
  • time-relevant data
• current level of the recovery ability

The most important step in the information gathering process is the business function description, the business function being perceived as an integral process running in the organization. Description of the business function and activity means:

• end-to-end description
  • raw materials, resources
  • production and services
  • products
• dependencies
  • key suppliers and customers
  • internal organizational units and teams
• resources required for operation
  • key records
  • major assets
  • sensitive vulnerability points
• time sensitivity
  • daily hours
  • day in month
  • year-quarter
• current ability to recover

Evaluation of answers will provide basic information for further business continuity management stages:

• list of critical business functions
• internal and external business function dependencies
• determined quantitative and qualitative impacts after disaster has occurred
• recovery requirements
• time-related recovery requirements
• minimum resources (necessary for recovery) providing for continuity of basic activities and services
• function prioritization – order in which functions are to be recovered following a disruption
  • logical sequence of functions
  • impact level
  • time-related requirements

The output document intended for the organization’s top management is the BIA report – a standard summary of the accomplished analysis, containing the following:

• the organization’s intentions, objectives
• the organization’s critical processes
• financial and non-financial impacts caused by loss, disruption or interruption of one or more critical processes
• BCM goals for each critical process
• minimum requirements for resources necessary for the critical process recovery to the pre-defined minimum continuity level
• important records
• key clients list
• list of key suppliers – both internal and external
• all restrictions within which the organization’s critical processes must operate
• time schedule specifying business activity priorities for recovering critical processes
• specification of priorities and investments in the field of organization’s business continuity
• recovery profile for resources necessary for recovering critical processes
• multilevel impact analysis criteria (both financial and non-financial)