BCLE 2000C PG 03 Jan2019

This four-day course provides a comprehensive understanding of business continuity management and the Professional Practices. It is designed for professionals with less than two years of experience. The course covers the 10 Professional Practices including business impact analysis. Business impact analysis identifies critical functions, assesses impacts of disruptions, and establishes recovery time and data loss objectives. The process involves identifying impact criteria, collecting data, analyzing impacts, prioritizing functions, documenting dependencies, and presenting results to leadership for approval of recovery objectives.

BCLE 2000

Lesson 3: Business Impact Analysis

Canadian Participant’s Guide


This four-day course has been developed by
DRI International and DRI Canada to provide a
comprehensive understanding of The Professional
Practices for Business Continuity Management and
their proper application within a business continuity
program. It is designed for the business continuity
professional with less than two years’ experience.

© 2019 DRI International & DRI Canada. All rights reserved.

BCLE 2000: Canadian Participant’s Guide Lesson 3: Business Impact Analysis

The Professional Practices for Business Continuity Management


1. Program Initiation and Management
2. Risk Assessment
3. Business Impact Analysis
4. Business Continuity Strategies
5. Incident Response
6. Plan Development and Implementation
7. Awareness and Training Programs
8. Business Continuity Plan Exercise, Assessment, and Maintenance
9. Crisis Communications
10. Coordination with External Agencies

Professional Practice Three: Business Impact Analysis


Objectives
• Identify and prioritize the entity’s functions and processes in order to ascertain which ones will have the
greatest impact should they not be available
• Assess the resources required to support the business impact analysis process
• Analyze the findings to ascertain any gaps between the entity’s requirements and its ability to deliver
those requirements

Professional’s Role
1. Identify the qualitative and quantitative criteria to be used to assess the impact to the entity as the result
of an event
2. Gain leadership agreement on business impact analysis (BIA) methodology and the criteria to be used to
establish the BIA process and methodology
3. Plan and coordinate data gathering and analysis
4. Establish the criteria and methodology used in conducting the BIA process
5. Analyze the collected data against the approved criteria to establish a recovery time objective (RTO) and
recovery point objective (RPO) for each operational area and the technology that supports those areas
6. Prepare and present the BIA results to leadership. Gain acceptance of the RTO and RPO.


1. Identify the Criteria to Assess Quantitative and Qualitative Impacts


1.1 Define and obtain approval for criteria to be used to assess the impact on the entity’s operations, which
may include, but is not limited to, the following activities:
• Customer impact
• Financial impact
• Regulatory impact
• Operational impact
• Reputational impact
• Human impact
Quantitative:

Qualitative:

Customer Impact
Possible customer impacts include:
a. How quickly customers will learn that a problem exists
b. The likelihood that they will take their business elsewhere
c. Concern about meeting existing agreements and service levels
d. The impact to the customer’s supply chain
e. Whether there were any injuries or deaths as a result of the event

Financial Impact
Possible financial impacts include:
a. Loss of revenue
b. Loss of profits
c. Impact to cash flow
d. Impact to market share
e. Impact to the share price of stock (if applicable)
f. Contractual fines or penalties
g. Losses resulting from required payments for fixed costs
h. Increased overtime costs


Regulatory Impact
Possible regulatory impacts include:
a. Fines
b. Penalties
c. Requirements to recall products
d. Revocation of license permits
e. Termination of business

Operational Impact
Possible operational impacts include:
a. Discontinued or reduced product and/or service levels
b. Workflow disruptions
c. Supply chain disruptions

Reputational Impact
Possible reputational impacts include:
a. Negative
• Media attention
• Social media commentary
• Community perception
Example: Wells Fargo – California suspends its relationship with the bank (a major financial loss to
Wells Fargo)
b. Loss of shareholder confidence

Human Impact
Possible human impacts include:
a. Loss of life and injury
b. Impact to the community
c. Short- and long-term emotional damage

Group Activity: Organizational Impacts


List at least two types of impacts that would be detrimental to your entity:
1.

2.


2. Establish the Business Impact Analysis Process and Methodology


2.1 Identify and obtain leadership support and/or identify the responsible party for the BIA activity
2.2 Define objectives (below) and scope for the BIA process
2.3 Choose an appropriate BIA planning methodology or tool (next page)
2.4 Choose an appropriate BIA data collection methodology (next page)

BIA Objectives:
1.
2.
3.
4.
5.
6.

BIA Planning Methodology or Tool


To summarize, determine the following:
• The prioritization of functions and processes based on the level of criticality and time sensitivity
• The recovery objectives for core and support functions and processes
• The order of the recovery for the core and support functions, processes and systems based on parallel
and interdependent activities

3. Plan and Coordinate the Data Gathering and Analysis


Data collection is accomplished by the following activities:
3.1 Questionnaires
3.2 Interviews
3.3 Workshops (immediate data validation)
3.4 Identify the major areas of the entity, including potential third-party service providers, with the support of
the responsible party for the BIA
3.5 Using the selected methodology, conduct the data collection necessary to support the BIA process

4. Establish Criteria and Methodology for the BIA Process


4.1 Identify and obtain agreement on the quantitative evaluation methods for potential financial and
non-financial impacts in each impact area
4.2 Identify and obtain agreement on the requirements for the qualitative evaluation methods in each impact
area
4.3 Create a schedule for the business impact analysis process

5. Analyze the Data to Establish Recovery Objectives


5.1 Determine the prioritization of processes and services
5.2 Document any dependencies that exist between each business process and the supporting infrastructure
(data systems and related technology, supply chain management, third-party providers, and other
resources)
5.3 Determine the order of recovery for business functions and technology using collected data

Recovery Objectives
Recovery Time Objective (RTO)
Time goal for the restoration and recovery of functions or resources based on the acceptable down time and
acceptable level of performance in case of a disruption of operations

Recovery Point Objective (RPO)


Point to which information used by an activity must be restored to enable the activity to operate on resumption.
Also referred to as “maximum data loss”

6. Prepare and Present the BIA Results to Leadership


Prepare the BIA report and gain acceptance of the RTOs and RPOs:
6.1 Prepare a draft BIA report using the initial impact findings and highlighting identified gaps
6.2 Prepare final BIA report
6.3 Prepare and submit formal presentation of the findings in the final BIA report to the leadership
6.4 Gain acceptance of the RTO and RPO for each operational area as defined by the findings in the final
BIA report
…and proceed with: ________________________________________

Group Activity: Recovery Objectives


List at least two functions or processes in your entity and their RTOs (if known):
Function or Process RTO RPO
1.

2.

3.

4.


RTO and RPO

Restoration Schedule


Dependencies
1. List the other areas, departments, vendors, and external resources the function will need to perform.

2. Between processes and technology


• Intradepartmental
• Interdepartmental
• External dependencies (supply chain)
Evaluate each external dependency (vendor) to determine:
• Components supplied
• Corporate liabilities:
• Dun & Bradstreet rating
• Outstanding litigation
• Financial issues – bankruptcy filing, poor financial performance
• Location vulnerabilities
• Component vulnerabilities

BIA Findings and Internal Dependencies


Sample BIA Findings by Functional Area

Discrepancies?


Resource Requirements
Determine the minimum resource requirements in the following categories:
• Internal and external
• Owned versus non-owned
• Short term versus long term

Existing Resources and Additional Resources Required


Personnel
• Special skills, training, licences
Equipment
• What kinds of equipment do you need to do the job (e.g., off the shelf, long lead time)?
Data
Raw materials
Other resources needed:
• Sole source versus single source: What is the difference?
• Just in time (JIT) versus safety stocks: What is the difference?

Enterprise resource planning (ERP)


Lead times

Common Vital Records


• Articles of incorporation
• Corporate charter
• Accounting records
• Engineering information and trade secrets
• Documentation
• Anything with a signature
• Legal documents
• Operating plans
• Software manuals
• Information Technology (IT)
• Database backups
• Server backups
• Business continuity and contingency plans
• Any records required for business continuity, recovery and resumption


BIA Process Overview


1. Develop the BIA questionnaire / interview guide / workshop material
2. Conduct the kickoff meeting
• Explain the BIA process
• Review the questionnaire / interview guide / workshop material
3. Schedule and conduct interviews, workshops / distribute and collect questionnaires
4. Analyze data collected, prepare preliminary BIA report
5. Conduct follow-up meetings to review questionnaire / interview / workshop BIA results
6. Meet with the BCM and IT staff to review
current capabilities
• Time, resources, data
7. Prepare the gap analysis
8. Finalize BIA report, including gap analysis
9. Present BIA report for approval

BIA Gap Analysis Process


Defining the Gaps

Resource Relocation Gap Analysis


Document BIA Gap Analysis

Gap: ________ Hours Gap: _______ Workspaces

Backup and Data Retention Data Gaps


• Impact should determine the frequency of backups
• The greater the impact from lost data (data gap) the more frequently backups should be completed
• Create effective off-site storage
• Recovery vs. data restore


Important Concepts
Business Impact Analysis Objectives

Entity function/process and time sensitivity

Dependencies

Losses/impacts over time (qualitative and quantitative)

Resources needed for recovery and resumption

Recovery objectives (RTO/RPO)

Vital records


Class Exercise
• Work in assigned teams
• Develop a prioritized list of:
• Functions/processes (at least 3)
• Recovery Time Objective (RTO)
• Order the list by ascending value of RTO
• Select a team presenter to report to the class

Business Function/Process RTO


Knowledge Checks
Professional Practice Three: Business Impact Analysis
Circle the best choice for each question below. There is only one correct answer for each question.

1. What is the result of conducting a business impact analysis?


a. The identification of the essential functions, processes, operations, their critical dependencies, and gaps
b. To gain leadership’s approval for the recovery strategies
c. The implementation of the technology and workspace needs in a recovery
d. The identification of threats from sabotage and/or terrorism and the implementation of controls to
eliminate those threats

2. What phrase best describes the reason for establishing recovery point objectives?
a. To establish the time frame in which processes must be restored to prevent an unacceptable impact to
the entity
b. To determine the level of risk and potential loss that leadership is willing to accept
c. To determine the amount of data that will be lost in the event of the data destruction of a storage device
d. To obtain a qualitative estimate of the impact of a threat

3. What phrase best describes the reason for establishing recovery time objectives?
a. To establish the timeframe in which processes must be restored to prevent an unacceptable impact to the
entity
b. To determine the level of risk and potential loss that leadership is willing to accept following an event
c. To determine the point in time when the entity’s EOC must be opened after a disaster is declared
d. To determine the point in time in which transactions and data must be recovered after an outage

4. What is the desired result of the business impact analysis presentation to leadership?
a. Obtaining leadership’s approval for the relative ranking of processes, their RTOs, and resource gaps
b. Obtaining leadership’s approval for implementing recovery strategies
c. Obtaining leadership’s approval for implementing additional controls
d. Obtaining leadership’s approval on reducing the recovery time objective for identified processes

Canadian Resources
Public Safety Canada - Resources
https://www.publicsafety.gc.ca/cnt/rsrcs/index-en.aspx
