All about Business Impact Analysis: A Step-by-Step How-To

By Joe Weller | April 29, 2019 (updated August 17, 2021)

Business impact analysis (BIA) predicts how a potential crisis will affect business operations, so you can prepare. Learn about BIA and risk categories from experts, and find step-by-step instructions to create your own effective BIA.  

Included on this page, you'll find details on how to write a business impact analysis, the best tools to conduct a BIA, the most common mistakes made when conducting a BIA, as well as a BIA categories cheat sheet.

What Does Business Impact Analysis Mean?

Business impact analysis(BIA) is a process that identifies and assesses the effects that accidents, emergencies, disasters, and other unplanned, negative events could have on a business. The BIA (sometimes also called business impact assessment) predicts how a business will be affected by everything from a hurricane to a labor strike.  

Business impact analysis focuses on events that disrupt operations. In today’s business parlance, the term “disruptive” refers to innovations that anticipate consumers’ unstated needs in a way that remakes a sector. But, BIA tackles the old-fashioned issue of disruption — when business cannot proceed normally due to a negative incident, such as fires or sudden shortages of raw materials.

Types of Problems that Business Impact Analysis Anticipates

Business impact analysis seeks to anticipate anything that could go wrong. These events include occurrences that affect entire countries or regions as well as issues that may be specific to a single location, organization, or industry:

  • Natural Disasters: Hurricanes, tornadoes, wildfires, earthquakes, volcanic eruptions, droughts, snowstorms, etc.
  • Accidents: Environmental mishaps, toxic emissions (like oil leaks and chemical spills), equipment malfunctions or breakdowns (including those that injure workers), plant fires, explosions, product contamination, human mistakes, errors, and omissions
  • Emergencies: Power or other utility outages, computer hacking attacks, data loss or corruption, labor disputes, absenteeism, systems breakdowns (including computing infrastructure), disruptions of supply chains, shortages of raw materials, failure by a service provider, problems with transportation networks, loss of communications,  political crises (like riots and civil wars), and regulatory interventions (such as a factory closure after failing an inspection or a product recall) 

In a risk assessment phase, you will determine the types of threats that a business faces and then quantify the risks. There is some debate as to whether risk assessment should follow or precede business impact analysis, but the consensus among experts tilts toward doing the risk assessment first. That way, the BIA process can focus on the most likely risks first.

You should customize your analysis to meet your specific organization’s needs. For example, a factory located on the ocean coast faces a risk of flooding, and historical patterns suggest a high probability of this event reoccurring. A similar factory in the desert would face a far lower probability of flooding. So, the coastal company would focus more of its BIA efforts on flooding, while the desert-based company would give planning for drought a higher priority.  

Business impact analysis looks at the consequences of each threat for every aspect of an organization. The BIA team answers questions like the following:

  • If a flood did occur, what would the impact be on manufacturing, distribution, customer support, and management?
  • How high would floodwaters have to be to prevent orders from being shipped?
  • Is power likely to be shut off to the assembly line during a flood?
  • What would the effect be on products in mid-production? Would workers be stranded?
  • How long could the company continue to fulfill orders from its other warehouses?

Two baseline assumptions shape business impact analysis:

  • All elements of a business depend on the continued operation of its other parts.
  • Some aspects of a business are more critical than others and should receive more spending when a disruption takes place in order to minimize the impact or speed recovery.

Why Do Business Impact Analysis?

Business impact analysis enables a company to prepare, so it can respond rapidly and decisively to a crisis. BIA helps an organization reduce the financial costs, downtime, harm to its reputation, and other damage from a disaster.

While it might seem pessimistic to focus on all the ways things could go wrong, underlying the BIA process is the understanding that preparing for negative events can equip an organization to react in the most effective way. Usually, business impact analysis is conducted with an eye toward worst-case scenarios to help a company prepare itself as much as possible. With this knowledge, you can develop systematic, logical recovery plans.

If a crisis strikes, you will feel much more secure about your decisions because your business impact analysis provides solid evidence to back up those decisions. Your actions will be informed by a strong understanding of the most essential components of your business, and scarce resources can be allocated where they will be most beneficial.

The outcome of business impact analysis is a report that often serves as the first step in business continuity planning (BCP), or business continuity, the process of figuring out how to keep operations running as much as possible in an emergency. In this way, BIA lays the groundwork for the development of measures to prevent or reduce the chances of a negative event happening. It also provides the foundation for recovery planning and spending on related measures.

Some added potential benefits of BIA include reduced insurance premiums, greater organizational stability, improved safety for staff and clients, decreased legal liability, improved asset security, and less dependence on key personnel.

International standards such as ISO 22301 and 22313 (which address business continuity) and ISO 22317 (which focuses on business impact analysis) guide this work. These standards replace earlier standards for conducting BIA, specifically those that were issued by the British Standards Institution under BS 25999, parts one and two.

Who Conducts Business Impact Analysis?

A company may hire a specialist consultant or expert outsider to conduct a BIA. Or, a BIA team may consist of a mix of internal and external individuals — this guarantees that the process includes both specialized expertise and deep knowledge of the business. Large organizations may have a staff person or department that knows business impact analysis, and it may run the exercise.  

At the start of a business impact analysis process, you need to lay the foundation for the project by forming a team and defining its scope and objectives. The methodology for BIA can vary and be tailored to your organization’s needs. You may want to have an education session for key stakeholders to explain what your team will be doing and how they will be called upon to assist.


Key Steps in Business Impact Analysis

How to Conduct Business Impact Analysis

Executing a business impact analysis involves four main phases: gathering information, analyzing that information, documenting your findings, and presenting the findings. In this article, you’ll find free downloadable templates for the key parts of business impact analysis, including a BIA template for banks and a risk assessment template.

The Business Continuity Institute, a professional organization focused on helping companies prepare for emergencies, says in its good practice guidelines that there are four main types of BIA:

  • Initial BIA: This is a high-level analysis that serves as a framework for more detailed BIAs.
  • Product and Service BIA: This identifies a business’ most important products and services and the impacts they would face.
  • Process BIA: This analysis identifies the processes or workflows that are needed to deliver the most important products and services.
  • Activity BIA: This identifies the activities that deliver the most urgent products and services.

In the following sections, we’ll explore in detail the four main steps in a business impact analysis methodology.

Step 1: Gathering Information

Al Martinez, Senior Advisor at Fusion Risk Management, says that BIA should examine four key supports for operations: people, facilities, tools (including things like equipment and computing infrastructure), and materials/suppliers. He recommends focusing on a company’s top 10 to 15 most important processes and how a disruption would affect the four key supports for each.


Al Martinez

“There’s a tendency sometimes to overcomplicate things,” Martinez notes. “In reality, we want to look at what the requirements are for a business, what should be done for recovery purposes, and how long a company can survive” during a disruption, he says.

During this first phase of conducting the BIA, you identify the most important aspects of an organization’s operations and look at how they would be affected by the most likely negative events. The BIA team gathers both qualitative and quantitative information. The team must understand how the business runs, so it can properly assess the impact of various events on the operations.

BIA Looks at Qualitative and Quantitative Data

For qualitative data, the two most popular tools are the questionnaire and the in-person interview. Using these tools, the team seeks to identify critical business processes and the relationships between them. The team typically uses the questionnaire, either paper or electronic, with managers. With highly experienced staff, the team generally conducts interviews, as seasoned veterans usually possess deep knowledge of operations and the potential business impacts — both in their own area and downstream — if their work is interrupted.

Frame your information-gathering within the context of your company culture, Martinez advises.  For example, when he formerly conducted BIA for General Mills (the maker of Wheaties cereal), he would speak in the common language of the organization (for instance, he would ask how a disruption would impact “championship performance”).

Quantitative information generally comes from enterprise resource planning systems, finance systems, and databases. The BIA team is looking for concrete measures concerning the company’s business processes — everything from the labor costs to manufacture a product to time to build a product and revenue per day from each model of a product. This data helps the BIA team determine the costs of disruption and identify critical dependencies between business functions.


Paul Kirvan

Paul Kirvan, a fellow at the Business Continuity Institute, says that past events are the best source of information about what impact a disruption would have. But, if you have not had a previous disruption, he recommends talking to your insurance carrier, who may be able to provide actuarial data, and also conducting online research to find the financial impacts of disasters elsewhere.

The trend toward big data collection has increased the scope of harvestable data. If a business has actually experienced an adverse event at some point, the data from that event can be very useful to the BIA team.

Key Metrics in Business Impact Analysis

One key metric that the BIA seeks to determine is maximum tolerable outage (MTO), the maximum amount of time a system, resource, or facility can be unavailable before unacceptable impact occurs. In IT, this metric is sometimes called maximum allowable downtime. Along with recovery time objective (RTO) and recovery point objective (RPO), which we will discuss later, these measures help you identify the “critical path” for recovery, those systems and processes that need the most urgent attention.

Sometimes, a company discovers that it is missing data that would improve its BIA. In that case, the organization can begin collecting the figures and plug them in later. Or, it can buy data that is similar enough to serve as a proxy for the missing information, such as production information from a similar manufacturer in another part of the country. Lastly, the team can make estimates. Usually, the team uses a combination of these solutions, making further iterations of the BIA process more accurate.

Martinez says that the BIA needs to take a holistic view of business risk and how to reduce it. Sometimes, a BIA team will overlook key risks such as legal, reputational, investment, or environmental factors, he notes. For large public companies, review the risks detailed in descending order of importance in the annual 10-K filing with the Securities and Exchange Commission, and make sure those risks are addressed in the BIA, Martinez recommends.

Step Two: Analyzing Information

During the second phase of conducting a BIA, the team analyzes the information it gathered in the first phase, sometimes using computer applications and modeling to assist with the work. The team aims to accomplish several objectives:

  • Determine the Resource and Process Interdependencies: The BIA team establishes how the company’s processes and workflows affect one another. For example, a warehouse can keep shipping while it still has inventory, but at some point a halted assembly line will force the warehouse to stop filling orders. A software-as-a-service (SaaS) company may need a certain number of cloud servers to fulfill customers’ service-level agreements (SLAs) that specify application availability and data quality. The resource requirements and the interdependencies help a business figure out whether and how it can keep running at suboptimal levels.
  • Identify the Resource Requirements for Optimal Operation: This answers the question of what it takes to keep the business running under normal circumstances and includes variables like raw materials, power, staff, equipment, suppliers, vendors, capital, and more.
  • Determine the Impact of Disruption: Here, the BIA team seeks to quantify the impact of an adverse event. (Of course, different events will have different impacts.) Lost sales are relatively easy to tally. But, there are other impacts that are more difficult to measure, such as lost data or damage to reputation. Assign dollar values to impacts wherever possible. Look at both the internal impact on intermediate processes and the external impact from customer-facing activities. Don’t forget to add in costs, such as overtime, that you may have to pay to catch up with a backlog once operations resume. Determine the maximum time an outage can continue before the business impact occurs. (For example, frozen food may remain safe in closed freezers for up to two hours after a power outage, but then have to be discarded. The maximum time in this case would be two hours.)
  • Prioritize Business Functions: The BIA team determines which functions and components of the business have the greatest impact on operations, finances, and legal obligations. In a crisis, resources should be allocated according to where they will have the greatest benefit. Understanding the most important functions also enables the BIA team to assign an order for steps to recover and restore the business, focusing on mission-critical functions first. A BIA for information technology infrastructure would identify the programs and hardware that support core business functions.
  • Estimate the Time and Resources Needed to Recover: The BIA team will figure out the costs of recovery, including time as well as staff, space, assets, and supplies. A power outage lasting a few hours will have fewer impacts than a major catastrophe. Consider questions such as the following: If your facility becomes inaccessible, where will you establish temporary operations and at what cost? How will you communicate if your network is down for an extended period of time? Do you need a redundant system? Describe workarounds or ways to reallocate the workload during an event. During certain situations (such as the loss of a factory), an interim solution may need to work for months or years, and the costs may be extensive. Necessary resources may include facilities and liquid cash that the company can easily access. Compare the cost of the business impact to the cost of recovery and mitigation strategies, and assess the costs of those strategies by comparing them to one another.
  • Set Parameters: For IT planning, the BIA team will establish a recovery point objective (RPO) and recovery time objective (RTO). An RPO refers to how much data can be lost before serious damage to the business occurs, and is expressed as the time interval between the last data backup and the failure. The RTO describes the length of time an IT system can be down without causing serious disruption to the business. Rank  applications and systems by priority; those that are critical will get the most resources. The priority categories are sometimes called tiers (tier one is the most critical and tier three is noncritical). The BIA team at a bank may determine that the system that records transactions has an RTO and RPO of nearly zero, making failover systems essential.
  • Identify the Vulnerabilities, Ways to Minimize Impact, and Recovery Strategies: The business impact analysis will shine a spotlight on any major vulnerabilities and failure points, and the team can make recommendations for the most cost-efficient ways to minimize risk and impact. These can include strategies for avoiding the disruption in the first place, fixing or mitigating vulnerabilities, and rapidly recovering if the problem occurs.

Step Three: Documenting Your Findings

At this point, the team will start to review and refine its findings. You may want to go back to some of the key people you interviewed early in the process to discuss your outcomes with them. Then, the BIA group will write a report. A BIA report contains some standard elements:

  • Executive summary
  • Objectives and scope
  • Description of methodologies
  • Detailed discussion of findings
  • Recommendations
  • Supporting documents

The BIA report includes both an exploratory component, which reveals crucial business processes and business impacts, and a planning component, which suggests strategies to respond to these impacts.

The report describes the company’s main activities and processes along with their “owners” within the organization (such as the department they belong to or their geographic location). The detailed findings outline the impact of disruption on specific business processes and identify the most crucial of these processes. The BIA team should also establish an acceptable duration of downtime and tolerable losses, as well as a plan for recovery. In addition, the report should weigh the costs of disruption against those of investing in recovery.

Step Four: Presenting Your Findings

The BIA team presents its findings to senior management. Sometimes, you present the findings and distribute the full report simultaneously. Other times, you deliver the report in advance, so leaders can digest it and ask questions at the presentation.

At the presentation, the BIA team highlights the most significant business impacts from disruptions and offers its recommendations.

BIA experts stress the importance of getting senior management support for the BIA and recommend keeping the presentation high level and focused on the most important operational processes. Make detailed data available if requested, but avoid burying top leaders in numbers. “You want to get their quick and easy buy-in, so everyone is on the same page… Be respectful of people’s time,” Martinez advises.

What Business Impacts Should a BIA Consider?

When we talk about the negative consequences of an outage, we usually picture financial impact, and, certainly, economic losses can be devastating to a business. But, companies can suffer harm in other ways — to their reputation, morale, customer loyalty, employee well-being, and more. There can also be fines or punishments from regulators or contractual penalties if the outage causes a delivery to be late.

While direct financial losses are straightforward to tally, most other impacts incur financial costs as well, even if they are sometimes indirect. Say, for example, a fire burns down a warehouse and you lose the value of the product stored there. That cost is obvious. Suppose you have an important order to deliver, so now you have to run overtime shifts at another factory to meet that delivery date. Those extra labor costs are an indirect result of the fire.

The intensity of an impact can vary significantly based on the duration, extent, and timing of a disruptive event. Think of a power outage in a retail outlet. A couple minute-long power cut on a slow day is much less impactful than one that stretches for several hours on a busy holiday shopping day in December. That said, a long outage is less likely to occur than a short one, so that factor adds another nuance to the analysis. Your organization should be well prepared for an event that occurs with regularity, even if the impact is not catastrophic.

Martinez of Fusion Risk Management suggests focusing 80 percent of your effort on the most likely scenarios and anticipating both localized and broader events. For example, in doing BIA for a credit union with 100 branches, his team matched branches into pairs, so they could assist each other with staff or operations if one had an outage. The BIA team also identified a backup location 50 miles away in case of an event that affected many branches.

Going through this exercise will identify workarounds for your most likely problems, and this preparation will often help, even if something that you didn’t plan for occurs. For example, Martinez worked with a manufacturer that prepared for the risk of a supplier being unable to ship raw material by identifying a backup supplier. But, when the scenario actually occurred, the backup vendor was affected by the same shipping problem, so the manufacturer quickly lined up a third supplier. While the fix wasn’t quite as seamless, the time and effort invested in designing a workaround enabled the manufacturer to respond more quickly.

This table summarizes some of the most important business impact analysis categories to consider. You can also download the table as a Word or PDF file below, and use it as a checklist when you conduct your own BIA.

Business Impact Analysis Categories

Financial Impacts

  • Delayed sales or income
  • Contractual penalties
  • Regulatory fines
  • Increased expenses
  • Lost sales or income
  • Loss of market share

Infrastructure Impacts

  • Delayed construction
  • Restricted access to facilities
  • Machinery/equipment damage
  • Building damage

Resource Impacts

  • Absenteeism
  • Data loss/corruption
  • Supply chain interruption
  • Loss of power

Intangible Impacts

  • Decreased customer satisfaction
  • Customer defection
  • Negative business reputation
  • Harm to brand
  • Diminished value of intellectual property
  • Loss of staff morale

Quality and Safety Impacts

  • Ability to maintain product/service standards
  • Compromised worker safety
  • Environmental damage

Legal Impacts

  • Failure to fulfill contracts
  • Breach of warranties
  • Force majeure
  • Failure to comply with regulations

Strategic Impacts

  • Delay in new business initiatives
  • Decreased focus on new business opportunities
  • Reduced resources for innovation


BIA Business Impact Analysis Categories Cheat Sheet Template

Download BIA Categories Cheat Sheet

Word | PDF

What Is an Impact Analysis Tool?

Traditional information-gathering tools like questionnaires and face-to-face interviews are two of the most commonly used tools in BIA, but they’re not the only ones. There are also a variety of digital tools available, from the humble spreadsheet in which you record responses and perform basic quantitative analyses to purpose-built business impact analysis applications.

BIA software can help you collect information, establish process interdependencies, identify impacts, compute their costs, prepare reports, and update your BIA. If you’re considering a BIA software solution, ask the following questions:

  • Is the software designed to address all the threats that are relevant to your business?
  • Does it gather the information that is relevant to your business and industry?
  • Does the BIA software integrate with other business continuity management systems?
  • Does the application allow you to assess different units and geographies separately?
  • Does the software meet industry standards, such as ISO 22301?
  • Is the application secure and will it be accessible in a disaster?

Alex Fullick, Founder of business continuity consulting firm StoneRoad, says that the right BIA tools or methodology depends on the size of the organization, its financial resources, its timelines to deliver the BIA, and the project scope (e.g., a single location vs. multiple locations, single or multiple operating units, and a local, state/provincial, or international focus).


Alex Fullick

“If the scope is rather small in scale, it might be quicker and easier to perform a BIA using a manual approach, leveraging documents and spreadsheets,” Fullick says. “If the scope is large and the funds are available, it will be much easier to manage a BIA initiative using software.  But, software comes with its own challenges,” he points out.

BIA team staff must learn the software, and the IT department may need to configure the software to work with organizational systems. Additional time might be needed to customize the questions in the software for the company conducting the BiA, Fullick finds.

How to Apply a Business Impact Analysis

Once senior management signs off on the BIA, review the recommendations with each department and division, highlighting the aspects that impact each of them most directly. Your company also needs to develop plans to implement BIA recommendations as part of its broader business continuity effort. Then, you need to test the measures.

Next, perform a gap analysis to identify areas in the company that need work in order to be business impact ready. Following the analysis, you should devise a strategy for closing those gaps.

Companies in highly regulated industries like healthcare, financial services, and pharmaceuticals may need to get regulator approval of their BIA and continuity management plans.

Then, the organization should develop a protocol for using the BIA and other plans in an actual emergency. This means making sure that all key staff members have hard copies of the documents and can also access them electronically.

Kirvan stresses that the BIA is not an end point: “Performing a BIA by itself is not enough. It is one of the precursors to completing a business continuity plan as well as a technology disaster recovery plan (DRP). Once you complete the BIA, the existing BC/DR plans should be reviewed and updated based on results from the BIA.”  

Consider Communications and the Chain of Command when Implementing Crisis Response

Create a communications plan that envisions all possible scenarios, such as if cell phones don’t work or an event occurs in the middle of the night. Make sure key personnel know how to contact one another. The communications plan should include such points as the following:

  • Who from each department or division will be on the crisis team? Who will be their backups?
  • How or where will the crisis team meet (e.g., on a conference call, in a safe location, etc.)?
  • How frequently will the team check in?
  • How will the team ascertain the safety and whereabouts of other staff?

Similarly, make arrangements for a chain of command. Who will manage the process in real time? You do not want to lose valuable recovery time because of a power vacuum. Designate alternates in the event that staff members are incapacitated or absent. Those on the ground need to have power to make decisions during a crisis or your careful planning will be wasted.

You may need to provide extra training. For example, if your plan for a labor strike calls for managers to run the assembly line, make sure those managers have adequate and regular training on how to work the machinery.

Conduct drills and rehearsals of these plans. Then, do an assessment of your business impact analysis by documenting where problems occurred. Adjust your planning accordingly.

How BIA Fits into Business Continuity Planning

Business continuity planning comprises a business’ efforts to safeguard itself against threats and recover from the effects of unavoidable events. You can think of business continuity planning as involving two related but distinct types of planning: backup planning, which keeps operations running at an acceptable level, and recovery planning, in which you return operations to a desired optimal level.

The focus of this planning is business disruption, which occurs when normal optimal operations suffer a significant adverse effect, usually due to an outside event.

Business impact analysis is one crucial element of business continuity planning. Another is risk assessment. People often think these two processes are synonymous, but, as we explain below, there are key differences between them.

Business Impact Analysis vs. Risk Assessment

Business disruption occurs when a business risk becomes a reality. Generally, it’s a threat that causes a risk to evolve into a reality. A business risk may be characterized by the absence of important resources such as staff, materials, data, or facilities. The threats or hazards that cause a risk to manifest are diverse: They can be anything from a pandemic to a tsunami. (See the list of possible disasters, accidents, and emergencies we discussed earlier.) Importantly, the mere presence of a threat does not necessarily mean that the business risk will be realized. For instance, if a flu pandemic is spreading but all your employees have been immunized, they can continue working without realizing the risk of contracting the flu.

The business impact analysis and risk assessment are the initial steps in the business continuity planning process. BIA tells you how a business might be affected by a disruptive event and spells out the protocols for initiating recovery efforts. In the process, the BIA team will also predict which assets are at risk and whether these are people, property, brands, relationships, IT resources, or the supply chain. The analysis also identifies specific weak points that make assets more vulnerable.

Risk assessment focuses on classifying both the impact and likelihood of specific disruptive events — from hurricanes to cyber-attacks — so that recovery planning and resources can first zero in on those events with both heavy consequences and a high probability of taking place.

If it is possible to mitigate the risks of certain events — perhaps via investment — then the risk assessors will consider that mitigating course of action and make a recommendation using the findings in the BIA report.

Recovery planning follows BIA and risk assessment. Planners develop a recovery strategy and then compare the company’s current recovery capabilities to the desired ones. Next, document a recovery plan and conduct testing and practice exercises for recovery efforts.

Business Impact Analysis for Information Technology: BackUp vs. Recovery

In business impact analysis for information technology, experts note that disaster recovery planning involves much more than simply backing up data. A backup plan might entail copying and storing a company’s data every day, so it can be accessed if any information is lost or corrupted. A recovery plan is much broader and assumes the failure of all IT infrastructure. A full recovery plan would require setting a recovery time objective, creating a duplicate IT system at another site that is available if needed, planning for how to bring systems back online, and conducting ongoing testing of recovery systems.

What Are the Most Common Mistakes People Make in Business Impact Analysis?

BIA experts say certain mistakes are common, especially when companies are new to business impact analysis. Martinez says he sees the following missteps most frequently: overcomplicating BIA with an excessive focus on data-crunching formulas, looking at too many potential impacts, and planning for too many different adverse events.

Kirvan of the Business Continuity Institute says, “Mistakes most often made in performing a BIA revolve around the need to complete the BIA quickly, as opposed to thoroughly. BIAs can take weeks or even months to complete. This [time-consuming aspect] often serves as a deterrent to doing BIAs, and what develops instead is the need to take shortcuts in order to save time and money.”

Here are the errors that Fullick says he sees most often in BIA processes:

  • Lack of Management or Executive Support: BIA requires resources to be effective, and if resources are not allocated to the process, the resulting plans will be lackluster. Moreover, BIA staff members need training and skills to manage the effort.
  • Poor Follow-Up: Some organizations make a big effort on BIA, but then fizzle when it comes to fully implementing the subsequent recovery strategies and plans.
  • Lack of Clarity on Scope or Level of Detail: The right scope or level of detail differs among organizations, but within a company’s BIA, the parameters should be uniform. Often, BIA will be ultra-detailed for some units and very broad for others. There needs to be a consensus on what level of scope and detail will accomplish the company’s objectives.
  • Wrong Participants: An organization might call upon people without the right level of expertise or knowledge of operations to provide information for the BIA if the process does not have adequate support or the crisis team doesn’t clearly convey its objectives.
  • Weak Data Collection: Questionnaires need to capture all the needed information and also be straightforward, so respondents can complete them quickly and easily. For in-person information-gathering, BIA analysts may lack strong interview skills and fail to glean insights.
  • Focusing on Tools over Process: The BIA team can become overly focused on the tools it uses for collecting and analyzing data and lose sight of the underlying process.
  • Insufficient Analysis: Poor or incomplete analysis can undermine the value of the information you’ve gathered. “Analysts need to look for trends, patterns, relationships, and discrepancies among and within the data to ensure a thorough and meaningful analysis,” Fullick urges.
  • Poorly Presented Findings: The BIA may be well executed but poorly communicated. The presentation may be unclear or provide too much detail for senior managers to extract the key points.
  • Too Time Consuming: Fullick says that BIAs frequently take too long. If the process spans many months, other organizational changes may occur, rendering the BIA out of date and therefore irrelevant.


When Should You Review a Business Impact Analysis?

Review your business impact analysis at least annually. If your business processes change sooner, update the BIA to reflect these revisions.  

Your first BIA will likely be a lengthy process. However, updates generally go relatively quickly, unless there have been extensive organizational changes in the interim.

Most importantly, make sure that the analysis remains comprehensive and recovery strategies remain viable. To check, ask a few questions:

  • Have processes, especially critical ones, changed significantly?
  • Are resource requirements for processes the same as they were during the last BIA?
  • Have the interdependencies between processes changed?
  • Has the vulnerability of specific processes to emergency events changed?

Fullick of StoneRoad says that infrequent review of the BIA can cause problems. “If we only review and update on an annual basis, or even less frequently, it can take a long time… and sometimes will feel as if you’re (nearly) starting the BIA over from the beginning. When that happens, it means that continuity-related plans and processes aren’t fully representing the organization as it is — they are representing the organization as it was,” he explains.

Resources to Learn More about Business Impact Analysis

To learn more about BIA and strengthen your skills, you can continue learning on your own, take classes, or attend formal training programs. Here are some recommended resources:

What Is Impact Analysis in Software Testing?

Some people confuse business impact analysis with impact analysis in software testing, but these two processes are unrelated. Impact analysis in software testing looks at the impact of changes on already-deployed software and is a standard part of managing software. Unlike BIA, this process does not concern disaster preparedness.

Improve Business Impact Analysis with Real-Time Work Management in Smartsheet

Empower your people to go above and beyond with a flexible platform designed to match the needs of your team — and adapt as those needs change. 

The Smartsheet platform makes it easy to plan, capture, manage, and report on work from anywhere, helping your team be more effective and get more done. Report on key metrics and get real-time visibility into work as it happens with roll-up reports, dashboards, and automated workflows built to keep your team connected and informed. 

When teams have clarity into the work getting done, there’s no telling how much more they can accomplish in the same amount of time. Try Smartsheet for free, today.




Discover why over 90% of Fortune 100 companies trust Smartsheet to get work done.

Try Smartsheet for Free Get a Free Smartsheet Demo