Business Impact Analysis

Risk Management

There will often be many active pieces within an organization. Some may be critical for the organization’s infrastructure, and others may not be as essential for the survival of the company. When conducting a Business Impact Analysis (BIA), one needs to consider what it is that brings actual value to the company. A company’s wealth and value are determined not only by its monetary value, but by its cultural and social values as well. First, we need to establish ‘what value are we creating’ and thereafter ‘who do we create value for’ in order to get an idea of the organization’s output and paint a picture of the overall process.

By working through the following steps, we can systematically review the elements relevant to our company’s value creation. The steps are as follows:

  1. Value creation: Who are we creating value for? To understand this business model, we need to identify potential hazards that can cause disruption to our operations. In this step, you can use models such as Porter’s Value Chain and the Business Model Canvas.
  2. Identification of critical activities: In this step we pool together a number of processes which together constitute an activity. For example, the production line creates value for us, so we need to recognize where potential disruptions within this production line would be critical for our operations.
  3. Mutual dependencies: Which activities rely on each other to function? In this part, it is also relevant to consider how dependent we are on our suppliers. Do we have alternative suppliers in case our Tier 1 supplier is unable to perform their part?
  4. The robustness of critical activities: How do we test our robustness? In this step we test the minimal operative level. For example, if the power is out, can we still keep an overview of our logistics on paper rather than electronically? The system’s robustness is defined by being able to absorb disruptive activities whilst keeping our operative integrity. An analysis can be conducted by doing the following:
     1. Identifying vulnerabilities/minimum operational levels.
     2. Identifying where an increase in resources can strengthen our robustness.
     3. Different types of exercises can also help in this phase (e.g. contingency plans).
  5. Internal and external resources: The resources that the company is reliant on, such as:
     1. Infrastructure: roads, stand-alone systems.
     2. Physical resources: storage/inventory, equipment.
     3. Intellectual resources: skills, employees’ educational background, capabilities.
  6. Maximum Tolerable Downtime (MTD): MTD describes the point where an organization is unable to keep its operational integrity after a disruptive event (post-crisis). The cost of restoration is so high that it would not be worth it.
  7. Recovery Time Objective (RTO): RTO describes when management wishes for an activity to be back up and running. RTO requires resources and therefore an allocation of economic funds. The RTO can be influenced by mitigating interventions, by having Risk Management as an integral part of the organization.

This figure can help illustrate what the MTD and RTO mean during a disruptive event.