Completeness and timeliness: The list of business impacts considered must be complete. Day-to-day business focuses primarily on operational details, so the overall view is lost to a certain extent. In the strategic dimension of Business Impact Analysis (BIA), it is very important not to overlook assets or risks: without a complete list of all processes involved, it is not possible to describe all risks and dependencies. It is crucial not only to consider the existing documentation, but also to make a target/actual comparison between documentation and reality. Undocumented processes such as “shadow IT” can represent an incalculable risk – those who do not include them in their business impact analysis have white spots on their map. Outsourced processes must be considered as well. The same is true for up-to-dateness: the processes listed in the Business Impact Analysis must be current. Depending on the company’s development speed, keeping pace with process changes can pose major challenges, and this applies to outsourced processes too. If the suppliers are unable or unwilling to deliver the required information, the BIA may be delayed or even fail.
Dependencies: Penetrating the network of mutual dependencies between risks and impacts is a complex task, and it depends on the completeness of the asset list. Working out the dependencies of, for example, a larger IT infrastructure requires in-depth knowledge of its structure and is often only possible by means of several expert workshops. While the development and introduction of structures focuses on the function, the Business Impact Analysis focuses on what happens if the function fails. This point of view is unusual – for both users and developers. Only in recent years have more and more companies opened up to this perspective and introduced transparent error documentation. The interfaces to outsourced processes must also be considered here – even the best internal BIA is of little use if integral processes are affected by a failure of service providers. Elaborating internal and external interdependencies in great detail is a time-consuming but necessary step in the BIA.
Risk readiness and risk reduction plans: In an idealized view, one would set the risk readiness close to zero and develop a risk reduction plan and emergency plan for every conceivable impact. In reality, the company finds itself in a field of tension between the financial expenditure for risk reduction and contingency plans and the difficulty of determining comparative values for probabilities of occurrence at a high level of detail in the risk appetite. In order not to overstretch the BIA effort, standardized (industry-standard) reference scenarios should be used. The company’s willingness to take risks should be determined and documented comprehensively and, as far as possible, in the broadest consensus, so that all parties involved share a common understanding.
Inclusion of non-monetary impacts: Not all business impacts can be measured directly or expressed as a monetary equivalent. Impacts on factors such as corporate reputation or communication behaviour are difficult to predict, sometimes impossible to influence and sometimes dependent on a pinch of luck or misfortune. Nevertheless, the Business Impact Analysis should try to describe these possible impacts in order to enable a holistic risk assessment.
Prioritization of risk reduction plans and continuous improvement process: When introducing Business Continuity Management according to ISO 22301 for the first time, the implementation of risk reduction plans should be prioritized so that a large investment expenditure does not reduce financial compliance with BCM. The business impact analysis should therefore take this into account, prioritize measures and start a continuous improvement process. When prioritizing, not only rarely occurring risks with a high extent of damage should be considered, but also frequently occurring risks.
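As an added illustration (not from the original article), the following Python sketch models the dependency and prioritization points above on a constructed process map: it derives which processes are hit when an asset or outsourced provider fails, and ranks failure scenarios by expected annual loss so that frequent small risks and rare large ones are compared on one scale. All process names, loss figures and frequencies are assumptions.

```python
from dataclasses import dataclass

# Constructed example data (assumptions, not from the article): each process maps to what
# it needs in order to run; names starting with "ext:" are outsourced service providers.
DEPENDENCIES = {
    "order-intake": ["crm", "ext:payment-gateway"],
    "fulfilment": ["order-intake", "warehouse-db"],
    "invoicing": ["order-intake", "erp"],
    "crm": ["auth"],
    "erp": ["auth", "ext:hosting-provider"],
    "warehouse-db": ["ext:hosting-provider"],
    "shadow-reporting": ["erp"],  # undocumented "shadow IT" found by the target/actual comparison
}
# Assumed monetary loss per hour of outage for the business processes.
LOSS_PER_HOUR = {"order-intake": 5000, "fulfilment": 3000, "invoicing": 1000, "shadow-reporting": 200}


def affected_by(failed, deps=DEPENDENCIES):
    """Return every process that transitively depends on `failed` (reverse reachability)."""
    reverse = {}
    for proc, needs in deps.items():
        for need in needs:
            reverse.setdefault(need, set()).add(proc)
    hit, stack = set(), [failed]
    while stack:
        for dependant in reverse.get(stack.pop(), ()):
            if dependant not in hit:
                hit.add(dependant)
                stack.append(dependant)
    return hit


@dataclass
class Scenario:
    asset: str              # asset or outsourced provider assumed to fail
    events_per_year: float  # assumed frequency of occurrence
    outage_hours: float     # assumed duration of one failure


def annual_loss(s, deps=DEPENDENCIES, loss=LOSS_PER_HOUR):
    """Expected yearly loss = frequency x duration x hourly loss of every process hit."""
    per_hour = sum(loss.get(p, 0) for p in affected_by(s.asset, deps) | {s.asset})
    return s.events_per_year * s.outage_hours * per_hour


def prioritize(scenarios, deps=DEPENDENCIES, loss=LOSS_PER_HOUR):
    """Rank scenarios by expected annual loss; frequent small and rare large risks share one scale."""
    return sorted(scenarios, key=lambda s: annual_loss(s, deps, loss), reverse=True)


# Constructed reference scenarios: a rare long provider outage vs. frequent short internal failures.
SCENARIOS = [Scenario("ext:hosting-provider", 0.5, 8), Scenario("auth", 6, 1), Scenario("ext:payment-gateway", 2, 2)]
```

On this data the frequent one-hour authentication failure outranks the rare eight-hour hosting outage, which is the point of weighing frequency alongside damage extent.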