What a BIA is and why you need it
A Business Impact Analysis (BIA) assesses how a stoppage of each process affects the company, both over time and in money. The BIA answers three questions: which processes are critical, what their downtime costs, and how quickly they must be restored. Without a BIA, a continuity plan is built by guesswork.
Key metrics: RTO and RPO
- RTO (Recovery Time Objective) — the maximum acceptable time to restore a process. "How fast the function must be back for losses to stay acceptable."
- RPO (Recovery Point Objective) — the acceptable amount of data loss. "How much recent data can be lost without critical consequences."
- MTPD (Maximum Tolerable Period of Disruption) — the period of disruption after which damage becomes irreversible.
How to run a BIA: the procedure
- List the processes (see the critical process register).
- Assess the impact of downtime for each process over time: after 1 hour, 1 day, a week — what is lost (revenue, fines, customers, reputation).
- Rank the processes by criticality.
- Set RTO and RPO for the critical processes.
- Identify recovery resources: people, IT, suppliers, sites.
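The procedure above, worked through on a small register as an added example (not part of the original page). All process names, loss figures, the `TOLERABLE_LOSS` threshold and the rule of treating the first horizon with intolerable loss as an upper bound on MTPD are assumptions made for illustration.

```python
# Added example: every process name, loss figure and threshold below is constructed.
HORIZONS_H = [1, 24, 168]   # the horizons from the procedure: 1 hour, 1 day, a week
TOLERABLE_LOSS = 100_000    # assumption: cumulative loss the business cannot absorb

# Constructed register: estimated cumulative loss at each horizon, the RTO/RPO
# proposed by the process owner (hours) and the current backup interval (hours).
REGISTER = [
    {"process": "internal wiki", "loss": [0, 500, 3_000], "rto_h": 120, "rpo_h": 24, "backup_h": 24},
    {"process": "order fulfilment", "loss": [5_000, 150_000, 900_000], "rto_h": 48, "rpo_h": 4, "backup_h": 24},
    {"process": "payroll", "loss": [0, 2_000, 120_000], "rto_h": 72, "rpo_h": 24, "backup_h": 24},
    {"process": "online payments", "loss": [20_000, 400_000, 2_500_000], "rto_h": 4, "rpo_h": 1, "backup_h": 0.25},
]

def mtpd_bound_h(loss):
    """Earliest horizon at which loss is already intolerable (upper bound on MTPD)."""
    for hours, amount in zip(HORIZONS_H, loss):
        if amount >= TOLERABLE_LOSS:
            return hours
    return None  # still tolerable after a week

def analyse(register):
    rows = []
    for p in register:
        mtpd = mtpd_bound_h(p["loss"])
        issues = []
        # The proposed RTO must end before the point where loss is intolerable.
        if mtpd is not None and p["rto_h"] >= mtpd:
            issues.append("RTO does not fit inside MTPD")
        # Backups taken less often than the RPO cannot deliver that RPO.
        if p["backup_h"] > p["rpo_h"]:
            issues.append("backup interval exceeds RPO")
        rows.append({"process": p["process"], "mtpd_h": mtpd,
                     "week_loss": p["loss"][-1], "issues": issues})
    # Rank: shortest MTPD first, no-MTPD processes last, larger weekly loss breaks ties.
    rows.sort(key=lambda r: (r["mtpd_h"] is None, r["mtpd_h"] or 0, -r["week_loss"]))
    return rows

if __name__ == "__main__":
    for rank, r in enumerate(analyse(REGISTER), 1):
        print(rank, r["process"], r["mtpd_h"], r["week_loss"], r["issues"] or "ok")
```

Processes that come back with issues are the ones whose targets or backup schedule need renegotiating before the results go into the continuity plan.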
What comes next
BIA results feed the business continuity plan (BCP) and are a mandatory element of the ISO 22301 standard. Without a BIA you cannot set recovery priorities.
FAQ
How is a BIA different from a risk assessment?
A risk assessment answers "what can happen and how likely." A BIA answers "how painful it is if a process stops and how fast it must come back." In BCM they are used together.
What are RTO and RPO in plain language?
RTO is how fast to restore a process. RPO is how much data can be lost. The first is about time, the second about the data rollback point.
Can a small company run a BIA?
Yes. Take 3–5 key processes, assess the impact of their downtime over time and set target recovery times. This can be done in a single working day.