How to conduct a Business Impact Analysis (BIA)
A business impact analysis (BIA) tells you what to protect first and how fast you must recover. This guide gives you a repeatable method that produces consistent, comparable results.
The trick to a useful BIA is consistency: score every process the same way, so the results are comparable and the derived objectives are defensible.
How to conduct a business impact analysis
- 1. List your business processes
Identify the processes the organisation runs, each with an owner and the assets and vendors it depends on.
- 2. Define impact categories and a scale
Use consistent categories — financial, operational, legal/regulatory, reputational — and anchor a 0–5 scale with written definitions.
- 3. Score impact across time horizons
Rate each category at 1h, 4h, 24h, 72h and 1 week. Disruption almost always hurts more the longer it lasts.
- 4. Derive recovery objectives
From the matrix, set MTPD (first horizon at which impact is severe), RTO (just before that), and RPO (data-loss tolerance, never larger than RTO).
- 5. Tier and record
Convert the scores into a criticality tier, record dependencies and assumptions, and write the objectives back onto each process.
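The derivation in steps 3 to 5, as an added example that is not part of the original guide or any vendor's tooling. The severity threshold of 4, the handling of the two edge cases, the tiering rule, the criticality sum and the sample scores are all assumptions made for illustration.

```python
HORIZONS_H = [1, 4, 24, 72, 168]   # 1h, 4h, 24h, 72h, 1 week, as in step 3
CATEGORIES = ["financial", "operational", "legal_regulatory", "reputational"]
SEVERE = 4                         # assumption: 4 or 5 on the 0-5 scale is "severe"

def derive_objectives(matrix, rpo_tolerance_h):
    """matrix maps each category to its five scores; results are in hours."""
    for cat in CATEGORIES:
        row = matrix[cat]
        if len(row) != len(HORIZONS_H) or any(not 0 <= s <= 5 for s in row):
            raise ValueError(f"{cat}: expected {len(HORIZONS_H)} scores in 0-5")
    # The worst category at each horizon drives the objectives.
    worst = [max(matrix[c][i] for c in CATEGORIES) for i in range(len(HORIZONS_H))]
    # Impact that drops as the outage lengthens is unusual: flag it for review.
    review = [c for c in CATEGORIES
              if any(b < a for a, b in zip(matrix[c], matrix[c][1:]))]
    hit = next((i for i, s in enumerate(worst) if s >= SEVERE), None)
    if hit is None:                # assumption: never severe inside one week
        mtpd, rto = None, HORIZONS_H[-1]
    elif hit == 0:                 # assumption: severe at 1h leaves no tolerable outage
        mtpd, rto = HORIZONS_H[0], 0
    else:                          # RTO is the horizon just before MTPD
        mtpd, rto = HORIZONS_H[hit], HORIZONS_H[hit - 1]
    rpo = min(rpo_tolerance_h, rto)          # RPO is never larger than RTO
    # Assumed tiering rule: the sooner impact turns severe, the higher the tier.
    tier = 4 if mtpd is None else 1 if mtpd <= 4 else 2 if mtpd <= 24 else 3
    # Assumed criticality score: sum of the worst score at each horizon (0-25).
    return {"mtpd_h": mtpd, "rto_h": rto, "rpo_h": rpo, "tier": tier,
            "criticality": sum(worst), "review": review}

# Constructed sample processes and scores, for illustration only.
PAYMENTS = {"financial": [2, 4, 5, 5, 5], "operational": [1, 3, 4, 5, 5],
            "legal_regulatory": [0, 1, 3, 4, 5], "reputational": [1, 2, 4, 5, 5]}
PAYROLL = {"financial": [0, 0, 1, 2, 3], "operational": [0, 1, 2, 3, 4],
           "legal_regulatory": [0, 0, 1, 3, 4], "reputational": [1, 3, 2, 2, 2]}

if __name__ == "__main__":
    for name, m, rpo in [("payments", PAYMENTS, 2), ("payroll", PAYROLL, 24)]:
        print(name, derive_objectives(m, rpo))
```

The owner of the payments process asked for a 2-hour RPO, but the derived RTO is 1 hour, so the RPO is clamped to 1. The payroll row is flagged because its reputational score falls between the 4h and 24h horizons.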
Frequently asked questions
- What is the output of a business impact analysis?
- A BIA produces, for each process, its recovery objectives (RTO, RPO, MTPD), a criticality score and tier, and a record of dependencies — the inputs to continuity strategy and planning.
- Who should be involved in a BIA?
- Process owners provide the impact judgement; a continuity lead ensures consistency of scoring across processes. Tooling that derives objectives from the scores removes spreadsheet errors.