Business Impact Analysis and Continuity Risk Management
Business Impact in Brief
- Business Impact Analysis identifies which activities are most time-critical
- Each activity is given a Maximum Tolerable Period of Disruption (MTPD)
- Recovery Time and Recovery Point Objectives follow from the MTPD
Business continuity risk and impact analysis
Business continuity is the discipline of preparing the organisation to keep operating, or recover quickly, when something disrupts normal activity. ISO 22301 is the dedicated standard, but every other ISO management system standard expects business continuity to be considered through risk-based thinking. Disruption affecting service delivery is a quality risk; disruption affecting workforce safety is an occupational health and safety risk; disruption affecting information availability is an information security risk. The disciplines overlap, and a single business continuity approach usually serves all of them.
Two pieces of work sit at the heart of business continuity risk management. The first is business impact analysis - working out which activities matter most, what depends on what, and how quickly recovery is needed. The second is disruption risk assessment - identifying the events that could cause disruption, scoring them, and deciding what to do about them. The two come together in the continuity plan that says how the organisation will respond when disruption occurs.
Business impact analysis
Business impact analysis (BIA) starts from the activity, not the threat. The question is: if this activity stopped, what would the impact be, and how long could the organisation function without it? Working through every significant activity produces a structured map of what really matters and where recovery effort should be concentrated.
Each activity in the analysis is described with a few key attributes:
- Criticality - how important is this activity to the organisation's overall ability to deliver and meet its obligations
- Maximum tolerable period of disruption (MTPD) - the longest the activity can be unavailable before unacceptable damage occurs
- Recovery time objective (RTO) - the time within which the activity should be restored, set within the MTPD with margin
- Recovery point objective (RPO) - for activities involving data, the maximum data loss that is tolerable, expressed as a time
- Dependencies - the people, systems, suppliers, premises and information the activity relies on
- Minimum service level - the level at which the activity needs to operate during disruption to avoid the unacceptable damage
The analysis is not pure speculation. Past incidents, near-misses, customer impact assessments and operational data inform the answers. Activities that have caused trouble when they have failed in the past, and customer-facing activities where impact is most visible, usually emerge as the most critical.
Critical functions and dependencies
Most organisations find that a relatively small number of activities account for most of the operational risk. Identifying these critical functions early focuses the rest of the work.
A typical small to mid-sized organisation might have five to ten genuinely critical functions - service or product delivery, customer-facing communications, payment processing, key supplier relationships, core systems, and the people who run them. Each of these will have dependencies that themselves need consideration: the service delivery function depends on certain systems, those systems depend on certain infrastructure, that infrastructure depends on power and connectivity.
Mapping dependencies surfaces single points of failure. A single supplier providing all of a critical input, a single person holding institutional knowledge, a single system without redundancy - all become entries on the disruption risk register and inputs to the continuity plan. The discipline of dependency mapping often reveals risks the organisation had not previously considered.
Disruption risk identification
Disruption risks fall into several categories that are useful as identification prompts:
- Premises and infrastructure - fire, flood, building damage, utility failure, environmental incident at or near the site
- People - illness, pandemic, key person departure, industrial action, transport disruption preventing access
- Technology - system failure, cyber incident, data loss, communications failure, third-party service outage
- Suppliers - supplier failure, delivery disruption, quality failure, financial collapse
- External - severe weather, civil disorder, regulatory action, geopolitical event, public health emergency
Each category is worked through against the critical functions identified by the BIA. Where a category contains a credible risk to a critical function, an entry on the disruption risk register results. The number of entries is usually moderate - twenty to forty for most organisations - because the focus is on disruption to identified critical functions, not on every conceivable bad event.
Scoring disruption risk
The 3 by 3 matrix used elsewhere works for disruption risk with the consequence axis rephrased as impact on activities:
- Little Impact - workarounds available, no perceptible impact on customers, recovery within hours without effort
- Some Impact - service degraded for a recoverable period, some customer impact, recovery requires structured effort
- Major Impact - critical services suspended, customer obligations breached, recovery requires significant effort and may exceed the maximum tolerable period
Likelihood is normally framed as the probability of disruption events affecting the organisation in any given year. The Tolerable / Moderate / Substantial bands then drive treatment decisions the same way as elsewhere on the strategic register.
Some organisations add a continuity priority rating that combines criticality of the affected activity with the disruption likelihood and impact. This produces a focused list of where investment in continuity arrangements is most worthwhile, distinct from the operational risk position.
Treating disruption risk
The four standard treatments apply to disruption risk:
Avoid - eliminate the source of disruption where possible. Moving away from a flood-prone site, replacing a single-source supplier with multiple sources, removing a single point of failure from a system architecture.
Reduce - the most common treatment for disruption risk. Resilience measures (backups, redundancy, alternative suppliers, cross-trained staff, diverse infrastructure), preventive measures (maintenance, monitoring, early warning), and recovery preparation (continuity plans, exercises, recovery procedures).
Transfer - business interruption insurance is the most common form, covering the financial consequences of specific disruption events. Outsourcing critical functions to providers with stronger continuity capability is another form of transfer, though accountability remains with the organisation.
Accept - low-likelihood disruption with low-consequence impact, where preparation cost exceeds the expected benefit. Acceptance is rarer for business continuity than other risk types because the impact when disruption occurs tends to be visible and customer-affecting.
The continuity plan
The continuity plan is the documented response to disruption. It does not need to be elaborate. The minimum content is who does what, when, in the first hours and days of a significant disruption, and how the organisation communicates with staff, customers, suppliers and regulators.
For most organisations the plan covers:
- Activation criteria - what triggers the plan
- Roles and responsibilities during the response
- Initial actions for the first hour, four hours, twenty-four hours
- Communication arrangements - who tells whom what, when
- Recovery procedures for each critical function with their RTO and RPO
- Resources required and where they are located
- Contact information for staff, suppliers, customers, regulators
The plan is exercised at planned intervals - tabletop walkthroughs at least annually, with full or partial live exercises where the criticality justifies them. Exercising surfaces gaps in the plan and builds the response muscle that pays off when real disruption occurs.
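The BIA attributes above, the dependency mapping that surfaces single points of failure, and the plan's per-function recovery procedures can be checked mechanically. The following is an added example, not part of this page or the alphaZ toolkit; the activities, resources and hour values are constructed and illustrative, and "redundant" means the organisation already has an alternative in place for that resource. It flags an RTO that leaves no margin inside its MTPD, a plan procedure slower than the RTO (or missing altogether), and every non-redundant resource that critical activities transitively depend on.

```python
from dataclasses import dataclass

@dataclass
class Activity:
    name: str
    mtpd_h: float     # maximum tolerable period of disruption, in hours
    rto_h: float      # recovery time objective; must sit inside the MTPD with margin
    depends_on: list  # direct dependencies: systems, suppliers, people, premises

def transitive_deps(resource, dep_map, seen=None):
    # Everything a resource ultimately relies on, following the chain down to power etc.
    seen = set() if seen is None else seen
    for d in dep_map.get(resource, []):
        if d not in seen:
            seen.add(d)
            transitive_deps(d, dep_map, seen)
    return seen

def single_points_of_failure(activities, dep_map, redundant):
    """Map each non-redundant resource to the critical activities that stop without it."""
    spof = {}
    for a in activities:
        chain = set(a.depends_on)
        for d in a.depends_on:
            chain |= transitive_deps(d, dep_map)
        for r in sorted(chain - redundant):
            spof.setdefault(r, []).append(a.name)
    return spof

def bia_plan_findings(activities, plan_recovery_h):
    """Flag RTOs with no margin inside the MTPD and plan procedures slower than the RTO."""
    findings = []
    for a in activities:
        if a.rto_h >= a.mtpd_h:
            findings.append(f"{a.name}: RTO {a.rto_h}h leaves no margin inside MTPD {a.mtpd_h}h")
        planned = plan_recovery_h.get(a.name)
        if planned is None:
            findings.append(f"{a.name}: no recovery procedure in the plan")
        elif planned > a.rto_h:
            findings.append(f"{a.name}: plan recovers in {planned}h but RTO is {a.rto_h}h")
    return findings
# Constructed sample BIA for a hypothetical organisation; values are illustrative only.
ACTIVITIES = [
    Activity("service delivery", 8, 4, ["order system", "dispatch team"]),
    Activity("payment processing", 24, 8, ["payment gateway", "order system"]),
    Activity("customer communications", 48, 48, ["email platform"]),
]
DEP_MAP = {"order system": ["server room", "sysadmin (one person)"],
           "server room": ["mains power", "internet link"],
           "payment gateway": ["internet link"], "email platform": ["internet link"]}
REDUNDANT = {"mains power", "payment gateway", "email platform"}  # alternatives already in place
PLAN_RECOVERY_H = {"service delivery": 48, "payment processing": 6}  # what the plan describes
```

Running `bia_plan_findings(ACTIVITIES, PLAN_RECOVERY_H)` reproduces the four-hour RTO versus two-day plan mismatch an auditor would query, and `single_points_of_failure(ACTIVITIES, DEP_MAP, REDUNDANT)` shows the internet link and the one-person sysadmin role sitting under more than one critical function.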
Connecting to the strategic register
Disruption risk is recorded on the dedicated disruption register. Where a particular disruption risk has strategic implications - a major supplier failure that could threaten the business, a cyber event that could trigger regulatory action - a corresponding entry on the strategic register keeps top management visibility. The strategic entry references the operational disruption register where the detail sits.
Business continuity arrangements feed into management review under Clause 9.3, where the effectiveness of continuity preparation is evaluated. Exercises, real incidents and near-misses provide the evidence for that evaluation.
What I look for at audit is whether business continuity has been actually thought through or just documented. The plan can look thorough on paper but if no one has exercised it, no one knows whether it works. The first time a continuity plan is tested for real is the worst possible time to find out it does not work.
I also look at the link between the BIA and the plan. If the BIA says a function has a four-hour RTO but the plan describes recovery taking two days, something is broken between the analysis and the plan.
The most useful business continuity work we did was the dependency mapping. We thought we knew what our critical functions depended on, but when we sat down and traced it through, we found single points of failure we had not appreciated. One supplier providing a key consumable, one person holding access to a system no one else knew the credentials for, one piece of kit with no spare. That work paid for itself before we even finished documenting it.
Business continuity is not about producing a thick plan. It is about being able to keep going, or recover, when things go wrong. A short plan that people have practised is worth more than a long plan that sits on a shelf.
Practical Compliance Guidance
IMS1 Section 1.6 covers risk-based thinking, including business continuity considerations. The dedicated business continuity arrangements live in their own register and plan, with strategic-level continuity risks reflected on the strategic register.
The alphaZ documents below are the working set for business continuity - the dedicated register, the disruption risk assessment, the strategic register where headline issues are captured, and the management review where continuity effectiveness is evaluated.
| alphaZ document | How to use it |
|---|---|
| ISO 9001/14001/45001 IMS Toolkit | Integrated toolkit including IMS1 and the registers used to record business continuity considerations across multiple disciplines. |
| F-IMS21 Business Continuity Register | The dedicated business continuity register covering critical functions, MTPD, RTO, RPO, monitoring, testing and the wider continuity arrangements. |
| ER16 Business Continuity Risk Register | Disruption risk register applying the risk rating matrix to specific disruption events, with critical functions, recovery priority and business impact analysis. |
| F-IMS23 Opportunities and Risks Register | The strategic register where headline business continuity risks with strategic implications are captured for top management visibility. |
| ER1 Issues and Actions Register | Tracks treatment actions arising from continuity work - resilience improvements, recovery procedure updates, exercise findings - through to closure. |
| F-Q3 Management Review | Management review form which evaluates business continuity effectiveness as part of the wider risk and opportunity assessment under Clause 9.3. |
Note - all the above files can be downloaded with an alphaZ subscription.
Frequently Asked Questions
UK Legislation relevant to business continuity
UK law does not impose a general legal duty to maintain business continuity arrangements, but several sector-specific obligations apply. Financial services firms face Operational Resilience requirements from the Financial Conduct Authority and Prudential Regulation Authority. Critical national infrastructure operators face requirements under the Network and Information Systems Regulations and sector-specific legislation. Public bodies face Civil Contingencies Act duties. Organisations outside the UK should identify the equivalent legislation in their jurisdiction.
- Civil Contingencies Act 2004
- Network and Information Systems Regulations 2018
- Data Protection Act 2018
