Back to Resources

How to Conduct a Business Impact Analysis

A step-by-step guide to identifying your critical business functions, assessing impact, and setting recovery priorities.

What is a Business Impact Analysis?

A Business Impact Analysis (BIA) is the foundation of any business continuity program. It's a systematic process to identify your organization's critical functions, understand what happens when they're disrupted, and determine how quickly they need to be recovered.

The BIA answers three fundamental questions: What are our most important activities? What's the impact if they stop? How quickly do we need to get them back?

Why it matters: Without a BIA, you're guessing about priorities. A proper BIA ensures you focus recovery efforts on what actually matters most to your business.

Step 1: Define Scope & Objectives

Before diving in, establish what you're analyzing and why. Consider:

  • Which departments, locations, or processes are in scope?
  • What timeframes are you analyzing (24h, 48h, 1 week, 1 month)?
  • Who needs to be involved in providing information?
  • What's the deadline for completing the BIA?

Step 2: Identify Business Functions

Create an inventory of all business functions — the activities your organization performs. Work with department heads to ensure nothing is missed.

For each function, capture basic information:

Function Information to Collect:

  • • Function name and description
  • • Department/business unit owner
  • • Key personnel involved
  • • Systems and applications used
  • • Upstream/downstream dependencies
  • • Peak periods (seasonal, daily, monthly)

Step 3: Assess Impact Over Time

For each function, analyze what happens if it's unavailable. Consider impact across multiple dimensions:

Financial Impact

Lost revenue, penalties, extra costs, contractual damages

Operational Impact

Productivity loss, backlog accumulation, cascading failures

Customer Impact

Service disruption, satisfaction, customer loss, complaints

Regulatory/Legal

Compliance violations, legal exposure, reporting failures

Reputational Impact

Brand damage, media coverage, stakeholder confidence

Safety/Health

Employee safety, public safety, environmental impact

Assess impact at different time intervals (e.g., 4 hours, 24 hours, 72 hours, 1 week) to understand how impact escalates over time.

Step 4: Determine Recovery Objectives

Based on your impact assessment, establish recovery objectives for each function:

RTO (Recovery Time Objective)

The maximum acceptable time a function can be offline. "We need this back within X hours."

RPO (Recovery Point Objective)

The maximum acceptable data loss measured in time. "We can afford to lose X hours of data."

MTPD (Maximum Tolerable Period of Disruption)

The absolute maximum time before business viability is threatened. The point of no return.

Step 5: Identify Dependencies

Map what each function depends on to operate:

  • IT Systems: Applications, databases, networks
  • Vendors: Suppliers, service providers, utilities
  • Facilities: Offices, warehouses, equipment
  • People: Key personnel, specialized skills
  • Other Functions: Internal dependencies

Step 6: Prioritize & Document

Categorize functions by criticality based on your analysis:

Critical Must be recovered immediately (RTO < 4h)
Essential Recovery within business day (RTO 4-24h)
Important Recovery within a few days (RTO 24-72h)
Deferrable Can wait until after crisis (RTO > 72h)

Document everything in a BIA report that can be shared with stakeholders and used to inform your business continuity planning.

Ready to Start Your BIA?

InstaBCM guides you through the entire process with smart questions and automatic prioritization.

Start Free BIA