To have an effective Business Continuity Plan (BCP), recovery plans must be based on a Business Impact Analysis (BIA). According to the FFIEC’s Business Continuity Management booklet, BIA is “the process of identifying the potential impact of disruptive events to an entity’s functions and processes.” There are a lot of elements to capital BIA, but for the purpose of this article, we are going to focus on the conceptual lowercase business impact analysis. This analysis will help you make informed decisions about when certain processes can be restored and help you determine appropriate Recovery Time Objectives (RTO).

Prepare the Definitions

The first step in simplifying a BIA is to define ratings, categories, and labels of any kind. Definitions are foundational to an effective analysis process.

Criticality Levels

Criticality Levels are necessary for defining which processes require more immediate attention than others. Consider creating a set of levels such as Critical, Urgent, Important, Normal, and Nonessential. If you work for a smaller institution, you may find you need fewer level options.

The definition of each criticality level is its corresponding Maximum Tolerable Downtime (MTD). This is the amount of time your business can tolerate without the process. For Critical processes, you may only tolerate minutes, but for Nonessential processes, you might tolerate weeks.

Business Impact Categories

When considering downtime of a business process, consider the ramifications this downtime may have on your organization. The kind of impacts which concern you will determine your categories. At a minimum, you should consider the Compliance, Financial, Operational and Reputational impacts to your organization, should a process be unavailable.

For each category, provide clear definitions for each rating. For example, consider the following impact level definitions for the Compliance category:

• Insignificant: Negligible compliance, contractual, regulatory or legal concerns.
• Low: Potential for compliance, contractual, regulatory or legal issues with minor implications.
• Medium: Confirmed compliance, contractual, regulatory or legal issues with moderate implications.
• High: Major penalties and/or costs related to compliance, contractual, regulatory or legal issues.
• Extreme: Extreme penalties related to compliance, contractual, regulatory or legal issues (e.g., jail time for employees, closing of the institution, etc.)

Analyze Impact

Make a list of your business processes. Business processes are a combination of the people, resources, and procedures that achieve a goal, such as Accounting, Information Technology, Lending Operations, Cash Management, and Regulatory Reporting.

Review one process at a time. Gather a group of people who deeply know and understand the process and how the lack of the process could impact the institution in different ways over different periods of time. Identifying the impact level for each category at each timeframe allows you to determine the MTD for this process.

Example Analysis

Let’s look at an example business impact analysis with the Mobile Deposit Capture process and the Reputational impact category. If a disruption to this process occurred, what impact would this have on the organization? Don’t spend too much time thinking about why the process is unavailable. Knowing why a process is unavailable is irrelevant to how long your organization can tolerate going without it before the missing piece begins to affect the organization’s mission, customer experiences, other business functions or compliance requirements.

After one hour, the institution may have a few unhappy customers, but the impact would overall be Insignificant. Even after one day, the impact might still be Low. If the process was down for three days, clients may start to notice and could be upset (Medium). After one week, the organization would likely have to do a lot of work to regain trust (High). If the process was unavailable for 60 days, the impact might be Extreme, as clients could be lost and our reputation would be damaged with the community. See the image for an example of what the ratings could look like.