A BIA (Business Impact Analysis) is used to identify the critical business functions and states the impact of the loss associated with this. A BIA should help you to:
- Identify activities that are critical to the Directorate/School/University;
- Identify the key internal and external dependencies (e.g. suppliers, funding bodies, IT systems etc.);
- Assess how long we can continue without the activity in the event of disruption; and
- Identify the impact on the business.
The University of Dundee has a BIA template for all Schools and Directorates to use. The BIA template does not specify the nature of the incident; the focus is on the impact of certain activities not occurring. The loss of function and interference to normal business, irrespective of whether this is caused by a flood/power outage/plague of insects etc, and prioritisation of recovery, is what the BIA seeks to identify.
To carry out a BIA, the following steps should be taken:
- A risk analysis should be carried out to identify the operational risks faced by the Directorate/School. A BIA may, in a sense, act as an output from your risk register. Where your risk register identifies key strategic and operational risks, the BIA identieis the impact on activities if these risks come to fruition.
- Identify key activities/services in the Directorate/School.
- If adversely impacted, what is the result of this? Is there a financial, operational and/or reputational impact? How significant would this impact be?
- Once completed, the BIA should the be used to priorities the resumption of activities/services.
Below is the template the University uses to carry out a BIA:
|Critical Activity||e.g. Undergraduate teaching, research activity, placements|
|What IT systems support this activity||e.g. My Dundee|
|Immediate impact if this activity cannot occur||e.g. impact on students, health & safety risk, impact on relationship with partner institution|
|Level of impact||High, Medium or Low|
Recovery Point Objective for minimal activity
This is the point at which the activity could take place at the 'bare minimum' level - for example, delivering all teaching via MyDundee (assuming this is available)
|How long could you manage with no activity?||This will depend on the kind of impact and level of impact|
|What is the maximum tolerable period with minimal activity?||How long with the Recovery Point Objective for minimal activity be acceptable?|
|What is the maximum tolerable period to achieve normal activity?||How long can the Directorate/School last before it needs to be back to business as usual? This would not mean coping with minimal activity as services would improve during this period.|
|In current BCP?||Is this covered in the existing Business Continuity Plan?|
|Owner||Who is responsible for the delivery of this activity?|
|Further information, e.g. critical time periods||
e.g. examinations, matriculation