Business Continuity Blog

With significant experience in business continuity management consulting, Inoni consultants share their insights.

Business Impact Analysis vs Risk Assessment

Posted by John Robinson on November 17, 2015

business impact analysis vs risk assessment

For any ISO-compliant organisation that seeks to protect itself against threats and hazards, both Business Impact Analysis (BIA) and Risk Assessment are imperative to business continuity management.

However, with the introduction of the BIA-focused ISO 22317, there's a risk that some business continuity professionals may be struggling to distinguish between these two related disciplines.

At a large organisation, either analysis may be the responsibility of a distinct person, team or department, or at a smaller business, just one person may perform both assessments either intenally or as a business continuity consultant.

Either way, it’s vital that BIA and risk assessment are understood as different, yet linked practises, in order to keep a clear sense of what they contribute to a business continuity programme.

Find out about our IT Disaster Recovery Planning Service

What is Business Impact Analysis?

Business Impact Analysis (BIA) assesses the amount your organisation stands to lose (or perhaps even gain) under defined circumstances. The analysis assumes worst-case scenarios and involves understanding the type and rate of expected loss under fixed conditions. BIA is used to recognise the magnitude of financial and operational impacts that derive from disruptions. It enables you to understand how your business would cope during downtime and calculate Recovery Time Objectives (RTOs) for your services.

What is Risk Assessment?

A risk assessment identifies all of the risks that have the potential to impact your organisation’s operations. It seeks to quantify both the impact and the forward likelihood of potential events. A risk assessment is therefore greatly concerned with the possible causes of disruption, from which likelihood is then derived. It’s a valuable tool for recognising threats and taking action to minimise risks to an acceptable level.

What’s the difference between BIA and Risk Assessment?

A core difference between the two business continuity tools is that BIA does not directly focus on the likelihood of events, rather, it assumes worst-case scenarios.

The differences that stem from this are summarised in the table below.

BIA

Risk Assessment

An outward-looking analysis of the impacts that may arise when stakeholders are deprived of products and services, as well as an inward analysis of necessary recovery timeframes, tolerances and levels.


An outward-looking assessment, focused on all potential risks and their likelihood, as well as inward-looking, focused on failure modes, the potential impact of events and the existing controls and strategies to mitigate the impact of risks.


A reflection of your organisation's whole-environment situation and what it stands to lose in major disruptions.


Generally gives rise to an ongoing treatment programme, systematically managing the risks you face.


Draws upon information from high-level sources, such as company accounts, market data, plus legal, human, environmental and other impact types, expressed as sources of loss. Analyses dependency to allow impact assessment at granular and deeper levels.

Draws upon the same high-level information and techniques as BIA to determine the impact of events, but also looks much deeper, potentially at all areas of threat, causality, failure, error, omission and so on.

 

BIA and Risk Assessment in Context

Whereas BIA can be conducted without risk assessment, risk assessment can’t reasonably occur without some form of BIA: risk assessment should use BIA to quantify and prioritise the risks it finds.

The ‘siloing effect’ of ISO and other standards that are being adopted by organisations worldwide can result in confusion. Business continuity managers are faced with the artificial exclusivity demanded by compliance on the one hand and the overlapping integrated reality that is business.

ISO 22317 provides valuable best practises for the BIA process, without reiterating any of the points in ISO 22301. However, as it provides information from a generalist perspective, practitioners may find they need to create a workable roadmap  or use business continuity software that is more appropriate to the size and scale of their organisation.

With this in mind, we've created a whitepaper that helps to contextualise the BIA guidelines for business continuity professionals for you to download.

Find out about our IT Disaster Recovery Planning Service

 

Tags: Risk, Business Impact Analysis, Small Business