How to Gain Additional Value from Your BIA

There has been a lot of talk around Business Continuity Planning this past year. With the update to the Business Continuity Management Booklet made in November of 2019, the uptick of ransomware, as well as the COVID-19 pandemic, many organizations currently are in the process of improving their Business Continuity Plans or have plans to do so. And the most critical component of any good Business Continuity Plan is the Business Impact Analysis (BIA), or your organization’s business process risk assessment. The goal of a valuable BIA is to help you identify your most important business processes and prioritize their recovery accordingly.

We have covered Business Impact Analysis in a previous blog post, diving into information on what should be included within a good BIA. While the creation of a proper Business Impact Analysis is important, something that many organizations can improve is the utilization of the Business Impact Analysis and the results pulled from this assessment. While your BIA needs to meet regulatory expectations, it’s even more important that your BIA and the business process information you build out is used to mitigate additional risk for the organization.


Business Impact Analysis

The primary function of the Business Impact Analysis is to identify your business process recovery priorities (example below). However, a ton of data is input to receive such a report, and certainly more can be gleaned from the process than a simple prioritization list. Much of the data that you can use to make better decisions and mitigate additional risk is going to come from business process dependencies. As a reminder, the TRAC process takes into account other business processes, vendors, and IT assets that a business process relies on to function, which can be pretty valuable information.

[Figure: BIA Analysis Report Sample]


Using Dependency Data

The three (3) variables considered as part of our dependencies are all important; however, we can take more valuable data from some than others. For example, identifying the business processes that rely on one another is incredibly important for determining priority, but the use of that data outside of priority calculation can be pretty limited. Vendor and IT asset dependencies, on the other hand, are a very different story. So, after enumerating all the IT assets that each of your business processes requires to function, how can you use this information to mitigate additional risk?

  1. Testing Schedule: If the most critical IT assets can be identified for each business process, this information can be used to develop a testing schedule. This information can show what assets are consistently required for business operations and which assets should be prioritized in live disaster recovery testing, tabletop testing, or backup testing.
  2. Redundancy Planning: Identifying IT asset redundancy becomes easier when you can see how many processes an asset is associated with. Even more, if one of your critical IT assets cannot be purchased, configured, and placed online in a secure and complete manner before reaching the Max Allowable Downtime timeframe, this may be an indication that the noted IT asset is a prime candidate for redundancy.
  3. Procedure Development: Depending on size and complexity, many organizations do not have a recovery procedure built out for every application and system used. Identifying your most critical IT assets can assist in determining which applications and systems should have a system and application recovery procedure documented. Your most critical IT assets can be identified by seeing which assets are assigned to your top-priority business process in conjunction with how many other processes require that asset.
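
The asset analysis described in the list above, as an added example (not code from the original post or from TRAC): it ranks assets by the priority of the most important process that needs them and by how many processes depend on them, and flags an asset as a redundancy candidate when its replacement time exceeds the tightest Max Allowable Downtime among its dependents. All process names, asset names, priorities, and hour values are constructed sample data.

```python
# Constructed sample BIA data. priority 1 = recover first;
# mad_hours = Max Allowable Downtime for the process.
PROCESSES = {
    "Wire Transfers":    {"priority": 1, "mad_hours": 4,
                          "assets": ["Core Server", "Firewall", "Wire Workstation"]},
    "Teller Operations": {"priority": 2, "mad_hours": 8,
                          "assets": ["Core Server", "Firewall", "Teller PCs"]},
    "Loan Origination":  {"priority": 3, "mad_hours": 48,
                          "assets": ["Core Server", "Loan Server"]},
    "Marketing":         {"priority": 4, "mad_hours": 168,
                          "assets": ["Email Server"]},
}

# Constructed estimates: hours to purchase, configure, and securely
# place a replacement online. A missing entry means "not yet estimated".
REPLACE_HOURS = {"Core Server": 72, "Firewall": 24, "Wire Workstation": 2,
                 "Teller PCs": 6, "Loan Server": 36, "Email Server": 24}


def analyze_assets(processes, replace_hours):
    """Invert process->asset dependencies and rank assets by criticality."""
    assets = {}
    for proc, info in processes.items():
        for name in info["assets"]:
            rec = assets.setdefault(name, {
                "asset": name, "processes": [],
                "best_priority": info["priority"],
                "tightest_mad": info["mad_hours"]})
            rec["processes"].append(proc)
            rec["best_priority"] = min(rec["best_priority"], info["priority"])
            rec["tightest_mad"] = min(rec["tightest_mad"], info["mad_hours"])
    for rec in assets.values():
        hours = replace_hours.get(rec["asset"])
        rec["replace_hours"] = hours
        # No estimate is a finding in itself, not evidence the asset is safe.
        rec["needs_estimate"] = hours is None
        rec["redundancy_candidate"] = hours is not None and hours > rec["tightest_mad"]
    # Top-priority dependents first, then widest use; this order doubles as
    # the testing schedule and the recovery-procedure backlog.
    return sorted(assets.values(),
                  key=lambda r: (r["best_priority"], -len(r["processes"]), r["asset"]))


if __name__ == "__main__":
    for r in analyze_assets(PROCESSES, REPLACE_HOURS):
        flag = "REDUNDANCY" if r["redundancy_candidate"] else ""
        print(f'{r["asset"]:<17} used by {len(r["processes"])} '
              f'MAD {r["tightest_mad"]}h replace {r["replace_hours"]}h {flag}')
```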

With vendors being a major part of your Business Continuity Plan, it’s not just IT assets that organizations need to plan around. You can use vendor dependency information in a very similar manner as the IT asset dependencies were used; however, there are going to be some differences.

  • Contact List Development: Any vendor that a business process is dependent upon should be added to your contact list and included in your Business Continuity Plan.
  • Tabletop Testing Development: Service Provider Unavailability is not only a great threat to have included within your BCP risk assessment, it is also frequently one of the more inherently risky threats noted in a risk assessment, due to its higher probability and significant impact. If one of your critical vendors is unable to provide you with a service your organization (and your customers) relies on, the impact to your organization can be enormous. When planning for your BCP tabletop scenarios, take some of your most frequently listed vendor dependencies and develop a testing scenario around one of those vendors being unavailable for an extended amount of time. For example, many internet service providers, internet banking providers, and even core processors (looking at you, Finastra) have experienced cyber-incidents, outages, or bandwidth issues during this COVID-19 pandemic. How have these situations impacted your organization?
  • Redundancy Planning: In the same way you plan for maintaining redundant IT assets, you need to consider the potential for redundant vendors. A common example is your internet service provider (ISP). If a vendor’s unavailability has a widespread impact across all or most of your business processes, depending on the vendor in question, a backup service provider could be a huge risk mitigation.

Beyond BIA’s Core Purpose

When an organization puts effort into gathering so much data to create a valuable Business Impact Analysis, the idea that you are only going to use that data to get a listing of most-important to least-important business processes can be pretty disappointing.

The good news is that you are only limited by your creativity when it comes to how you can use your BIA to both create and improve the business continuity planning process. Even more so, with the amount of detail that goes into building a proper BIA, organizations often run into other areas of the Information Security Program that can be improved. When going through your dependencies, you may find an IT asset that hadn’t been properly added to the IT risk assessment. Perhaps you’ll identify a vendor whose availability rating may need to be increased, or maybe even a vendor that was missed in your vendor management process.

If you are a user of TRAC, you will notice that IT asset and vendor data is automatically pulled from your other modules, such as the IT Risk Assessment and Vendor Management modules, populating BIA dependency lists. This is not only an efficient way to use work that has already been built out, but also allows you to check that work from an entirely different perspective.

Ultimately, you’re going to put in a lot of effort to build out a Business Impact Analysis that properly appeases your regulators. You might as well make sure you are using that information to benefit your overall Business Continuity Plan, help you mitigate additional risk to your organization, and make better business decisions. In the end, that is the real reason those BIA requirements are there in the first place.



Written by: 
Cole Ponto
Information Security Consultant - SBS CyberSecurity, LLC 


Posted: Tuesday, June 23, 2020