What is Business Impact Analysis (BIA)?

A business impact analysis (BIA) is a process to determine the criticality of business operations and evaluate the effects of an interruption to critical functions to maintain operational resilience and business continuity during and after an interruption (Al-Essa & Al-Sharidah, 2018). The BIA quantifies the impact of a disruption to business operations on service delivery, the risk associated with service delivery, impact analysis, the recovery time objective (RTO) and recovery point objectives (RPO), critical third-party vendors and suppliers, recovery technologies, communication protocols, contingency management amongst others. These components of the business impact analysis are taken into consideration when developing strategies, solutions, and plans to ensure business continuity and disaster recovery (Rezaei Soufi et al., 2019). Thus, BIA identifies a business’s critical systems, functions, and processes and places a numeric value on how quickly these have to be recovered or restored in the event of a disruption. As a result, the business continuity plan (BCP) and disaster recovery plans (DRP) are derived from the business impact analysis (BIA).

What is a Business Continuity Plan (BCP)?

A business continuity plan (BCP) outlines the processes, and procedures, implemented to preserve core business operations in the event of a disruption on critical systems, functions, and processes. The main objective of a BCP is to keep the business running even during disruptions of business operations; thus, critical operations continue to function even under unusual circumstances.

What is the Role of Business Impact Analysis (BIA) and Risk Assessment (RA) in a Business Continuity Plan (BCP)?

Business impact analysis (BIA) and risk assessment (RA) are the two major processes used in designing an effective business continuity plan. BIA and RA identify the organization’s critical functions and processes that could disrupt core business operations in the event of a disaster (Rezaei Soufi et al., 2019). As a result, BCP prioritizes the use of critical vulnerabilities, functions and resources identified in the BIA to manage, maintain and recover in the event of a disruption of critical functions and operations (Păunescu et al., 2018). The BCP plan focuses on the business as a whole but concentrates on specific business functionalities that have high operational risks. It also provides contingency plans that details how the business will continue to operate even if processes were moved to an alternate location. A comprehensive BCP also addresses the needs of third-party vendors and partners that are critical to business continuity. Thus a BCP helps organizations prepare and protect against disasters, reduce the likelihood of these events occurring,  respond and recover from them when they do occur (PĂUnescu & Argatu, 2020). A typical BCP usually contains sections for contact details of key recovery personnel, plan objectives, risk assessment, impact analysis, prevention techniques, response, communication protocols, contingency management and areas for improvement.

What is a Disaster Recovery Plan (DRP)?

On the other hand, a Disaster Recovery Plan (DRP) is a more focused part of a business continuity plan that involves a set of procedures, and tools, to regain functionality and access to information technology (IT) resources after a disruption to business operations. A DRP includes consistent actions taken before, during, and after a disaster. Most disaster recovery plans include alternate sites (hot, warm, and cold sites), with redundant data centers, multiple telecommunication links, and take into consideration disaster insurance, and legal liability (Faisal, 2018). The DRP encompasses recovery procedures, technologies, protocols, third parties, recovery time objective (RPO), the desired time for completing recovery, and recovery point objective (RPO), the desired point for restoring data from backups. The components of a DRP plan are derived from performing a business impact analysis and risk assessment. Thus, to ensure that the DRP plan continues to be effective in a disaster, the plan must be tested using any of the following testing techniques; paper testing, walkthrough, simulation, parallel testing, or cutover testing. The plan must also be updated regularly to ensure it remains accurate and ready for use when a disaster strikes.


Al-Essa, H. A., & Al-Sharidah, A. H. (2018, 1-3 Oct. 2018). An Approach to Automate Business Impact Analysis. 2018 IEEE International Systems Engineering Symposium (ISSE),      

Faisal. (2018). The backup recovery strategy selection to maintain the business continuity plan. In (Vol. 229). Les Ulis: EDP Sciences.

PĂUnescu, C., & Argatu, R. (2020). CRITICAL FUNCTIONS IN ENSURING EFFECTIVE BUSINESS CONTINUITY MANAGEMENT. EVIDENCE FROM ROMANIAN COMPANIES [Article]. Journal of Business Economics & Management, 21(2), 497-520. https://doi.org/10.3846/jbem.2020.12205

Păunescu, C., Popescu, M. C., & Blid, L. (2018). Business impact analysis for business continuity: Evidence from Romanian enterprises on critical functions. Management & Marketing. Challenges for the Knowledge Society, 13(3), 1035-1050. https://sciendo.com/pdf/10.2478/mmcks-2018-0021    

Website | + posts