
How to perform a Business Impact Analysis and Risk Assessment


Based on Citation ISO Certification's video on YouTube.

TL;DR

Start the ISO 22301 BIA by listing business activities and assessing the impact of disruption, including the maximum tolerable period of disruption.

Briefing

A business impact analysis (BIA) under ISO 22301 is used to pinpoint which operations matter most during disruption—and then translate that insight into a risk assessment with clear recovery expectations. The core workflow starts by listing business activities and judging how severe the impact would be if each activity failed, including the maximum tolerable period of disruption and the recovery time objective (RTO). Criticality is then determined using a priority-for-recovery scale: activities with a priority rating greater than two are treated as “critical” and become the focus of the continuity strategy.

The transcript walks through a practical example: 24/7 Managed IT services. If those services are disrupted, the impact is framed as serious—core service provision would be interrupted, breach of SLA penalties could be triggered, and clients could be lost. The maximum tolerable period of disruption is set to 1 hour, while the RTO is 30 minutes, meaning restoration to an acceptable client-facing level (not necessarily full peak performance) is the target. Recovery priority is rated on a 1-to-5 scale, with a score of five indicating the highest urgency. This activity is also checked for dependencies—external suppliers whose failure could undermine recovery. The example names fictitious dependencies such as Hardware Support Services Limited (for hardware failure) and Telecom Services Limited (for network failure), with guidance to avoid single-supplier dependency by having multiple suppliers for critical activities.

Dependencies aren’t just listed; they must be managed. The approach is to put business continuity management arrangements in place with suppliers, typically by requiring them to provide their own business continuity plans for review before onboarding. The BIA also specifies how recovery would happen: in the example, switching to a mirrored data center in Scotland if issues can’t be resolved within the 30-minute RTO. Stakeholder management is addressed too, including who would coordinate decisions during disruption—either the CEO or the COO, depending on the scenario. Finally, the BIA identifies the resources needed to resume operations within the RTO, such as the Chief Technical Officer and relevant technical staff working with the named suppliers.

Once critical activities are defined, the process moves to risk assessment. For each critical activity, the organization identifies plausible incidents that could disrupt it—examples given include severe weather and epidemic influenza. Likelihood is assessed using estimates based on experience. Each risk is then assigned a risk response category: tolerated (accepted with no additional action beyond acknowledgment), treated (mitigated through specific actions), transferred (handled via third parties such as outsourcing or insurance), or terminated (ending the activity when risk is too high). The final step is to document the proposed risk treatment for every identified risk, ensuring continuity planning is tied directly to measurable recovery needs and realistic threat scenarios.
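The BIA and risk-assessment steps above can be captured as a small register with consistency checks. The Python below is an added example, not code from the video or from Citation ISO Certification: it applies the page's "priority greater than two" criticality rule, checks that each RTO does not exceed its maximum tolerable period of disruption, flags single-supplier dependencies and unreviewed supplier continuity plans for critical activities, and validates that every risk uses one of the four responses and carries a documented treatment. The sample data is constructed around the 24/7 Managed IT example; the newsletter activity, the likelihood values and the response chosen for each incident are assumptions, not facts from the video.

```python
"""Minimal ISO 22301 BIA / risk-register checker (added example, constructed data)."""
from dataclasses import dataclass, field

RISK_RESPONSES = {"tolerated", "treated", "transferred", "terminated"}
CRITICAL_PRIORITY_THRESHOLD = 2   # priority rating > 2 marks an activity critical


@dataclass
class Dependency:
    supplier: str
    failure_mode: str           # failure this supplier covers, e.g. "hardware failure"
    bc_plan_reviewed: bool      # supplier's own continuity plan reviewed before onboarding


@dataclass
class Activity:
    name: str
    impact: str
    mtpd_minutes: int           # maximum tolerable period of disruption
    rto_minutes: int            # recovery time objective (acceptable level, not peak)
    priority: int               # recovery priority, 1 (lowest) to 5 (highest)
    dependencies: list = field(default_factory=list)
    recovery_method: str = ""
    decision_owner: str = ""


@dataclass
class Risk:
    activity: str
    incident: str
    likelihood: int             # experience-based estimate; 1-to-5 scale is an assumption
    response: str               # tolerated / treated / transferred / terminated
    treatment: str = ""         # proposed treatment, required for every risk


def is_critical(activity: Activity) -> bool:
    return activity.priority > CRITICAL_PRIORITY_THRESHOLD


def validate_activity(activity: Activity) -> list:
    """Return BIA completeness problems for one activity (empty list means clean)."""
    issues = []
    if not 1 <= activity.priority <= 5:
        issues.append("priority must be on the 1-to-5 scale")
    if activity.rto_minutes > activity.mtpd_minutes:
        issues.append("RTO exceeds the maximum tolerable period of disruption")
    if not is_critical(activity):
        return issues           # further documentation is only demanded for critical ones
    suppliers_by_mode = {}
    for dep in activity.dependencies:
        suppliers_by_mode.setdefault(dep.failure_mode, set()).add(dep.supplier)
        if not dep.bc_plan_reviewed:
            issues.append(f"continuity plan of {dep.supplier} not reviewed")
    for mode, suppliers in sorted(suppliers_by_mode.items()):
        if len(suppliers) < 2:  # page's guidance: avoid a single supplier per failure mode
            issues.append(f"single-supplier dependency for {mode}")
    if not activity.recovery_method:
        issues.append("no recovery method documented")
    if not activity.decision_owner:
        issues.append("no stakeholder decision owner documented")
    return issues


def validate_risks(activities: list, risks: list) -> list:
    """Check the risk register against the critical activities from the BIA."""
    critical = {a.name for a in activities if is_critical(a)}
    issues = []
    for r in risks:
        if r.activity not in critical:
            issues.append(f"{r.incident}: {r.activity} is not a critical activity")
        if r.response not in RISK_RESPONSES:
            issues.append(f"{r.incident}: unknown response {r.response!r}")
        if not r.treatment:
            issues.append(f"{r.incident}: proposed treatment not recorded")
    for name in sorted(critical - {r.activity for r in risks}):
        issues.append(f"no risk assessment for critical activity {name}")
    return issues


# Constructed sample register modelled on the page's example.
MANAGED_IT = Activity(
    "24/7 Managed IT services",
    "service interruption, SLA breach penalties, client loss",
    mtpd_minutes=60, rto_minutes=30, priority=5,
    dependencies=[
        Dependency("Hardware Support Services Limited", "hardware failure", True),
        Dependency("Telecom Services Limited", "network failure", True),
    ],
    recovery_method="switch to mirrored data centre in Scotland if unresolved within RTO",
    decision_owner="CEO or COO, depending on the scenario",
)
# Assumed non-critical activity for contrast (not from the video).
NEWSLETTER = Activity("Monthly client newsletter", "minor reputational impact",
                      mtpd_minutes=7 * 24 * 60, rto_minutes=3 * 24 * 60, priority=1)
ACTIVITIES = [MANAGED_IT, NEWSLETTER]
# Likelihoods and responses below are assumptions, not values from the video.
RISKS = [
    Risk("24/7 Managed IT services", "severe weather", 3, "treated",
         "fail over to the mirrored data centre"),
    Risk("24/7 Managed IT services", "epidemic influenza", 2, "transferred",
         "staffing cover agreed with the named suppliers"),
]


def report() -> dict:
    out = {a.name: validate_activity(a) for a in ACTIVITIES}
    out["risk register"] = validate_risks(ACTIVITIES, RISKS)
    return out


if __name__ == "__main__":
    print(report())
```

Run as written, the checker accepts the newsletter activity and the risk register but reports two findings for the critical activity: each failure mode in the example is covered by exactly one supplier, which is precisely the single-supplier dependency the video advises against.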

Overall, the method links business impact to operational recovery targets and then to risk treatment decisions, so continuity strategy isn’t built on assumptions—it’s built on prioritized activities, dependencies, and defined tolerances for disruption that drive concrete mitigation choices.

Cornell Notes

The ISO 22301 business impact analysis (BIA) process starts by listing business activities and evaluating disruption impact, including the maximum tolerable period of disruption and the recovery time objective (RTO). Activities are classified as critical using a recovery priority scale; in the example, a priority rating greater than two makes an activity critical. The BIA also documents dependencies (external suppliers), recovery approach (e.g., switching to a mirrored data center), stakeholder involvement (CEO/COO), and resources needed to restore service within the RTO. After critical activities are identified, a risk assessment is performed for those activities by identifying incidents, estimating likelihood, and selecting risk responses: tolerated, treated, transferred, or terminated. The result is a continuity plan grounded in measurable tolerances and specific risk treatments.

How does the BIA determine whether an activity is “critical” for business continuity planning?

Each business activity is assessed for disruption impact and assigned a priority for recovery on a 1-to-5 scale. The transcript defines a critical activity as one with a priority rating greater than two on that scale. Those critical activities then become the focus of the continuity strategy and the subsequent risk assessment.

What’s the difference between the maximum tolerable period of disruption and the recovery time objective (RTO) in the example?

For the 24/7 Managed IT services example, the maximum tolerable period of disruption is set to 1 hour—how long the business can endure disruption before unacceptable consequences occur. The RTO is 30 minutes, meaning the activity should be restored to a tolerable/acceptable level from a client perspective within 30 minutes, even if full peak operational performance isn’t reached.

Why do dependencies matter in the BIA, and how are they handled?

Dependencies are external businesses the organization relies on for survival and recovery. The example lists Hardware Support Services Limited (hardware failure) and Telecom Services Limited (network failure). The guidance is to avoid relying on a single supplier for critical activities and to put business continuity management arrangements in place—often by requiring suppliers to provide their own business continuity plans for review before they’re accepted.

What recovery and stakeholder actions are documented for a critical activity?

The BIA specifies how recovery will happen and who will manage decisions. In the example, recovery involves switching to a mirrored data center in Scotland if issues can’t be resolved within the RTO. Stakeholder management is documented as either personal involvement of the CEO or the COO, depending on the situation.

How does the risk assessment decide what to do with each identified risk?

For each critical activity, plausible incidents (e.g., severe weather, epidemic influenza) are identified and likelihood is estimated. Then each risk is categorized into one of four responses: tolerated (accepted with no action beyond acknowledgment), treated (mitigated through specific actions), transferred (outsourced or insured via third parties), or terminated (risk is high enough that the activity must be ended). The organization also records the proposed risk treatment actions.

Review Questions

  1. In the example, why is restoring to an “acceptable level” within the RTO considered sufficient even if peak performance isn’t achieved?
  2. List the four risk response categories used in the risk assessment and give an example of when each might apply.
  3. What information must be included in the BIA for a critical activity beyond impact and downtime tolerance?

Key Points

  1. Start the ISO 22301 BIA by listing business activities and assessing the impact of disruption, including the maximum tolerable period of disruption.
  2. Set a recovery time objective (RTO) for each critical activity, defining how quickly service must return to a tolerable or acceptable level.
  3. Use a recovery priority scale to classify critical activities; in the example, a priority rating greater than two makes an activity critical.
  4. Document dependencies for critical activities, and manage them by reviewing suppliers’ business continuity plans before onboarding.
  5. Define the recovery method for each critical activity (e.g., switching to a mirrored data center) and specify who leads stakeholder decisions during disruption.
  6. Perform risk assessment for critical activities by identifying plausible incidents, estimating likelihood, and selecting a risk response: tolerated, treated, transferred, or terminated.
  7. Record the proposed risk treatment actions for every identified risk so continuity planning links directly to mitigation decisions.

Highlights

A critical activity is defined using a recovery priority scale: any activity rated greater than two becomes the focus for continuity strategy and risk assessment.
The example distinguishes maximum tolerable disruption (1 hour) from the RTO (30 minutes), emphasizing acceptable client-facing restoration rather than full peak performance.
Dependencies must be managed proactively—suppliers should provide their own business continuity plans for review, and single-supplier dependency should be avoided.
Risk response options are explicit: tolerated, treated, transferred, or terminated—each tied to documented treatment actions.

Topics

  • Business Impact Analysis
  • Risk Assessment
  • ISO 22301
  • Recovery Time Objective
  • Supplier Dependencies

Mentioned

  • ISO 22301
  • BIA
  • RTO
  • SLA