
GUIDELINES TO CONDUCT BIA

BUSINESS IMPACT ANALYSIS (BIA):


BIA is the process of identifying, evaluating, and analyzing the potential effects of an interruption or stoppage of the critical operations and processes of a business due to any foreseen or unforeseen exigencies. This builds a case of consequences in a worst-case scenario.

There is no rule of thumb or fixed guideline for conducting a BIA. The BIA process can be tailored to the field/department/location/operations and to the business environment/product/service interrupted. We have adopted Business Impact Analysis as the laid-out approach for identifying the critical processes and relevant activities whose interruption affects a business product/service, with the financial, regulatory/legal, reputation & image, environmental, and safety & security impacts assessed and classified as per the BIA matrix.

BIA APPROACH:

Phase-I: BIA process Kickoff
• Define objectives, goals, and scope of BIA
• Form BIA team
• Communicate to Business Continuity Plan owner and Dept head/Asset Head

Phase-II: Information Gathering
• Identify impact areas, process owners & impact stakeholders.
• Collect information by document review, interviews, questionnaire/surveys & workshop.

Phase-III: Impact Assessment
• Assess the criticality of the business functions and the processes by calculating the impact on the factors (financial, regulatory/legal, reputation & image, environment, safety & security) and ranking as Extreme, High, and Medium w.r.t. the BIA matrix.
• Assess historical data of any past disruptions with associated impacts & responses.

Phase-IV: Analyze
• Analyze gathered information & impact assessment to:
  a. Generate a priority list
  b. Identify human or technology resources required to maintain optimal level of operation
  c. Estimate a recovery timeframe (RTO, RPO & MTPD)

Phase-V: Documentation
• Fill & sign BIA templates/forms.
• BIA report prepared & submitted to the Business Continuity Plan owner.

BIA RATING MATRIX:

| Level | Regulatory & Legal | Environment | Safety & Security | Financial | Reputational |
|---|---|---|---|---|---|
| Insignificant | No significant breaches with no consequence to the company. | Rectifiable damage to local environment, can be reversed with some clean-up intervention. | No medical treatment required. Verbal threat/small procession near location with no damage/threat to assets/personnel. | < $ 10 MM | Some attention from minor stakeholders / little to no publicity. Resolved by routine processes. |
| Minor | Breaches resulting in exposure to legal action but fairly unlikely. | Localized damage, no medium- or long-term consequences. May require some cleanup intervention. | Injury (or injuries) requiring medical treatment. Minor injuries, minor impairment of core functions and processes. | < $ 30 MM | Minor one-off negative local publicity or visible dissatisfaction by local stakeholder groups. |
| Moderate | Breaches causing threat of (i) legal action, (ii) investigation / inquiries, (iii) registration, licenses or permits being revoked or (iv) adverse comments in reports. | Recoverable damage to an environment requires cleanup intervention. | Serious Injury (or injuries) resulting in lost time. Injuries, impairment of core functions and processes. | < $ 60 MM | Limited negative publicity covered by regional / other media or short-term damage to the Co's reputation at the provincial level, resulting in internal inquiry. |
| Major | Breaches resulting in (i) penalty of > Rs 0.5MM, (ii) warning to company/management, (iii) ministerial inquiry. | Extensive damage to an environment involving prolonged recovery period require significant cleanup intervention. | Injury resulting in permanent disability. Loss of life/serious injuries, damage to the Company assets, impairment of core processes and functions for extended period. | < $ 100 MM | Negative publicity or damage to the Co's reputation at the national / provincial level covered by mainstream media, resulting in ministerial inquiry, CEO's involvement, loss of public confidence in the company. |
| Extreme | Breaches resulting in (i) penalty of > Rs 1MM, (ii) imprisonment, (iii) revocation of registration, licenses or permits or (iv) closure of multiple services. | Permanent and extensive damage to the environment | Fatality(ies). Extensive loss of life, widespread severe injuries, total loss of primary services, core processes or functions. | >= $ 100 MM | Considerable negative publicity or damage to the Co's reputation at a global / national level with wide media coverage, resulting in government/ministerial censure, resignation of senior management, damage to public confidence in the company. |

BIA OUTCOME:
Business Impact Analysis identifies:
• Critical business functions and resources
• Critical business functions and dependencies
• Impact of and recovery from a sudden disruption
• Impact of and recovery from a gradual disruption
• Impact of disruption on critical business functions over time
• Impact of disruption on critical business functions at recovery time objective (RTO)
• Impact of disruption on critical business functions at maximum tolerable period of disruption (MTPD)
• Resources to recover business from disruptive event over time
• Options to recover business based on time & impact
• Optimal recovery option in terms of time & cost
