Business Impact Analysis (BIA) identifies categories of organizational processes based on their criticality, identifies their interdependencies, and analyzes the potential consequences (damage/losses) over different durations of critical situations. It defines the Maximum Tolerable Outage (MTO), Minimum Business Continuity Objective (MBCO), Recovery Time Objective (RTO), and Recovery Point Objective (RPO).


BIA is an integral part of the Business Continuity Management process, which identifies potential impacts resulting from possible operational disruptions and aims to establish procedures and conditions that ensure continuity of operations within a predefined scope and a return to normal organizational functioning in the event of a crisis.

Under Act No. 69/2018 Coll. on Cybersecurity, BIA is part of the required security documentation. The results of the impact analysis serve as input for the development of the business continuity plan.


During the impact analysis, it is necessary to identify:

  • the critical period,
  • the volume of work performed during the critical period,
  • the minimum acceptable volume of work immediately after the crisis,
  • whether a defined type of crisis could cause process interruption.

Critical situations may include:

  • unavailability of IT systems and/or data,
  • unavailability of operational facilities,
  • unavailability of critical human resources (employees),
  • failure of a key external service provider.

Functional impacts are qualitatively assessed in the following areas:

  • loss of reputation,
  • loss of clients/customers,
  • impact on other organizational activities,
  • impact on health, safety, and the environment.

Functional impacts are assessed separately for different durations of the crisis. The durations for which impacts are evaluated are defined in meetings with process owners.


Financial impacts quantify the direct financial effects of a crisis in areas such as:

  • direct financial damages,
  • regulatory fines,
  • contractual penalties or claims for damages from business partners,
  • costs associated with returning to normal operations.

The financial impact is determined separately for different durations of a crisis. The specific durations for which impacts will be assessed are defined in meetings with process owners. The financial impact is expressed as a monetary value in EUR.


Data loss is qualitatively assessed to determine the potential impact of losing information in a crisis. Maximum amounts of data that could be lost are evaluated for:

  • applications and databases,
  • electronic data not stored in databases (e.g., data on CDs, USB drives, etc.),
  • paper documents.

Impacts are assessed for varying amounts of lost data based on the volume generated in recent time periods. Each time period for evaluation is defined in meetings with process owners. For each database, application, or identified information, the maximum amount of data that could be lost must be assessed.


A properly designed BIA helps identify the most critical processes in your organization and their interdependencies, allowing you to anticipate potential losses under various security scenarios.


Identification of resources for process recovery is performed only for processes that have a significant impact on organizational continuity. These processes are identified in the BIA based on their RTO. Resources to identify include:

  • people,
  • applications/databases,
  • electronic data not included in applications/databases,
  • paper-based data,
  • IT and communication devices,
  • communication channels,
  • other equipment,
  • facilities and infrastructure,
  • working capital.

After collecting and validating all input data, a final analysis and evaluation are performed. The output of the BIA is a final report containing:

  • overview of activities, including activity name, definition, owner, MTO, and MBCO,
  • list of processes, including (where possible) process name, type, owner, RTO, and RPO (the data used to determine RTO and RPO is also included),
  • specifications of essential resources and means for ensuring business continuity.

SOMI Systems a.s. offers the preparation of a comprehensive Business Impact Analysis.

For more information on effectively managing cybersecurity, do not hesitate to contact us.

Submit your request via obchod@somi.sk.