Business Impact Analysis (BIA) Procedure (RES-PROC-004)
1. Purpose
To define the methodology for conducting the annual Business Impact Analysis (BIA) to identify critical business functions and establish recovery objectives.
2. Scope
This procedure applies to all business units and departments within the organization.
3. Overview
This procedure outlines the annual process for identifying and prioritizing critical business functions, assessing the impact of a disruption to these functions, and defining their Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs).
4. Procedure
| Step | Who | What |
|---|---|---|
| 1 | Business Continuity Manager | Distribute BIA questionnaires to all Business Unit Leaders at the start of the annual BIA cycle. |
| 2 | Business Unit Leaders | Complete the questionnaires, identifying critical business processes, their dependencies (technical and non-technical), and the potential impact of a disruption. |
| 3 | Business Unit Leaders | For each critical process, determine the maximum tolerable downtime (Recovery Time Objective, RTO) and the maximum acceptable data loss (Recovery Point Objective, RPO). |
| 4 | Business Continuity Manager | Collect and analyze the completed questionnaires, compile the findings into a formal BIA report, and present it to the BCDR Steering Committee for review and approval. |
5. Standards Compliance
| Procedure Step(s) | Standard/Framework | Control Reference |
|---|---|---|
| 1-4 | SOC 2 | A1.1 |
| 1-4 | HIPAA Security Rule | 45 CFR § 164.308(a)(7) |
6. Artifact(s)
A formally approved Business Impact Analysis (BIA) Report.
7. Definitions
Recovery Time Objective (RTO): The maximum tolerable length of time that a computer, system, network, or application can be down after a failure or disaster occurs.
Recovery Point Objective (RPO): The maximum acceptable amount of data loss an organization can tolerate, measured in time.
8. Responsibilities
| Role | Responsibility |
|---|---|
| Business Continuity Manager | Manages the overall BIA process, including questionnaire distribution, analysis, and report creation. |
| Business Unit Leaders | Are responsible for accurately identifying critical processes, dependencies, and recovery objectives for their respective areas. |
| BCDR Steering Committee | Reviews and formally approves the final BIA report. |