What do you think are some of the things included in a BIA conducted for business continuity purposes?

Mission Continuity Resources and Tools: Business Impact Analysis (BIA)

Improving the BIA
BIA Data Clean-up Checklist
How-to for BIA Checklist
Creating a New Local Process
Editing/Updating a Local Process

What is a Business Impact Analysis (BIA)?
A business impact analysis (BIA) predicts the consequences of a disruption or outage of a business function, system or process and gathers information needed to develop recovery strategies.  A function refers to an organization's purpose or goal; for example, one function of a School is teaching.  A system refers to an IT system; an example of a system is Penn0365 e-mail.  A process is a group of activities or tasks performed to accomplish a goal; one example of a process is conducting payroll.

Why do we do BIA?
BIA allows us to understand the impact of outages or disruptions across the institution.  This information supplements the Business Continuity (BCP) plans already in Shadow-Planner to give us a better understanding of how different Schools, Centers and departments of the University need to respond to outages or disruptions.  It will also allow internal and external partners to have a better understanding of the priorities for recovery and continuity.

Finally, it allows us to define priorities, based on which functions, systems or processes need to be recovered most quickly to resume the University's operations in the wake of an outage or disruption.  The two key concepts in BIA are:  priorities (the order in which we need to restore lost functions, systems or processes) and dependencies (what those critical functions, systems and processes depend upon to work properly).

How does this relate to my Business Continuity (BCP) plans?
BCP plans describe what steps to take in the event of an outage or disruption pertaining to a critical system, function or process, whereas the BIA identifies what our critical systems, processes and functions are and how quickly they need to be recovered or restored in the event of an outage or disruption.  The BIA also allows us to identify priorities and dependencies among these critical items, so we know which are the most crucial to carrying out the mission of the University, and what these crucial items rely upon in order to continue operations.

How do I create or update a BIA?
To create a BIA, or to update existing BIA information, go into the BIA module in Shadow-Planner.  Training on using the BIA module is available on Knowledge Link.

New Technology processes
Have you added a new Technology system in your BIA that you would like to make available so other University organizations can use it as well?  Please complete this form and return it to .  We will make sure it appears in Shadow-Planner so that other people can note they have a dependency on it.  To retire an existing system, just send an e-mail to the same address, naming the system and making the request to retire it.

Key concepts in conducting a BIA
Two key items in the BIA are Recovery Time Objective (RTO) and Recovery Point Objective (RPO).  The RTO asks the question:  how long can we operate without this function, system or process being in place?  The RPO asks the question:  how much data can we afford to lose in an outage of this function, system or process?  For example, if you can stand to lose a day's worth of e-mail due to an outage, your RPO is 1 day.  If you cannot stand to lose any e-mail due to an outage, your RPO is 0.  NOTE:  RPO is only done on Technology systems.

Questions? Contact the Mission Continuity Program (MCP) at .


Glossary of BIA terms

ART – The Achievable Recovery Time is an estimate of when we think we can actually recover and restore a system, process or function. Whereas RTO (see below) is the desired recovery time, ART is the estimated actual recovery time. NOTE: In Shadow-Planner, only the owner of a Technology system (very often ISC) enters information into this field.

ARP – The Achievable Recovery Point is an estimate of how much data we think we can restore in the event of an outage in a Technology system.  Whereas RPO (see below) is the desired amount of data that can be lost, ARP is the actual amount of data projected to be lost.  NOTES:  In Shadow-Planner, only the owner of a Technology system (very often ISC) enters information into this field.  Like RPO, this is ONLY applicable for Technology items.

BIA -- A Business Impact Analysis is a systematic process to determine and evaluate the potential effects of an interruption to critical business operations as a result of an outage or emergency.

BAU -- Business as usual

Critical process, system and function -- a process, system or function that directly supports the University's mission of teaching, research, service and clinical work, or that directly supports the functioning of the University as an organization.

Disaster Recovery (DR) -- plans for recovering IT systems when they have gone down due to an outage or disruption.  These should be stored in Shadow-Planner as part of the T (Technology) section of the BETH3 model within the BCP.

Function -- refers to an organization's purpose or goal; for example, one function of a School is teaching.

Process -- a critical function or activity an organization performs in support of the University's mission.  Examples include:  Process payroll; Instruct students; Conduct laboratory research; Maintain supply inventory.

RPO -- The Recovery Point Objective (RPO) is the maximum targeted period in which data might be lost from a process or system.  NOTE:  this applies to Technology systems only.

RTO -- The Recovery Time Objective (RTO) is the time when the disruption or outage of a process becomes critical and recovery of that process must be initiated. This document provides guidance on how to select a particular item in the drop-down list for the RTO.

System -- an IT application; one example is 0365 e-mail.


1. What do the acronyms BIA and BCP mean, and what's the difference between them?

BIA stands for Business Impact Analysis, which is a way for the University to determine its critical processes and functions, and to help leadership determine priorities among those processes and functions in the event of an outage or disruption.

BCP stands for Business Continuity Planning, which we at Penn call Mission Continuity Planning. These are the plans you've already created and stored in Shadow-Planner.

2. Should I do the BIA on my own?

You are strongly encouraged to engage your colleagues, including leadership, to help determine priorities and critical processes and functions. We expect that leadership in your organization will approve the priorities you have designated.

3. How do I get help from the MCP program with my BIA?

The Mission Continuity team is happy to help. Just send an e-mail to .

4. How do I determine my organization's critical processes and functions?

One way is to gather a group of colleagues together – perhaps the group that participated in your tabletop exercise this past year – and brainstorm about your organization's critical processes and functions. You may also (at this meeting, or separately) wish to use the Pre-Planning Questionnaire (PPQ), especially the first two questions. Many of the processes and functions you identify for the BIA may already be included in your organization's BCP plans.

5. What's the relationship between my BCP plans and my BIA information?

The processes you identify (see question above) are most likely the same processes and functions you identified as critical when you created your BCP plans. However, the information for your BIAs on those processes will be different from, and will supplement, the information stored in the BCP module in Shadow-Planner.

6. What if my organization is made up of several sub-organizations? Do I need to do a BIA for each sub-organization?

If an organization conducted a separate BCP planning process (and a separate tabletop exercise), it will conduct a BIA. Once BIAs are completed for all the sub-organizations, they will be rolled into a cross-organizational view. For assistance in doing this, please contact .

7. How do I handle a process that could fit into multiple elements within the BETH3 model?

To resolve these issues, please contact the MCP team at . In order to ensure consistency across organizations, decisions about assigning processes to specific process types will be made centrally and communicated to users. Examples include: Maintain computing hardware (which could fit into either Equipment or Technology or 3rd-party vendor); Conduct laboratory research (which could fit into Human Resources or Buildings or Equipment).

8. Once my BIA information is loaded into Shadow-Planner, can I pull reports on it?

Yes, you can do reporting on your BIA information. Please see the BIA reporting guidelines on the Training page on this website.

9. How should I start doing a BIA?

Gather together a group of people from your organization who need to give input into this process (maybe include some people who have participated in your tabletop exercises) and make three lists: 1) What are your organization's critical processes and functions? What is your organization responsible for that is critical to the University's mission? 2) What technology systems do you use to support those critical processes or functions? 3) What, if any, third-party vendors or partners are needed to support these critical processes or functions?

10. How do I complete the BAU Headcount (FTE) field?

BAU stands for Business As Usual, so this is the total number of people who work on a particular process, function or system under normal circumstances. This needs to be a whole number, not a fraction or percentage.

11. How is Third-party vendor or partner defined?

Third-party vendors or partners include only external organizations, i.e., those that are not part of Penn.

12. For the RTO, should the desired recovery time be during a business peak time (if there is one) or during a non-peak time?

It should be during the business peak time, to reflect the shortest desirable time for the process to be restored.

What should be included in BIA?

The BIA report should document the potential impacts resulting from disruption of business functions and processes. Scenarios resulting in significant business interruption should be assessed in terms of financial impact, if possible. These costs should be compared with the costs for possible recovery strategies.

What is BIA in business continuity?

A business impact analysis (BIA) is a systematic process to determine and evaluate the potential effects of an interruption to critical business operations as a result of a disaster, accident or emergency. A BIA is an essential component of an organization's business continuity plan (BCP).

What are the components of business impact analysis BIA?

An effective BIA consists of five elements: Executive Sponsorship, Understanding the Organization, BIA Tools, BIA Processes and BIA Findings.

What is included in a business impact analysis?

A Business Impact Analysis (BIA) is a method for analyzing how disruptions may impact an organization. The analysis considers the timescales of a disruption, as well as its intensity, and looks at the resulting impacts on important products and services; and the processes and activities that support these.