(913) 396-8321

What is a Business Impact Analysis?

What is a Business Impact Analysis? Image

A Business Impact Analysis (BIA) is a process that identifies and evaluates the possible and likely effects of natural and man-made incidents on clinical and/or business operations. The analysis determines patient care and business operation needs so that logical and effective choices can be both planned for and made in the midst of an emergency.  The BIA is a critical component of an overall Business Continuity Management (BCM) Strategy.  An important goal for the BIA is to bring attention to gaps between a department’s expectation for recovery and IT’s ability to deliver.   The holistic components of a BCM include:

  1. Program management
  2. Policy
  3. Assurance
  4. Strategy
  5. BCM Process
  6. Risk Analysis
7.Business Impact Analysis (BIA)
  1. Business Continuity Tools
  2. BCM Training and Awareness
  3. Disaster Recovery Plans (DRP)
  4. Disaster Recovery (DR)
  5. Business Resumption
  6. Contingency Planning
  7. Emergency Response
  8. Plan Exercise
  9. Plan Maintenance
  10. Audit
A BIA gathers information needed to develop recovery strategies from the business/clinical perspective (not from the Information Technology (IT) perspective).  Potential loss scenarios identified during the assessment should include the loss of:
  • Technology
  • Facility
  • People
  • Key Vendor(s)

Potential Impacts of Disasters and Disruptions

Identifying and evaluating the impact of disasters on healthcare providers and businesses provides the basis for investment in recovery strategies as well as investment in prevention and mitigation tactics.  Possible negative effects of a disaster include:
  • Loss of the ability to provide adequate patient care
  • Loss or delay of income/revenue
  • Increased expenses (e.g., overtime labor, outsourcing, expediting costs, alternate facilities, etc.)
  • Regulatory fines and scrutiny
  • Contractual penalties or loss of contractual bonuses/incentives
  • Patient dissatisfaction
  • Loss of workforce, medical staff, vendors
  • Loss of reputation
  • Delay of new business plans

Different Types of Disasters 

There are many different types of disasters that businesses face, each of which has its own unique attributes.  Each disaster may affect a business's operations in a different manner. A cyber-attack, for example, may only affect a hospital or business's data – or access to the data, while leaving its physical hardware and equipment intact.  A fire, on the other hand, may physically destroy the business's computers and equipment.  The list below includes examples of natural and man-made types of disasters that should be planned for:
  • Loss of a facility due to a fire or power outage
  • Loss of HVAC, electricity, and plumbing
  • Inability to gain access to a facility
  • Inability or unwillingness for staff to work
  • Data Center or IT systems failure
    • Ironically, human error is the most common root cause of IT failure
  • Failure of a critical vendor to deliver their goods or services
  • Environmental problems (storms, wildfire, tornado, hurricane, flood, etc.)
  • Flu or Pandemic


Importance of a Business Impact Analysis (BIA)

There are regulatory and business drivers for performing a BIA, as follows:

  1. A regulatory requirement for a BIA is outlined in HIPAA:
    1. 45 CFR § 164.308(a)(7)(ii)(E) Applications and data criticality analysis (Addressable); “Assess the relative criticality of specific applications and data in support of other contingency plan components.” 
  2. Some Business Drivers for a BIA include:
    1. Acknowledging that if IT alone establishes the Recovery Time Objective (RTO) (aka maximum allowable downtime) and Recovery Point Objective (RPO) (aka acceptable data loss for the business in a vacuum) – they may only “get it” partially correct; the wrong time to confirm the recovery order and timeline is during a crisis.  Capturing the customer’s perspective on the RTO/RPO of critical applications and departments forms the basis for the executive-endorsed high availability and recovery plan.
    2. Learning the relative importance of each function and process as they relate to the other functions and resources in the organization
    3. Focusing on the most critical systems to restore; The data center (and the systems it hosts) was built-out over decades.  In a disaster, the same person or team is often responsible for many more systems than can be recovered at once.  The BIA provides a well-vetted recovery order that is easier to justify.
    4. Learning the consequence to the organization resulting from the absence of a function or resource over time, an organization will confirm its relative importance to daily operations and criticality to sustaining the mission.
    5. Pre-planning to put into place the preparations to appropriately respond to an interruption that affects any function or resource at its height of criticality to the organization. 
    6. Continuing to assure that an organization is defining its requirements for business continuity based on a sound rationale. 

All healthcare providers and businesses can benefit from a BIA. With this detailed document, business owners will have a better understanding of the potential impact of disasters, dependencies, and potential gaps in recovery or continuity capability. Neglecting to prepare for disaster scenarios is a serious mistake that leaves businesses vulnerable. 

Typical Information Gathered in a Business Impact Analysis (BIA)

  • Clinical and Business Processes
  • Applications Inventory
  • Application Recovery Order
  • Maximum Allowable Downtime (aka RTO)
  • Recovery Point Objective (Maximum Allowable Data Loss)
  • Equipment Needs (during a disaster)
  • Personnel Needs (during a disaster, how many staff are needed to support critical functions?)
  • Continuity Strategy (where will clinical and business functions be performed?)
  • Cost of downtime
  • RTOs and RPOs
  • Order of recovery
  • Recovery timeline
  • Minimum resources needed in recovery mode (equipment, people, vital Records, etc.)
  • Documents the business expectations by identifying critical processes and the technology needed to automate the processes
  • Single points of failure (technology and key people)
  • Critical vendors​       

A properly conducted Business Impact Analysis will positively contribute to the sustainability of the business. 

This article was brought to you by tw-Security - Dedicated to helping healthcare organizations protect their information resources by creating and managing information security programs. For more information security news, updates, and more on our services, please visit our website.

Oct 12, 2017

follow us in feedly