Use a business impact analysis questionnaire to get critical data

Why are BIAs important?

Business impact analyses present a clear picture of the material effects of disruption on a company, in terms of both the potential problems and the likely costs.

A BIA questionnaire can help an organization identify the following:

• Mission-critical processes that must not be interrupted.
• Systems and networks that support those processes.
• Recovery metrics, such as recovery point objective and recovery time objective.

Organizations can use this information to determine the priority of recovery for each mission-critical process and the associated systems and to identify any interdependencies among business units.

Using BIA questionnaires to gather data

Business impact analysis questionnaires help discover potential vulnerabilities and areas of concern by providing different departments with a uniform set of questions about business functions they perform or oversee.

Candidates for questionnaires should include key members of each business unit. Organizations can modify questionnaires for specific departments to address unique attributes, such as a trading department or an HR department.

The individuals or teams in charge of the BIA process then enter the responses to the business impact analysis questionnaire into a suitable repository for analysis, such as a spreadsheet.

The table below presents the kinds of information that might be obtained during a BIA. Prior to the BIA, the organization should conduct a risk assessment. That will enable the organization to identify specific threats or vulnerabilities that it faces. Data captured from the BIA questionnaire will then help identify the affected business functions, potential operational and financial losses, and the minimum time needed to recover operations.

Key BIA questionnaire topics

The initial step in preparing a business impact analysis questionnaire is to define the topic areas for developing questions.

IT is a key component of BIAs since it must be integrated into the organization's overall strategic direction. In a BIA, members of the IT department should be interviewed to learn how they intend to respond to specific situations affecting mission-critical business units.

BIA questionnaires should address the following topics:

• Understanding how each business unit operates.
• Identification of critical business unit processes that depend on IT.
• Identification of required IT resources.
• Financial value of critical business processes.
• Dependencies on internal departments and business units.
• Dependencies on external organizations.
• Minimum time needed to recover mission-critical data to the previous state of use and availability.
• Minimum technology and system requirements needed to conduct mission-critical business processes.
• Minimum time needed to return to normal or near-normal operations following an incident.
• Maximum amount of time the company can tolerate a mission-critical function disruption before its performance and reputation are damaged.
• Minimum number of staff required to conduct business following a disruption.
• Minimum office space required to conduct business following a disruption.
• Minimum office supplies and services needed to conduct business following a disruption.

To help shape your own business impact analysis questionnaire, download this free list of sample questions.

Paul Kirvan, FBCI, CISA, is an independent consultant and technical writer with more than 35 years of experience in business continuity, disaster recovery, resilience, cybersecurity, GRC, telecom and technical writing.