Question: Has a Business Impact Analysis (BIA) been conducted to identify critical activities, RTOs, and RPOs?
Why This Matters
The BIA quantifies the impact of disruptions and prioritizes resources for recovery planning.
Maturity
- 0: No BIA performed.
- 1: Partial impact noted by functions.
- 2: BIA template approved and executed for core departments.
- 3: All critical processes have documented RTO/RPO.
- 4: BIA results inform risk register and continuity plans.
- 5: Automated BIA updates linked to process changes.
How to Level Up
| From → To | Actions |
|---|---|
| 0 → 1 | Identify critical processes and dependencies. |
| 1 → 2 | Develop and approve BIA template. |
| 2 → 3 | Complete BIA for all departments. |
| 3 → 4 | Map RTO/RPO to risk and recovery plans. |
| 4 → 5 | Integrate BIA with change management system. |
Enablers
- People: BCM Coordinator, Department Leads
- Process: Identify → Analyze → Validate
- Technology: Survey tool, BCM database
Evidence
- Completed BIA reports
- RTO/RPO register
- Validation meeting records
KPIs
- Number of critical processes with defined RTO/RPO
- Average recovery time target
- Update frequency of BIA reports
Low-Cost / Open-Source Options (MSME)
| Purpose | Tool | Notes |
|---|---|---|
| Templates | Google Sheets | Custom BIA form |
| Tracking | Airtable | Critical process register |
| Visualization | Metabase | Impact heatmap |
Common Pitfalls
- RTO/RPO values not validated
- Outdated BIA after org changes
- Limited management involvement
Compliance Mapping
| Standard | Clauses / Notes |
|---|---|
| ISO 22301 | 8.2 (BIA) |
| ISO 27001 | A.5.30 |
| NIST CSF 2.0 | ID.BE / RS.RP |
| NIRMATA Mapping | BC-Q02 quantifies business impact for prioritized resilience. |