Enhanced Business Impact Analysis Methodology

Technology Insights

With the emergence and escalation of COVID-19 as a global pandemic, organisations have been required to implement strategies that respond, adapt, and protect core business functions and their employees.

As intensive restrictions and lockdown protocols begin to unwind, many companies are faced with the opportunity to retrospectively analyse what happened and ask the question of what is, and how to transition into, new business as usual (BAU). All of this whilst ensuring they are preparing themselves for the potential occurrence of a similar disruptive event in the future.

Enhanced business impact analysisbusiness continuity planning

A Business Impact Analysis (BIA) reviews the consequences of sustained disruptive incidents such as COVID-19 on an organisation’s critical functions, activities, and responsibilities and looks to predict the impact which future disruptions may have. The reasons for undertaking a BIA include, but are not limited to the following:

  • Validating the content of the Business Continuity Plan (BCP), IT Disaster Recovery Plan (IT DRP) and Crisis Management Plan (CMP) and providing assurance that the identified strategies can provide response and recovery results within the required timeframes and appropriately limiting the potential loss
  • Highlighting areas for improvement including where capabilities may not align to business continuity and IT disaster recovery requirements
  • Providing critical hands-on lessons learnt to the personnel responsible for the response and recovery activities to encourage high performance and develop confidence

In light of the significant challenges overcome by foreign and Australian businesses alike, the importance of undertaking a post-disruptive event BIA, within a timeframe where the analysis and results would be most impactful, has never been more prevalent.

Organisational Benefits and Value

Whilst we will work with each organisation to determine your own individual and tailored objectives, the value you can expect to generate from undertaking an enhanced BIA could include:

  • Assessment and classification of defined ‘critical business functions’ in the wake of a live disruptive incident
  • Identification and capitalisation of process improvements and lessons learned
  • Assurance over the achievability of recovery time objectives
  • Improvement opportunities within the organisations response and recovery strategies

Enhancements to response and recovery strategies to better prepare the business for future disruptive incidents.

Development and implementation process

At RSM, our approach for facilitating and capitalising on an enhanced BIA revolves around the following four material categories which are identified as critical by best practice and globally accepted standards such as ISO 22301:2019 - Business Continuity Management Systems and ISO 22317:2015 - Guidelines for Business Impact Assessment:

business impact development process


In order to effectively maintain a fit-for-purpose and valuable Business Continuity Management System, best practice guidelines such as ISO 22317:2015 - Guidelines for Business Impact Assessment recommend the facilitation of a comprehensive BIA during both the development and continuous improvement phases of an organisation’s approach to mitigating and managing the impacts of disruptive incidents. The diagram below captures the recommended process flow by RSM for the utilisation of an enhanced BIA:business impact methodology

Key areas of focus

The key areas of focus which will be assessed across the four material categories are as follows:

  • Assessment of internal and external factors such as dependencies and market conditions
  • Whether roles and responsibilities are defined and communicated throughout disruptive incidents
  • Whether a formal communication strategy which covers internal and external stakeholders have been developed and stress testing conducted
  • Provision of support and guidance throughout the forced utilisation of working from home conditions;
  • Strategies undertake to adapt to the evolving Information Security risks
  • Identification and transitioning of services and processes which can be automated and digitised, using technology such as Intelligent Automation and Cognitive Solutions, to improve efficiency, reduce costs, maximise revenue and mitigate risks

How can we help?risk consulting

RSM can help your business assess the robustness and effectiveness of its disruptive event-related response and recovery strategies as well as identify opportunities, design and implement improvement solutions to reduce costs, increase efficiency and maximise revenue.

Key capabilities

  • Internal audit
  • Business continuity and crisis management
  • Pandemic preparedness and de-escalation planning
  • Culture, governance, and risk
  • Effectiveness and efficiency

For further information

If you have questions or require assistance in relation to your business continuity plan or performing an enhanced business impact analysis, please get in touch with us.

Click here to download the PDF version


Jeremy Elman
Partner - Sydney

Subscribe to Risk Insider to stay up to date with the latest in Technology, Fraud and Security.