Business Impact Analysis (BIA)
v0.1.0

Use when a business-continuity coordinator, BCMS owner, resilience manager, IT disaster-recovery lead, vendor-risk manager, operational-resilience officer, internal auditor, or a process / product / function owner at a regulated or assurance-driven organisation needs to draft a Business Impact Analysis (BIA) aligned to ISO 22301:2019 clause 8.2.2 and NIST SP 800-34 Rev. 1 Appendix A.

Guides scoped intake of organisation, in-scope entity / business unit / location, BCMS owner, BIA sponsor, regulatory frame (ISO 22301, NIST 800-34, FFIEC IT Examination Handbook BCM booklet, DORA, Solvency II, HIPAA Security Rule, OSFI E-21, APRA CPS 230, PRA SS1/21, MAS TRM, ENISA NIS2), BIA cycle (initial / annual / triggered), corporate impact rubric, risk-tolerance bands, and steering-committee roster.

Builds the business-process inventory with single accountable owner, customer of the process, products / services supported, outputs, peak / off-peak posture, and regulatory / contractual obligations.

Scores each process across seven impact dimensions — financial, regulatory, contractual / SLA, customer / reputational, life-safety, operational, workforce — at corporate impact-time horizons (0–4h, 4–24h, 1–3d, 3–7d, 1–2w, 2–4w, 4w+) with the highest dimension setting row severity.

Derives RTO where impact crosses the MTPD-equivalent threshold, records MTPD, defines MBCO, derives RPO from data-loss tolerance, derives WRT for application-recovery hand-off, and enforces the ISO 22301 discipline RTO < MTPD.

Maps upstream-and-downstream applications, data stores, third-party vendors and BPO providers with criticality tier, people / skills, facilities, equipment, utilities, network, identity, key-management. Flags cross-process shared dependencies as single points of failure.

Runs current-capability-vs-requirement gap analysis against backup posture, replication topology, alternate-site arrangement, vendor SLA, workforce cross-training, paper / manual workaround feasibility, and escalation contact tree.

Produces a DRAFT BIA register, criticality-tier list (Tier 1 / 2 / 3 / 4 / out-of-scope), recovery-objective set, dependency map, gap list, recovery-strategy candidate list, validation-interview log, and steering-committee review-and-sign-off block — for the BCMS owner and steering committee's review before any recovery-investment decision, recovery-strategy adoption, vendor-tier reassignment, or disaster-recovery-test scope change.

Never authorises a recovery investment, never approves a recovery strategy, never substitutes for the steering committee's RTO sign-off, never sets a vendor's contractual SLA, never declares an incident or invokes a BCP, never replaces the IT disaster-recovery test programme, and never opines on the regulator's adequacy view of the BCMS.