Skip to content

BIA in BCM – Assessment (Processes & Objectives)🔗

In the BIA Assessment you analyse how critical a process is and which recovery objectives (e.g. RTO, MTPD) should apply to it.

You combine:

  • The house rules defined in the Configuration,
  • The processes linked within the scope,
  • Their dependencies (assets, service providers, other processes).

Getting Started with the BIA Assessment🔗

  1. Open the BIA – Assessment tile.
  2. Select the scope you want to examine.
  3. You receive a list of the processes linked within the scope — possibly already with a pre-filter classification (critical/non-critical).

You can then navigate to a detail view for each process.

Assessing Impact Over Time🔗

In the detail view of a process you assess, per damage scenario (e.g. financial, legal, reputation):

  • How the damage develops over the defined time horizons in case of failure,
  • From which point the impact becomes "medium", "high", or "very high".

Practical steps:

  1. Select the scenario (e.g. "financial impact").
  2. Assess what damage arises at each time horizon.
  3. Enter the corresponding damage potentials.

Example:

  • Up to 2 hours: damage low
  • From 4 hours: damage medium
  • From 8 hours: damage high
  • From 24 hours: damage very high

The BIA view typically displays this as a table or curve.

Setting Recovery Objectives (RTO, MTPD, Emergency Operating Level)🔗

From the assessment you derive recovery objectives, in particular:

  • RTO (Recovery Time Objective)
    → The timeframe within which the process must be operational again.

  • MTPD / MTBD (Maximum Tolerable Period of Disruption)
    → The maximum tolerable downtime before existentially threatening or unacceptable damage occurs.

  • Optional: Emergency operating level
    → The performance level acceptable during emergency operations (e.g. 50% of normal throughput).

You document these targets per process in the BIA. They are subsequently decisive for strategies and plans in BCM.

Dependencies and Single Points of Failure🔗

The BIA assessment also frequently displays a process's dependencies:

  • Linked assets (hardware, software, infrastructure),
  • Linked service providers,
  • Upstream and downstream process chains.

Typical activities:

  • Checking whether an asset or service provider is a Single Point of Failure (SPOF),
  • Flagging particularly critical dependencies,
  • Deriving requirements for redundancy or alternative processes.

This information later feeds into both risk management and strategies and plans.

Documentation and Traceability🔗

For each assessment you should record a rationale, for example:

  • Why a process has a certain criticality level,
  • What assumptions you are making regarding customers, regulations, or internal SLAs,
  • What limitations can be accepted during emergency operations.

This helps with:

  • Audits,
  • Subsequent revisions (e.g. after organisational changes),
  • Handovers to other responsible persons.

Relationship to Pre-filter and Configuration🔗

  • The pre-filtering reduces the scope by determining which processes need to be assessed in detail.
  • The configuration (damage scenarios, time horizons, potentials) provides the framework for how the assessment is conducted.
  • The assessment itself is the professional core where you work through process by process.

The results serve as the foundation for the Target/Actual Comparison & Reporting as well as for BCM risk management.