Kozue Connor
Kozue Connor Kozue is an expert in the field of Risk, Business Continuity and Cyber Security Management. She has developed management systems for numerous clients

BCMS4: BIA is not a Risk Assessment

BCMS4: BIA is not a Risk Assessment

One of the most common but critical misconceptions around Business Continuity Management is confusion of Business Impact Analysis (BIA) with Risk Assessment. Both are key elements of the Business Continuity Management System (BCMS). Without a proper understanding of the difference between the two, you may limit your BCMS capability.

Risk Assessment is normally started from Risk Identification. You firstly list risks around you, then analyse the consequence and likelihood of each risk. In the analysis, you may consider the impact “for” each business; that is only a part of the risk assessment, not BIA.

On the other hand, for BIA, you firstly list your business activities. There are several approaches but the simplest method should be to align with the organizational structure. Organizational separation can be a guidance for listing business activities. Another example is starting from products/services; you can list business activities behind each product/service. Based on the business activity list, you can analyse the disruption of each business activity and assess the impact. In this assessment, you should not consider which risk may disrupt the business, nor the probability of the business disruption. This is the main difference with Risk Assessment.

Risk Assessment BIA
List Risks
e.g. ransomware, flood, pandemic
Business activities
e.g. recruitment (HR), employee training (HR), communication with the retailers (Sales)
Key question What risks are there? How often will the risk exposure? What will happen if each risk will exposure? What business activities do we have? What will happen if each business activity will be disrupted?
Key information Impact and likelihood of each risk Impact of disruption of each business activity
Supporting information (example) Impact for business activities Recovery Time Objective (RTO), supporting activities, dependencies

As one of the common international business continuity standards, ISO22301, states: BIA is “the process for analysing business impacts to determine business continuity priorities and requirements”. Risk Assessment is important but it is impossible to predict the risks perfectly. Even in a crisis that we do not predict all now, BIA will guide you to prioritize the response/recovery actions. That is the reason I explained in the first article of this series (BCMS Part 1: Business Continuity Management is crucial for any type of hazard) that BCMS is an all-hazard approach.

ISO 22301:2019(en) Security and resilience — Business continuity management systems. (as of 16 Apr 2020, some ISO (International Organization for Standardization) standards including ISO 22301:2019 are freely accessible to support global efforts in dealing with the COVID-19 crisis) ISO 31000:2018 Risk management – Guidelines.