Business Impact Analysis and Risk Assessment for ISO 22301 Business Continuity

ISO 22301 Clause 8.2

This sub-clause requires systematic processes to analyse business impact and assess the risks of disruption, used to determine continuity priorities and recovery requirements.

ISO 22301 Clause 8.2 - Business Impact Analysis and Risk Assessment

Clause 8.2 is the analytical engine of ISO 22301. The decisions taken at every later clause - which strategies to adopt, which plans to write, which arrangements to test, which resources to set aside - all flow from the work done here. The clause is in three parts: a general requirement to have systematic processes, a detailed specification for the business impact analysis (BIA), and a detailed specification for the risk assessment.

What ISO 22301 Clause 8.2 Requires

Under Clause 8.2.1, the organisation must implement and maintain systematic processes to analyse business impact and assess risks of disruption, and must review the BIA and risk assessment at planned intervals and when there are significant changes within the organisation or its operating context.

Under Clause 8.2.2, the BIA process must define the impact types and criteria relevant to the organisation, identify the activities that support the provision of products and services, use the impact types and criteria to assess impacts over time arising from disruption, identify the time frame within which the impacts of non-resumption would become unacceptable, establish prioritised time frames for resuming activities at a specified minimum acceptable capacity, identify prioritised activities, determine the resources needed to support them, and determine the dependencies including partners, suppliers and interdependencies between activities.

Under Clause 8.2.3, the risk assessment process must identify the risks of disruption to prioritised activities and their resources, analyse and evaluate the identified risks, and determine which risks require treatment.

The Business Impact Analysis in Practice

The BIA is where the organisation works out which activities really matter. The product or service is sold to a customer, but behind every product or service is a chain of activities that have to keep going for delivery to happen. The BIA identifies that chain, assesses the impact over time of losing each activity, and works out how quickly each activity has to come back. The output is a list of prioritised activities, each with a recovery time objective (the time within which it must be restored) and a minimum acceptable capacity (the level it must be restored to).

Impact types vary by organisation. Common impact types include financial impact, regulatory impact, reputational impact, operational impact and safety impact. The criteria attached to each impact type set the thresholds at which an impact moves from acceptable to unacceptable.

The Continuity Risk Assessment

The risk assessment is narrower than a general enterprise risk assessment. The focus is on risks of disruption to prioritised activities and the resources they depend on. A flood in the warehouse only matters if the warehouse is supporting a prioritised activity. A loss of a particular IT system only matters if that system is needed within the recovery time objective of an activity that depends on it. The risk assessment connects threats to prioritised activities and identifies which risks have to be treated to make the recovery time objectives achievable.

The trick with 8.2 is keeping the BIA and the risk assessment in the same place so the chain is visible. A business continuity register that lists each prioritised activity, its recovery time, the resources it needs, and the risks of disruption to those resources, is a much more useful artefact than a separate BIA report and a separate risk register that nobody cross-references.

I look for evidence that the organisation has thought about its impact types, identified the activities that support its products and services, established recovery time objectives, and identified the risks that could prevent recovery within those objectives. Then I check that the strategies and plans at 8.3 and 8.4 actually deliver on what the BIA says is needed. Where the BIA says a four-hour RTO and the plan assumes a working day, that is a finding.
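The combined register described above, and the cross-check between BIA and plan that the audit paragraph describes, can both be made mechanical. The following is an added example (not part of the original page or of any alphaZ document) of a small continuity register that holds prioritised activities, their RTOs and resources, the risks to those resources, and the recovery time each plan actually assumes, with an audit that returns the findings the text describes: a plan assuming a longer recovery than the RTO, a dependency that cannot be restored in time, an untreated high-scoring risk to a needed resource, and a risk recorded against a resource no prioritised activity uses. The 1-5 scoring, the treatment threshold of 12 and all sample activities, resources and risks are constructed assumptions for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Activity:
    """A prioritised activity from the BIA (Clause 8.2.2)."""
    name: str
    rto_hours: float                # recovery time objective
    min_capacity_pct: int           # minimum acceptable capacity on resumption
    resources: list[str]            # resources needed within the RTO
    depends_on: list[str] = field(default_factory=list)  # other activities it needs


@dataclass
class Risk:
    """A risk of disruption to a resource (Clause 8.2.3); 1-5 x 1-5 scoring is assumed."""
    resource: str
    threat: str
    likelihood: int
    impact: int
    treated: bool = False

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


@dataclass
class PlanAssumption:
    """The recovery time a continuity plan (Clause 8.4) actually assumes."""
    activity: str
    assumed_recovery_hours: float


TREATMENT_THRESHOLD = 12  # hypothetical: scores at or above this require treatment


def audit(activities, risks, plans, threshold=TREATMENT_THRESHOLD) -> list[str]:
    """Return the findings an auditor would raise against the register."""
    findings = []
    by_name = {a.name: a for a in activities}
    # which prioritised activities need each resource
    needed_by: dict[str, list[str]] = {}
    for a in activities:
        for r in a.resources:
            needed_by.setdefault(r, []).append(a.name)

    # 1. a plan that assumes a longer recovery than the BIA requires
    for p in plans:
        a = by_name.get(p.activity)
        if a is None:
            findings.append(f"{p.activity}: plan exists but activity is not in the BIA")
        elif p.assumed_recovery_hours > a.rto_hours:
            findings.append(f"{a.name}: plan assumes {p.assumed_recovery_hours}h recovery "
                            f"but BIA RTO is {a.rto_hours}h")

    # 2. a dependency whose RTO is longer than the activity that depends on it
    for a in activities:
        for dep in a.depends_on:
            d = by_name.get(dep)
            if d is None:
                findings.append(f"{a.name}: depends on '{dep}' which is not in the BIA")
            elif d.rto_hours > a.rto_hours:
                findings.append(f"{a.name}: depends on '{d.name}' (RTO {d.rto_hours}h) "
                                f"which is slower than its own RTO {a.rto_hours}h")

    # 3. an untreated high-scoring risk to a resource a prioritised activity needs
    for r in risks:
        if r.resource in needed_by and not r.treated and r.score >= threshold:
            findings.append(f"{r.resource}: '{r.threat}' scores {r.score} and is untreated; "
                            f"needed by {', '.join(needed_by[r.resource])}")

    # 4. a risk against a resource no prioritised activity depends on (out of scope)
    for r in risks:
        if r.resource not in needed_by:
            findings.append(f"{r.resource}: '{r.threat}' recorded but no prioritised "
                            f"activity depends on this resource")
    return findings


def example_register():
    """Constructed sample data: a four-hour RTO against a plan assuming a working day."""
    activities = [
        Activity("Order fulfilment", 4, 50, ["Warehouse", "WMS"],
                 depends_on=["Payment processing"]),
        Activity("Payment processing", 8, 100, ["Payment gateway"]),
    ]
    risks = [
        Risk("Warehouse", "Flood", 3, 5),                         # 15, untreated
        Risk("WMS", "Server hardware failure", 2, 3, treated=True),
        Risk("Staff car park", "Flood", 4, 2),                    # not a BIA resource
    ]
    plans = [PlanAssumption("Order fulfilment", 8.0)]            # a working day, not 4h
    return activities, risks, plans


if __name__ == "__main__":
    for finding in audit(*example_register()):
        print("FINDING:", finding)
```

Running the sample produces four findings; the first is exactly the mismatch the text describes, a four-hour RTO against a plan that assumes a working day. Keeping activities, resources, risks and plan assumptions in one structure is what makes checks 2 to 4 possible at all; a separate BIA report and risk register would need to be reconciled by hand first.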

The number of activities in a BIA grows quickly with the size of the organisation. For a small business it might be ten or fifteen activities; for a multi-site operation it can run to several hundred. The discipline is staying focused on activities that genuinely support delivery, rather than listing every task anyone in the business does.

Practical Compliance Guidance

The ER16 Business Continuity Risk Register holds the BIA and the continuity risk assessment together, with prioritised activities, impact analysis, recovery time objectives, resource requirements and the risks that could disrupt them. Where activities need deeper analysis, the F-Q92 Business Critical Function Appraisal is used. The F-IMS21 Business Continuity Register summarises the overall arrangements.

alphaZ document | How to use it
ISO 22301 Toolkit | The full set of policies, procedures, registers and plans that build a BCMS to the requirements of the standard.
ER16 Business Continuity Risk Register | The register that holds the BIA and continuity risk assessment - prioritised activities, impact analysis, recovery time objectives, dependencies and risks of disruption.
F-IMS21 Business Continuity Register | The summary register that captures the overall continuity arrangements, including monitoring and testing of the analysis.
F-IMS23 Opportunities and Risks Register | The strategic risks and opportunities register from Clause 6.1 that complements the continuity-specific risk assessment.

Subscribers to alphaZ have access to all of these documents and supporting material. Find out more about the alphaZ subscription.

Frequently Asked Questions

How does the BIA differ from the risk assessment?

The BIA looks at what would happen if an activity were disrupted - how bad and how quickly. The risk assessment looks at what could cause an activity to be disrupted in the first place. The BIA sets the recovery time objectives; the risk assessment identifies the threats that have to be treated to make those objectives achievable.

What is a prioritised activity?

An activity that supports the provision of products and services and that the organisation has identified as needing to continue or recover within a defined timeframe. Prioritised activities are the things the BCMS protects.

How often must the BIA and risk assessment be reviewed?

The standard requires review at planned intervals - typically annually - and when there are significant changes within the organisation or its operating context. New products, new sites, new suppliers and significant changes to the threat landscape all trigger a review.

Does ISO 22301 prescribe a particular BIA methodology?

No. The standard requires the process to be systematic and to cover the listed elements (impact types, prioritised activities, time frames, dependencies, resources). Beyond that, the methodology is for the organisation to choose. ISO 22317 provides additional guidance specifically on BIA.
