A Business Impact Analysis (BIA) is a systematic process to determine and evaluate the potential effects of an interruption to critical business operations. The two most fundamental data types required from business unit leaders are the identification of critical processes (F) and the quantification of the costs associated with downtime (C) for those processes. Identifying critical processes is the foundational step, establishing what the BIA will analyze. Quantifying the financial and operational costs of a disruption (e.g., lost revenue, penalties, reputational damage) is the core of the "impact" analysis, which is essential for prioritizing recovery efforts and defining Recovery Time Objectives (RTOs).

A. Inventory details: This is a component of asset management or a technical risk assessment, not a primary input from business leaders for a BIA, which focuses on processes and impact.

B. Applicable contract obligations: While important, these obligations (like SLAs) are a component of the overall impact, which is more comprehensively captured by the total costs associated with downtime.

D. Network diagrams: These are technical artifacts used in the subsequent disaster recovery planning phase to design solutions, not a primary business-level input for the BIA itself.

E. Contingency plans: These are an output of the business continuity process. They are created after the BIA has been completed to address the identified risks and impacts.

1. NIST Special Publication 800-34 Rev. 1

Contingency Planning Guide for Federal Information Systems.

Section 3.2

Business Impact Analysis (BIA)

Step 1 (Page 16): "The first BIA step is to identify the organization’s mission/business processes and determine their recovery criticality." This directly supports the selection of F. Critical processes.

Section 3.2

Business Impact Analysis (BIA)

Step 2 (Page 17): This step involves identifying outage impacts. The guide states

"Impacts may include... financial

loss of revenue..." This directly supports the collection of data on C. Costs associated with downtime.

2. Herbane

B. (2010). The evolution of business continuity management: A historical review of practices and drivers. Business History

52(6)

978-1002.

Page 985: The article describes the BIA process as involving the identification of "the critical processes which are essential for survival" and assessing "the business impact of a failure of these processes

which is usually measured in financial terms." This supports both F. Critical processes and C. Costs associated with downtime as central to the BIA. DOI: https://doi.org/10.1080/00076791.2010.511185

3. University of Illinois at Urbana-Champaign

CS 461/ECE 422: Computer Security I

Lecture 23: Business Continuity.

Slide 6

"Business Impact Analysis": The lecture material defines the BIA as the process to "Identify critical business functions" and "Determine tangible and intangible impact of the loss of that function." Tangible impacts are explicitly listed as financial losses

directly corresponding to F. Critical processes and C. Costs associated with downtime.