The Business Impact Analysis (BIA) is the formal and foundational process within Business Continuity Management used to identify an organization's critical products, services, and their supporting activities. It analyzes the impacts of a disruption to these activities over time. The primary outputs of a BIA are the prioritization of activities, the determination of maximum tolerable periods of disruption (MTPD), and the establishment of Recovery Time Objectives (RTOs), which define the required recovery timeframes. The BIA also identifies the minimum level of resources (e.g., people, technology, facilities, suppliers) needed to achieve recovery.

A. A risk assessment identifies and analyzes potential threats and vulnerabilities, not the time-sensitive impact of a disruption on specific business activities.

B. An exercise is conducted to validate and improve existing business continuity plans and capabilities, not to initially determine requirements and priorities.

D. A meeting with owners of product and services activities is a data-gathering technique used during a BIA, but it is not the comprehensive analysis process itself.

1. Business Continuity Institute (BCI), Good Practice Guidelines (GPG), 2018 Edition.

Section 4.3, Business Impact Analysis (BIA): "The BIA is the process of analysing the business activities and the effect that a business disruption might have upon them... The BIA process enables the organization to: quantify the impacts of a disruption...; identify the priority for the recovery of products and services and their supporting activities and resources; [and] determine the RTO for each activity..."

2. ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements.

Clause 8.2.2, Business impact analysis and risk assessment: This clause mandates that the organization's BIA process shall "a) identify the products and services... and the activities that support their provision;" "b) determine the time frames for resuming disrupted activities... at a specified minimum acceptable level;" and "c) identify the dependencies and determine the resources required by the prioritized activities..."

3. Hiles, A. (2011). The Definitive Handbook of Business Continuity Management (3rd ed.). Wiley.

Chapter 12, The Business Impact Analysis Stage: "The BIA is the process that identifies the critical business processes of an organization, the resources required to support them, and the impact of a failure of these processes over time... The BIA will provide the data from which the appropriate continuity strategy can be determined." (Paraphrased from concepts throughout the chapter).