What’s the difference between a risk assessment and a business impact analysis?

Whether you’re creating a disaster recovery or business continuity plan, you must conduct a risk assessment and a BIA (business impact analysis).

These processes inform your decision making and are often grouped together because they tackle similar issues, but don’t think you can get away with doing only one.

Think of them instead as two parts of a whole. Let us explain.


Risk assessments

The risk assessment process should be familiar to most organisations. In the context of business continuity and disaster recovery, a risk assessment helps organisations determine:

  • Specific threats to their business operations;
  • How likely it is that those scenarios will occur; and
  • How severe the damage of each scenario could be.

You should begin by creating a list of every conceivable way your organisation might be disrupted.

There are plenty of examples of risks, which usually fit into one of six categories, but not all will be applicable to your organisation.

For example, if your offices are in a warm climate, there’s no need to include snowstorms.

When the list is complete, you should assign a ‘risk score’ to each scenario.

The score is calculated on a risk matrix, with one axis representing the probability of the scenario occurring and the other representing the damage the scenario will cause.

Example of a risk assessment matrix

Your scoring system doesn’t need to be exact here. You should have a general idea of the likelihood and damage of each scenario, and can score them relatively to each other.

With a score assigned to each threat, the next step is to determine your ‘risk appetite’, i.e. the level of risk you are willing to accept.

Anything above a certain score will need to be considered in your plan and anything below that score can be disregarded.

We’ve colour-coded this matrix to give you an idea of an ideal risk appetite. The threshold should generally be within the yellow or orange area, depending on the resources at your disposal.


Business impact analysis (BIA)

The BIA is where you delve deeper into the ways your organisation will be affected by each threat.

Your aim is to identify your critical business areas and estimate whether they will be damaged in each of the scenarios that fall beyond your risk threshold.

This will be done by conducting questionnaires, surveys or interviews with staff and documenting critical business processes, resources and relationships between systems.

To do this, you should consider asking:

  • What principal activities the organisation performs;
  • How staff would rank the importance of specific processes;
  • How disruption to certain functions will affect the organisation financially and logistically;
  • Which staff are required to recover crucial systems; and
  • How long it will take for the organisation to recover following certain disruptions.

This information will form the basis of your disaster recovery and/or business continuity plan.


Want to know more?

You can find out more about risk assessments and BIAs by reading  Disaster Recovery and Business Continuity.

You’ll learn how to establish disaster recovery and business continuity plans, and discover the major causes of IT failures that you need to prepare for.

Take a look