Business Impact Analysis & Threat and Risk Assessments (TRA)

Click to explore


As part of the business impact analysis recovery time and recovery point objectives not already assigned will be assigned to the critical processes/activities to help determine the basic recovery requirements. The recovery time objective (RTO) is the time from when an incident happens to the time that the critical business activity must be fully operational in order to avoid damage to the business and the Recovery Point Objective describes the interval of time that might pass during a disruption before the quantity of data or production etc lost during that period exceeds maximum allowable threshold or “tolerance.”

BIA Considerations

  • Critical business processes, including key services, resources, and staff.
  • Potential disruptions that could impact affect the business.
  • Critical business processes essential for continued service or production and that without being functional the business could not operate.
  • The records and documents used every day
  • The resources and equipment needed to operate
  • The access needed to the premises
  • The skills and knowledge of staff needed to run the business
  • External stakeholders relied on or who rely on the business
  • The legal obligations required to be met
  • The impact of ceasing to perform critical business activities
  • How long the business can survive without performing these activities.

Output from the BIA

The potential impacts of a disruption to critical business sub processes / activities because of a disaster, accident, or emergency

  • Names of organisations and/or sub-processes / activities the critical sub process / activity depends on for normal operations
  • Quantitative Impacts - Financial amount associated with the critical sub process / activity, e.g., annual revenue generated by the process and potential losses
  • Qualitative Impacts - Non-financial impact to the company, e.g., loss of reputation, loss of customers 


  • Implementation of threat and risk assessment, business continuity planning and stakeholder engagement management.

A Threat and Risk Assessment (TRA) is conducted to analyze the impact on the business to determine the magnitude of the exposure to threats.  This part of the process builds on those processes and activities identified in BIA that are critical to the operation of the business and the speed at which the impact of their loss will be felt and within what timescale. 

TRA Considerations

  • The importance of critical processes to the business
  • The amount of control over the risk
  • Potential losses to the business (see Output from the BIA set out above)
  • Benefits or opportunities presented by the risk

The risks are ranked in order of priority and decisions taken regarding which methods will be used to treat unacceptable risks and incorporate in the Risk Management Plan.

Output from the TRA

  • Potential threats - Power Outage (Regional Blackout), IT System crash etc.
  • Information types affected - Accounting records - invoices, bills, accounts, Supplier contracts etc.
  • Risk decisions – inherent and residual and preventive actions (Proposed controls)
  • Whether there is adequate insurance coverage for the loss of income if customers affected by a disaster stop ordering products or services
  • Whether appropriate insurance is in place to cover other related issues such as on-site injuries to staff or visitors, or for loss of customers' goods or materials
  • Whether there is adequate insurance coverage regarding supplier/s affected by a disaster that are unable to deliver necessary supplies for the business
  • Coverage for workers' compensation obligations in case any of staff being injured in a crisis.
  • Concurring where BCP’s (Business Continuity Plans) are required

Information gathering methods

Obtaining the information needed for the BIA and the Risk Assessments from relevant areas of the organisation is a complex process for which we utilize 2 methods:

  • Interviews: in this method the BIA/RISK information is collected personally by interviewing the process/activity owners.  The questions are aimed at each process/activity concerned.  This method is accurate and minimizes the possibility of misinterpreting the questions.
  • Workshops: this method allows a group of people strategically chosen to work together to provide the BIA/RISK information needed. A large amount of data is generated in a short period of time with this method. This technique also allows the activity owners to have a systematic view of the BIA process and to clear out any misunderstanding regarding the BIA process.  An important advantage associated with this method is the teamwork spirit it helps to create among owners of critical processes/activities.


Disaster recovery process business continuity plans

  • Develop testing criteria and procedures.
  • Perform testing: Checklist tests, Simulation tests, Parallel tests. Full recovery / interruption tests
  • Determining the feasibility and compatibility of backup facilities and procedures
  • Identifying areas in the plan that need modification
  • Providing training to the team managers and team members
  • Providing motivation for maintaining and updating the business continuity plan
  • Evaluating the adequacy of the third party’s business continuity plan
  • Ensure that the company’s business continuity plan is compatible with the respective third party’s plan
  • Approve and Implement Plan
  • Provision of ongoing BCP and Disaster Recovery Process assessments at pre-determined frequencies (i.e. quarterly, half-yearly, annually) to ensure the continuity of services and the updating of the BCP where required.
  • Develop procedures to review the impact of new processes, systems, and technology on a regular basis. (i.e. quarterly, half-yearly, annually)
  • Documenting of all changes to the original business continuity plan