This enterprise-wide BIA template can be used by any organization.
The purpose of this document is to help businesses conduct a Business Impact Analysis (BIA), which identifies the business’s critical processes, required resources for each process and the order in which processes need to be recovered. This document provides guidance on how to conduct the BIA, analyze the information that is collected, and report the findings of the assessment. The following documents are available to help the business complete the assessment:
The Business Impact Analysis is only one part of the overall Business Assessment. A Business Assessment is separated into two constituents: the Risk Assessment and the Business Impact Analysis (BIA). The Risk Assessment is intended to measure present vulnerabilities in the business's environment, while the Business Impact Analysis evaluates the probable loss that could result during a disaster. To get the most value from the Business Impact Analysis, a Risk Assessment should also be completed.
BUSINESS IMPACT ANALYSIS
Objectives of the Business Impact Analysis
Developing the Project Plan
BIA Process Steps
PHASE ONE – PROJECT DEVELOPMENT
Objectives and Deliverables
Method of Collection
PHASE TWO – GATHER DATA
PHASE THREE – APPLICATION & DATA CRITICALITY
PHASE FOUR – ANALYZE THE DATA
Review Business Unit BIA
Report the Results
FINAL REPORT & PRESENTATION
Creation of Executive Report
Appendix A: Business Impact Analysis Short Template
Appendix B: Business Impact Analysis Long Version Template
Appendix C: Application & Data Criticality Analysis Template
Appendix D: Final Business Unit Report Template
Appendix E: Final Executive Report Template
Appendix F: Sample BIA Questions
Appendix G: Examples of Impacts
Due to HIPAA Security Rule regulations, organization must implement Contingency Planning Practices to ensure the protection of ePHI (electronic Protected Health Information). In order to accomplish this undertaking, there are several steps that organization will be completing to identify critical business functions, processes and applications that process ePHI and to understand the potential impact to the business if a disruptive event occurred.
The first step in implementing the Contingency Program for organization is to conduct a Business Impact Analysis (BIA). This questionnaire will help each business unit identify its critical business functions and recovery requirements, as well as estimate the impact of a disaster (or prolonged outage) on the business unit. Once the survey is completed, the BIA Project Team will review and analyze the data and create a prioritized recovery strategy to present to senior management.
For the purpose of this BIA, answer each question based on the "worst-case scenario". This means your workplace and all records, files, and equipment in it are inaccessible. The priority of this questionnaire is to identify any business process or application that currently contains ePHI. However, please answer all questions regardless of ePHI status. By completing all questions to the best of your knowledge, a recovery strategy that best meets the needs of the business can be established.
Some questions relate directly to a specific process, whereas other questions are about the business unit in general. Some sections contain an additional "Notes" area to amplify or explain your responses. While this is not a requirement, it can be useful in helping the Project Team understand the nature of your business unit's operations.
Business Unit / Department Information
ePHI (electronic Protected Health Information)
Business Unit Vulnerability
Process Criticality & Frequency
Process Unavailability Impact
Manual Work-Around Procedures for Processes
Alternate Facilities / Work-load shifting
Internal Received Dependencies (Same Company)
Internal Sent Dependencies (Same Company)
External Received Dependencies (Outside Provider)
External Sent Dependencies (Outside Provider)
Specialized Supplies and Clerical Type Resources
Customer & Operational Impact
Legal & Regulatory Impact
The intent of the Business Impact Analysis (BIA) was to help our organization identify which business units, operations, and processes are crucial to the survival of the business. The BIA has identified the time frames in which essential business operations must be restored to full functionality following a disruptive event. It has defined the business impact of not performing critical business operations, based on a worst-case scenario. The BIA has also identified the resources required to resume business operations at a functioning level.
A worst-case scenario assumes that the physical infrastructure supporting each respective business unit has been destroyed and that all records, equipment, etc., are not accessible within 30 days.
The objectives for this BIA were:
The RTO (Recovery Time Objective) is the maximum allowable time a process can be inoperative following an outage or disruptive event.
These timeframes may have to be re-evaluated against the capabilities of the technology in place. If the capabilities of the technology do not meet the requirements of the business unit, a gap exists. These gaps must be mitigated to prevent extended outages and impact to your organization.
Department Responses and Findings
BUSINESS UNIT RESULTS
SUMMARY OF FINDINGS
Combined Financial Impact
Combined Customer/Operational Impact
Combined Legal and/or Regulatory Impact
Recovery Personnel Requirements
Recovery Time Objectives for Business Processes
Manual Work-Around Processes
Work Backlog Processing
Recovery Complexity for Business Units
|Location of Department:|
|Participant:||Date of Report:|
The interview was conducted by on .
The department is responsible for
The Business Impact Analysis (BIA) Policy document establishes the activities that need to be carried out by each Business Unit, Technology Unit, and Corporate Unit (department) within the organization.
All departments must use this methodology to identify the processes they perform, the resources required to perform those processes, the timeframes in which those processes need to be recovered, any supporting dependencies, resources, facilities, etc., and the potential financial, operational, and legal/regulatory impact of those processes.
Table of Contents
I. POLICY OVERVIEW
C. Ownership Roles & Responsibilities
D. Review Process
E. Reporting Process
F. Update Frequency and Annual Review
II. BIA REQUIREMENTS
A. BIA Completion
B. Business Process Identification
C. Business Process Recovery Time Objective
D. Financial Impact
E. Operational Impact
F. Legal and Regulatory Impact
G. Manual Work-Around Procedures
H. Required Resource
III. BIA RESULTS
A. Overall RTO for Department
C. Retention of BIA Survey
APPENDIX A: BUSINESS IMPACT ANALYSIS STANDARDS
To view a specific section of this document, please contact us at Bob@training-hipaa.net or call us at (515) 865-4591.