What is a business impact analysis (BIA)?

The exercise that works out which parts of a business matter most when disruption hits.

By Kat Korson · Last reviewed May 2026

Eaglepedia mascot

A business impact analysis, or BIA, is the exercise that identifies an organisation's most important activities and works out the effect of disruption on each one. It shows which functions matter most, how quickly they need to be restored and what they depend on, giving continuity planning the evidence it needs.

What a business impact analysis is

A BIA is the fact-finding step that comes before any continuity or recovery planning. It asks a simple question about each business activity: if this stopped working today, how bad would the damage be and how fast would it get worse?

The answers are what make a recovery plan useful. Without them, priorities are guesswork. ISO 22301, the international standard for business continuity management, places the BIA at the heart of continuity planning precisely because it grounds every decision in evidence about the business itself.

The BIA does not try to prevent disruption. It accepts that things will go wrong and works out what matters most when they do, so a response can be fast, targeted and proportionate.

A BIA is typically carried out when an organisation is writing or refreshing its business continuity plan, after a disruptive incident that exposed gaps in preparedness, or when a client, insurer or regulator asks for evidence of resilience planning. Any of those triggers is a good reason to start.

What a BIA looks at

A thorough BIA works through each significant activity in the organisation and captures four things for each one.

  • The impact of losing it over time. Some disruptions are minor for a day but catastrophic by the end of a week. The BIA maps how the damage grows, so the team knows when a recovery becomes urgent.
  • What the activity depends on. People, IT systems, suppliers, premises and data are the usual categories. Knowing the dependencies reveals what needs to be recovered first and what can wait.
  • How quickly it needs to be back. This is where the maximum tolerable period of disruption is established, and where RTO and RPO targets come from.
  • The recovery priority order. When everything has gone wrong at once, the BIA tells the team what to fix first.

The Business Continuity Institute's Good Practice Guidelines describe this scoping work as the foundation on which every other continuity decision rests.

How a BIA shapes continuity and recovery planning

The output of a BIA feeds directly into two related plans. The business continuity plan uses the BIA's priority ranking to set out how critical activities will keep running during disruption. The disaster recovery plan uses it to sequence the restoration of systems and data.

A BIA and a risk assessment answer different questions. A risk assessment asks how likely a threat is and what might cause it. A BIA asks how damaging the outcome would be if a failure actually occurred. Both are necessary and they work best together, but they shouldn't be confused with one another. See the entry on IT risk management for more on that distinction.

For teams building a wider incident response capability, our blog article on building a robust incident response plan shows how BIA outputs connect to the broader response structure.

Doing a proportionate BIA in a smaller business

A BIA doesn't need to be a large formal project. In a smaller business, a focused half-day workshop with the people who know each part of the operation can produce something genuinely useful. The goal is clarity about what matters most, not a lengthy report.

Start with the activities that, if they stopped, would affect customers, revenue or legal obligations. Work through the dependencies for each and agree a rough recovery priority order. Even a simple spreadsheet capturing that information is a meaningful step forward.

Review the BIA whenever the business changes significantly. A new service line, a change of key supplier or a move to cloud systems can all shift which activities are most critical and what they depend on.

Turn your BIA into a workable plan Red Eagle Tech helps growing businesses run a proportionate BIA and build it into a continuity and recovery plan that's practical to use. Find out how our IT operations service can support you.

Frequently asked questions

A BIA asks: if this activity stopped, how bad would the damage be? A risk assessment asks: how likely is this threat to happen? They complement each other, but they answer different questions. A BIA is about consequence; a risk assessment is about probability and cause.

A BIA produces a ranked list of the organisation's critical activities, the maximum tolerable downtime for each, the resources each depends on and the order in which things must be recovered. That output feeds directly into a business continuity plan and a disaster recovery plan.

In larger organisations a business continuity manager leads the process, but a BIA works best when the people who actually run each business function take part. In a smaller business the owner or a senior manager can conduct a focused workshop with department leads and get a useful result.

The BIA is where RTO (recovery time objective) and RPO (recovery point objective) targets are set for each critical activity. It works out how long a function can be down and how much data loss is tolerable before the damage becomes unacceptable, so the recovery targets reflect real business need.

Most guidance, including that from the Business Continuity Institute, recommends reviewing the BIA at least annually and whenever a significant business change occurs - such as a new service, a major supplier change or a restructure. An outdated BIA can produce recovery plans that no longer match the business.
Kat Korson - Company Director at Red Eagle Tech

About the author

Kat Korson

Company Director

Company Director at Red Eagle Tech, leading our mission to make enterprise-grade technology accessible to businesses of all sizes. With a background spanning marketing, operations, and business development, I understand firsthand the challenges businesses face when trying to leverage technology for growth.

Read more about Kat

Discovery call

A friendly 15-minute video call with Kat to understand your needs. No preparation needed.

  • Discuss your project
  • Get honest advice
  • No obligation
Choose a time
Kat Korson, Founder of Red Eagle Tech

Kat Korson

Founder & Technical Director

Our team has 10+ years delivering software solutions for growing businesses across the UK.

Send us a message

Your information is secure. See our privacy policy.

Microsoft Partner Network certified technology partner badge
DesignRush Top AI Company award badge
Clutch Top Company award badge
Secure payment methods accepted: Visa, Mastercard, American Express and more

Find us