ISO 22301 · ISO 22317 · DORA Art. 11 · NIS2

Business Impact Analysis (BIA) — Complete 2026 Guide

7-step method, worked exercises, free Excel template, automatic RTO/RPO calibration. The cornerstone of your BCMS — compliant with ISO 22301, NIS2, DORA.

7-step methodology

From scope definition to yearly review — each step is a deliverable.

Step 1

Define scope and objective

Which business processes? At what aggregation level (business line, BU, application)? For what purpose (feeding the BCP, the DRP, an ACPR audit)? An executive sponsor is identified.

Step 2

Map processes and their dependencies

Inventory processes → applications → infrastructure → suppliers → key people. Granularity depends on maturity (5–50 processes to start with).

Step 3

Evaluate impacts (4 axes)

For each process, assess the impact of an outage at H+1, H+4, H+24 and H+72 on four axes: financial (€ lost), regulatory (penalties), operational (customers) and reputational (brand).

Step 4

Calibrate RTO, RPO, MTPD

From the impacts, derive the targets: RTO (maximum downtime), RPO (acceptable data loss), MTPD (absolute ceiling). See our RTO/RPO guide.

Step 5

Identify minimum critical resources

What is the minimum number of staff, what degraded infrastructure is acceptable, which suppliers serve as fallback? The minimum critical resources (RCM) are the foundation of the BCP.

Step 6

Get business management validation

The BIA is not an IT deliverable. The business director signs off on criticality, RTO/RPO and minimum resources. Without a signature, the BIA is not enforceable.

Step 7

Periodically review

Review at least yearly, and at each major change (acquisition, new business line, disaster). For an ACPR or ISO 22301 audit, the review must be documented.

Frameworks covered

ISO 22301: Article 8.2 — Business Impact Analysis
ISO 22317: Detailed BIA guidelines
DORA: Article 11 — RTO/RPO/MTPD per CIF
NIS2: Article 21(c) — continuity management
ANSSI: ANSSI BIA guide for critical IS
ITIL 4: Service Continuity Management

BIA frequently asked questions

What is a Business Impact Analysis (BIA)?

A Business Impact Analysis (BIA) measures the consequences for the organization of an interruption of each business process. It produces a quantified criticality per process and recovery objectives (RTO/RPO/MTPD). It is the mandatory foundation of an ISO 22301 Business Continuity Management System (BCMS).

What are the BIA planning steps?

7 steps: (1) define scope and objective, (2) map processes and dependencies, (3) evaluate impacts on 4 axes (financial, regulatory, operational, brand) at H+1/4/24/72, (4) calibrate RTO/RPO/MTPD, (5) identify minimum critical resources, (6) get business management validation, (7) periodically review (yearly + on major change).

Are there worked BIA exercises and answers?

Yes, ResiPlan provides a library of worked BIA exercises across various sectors (bank, hospital, e-commerce, manufacturing). Each exercise presents a realistic case with processes, dependencies, impacts to compute; the answer shows the step-by-step method. Available on free signup.

Which free BIA Excel template is available?

ResiPlan provides a free ISO 22301-compliant BIA Excel template with 5 tabs: scope, processes, dependencies, impacts (4-axis matrix), RTO/RPO. The template is immediately usable to start a BIA, even without a platform. The download link is available after free signup.

How long does a BIA take in an SME?

For an SME of 50–250 staff with 10–30 business processes: 5 to 10 person-days spread over 4 to 6 weeks. With ResiPlan and AI enrichment, this drops to 2–4 person-days (the AI proposes processes, dependencies and impacts to validate). First usable deliverable in 2 hours.

Is BIA mandatory under NIS2 and DORA?

Yes, implicitly. NIS2 Article 21(c) requires "business continuity management" without imposing a formal BIA, but without one you cannot justify the RTO/RPO. DORA Article 11 explicitly requires per-CIF traceability with calibrated RTO/RPO/MTPD, which is a BIA. For the ACPR, ANSSI and BaFin regulators, a missing BIA is a deal-breaker.

How does the BIA link to the BCP / DRP / IRP?

The BIA is upstream: it says WHAT to protect and at WHAT level (RTO/RPO). The plans (BCP: business continuity, DRP: disaster recovery, IRP: incident response) say HOW. Without a BIA, the plans lack prioritization. ResiPlan automatically links each BIA process to the relevant plans and alerts if a plan misses the RTO.

First BIA deliverable in 2 hours with ResiPlan

Free 14-day trial. Guided wizard, AI for process/impact enrichment, automatic RTO/RPO calibration, Excel + PDF export.
