
How do BIAs and Risk Assessments work together?

Published on June 07, 2019

Business impact analysis (BIA) and risk assessments are information gathering techniques used to identify critical functions within a business and the potential hazards or incidents that would affect normal operations. Within each process there is an analysis and evaluation stage where the identified risks and the loss of vital business components are prioritised, and control measures and continuity strategies put in place.

Combined, a BIA and a Risk Assessment make up two vitally important and distinct steps within a business continuity plan.

So, what comes first?

In general, a BIA would usually be completed first, before a risk assessment, because it is important to identify the critical business functions and the impact their loss would have on the business before looking at the hazards or events (extreme weather, cyber-attacks, etc.) that might cause that loss should they occur.

Armed with the knowledge of the consequences an interruption would cause and the financial implications it would have for the business, you can then look at the risks and prioritise them based on how likely each is to occur and which would have the greatest impact on the critical business functions identified in the BIA.

This is a cyclical process: as new activities and functions are added to the business, they bring new potential hazards and impacts that must be assessed for criticality and prioritised again and again.
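The prioritisation described above, as an added illustration that is not part of the original article: the BIA supplies an impact rating and a maximum permissible downtime per business function, the risk assessment supplies a likelihood per hazard and the functions it could interrupt, and joining the two gives a ranked risk register. The functions, hazards and ratings below are constructed sample data, and the 1 to 5 scales and the likelihood x impact score are assumptions for the example, not a method the article prescribes.

```python
from __future__ import annotations
from dataclasses import dataclass

# The rating scales (1..5) and the likelihood x impact score are assumptions for
# this example; the sample functions and hazards below are constructed data.


@dataclass(frozen=True)
class BusinessFunction:
    """A business function identified and rated in the BIA."""
    name: str
    impact: int               # impact of losing this function, 1 (minor) .. 5 (severe)
    max_downtime_hours: int   # maximum permissible downtime agreed in the BIA


@dataclass(frozen=True)
class Hazard:
    """A hazard or event considered in the risk assessment."""
    name: str
    likelihood: int           # likelihood of occurrence, 1 (rare) .. 5 (almost certain)
    affects: tuple[str, ...]  # names of the BIA functions this hazard could interrupt


@dataclass(frozen=True)
class RiskEntry:
    hazard: str
    function: str
    score: int                # likelihood x impact
    max_downtime_hours: int


def _check_rating(value: int, label: str) -> None:
    if not 1 <= value <= 5:
        raise ValueError(f"{label} must be between 1 and 5, got {value}")


def build_risk_register(functions, hazards) -> list[RiskEntry]:
    """Join BIA impact ratings with risk-assessment likelihoods.

    Every (hazard, function) pair the hazard could interrupt becomes one entry
    scored likelihood x impact. Entries are sorted highest score first; ties go
    to the function with the shorter permissible downtime. A hazard that names
    a function the BIA never identified is rejected, since that is a gap in the
    BIA rather than something to score.
    """
    by_name = {f.name: f for f in functions}
    for f in functions:
        _check_rating(f.impact, f"impact of {f.name!r}")
    entries: list[RiskEntry] = []
    for h in hazards:
        _check_rating(h.likelihood, f"likelihood of {h.name!r}")
        for fname in h.affects:
            if fname not in by_name:
                raise ValueError(f"hazard {h.name!r} references unknown function {fname!r}")
            f = by_name[fname]
            entries.append(RiskEntry(h.name, f.name, h.likelihood * f.impact, f.max_downtime_hours))
    entries.sort(key=lambda e: (-e.score, e.max_downtime_hours, e.hazard, e.function))
    return entries


def total_score_by_hazard(register) -> dict[str, int]:
    """Aggregate the register per hazard to rank the hazards themselves."""
    totals: dict[str, int] = {}
    for e in register:
        totals[e.hazard] = totals.get(e.hazard, 0) + e.score
    return dict(sorted(totals.items(), key=lambda kv: (-kv[1], kv[0])))


# Constructed BIA output: three functions with hypothetical ratings.
FUNCTIONS = (
    BusinessFunction("Order processing", impact=5, max_downtime_hours=4),
    BusinessFunction("Payroll", impact=4, max_downtime_hours=48),
    BusinessFunction("Marketing website", impact=2, max_downtime_hours=72),
)

# Constructed risk-assessment output: hazards with hypothetical likelihoods.
HAZARDS = (
    Hazard("Cyber-attack (ransomware)", likelihood=4,
           affects=("Order processing", "Payroll", "Marketing website")),
    Hazard("Extreme weather", likelihood=2,
           affects=("Order processing", "Marketing website")),
    Hazard("Supplier failure", likelihood=3, affects=("Order processing",)),
)

if __name__ == "__main__":
    register = build_risk_register(FUNCTIONS, HAZARDS)
    for e in register:
        print(f"{e.score:>3}  {e.hazard:<26} -> {e.function} (max downtime {e.max_downtime_hours}h)")
    print(total_score_by_hazard(register))
```

Re-running the script whenever a function is added to the BIA or a hazard to the risk assessment gives the re-prioritisation the article describes; the per-hazard totals show which single event threatens the most critical capacity overall, while the per-entry register shows which function to protect first.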

Who carries out the BIA and Risk Assessment?

A BIA can be performed internally by creating a project team from existing departments or by using specifically trained Business Continuity personnel, either internally or external to the company.

Those responsible would communicate with every department of the business to identify all business functions, assess which are critical to the normal operations of the business and document the findings.

These findings can then be reviewed by senior management to devise a business continuity plan and disaster recovery strategy that takes into account maximum permissible downtime for important business functions and acceptable losses in areas such as data, finances and reputation. Senior managers need to review and update the BIA periodically and as business operations change.

Risk Assessments don't necessarily need specially trained individuals to carry them out. However, an employer must appoint someone competent to help meet health and safety duties. A competent person is someone with the necessary skills, knowledge and experience to manage health and safety and carry out a risk assessment.

A risk assessment identifies potential hazards such as a hurricane, earthquake, fire, supplier failure, utility outage or cyber-attack, and the probability that those hazards will occur to your business.

The assessment then analyses those threats, evaluates key areas of vulnerability and measures the potential impact.

Assets put at risk can include people, property, supply chain, information technology, business reputation and contract obligations.

Points of weakness that make an asset more prone to harm are reviewed and a mitigation strategy may be developed to reduce the probability that a hazard will have a significant impact.

A brief history of Risk and BIAs

Humans have always assessed risks, but the modern terms for managing risk are believed to have arisen after World War II, when the discipline mostly began as a study of using insurance to manage risk.

Later, from the 1950s to the 1970s, risk managers began to realise that it was too expensive to manage every risk with insurance, so the discipline began to expand to alternative methods. For example, training and safety programmes were brought in to mitigate the identified risks and hazards.

More and more companies now accept risks themselves (risk retention) rather than transferring them (insurance); it's all about weighing the two and determining what's best for the company, i.e. which is most cost effective.

The first Business Impact Analyses (BIAs) were brought into practice in the 1980s, as Business Continuity gradually progressed towards protecting elements of the organisation other than just the large technology elements, which were deemed the most important at the time.

A closer look at other business processes then began; however, the market remained largely concentrated on the functionality of a business in terms of its hardware and systems until the 1990s, when it became more inclusive of other business functions, including its employees. You can read more on this subject in our 'development of business continuity management' blog.

In summary, the BIA and Risk Assessment are separate processes implemented together to form an effective Business Continuity Management System.

Each has its own standards and requirements, but each can also provide great value to the other.

  • The BIA can provide a better understanding of critical business functions and the infrastructure and resources required to support these.
  • The Risk Assessment can provide a better view of emerging threats and a systematic approach to monitoring and managing risk.

In a world where business disruptions are an everyday occurrence, it's critical to make sure you have business continuity plans in place to ensure your organisation can recover to its full working capacity as quickly as possible.

Continuity2 has been helping organisations achieve complete resilience for the past 16 years. We know this discipline inside-out, and our CEO even helped standardise it! But don't just take our word for it: book a demo today and see for yourself.