Module 20: Business Impact Analysis (BIA)

CRISC Domain 2 — IT Risk Assessment, Section B
You cannot prioritize recovery if you don't understand impact.

Business Impact Analysis (BIA) identifies:

  • Critical business processes
  • Dependencies
  • Maximum tolerable disruption
  • Financial and operational consequences
  • Recovery priorities

BIA supports risk analysis by clarifying what truly matters.


What the exam is really testing

When BIA appears, CRISC is asking:

  • Have critical processes been identified?
  • Is impact measured in business terms?
  • Are recovery objectives defined?
  • Is prioritization aligned with business value?
  • Are dependencies understood?

BIA informs risk prioritization and response — not just continuity planning.


What BIA identifies

A mature BIA includes:

  • Critical business processes
  • Supporting systems and assets
  • Internal and external dependencies
  • Financial impact
  • Operational impact
  • Regulatory impact
  • Reputational impact
  • Maximum Tolerable Downtime (MTD)
  • Recovery Time Objective (RTO)
  • Recovery Point Objective (RPO)

CRISC expects conceptual understanding — not memorization of every term.


MTD vs RTO vs RPO (high-yield distinction)

These are frequently confused.

Maximum Tolerable Downtime (MTD)

The longest time a business process can be unavailable before unacceptable impact occurs.

This is a business decision.


Recovery Time Objective (RTO)

The targeted time to restore a system or process after disruption.

RTO must be less than or equal to MTD. In practice it is set below MTD so that time remains, after the system is back, to verify it and resume the business process before the tolerance is exhausted.


Recovery Point Objective (RPO)

The maximum acceptable amount of data loss, expressed as a period of time: how old the most recent recoverable copy of the data may be at the moment of disruption.

Example:

  • “No more than 4 hours of data loss.”

An RPO of 4 hours therefore requires backups or replication at least every 4 hours. RTO says nothing about data loss, and RPO says nothing about downtime.

CRISC expects you to understand these relationships.


The most common exam mistakes

Candidates often:

  • Treat BIA as purely technical
  • Confuse MTD and RTO
  • Focus only on IT systems instead of business processes
  • Ignore dependency mapping
  • Assume highest revenue process is always highest priority

CRISC emphasizes business impact over technical importance.


Example scenario (walk through it)

Scenario:
A payment processing system supports daily revenue transactions. The business determines that interruption beyond 24 hours would cause severe financial and reputational damage.

What does the 24-hour threshold represent?

A. RTO
B. RPO
C. MTD
D. Residual risk

Correct answer:

C. MTD

The business, not the recovery team, set the 24-hour point at which impact becomes unacceptable; that is the definition of MTD. An RTO would be the recovery target set within that window, and an RPO concerns data loss, not downtime.


Slightly harder scenario

A system has an MTD of 48 hours. The recovery team sets an RTO of 72 hours.

What is the governance issue?

A. Excessive tolerance
B. RTO exceeds MTD
C. Weak threat modeling
D. Poor asset classification

Correct answer:

B. RTO exceeds MTD

RTO must not exceed MTD.

If it does, the recovery plan cannot meet the business requirement even when executed perfectly. Either recovery capability must improve so that RTO falls within 48 hours, or the business must consciously revise its tolerance.


BIA and risk assessment

BIA informs:

  • Impact scoring
  • Risk prioritization
  • Control investment
  • Disaster recovery planning
  • Incident response planning

Without BIA, impact estimation becomes subjective.

CRISC prefers structured impact analysis.


Dependency analysis

Critical processes depend on:

  • Applications
  • Infrastructure
  • Vendors
  • Data
  • Personnel
  • Facilities

If dependencies are not mapped, recovery planning may be incomplete.

CRISC often tests overlooked dependencies — especially third-party reliance.
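The checks in this module (RTO must not exceed MTD, and every dependency must be mapped) can be applied mechanically to a BIA register. The following is an added example, not code from the module or from ISACA, and it goes slightly beyond the text: a supporting system inherits the tightest RTO and RPO of every process that reaches it, directly or through other systems, so a shared database can end up needing a 4-hour recovery even though the process that owns it tolerates 24 hours. All process names, component names and figures are constructed for illustration.

```python
"""Recovery-objective consistency over a BIA dependency map.

Added example, not part of the CRISC module; every process, component and
figure below is constructed for illustration."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class Process:
    name: str
    mtd: float            # Maximum Tolerable Downtime (hours): a business decision
    rto: float            # Recovery Time Objective (hours): the recovery team's target
    rpo: float            # Recovery Point Objective (hours of tolerable data loss)
    daily_revenue: float  # informational only; it does not drive priority
    depends_on: List[str] = field(default_factory=list)  # supporting components


@dataclass
class Component:
    """A supporting system, vendor, facility or data set with planned objectives."""
    name: str
    planned_rto: float
    planned_rpo: float
    depends_on: List[str] = field(default_factory=list)  # nested dependencies


def closure(name: str, components: Dict[str, Component]) -> Set[str]:
    """Everything reachable from `name`, itself included; tolerates cycles and
    keeps a name with no Component entry as an unmapped leaf."""
    seen: Set[str] = set()
    stack = [name]
    while stack:
        cur = stack.pop()
        if cur in seen:
            continue
        seen.add(cur)
        if cur in components:
            stack.extend(components[cur].depends_on)
    return seen


def process_findings(processes: List[Process]) -> List[str]:
    """The module's governance check: a process RTO must not exceed its MTD."""
    return [f"{p.name}: RTO {p.rto}h exceeds MTD {p.mtd}h" for p in processes if p.rto > p.mtd]


def required_objectives(processes: List[Process], components: Dict[str, Component]
                        ) -> Dict[str, Tuple[float, float, Set[str]]]:
    """Tightest (RTO, RPO) each component inherits, and the processes imposing it.
    A component must return within the RTO of every process that reaches it,
    directly or through other components; MTD caps a mis-set process RTO."""
    req: Dict[str, Tuple[float, float, Set[str]]] = {}
    for p in processes:
        for dep in p.depends_on:
            for comp in closure(dep, components):
                rto, rpo, users = req.get(comp, (float("inf"), float("inf"), set()))
                req[comp] = (min(rto, p.rto, p.mtd), min(rpo, p.rpo), users | {p.name})
    return req


def component_findings(processes: List[Process], components: Dict[str, Component]) -> List[str]:
    """Planned objectives looser than the inherited ones, plus unmapped dependencies."""
    out: List[str] = []
    for name, (rto, rpo, users) in sorted(required_objectives(processes, components).items()):
        who = ", ".join(sorted(users))
        if name not in components:
            out.append(f"{name}: dependency is unmapped, no recovery objectives recorded (needed by {who})")
            continue
        c = components[name]
        if c.planned_rto > rto:
            out.append(f"{name}: planned RTO {c.planned_rto}h exceeds required {rto}h (needed by {who})")
        if c.planned_rpo > rpo:
            out.append(f"{name}: planned RPO {c.planned_rpo}h exceeds required {rpo}h (needed by {who})")
    return out


def recovery_priority(processes: List[Process]) -> List[str]:
    """Recovery order: shortest MTD first; revenue only breaks ties."""
    return [p.name for p in sorted(processes, key=lambda p: (p.mtd, -p.daily_revenue))]


# Constructed sample BIA data (hypothetical names and figures).
PROCESSES = [
    Process("payment-processing", 24, 8, 1, 2_000_000, ["payments-app"]),
    Process("customer-onboarding", 72, 48, 24, 50_000, ["crm", "id-verification-vendor"]),  # vendor never mapped
    Process("regulatory-reporting", 4, 6, 0.5, 0, ["reporting-db"]),  # RTO set above MTD
]
COMPONENTS = {c.name: c for c in [
    Component("payments-app", 4, 1, ["core-db", "card-gateway-vendor"]),
    Component("crm", 24, 12, ["core-db"]),
    Component("reporting-db", 8, 4, ["core-db"]),
    Component("core-db", 12, 4),
    Component("card-gateway-vendor", 48, 0),
]}

if __name__ == "__main__":
    for line in process_findings(PROCESSES) + component_findings(PROCESSES, COMPONENTS):
        print("FINDING", line)
    print("Recovery priority:", " > ".join(recovery_priority(PROCESSES)))
```

Run as a script it reports one process finding (the 6-hour RTO against a 4-hour MTD, the same defect as the 48/72 scenario above), the shared core-db whose planned 12-hour recovery and 4-hour data loss are both looser than what regulatory reporting imposes on it, the card gateway vendor whose 48-hour contractual recovery cannot support an 8-hour payments RTO, and the identity-verification vendor that nobody recorded at all. The priority list puts the zero-revenue regulatory process first because its MTD is shortest, which is the point the module makes about revenue not equalling priority.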


Regulatory & contractual impact

BIA must consider:

  • Legal obligations
  • Service-level agreements
  • Regulatory reporting deadlines

Business impact is not just financial — it includes compliance exposure.


BIA vs risk assessment

BIA focuses on:

  • Impact of disruption

Risk assessment focuses on:

  • Likelihood × Impact of a specific risk event

BIA informs the impact component of risk assessment.

CRISC expects you to understand their relationship.


Quick knowledge check

1) What is the primary purpose of a Business Impact Analysis?

A. Identify threats
B. Estimate likelihood
C. Determine impact of business process disruption
D. Deploy recovery controls

Answer & reasoning

Correct: C

BIA focuses on impact, not threat likelihood.


2) If RTO exceeds MTD, what does this indicate?

A. Acceptable risk
B. Strong governance
C. Misalignment between recovery planning and business tolerance
D. Excessive mitigation

Answer & reasoning

Correct: C

Recovery objectives must align with business tolerance.


3) Which factor is MOST critical when conducting a BIA?

A. Firewall configuration
B. Business process criticality
C. Encryption algorithms
D. Vulnerability scanning frequency

Answer & reasoning

Correct: B

BIA begins with understanding business process importance.


Final takeaway

Business Impact Analysis:

  • Identifies critical processes
  • Defines acceptable disruption
  • Informs prioritization
  • Supports recovery planning
  • Strengthens impact scoring in risk assessment

MTD defines tolerance.
RTO defines recovery target.
RPO defines data loss tolerance.

CRISC rewards candidates who keep BIA business-focused — not technology-focused.

Next: Module 21: Inherent and Residual Risk