Domain 2: Risk Assessment Module 20 of 61

Module 20: Business Impact Analysis (BIA)

CRISC Domain 2 — IT Risk Assessment | Section B | 10–12 min read
You cannot prioritize recovery if you don't understand impact.

Business Impact Analysis (BIA) identifies:

  • Critical business processes
  • Dependencies
  • Maximum tolerable downtime (how long each process can be unavailable)
  • Financial and operational consequences
  • Recovery priorities

BIA supports risk analysis by clarifying what truly matters.


What the exam is really testing

When BIA appears, CRISC is asking:

  • Have critical processes been identified?
  • Is impact measured in business terms?
  • Are recovery objectives defined?
  • Is prioritization aligned with business value?
  • Are dependencies understood?

BIA informs risk prioritization and response — not just continuity planning.


What BIA identifies

A mature BIA includes:

  • Critical business processes
  • Supporting systems and assets
  • Internal and external dependencies
  • Financial impact
  • Operational impact
  • Regulatory impact
  • Reputational impact
  • Maximum Tolerable Downtime (MTD)
  • Recovery Time Objective (RTO)
  • Recovery Point Objective (RPO)

CRISC expects conceptual understanding — not memorization of every term.


MTD vs RTO vs RPO (high-yield distinction)

These are frequently confused.

Maximum Tolerable Downtime (MTD)

The longest time a business process can be unavailable before unacceptable impact occurs.

This is a business decision.


Recovery Time Objective (RTO)

The targeted time to restore a system or process after disruption, set so that the business's MTD is met.

RTO must be less than or equal to MTD. In practice it is set with some margin below MTD, so that a recovery that runs late does not immediately breach the business threshold.


Recovery Point Objective (RPO)

The maximum acceptable amount of data loss, measured as the time between the last recoverable copy of the data and the point of disruption. RPO therefore drives how often data must be backed up or replicated.

Example:

  • “No more than 4 hours of data loss.”

CRISC expects you to understand these relationships.


The most common exam mistakes

The most frequent mistake is treating BIA as a technical exercise. It is not. If you see an answer that focuses on IT systems without mentioning business processes, that is probably wrong. Other traps: confusing MTD with RTO, ignoring dependency mapping, and assuming the highest-revenue process is automatically the highest priority. CRISC emphasizes business impact over technical importance.


Example scenario (walk through it)

Scenario:
A payment processing system supports daily revenue transactions. The business determines that interruption beyond 24 hours would cause severe financial and reputational damage.

What does the 24-hour threshold represent?

A. RTO
B. MTD
C. RPO
D. Residual risk

Correct answer:

B. MTD

MTD represents the maximum tolerable downtime before unacceptable impact.


Here's where it gets tricky

A system has an MTD of 48 hours. The recovery team sets an RTO of 72 hours.

What is the governance issue?

A. Excessive tolerance
B. Weak threat modeling
C. RTO exceeds MTD
D. Poor asset classification

Correct answer:

C. RTO exceeds MTD

RTO must not exceed MTD.

If it does, the recovery plan cannot meet the business requirement: the process would be unavailable for longer than the business has said it can tolerate, so either the recovery capability must improve or the business must formally revisit its tolerance.


BIA and risk assessment

BIA informs:

  • Impact scoring
  • Risk prioritization
  • Control investment
  • Disaster recovery planning
  • Incident response planning

Without BIA, impact estimation becomes subjective.

CRISC prefers structured impact analysis.


Dependency analysis

Critical processes depend on:

  • Applications
  • Infrastructure
  • Vendors
  • Data
  • Personnel
  • Facilities

If dependencies are not mapped, recovery planning may be incomplete.

CRISC often tests overlooked dependencies — especially third-party reliance.
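The relationships in this module (RTO ≤ MTD, RPO as a time-based data-loss bound, and recovery that is only as fast as the slowest mapped dependency) can be checked mechanically once a BIA inventory exists. The Python below is an added example written for this page; it is not part of the module or any ISACA material. It runs four consistency checks over a constructed inventory: each entry's RTO against its MTD, the effective recovery time once dependencies are included, dependencies that have no BIA entry at all (the unmapped third-party case the exam likes), and each process's RPO against the data stores it depends on. The entry names and hour values are invented, and the rule that a process is back only when every dependency is back (with recoveries running in parallel) is an assumption of the example, not a statement from the module.

```python
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class BiaEntry:
    """One row of a BIA inventory: a business process or a supporting asset."""
    name: str
    mtd_hours: float                 # Maximum Tolerable Downtime (set by the business)
    rto_hours: float                 # Recovery Time Objective (recovery target)
    rpo_hours: float                 # Recovery Point Objective (acceptable data loss, in time)
    depends_on: list[str] = field(default_factory=list)   # names of supporting entries


def effective_rto(name: str, entries: dict[str, BiaEntry], _path: tuple = ()) -> float:
    """Hours until `name` is genuinely usable again, dependencies included.

    Assumption (ours, not the module's): a process is back only when every
    dependency it relies on is back, and recoveries proceed in parallel, so the
    effective RTO is the largest RTO on any dependency path. Unmapped
    dependencies are skipped here and reported separately by validate_bia().
    A dependency cycle makes the question unanswerable, so it raises ValueError.
    """
    if name in _path:
        raise ValueError("dependency cycle: " + " -> ".join(_path + (name,)))
    entry = entries[name]
    worst = entry.rto_hours
    for dep in entry.depends_on:
        if dep in entries:
            worst = max(worst, effective_rto(dep, entries, _path + (name,)))
    return worst


def validate_bia(inventory: list[BiaEntry]) -> list[str]:
    """Return governance findings; an empty list means the BIA is internally consistent."""
    entries = {e.name: e for e in inventory}
    findings = []
    for e in inventory:
        eff = effective_rto(e.name, entries)
        if e.rto_hours > e.mtd_hours:
            # The classic exam trap: RTO longer than the business can tolerate.
            findings.append(f"{e.name}: RTO {e.rto_hours:g}h exceeds MTD {e.mtd_hours:g}h")
        elif eff > e.mtd_hours:
            # Own RTO looks fine, but a slower dependency drags the real recovery past MTD.
            findings.append(f"{e.name}: effective RTO {eff:g}h (via dependencies) exceeds MTD {e.mtd_hours:g}h")
        for dep in e.depends_on:
            if dep not in entries:
                findings.append(f"{e.name}: dependency '{dep}' has no BIA entry")
                continue
            # A process cannot promise less data loss than the store it reads from.
            if entries[dep].rpo_hours > e.rpo_hours:
                findings.append(f"{e.name}: dependency '{dep}' has RPO {entries[dep].rpo_hours:g}h, "
                                f"worse than its own RPO {e.rpo_hours:g}h")
    return findings


# Constructed sample inventory (illustrative values, not real data).
SAMPLE_INVENTORY = [
    BiaEntry("Payment processing", mtd_hours=24, rto_hours=8, rpo_hours=1,
             depends_on=["Core banking database", "Card network gateway (vendor)"]),
    BiaEntry("Core banking database", mtd_hours=24, rto_hours=4, rpo_hours=0.25),
    BiaEntry("Card network gateway (vendor)", mtd_hours=24, rto_hours=36, rpo_hours=0),
    BiaEntry("Fraud analytics", mtd_hours=72, rto_hours=24, rpo_hours=1,
             depends_on=["Event log store"]),
    BiaEntry("Event log store", mtd_hours=72, rto_hours=12, rpo_hours=4),
    BiaEntry("Marketing website", mtd_hours=168, rto_hours=72, rpo_hours=24,
             depends_on=["CDN"]),
]

if __name__ == "__main__":
    for finding in validate_bia(SAMPLE_INVENTORY):
        print(finding)
```

On the sample inventory the payment process passes the naive RTO ≤ MTD test (8h against 24h) yet fails once its vendor gateway, with a 36h RTO, is included; that is exactly the overlooked third-party dependency the module warns about. The fraud analytics finding shows the RPO side of the same problem: a process claiming 1h of acceptable data loss while its log store is only recoverable to a 4h point. Neither finding is visible if the BIA stops at the process level.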


Regulatory & contractual impact

BIA must consider:

  • Legal obligations
  • Service-level agreements
  • Regulatory reporting deadlines

Business impact is not just financial — it includes compliance exposure.


BIA vs risk assessment

BIA focuses on:

  • Impact of disruption

Risk assessment focuses on:

  • Likelihood × Impact of a specific risk event

BIA informs the impact component of risk assessment.

CRISC expects you to understand their relationship.


Quick knowledge check

1) What is the primary purpose of a Business Impact Analysis?

A. Determine impact of business process disruption
B. Identify threats
C. Estimate likelihood
D. Deploy recovery controls

Answer & reasoning

Correct: A

BIA focuses on impact, not threat likelihood.


2) If RTO exceeds MTD, what does this indicate?

A. Acceptable risk
B. Strong governance
C. Misalignment between recovery planning and business tolerance
D. Excessive mitigation

Answer & reasoning

Correct: C

Recovery objectives must align with business tolerance.


3) Which factor is MOST critical when conducting a BIA?

A. Firewall configuration
B. Encryption algorithms
C. Vulnerability scanning frequency
D. Business process criticality

Answer & reasoning

Correct: D

BIA begins with understanding business process importance.


Final takeaway

Business Impact Analysis:

  • Identifies critical processes
  • Defines acceptable disruption
  • Informs prioritization
  • Supports recovery planning
  • Strengthens impact scoring in risk assessment

Remember the relationship: MTD sets the outer boundary (how long can the business survive without this process?), RTO is the target you aim for within that boundary, and RPO tells you how much data loss is acceptable. All three are business decisions, not technical ones.

Next module: Module 21: Inherent and Residual Risk