Let’s talk about the BIA that lives in your shared drive.
The one where IT filled in the impact ratings on a Tuesday afternoon, sent it to the BC manager for “review,” and nobody touched it again until the auditor asked.
You know the one.
The columns are all “High.” Or all “Medium.” Nobody remembers what the thresholds mean. There’s no RTO. No MTPoD. No system dependencies. No contingency column, because nobody thought about what happens after the spreadsheet gets approved.
And when the actual disruption hits? Nobody opens the BIA. Because the BIA doesn’t tell them anything useful.
That’s the BIA we’re replacing.
Why Most BIAs Fail
A BIA isn’t a form. It’s a conversation. And most organisations skip the conversation and go straight to the form.
Here’s what goes wrong:
- IT does it alone. A BIA is a business exercise. If the CFO, Head of Ops, and Head of Sales haven’t been in the room, your BIA is a guess in a spreadsheet.
- Impact levels have no definition. “High” means nothing if you haven’t defined what “High” looks like in euros, in customers lost, in regulatory exposure.
- It covers systems but forgets people. Your ERP being down is one problem. Your entire finance team being unable to work is a different problem.
- It covers systems but forgets locations. If your head office is inaccessible, does your contingency actually work?
- There’s no time dimension. Losing email for 4 hours is annoying. Losing email for 10 days is catastrophic. A BIA without an impact-over-time matrix is a snapshot, not an analysis.
- RTO and MTPoD are missing. If you don’t define how fast a system needs to be restored and how long the business can tolerate the disruption, your DR team is guessing.
What We Built
We built the BIA template we actually use in ISO 22301 consulting engagements. Then we made it free.
Three assessment sections. One impact definition framework. Zero ambiguity.
Section 1: People
ColumnWhat It CapturesDepartment / FunctionEvery business unit, not just ITPriorityHigh / Medium / Low, the department’s criticality rankingHead of DepartmentNamed owner, not “the responsible person”Staff CountFull-time, part-time, contractors, headcount affects recoveryWork From LocationWhere they operate from, drives alternate site planningImpact Over Time4-tier matrix: 0–1 days, 2–4 days, 5–10 days, >10 daysSystem DependenciesWhat systems this team can’t function without
This isn’t just a list of departments. It’s a map of how your business breaks down when people can’t work.
Section 2: Systems
ColumnWhat It CapturesWhat It DoesPlain language, not the vendor product nameWhat It Is CalledThe actual system nameWho Uses ItWhich teams depend on this systemRTORecovery Time Objective, how fast it must be restoredMTPoDMaximum Tolerable Period of DisruptionImpact Over TimeSame 4-tier matrix: escalation from Low to CatastrophicDependenciesPeople, functions, departments that rely on itContingencyWhat you deploy when this system goes down
Pre-populated with common systems: core application, accounting, HR, email, file storage, website, web hosting, source code management, CRM, plus blank rows for yours.
Section 3: Locations
ColumnWhat It CapturesLocation NameHead office, branch offices, data centresWhere Is ItPhysical addressWho Uses ItWhich teams are based thereRTOHow fast the location needs to be operational againMTPoDMaximum tolerable period without this locationImpact Over TimeSame 4-tier escalation matrixDependenciesTeams and functions affectedContingency“Remote working” isn’t always the answer, what’s yours?
“Most BIAs skip locations entirely. Then the flood hits and nobody knows which teams are affected, what systems were hosted there, or where people should go.”
Impact Level Definitions
The template includes a dedicated sheet defining four impact levels:
LevelFinancial ThresholdWhat It MeansCatastrophic>£100,000Risk to life. Business can’t meet legal obligations. May cease trading.High£30,000–£50,000Exceptional damage. Potential loss of customers and contracts.Medium£10,000–£30,000Internal damage felt. Low risk to trading. Low customer impact.Low<£10,000Little to no impact.
“Customise the thresholds to your organisation, but keep the structure. The point is that when someone selects “High,” everyone in the room knows exactly what that means.”
Who This Is For
- BC managers running their first BIA, or redoing a bad one
- CISOs and risk managers who need to connect IT disaster recovery to business impact
- ISO 22301 implementers who need documented BIA evidence for certification
- NIS2-affected organisations , Article 21 requires business continuity measures, and a BIA is where they start
- DORA-regulated entities , Articles 11–12 require ICT continuity testing grounded in impact analysis
- Consultants tired of building BIA templates from scratch for every client
How to Use It
- Start with People. Get department heads in the room. Not IT alone. Fill in priorities, headcount, locations, and impact over time together.
- Move to Systems. For each system, define RTO and MTPoD. Fill in the impact matrix. Document the contingency, “we’ll figure it out” is not a contingency.
- Cover Locations. Every physical site. What happens if it’s unavailable for a day? A week? Two weeks?
- Calibrate with the Impact Levels sheet. Make sure everyone agrees on what “Catastrophic” means before anyone starts rating things.
- Review quarterly. A BIA that’s 12 months old is fiction. Systems change, people move, priorities shift.
Download It
Customise the financial thresholds, add your departments and systems, and you’ve got a working BIA in an afternoon. Not a perfect one, a real one. Perfect comes later.
👉 Download the Business Impact Assessment Template, Free
Want to Go Further?
A BIA is step one. The methodology, the workshops, the case studies, that’s what turns a spreadsheet into a programme.
- ISO 22301 Lead Implementer, BIA methodology, BC strategies, exercise design
- ISO 27001 Lead Implementer, because information security and business continuity are inseparable
- DORA Lead Manager, ICT continuity for financial entities
- NIS2 Lead Implementer, for essential and important entities under NIS2
All trainings: Certified or Refunded.
Cyber Academy, cyberacademy.net
We don’t teach theory. We teach survival.
