New Disruption Risk / Threat Entry
Assess the disruption risk. Risk Score = Likelihood × Impact. High-significance risks must be addressed in the BC strategy and BCP.
Define the time-based recovery objectives for the affected function or service. These drive BC strategy selection and BCP content.
Business Impact Analysis – ISO 22301:2019 Clause 8.2
The BIA is a structured process to identify and quantify the impacts of disruptions over time. It determines the prioritisation of activities, informs RTO/RPO/MTPD objectives, and drives BC strategy selection.
Time-Based Impact Escalation
The BIA assesses how the impact of a disruption increases over time. A function that can tolerate one day of disruption (MTPD = 1 day) has a much shorter acceptable recovery window than one tolerating weeks. Impacts should be assessed at multiple time points: 1hr, 4hrs, 1 day, 3 days, 1 week, 1 month.
RTO vs MTPD
MTPD (Maximum Tolerable Period of Disruption) is the threshold beyond which unacceptable consequences occur. RTO (Recovery Time Objective) must always be less than MTPD to provide a safety margin. If RTO = MTPD, there is no buffer – any delay in recovery will cause irreversible harm.
RPO & Data Recovery
RPO (Recovery Point Objective) defines the maximum acceptable data loss in time. An RPO of 4 hours means no more than 4 hours of data transactions can be lost. RPO drives backup frequency, replication strategy and data governance controls.
MBCO – Minimum Continuity
MBCO (Minimum Business Continuity Objective) is the minimum level of service below which it is unacceptable to operate. E.g., "process at least 20% of normal order volume". MBCO informs what resources are needed in recovery mode and what can be temporarily deferred.
Activity Prioritisation
The BIA output enables prioritisation of activities for recovery. Not all functions need to be recovered simultaneously – some can be deferred. Prioritisation drives resource allocation in the BCP and crisis response. Mission-critical activities must be recovered first.
Dependencies Mapping
Activities depend on resources: people, premises, technology, information, suppliers. The BIA must map resource dependencies to understand which resources must be available first. A cascade failure occurs when the loss of one resource disables multiple activities.
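The following is an added worked example, not part of this page or of ISO 22301, showing how the BIA rules above can be checked mechanically: the risk score and bands from the disruption-risk entry and the band legend at the end of the page, the RTO-below-MTPD margin, the link between RPO and backup frequency, MTPD-based prioritisation, and the cascade that follows from one shared resource being lost. The 1..5 likelihood and impact scales, the hour units, the `Activity` fields and the three sample activities are all assumptions constructed for the example.

```python
"""Added example: BIA consistency checks for recovery objectives.

Assumes the page's conventions: Risk Score = Likelihood x Impact on 1..5 scales,
banded 1-4 Low, 5-9 Medium, 10-16 High, 17-25 Critical; time objectives in hours.
The activities below are constructed sample data, not from any real organisation.
"""
from __future__ import annotations
from dataclasses import dataclass, field

# Inclusive upper bound of each band and its label, as listed on the page.
RISK_BANDS = [(4, "Low"), (9, "Medium"), (16, "High"), (25, "Critical")]


def risk_score(likelihood: int, impact: int) -> tuple[int, str]:
    """Return (score, band) for likelihood and impact each rated 1..5."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("likelihood and impact must be integers on a 1..5 scale")
    score = likelihood * impact
    band = next(name for upper, name in RISK_BANDS if score <= upper)
    return score, band


@dataclass
class Activity:
    name: str
    mtpd_h: float              # Maximum Tolerable Period of Disruption
    rto_h: float               # Recovery Time Objective
    rpo_h: float               # Recovery Point Objective (maximum data loss)
    backup_interval_h: float   # how often backups/replication actually run
    resources: set[str] = field(default_factory=set)  # people, premises, tech...


def validate(a: Activity) -> list[str]:
    """Findings that should block sign-off of the BC strategy for this activity."""
    findings = []
    # RTO must sit strictly inside MTPD; otherwise any slip in recovery breaches it.
    if a.rto_h >= a.mtpd_h:
        findings.append(f"{a.name}: RTO {a.rto_h}h is not below MTPD {a.mtpd_h}h (no safety margin)")
    # An RPO is only achievable if data is captured at least that often.
    if a.backup_interval_h > a.rpo_h:
        findings.append(f"{a.name}: backups every {a.backup_interval_h}h cannot meet RPO {a.rpo_h}h")
    return findings


def recovery_order(activities: list[Activity]) -> list[str]:
    """Prioritise recovery: the activity with the shortest MTPD comes first."""
    return [a.name for a in sorted(activities, key=lambda a: a.mtpd_h)]


def cascade(activities: list[Activity], lost_resource: str) -> list[str]:
    """Activities that stop when a single resource is lost (cascade failure)."""
    return sorted(a.name for a in activities if lost_resource in a.resources)


def shared_resources(activities: list[Activity]) -> list[str]:
    """Resources more than one activity depends on: these must be available first."""
    counts: dict[str, int] = {}
    for a in activities:
        for r in a.resources:
            counts[r] = counts.get(r, 0) + 1
    return sorted(r for r, n in counts.items() if n > 1)


# Constructed sample BIA entries for a hypothetical organisation.
ACTIVITIES = [
    Activity("Customer portal", mtpd_h=4, rto_h=4, rpo_h=1, backup_interval_h=1,
             resources={"ERP", "Cloud hosting"}),
    Activity("Order processing", mtpd_h=24, rto_h=8, rpo_h=4, backup_interval_h=24,
             resources={"ERP", "Warehouse staff", "HQ office"}),
    Activity("Payroll", mtpd_h=168, rto_h=72, rpo_h=24, backup_interval_h=24,
             resources={"HR system", "HQ office"}),
]


def bia_review(activities: list[Activity] = ACTIVITIES) -> dict:
    """Run every check over the BIA entries and return the results together."""
    return {
        "findings": [f for a in activities for f in validate(a)],
        "recovery_order": recovery_order(activities),
        "shared_resources": shared_resources(activities),
        "erp_cascade": cascade(activities, "ERP"),
    }


if __name__ == "__main__":
    for key, value in bia_review().items():
        print(f"{key}: {value}")
```

On the sample data the review flags the customer portal (RTO equal to MTPD, so no buffer) and order processing (daily backups against a 4-hour RPO), orders recovery by MTPD, and shows that losing the ERP system takes two activities down at once, which is exactly the dependency information the BIA is meant to surface before a strategy is chosen.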
Recovery Strategy Options – ISO 22301:2019 Clause 8.4
Clause 8.4 requires the organisation to determine recovery strategies and solutions to meet recovery time and point objectives. Strategies should be proportionate to the MTPD, cost-effective, and regularly tested to ensure they remain viable.
Remote / Home Working
Staff work remotely using VPN, cloud systems and collaboration tools. Effective for people and process disruptions. Requires: laptops/devices, remote access, cloud-hosted systems, secure communications.
Best for: Loss of premises, pandemic, denial of access events.
Alternative Site (Hot/Warm/Cold)
Hot: Fully equipped, operational immediately. Warm: Configured but needs activation (hours). Cold: Space available but needs full fit-out (days). Cost increases with readiness.
Best for: Primary site loss, fire, flood, long-term premises unavailability.
Cloud / Hosted Recovery
Data and systems replicated to cloud environment. Can be activated rapidly. Disaster Recovery as a Service (DRaaS) enables near-zero RTO/RPO. Requires: tested failover, access controls, comms plan.
Best for: IT and data disruptions, cyber attacks, hardware failure.
Reciprocal / Mutual Aid Agreement
Formal agreement with another organisation (sister company, industry peer) to share resources during disruption. Must be tested and regularly reviewed. Capacity limitations common.
Best for: Lower-frequency events, sector-specific mutual aid networks.
Manual Workaround
Paper-based or simplified processes to continue critical functions without normal systems. Requires documented procedures, trained staff, and stockpiled materials (forms, logs, etc.).
Best for: IT failures, short-duration outages, last-resort fallback.
Stockpiling / Pre-positioning
Strategic inventory of critical materials, equipment or supplies. Protects against supply chain disruption. Carrying cost must be weighed against disruption risk. Safety stock levels based on lead times and MTPD.
Best for: Supply chain risks, sole-source dependencies, logistics disruptions.
ISO 22301:2019 – Key Clause Guidance
6.1 – Risks & Opportunities
Determine risks and opportunities relevant to the BCMS. Consider those that could affect the organisation's ability to achieve continuity of its prioritised activities. Address through actions proportionate to potential impact.
8.2 – Business Impact Analysis
Identify business functions, determine impact of disruption over time, set MTPD for each, establish minimum acceptable continuity levels (MBCO), and identify resource requirements for recovery.
8.3 – Risk Assessment
Identify and assess threats to the organisation's ability to achieve its continuity objectives. Assess likelihood and impact, determine risk treatment and document results. Review at planned intervals.
8.4 – BC Strategy & Solutions
Determine BC strategies based on BIA and risk assessment outputs. Strategies must address resource requirements: people, premises, technology, information and third parties. Evaluate and select solutions.
8.5 – BC Plans
Develop documented Business Continuity Plans (BCPs) and crisis communications plans. BCPs must cover: activation criteria, roles/responsibilities, escalation procedures, recovery procedures, communication templates and resource lists.
8.6 – Exercising & Testing
BC plans must be regularly exercised and tested. Exercises must have defined objectives. Results must be documented. Lessons learned must be incorporated into plan updates. Frequency should reflect the risk profile.
Risk Score Bands
1–4: Low – monitor, basic controls
5–9: Medium – action plan needed
10–16: High – BCP required
17–25: Critical – immediate treatment