Business Impact Analysis (BIA) Template
Aligned with NIST SP 800-34r1 and FCA operational resilience expectations.
Document Version: 1.0 | Owner: Security & Resilience Lead | Review Cycle: Annually or Post-Change
General Information
BIA ID: BIA-YYYY-XXX
Business Unit: (e.g., Data Engineering, Payments, Customer Support)
Prepared By: (Name, Role, Date)
Reviewed By: (Name, Role, Date)

Business Function Overview
Business Function Name: (e.g., Payment Gateway, Data Lake Access)
Description: (Brief summary of the function/process)
Owner: (Name, Department)
Stakeholders: (List relevant teams or external parties impacted)

Criticality Assessment
Is this a critical function? [Yes / No]
Regulatory or legal impact if disrupted? (Yes/No – if yes, list applicable laws or FCA references)
Is there customer-facing impact? [Yes / No]
Is there financial impact? [Yes / No – provide estimates below]

Impact Analysis
Operational Impact: (Describe expected issues)
Financial Loss (£): (Estimate if applicable)
Reputational Damage: (High/Medium/Low – rationale)
Regulatory/Legal Breach: (Yes/No – include description if Yes)

Recovery Objectives
Maximum Tolerable Downtime (MTD): (e.g., 24 hours)
Recovery Time Objective (RTO): (e.g., 4 hours)
Recovery Point Objective (RPO): (e.g., 15 minutes of data loss acceptable)

Dependencies
Systems: (e.g., AWS, CI/CD, ERP)
Applications: (e.g., Salesforce, Jira)
Data Sources: (e.g., Customer DB, Logs)
3rd Parties / Vendors: (e.g., Stripe, AWS)

Existing Controls and Gaps
Backup Procedures:
Redundancy:
DR/Failover Procedures:
Monitoring/Alerting:
Recommended Improvements: (e.g., DR testing)

Sign-off
Business Owner:
IT Continuity Lead:
Risk & Compliance:
Notes
Update the BIA after significant system or organizational changes.
Link this template to your Recovery Plan (Steps 4 and 5 of SP 800-34r1).
You may attach a risk register entry or impact matrix as supporting documentation.
Last updated