Business Impact Analysis (BIA) Template

Aligned with NIST SP 800-34r1 and FCA operational resilience expectations.

Document Version: 1.0 | Owner: Security & Resilience Lead | Review Cycle: Annually or Post-Change

  1. General Information

| Field | Description |
|---|---|
| BIA ID | BIA-YYYY-XXX |
| Business Unit | (e.g., Data Engineering, Payments, Customer Support) |
| Prepared By | (Name, Role, Date) |
| Reviewed By | (Name, Role, Date) |

  2. Business Function Overview

| Field | Description |
|---|---|
| Business Function Name | (e.g., Payment Gateway, Data Lake Access) |
| Description | (Brief summary of the function/process) |
| Owner | (Name, Department) |
| Stakeholders | (List relevant teams or external parties impacted) |

  3. Criticality Assessment

| Factor | Response |
|---|---|
| Is this a critical function? | [Yes / No] |
| Regulatory or Legal Impact if disrupted? | (Yes/No – if yes, list applicable laws or FCA references) |
| Is there customer-facing impact? | [Yes / No] |
| Is there financial impact? | [Yes / No – provide estimates below] |

  4. Impact Analysis

| Impact Type | 0–4 Hours | 4–24 Hours | 1–3 Days | 3–7 Days | >7 Days |
|---|---|---|---|---|---|
| Operational Impact | (Describe expected issues) | | | | |
| Financial Loss (£) | (Estimate if applicable) | | | | |
| Reputational Damage | (High/Medium/Low – rationale) | | | | |
| Regulatory/Legal Breach | (Yes/No – include description if Yes) | | | | |

  5. Recovery Objectives

| Field | Description |
|---|---|
| Maximum Tolerable Downtime (MTD) | (e.g., 24 hours) |
| Recovery Time Objective (RTO) | (e.g., 4 hours) |
| Recovery Point Objective (RPO) | (e.g., 15 minutes of data loss acceptable) |

  6. Dependencies

| Type | Description |
|---|---|
| Systems | (e.g., AWS, CI/CD, ERP) |
| Applications | (e.g., Salesforce, Jira) |
| Data Sources | (e.g., Customer DB, Logs) |
| 3rd Parties / Vendors | (e.g., Stripe, AWS) |

  7. Existing Controls and Gaps

| Control Type | Description | Effective? (Y/N) | Comments |
|---|---|---|---|
| Backup Procedures | | | |
| Redundancy | | | |
| DR/Failover Procedures | | | |
| Monitoring/Alerting | | | |

  8. Recommended Improvements

| Area | Recommendation | Priority (High/Med/Low) | Target Date |
|---|---|---|---|
| (e.g., DR testing) | | | |

  9. Sign-off

| Role | Name | Date | Signature |
|---|---|---|---|
| Business Owner | | | |
| IT Continuity Lead | | | |
| Risk & Compliance | | | |

Notes

  • Update the BIA after significant system or organizational changes.

  • Link this template to your Recovery Plan (Steps 4 & 5 of SP 800-34r1).

  • You may attach a risk register entry or impact matrix as supporting documentation.
