Structured workflows for Business Impact Analysis

  • Release version: Xanadu
  • Updated July 31, 2025
  • 4 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Structured workflows for Business Impact Analysis

    Business Impact Analysis (BIA) helps ServiceNow customers predict the consequences of disruptions to business processes or functions, which are essential for delivering services or products. By identifying and prioritizing critical processes, quantifying impacts, and recognizing recovery dependencies, BIA supports organizations in mitigating risks to revenue, legal compliance, workforce, and reputation. Performing BIA annually on critical processes is recommended to maintain effective recovery strategies.

    Show full answer Show less

    Impact Ratings and Recovery Time Objective (RTO)

    The Business Continuity Management (BCM) administrator defines impact ratings and their tolerability for various impact categories, such as Revenue, Legal, or Regulatory impacts. These ratings guide BIA owners in assessing disruption timelines and impacts.

    • Multiple impact ratings per category may exist, each with tolerable or non-tolerable thresholds set by the BCM administrator.
    • The recovery time objective (RTO) is calculated based on the first non-tolerable impact rating's disruption duration, reflecting the maximum allowable downtime before significant impact occurs.
    • Scenarios illustrate how different non-tolerable impact levels (Low, Moderate, High) determine the RTO, with tolerable impacts defaulting to a maximum RTO value defined in the template.

    Impact Category Scoring and Overall Assessment

    For impact categories contributing to the Recovery Point Objective (RPO), each impact analysis question is evaluated, and the highest value is recorded as the category score. The overall BIA RTO is dynamically updated based on the lowest tolerable downtime among all impact categories, influencing the organization's Recovery Tier classification (ranging from Immediate to Non-Essential, with corresponding RTOs from immediate to one month).

    Practical Application for ServiceNow Customers

    • Create a BIA within ServiceNow to gather necessary information for recovery planning and establish recovery time objectives for critical assets.
    • Assess impact categories to understand the severity and tolerability of disruptions on business processes.
    • Identify dependencies across applications, technology, and vendors to inform recovery strategies.
    • Use calculated RTOs and impact scores to prioritize assets and processes during continuity planning.

    By leveraging structured workflows for BIA in ServiceNow, organizations can systematically evaluate disruption impacts, define recovery priorities, and develop effective business continuity and disaster recovery plans aligned with organizational tolerance levels.

    Business impact analysis helps you to predict the consequences of a disruption on a business process or business function.

    A business process is a set of tasks done by a business organization to deliver a business service or product to customers. When a business process in disrupted, the impact to the organization can be huge in terms of revenue and reputation. Business impact analysis (BIA) is performed to identify and prioritize critical processes, quantify or qualify the impacts, and identify recovery dependencies. Ideally, business impact analysis on critical processes must be performed annually.

    The assessment of a business critical process disruption helps you to estimate the consequential impact on your business revenue, legal issues, workforce disruption, or business reputation. It also enables you to identify the dependencies of your business process on business applications, technology, or vendors that might be affected. This analysis gathers the information needed to develop recovery strategies.

    Figure 1. Business impact analysis overview
    Business impact analysis overview

    Impact ratings for your business impact analysis

    The Business Continuity Management (BCM) administrator of your organization defines the impact ratings for your business impact analysis (BIA) and decides if the impact is tolerable for your business process. For more information on the impact ratings, see Configure an impact rating to assess an impact category. According to the configuration set up by the BCM administrator, the questions are displayed in the RTO Impact Assessment tab.

    Consider the following example where the BCM administrator has configured an intolerable impact rating for the Revenue impact category. The BCM administrator has defined what qualifies to be an intolerable impact. As a BIA owner, you must identify the timeline at which the revenue impact may go beyond $1M.BIA impact rating.

    Multiple impact ratings for an impact category

    If your BCM administrator has configured the assessment questionnaire to include multiple impact ratings for an impact category, the impact category ratings are displayed in the Impact Category view as shown in the following example.Administrator view for the impact category.

    The BCM administrator can specify a threshold of non-tolerance for the impact ratings, per impact category. The disruption duration for the first non-tolerable impact category is selected for the recovery time objective (RTO). The impact ratings have the following specified values:
    • Low = 1
    • Moderate = 2
    • High = 3
    See the following example for the sample RTO calculation.
    Figure 2. Example to show the calculation of impact category
    An example to show the calculation of impact category results.
    Table 1. Sample RTO calculation
    Scenario Non-tolerable impact Description
    Scenario 1 In the Impact Ratings table, the Tolerable field is set to false.

    If the administrator has specified that Low regulatory impact is non-tolerable, its corresponding disruption duration is set as the recovery time objective (RTO).

    In this example, the disruption duration for the 01 - Low impact rating is set to 4 hours. Therefore, the recovery time objective (RTO) for the impact category is above 4 hours.

    Even if the moderate impact disruption duration is shorter, the calculation will select the value from the first alphanumerically sorted impact rating that has the Tolerable field set to false.
    Scenario 2 In the Impact Ratings table, the Tolerable field is set to false.

    If the administrator has specified that Moderate regulatory impact is non-tolerable, its corresponding disruption duration is set as the recovery time objective (RTO).

    In this example, the disruption duration for 02 - Moderate impact is set to 24 hours. Therefore, the recovery time objective (RTO) for the impact category is above 24 hours.
    Scenario 3 In the Impact Ratings table, the Tolerable field is set to false.

    If the administrator has specified that High regulatory impact is non-tolerable, its corresponding disruption duration is set as the recovery time objective (RTO) as shown in the following example. Administrator view for the impact category.

    In the tabular example, the disruption duration for 03 - High impact is set to 72 hours. Therefore, the recovery time objective for the impact category is above 72 hours.
    Scenario 4 The Tolerable field for the Low, Moderate, and High impact ratings is set to true.

    If the administrator has set all the impact ratings as tolerable, the value specified in the Maximum RTO value field in the template is selected as the recovery time objective (RTO).

    In the following example, the administrator has set all the impact ratings as tolerable. Therefore, the recovery time objective (RTO) is one month as per the value specified in the Maximum RTO value field.Maximum RTO value.
    Calculation of category score from impact analysis questions for an impact category that contributes to Recovery Point Objective (RPO)

    If the impact category contributes to RPO, then evaluate each impact analysis question in that RPO category based on the value of your data like business critical, operation critical, business essential, or operation essential. The maximum value among all the questions of that RPO is considered as the Category Score of that Impact Category and stored in the Impact Category Results table [sn_bia_category_result].

    Calculation of overall impact assessment result for a BIA

    When you update the Disruption Duration of an impact category, the RTO of the BIA is automatically updated. The RTO of the BIA is set as the lowest tolerable downtime from each impact category.

    For example, consider a BIA having four impact categories – Legal, Reputation, Workforce, and Regulatory. When you update the disruption duration value of the legal impact category, then the RTO value of the BIA is recalculated based on the lowest tolerable disruption duration from each impact category. The Recovery Tier varies from organization to organization and is set based on the recalculated RTO value.

    RTO value Recovery Tier
    Immediate Mission Critical
    1 Hour Mission Critical
    4 Hours Mission Critical
    8 Hours Business Critical
    24 Hours Business Critical
    72 Hours Essential
    1 Week Essential
    2 Weeks Non-Essential
    1 Month Non-Essential