In this blog – part of a series from Databarracks’ business resilience consultants – Jamie Lees explores how the strategic business impact analysis (SBIA) gives business continuity programmes their essential foundation – establishing what the organisation truly can’t afford to lose.
When do impacts become “unacceptable” to an organisation? It’s the fundamental question that shapes maximum tolerable periods of disruption (MTPDs), drives impact criteria, and determines where business continuity ends and crisis management begins. Too often though, it’s answered at an operational level rather than a strategic one.
Business continuity professionals naturally focus on operational detail. What needs to be restored, how quickly and with what resources. This focus is essential, but without strategic foundations, it can lack the direction that comes from top management articulating the consequences of losing critical outcomes, and when this is truly unacceptable.
To provide that direction, Top Management must answer fundamental questions. What outcomes does the organisation deliver that it genuinely cannot afford to stop delivering? What would fundamentally damage the business strategy or threaten the organisation’s position? These are strategic judgements, not operational ones, and they need answering before diving into process dependencies and recovery timeframes. This is where the strategic business impact analysis becomes valuable.
The “unacceptable” problem
Without strategic input, “unacceptable” tends to be defined operationally. It’s based on what feels reasonable given day-to-day pressures or what seems convenient within current resource constraints. These judgements aren’t necessarily wrong, but they may not reflect what’s truly unacceptable from a strategic standpoint.
Many organisations conduct BIAs that capture excellent operational detail. They know what products and services, processes or activities are critical, what resources are needed, how systems depend on each other. They answer the “how” comprehensively. But they often skip the “why”. Why are we recovering? What outcomes are we protecting and what consequences are we trying to avoid? Why does this matter strategically?
Without that foundation, MTPDs can look entirely reasonable on paper but become negotiable during a real incident. The call for dynamic BIAs often emerges from this gap. It’s not that the operational analysis was wrong – it’s that it wasn’t framed by explicit strategic direction about the critical outcomes the organisation delivers and cannot afford to lose.
“Unacceptable to the organisation” is fundamentally about what threatens viability and integrity. It’s about where an incident crosses the line from business continuity to crisis. Only top management can make this call because they hold accountability for the organisation’s strategic direction and survival.
Strategic thresholds defined this way are more stable. They’re informed judgements rather than perfect predictions, but they should remain relatively constant, needing refreshing as the organisation evolves rather than with every incident.
Once organisations understand which consequences top management consider unacceptable, they’ve established the limits within which the business continuity programme operates. The strategic BIA sets those outer thresholds. The traditional BIA identifiesthe processes, dependencies and recovery objectives needed to stay safely within them.
Operational teams may set tighter recovery objectives based on their requirements or adjust them during a live incident based on the reality at hand, but those objectives cannot exceed the strategic thresholds. Within those boundaries, recovery targets and tactical priorities can flex as needed.
What makes a strategic BIA different?
A strategic business impact analysis isn’t just a BIA conducted with top management. It’s a separate exercise with a fundamentally different purpose.
The traditional BIA is essential work. It identifies critical processes and activities, establishes recovery timeframes, determines resource requirements. But to be truly effective, it should operate within a framework that answers why certain outcomes matter strategically.
The SBIA is also distinct from a product and services BIA, which identifies and prioritises the organisation’s products and services. The strategic BIA may identify those critical outcomes or build upon them if already identified, but its primary purpose is different. It establishes what would happen if the organisation could no longer deliver those outcomes and defines at what point those consequences become strategically unacceptable. It asks top management to make strategic judgements about consequences and thresholds. Would failure to deliver damage strategic position, market credibility, regulatory standing or stakeholder confidence beyond acceptable limits? At what point does disruption cross from manageable to unacceptable? These are questions only top management can meaningfully answer, and they form the strategic boundaries that guide all business continuity planning.
This isn’t about strategic risk in the abstract, nor is it concerned with individual disruptive events like cyber attacks or supply chain failures. SBIA focusses on the consequences of disruption and their effect on market position, regulatory standing or financial sustainability. The question isn’t whether the organisation loses capability, but what fundamental strategic threats emerge if critical outcomes cannot be delivered. Those answers become strategic thresholds.