BIA Best Practices

DRJ GAP – Subject Area 3 Business Impact Analysis (3.0), August 2007. Consistency Review – Version 2.1

DRII/BCI Professional Practice Narrative:

• Identify the impacts resulting from disruptions and disaster scenarios that can affect the organization and techniques that can be used to quantify and qualify such impacts. Establish critical functions, their recovery priorities, and interdependencies so that recovery time objective(s) and recovery point objective(s) can be set.

Generally Accepted Practices (GAP) Notice:

• This document is to serve as a repository of knowledge which is to be applied across various verticals.
• This document contains a conceptual basis for program development, not an auditable checklist.

Subject Area 3 – Business Impact Analysis

Sub-Topic #1 – Executive Sponsorship

1. Gain executive management buy-in

How:
• Dialog with management on the communication process within the organization and on expectations. Consider setting expectations with executive management, the Board of Directors, business unit managers, regulators, auditors (internal and external), state government departments and the BCP steering committee, as appropriate.
• Make sure that the project scope statement sets forth the terms, the timeframe for completion, guidelines for determining the types of questions to ask on the BIA, and the value/benefit of the data collected. Ensure that all stakeholders (employees, regulators, auditors, managers, those funding the BIA) are in agreement over the ultimate value of the BIA questions, that expectations are agreed upon, and that it is agreed how results will be used to move forward in the process.
• Ensure the success of the project initiative: detail a process that will involve stakeholders and document the agreed-upon expected results. Typically BIA results are used to validate funding of a recovery strategy and/or recovery solution(s).
• Ask executive management at what level the BIA process will gain the most accurate data.
• Determine specific, repeatable, testable, clear and concise questions on the BIA that will yield the expected results.
• Be prepared to show the benefits and value of the BIA process upfront (beyond the BCP). Executive management will gain a more objective view of the threats and risks to operations. Based upon this knowledge, management can make an informed decision on the risk tolerance it will accept.
• Oftentimes there are hidden benefits in conducting a BIA initiative. Be prepared to identify and communicate these benefits to executive management. Examples of hidden benefits include identifying outdated technologies, unrealistic spending, integration issues with other organizational groups, business process improvement, redundancy of effort and outsourcing issues.
• Develop appropriate executive management reporting avenues to report status, activities, risks, constraints and bottlenecks.
• Conduct abbreviated executive-level workshops.
• You absolutely must have executive/senior management buy-in, or you will have been set up for failure in completing a successful BIA.
• Consider the most appropriate manner to gain approval of the BIA results. Consider for your organization whether it is appropriate to circulate the BIA results by meeting with each executive manager individually to present results, or by distributing written draft results to each line-of-business manager.
• Give examples of what might happen if the company does NOT conduct a BIA.

Points of Reference:
• Depending on the complexity and size of the organization, you may want to consider separating the risk assessment and the business impact analysis into two separate efforts. In general, the smaller the organization, the easier it is to combine them; the larger the organization, the more efficient it may be to separate them.

2. Request that executive-level support be communicated for the BIA initiative

How:
• Consider writing a sample memo for executive management explaining the BIA initiative and their support of it. Emphasize that the BIA is the cornerstone, the foundation that all recovery strategies will be based on, and the importance of obtaining the highest quality results (i.e. both accurate and timely) that give a fair representation of the impacts to the organization at all levels.
• Recommend to executive management both the audience and the appropriate level at which to distribute the BIA support memo.
• Offer to attend staff meetings to explain the BIA initiative, if appropriate.
• Consider using the organization's intranet website and other communication vehicles in support of the BIA initiative.

Page 3 of 17 DRJ GAP – Subject Area 3 Business Impact Analysis (3.0) August 2007
Consistency Review –Version 2.1
Subject Area 3 – Business Impact Analysis
Sub-Topic #2

UNDERSTAND # What How Points of Reference


THE
ORGANIZATION
1 Identify business • For each part of your organization, request updated
Understand the processes / organizational charts (if in existence), workflow diagrams,
Organization functions basically any documentation that may assist in
understanding the organizational structure.
• When determining how best to conduct the BIA interviews,
stay as close to the organization of management currently in
place (i.e. follow the organizational chart that accurately
reflects the division of responsibilities). Determine if it makes
good business sense to conduct BIAs through a
geographical analysis depending on the types and number
of buildings, at a departmental level, and/or at a
process/function level.
• The term process is often used synonymously with the word
function. In general, a BIA is completed for each business
process/function. Where processes/functions provide
distinctly different products, services, or outputs, separate
BIAs may be appropriate especially if operational and
financial impacts of a loss will be significantly different for
each process. (For example, a separate BIA should be
completed for Revenue Billing, Remittance Processing,
Telemarketing, etc.)
• Consider the appropriateness of polling executive
management for a list of time critical processes/functions to
focus on if there is little time to complete a detailed BIA
process. Determine what executive management wants
covered if time is of the essence.
• Poll executive management as to any known pitfalls or
issues that may impede your progress to conduct and
complete the BIA process.

Page 4 of 17 DRJ GAP – Subject Area 3 Business Impact Analysis (3.0) August 2007
Consistency Review –Version 2.1
Subject Area 3 – Business Impact Analysis
Sub-Topic #3

BIA TOOLS # What How Points of Reference


1 Design a custom • Spend time upfront to customize the BIA for the
BIA TOOLS tailored business organization. Design a questionnaire that is written
impact analysis specifically for the organization keeping in mind its business
questionnaire language and culture. Update a prior BIA for the
organization based on previous learnings.
• Define report format. (Moved from Section 5-2)
• The BIA is not an exercise in “Yes” and “No” answers; the
purpose is to draw information from the source that is useful
to the BIAs stated objectives.
• Consider the purpose for requesting information on the BIA
questionnaire and then re-consider possible related
subsequent follow-up questions. Avoid continually going
back and asking for data from BIA participants.
• Identify the impact categories that are important and
peculiar to your specific organization. Assess your current
industry setting when custom tailoring your BIA
questionnaire.
• Consistently use the same timeframes to measure impacts
over time for both financial and operational impacts. By
using the same time measurements, it allows BIA results to
be consistently compared across the organization.
• Be consistent with the scale used to measure impacts to the
organization.
• It is important to capture both the quantitative (i.e. tangible)
and the qualitative (i.e. intangible) impacts to the
organization.
• If one on one and/or face to face interviews are conducted,
guidelines should be provided and reviewed with the BIA
team before BIA interviews are conducted.
• Lobby not to add questions to the BIA questionnaire that
support another management initiative if it is inappropriate to
do so (avoid scope creep).

Page 5 of 17 DRJ GAP – Subject Area 3 Business Impact Analysis (3.0) August 2007
Consistency Review –Version 2.1
Subject Area 3 – Business Impact Analysis
Sub-Topic #3

BIA TOOLS # What How Points of Reference

BIA TOOLS 2 Determine the • It is important to quantify the operational impacts to an Examples of
operational impact organization resulting from a business process/function tangible impacts
over time of a being unavailable. Often, the significance of a business may include, but
disruption to each process/function is overlooked because there may be no not be limited to:
process/function direct financial impact. However, the operational impact to ¾ Legal/Regulato
the organization may be just as or even more significant to ry/Contractual
the organization. Measure whatever is important to your
¾ Operational
specific organization.
¾ Customer
• Choose impact levels using the most significant peak period Service
for each business process/function. This may be at the end (Internal and/or
of a month, quarter or year, or according to seasonal trends External
in the business process. customers)
• A detailed definition of each of the impact levels must be ¾ Financial
established based on the specific industry.
• A scale for quantifying the operational impacts must be
Examples of
established in order to ensure all process/functions are
intangible impacts
measured the same. For example, a scale of 1 – 4 could be
may include, but
used with the following definitions: 1 = no impact, 2 =
not be limited to:
moderate impact, 3= serious impact and 4 = severe impact.
Another scale example to consider would be using a Low ¾ Market Share
(L), Medium (M) or High (H) Impact scale for quantifying the ¾ Reputation
impacts over each time period. Another scale example
might be, Essential, Necessary Desirable.
• Where possible, contracted service level agreements and
any associated penalties should be identified, along with
legal or regulatory penalties. Force majeure clauses should
be reviewed as part of the review.
• Consider SOX- Section 409 Material event) can also be
used to gain CXO (i.e. CEO, CFO, CIO,) level support for
initiative.

Page 6 of 17 DRJ GAP – Subject Area 3 Business Impact Analysis (3.0) August 2007
Consistency Review –Version 2.1
Sub-Topic #3 3 Determine the • Financial impacts to the organization as a result of process Examples financial
financial impact unavailability can be directly or indirectly applied to each impacts may include,
BIA TOOLS over time of a process/function. The BIA seeks to identify both direct and indirect but not be limited to:
disruption to each financial impacts. Measure whatever is important to your specific ¾ Lost revenue
process/function organization.
¾ Property damage
• Choose impact levels using the most significant peak period for
¾ Deferred income
each business process/function. This may be at the end of a
month, quarter or year, or according to seasonal trends in the ¾ Penalties and
business process. Fines
• The same time periods used to measure operational impacts ¾ Lawsuits
should be used to measure the financial impacts. If you do not ¾ Cost of
consistently use the same timeframes to measure impacts, it duplicating
makes it impossible to compare BIA results consistently across the inventory
organization.
• A scale for quantifying the financial impact over each time period Refer to Appendix A
must be established based on the organization’s size and the (ED: Additional
specific industry. Reference is needed
• Determine if the financial impacts over time are cumulative. for this item.)
• Determine the cumulative financial impact for each category of
financial impacts.
• Consider the many types of revenue loss for the organization as
some revenue may not truly be a loss. Consider revenue loss
measurements versus revenue that is truly deferred income.
• Financial impacts vary by industry; do not overlook favorable
trends (intangible impacts).
• Make sure that financial impacts to downstream processes are not
recorded and double counted in the financial cost to the
organization.
• Identify the intangible impacts that make up the significant risks
and exposures to the organization. One intangible impact may be
that the organization will lose employees and jeopardize recovery
efforts if employees aren’t paid in a timely manner.
• A contract may state penalties for missed deadlines or
deliverables, or it may not be specific to the exact recourse the
organization has.
• Some operational impacts are intangible. If data is lost that cannot
be restored, it may be an intangible impact as it can’t be attached
to a direct sum of money.

Page 7 of 17 DRJ GAP – Subject Area 3 Business Impact Analysis (3.0) August 2007
Consistency Review –Version 2.1
Sub-Topic #3 4 Determine • Based upon the financial and operational impacts,
recovery time determine the RTO. The RTO is the period of time within
BIA TOOLS objectives which systems, applications, or functions must be recovered
(RTOs), Maximum after an outage (e.g. one business day). RTOs are often
Allowable used as the basis for the development of recovery
Downtime/Outage strategies, and as a determinant as to whether or not to
(MAD/MAO) and implement the recovery strategies during a disaster
Recovery Point situation. Similar Terms: Maximum allowable downtime.
Objective (RPO) • Determine the minimum acceptable level of operations that
are required for this business process/function within the
RTO. For example, if the RTO is 4-7 days, does this
business process/function need to be restored at 100% of
production capability? Could the business process/function
be recovered in stages? Ask how long can the organization
live with the process at less than a normal production
capacity (i.e. a reduced level of operations while in recovery
mode? Could 50% of the production capability be recovered
in 4-7 days and the remaining 50% be recovered in 31+
days? Remember also that in a disaster situation, it is not a
business as usual environment.
• A BIA tool should never force an RTO for a business
process/function. Forced recovery time objectives do not
take into consideration changes of roles at time of disaster
and impacts to downstream business processes and/or
dependencies. If a BIA tool is used that assigns an RTO
based on any sort of risk rating, there must be a process in
place to override an RTO upon management review.
• The RTO is used by corporate support teams to assess
possible recovery strategies for the business
process/function.
• Assume total loss to ensure an apples-to-apples comparison
of impacts. At this stage of the BIA, it is a natural step for the
interviewer and the interviewee to discuss possible recovery
strategies. Do not launch into recovery strategy discussions
at this point; consider no recovery capability exists when
determining where in time the process must recover.
Determine what the point in time should be for the business
process to recover.

Page 8 of 17 DRJ GAP – Subject Area 3 Business Impact Analysis (3.0) August 2007
Consistency Review –Version 2.1
Sub-Topic #3 5 Determine both • RTOs should be supported by the operational and financial Examples of internal
internal and impacts and ratings. If the RTO is not supported by the and/or external
BIA TOOLS external business impact ratings, then the cause must be determined (i.e. Did business dependencies
dependencies you miss something? Do roles change at time of disaster? ) include, but are not
The RTO must pass a reality check by several levels in the limited to providers of:
organization. Be prepared to backup the RTO with the
impacts and the ratings assigned.
¾ Forms
• Each company should explicitly spell out their MAD, RTO ¾ Raw materials
and RPO definitions. e.g. Is the RTO from the incident until
applications are ‘up’; or from the declaration until systems ¾ Sub assembly
are turned over to users; or is it from incident until customer points
information is current? ¾ Inventory
• Consider the most appropriate method to document both ¾ Courier service
internal and external dependencies. Determine if there is a ¾ Customer
need to separate internal dependency impact information service
from external dependency impact information.
• Identify supply chain links to other internal departments,
Information technology infrastructure (internal and external
applications, systems, voice and data network data, etc.),
processes, or other third parties. Examples of third parties
could be vendors, business partners, customers, etc.
• Consider the loss to your organization should an outsourced
service provider(s) not be able to meet your business
requirements. Consider any service level agreements and/or
contractual requirements in place (include international
contractual relationships that may exist).
• What are the inflows? When is it needed? From whom does
the process/function receive information, data, requests,
etc.? What does the process/function depend on for the
information or resources to perform the process/function?

Page 9 of 17 DRJ GAP – Subject Area 3 Business Impact Analysis (3.0) August 2007
Consistency Review –Version 2.1
Sub-Topic #3 5 Determine both • What are the outflows? When is it needed? Whom does the
internal and business process/function provide information to? What do
BIA TOOLS external business others depend on from this business process/function?
dependencies • As part of the BIA, it is important to understand what
happens to your organization if a source the business
process relies on is unavailable for any reason. Measure
how fast and severe the impact is (i.e., operational impact).
These exposures or gaps should be addressed as part of
the Risk Assessment and risk mitigation process.
• Consider completing business process maps to document
the inflows and outflows.

6. Determine central repository for BIA data

How:
• Determine how BIA data will be used on an ongoing basis. Consider the ongoing reporting requirements for your organization.
• Determine where to house BIA data and how to update the data on an ongoing basis (i.e. via a database, a spreadsheet, a specific software package, etc.).
• Ensure that the BIA data and artifacts are stored in a secure, backed-up environment.

Page 10 of 17 DRJ GAP – Subject Area 3 Business Impact Analysis (3.0) August 2007
Consistency Review –Version 2.1
Subject Area 3 – Business Impact Analysis
Sub-Topic #4
# What How Points of Reference
BIA PROCESS

BIA PROCESS 1 Gather BIA • Ensure that all participants receive proper training and Examples of how
information using understand the value, importance and need for the BIA. BIA data can be
the most • Prior to kicking off the BIA process, those individuals gathered:
appropriate responsible for conducting the business impact analysis ¾ One-on-one
method for your should jointly review the BIA process to: interviews
organization.
1. Ensure the BIA is interpreted properly; it is ¾ Management
important for those involved in /supervisor
gathering/conducting the BIA to mutually workshops
understand the questions being asked on the BIA ¾ Conference calls
questionnaire. BIA questions can be interpreted ¾ Electronic (not
differently within the BIA team members. The recommended)
joint review will help to eliminate any
misunderstanding of the data that needs to be ¾ Questionnaire
collected.
2. Review the message to convey (such as the
importance of the BIA to the organization) and the
interview techniques that are to be used to gather
the data needed to complete the BIA.
• Consider partnering your business/function managers with
their IT counterparts during the data gathering process as
the quality of the information gathered with them together
will almost always be better than the data gathered from
them separately.
• Prior to gathering the BIA data, consider sending out the BIA
questionnaire and questionnaire guidelines (i.e. how to
interpret each question on the BIA). Questionnaires that are
sent out and completed without the assistance of a Business
Continuity Professional will yield results that cannot be
reasonably compiled and compared (i.e. rather than
gathering an apples to apples comparison, the results
compare more like apples to tractors) . Individual
managers may not know the impact they have on the

Page 11 of 17 DRJ GAP – Subject Area 3 Business Impact Analysis (3.0) August 2007
Consistency Review –Version 2.1
organization as a whole. Additionally, BIA questions will be
interpreted differently by each interviewee.
Sub-Topic #4 • As appropriate, schedule a meeting with the
business/function manager to collaboratively complete the
BIA PROCESS BIA questionnaire. Send out BIA questionnaire in advance
so that the recipients can review it with others and get
complete answers.
• Explain the purpose of the BIA initiative to the interviewees.
Make it clear that management has no hidden agenda such
as having interviewees justify their jobs via the BIA process.
It is helpful to explain that every department/ employee is
important to the organization. One of the objectives is for
executive management to learn what business
process/function is time critical should a disaster occur.
• Conduct interview and complete the questionnaire. Ensure
consistency in interviewee(s) understanding of questions
throughout the process.
• Design and conduct follow-up interviews. If information is
still missing after the interview, follow-up with the
interviewee and request it be provided (e.g. financial dollar
impacts may need to be provided by a finance department
that supports the business process/function and not readily
available).

Sub-Topic #5 – BIA Findings

1. Obtain approval for individual BIA results

How:
• Depending on the size and complexity of your organization, consider the appropriate level(s) of approval for the BIA results. For example, it may be appropriate for some organizations to obtain at least two levels of approval for the BIA results, involving both (1) the business process owner/manager and (2) the next highest level of management.
• Consider the appropriateness of using a sign-off form of some kind to formally indicate that the appropriate level of management has reviewed and approved the BIA results.
• It is important to note that information contained in the approved BIA will be communicated to others with supporting roles in planning for the recovery of the process/function, such as Facilities, Telecom, IT, etc.

2. Prepare analysis of BIA results

How:
• Consolidate the individual BIA information to determine the organizational priorities for recovery over time. The recovery time objectives should drive the priorities for business process recovery, including its technical components.
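As an added example (not code from the DRJ GAP document), the following Python script consolidates constructed per-process BIA results the way Sub-Topic #3 (items 2 to 5) and Sub-Topic #5 describe: one shared set of time periods, the 1 = no impact to 4 = severe operational scale, cumulative financial impact, a reality check of each declared RTO against its ratings (flagging rather than forcing), an upstream-dependency check, and the resulting organization-wide recovery priorities. The process names reuse the document's own examples; every figure, the financial threshold and the "serious" cut-off are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from itertools import accumulate

# One set of outage durations (hours) shared by operational and financial
# impacts, so results can be compared consistently across the organization.
PERIODS = [4, 24, 72, 168, 336, 720]  # 4h, 1 day, 3 days, 1 week, 2 weeks, 30 days
OPERATIONAL_SCALE = {1: "no impact", 2: "moderate", 3: "serious", 4: "severe"}
SERIOUS = 3  # assumption: a process must be back before its rating reaches this


@dataclass
class ProcessBIA:
    name: str
    declared_rto: int          # RTO in hours agreed with the process owner
    operational: list[int]     # operational rating per period, on the 1-4 scale
    financial: list[float]     # additional loss incurred in each period (not cumulative)
    depends_on: list[str] = field(default_factory=list)  # upstream processes

    def __post_init__(self) -> None:
        # Every process must be rated over the same periods on the same scale.
        if not (len(self.operational) == len(self.financial) == len(PERIODS)):
            raise ValueError(f"{self.name}: one rating per period is required")
        if any(r not in OPERATIONAL_SCALE for r in self.operational):
            raise ValueError(f"{self.name}: operational ratings must be 1-4")

    def cumulative_financial(self) -> list[float]:
        """Running total of loss at the end of each period."""
        return list(accumulate(self.financial))


def supported_rto(p: ProcessBIA, financial_threshold: float) -> int | None:
    """Earliest period at which the ratings say the process must be back (operational
    rating reaches SERIOUS or cumulative loss reaches the threshold); None if never."""
    for hours, rating, loss in zip(PERIODS, p.operational, p.cumulative_financial()):
        if rating >= SERIOUS or loss >= financial_threshold:
            return hours
    return None


def reality_check(p: ProcessBIA, financial_threshold: float) -> str | None:
    """Finding when the declared RTO is not supported by the ratings, else None.
    The tool never overrides the declared RTO; it only flags it for review."""
    needed = supported_rto(p, financial_threshold)
    if needed is None:
        return (f"{p.name}: declared RTO {p.declared_rto}h, but impacts never reach "
                f"'serious' within {PERIODS[-1]}h; confirm the ratings")
    if p.declared_rto < needed:
        return (f"{p.name}: declared RTO {p.declared_rto}h is tighter than the impacts "
                f"justify (serious at {needed}h); check for missed impacts or role changes")
    if p.declared_rto > needed:
        return (f"{p.name}: declared RTO {p.declared_rto}h is later than the impacts "
                f"allow (serious at {needed}h); review with management")
    return None


def dependency_check(processes: list[ProcessBIA]) -> list[str]:
    """An upstream dependency must recover no later than the processes relying on it."""
    by_name = {p.name: p for p in processes}
    findings = []
    for p in processes:
        for dep in p.depends_on:
            up = by_name.get(dep)
            if up is None:
                findings.append(f"{p.name}: dependency '{dep}' has no BIA on file")
            elif up.declared_rto > p.declared_rto:
                findings.append(f"{p.name} (RTO {p.declared_rto}h) depends on {dep} "
                                f"(RTO {up.declared_rto}h); upstream RTO too long")
    return findings


def recovery_priorities(processes: list[ProcessBIA]) -> list[str]:
    """Recovery order: shortest declared RTO, then worst rating, then total exposure."""
    ranked = sorted(processes, key=lambda p: (
        p.declared_rto, -max(p.operational), -p.cumulative_financial()[-1]))
    return [p.name for p in ranked]


# Constructed sample results; names follow the document's examples, every figure is invented.
SAMPLE = [
    ProcessBIA("Remittance Processing", 24, [2, 3, 4, 4, 4, 4],
               [5_000, 25_000, 60_000, 120_000, 120_000, 120_000], ["Customer Database"]),
    ProcessBIA("Revenue Billing", 168, [1, 1, 2, 3, 4, 4],
               [0, 0, 10_000, 50_000, 150_000, 300_000], ["Customer Database"]),
    ProcessBIA("Telemarketing", 24, [1, 1, 1, 2, 2, 3],
               [0, 2_000, 5_000, 8_000, 15_000, 30_000]),
    # No direct financial loss, yet operationally serious within a day.
    ProcessBIA("Customer Database", 72, [2, 3, 3, 4, 4, 4], [0, 0, 0, 0, 0, 0]),
]
FINANCIAL_THRESHOLD = 100_000.0  # assumption: cumulative loss management will not accept

if __name__ == "__main__":
    for proc in SAMPLE:
        print(reality_check(proc, FINANCIAL_THRESHOLD) or f"{proc.name}: RTO supported")
    print("Dependency findings:", dependency_check(SAMPLE))
    print("Recovery priorities:", recovery_priorities(SAMPLE))
```

Run as a script it reports which declared RTOs are supported, that Remittance Processing cannot meet its 24h RTO while Customer Database is allowed 72h, and the priority order that the approved RTOs imply.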

Sub-Topic #6 – Gain Management Approval of BIA Results

1. Obtain executive management approval of the BIA summary and recovery prioritizations

How:
• Gain approval of BIA results from all appropriate levels of management before presenting the final results to the executives as a group.
• Develop a final summary presentation that easily shows the priorities for recovery and the RTOs to management.
• Determine what type of formal sign-off is required to move to the next phase of planning.
• Be prepared to answer detailed BIA questions from the executive managers (have the detailed BIA questionnaire results available should a detailed question arise).

2. Prepare executive management presentation

How:
• A summary report is prepared and presented to executive management.
• The presentation should be a formality at this point. There should be absolutely no surprises in the summary presentation for executive management.
• Executive management should clearly be able to understand the impacts to the organization should processes/functions be unavailable; this data will support the recovery time objectives required by the process/function.

3. Be prepared to discuss next steps

How:
• BIA data can quickly become outdated. Once the BIA results and priorities for recovery are approved, it is extremely important to act quickly and begin work on developing recovery strategies.

Points of Reference:
• Subject Area 2: Risk Evaluation and Control

Sub-Topic #7 – BIA Life Cycle

1. Determine BIA review and update requirements

How:
• Determine how often BIA results need to be reviewed for the organization (i.e. annually, semi-annually, etc.). There may be legal and/or regulatory requirements that dictate how often a BIA must be reviewed and updated. Consider if your organization is required by any internal or external auditing authority to complete specific tasks and any associated timeframes for completion.
• Depending on your organization's dynamics, consider implementing a tickler system to ensure updates occur as planned.
• Communicate the BIA review cycle to executive management and other management levels as appropriate.
• Determine the audit trail for updates and a records retention schedule.
