How to set up and run a BIA in Kertos

Last updated: April 21, 2026

This guide walks you through the complete BIA workflow in Kertos - from initial configuration to completing your impact assessments and interpreting the results.

If you're unfamiliar with BIA concepts like MTPD, RTO, or impact categories, read this first.

Before you start

To run a BIA in Kertos, you need:

  1. Business processes added as primary assets. BIA is performed at the business process level. If you haven't added your business processes yet, go to Inventory → Assets and create them first.

  2. Linked supporting assets and systems. For the most useful results, your business processes should be linked to the systems and supporting assets they depend on. This lets you compare your BIA results (MTPD) against the recovery capabilities (RTO/RPO) of the underlying infrastructure.

  3. Admin access for BIA settings. Configuring impact categories, levels, and time frames requires admin permissions.


Step 1: Configure your BIA settings

Before any assessments can be performed, you need to set up your BIA configuration. This is a one-time setup, though you can adjust it later as needed.

Navigate to BIA in the left sidebar, then open the Settings tab.

Define your impact levels

Impact levels describe the severity scale you'll use during assessments. By default, Kertos provides four levels (Low, Medium, High, Critical), but you can adjust this to anywhere between 3 and 5 levels.

For each level, you can customize the name to match the terminology your organization already uses. The order matters - levels are ranked from least to most severe.

Set your Maximum Tolerable Impact Level

This is the company-wide threshold that determines when damage becomes unacceptable. Select one of your defined impact levels as the threshold. During the impact assessment, any rating that reaches or exceeds this level will be flagged - and the corresponding time frame will be used to calculate the MTPD.

For example, if you set the threshold to "High," then any business process where an impact category reaches "High" within a given time frame is considered to have breached tolerance.

Define your impact categories

Impact categories are the types of damage you want to assess for each business process. Common examples include Financial, Operational, Legal/Compliance, and Reputational.

You can add, rename, or remove categories to match your organization's risk framework. Each category can include a description that will be shown during the assessment to help users understand what to evaluate.

Keep in mind that adding a new category after assessments have already been completed will reset those assessments to "In Progress," since the new category needs to be rated.

Define your time frames

Time frames represent the periods of unavailability you want to assess against. These are the rows in your impact assessment matrix - for example: up to 1 hour, up to 4 hours, up to 1 day, up to 3 days, up to 1 week.

You can customize these to match your actual business cycles. A retail company might care about hourly increments during peak season, while a consulting firm might only need daily or weekly intervals.

As with categories, adding a new time frame after assessments are completed will reset those assessments to "In Progress."

Tip: Get your configuration right before running assessments at scale. Changes to categories or time frames will require users to revisit completed BIAs. The configuration itself is best done in the UI (not imported), since it's a one-time task that benefits from careful thought.


Step 2: Review your business processes

Once configuration is complete, navigate to the BIA overview tab. You'll see a table listing all your business processes (primary assets) with the following columns:

  • Asset name - the name of the business process

  • Asset type - the category of the primary asset

  • BIA status - where the assessment stands (Not Started, In Progress, Completed, Needs Review)

  • MTPD - the calculated Maximum Tolerable Period of Disruption (shown as "-" if the BIA hasn't been completed yet)

  • Linked supporting assets - the assets and systems this process depends on

From this view, you can filter and sort to prioritize which business processes to assess first. A practical approach is to start with the processes you already suspect are most critical - this gives you early results that can inform resource allocation while you work through the rest.

If you notice that business processes are missing, you can add new ones directly from this view.


Step 3: Perform the impact assessment

Click on a business process to open its BIA detail page, then start the impact assessment.

What you'll see

The assessment presents a matrix with your impact categories as columns and your time frames as rows. For each cell, you select an impact level that answers the question: "If this process is unavailable for [time frame], how severe is the [category] impact?"

You can also see the linked supporting assets and systems for this process, sorted by their classification (most critical first). This gives you context while assessing - if a business process depends on a system with very high availability classification, that's a signal that disruption could be serious.

How to fill it in

Work through the matrix systematically:

  1. Start with the shortest time frame and assess each impact category.

  2. Move to the next time frame. Typically, impact severity increases as the disruption lasts longer - but this isn't always the case, so assess each cell based on actual business consequences.

  3. For each rating, think in concrete terms: What specific financial loss would occur? What regulatory deadline would be missed? What customer-facing impact would be visible?

  4. Add a justification in the text field to explain your reasoning. This is important for audit purposes and for anyone reviewing the BIA later.

How MTPD is calculated

Once all cells are rated, Kertos automatically calculates the MTPD. The system identifies the earliest time frame where any impact category breaches the Maximum Tolerable Impact Level you configured in Step 1.

The result is shown visually: time frames where the impact is within tolerance appear in green, while those that breach the threshold appear in red. The MTPD is the point where the transition happens.

Assigning a BIA owner

Each business process can have a dedicated BIA owner - the person responsible for performing and maintaining the assessment. By default, this is the business process owner, but you can change it. The BIA owner will receive review reminders when the assessment is due for reassessment.

Saving your work

When you're done, click Save BIA to store the assessment and return to the overview. If you need to stop partway through, saving will preserve your progress and set the status to "In Progress." You can also Discard changes to return to the overview without saving.


Step 4: Review RTO and RPO alignment

After completing your BIA assessments, the most important next step is validating that your recovery capabilities match your business requirements.

Check RTO against MTPD

For each business process, the MTPD tells you the maximum time it can be down. The RTO on the underlying systems tells you how fast your IT team plans to restore service. If the RTO is longer than the MTPD, you have a gap.

You can see this alignment directly on the asset detail pages. Systems and supporting assets display their RTO and RPO values alongside the MTPD of the business processes they support.

Example: Your payroll process has an MTPD of 1 day, but the payroll system's RTO is set to 3 days. This means your recovery plan doesn't meet the business requirement - you need to either improve the RTO (faster recovery) or reconsider whether the MTPD is realistic.

Check RPO against data criticality

For systems that process critical data, verify that the RPO (how much data loss is acceptable) is aligned with your backup strategy. A payroll system with an RPO of 1 hour means you need backups at least every hour - if your current backup schedule is nightly, that's a gap to address.
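Added example (not Kertos code): the MTPD rule from Step 3 and the RTO/RPO checks from Step 4, written in Python and run on constructed data that mirrors the payroll example above. The function names, the data layout, and the choice to report the earliest breaching time frame as the MTPD are assumptions.

```python
from datetime import timedelta

LEVELS = ["Low", "Medium", "High", "Critical"]  # default levels, least to most severe

def mtpd(matrix, threshold, levels=LEVELS):
    """matrix: list of (time frame, {category: level or None}) rows.
    Returns the earliest time frame where any category reaches the threshold."""
    if threshold is None:
        return None  # no Maximum Tolerable Impact Level set: MTPD stays "-"
    rows = sorted(matrix, key=lambda row: row[0])
    if any(lvl is None for _, cells in rows for lvl in cells.values()):
        return None  # an unrated cell keeps the assessment "In Progress"
    limit = levels.index(threshold)
    for frame, cells in rows:
        if any(levels.index(lvl) >= limit for lvl in cells.values()):
            return frame
    return None  # assumption: no breach within the assessed time frames

def gaps(process_mtpd, systems, backup_intervals):
    """systems: {name: (rto, rpo)}; backup_intervals: {name: interval}."""
    findings = []
    for name, (rto, rpo) in systems.items():
        if process_mtpd is not None and rto > process_mtpd:
            findings.append((name, "RTO exceeds MTPD"))
        if backup_intervals[name] > rpo:
            findings.append((name, "backup interval exceeds RPO"))
    return findings

# Constructed sample data (hypothetical names and ratings)
H, D = timedelta(hours=1), timedelta(days=1)
PAYROLL = [
    (1 * H, {"Financial": "Low", "Legal/Compliance": "Low"}),
    (4 * H, {"Financial": "Low", "Legal/Compliance": "Medium"}),
    (1 * D, {"Financial": "Medium", "Legal/Compliance": "High"}),
    (3 * D, {"Financial": "High", "Legal/Compliance": "Critical"}),
]
SYSTEMS = {"payroll-system": (3 * D, 1 * H)}  # (RTO, RPO)
BACKUPS = {"payroll-system": 1 * D}           # nightly backup

if __name__ == "__main__":
    result = mtpd(PAYROLL, "High")
    print("MTPD:", result)
    for finding in gaps(result, SYSTEMS, BACKUPS):
        print(finding)
```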


Step 5: Maintain your BIA over time

A BIA is not a one-time exercise. Business processes change, systems are added or replaced, and organizational priorities shift.

Review periods

You can set a review period for your BIA. When the review date approaches, Kertos creates a task for the BIA owner as a reminder. A typical review cycle is 12 months, but you may want shorter intervals (e.g., 6 months) if your organization is changing rapidly.

When to review earlier

Even outside the regular review cycle, you should reassess your BIA when:

  • New systems or assets are added to a business process

  • A significant incident occurs that exceeds (or approaches) the MTPD

  • The organization restructures or launches new products/services

  • Regulatory requirements change (e.g., new NIS2 implementation guidelines)

Automatic status changes

Kertos helps you stay on top of changes. If you modify your BIA settings - such as adding a new impact category or time frame - any completed assessments that are affected will automatically be set to "In Progress," prompting the BIA owner to review and re-rate the new dimensions.


Understanding BIA statuses

Status - What it means

  • Not Started - No assessment has been initiated for this business process.

  • In Progress - The assessment was started but not all impact ratings have been completed, or it was reopened due to a configuration change.

  • Completed - All impact ratings are filled in and the MTPD has been calculated.

  • Needs Review - The assessment was previously completed but the review period has been reached, or changes have been made that may affect the results.


Troubleshooting

My MTPD shows "-" even though I completed the assessment.

Check that your Maximum Tolerable Impact Level is configured in BIA Settings. If no threshold is set, the system can't determine when the impact becomes unacceptable, so it can't calculate the MTPD. Also verify that all cells in the impact matrix have been rated - leaving any cell blank keeps the status at "In Progress."

I added a new impact category and all my completed BIAs went back to "In Progress."

This is expected behavior. A new category creates a new column in the assessment matrix that needs to be rated for every business process. Review each affected BIA and rate the new category across all time frames, then save to return to "Completed."

My RTO is longer than my MTPD - what should I do?

This is a real finding, not a bug. It means your recovery plan doesn't meet the business requirement identified by the BIA. You have two options: work with your IT team to reduce the RTO (e.g., through redundant systems, faster failover, or better backup infrastructure), or revisit the BIA to confirm the impact ratings are accurate - sometimes teams overestimate the urgency.

I want to change my impact levels but I'm worried about losing data.

Renaming an impact level doesn't affect existing assessments - only the label changes. Deleting an impact level that's in use will clear the ratings where that level was selected, and affected BIAs will be set to "In Progress" so they can be re-rated. This behavior is designed to prevent stale or incorrect data from persisting.

Who can configure BIA settings?

BIA settings (impact levels, categories, time frames, threshold) require admin access. Regular users can perform impact assessments on the business processes assigned to them, but they can't change the configuration that applies company-wide.

Can multiple people work on BIA assessments at the same time?

Yes. Each business process has its own independent assessment. Different BIA owners can work on their assigned processes simultaneously without interfering with each other.