Determining the business purpose of the application is the first thing that a risk practitioner should do when a shadow IT application is identified in a business owner’s business impactanalysis (BIA), because it helps to understand the rationale and value of the application, and the potential risks and issues that it may introduce or affect. A shadow IT application is an IT system or application that is used by the business units or employees without the knowledge or approval of the IT department or management. A shadow IT application may offer benefits such as convenience, efficiency, or innovation, but it may also pose risks such as security breaches, data loss, compatibility issues, or regulatory non-compliance. A BIA is a process of analyzing the potential impact of disruption to the critical business functions or processes, and identifying the recovery priorities and requirements. A BIA may reveal the existence of ashadow IT application, as it may be used to support or enable a critical business function or process. Determining the business purpose of the application is the first thing to do, as it helps to evaluate the necessity and suitability of the application, and to plan the appropriate actions to address the shadow IT application. Including the application in the business continuity plan (BCP), segregating the application from the network, and reporting the finding to management are all possible things to do after determining the business purpose of the application, but they are not the first thing to do, as they depend on the results of the evaluation of the application. References = Risk and Information Systems Control Study Manual, Chapter 4, Section 4.2.1, page 143