The best approach for performing a business impact analysis (BIA) of a supply-chain management application is to interview groups of key stakeholders, as this allows the risk practitioner to obtain direct and detailed information on the business processes, dependencies, resources, and requirements that are supported by the application. The risk practitioner can also clarify any doubts, address any concerns, and validate any assumptions during the interviews. The BIA is a process of identifying and analyzing the potential effects of disruptive events on the critical business functions and objectives. The BIA helps to determine the recovery priorities, strategies, and targets for the business continuity plan. The other options are not the bestapproaches for performing a BIA, although they may be useful or complementary methods. Reviewing the organization’s policies and procedures can provide some background and context for the BIA, but it may not reflect the current or accurate situation of the business processes and the application. Circulating questionnaires to key internal stakeholders can be a convenient and efficient way to collect some data for the BIA, but it may not capture the complexity and nuances of the business processes and the application. Accepting IT personnel’s view of business issues can be biased and incomplete, as they may not have the full understanding or perspective of the business needs and expectations. References = Risk and Information Systems Control Study Manual, Chapter 2: IT Risk Identification, page 58.