Actually, there is no definitive order to perform Risk Assessment (RA) and Business Impact Analysis (BIA), and the choice for one or another will depend on your expectations:
By doing BIA first you will have a prioritized list of processes and services that can impact the most of your business in case of disruptive incidents, then you can go to assess the most relevant risks for the most critical processes and services.
By doing risk assessment first you will have a prioritized list of risks your organization is most exposed to, i.e., the most potential disruptive incidents, then you can go to assess the impact on business regarding the processes and services affected by those risks.
Particularly, we prefer to do a risk assessment first, because this way you will have a better impression of which incidents can happen (which risks you’re exposed to), and therefore be better prepared for doing the business impact analysis (which focuses on consequences of those incidents).
For rating critical services considering the results of a risk assessment, you can consider the value of the risks, or the number of risks, associated with a specific service. For example, you can have a service with two high risks associated with it and other with ten medium risks associated with it. Considering your context, in terms of risks maybe the second service is more critical.
These articles will provide you a further explanation about risk assessment and BIA: