1. A Business Not a Technology Issue
Hackers, hurricanes, fires, flooding, power outages, denial of service attacks, application failures, employee error, sabotage and now terrorism are helping companies to focus on the necessity of a business continuity plan.
Through the late 1990s as companies prepared for Y2K, many IT executives, risk managers, CFOs and corporate managers realized that recovering computing systems, networks and data was not enough. As Y2K approached, it became more apparent that a disciplined approach was needed to recover not only data and systems, but also business processes, facilities and manpower to restore and maintain critical functions.
The starting point is a risk assessment. Identify and define your mission critical business processes and systems. Review them for vulnerabilities and identify steps required for restoration and recovery. For your data, make sure it is backed up to secure and separate locations. Evaluate various storage solutions including storage area networks, data replication systems, new virtualization systems, network attached storage devices and managed storage. Pay significant attention also to your telecommunications providers to ensure they have built diversity and redundancy into their networks and have well developed and tested contingency plans.
The risk assessment will start to drive out real questions on the business impacts and losses that could result from disruptions. Mission critical impacts, key business functions, processes and records must all be identified. This is also the time to determine resource requirements and acceptable recovery time frames.
Various recovery strategies should be evaluated to achieve your cost, reliability and time to recover objectives. Include physical, technological, legal, regulatory and personnel considerations when you evaluate alternatives. Common points of failure are a lack of executive and budget support and not fully engaging employees. Along with your data, employees are your most valuable asset.
Business continuity planning sounds expensive and it can be time-consuming. However, losing your business functions, processes and systems as well as your company, customer and financial data can be devastating. Build your plan. Train, test, train and test again.
2. Risk Analysis and Control
In the risk evaluation phase, there are a number of key areas that must be covered. One of the most important is to understand probable threats. In an ideal world, which most of us have noticed does not exist, we would identify and protect ourselves against all threats to ensure that our business continues to survive. Obviously, we are constrained by other factors such as budgets, time and priorities and need to apply cost benefit analysis to ensure we are protecting the most critical business functions.
A second important step is to identify all probable threats and prioritize them. Threats, typically, can be classified in several ways such as internal/external, man-made/natural, primary/secondary, accidental/intentional, controllable/not controllable, warning/no warning, frequency, duration, speed of onset etc. While classifying threats is helpful in terms of understanding their characteristics and potential controls, grouping and understanding by business impact is also important. Obviously, the same impact can result from a number of different threats.
Identifying mission critical business processes and systems is another fundamental building block of the business continuity plan. After your critical business processes and systems and probable threats are established, the next step is to identify vulnerabilities and loss potential. This requires an extensive scan of the organization to identify vulnerabilities and then analysis to understand those vulnerabilities which would have the greatest impact on your critical business processes and the organization. This starts to clarify and quantify potential losses, which helps to establish priorities.
Following the identification of the most probable threats and vulnerabilities, an analysis of existing controls is needed. This spans physical security as well as people, processes, data, communications and asset protection. Some controls such as physical security and data backup are obvious. Other controls required are often less obvious, but they can be identified through the risk evaluation process.
Once the key building blocks of critical business functions, most probable threats, vulnerabilities and controls are identified, the next stage is to develop an understanding of the probability of threats factored by the severity or impact of the threats. This leads to the business impact analysis phase which establishes priorities for protection.
The goal is to minimize threats, impacts and downtime and to mitigate any losses. Fundamentally, the goal is to protect your people, protect your data, protect your vital communications, protect your assets and to protect your brand and reputation. Overall, of course, the goal is to ensure your business continues to operate and to do it in a cost-effective way meeting standards of reasonable and prudent judgment.
3. Business Impact Analysis
Business impact analysis is a critical part of the business continuity planning process. This step quantifies data and gets into the real world issue of potential losses that can negatively impact your business. It is used to understand the most important impacts and how to best protect your people, processes, data, communications, assets and the organizationís goodwill and reputation.
Organizations often think in terms of disaster recovery. Business continuity and the business impact analysis is more focused on keeping the business up and running and less focused on recovery after a disaster. The business impact analysis also is not focused only on the potential disasters, but on all potentially critical discontinuities. Key elements of the Business Impact Analysis are to identify critical business functions, establish the maximum acceptable outage time for each of these functions and then to determine the impact of not performing those functions. This can be measured against regulatory, legal, financial, operations or customer service requirements.
Once the adequacy of security and controls is evaluated and critical business functions and outage times are defined, the business continuity planner needs to develop an understanding of the probability of threats factored by the severity or impact and to start to develop a cost benefit analysis of the largest impact and highest probability threats.
Itís virtually impossible to create an absolute value and priorization of threats and impacts. Generally, a relational system is used to drive out the key priorities. Often, each threat is evaluated according to its probability and assigned a 1, 5 or 10 rating. Then, each threat is evaluated according to its impact on critical business functions and on the business overall. For example, a discontinuity in a critical business function of less than one hour might receive a value of 0. A discontinuity of one to eight hours might be ranked a 1, eight to twenty four hours might be ranked a 2 and over 24 hours might be ranked a 3. Obviously, these rankings need to be developed on a company specific basis. Probability factored by impact creates the relational prioritization list.
This approach to risk evaluation and control allows management to start to quantify the risks and potential impacts on the organization in a thoughtful and analytical way. This results not only in higher quality decisions, but also provides an audit trail that demonstrates that management is paying attention to its risk management responsibilities. These responsibilities might be established by regulatory or legal bodies, demanded as a contractual commitment by customers or simply expected by shareholders as sound and prudent management. The key corporate goals are to protect people, protect assets, protect data and to protect the brand and reputation of the organization.
4. Selecting A Business Continuity Strategy
The risk analysis and business impact analysis have identified risks to key business functions. Also, the potential impacts and probabilities of these risks as well as the costs to prevent or mitigate damages and the time to recover will have been established. Evaluating and selecting strategies is based on using this knowledge. Strategy selection involves focusing on key risk areas and selecting a strategy for each one. The primary goals are to maintain business continuity in the face of a disruption or disaster, to recover key business functions quickly and to mitigate damages.
Many companies associate disaster recovery and business continuity only with IT and communications functions and miss other critical areas that can seriously impact their business. Other common areas for strategy development and selection are employees, facilities, power, customer service, billing, and customer and public relations. All areas require a clear well thought out strategy based on recovery time objectives, cost and profitability impact.
Recovery related to employees is the most overlooked part of strategy selection. Simple steps like the ability to contact employees at home or on their personal cell phone and to ensure all are accounted for at each facility are often overlooked. Communications is critical to keep employees informed and engaged. The most powerful tools for continuity and recovery are the knowledge, capabilities and motivation of employees.
Developing strategies with implementation steps means no time is wasted in a recovery scenario. The focus is to implement the plan quickly and successfully. The right strategies implemented effectively minimize the disruption and mitigate damages.
In some cases, a strategy decision may be no strategy at all. In this scenario and others where there is significant risk to the financial viability of the organization, business interruption or business income insurance may be a viable strategy. Generally, this provides the company with the income it is losing due to damage to its property. It therefore increases the company's chances of survival and the ability to keep its customers and recover.
5. The Business Continuity and Disaster Recovery Plan
Essentially, the plan addresses the who, what, where, why and when of recovery. Goal number one is to reduce the risk profile of the business. Goal two is to be well prepared so the impact of any disruption is minimized. Overall, the objective of the plan is to effectively minimize the chances of disruption and, if there is a disruption to quickly implement the recovery and get the business or organization working again.
The "why" is to maximize business continuity and minimize damages to company assets. Ultimately, the goal is to protect the organization from the key risks identified and to effectively implement the recovery strategies.
The "what" is a clear, detailed, but focused business continuity and disaster recovery plan, a plan that provides a successful road map to minimize business interruption and maximize business continuity.
The "who" refers to the teams. The recovery effort is focused through teams. While the Emergency Management Team is the leader of the recovery efforts, other teams could include: IT, telecommunications, facilities and power, customer relations, public relations, billing, customer service, and human resources.
The "where" is, of course, company facilities, but it's also other alternate sites, location of all employees and the ability to find and communicate with employees. Effectively organizing and deploying employees is the most fundamental requirement for successful recovery.
And finally, there is the question of "when." Unfortunately, hackers, hurricanes, fires and other risks seldom follow our agenda. The "when" we can control is the "when" of lowering the company's risk profile by implementing solutions before the problem develops. "When", of course, also has to do with the priorities of the recovery. These hopefully would be in place as a result of selecting effective strategies.
If you don't know where you're going, any road will get you there. The business continuity and disaster recovery plan is the road map to get you to your destination of minimizing risks, mitigating damages and reducing your risk profile.
6. Reducing Your Risk Profile
Like all plans, there is an ultimate goal to achieve. The goal in a business continuity plan is simply that: to continue your business in the face of a disaster or a disruption. A business continuity plan is not just for a disaster. Itís also for the smaller things in life, like your friendly neighborhood burglar who decides to borrow all of your computers or the small power interruption, which causes loss of data and downtime or the fire five floors below you, which causes a 5 hour building shutdown. These are a few of the many things, which do occur every day and do happen to companies like yours.
Disaster recovery has traditionally been associated with computing systems and data storage and recovery of data. Different than business continuity, disaster recovery is focused more on after the fact, quickly and effectively recovering from a disaster or disruption.
It's, of course, not realistic to think that you can guard against every risk. However, through risk analysis, business impact analysis, selecting effective strategies, documenting detailed recovery plans and testing your plans, you can significantly reduce many of your risks, often in a very cost effective way. You have an important management responsibility to safeguard company assets. Reducing your risk profile through a well thought out business continuity and disaster recovery plan is an effective way to do so.
Midwest Data Recovery Inc.
312 907 2100
Copyright © by Disaster Recovery Planning Forum All Right Reserved.