Tri-Paragon Inc. 130 King Street West, Suite 1800, P.O. Box 427, Toronto, ON Canada M5X 1E3
“If you think it is expensive to hire a professional to do the job, wait until you hire an amateur.” – Red Adair
Unplanned System Outages
A Disaster Recovery Plan consists of 2 primary inputs: Business Impact Assessment and Risk Analysis
Are you unprepared for unpredictable and unexpected events that can expose your systems to unplanned outages? Planning for negative events strengthens your ability to respond and reduces the exposure to high losses you would face if unprepared. There is an obvious parallel between the theory of unpredictable and unexpected events and the need for disaster preparedness for your critical IT assets.
There is no way we can predict hardware or software failures, human error or neglect, natural calamities or terrorist acts. But once we acknowledge that some of these events will inevitably happen on our watch, we have already crossed the biggest chasm that separates being destroyed by a disaster from surviving it.
“Assumption of inevitability and preparedness are two key steps that will put you in a much better position to survive when you encounter an unexpected event.”
Preparing for such events requires a Business Impact Analysis (BIA) approach. The Gartner IT Glossary states that BIA is “a process that identifies and evaluates the potential effects (financial, life/safety, regulatory, legal/contractual, reputation and operational) of natural and man-made interruptions (an unexpected event) on business operations”.
A BIA approach requires a clear understanding of where business objectives are supported by operations within the organization and ensuring that processes within those operations are protected. This means well-designed controls and management actions that mitigate the risks presented and minimize the impacts those risks can have on business operations.
The International Organization for Standardization (ISO) Technical Committee (TC) 292, the committee responsible for writing security, resilience, and business continuity standards, released ISO 22317 – Societal Security – Business Continuity (BC) Management Systems – Business Impact Analysis (BIA) in 2015, with the purpose of providing best practices for BIA development. While not an auditable standard, the publication does provide guidance on how to mature a BIA process.
In general, ISO 22301 calls for the BIA to identify activities that support offered products and services, assess the business impact of not performing any of these activities for a period of time, set acceptable time frames for resumption of disrupted activities, and identify related resources needed for these activities as well as inter-dependent activities that may be affected by a disruption.
The BIA is an essential step in the development of contingency and recovery plans, as well as a key part of the business continuity process. It analyzes mission-critical business functions, and identifies and quantifies the potential impact (e.g., operational or financial) that a loss of those functions may have on the organization.
A BIA is critical in assessing the cost of business disruption and how Disaster Recovery (DR) plays a role in mitigating it. The BIA has several crucial elements, which include executive backing; a deep understanding of the organization; and BIA tools, processes and findings. The BIA lays out extensive and specific details about an organization's systems, technology, processes and employees, and how an incident would affect them.
During an emergency or disaster, a BIA helps to identify the most critical elements of the organization so the response process can start as soon as possible. Knowing which elements need to be recovered the quickest can make all the difference. As a result, it's imperative that the BIA and other important documents are easily accessible, both in hard-copy form and online, and stored in a safe and accessible manner.
The BIA is one of the best planning procedures an organization can undertake. It should address the following goals:
- Determining the most critical functions and systems.
- Figuring out financial, operational, legal and reputational costs if those systems went down.
- Deciding on the Recovery Point Objective (RPO) and Recovery Time Objective (RTO).
- Establishing requirements for recovery.
- Taking time with the critical business process to ensure information is correct and up-to-date.
- Analyzing areas of weakness and vulnerability.
- Gaining senior management buy-in and approval of the document.
There are many benefits to completing the BIA process and having a living document, including:
- The process gets company leaders talking about the organization and its most crucial elements. In the end, a company may find areas where improvement is needed.
- A comprehensive BIA, which an organization can achieve through the BIA process, is a proactive method for building a solid BC/DR Plan.
- The BIA provides concise, relevant information about an organization's most important aspects and the costs incurred if there's downtime.
Possible “loss” scenarios that businesses face, and that have the potential to disrupt or interrupt operations, include:
- Accidents – all too often, businesses suffer from losses due to workplace accidents.
- Emergencies – these are unexpected situations that pose considerable danger, thereby calling for immediate action.
- Utility failures – such as water shortages and power supply shortages.
- Cyber attacks – when the company’s information system is under threat by external forces.
- Disasters – these could be natural disasters (force majeure) or man-made disasters.
- Supply chain – failure of suppliers to deliver raw materials and other goods and services needed on time.
- Labor disruptions – disputes within the company leading workers to refuse to work until their demands have been heard and met by management.
- Workforce – absenteeism of key employees may also give rise to emergencies.
Fundamentally, the BIA is considered to be at the heart of the company’s DR planning, since it is used for planning purposes, particularly for minimizing risks in case of operational interruptions or disruptions resulting from disasters and similar incidents.
The BIA aids response and decision-making when unforeseen events result in operational disruptions. In times of crisis, businesses cannot afford to be arbitrary and random in making decisions, particularly on their response to the impacts of the crisis on the operations of the business and the organization as a whole.
Having performed a BIA enables management to quickly make informed decisions and provide appropriate direction in the face of disastrous impacts or an unexpected interruption of normal business operations, facilitating a return to normal business operations.