Accidents and disasters happen, some of which can be so catastrophic that a business can stop functioning. Ensuring a business can continue to function even after a catastrophe requires planning.
Several steps can be taken in the planning process. These include:
A primary step in any planning is to identify which systems and applications are mission critical. A mission-critical system is any system that must continue to run to ensure a business continues to function. Similarly, a mission-critical application must also continue to run to ensure a business continues to function.
Determining what is mission critical before first understanding how an organization operates is impossible. For example, salespeople within a company sell products directly to customers, and customers submit orders over the phone or in person. Salespeople then enter the order into an application connected to a back-end database. In this example, the mission-critical elements are the salespeople, the phone, the application, and the back-end database.
On the other hand, consider a company that sells the same products as in the previous example, but whose customers are able to place their orders directly through a website. In addition, customers can send orders to salespeople via email, and the salespeople then enter the orders into an application. This application is connected to the same database that the website uses. Customers can also phone orders in, but they do so less than 10 percent of the time. In this example, the organization has more mission-critical systems than in the first example. The salespeople, the phone, the application, and the back-end database are still mission critical, but the website application and email would also be mission critical.
The point to remember here is that the importance of a system is determined by how it’s used. One organization may consider a specific system mission critical, whereas another organization may consider the same system disposable.
A business impact analysis (BIA) identifies the impact of a sudden loss of business functions. The impact is often quantified in a cost. Both direct and indirect costs are used to calculate the impact. Direct costs are the immediate loss of sales or the expenses related to recovering from the loss. Indirect costs are related to the loss of customer confidence.
The BIA provides an analysis of the effect of a loss of specific IT services. For example, a BIA can be used to determine the impact of a loss of email or a specific database. The BIA also helps an organization determine the minimum set of services required for the company to continue to operate.
For example, remote users may use VPN technologies to connect to the private network from remote locations. What is the impact on the business if VPN services stop? A BIA could be completed to make that determination.
Other methods may be available for remote users to connect to the company. For example, remote users may still have access to email using a webpage, and remote salespeople may still be able to place orders using the phone. The BIA could determine that, although the VPN services are valuable, their loss would have minimal impact on the overall mission of the company.
On the other hand, a BIA for email services may determine that the loss of email would have a significant impact on the company. Email may be used for customer contact, project tasking, tracking, and other important communications.
When completing a BIA, the following steps would be taken:
The BIA is an important part of a business continuity plan and can also be part of a disaster recovery plan (DRP).
The result of the BIA is a BIA report, which documents the findings of the analysis. It often includes direct and indirect costs, maximum acceptable outage, and materials or resources needed for recovery.
A business continuity plan (BCP) is a document used to help a company plan for a disaster or an emergency. The goal is to ensure that the critical operations of an organization continue to function. The BCP includes procedures and instructions used to restore operations in the event of a disaster.
When completing a BCP, the following steps would be taken:
Details from a BIA report help in the creation of the BCP. The BIA and BCP are commonly completed in conjunction with each other.
The BCP includes specific steps that can be taken for different phases. The content of the phases is dependent on the disaster. For example, plenty of warning is given for a hurricane. One phase might be 72 hours before its arrival, and another phase might be 36 hours before. However, an earthquake or a fire wouldn’t include these same phases.
BCP phases include the following:
A disaster recovery plan (DRP) includes the details needed to recover a system from a disaster and to respond immediately when a disaster occurs. A DRP is included as part of a BCP.
Sometimes, the terms BCP and DRP are used interchangeably. However, they are separate. The differences are worthwhile to note:
The primary risk management techniques are avoiding, sharing or transferring, mitigating, and accepting. Risk can be shared or transferred by outsourcing and purchasing insurance. Business liability insurance is used to protect an organization from lawsuits and covers the company for damages from a lawsuit along with legal costs.
Three primary types of business liability insurance exist. The type of insurance needed depends on the function of the business. The types of liability insurance are:
Another type of insurance that can be purchased is asset replacement insurance, which is intended to replace assets damaged in a disaster. This insurance is usually purchased in conjunction with other steps taken to prevent a disaster.
For example, an organization may want to protect itself from fire damage. It can install fire suppression equipment and place portable fire extinguishers throughout the building. However, despite best efforts, fires might still occur.
Fire insurance can help a company replace assets if a fire causes damage. Other types of insurance that provide protection for assets include:
The insurance purchased depends on many factors, which include the value of the organization’s assets. For inexpensive assets, the cost of the insurance isn’t justified. The insurance could cost more over several years than replacing the product. The insurance purchased also depends on the relevant risks. For example, hurricane insurance is relevant for coastal states, such as Florida, Louisiana, and Texas, but is not relevant for landlocked states, such as Iowa or Ohio.