Clearly, the probability of a specific disaster occuring and its impact will depend largely on the particular circumstances of the organisation, such as location and type of business. For example, premises located near a river potentially may be susceptible to flooding, whereas those located on a hill probably are not. Similarly, a manufacturing plant suffering a flood may well experience a greater impact to its business than a service business with a largely field-based workforce experiencing the same ‘disaster’.
These are simplistic examples and obviously there will be other considerations, but they do serve to demonstrate how significantly this assessment of risk can vary from organisation to organisation or even within the different business activities and sites of a single company.
A final column in the matrix shows the estimated potential loss of finance per day in the case of the specific disaster occurring. Look closely at any item which shows red/red - i.e. a high probability and your organisation. This matrix is a powerful way of convincing the board that a full Business Continuity plan is essential.
Once there is an agreement to continue with the production of the plan, then each department in the company must be examined in some depth, noting the ‘things’ that are used in the day-to-day running of the business. This would include any paper records such as contracts, client instructions, correspondence, etc., together with details of the computer systems that are essential to the business. Other points to note would include the number of people required to run the business and who these should be as it may be necessary to run for some time on a skeleton staff. For each of the essential items there must be a plan to restore it in the case of a disaster.
All this talk of what to do in the case of a disaster is certainly not wasted, but the cheapest and most effective way is to avoid the disaster occuring in the first place! Stupid? Not at all, we are talking about protection against a disaster.
We are all aware of some aspects of physical protection in the form of fire alarms, burglar alarms, locks on doors, CCTV, etc. Technical protection can be split by hardware and software; with RAID drives to provide redundancy for disk drives, dual power supplies, clustered machines; with software protection including firewalls, anti-virus software, and ensuring the security aspects of any operating system are used correctly.
Prevention will always be more cost-effective than the creation of a full Business Continuity environment. However, regardless of the effectiveness of preventative measures, a Disaster Recovery site is usually required. There are many ways in which this can be provided, ranging from having a duplicate set of premises well away from the main premises (most expensive), through to having a reciprocal arrangement with a ‘friendly’ company to provide a certain amount of space in the case of a disaster.
Larger organizations tend to be spread across multiple sites and therefore may be able to make use of some space in a remote site to create a disaster site. A similar approach may be taken with regard to IT. For example, rather than having a set of computers set up and waiting on a remote site for a disaster to happen, it is more cost effective to have a test machine placed off-site which could be used for production systems in the case of a disaster at the main premises.
Whatever your situation; whatever size your organisation, you need a Business Continuity plan. Don’t employ consultants to write it for you, though. It’s your plan and it is unique to your organisation. So, do employ experienced consultants to help and guide you in creating it.
Infosecurity Europe is Europe's largest and most important information security event. Now in its 8th year, the show features Europe's most comprehensive FREE education programme, and over 200 exhibitors at the Grand Hall at Olympia from 29th April - 1st May 2003. www.infosec.co.uk