Therefore, the start of any Business Continuity plan is a risk assessment. This does not need to be expensive to carry out. As a starting point, the head of each of the main departments of an organisation needs to be asked simple questions such as ‘What would it cost the company if you were unable to access your offices or computers?’ and ‘What would you need to do first to re-establish your department’s functionality subsequent to a disaster?’.
A risk matrix can be produced showing a list of potential disasters that could befall a company together with the probability of that disaster happening, graded as red, amber or green. The impact of the disaster upon the organisation would also be graded as red, amber or green.
Clearly, the probability of a specific disaster occuring and its impact will depend largely on the particular circumstances of the organisation, such as location and type of business. For example, premises located near a river potentially may be susceptible to flooding, whereas those located on a hill probably are not. Similarly, a manufacturing plant suffering a flood may well experience a greater impact to its business than a service business with a largely field-based workforce experiencing the same ‘disaster’.
These are simplistic examples and obviously there will be other considerations, but they do serve to demonstrate how significantly this assessment of risk can vary from organisation to organisation or even within the different business activities and sites of a single company.
A final column in the matrix shows the estimated potential loss of finance per day in the case of the specific disaster occurring. Look closely at any item which shows red/red - i.e. a high probability and your organisation. This matrix is a powerful way of convincing the board that a full Business Continuity plan is essential.
Once there is an agreement to continue with the production of the plan, then each department in the company must be examined in some depth, noting the ‘things’ that are used in the day-to-day running of the business. This would include any paper records such as contracts, client instructions, correspondence, etc., together with details of the computer systems that are essential to the business. Other points to note would include the number of people required to run the business and who these should be as it may be necessary to run for some time on a skeleton staff. For each of the essential items there must be a plan to restore it in the case of a disaster.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.