Let’s face it, the world is a more complicated and scarier place nowadays. The very real possibility of a terrorist attack, both physical and virtual, has increased, and with it come different kinds of ‘what if’ questions that should be asked. For example, what if a virus invades our computer system and corrupts the data it holds? A critical consideration in analysing the risks and their possible controls is the duration of the impact: how long could the interruption last or, more appropriately, how long can the company afford for it to last?
Often IT Managers lack a framework for developing a comprehensive business continuity plan that actually works when required and adds value. The following seven-step contingency process can be used by a company to develop and maintain a viable contingency planning programme for its IT systems:
- Develop the contingency planning policy statement
- Conduct the business impact analysis (BIA)
- Identify preventive controls
- Develop recovery strategies
- Develop an IT contingency plan
- Plan testing, training, and exercises
- Plan maintenance
Of course, that all sounds very straightforward, but it is difficult to know where to start. An IT Manager can hold a workshop, create a long list of risks and then tackle them in an incoherent manner. Instead, a risk management framework should be developed before risk identification begins. The following types of impact, or categories of damage, can be used to identify the effects of disruption and the loss exposure:
- Customers and suppliers
- Public relations/credibility/reputation
- Regulatory requirements/considerations
- Competitive position
The effects of these disruptions could be felt in terms of:
- Loss of assets: key personnel, physical assets, information assets and intangible assets
- Disruption to the continuity of the service and operations
- Violation of law/regulations
- Public perception
To measure the extent of the effect, the loss exposure can be determined quantitatively or qualitatively, as per Table 1.
|Quantitative Measures||Qualitative Measures|
Table 1 Methods of measure for calculating Loss Exposure
So what could be the worst-case scenario? Let’s look at what this means using a worked example. For companies with a strong internet presence this could be a loss of IT infrastructure, including all email and Internet facilities, the loss of databases, documents and records and all web sites. Such a scenario may occur through physical damage to a property, or through a problem with the Internet Service Provider or hosting facility.
Figure 1 Sources of interruption for an Internet company
By this time you will have identified a list of risks, categorized against a Risk Breakdown Structure (RBS), with the impact of each risk assessed. In establishing disaster scenarios it is useful to classify them according to relevant criteria, such as: risks under the company’s control versus risks beyond the company’s control; and exposures with prior warning (e.g. a tornado) versus exposures with no prior warning (e.g. an earthquake). The matrix below provides a framework for classifying types of risk according to where the crisis is generated and which systems are the primary causes. This is a useful step before developing risk mitigation measures, because it concentrates effort on the mitigation plans that matter. Rather than having to develop contingency plans for every eventuality, the matrix provides the basis for clustering ‘families’ of crises together and preparing for those rather than for each individual incident.
Table 2 Crisis typology
Against each risk there would be risk mitigation measures: proactive preventative measures, reactive impact reduction measures and fall-back plans. Any disaster recovery plan or business continuity plan should enable the organization to react to, recover from and restore after the disaster within acceptable recovery point and recovery time objectives:
- Recovery Point Objective – The point in time to which mission-critical data must be recovered in order to resume business transactions
- Recovery Time Objective – The time by which business functions must be recovered before the organization is severely impacted
Key considerations for any disaster recovery plan or business continuity plan would be the following business continuity issues:
- The use of ‘hot sites’ could be one form of reactive control to compensate for the immediate impact of an exposure and keep the organization’s critical systems and connections running, including connections to any critical business partner.
- In planning the organization’s response, the bank must also appreciate that it finds itself in a ‘brownfield’ planning context. Outsourcing would be another way of ensuring the resilience of the bank, as it would assure 24/7 monitoring by technical experts, who would help to identify and eliminate problems before they occur.
- The communication strategy would also entail a systematic way to call out employees in the event of a business interruption outside office hours, and would overlap with customer relations.
Having identified appropriate system recovery strategies, the organisation must also designate appropriate teams to implement them. The specific types of team required depend on the system affected. Each business recovery team would be trained and ready to deploy in the event of a disruptive situation. The company could also use a three-tier structure to ensure that the bank’s response to an incident is effectively coordinated.
Figure 2 Three-tier command and control system
These are just some of the techniques that can help you develop a disaster recovery plan or business continuity plan that provides an effective return on investment and actually adds value on the ground when you need it. Organizations of all sizes, among them Virgin and the London Metropolitan Police, use them with great success.
Tell me your thoughts in the comments and let’s open a dialog. I would be excited to hear other opinions on this topic.
Reading this article qualifies you to submit a request for PDUs from PMI. This article qualifies for .25 PDUs.
This article features content from a “Contributing Author” to the Project Management for Today Community. This content is published on this site with the author’s explicit permission. As with all articles on this site, this article is protected by copyright.
Most important to Sachin is ‘disruptive creativity’. Leveraging his domain knowledge in strategy, risk, Project Controls, Change Management and ITIL continual service improvement, Sachin has built up strong knowledge of ERP transformation from the Client, Prime Integrator and Tier Supplier perspectives. Through DADA, Sachin now aims to bring genuine innovation to the traditional consultancy model through his unique “Consultancy as a Subscription” model.
The advantage over a traditional consultancy is that it provides an economical and responsive way to support any project. Through DADA’s flexible resource model, Sachin project-manages the work of the Associate network, enabling DADA to offer a consulting service at contractor prices without resorting to the offshore consulting model.