In disaster recovery (DR) planning, once you've completed a business impact analysis (BIA), the next step is to perform a risk assessment. The risk assessment should be able to help you identify events that could adversely impact your organization. To get started with a risk assessment, begin by identifying the most critical business processes from the business impact analysis. An excellent document to assist you in preparing a risk assessment comes from the National Institute of Standards and Technology (NIST). The risk analysis involves risk identification, assessing the likelihood of the event occurring, and defining the severity of the event's consequences. The sequence in which these measures are implemented depends to a large extent upon the results of the risk assessment.
Once the risks have been identified, you'll want to identify the potential effects, symptoms and consequences resulting from the event.
Quantitative methods, which assign a numeric value to the risk, usually require access to reliable statistics to project the future likelihood of risk.
Once all relevant risks have been analyzed and assigned a qualitative category, you can then examine strategies to deal with only the highest risks, or you can address all risk categories.
About the author: Paul Kirvan, CISA, CISSP, FBCI, CBCP, has more than 20 years of experience in business continuity management as a consultant, author and educator.
Business Continuity Planning Process Diagram - Text Version

When business is disrupted, it can cost money.
Disaster recovery risk assessment and business impact analysis (BIA) are crucial steps in the development of a disaster recovery plan. To do that, let us remind ourselves of the overall goals of disaster recovery planning, which are to provide strategies and procedures that can help return IT operations to an acceptable level of performance as quickly as possible following a disruptive event.
Having established our mission, and assuming we have management approval and funding for a disaster recovery initiative, we can establish a project plan.
A disaster recovery project has a fairly consistent structure, which makes it easy to organise and conduct plan development activity. Adapted with permission from the BCM Lifecycle developed by the Business Continuity Institute.
Following the BIA and risk assessment, the next steps are to define, build and test detailed disaster recovery plans that can be invoked in case disaster actually strikes the organisation’s critical IT assets. Detailed response planning and the other key parts of disaster recovery planning, such as plan maintenance, are, however, outside the scope of this article so let us get back to looking at disaster recovery risk assessment and business impact assessment in detail.
Working with IT managers and members of your building facilities staff as well as risk management staff if you have them, you can identify the events that could potentially impact data centre operations. Supply chain disruptions present a key risk, said Susan Young, MBCI, a risk management professional with a London-based insurance company.
Water damage is a key risk to organisations in the UK, and sometimes the source can be so obvious it gets overlooked, said 2C’s Barnes. A BIA attempts to relate specific risks to their potential impact on things such as business operations, financial performance, reputation, employees and supply chains.


BIA outputs should present a clear picture of the actual impacts on the business, both in terms of potential problems and probable costs. 2C Consulting’s Barnes said a key aim of the BIA should be to define the maximum period of time the business can survive without IT.
Read our guide on how to prepare a risk assessment, and then download our free risk assessment template.
The BIA helps identify the most critical business processes and describes the potential impact of a disruption to those processes, and a risk assessment identifies internal and external situations that could negatively impact the critical processes.
Read our guide, and then download our free risk assessment template, which is available as a Word doc or PDF. The document is Special Publication 800-30, Risk Management Guide for Information Technology Systems.
It may also be useful to conduct a vulnerability assessment, which helps identify situations in which the organization may be putting itself at increased risk by not performing certain activities. Examples are surge suppressors to reduce the impact of a lightning strike, and uninterruptible power systems to limit the chances of a hard stop to critical systems due to a blackout or brownout.
Once a specific threat and its associated vulnerability have been identified, it becomes easier to plan the most effective defensive strategy. This will depend on management's risk appetite, which is their willingness to deal appropriately with risks. But, before we look at them in detail, we need to locate disaster recovery risk assessment and business impact assessment in the overall planning process. The speed at which IT assets can be returned to normal or near-normal performance will impact how quickly the organisation can return to business as usual or an acceptable interim state of operations. Such plans provide a step-by-step process for responding to a disruptive event with steps designed to provide an easy-to-use and repeatable process for recovering damaged IT assets to normal operation as quickly as possible. The results of the BIA should help determine which areas require which levels of protection, the amount to which the business can tolerate disruptions and the minimum IT service levels needed by the business. The risk assessment will also help you determine what steps, if properly implemented, could reduce the severity of the event. An example may be the increased risk of virus attacks by not using the most current antivirus software. The strategies you define for risks can next be used to help design business continuity and disaster recovery strategies.
The BIA identifies the most important business functions and the IT systems and assets that support them. The final column lists the product of likelihood x impact, and this becomes your risk factor. For example, in the Lloyd's insurance market in London, all businesses depend on a firm called Xchanging to provide premiums and claims processing.
Use our risk analysis template to list and organize potential threats to your organization.


Finally, the risk analysis results are summarized in a report to management, with recommended mitigation activities. In our risk analysis template, you will find columns that allow you to assign qualitative terms to each of the risks to your organization.
Next, the risk assessment examines the internal and external threats and vulnerabilities that could negatively impact IT assets. Those events with the highest risk factor are the ones your disaster recovery plan should primarily aim to address. Regardless of the methodology, the results should map to the critical business processes identified in the business impact analysis, and can help define strategies for responding to the identified risks. Therefore, recovery strategies for information technology should be developed so technology can be restored in time to meet the needs of the business.
The worksheet should be completed by business function and process managers with sufficient knowledge of the business.
Once all worksheets are completed, the worksheets can be tabulated to summarize:
- the operational and financial impacts resulting from the loss of individual business functions and processes
- the point in time when loss of a function or process would result in the identified business impacts

Those functions or processes with the highest potential operational and financial impacts become priorities for restoration. The point in time when a function or process must be recovered, before unacceptable consequences could occur, is often referred to as the “Recovery Time Objective.”

Resource Required to Support Recovery Strategies

Recovery of a critical or time-sensitive process requires resources. The Business Continuity Resource Requirements worksheet should be completed by business function and process managers.
Completed worksheets are used to determine the resource requirements for recovery strategies.

Following an incident that disrupts business operations, resources will be needed to carry out recovery strategies and to restore normal business operations. Meetings with individual managers should be held to clarify information and obtain missing information.

After all worksheets have been completed and validated, the priorities for restoration of business processes should be identified.
This information will be used to develop recovery strategies.

Recovery Strategies

If a facility is damaged, production machinery breaks down, a supplier fails to deliver or information technology is disrupted, business is impacted and the financial losses can begin to grow. Recovery strategies are alternate means to restore business operations to a minimum acceptable level following a business disruption and are prioritized by the recovery time objectives (RTO) developed during the business impact analysis.

Recovery strategies require resources including people, facilities, equipment, materials and information technology. Staff with in-depth knowledge of business functions and processes are in the best position to determine what will work.
Equipping converted space with furnishings, equipment, power, connectivity and other resources would be required to meet the needs of workers.

Partnership or reciprocal agreements can be arranged with other businesses or organizations that can support each other in the event of a disaster. Periodic review of the agreement is needed to determine if there is a change in the ability of each party to support the other.

There are many vendors that support business continuity and information technology recovery strategies. External suppliers can provide a full business environment including office space and live data centers ready to be occupied.



