Business Outage Risk Assessment and Analysis

Identifying likely areas of Risk

A risk analysis program entails identifying the most likely threats to business continuity and deciding which areas of a company are most susceptible to these threats. The consequences of failure once these threats are realized are then considered in Business Impact forums.

The principal objective in emergency recovery planning is to maintain continuity if critical systems experience any level of failure. Risk analysis is the first stage in constructing both recovery and downtime coverage plans, and every area of a company needs to be assessed to determine the potential risk and impact of perceivable threats.

Threats to Continuity

Possible threats to business continuity can be external or internal and can be natural, technical or human related. Even though it can be difficult to determine the exact nature of potential failures, it is important that risks be assessed and, if possible, quantified.

Consideration should include the geography of the business location, including the proximity of rivers, landslide areas, power stations, airports, highways that may carry hazardous waste, and potential terrorist targets or accident zones. The history of the local area should be investigated to ascertain the level and regularity of natural disasters. Accessibility is another factor, with security affecting the likelihood of any attack on premises or infrastructure.

The track record of any utilities used should also be factored in, with older power stations more susceptible to failure and therefore more likely to be responsible for downtime.

Possible Threats to Business Continuity

Natural:
Flooding
Fire
Snow storms
High winds
Hurricanes and Typhoons
Tornadoes
Landslides
Seismic activity
Epidemics

H:
Hacking
Vandalism
Sabotage
Burglary
Staff on strike
Industrial action
Supplier disruption
Partner company down
Terrorism
Civil disorder
War
Explosion
Bomb threat
Biological contamination
Hazardous waste spillage
Radiation
Embezzlement or extortion
Vehicular accident

Technical:
Power failure or fluctuation
Heating, ventilation, air con failure
Malfunction or failure of hardware
System software bugs
Application software failure
Communications failure
Gas leaks
Chemical spill
Nuclear accident

Expanding the Scope of the Analysis

A comprehensive analysis of risk to business continuity can also include the internal structure of the organization. The impact of perceived threats on the various departments and services can be ascertained and included in the assessment.

Varying levels of automation and the amount of technology used will result in varying susceptibility to these threats, and existing backup systems and services need to be included when deciding on the final level of risk for each area.

Communications is an area often needing specialist analysis due to the nature and sophistication of the technology, and companies such as PhonePresence DR can assist in telecom risk analysis and evaluation of the telecom recovery options.

Quantifying Risk Analysis

It's a worthwhile exercise to quantify the various threats in terms of overall impact. There is an array of methods in use, plus the option of professional help, but a simple analysis could combine an impact level with a probability rating.

A scale of 1 to 4 could be applied to impact assessment such as:

1: Minor impact with disruption up to 2 hours. This would cover the more usual threats such as power outages and internal application failures.
2: Disruptive impact up to 8 hours. Hardware failures and malicious damage would usually fall into this category.
3: Serious outage up to 2 days. Cut communications or staff disputes may be involved at this level.
4: Major outage over 2 days. Natural disasters such as flooding and fire are the most likely causes of extended outages.

It's of course necessary to apply the scale uniformly and to ignore cumulative threats such as flooding leading to a landslide - consider them individually.

A probability value then needs to be applied to each threat going from 1 for low to 10 for high.

To create a weighted risk rating, the impact value should be multiplied by the probability factor. For example, if vandalism such as the cabling into the premises being cut would produce an impact rating of 2, and the probability is assessed at 7 because it's a high crime area, the weighted risk rating is 14.

Using a system such as this, the threats can be ranked and resources and priorities applied accordingly.
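
The scoring method described above, worked through as an added Python example (not part of the original article). The names Threat, impact_level and rank, the mapping from estimated outage hours onto the 1 to 4 scale, the tie-break on impact, and every sample figure except the vandalism ratings are assumptions of this example.

```python
from bisect import bisect_left
from dataclasses import dataclass

IMPACT_BOUNDS_HOURS = [2, 8, 48]  # upper bounds for levels 1-3; over 2 days is 4


def impact_level(outage_hours: float) -> int:
    """Map an estimated outage duration onto the 1-4 impact scale."""
    if outage_hours < 0:
        raise ValueError("outage duration cannot be negative")
    return bisect_left(IMPACT_BOUNDS_HOURS, outage_hours) + 1


@dataclass(frozen=True)
class Threat:
    name: str
    outage_hours: float  # estimated disruption if the threat is realised
    probability: int     # 1 (low) to 10 (high)

    def __post_init__(self):
        if not 1 <= self.probability <= 10:
            raise ValueError(f"{self.name}: probability must be 1-10")

    @property
    def impact(self) -> int:
        return impact_level(self.outage_hours)

    @property
    def weighted_risk(self) -> int:
        return self.impact * self.probability


def rank(threats):
    """Highest weighted risk first; ties go to the higher impact level."""
    return sorted(threats, key=lambda t: (t.weighted_risk, t.impact), reverse=True)


# Constructed sample register. Only the vandalism ratings (impact 2,
# probability 7) come from the text; the other figures are illustrative.
REGISTER = [
    Threat("Vandalism (cabling cut)", outage_hours=6, probability=7),
    Threat("Power failure", outage_hours=1.5, probability=8),
    Threat("Flooding", outage_hours=72, probability=2),
    Threat("Communications failure", outage_hours=30, probability=4),
]

if __name__ == "__main__":
    for t in rank(REGISTER):
        print(f"{t.weighted_risk:>3}  impact={t.impact}  p={t.probability:<2}  {t.name}")
```

Each threat is rated on its own row, in line with the advice to consider cumulative threats individually. A frequent minor outage and a rare major one can score the same, which is why the ranking breaks ties on impact.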

Readiness and Disaster Preemption

The risk of disaster affecting business continuity is uncertain and difficult to assess, but by being thorough and attempting to quantify the threats, a complete and comprehensive business recovery plan can be developed. It should identify all the critical areas and functions of the business, rate the risks, assess the subsequent damages and costs, and make recommendations to protect services and data.

Hosted DR solutions, for example 999Alert, have risk analysis integral to product development and can assist in insuring your business against disaster.