Disaster Recovery – How to plan for it
DR can give a business a competitive advantage
The sight of the words ‘disaster recovery’ is generally greeted with a quick mouse click (or turn of the page). Particularly in these challenging times, businesses reckon that there is more interesting work to be getting on with. After all, what benefit is disaster recovery going to bring to your business’s bottom line?
However, more than ever, disaster recovery is critical for any type of business, for the simple reason that it brings peace of mind: whatever problem occurs, your business can continue to meet your customers’ needs and the disruption to day-to-day business is minimised. In today’s business environment, any disruption to business can result in customers going elsewhere, and winning back those customers will be difficult.
So whether you have suffered an attack on your systems by a hacker, had some laptops misplaced or a JCB dug up your broadband cable, a disaster recovery plan can give you a competitive advantage. Remember also that insurance companies and regulatory bodies are insisting on businesses having such plans in place, rather than just thinking about them.
For the purposes of this post, we will look at Disaster Recovery in the context of IT matters and focus in particular on risk assessment and business impact analysis.
Scope the work and then assess
When starting a Disaster Recovery planning process, as with any project, it is important to agree a scope from a business perspective – even if that is only to formally state that all the function or service lines in a business are to be included.
In order to ensure that all potential ‘disasters’ are reviewed and planned for, a risk assessment and a business impact analysis should be completed. Essentially, the risk assessment asks what possible risks could occur, and the business impact analysis asks what impact each risk occurrence would have on the day-to-day running of the business. These two assessments may take a number of iterations before a final set of risks and impacts is identified and confirmed.
Brainstorming and the use of checklists are two techniques that can be used in both assessments; with risk assessment, you will find it relatively easy to come up with a (long) list of potential risks. The key is then to prioritise the list, by assigning a probability of occurrence (i.e. likelihood) and an assessment of each risk (i.e. consequence) based on the business impact analysis. To help ensure that there is a distinct ranking for each risk, it is advisable to assign a numerical ranking for the level of impact (e.g. a scale of 1 to 5) and percentage values for the probability of occurrence (e.g. 5%, 25%, 80% etc.).
Adopting quantitative values for the risk and business impact analysis will help you prioritise the potential risks as illustrated in the following sample list, helping you see the wood for the trees and focus on those risks that the business is most exposed to.

Do you accept, mitigate or transfer risk?
Placing the combined rankings into a colour-coded grid, such as the sample grid below, can illustrate the agreed risk management policy within the organisation.

In dealing with any risk, there are three possible approaches to managing it:
- Risk acceptance, where due to the relatively low probability and/or low impact, the organisation decides not to take any steps to mitigate or avoid the risk, but will deal with the risk as and when it occurs.
- Risk mitigation, where an action plan is in place to reduce the probability of occurrence and/or the potential impact of the risk.
- Risk transference, where a plan is decided to move the risk impact and the ownership of the response to a third party.
Good DR Planning is ongoing
The iterative nature of disaster recovery planning is important. Over time, the impact and/or probability of risk occurrence can be managed or responded to more effectively with the availability of better technology:
- New technology advances, e.g. increased server reliability, can reduce the probability of a risk occurring, such as a server crashing.
- Techniques such as snapshots of servers or virtualisation can assist in mitigating a risk by reducing the turn-around time for getting a replacement server up and running with a particular business application.
- Use of cloud-based computing or off-site hosting facilities with appropriate service levels can provide a means of risk transference.
In future posts, I will look at other aspects of disaster recovery planning, including the link with business continuity management and possible options to mitigate and transfer risk in relation to IT.

