BEST PRACTICES
Getting it Right the First Time
By BILL HUGHES
No two organizations are the same. Each has unique objectives, challenges and opportunities and thus needs solutions that fit it exactly. Where most organizations are the same, however, is in their desire to
focus the right level of effort in the right area at the right time
– to ensure that expending limited resources brings the most benefits. If an organization wants to “laser focus” on the optimal solution, it needs to understand the threats that are
challenging its survival, what its capabilities are
and where it wants to be. By following the carpenter’s adage of
“measure twice, cut once,” you can ensure a more efficient, cost-effective approach to business continuity. This article explains
how a focused approach – beginning with a risk assessment and
including taking a programmatic look at the solution – can help
you develop or refine your business continuity strategy.
Too often, organizations try to go “end of job” when attempting to address their business continuity needs, with detrimental
results. In other words, they literally dive right into solution
development and implementation without first evaluating their
existing situation and understanding what their true strengths and
weaknesses are, where they want to be, and what it takes to stay
there. This approach can prove to be problematic because energy,
time and money can be spent focusing on solutions that don’t
necessarily address the problems being faced and that may not
achieve the desired state. In fact, the subsequent strategies often
lack objective insight, may be short-sighted in scope, and can be
difficult to sustain. You should approach business continuity programmatically, beginning with thorough risk assessments, a solid
understanding of the impacts of a business interruption, and a
detailed strategy that addresses not just how you will prepare for
and respond to an incident, but also how you will maintain the
edge on your capabilities over time.
Understand Your Risks and Impacts
To get started, you should have a solid understanding of the
threats that can impact your most critical assets, whether those
are people, business processes, or technology systems and data.
26 DISASTER RECOVERY JOURNAL FALL 2009
An assessment of current risk controls and the impacts of a threat
materializing can identify strengths and weaknesses, and highlight where stronger controls are needed. Impacts can identify
assets requiring stronger controls due to their criticality to the
organization, and enable priorities to be set for how those assets
are protected – and if impacted, recovered. The balance between
threats, impacts and risk controls, coupled with your organization’s “risk appetite,” helps to identify what threats are most
critical to address due to vulnerabilities, business concerns, and
opportunities that are presented. This allows the organization to
focus on those areas by developing or enhancing risk controls that
can include preventive or reactive measures, and span everything
from personnel planning through to physical security, supplier
relationships, business process resiliency measures, and technology resiliency and recovery capabilities. This first measure helps
you to focus your organization’s efforts and ensures the solution
you target fits the problem you’re trying to resolve.
Key considerations:
Do you have an enterprise-wide view of the natural, intentional and accidental threats to your business environment, including your people, facilities, suppliers, partners, supply chain and technology systems / data?
Do you know what threats carry the greatest likelihood to impact critical assets due to weaknesses in controls?
Do you know the business criticality of your organization’s processes and the time-criticality of the things those processes depend on, such as other processes, people, partners, systems and data?
Have you taken an inventory of business processes and supporting technologies in order to establish critical relationships and interdependencies?