PC PAL Team

PC PAL Team

PC PAL is the UK's award winning Computer, Laptop, Mac & Smartphone support specialists, with experienced, qualified & local Computer Engineers based in your area. We are a name that local people have come to recognise and trust. Please take a moment to read our feedback from our loyal customers, or find your local PC PAL Engineer.
Tech News 22nd January 2010 2024

Steve Lane, PC PAL franchisee for Leicester South and Market Harborough, writes:

'There is a statistic banded around the business continuity

and disaster recovery world stating that “80% of businesses affected by a major

incident close within 18 months”.  It’s a

bit of a sweeping statement and I cannot find anything to back it up or justify

the figures.  It is often used to justify

a large spend on preparing for some disaster that may or may not arise.  My view is that business owners should take

some common sense steps to ensure that should a disaster arise, recovery is

easier.  Cost should be balanced with a

realistic view of the risks. If you are a large business the complexity is

greater but the principles are the same. Over the next three blog entries I

will focus upon the steps a small business of around 10 – 20 employees should

take.

Firstly let’s demystify impact assessments and risk

assessments. According the British Standard BS 25999, the starting point of

business continuity is to get a good understanding of your business through

Business Impact Analysis (BIA) and Risk Assessment (RA).  This sounds like something that is hard that

you might need an expert for.  That might

be true in a large complex business but in the small business there is a lot

you can do without help, keeping your costs down.  If is important that if you do make this an

internal process that it is made part of a job for an individual within your organisation

so it does not get forgotten.

The first step is to identify the information assets that

are critical to the organisation.  An

information asset is a definable piece of information that has value to your

organisation.  It may be a single

document, such as the release plans for a new product, or it might be a whole

database or system such as CRM.  I

recommend creating an “Assets” spreadsheet including these information

assets.  We will add some detail and get

an idea of value as part of the BIA.

The next step is to create a harm matrix.  This is simply a table similar to the following

where A is the highest and E is the lowest:

You can add as many rows for the parameters as is relevant

to your business but the above is a minimum.

Also you may want to adjust the financial figures to be something more

representative of your business.  It is also

important that the table has some tangible rows such as monetary values and some

more subjective and intangible rows such as loss of ability to operate.

For each information asset in your table, now create a

column that identifies the asset owner and the asset custodian.  The asset owner is the most senior person who

has responsibility.  So for example if

the information asset was the accounts database, the asset owner would probably

be the financial director.  The asset

custodian is the person that reports to the asset owner directly or indirectly

and is most familiar with the use of the information asset.  For example if the asset owner is the finance

director, this is often the next person under the financial director in a small

company (after all the finance department may just be two people).  Add into your asset spreadsheet the contact

details of these individuals including mobile phone numbers or home phone

numbers.

For each information asset you need to ask the information

owner and / or the information custodian the following question:

Using the harm matrix what is the maximum level of harm we

would suffer if the information asset was made unavailable for a:

Run down all of the rows in the harm matrix and identify the

highest answer. What you are trying to discover is the maximum impact whether

tangible such as financial or intangible such as damage to reputation that

would occur if an information asset was made unavailable for a particular

length of time.  Once you have the answer

you will discover how quickly an asset must be recovered after loss and have,

albeit subjective, a measure of value.  A

typical profile of an information asset might be:

From the profile above we can say that the information asset

must be restored in the event of a disaster in under a week and we can give an

arbitrary value index of £££ - 3.

Now that we have this done for information assets, we need

to abstract a little and consider premises.  Create another tab in your asset spreadsheet

and ask the same questions of your premises. What would be the impact that

would occur if your staff were not able to get into your premises an hour, a

day, 2 days, a week etc.  For example

what if it was snow bound?  The asset

owner and custodian in this case should be the key holder(s).  You should come up with answers to just how

critical your premises are to your operations.

Now add some more tabs and consider in turn the impact of

disaster at suppliers.  Also consider the

technology that is critical to your business such as Internet and mobile phone

networks.   Keep going and if necessary

add parameters that are relevant to your organisation.  Eventually you should end up with a picture

of the critical assets and processes that make up your business.  In essence you have now created a complete

business impact analysis.

You should now understand the critical assets that are

essential to the survival of your business, the time scales that they must be

recovered in, the people that are impacted by the loss of the asset, the

external factors such as suppliers, the dependence on technology and the basic

resources that must be assembled to maintain a minimum level of operations for

survival.  If you have got this far then

give yourself a round of applause.  It’s

a big achievement (but we not at the final destination yet!).  The important thing is that even if you have

not got a complete picture, you have made a start.  Even getting a partial picture is most

probably better than take the head in the sand approach.

In next week’s blog we will look at the risk assessment

process and how you might mitigate, transfer, avoid or insure the risk.  Putting controls into place and ensuring that

planning for a disaster is a priority, is time (and possibly money) well

spent. '

Steve Lane (PC PAL, South Leicester & Market Harborough)

 

PC PAL Team

PC PAL is the UK's award winning Computer, Laptop, Mac & Smartphone support specialists, with experienced, qualified & local Computer Engineers based in your area. We are a name that local people have come to recognise and trust.

Please take a moment to read our feedback from our loyal customers, or find your local PC PAL Engineer.

More Posts

Leave us a message