PC PAL Team

PC PAL is the UK's award winning Computer, Laptop, Mac & Smartphone support specialists, with experienced, qualified & local Computer Engineers based in your area. We are a name that local people have come to recognise and trust. Please take a moment to read our feedback from our loyal customers, or find your local PC PAL Engineer.
Tech News 22nd January 2010 2023

Steve Lane, PC PAL franchisee for Leicester South and Market Harborough, writes:

'There is a statistic bandied around the business continuity and disaster recovery world stating that “80% of businesses affected by a major incident close within 18 months”. It’s a bit of a sweeping statement and I cannot find anything to back it up or justify the figures. It is often used to justify a large spend on preparing for some disaster that may or may not arise. My view is that business owners should take some common sense steps to ensure that should a disaster arise, recovery is easier. Cost should be balanced with a realistic view of the risks. If you are a large business the complexity is greater but the principles are the same. Over the next three blog entries I will focus upon the steps a small business of around 10 – 20 employees should take.

Firstly let’s demystify impact assessments and risk assessments. According to the British Standard BS 25999, the starting point of business continuity is to get a good understanding of your business through Business Impact Analysis (BIA) and Risk Assessment (RA). This sounds like something that is hard that you might need an expert for. That might be true in a large complex business but in the small business there is a lot you can do without help, keeping your costs down. It is important that, if you do make this an internal process, it is made part of a job for an individual within your organisation so it does not get forgotten.

The first step is to identify the information assets that are critical to the organisation. An information asset is a definable piece of information that has value to your organisation. It may be a single document, such as the release plans for a new product, or it might be a whole database or system such as CRM. I recommend creating an “Assets” spreadsheet including these information assets. We will add some detail and get an idea of value as part of the BIA.

The next step is to create a harm matrix. This is simply a table similar to the following where A is the highest and E is the lowest:

You can add as many rows for the parameters as is relevant to your business but the above is a minimum. Also you may want to adjust the financial figures to be something more representative of your business. It is also important that the table has some tangible rows such as monetary values and some more subjective and intangible rows such as loss of ability to operate.

For each information asset in your table, now create a column that identifies the asset owner and the asset custodian. The asset owner is the most senior person who has responsibility. So for example if the information asset was the accounts database, the asset owner would probably be the financial director. The asset custodian is the person that reports to the asset owner directly or indirectly and is most familiar with the use of the information asset. For example if the asset owner is the finance director, this is often the next person under the financial director in a small company (after all the finance department may just be two people). Add into your asset spreadsheet the contact details of these individuals including mobile phone numbers or home phone numbers.

For each information asset you need to ask the information owner and / or the information custodian the following question:

Using the harm matrix what is the maximum level of harm we would suffer if the information asset was made unavailable for a:

Run down all of the rows in the harm matrix and identify the highest answer. What you are trying to discover is the maximum impact whether tangible such as financial or intangible such as damage to reputation that would occur if an information asset was made unavailable for a particular length of time. Once you have the answer you will discover how quickly an asset must be recovered after loss and have, albeit subjective, a measure of value. A typical profile of an information asset might be:

From the profile above we can say that the information asset must be restored in the event of a disaster in under a week and we can give an arbitrary value index of £££ - 3.

Now that we have this done for information assets, we need to abstract a little and consider premises. Create another tab in your asset spreadsheet and ask the same questions of your premises. What would be the impact that would occur if your staff were not able to get into your premises for an hour, a day, 2 days, a week etc. For example what if it was snow bound? The asset owner and custodian in this case should be the key holder(s). You should come up with answers to just how critical your premises are to your operations.

Now add some more tabs and consider in turn the impact of disaster at suppliers. Also consider the technology that is critical to your business such as Internet and mobile phone networks. Keep going and if necessary add parameters that are relevant to your organisation. Eventually you should end up with a picture of the critical assets and processes that make up your business. In essence you have now created a complete business impact analysis.

You should now understand the critical assets that are essential to the survival of your business, the time scales that they must be recovered in, the people that are impacted by the loss of the asset, the external factors such as suppliers, the dependence on technology and the basic resources that must be assembled to maintain a minimum level of operations for survival. If you have got this far then give yourself a round of applause. It’s a big achievement (but we are not at the final destination yet!). The important thing is that even if you have not got a complete picture, you have made a start. Even getting a partial picture is most probably better than taking the head-in-the-sand approach.

In next week’s blog we will look at the risk assessment process and how you might mitigate, transfer, avoid or insure the risk. Putting controls into place and ensuring that planning for a disaster is a priority, is time (and possibly money) well spent.'

Steve Lane (PC PAL, South Leicester & Market Harborough)

 
