In my last blog post I talked about the first step in Disaster Recovery or High Availability planning, "Business Impact Analysis – The First Step in DR Planning." The next step in the process is conducting a Risk Assessment. A risk assessment will help you identify the events that could impact your organization. This will help you focus on the likelihood of those events and mitigate their effects on the organization. The purpose of a strong risk assessment is to assist you with determining the steps that could help you reduce the severity of an event. A DR plan will help guide you through the recovery phase of an event. A risk assessment will help you determine what to be prepared for.
A good risk assessment will help you understand the likelihood of an event occurring at your location as well as those situations where the organization might be putting itself at increased risk. Another use of a risk assessment is to use it as the basis of a report to support the need for the expense of a DR or HA plan implementation.
I think we’ve all heard the horror stories of businesses devastated by events outside of their control. Recently the news has been full of stories of storm and wildfire damage. The news media focuses on the effect on neighborhoods and families. Many of those neighborhoods and families are supported by businesses: local, regional, national, and global. Businesses that pay salaries to those families. Businesses that are backed by investment. Businesses that want to stay in business. The function of a risk assessment is to identify the risks before the news stories happen and prepare to mitigate them.
So what risks should you be planning for? Almost all of us have to concern ourselves with fire – maybe not wildfires but certainly internal fires. Here in the upper Midwest hurricanes don’t bother us much, but tornadoes do. We have to deal with ice storms that can knock power out for days and keep people off the roads. Those are natural risks. What about man-made hazards? There are accidents as well as intentional hazards to identify. These could include malicious destruction, viruses, and unplanned stuff that hits the fan. We have a good customer that was located next to a rail line. Actually they were below the rail line. It’s a risk most of us don’t face, but it needs to be accounted for. Another client told of an issue where the data center was below a second-floor cafeteria. It doesn’t sound bad until liquid foodstuffs start seeping through the ceiling. The risk assessment needs to start with identifying all of the risks that a business could potentially face.
After the potential risks have been identified they need to be assessed. In this process, the likelihood of each risk is determined. Flood damage might be a high risk for one business, but not for another. Fire damage or intentional destruction is going to be a greater risk for some businesses than others. A Risk Assessment Matrix will help detail and document the assessment. I recommend a 1-10 scoring method be used to rate or rank every risk identified in the previous step.
The third step in a Business Risk Assessment is to determine the effect these events could have on the business, from loss of data and maybe even personnel, to loss of revenue and market share. This is where you can integrate the previous analysis done in the Business Impact Analysis into your Risk Assessment.
With a comprehensive Business Impact Analysis done and a completed Business Risk Assessment in hand, you can now create an effective Disaster Recovery or High Availability plan which will be focused on addressing the needs of the business. The sole intent is helping the organization survive a potential business interruption.
If you would like help in creating either a Business Impact Analysis or a Business Risk Assessment, please give me a call. I’d enjoy the conversation.
President, Arbor Solutions, Inc.