Business continuity and disaster recovery plans are enhanced when they include a risk management analysis.
But risk management analysis is often neglected when IT departments are hampered by time constraints and high-priority projects. When this happens, your disaster recovery (DR) plan becomes just another technical recovery document and your business needs are not correctly prioritized.
Include the following risk management techniques within your DR plan:
- System owner participation: Managers in key business units must recognize and report on how long they can manually operate the business after an outage, as well as the financial impacts associated with downtime. Their input will help identify hidden processes and workflows that are vital for recovery. User input is also necessary during risk management analysis because it helps ensure the proper assessment of business priorities.
- SWOT analysis: Use SWOT analysis -- or a similar approach -- to thoroughly examine potential risks. As each risk is identified, your team will formulate ideas for all four categories (strengths, weaknesses, opportunities and threats). SWOT analysis is a popular approach, because it's easy to understand and an excellent data collection tool for any type of risk management process.
- Risk transfer techniques: Risk transfer techniques include avoidance, reduction, sharing and retention. While avoidance is preferable, it's not usually a realistic risk management goal from a cost standpoint. Incorporating risk transfer techniques into your DR plan will reduce the likelihood and severity of failures during the recovery process.
- Application recovery ranking: Consolidated input from business centers will help identify critical applications. After analyzing the results, these applications are ranked in order of importance, helping to further strengthen your DR plan.
- Application system dependencies: System interfaces must be included in risk management analysis, as they are often a point of failure. Application systems often work with each other or share common databases. A recovered business system will not become functional until all files outside these applications are also restored. Be sure to define the requirements so that critical applications that rely on outside files are recovered as quickly as possible.
- Adaptable recovery plan: The impact and scope of disaster outages will vary considerably. Evaluate a wide range of realistic natural disasters. Based on probabilities, use risk management to create solutions for high-severity events.
- Technology threat analysis: Thoroughly evaluate the technical components of your DR plan from a risk management perspective. Identify alternatives in case primary solutions don't work out.
For example, you may encounter issues when reading backup tapes or communicating to the recovery center. Hypothesizing about potential threats in advance will help you avoid issues and will give you ideas for effectively working around them.
Harry Waldron, CPCU has worked in the IT profession for over 35 years. A Microsoft MVP, he works as a senior developer for Fairfax Information Technology Services in Roanoke, VA, where he provides technical, business and leadership support on key development projects. He writes about security and best practices for several technical forums, including myITforum.com. He has earned 10 professional designations in technology, business, and insurance fields.