
Stage 2 covers the activities that evaluate the requirements for continuity and the development of an overall strategy regarding the plans, measures and practices that will be used.

1. Requirements – Business Impact Analysis (BIA)

The Business Impact Analysis (BIA) seeks to quantify the range of impact that a loss of service will have. The forms of damage that a loss of service may cause include:

 Lost income and incurred costs through overtime payments or fines paid;

 Damaged reputation;

 Decreased competitive advantage;

 Decreased customer satisfaction and perception of the IT service provider;

 Potential threat of injury or loss of life;

 Immediate and long-term; and

 Breach of law, regulations and compliance requirements.

Each form of impact is measured against particular scenarios for each business process, such as an inability to invoice for a period of 3 days leading up to Christmas.

Figure 6.12: – Graphical representation of business impact in relation to time

© Crown Copyright 2007 Reproduced under license from OGC

The level of impact felt by the business operation will also change depending on the length of the disruption. Figure 6.12 shows how some disruptions immediately cause a significant impact on business operations, whereas others have little immediate impact but grow in impact for as long as the disruption endures. This analysis influences the approach and measures taken: primarily risk reduction (being able to withstand failures) for the former, or recovery (bringing back the affected IT services within a defined period of time) for the latter.

Some other aspects identified by the BIA include:

 Staffing and skills necessary to continue operating at acceptable levels;

 Time within which minimum staffing, facilities and services should be recovered;

 The time within which all required business processes and operations should be partially and fully recovered; and

 The relative priority of each business process being supported by IT services.

The views represented by the BIA should encompass all levels of the organization as well as any other stakeholders that might be affected.

2. Requirements – Risk Analysis

Another activity performed in order to determine the requirements of IT Service Continuity Management is Risk Analysis. This involves assessing the threats that might cause disruption and how vulnerable the organization is to each threat. As a result, this activity is a joint responsibility of ITSCM, Availability Management and Information Security Management.

A standard and defined methodology should govern the use of Risk Analysis and Risk Management activities within the organization. One methodology that might be used is the Management of Risk (M_o_R) framework, shown in Figure 6.13.

Figure 6.13: – The M_o_R framework

© Crown Copyright 2007 Reproduced under license from OGC

The M_o_R framework is made up of the following elements:

 M_o_R principles, which are derived from corporate governance principles and are essential for developing good practice in risk management.

 M_o_R approach which documents the agreed approach for the organization, including dynamic documents such as:

o Risk Management policy;

o Process guides;

o Plans;

o Risk registers; and

o Issue logs.

 M_o_R processes which consist of four main steps:

o Identifying threats and opportunities;

o Assessing the effect of threats and opportunities;

o Planning to reduce the threats and maximizing opportunities; and

o Implementing the corrective action and reviewing where the results do not meet expectations.

 Embedding and reviewing M_o_R, to continually review and improve the practices for Risk Management.

 Communication, which ensures that appropriate communication occurs, with documented plans so that staff members and stakeholders know their responsibilities and who the audience for each communication should be.

Figure 6.14: – Developing a risk profile

© Crown Copyright 2007 Reproduced under license from OGC

Using the chosen methodology, the organization should develop and maintain a risk profile, which classifies risks on scales of severity and likelihood of occurrence. The profile also shows which risks have been determined to be acceptable; for those deemed unacceptable, risk reduction or recovery measures are required.

3. IT Service Continuity Strategy

The results of the BIA and Risk Analysis will be used by BCM and ITSCM to begin developing appropriate strategies in response. Overall, the strategy should represent a balance between risk reduction and recovery options, as well as a balance between the cost of developing and maintaining these options against the impact felt if the risks do eventuate.

Typical measures used for risk reduction include:

 UPS and backup power systems to computers, servers and other infrastructure;

 Systems designed with fault tolerance when any downtime is unacceptable (involves multiple redundancy with load sharing and/or automated failovers);

 RAID arrays for disk storage;

 Spare equipment such as routers, switches, desktops and laptops to be used in the case of component failure;

 Off-site storage for backups and for failover systems; and

 Multiple suppliers for critical sub-services (e.g. WAN and internet connections).

Typical measures for recovery include:

 Manual workarounds – such as using paper-based systems for a limited timeframe;

 Reciprocal arrangements – where two or more organizations share the costs associated in developing and operating some shared facilities that can be used in the case of a disaster occurring;

 Gradual recovery – also known as 'cold standby', where the recovery facilities provide empty accommodation equipped with power, network cabling and telecommunications connections. Over the course of the disruption the provider moves in and configures whatever infrastructure is required to recover the service;

 Intermediate recovery – also known as 'warm standby', where the recovery facilities (often provided by third parties) provide accommodation for the necessary staff and house preinstalled infrastructure to be used for recovery. The actual recovery will still take some time, as the infrastructure will need to be re-configured and applications and data restored from backups;

 Fast recovery – also known as 'hot standby', where the recovery facilities house dedicated infrastructure for the organization to use in the case of disruption. In the event of a failure the organization can fail over to the recovery site, restore from backups and recover service within a 24 hour period; and

 Immediate recovery – also referred to as 'hot standby', provides recovery facilities that support the immediate restoration of services, with potentially no visible impact on the business operation itself. This is often implemented by housing dedicated equipment at an alternative site (far enough away not to be affected by the same risk, such as a blackout or weather event). In some cases only the IT services that support a vital business function are protected by this recovery option.

It is important that the strategy includes a combination of measures, so that the balance between cost and risk as well as prevention and recovery is obtained. The plan should document where staff will be located, as well as how other critical services are managed such as power, water, telecommunications, couriers and information management.
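The following is an added worked example, not part of the original text or of the ITIL/OGC material, that ties the risk profile described under Risk Analysis to the strategy choice described above. It models a BIA scenario as an impact-over-time curve (the two curve shapes of Figure 6.12), derives from it the time within which the service must be recovered, rates each risk by likelihood × severity, and then steers unacceptable risks to either risk reduction (when impact is intolerable from the first minute, so no recovery option can help) or to the cheapest recovery option whose recovery time fits. The 1-5 scales, the acceptance threshold, the 1 h and 72 h bounds for immediate and intermediate recovery, and all scenario data are assumptions constructed for the example; only the 24 hour bound for fast recovery comes from the text.

```python
from dataclasses import dataclass

# Ordinal scales for the two axes of the risk profile. The 1-5 values and the
# acceptance threshold are assumptions for this example; the text only says
# risks are classified by severity and likelihood and marked acceptable or not.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
SEVERITY = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "catastrophic": 5}
ACCEPTABLE_RATING = 6   # likelihood x severity at or below this is accepted as-is


@dataclass
class BiaScenario:
    """One BIA scenario: the impact of losing a service, sampled over elapsed hours."""
    process: str
    priority: int          # 1 = most critical business process, from the BIA
    impact_at: dict        # {hours_elapsed: impact score 0-100}, constructed data
    tolerance: int         # impact score the business states it cannot exceed


def impact_after(scenario: BiaScenario, hours: float) -> float:
    """Impact of the disruption after `hours`, interpolated linearly between
    the BIA sample points (the curves of Figure 6.12)."""
    points = sorted(scenario.impact_at.items())
    if hours <= points[0][0]:
        return float(points[0][1])
    for (h0, i0), (h1, i1) in zip(points, points[1:]):
        if h0 <= hours <= h1:
            return i0 + (i1 - i0) * (hours - h0) / (h1 - h0)
    return float(points[-1][1])


def max_tolerable_downtime(scenario: BiaScenario, step_h: float = 0.5) -> float:
    """Hours of disruption after which impact exceeds the stated tolerance.
    This is the time within which the service must be recovered; inf means the
    scenario never breaches tolerance inside the sampled window."""
    last_hour = max(scenario.impact_at)
    t = 0.0
    while t <= last_hour:
        if impact_after(scenario, t) > scenario.tolerance:
            return t
        t += step_h
    return float("inf")


def risk_rating(likelihood: str, severity: str) -> int:
    """Position of a risk in the profile as a single likelihood x severity score."""
    return LIKELIHOOD[likelihood] * SEVERITY[severity]


def is_acceptable(rating: int) -> bool:
    return rating <= ACCEPTABLE_RATING


def recovery_option(mtd_hours: float) -> str:
    """Cheapest recovery option from the text that meets the tolerable downtime.
    Only the 24 h bound for fast recovery comes from the text; the 1 h and 72 h
    bounds are assumptions chosen for this example."""
    if mtd_hours <= 1:
        return "immediate recovery (hot standby at an alternative site)"
    if mtd_hours <= 24:
        return "fast recovery (hot standby, restore within 24 h)"
    if mtd_hours <= 72:
        return "intermediate recovery (warm standby)"
    return "gradual recovery (cold standby)"


def treatment(scenario: BiaScenario, likelihood: str, severity: str) -> dict:
    """Decide, per risk, whether to accept it, reduce it or plan recovery for it.
    A scenario whose impact is already intolerable at hour 0 cannot wait for any
    recovery, so it is steered to risk reduction (withstanding the failure)."""
    rating = risk_rating(likelihood, severity)
    mtd = max_tolerable_downtime(scenario)
    if is_acceptable(rating):
        measure = "accept: record in risk register and review"
    elif mtd == 0:
        measure = "risk reduction: fault tolerance / redundancy, with " + recovery_option(mtd)
    else:
        measure = "recovery: " + recovery_option(mtd)
    return {"process": scenario.process, "priority": scenario.priority,
            "rating": rating, "acceptable": is_acceptable(rating),
            "mtd_hours": mtd, "measure": measure}


def build_risk_profile(entries) -> list:
    """Risk profile ordered by the BIA priority of the supported business process."""
    return sorted((treatment(*e) for e in entries), key=lambda r: r["priority"])


# Constructed BIA scenarios (not real data): the invoicing one follows the
# 3-days-before-Christmas scenario in the text, where impact grows over time;
# the trading one is immediately severe; the wiki is a low-impact service.
INVOICING = BiaScenario("Invoicing", 1, {0: 5, 24: 20, 48: 45, 72: 80}, tolerance=40)
TRADING = BiaScenario("Order trading", 1, {0: 70, 1: 90}, tolerance=30)
WIKI = BiaScenario("Internal wiki", 3, {0: 0, 168: 20}, tolerance=40)

RISK_PROFILE = build_risk_profile([
    (INVOICING, "possible", "major"),
    (TRADING, "unlikely", "catastrophic"),
    (WIKI, "possible", "minor"),
])

if __name__ == "__main__":
    for row in RISK_PROFILE:
        print(f"{row['process']:<14} rating={row['rating']:>2} "
              f"mtd={row['mtd_hours']:>5} -> {row['measure']}")
```

Running the block prints one line per risk: the invoicing scenario breaches tolerance after about 43 hours of disruption and is routed to intermediate (warm standby) recovery; the trading scenario is intolerable from hour 0 and is routed to risk reduction; the wiki risk scores at the acceptance threshold and is simply recorded. In practice the same table is what ITSCM, Availability Management and Information Security Management would review together, with the cost of each option set against the impact it avoids.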
