Business continuity and risk analysis are very high-profile topics in today’s world. Risk analysis is actually part of a good business continuity plan. Learning how the two work together can help a business to protect its valuable information assets.
Risk analysis is the process of identifying the various risks that a given business faces. These risks can vary based on factors such as the type of business and geographic location. A business that processes information, such as an insurance company, faces very different risks from a company that handles hazardous materials. Risk analysis identifies the business processes of a company, determines the impact on the company of an unplanned interruption of any or all of those processes, and determines the likelihood of such an event occurring. Full risk analysis typically includes a business impact analysis.
Once risk analysis has been completed, management must decide how to respond to the identified risks. There are basically three responses: eliminate the risk; mitigate the risk; accept the risk. Eliminating the risk may involve drastic changes such as relocating the business out of a flood plain. Risk mitigation involves taking steps to minimize the impact of an incident. An example of this is installing fire sprinklers to extinguish a fire and minimize the damage. The third response is to accept the risk as a fact of doing business. This response typically assumes that there is either no way to eliminate or mitigate the risk, or the cost of doing either is prohibitive. Management’s response to the results of risk analysis has a direct impact on the company’s ability to recover from a disaster.
Disaster recovery is the actual process that a company goes through when recovering from some extended interruption in its business processes. These interruptions can stem from events such as severe weather, fire, earthquake, terrorism, building infrastructure problems and cyber attacks. Disaster recovery typically involves taking media on which data has been backed up to an off-site location, configuring hardware similar to the systems affected by the disaster, restoring the data, and resuming a critical subset of the company’s business processes. Recovering a company’s information assets can be a complex and time-consuming chore. Good documentation and good planning are required for successful recovery from a disaster.
Business continuity is the planning process by which a company is able to determine risks, evaluate alternatives and plan for recovery in the event of a disaster. Business continuity planning encompasses both risk analysis and disaster recovery. The goal of business continuity planning is to avoid or minimize the impact of an event that causes an interruption in business processes. Good planning includes lists of key personnel, communication procedures, equipment procurement procedures, recovery procedures
Prepare for the Unthinkable
A company may consciously decide that the risk of a catastrophic event is too small to warrant an investment of time and resources in planning. However, good business continuity planning requires that a company prepare for the unthinkable. Methodical analysis, documentation and planning all contribute toward a successful business continuity program. Assuming that a disaster will occur is imperative. The companies that do are the companies that are still in business after a disaster occurs.