
Why Assess?

by Philip Jan Rothstein, FBCI

Few businesses can survive for long by investing in projects without examining their justification, whether through a structured process or informally. Yet, it is not uncommon for a business continuity or disaster recovery program to evolve without a rational business basis. Why is this?

In theory, a contingency plan should be based on three key factors which are objectively weighed in a Business Impact Assessment (BIA): threats, vulnerabilities, and exposure to loss.

In practice, the most ominous threats may not always be apparent; vulnerabilities may be concealed; and exposure to loss may be difficult to quantify. But the most common themes observed in organizations with contingency programs not based on impact assessments are (1) not grasping the relevance of the impact assessment process in the first place or, bluntly, (2) "no glory."

The first point is difficult enough to resolve. The contingency/recovery program is so easily justified on emotional grounds ("we've got to get the data center back within twelve hours or we're out of business!") that it is easy to gloss over the objectivity introduced by a BIA or by an Applications Impact Analysis, which concentrates on the impact to business operations resulting from computer applications outages.

The second point is often more nettlesome. The outcome of a BIA is knowledge which may or may not impact the bottom line and therefore does not typically inspire outrageous salary reviews. Also, the BIA process often looks like an obstacle to implementing the contingency plan "everybody knows we need right away" rather than a valuable guide.

A Case Study
The risks of this oversight are theoretically obvious yet almost invariably overlooked, as we recently observed in a Midwestern manufacturing company. Their data center was protected by a reasonably thorough and remarkably well-exercised disaster recovery program. Disaster recovery had evolved over a period of seven years without a BIA or applications impact assessment at any time.

Management confidence in MIS recoverability was high and, in fact, appeared justified. The first "ultimate" test, a real disaster resulting from a burst water main, resulted in a successful data center recovery with critical applications operational within ten hours and full restoration of data center services at an alternate site within eighteen hours of declaration, well within the 24-hour target window.

That was the good news. The bad news was that within 96 hours, several business functions were in shambles. Bottom-line losses were edging toward the seven-figure level. Sales and Customer Service were increasingly encountering embarrassing errors.

Could a BIA and applications impact analysis have prevented this fiasco? Probably. First, management had never objectively examined the direct impact on Sales and Customer Service of an extended computer outage. Neither area could effectively cope with the continuing influx of new business, plus inquiries and changes to old business, without computer access for even one day. Data restored from the previous night's backup tapes resulted in inconsistencies with transactions already under way. New orders and changes coming in to Sales and Customer Service while the data center recovery was going on were completely out of synch with the computerized data being restored.

Lessons Learned
This unfortunate company learned the hard way that their targeted 24-hour data center disaster recovery window did not meet their business needs. Of course, the balance could as easily have gone the opposite way: an actual business need which did not justify the 24-hour recovery window.

This was observed in another manufacturing company, which was spending over $12,000 each month on a data center hot site recovery program. This was subsequently replaced with a $1,500 per month cold site agreement when a BIA and Applications Impact Analysis revealed that the worst-case, bottom-line impact of a two-week computer outage would likely be less than what was spent annually on the hot site!

The lessons learned are simple:

  • Any contingency program not based on an objective analysis of threats, vulnerabilities and exposure to loss is unlikely to meet the true needs of the organization.
  • A BIA does not have to be a complex, lengthy process to be effective; the "80-20" rule often applies.
  • A BIA ensures that the contingency planning investment is not wasted or, even worse, ineffective when it is most needed.

Copyright (c)1997-2003, Rothstein Associates Inc. All Rights Reserved.
