Learn how organizations should define their own internal risk management policies and standards to ensure a solid development to your disaster recovery and business continuity efforts. The text transcript of Gold's comments is included below.
So you now have just been given this new role. You are the head of disaster recovery and business continuity planning, or perhaps you are the chief risk officer and you also have the responsibility for the firm's business continuity planning (BCP) and disaster recovery (DR) efforts. That being said, you own it, I own it -- now let's figure out where to start.
The first element we should look at is our own internal risk management policies and standards. And you are probably saying, "Why do we start with policies and standards?" Well, policies and standards actually represent the foundation of the framework for which all of your hedging and protecting and disaster recovery efforts will be built upon. When you look at your policies and standards, you probably have a policy around confidently: How well should we protect or safeguard this respected data. I know most organizations have a little bit of trouble with protecting the data and classifying the data; we all have a confidently standard.
Moving on, we probably have some notion of integrity as well: How well should I preserve or maintain the data to ensure it can't be manipulated? And then third, we also have availability standards as well. So we have the C, the I and the A. Now if you couple those policies with a good change-management standard, I personally believe you have the essence for a great beginning to your disaster recovery and business continuity efforts. So you are probably sitting there and saying: "Ok, I look at these policies and standards; that's really not working or me – I don't get it, Andre."
So let me give you an example. A lot of times firms will create what I call these DR tiers: tier 1, tier 2, tier 3. Typically tier 1 reflects all those business processes and associated applications that need to be restored within a 24-hour time period. Tier 2 comes back and has, you know, has a time frame of maybe one to two days, and perhaps tier 3 is anything greater than three days. So they will go and classify and ask that this be in tier 3, but then they will go back to the operations team and say: "You know what, I actually need that application up and running all the time; I need five nines, I need ten nines." So you have ten nines over here and you have a tier 3 business process, so you see the incongruence there? If you have this much operational availability but you classify the operation as a tier-three app – there is going to be a little problem there. But if you have sound policies and standards, which drive operational availability, and ultimately, business continuity and hedging and protection, it will certainly be a lot easier to have those conversation regarding what the recovery time periods and associated objectives should look like.
Business Continuity and Disaster Recovery Video Series
- Disaster recovery and business continuity planning basics
- Availability, business continuity and disaster recovery
- Defining internal risk management policies
- Elements of disaster recovery and business continuity planning
- Disaster recovery and business continuity planning problems
- Preventing business continuity, disaster recovery problems
So moving past policy, we now need to figure out what are those actions that we actually need to do to support BCP. Well, the first thing we need to do is go out there and do what we call a business impact analysis or perhaps a business impact assessment, a BIA in other words. So in starting this process, what you don't do is you don't go to your business analyst, you don't go to your technology geeks, you actually go to the firm's business leaders and just ask them: "What are your most important processes?" And if that's too grand of a statement, just ask them, "What are your, perhaps, top three, maybe top five, business processes?" I guarantee he or she will be able to articulate that to you.
The next thing you have to do after that is really start looking at the interdependencies for those business processes, looking at both vertical as well as horizontal dependencies, and really mapping out those relationships. After doing this, you really want to go back to those business leaders and ask them what happens if this business is not available and get them to quantify their respective answer -- not qualify their answer. And what I mean by qualify the answer is you really want to have a notion of how much does this process cost the firm in the event that it is unavailable. You now want to establish your recovery priorities. What you'll find is that the individuals that are going to be responsible for restoring these processes probably overlap to some extent, so you really want to go out and clearly identify not only what are those key business processes, but also the order in which we should restore those.