A famous Monty Python routine contains the tag line “No One Expects the Spanish Inquisition!” In one version of the scene, a couple is in a restaurant and all they can order is “Spam.” The husband in the scene yells, “What is this, the Spanish Inquisition?” at which point other cast members burst into the scene dressed as Grand Inquisitors. As funny and as absurd as the scene may be, we can learn strategies for disruptions that either prevent us from performing less-important tasks or force us to completely recover as best we can from a total interruption of our normal lives or our business operations.
We call this continuum “Business Continuity and Disaster Recovery Planning” (BC/DR). It starts with getting an understanding of what’s important. In our personal lives, we will purchase insurance for life, health and property. We may keep copies of critical documents such as mortgage papers, birth certificates, passports and so on in secure places such as safe deposit boxes. We may develop evacuation plans in case of fire that include the most important things in our homes. I would hope that we would also choose to back up our PCs or at least our data in preparation for that eventual computer crash.
Methodologies for developing BC/DR plans vary, but we can think of two fundamental stages: preparation and execution. Applying effort to the analysis process and building the implementation pays off when — not if — you need to invoke the plans. Fundamentally, preparation involves figuring out what functions are critical (whether personally or for a business) and then performing risk analysis. The second part is implementing your chosen protections and acting on your plans when a disruption or disaster strikes.
In this blog, we’ll look at identifying your business functions and assets. Then we’ll look at sources of risk and how to prioritize them.
Dr. Stephen Covey starts his “7 Habits” series with a simple question: “What matters most?” It is a simple question, but Dr. Covey rightly indicates that the answers drive most of the rest of our decisions. Almost universally, life, protection from injury, safety, food and shelter come first. After that, we need to ask, “What else is important and how do we protect those things?” Any discussion of BC/DR in our lives and our businesses starts with these two questions. We call these steps Asset Identification and Risk Analysis. The process can be quantitative such as looking at replacement cost, or qualitative such as examining the emotional impact of a loss.
Once we have identified and prioritized our assets, we need to determine how to protect our assets and safeguard their value.
The concept of “Murphy’s Law” says that things will go wrong and the corollary is that they will do so at the worst possible moment. As impersonal as it sounds, preparedness for Incident Management leads us to organized ways to deal with something that disrupts our normal lives and activities.
When a minor or major disaster strikes, we need to be prepared to execute our plans, communicate with those who are important to us and then review to understand what we can do better the next time … and there will always be a next time.
The Hard Part: Identifying the Business and Assets
Coming back to Dr. Covey’s question, for business and in personal life, you need to ask, “What matters most?” If we’re worried about BC/DR for an enterprise, whether large or small, we need to identify the principal products and services the organization provides. Famously, an airline CEO said, “We’re a customer service business that happens to fly people around.” In other words, if you had to pare your business down to a few key functions, you must decide what they would be.
In the business world, no one wants to have his or her work considered unimportant or less important. Perhaps another way to look at this is to ask, “What’s essential?” With the threat of inclement weather, military bases often send nonessential personnel home or have them report later for work.
That isn’t to say one can’t quickly become embroiled in a political situation. After all, who would want their job to be called low-priority? It begs the question of why the job is being done in the first place.
The task of Business Impact Analysis (BIA) is the formal methodology of identifying the roles of an organization, prioritizing them and identifying the key assets to support those functions.
On a personal level, people have to ask what they would miss most if they lost assets such as family pictures and records or favorite works of art. The immediate answer becomes that everything is important, but managing it is impractical at best. Many families realize this when they downsize homes or move long distances.
Asset classification can become emotional, both at the work and personal level.
What assets do you need to protect and what functions do you need to provide because people are depending on you or your business? At work, what are the records that are needed, systems, software, networks and servers? How would they be replaced and restored in an emergency? What work could be left for later so that the critical functions can operate?
On a personal level, the task is harder because of emotion, memory and mind-set. Those three factors need to be considered in personal asset evaluation.
Risk Analysis: What’s Critical?
If we look at the things that threaten our business or our personal well-being, we can group them into five categories: Natural Threat, Outsider Human Non-Hostile, Outsider Human Hostile, Insider Human Non-Hostile and Insider Human Hostile.
After we’ve identified the assets that are critical to our business or those that are most important personally, we need to look at the ways they can be lost, stolen, destroyed or otherwise damaged. Combining these threats with the value of the services, products or items, we can start to do threat modeling (as it’s called in the security industry). For natural risks, for example, what is the possibility of fire or flood? How might an insider make a careless or accidental mistake that deletes a key company asset?
Computers and networking equipment wear out. Software has bugs. In our risk analysis, we need to consider the consequences of such failure.
As rationally and unemotionally as possible, all the risks to our personal and business property need to be evaluated and prioritized. We then need to assign a value to these assets. By balancing priority and cost to protect or replace something, we can decide how much to spend on its protection.
Looking at the risk analysis, then, we can apply quantitative and qualitative importance to the asset-risk pair. With the former, we can fairly easily apply a dollar amount to both the value and the cost of the protection. One simply asks, “Over time, is the cost of protecting something more than the cost of the item itself?” You can then start to make rational decisions.
In the case of qualitative risk analysis, this is much harder. If there’s an incident that shuts a company down for several days, what’s the impact on customer satisfaction and loyalty? Would people go to competitors the next time they need a product or service? On a personal level, what’s the emotional value of a particular item, photograph or something else that has deep significance? Regardless, eventually, you’ll need to put a price on the asset should the risk occur. Cryptographer and security pundit Bruce Schneier points out that we are very bad at evaluating risk at an emotional level. We tend to overestimate the rare-but-spectacular event and underestimate the commonplace.
Once you’ve done this, then you can prioritize your asset-risk pairs and figure out how much you can afford to spend protecting them. In other words, what do you do to implement your BC/DR philosophy?
We have four responses that we can take to any risk. Your decisions will need to be based on your qualitative and quantitative risk analysis. They are to Mitigate, Transfer, Accept or Reject (M/T/A/R):
- Mitigate: Take action to protect our assets so we can carry on essential business functions or have our personal property and goods protected.
- Transfer: Make the problem someone else’s and pay them to protect you from the risks you identified. Two possible ways of handling the transfer include:
  - Insure: Should you suffer a loss, the insurance would pay you in place of the lost business or property. Business and homeowner’s policies are examples of having someone take up the cost of mitigating a set of risks.
  - Outsource: Have someone else take care of the risks. Moving critical business elements to a third-party service provider might resolve the threat to your physical systems. Keeping important papers in a safe-deposit box might provide more protection at the cost of convenient access.
Both mitigating and transferring have costs and risks of their own and need to be considered in the cost of a solution. If you don’t have the budget or don’t want to invest in mitigation and transferring, you have two other choices:
- Accept: By doing this, you understand that you will experience the cost of the risk when it occurs. On the other hand, it is a gamble that the risk won’t occur and you’ll have to pay to recover should the worst happen.
- Reject: Decide that you will not engage in the behavior or business that could have a catastrophic risk. As a business person, you may choose to avoid a new venture or stop providing a service where the risks are too high. On a personal level, you may choose to relocate your family or find a new job (if possible).
Once your risks are prioritized, you can order them by importance and compare them to the budget. You can mitigate or transfer risks for which you have the budget. For any risk where there isn’t budget, the only choices are to accept or to reject the risk.
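The budget rule above, together with the earlier cost-versus-value question, as an added example that is not part of the original article. Assumptions: each asset-risk pair is scored as estimated loss times yearly likelihood, the `avoidable` flag decides between accept and reject, and all names and figures are constructed.

```python
from dataclasses import dataclass

# The five threat categories named in the article.
CATEGORIES = {"natural", "outsider-non-hostile", "outsider-hostile",
              "insider-non-hostile", "insider-hostile"}

@dataclass
class AssetRisk:
    asset: str
    threat: str
    category: str
    loss: float            # estimated cost if the risk occurs
    likelihood: float      # assumed chance per year, 0..1
    protect_cost: float    # yearly cost to mitigate or transfer
    avoidable: bool = False  # can we stop the activity altogether?

    @property
    def exposure(self) -> float:
        # Assumed scoring: expected yearly loss.
        return self.loss * self.likelihood

def plan(pairs, budget):
    """Walk pairs from highest exposure down and pick a response for each."""
    decisions, remaining = {}, budget
    for p in sorted(pairs, key=lambda p: p.exposure, reverse=True):
        if p.category not in CATEGORIES:
            raise ValueError(f"unknown threat category: {p.category}")
        key = (p.asset, p.threat)
        if p.protect_cost >= p.exposure:
            # Protection costs more than the expected loss: not worth buying.
            decisions[key] = "accept"
        elif p.protect_cost <= remaining:
            remaining -= p.protect_cost
            decisions[key] = "mitigate/transfer"
        else:
            # No budget left: only accept or reject remain.
            decisions[key] = "reject" if p.avoidable else "accept"
    return decisions, remaining

# Constructed sample data, not from the article.
SAMPLE = [
    AssetRisk("customer database", "ransomware", "outsider-hostile", 200_000, 0.10, 8_000),
    AssetRisk("server room", "flood", "natural", 500_000, 0.01, 6_000),
    AssetRisk("file share", "accidental deletion", "insider-non-hostile", 30_000, 0.50, 3_000),
    AssetRisk("new payment service", "fraud", "outsider-hostile", 100_000, 0.08, 7_000, avoidable=True),
]

if __name__ == "__main__":
    decisions, left = plan(SAMPLE, budget=12_000)
    for (asset, threat), response in decisions.items():
        print(f"{asset:20} {threat:20} {response}")
    print("unspent budget:", left)
```

The flood pair is accepted even though its loss figure is the largest, because its yearly protection cost exceeds its expected yearly loss; the fraud pair is rejected because the budget ran out and the service can be dropped.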
In an enterprise, risk management exercises may be ongoing and long-term. For an individual, it may be tied to other events. Financial planners will tell you, for example, to review your finances in the middle and end of the year. This might be a good time to consider your personal assets as well. Regardless, any risk plan is out-of-date almost immediately, so you have to plan to periodically review and refresh your strategies.
In my career as an engineer, some of my hardest tasks haven’t been purely technical. Instead, they have been at the intersection of technology and business. Both business impact analysis and risk prioritization can be hard work, because there are human, emotional and qualitative factors.
As critical as this work may be, it is only the beginning. Next, we need to develop and implement the process to protect our assets. Our plans can be invoked for relatively minor incidents, major problems or disasters. When disaster strikes, we have to execute the plans as rehearsed, communicate effectively and restore operations. After that, learning lessons means that we can update our plans and processes. The first goal is to avoid the disaster the next time, and if that’s not possible, lessen the cost and impact.
In Global Knowledge’s “Cybersecurity Foundations” and “Managing Risk in Information Systems” classes, we explore these topics in depth. For the shorter version, we’ll visit those ideas in my next blog article.