Business Continuity Review Explained
The business continuity review process covers the following:
1. Business Impact Analysis
Analysis of the risk to the company from the impact of each of the disaster scenarios below:
Cyber Attack (ransomware, data compromise, fraud), Fire, Flooding, Acts of Terrorism, Theft, Accidental Damage, Internal Network Failure (including computer infrastructure hardware failure and cabling), Premises Destruction, Power Loss (including cuts, spikes, extended outages, internal wiring failure and external power failure) and External Network Failure (including telephone and broadband lines).
2. Review Recovery Strategy
In the event of loss of access to the building, company data and systems, or major infrastructure failure, identify strategies to be used and/or implemented.
For example: remote working via dedicated terminal servers, remote working against backup servers, remote working against cloud-hosted files and data, hosted disaster recovery services (such as email and virtual desktops), secondary backup/failover/virtual infrastructure that is brought online manually or automatically, and replacement of equipment followed by physical recovery from online backup or local backup media. We will also require a contact database of the key people to be notified in any emergency IT situation. We will set out the disaster recovery and business continuity services available to you, together with the recovery steps each one requires. It is then critical that the company's decision makers communicate the recovery process firm-wide so that every step is understood and followed consistently.
3. Recommend Business Recovery Changes
We will recommend strategic changes to your IT infrastructure and cyber security to strengthen the business continuity cover for your company. These recommendations are not mandatory, but we strongly urge you to consider them to ensure the protection and continuity of your company's business operations should a disaster occur, recovery be required and the business continuity plan be invoked. Any business continuity solution that is implemented will also help us meet our SLA and the agreed recovery time objective (RTO) should a critical issue occur.
Business Impact Definitions
There are four industry standard impacts used when analysing the business impact of specific functions within a company. They are defined as follows:
1. Financial Impact: Revenue Loss and Financial Penalties: Financial impact measures the financial exposure of the company during a period in which it cannot perform its daily operations and services. The recovery time objectives, or "time slots" (for example 4 hours or 1 day), set out the maximum outage before the financial loss becomes material to the firm.
2. Operational Impact: Operational impact looks at the internal effect of the company being unable to function. In effect it is the potential "knock on" impact, as internal departments depend on the service or output delivered by other departments across the company. Where a function feeds every other department, its loss would be deemed critical for all internal departments and for the company as a whole.
3. Regulatory Impact: Regulatory impact is the requirement to maintain continuity of services for a regulatory or contractual reason. For example, companies regulated by the FSA, certified to an ISO standard, or subject to legal obligations will need to have recovered their systems, with data integrity intact, within a maximum number of days. Some companies that provide services to external clients may also be required to recover within the timescales set by contractual Service Level Agreements (SLAs).
4. Reputational Impact: Reputational impact is the potential for serious damage to the reputation of the company in the general marketplace and with the public due to the inability to provide a normal service. This also includes the potential for adverse publicity or anything else that might reduce the firm's prospects for new business or cause the loss of existing business.
The following is a brief definition of some of the terms that are used when assessing your business risk:
Backed Up is the term used when safeguarding your data by copying it to a separate medium from which it can be recovered in the event of loss. A backup that ransomware or a malicious insider can reach and delete offers no protection against the Cyber Attack scenario, so at least one copy should be kept offline, offsite or otherwise write-protected.
Replicated is the term used when automatically mirroring your data and critical servers to similar infrastructure, either continuously or at regular intervals. Replication is not a substitute for a backup: a deletion, corruption or ransomware encryption on the primary is mirrored to the replica just as faithfully as legitimate changes are.
High Availability is an architecture (for example load-balanced or clustered servers) that keeps your critical services online should a single component of the primary infrastructure fail.
Disaster Recovery (DR) is the process of failover and restoration of systems and operations that are critical to your business after a disaster occurs.
Business Continuity (BC) is the planning and preparation that allow your organisation to keep critical functions running during a disruption and to recover and restore interrupted functions after a disaster.
Failover is an automatic and/or manual process for transferring a service from a failed system to a standby system or environment.
RTO is the recovery time objective: the maximum acceptable time to restore a service once a disaster occurs, measured from the point at which the disruption begins, not from the point at which restoration starts.
RPO is the recovery point objective: the maximum acceptable amount of data loss, expressed as the oldest point in time to which data may be restored after a disaster. It is determined by how often backups or replication complete, so a 4-hour RPO cannot be met by a backup that runs once a day.
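The following is an added worked example, not part of the original review document and not any client's real data, showing how the RTO and RPO definitions above are checked in practice against a backup schedule and a recovery timeline. The backup completion timestamps, the objectives (240 minutes for both) and the incident timeline are all constructed for illustration; the system name "file-server" is hypothetical.

```python
from datetime import datetime, timedelta

# Constructed sample data for the example (not taken from any real environment):
# completion timestamps of the 6-hourly backup jobs for one hypothetical file server.
BACKUP_COMPLETIONS = [
    "2024-03-01T00:05:00",
    "2024-03-01T06:04:00",
    "2024-03-01T12:07:00",
    "2024-03-01T18:03:00",
    "2024-03-02T00:06:00",
]


def _parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts)


def _minutes(delta: timedelta) -> int:
    return int(delta.total_seconds() // 60)


def max_backup_gap_minutes(completions: list[str]) -> int:
    """Largest interval, in minutes, between two consecutive completed backups.

    A disaster striking just before a backup completes loses everything written
    since the previous completion, so this gap is the worst-case data loss the
    schedule can produce and is the figure to compare against the RPO.
    """
    times = sorted(_parse(t) for t in completions)
    if len(times) < 2:
        raise ValueError("need at least two completed backups to measure a gap")
    return max(_minutes(later - earlier) for earlier, later in zip(times, times[1:]))


def data_loss_minutes_at(completions: list[str], failure_time: str) -> int:
    """Data lost, in minutes, for a disaster at one specific moment: the time
    elapsed since the last backup that completed before it. A backup still
    running at that moment does not count; only completions do."""
    failure = _parse(failure_time)
    earlier = [t for t in map(_parse, completions) if t <= failure]
    if not earlier:
        raise ValueError("no completed backup exists before the failure time")
    return _minutes(failure - max(earlier))


def meets_rpo(completions: list[str], rpo_minutes: int) -> bool:
    """The schedule satisfies the RPO only if its worst-case gap is within it."""
    return max_backup_gap_minutes(completions) <= rpo_minutes


def meets_rto(declared_at: str, restored_at: str, rto_minutes: int) -> bool:
    """RTO is measured from the moment the incident is declared to the moment the
    service is usable again, not from when the restore job was started."""
    return _minutes(_parse(restored_at) - _parse(declared_at)) <= rto_minutes


def assess(name: str, completions: list[str], rpo_minutes: int, rto_minutes: int,
           declared_at: str, restored_at: str) -> dict:
    """Summarise one system's backup schedule and one rehearsed (or real) recovery
    against its objectives, in the form a recovery review would record."""
    gap = max_backup_gap_minutes(completions)
    recovery = _minutes(_parse(restored_at) - _parse(declared_at))
    return {
        "system": name,
        "worst_case_data_loss_minutes": gap,
        "rpo_minutes": rpo_minutes,
        "rpo_met": gap <= rpo_minutes,
        "recovery_time_minutes": recovery,
        "rto_minutes": rto_minutes,
        "rto_met": recovery <= rto_minutes,
    }


if __name__ == "__main__":
    # Hypothetical objectives (4 hours each) and a hypothetical recovery rehearsal timeline.
    report = assess("file-server", BACKUP_COMPLETIONS, rpo_minutes=240, rto_minutes=240,
                    declared_at="2024-03-01T17:10:00", restored_at="2024-03-01T20:40:00")
    for key, value in report.items():
        print(f"{key}: {value}")
```

With the constructed schedule the longest gap between completed backups is 6 hours 3 minutes, so a 4-hour RPO is not met even though the rehearsal restored service in 3 hours 30 minutes and so met the 4-hour RTO. This is the typical finding of a recovery review: the two objectives are independent, and a fast restore does nothing to reduce the data lost since the last backup.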