Assess Risks & Impact

Determine recovery options

Published under Risk Management

The possible options for recovery should be documented and presented to the BC Steering Committee. The options will build on the BIA results and will outline how ICT and IS can continue to meet the organisation’s objectives, obligations and statutory duties in a cost-effective manner, despite an incident which affects their ability to operate at normal levels.

Options should be determined for the following areas:

  • Staff (including skills and knowledge)
  • Premises (location(s) of work and locations where information is held)
  • Technology (telephony, data, applications, systems)
  • Supplies (materials and equipment)
  • Stakeholders

It is quite likely that various issues will be identified as a result of Risk Assessment, Business Impact Analysis, hazard identification or from operational experience which, if not addressed, may represent continuity risks. These risks should be recorded in the Business Continuity Risk Register and highlighted to the Business Continuity Steering Committee.

Examples of continuity risk might include:

  • Records management - an issue regarding poor storage, archiving and retrieval of vital records has been identified which could lead to vital information not being available when it is required, resulting in a regulatory or reputational risk
  • Staff training - issues have been identified regarding low levels of multi-skilling, cross-training or succession planning. This could lead to a continuity risk if there were above average levels of sickness, industrial action or a key member of staff was unavailable for several weeks or months
  • Back-up plan - risks have been identified with respect to the back-up of data and the recovery and restoration of that data

Activity plans to address the continuity risks should be implemented and related work integrated to ensure that the deadline for the delivery of the BCP is achieved.

The options will depend on:

  • Recovery Time Objectives for the critical processes
  • Recovery Point Objectives for the critical data
  • Interdependencies of components
  • Costs of implementation of various options
  • Consequences of inaction

The organisation should avoid implementing a solution which could be impacted by the same incident that caused the business disruption. An example would be relocating to a Work Area Recovery Facility (WARF) which is only a few hundred metres down the road and which could be affected by the same power cut, telephony outage or flood as the organisation.

The strategies adopted for ICT and IS are often quite complex and will typically be one or a combination of the following alternate site options [BS 25999-1]:

  • Provision made within the organisation (Budge Up, Displacement, Remote Working, Reciprocal Agreements)
  • Services delivered to the organisation (mobile facilities or prefabricated units)
  • Services provided externally by a third party e.g. Work Area Recovery Facilities (WARF) (dedicated, syndicated or shared seats)
  • Mirrored sites which are identical to the primary sites in all technical aspects

There are several options available depending upon the organisation’s technology strategy, and the solution can be complex. These options can be classified according to whether they are cold, warm or hot sites and their relative advantages and disadvantages can be seen in the following table:

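| Site     | Cost        | Process Dependency | Hardware Equipment | Telecoms  | Setup Time | Location  |
|----------|-------------|--------------------|--------------------|-----------|------------|-----------|
| Cold     | Low         |                    | None               | None      | Long       | Fixed     |
| Warm     | Medium      |                    | Partial            | Partial   | Medium     | Fixed     |
| Hot      | Medium/High |                    | Full               | Full      | Short      | Fixed     |
| Mobile   | High        |                    | Dependent          | Dependent | Dependent  | Not fixed |
| Mirrored | High        |                    | Full               | Full      | None       | Fixed     |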

In turn, the choice of these options will depend upon:

  • RTOs for processes which support the critical activities identified in the business area BIAs:
    • a process RTO of several months may allow the organisation to choose to leave any decisions until after the event
    • a process RTO of over a day or two may allow time for staff to be relocated to another site
    • a process RTO of less than a day will require tactics that enable the activity to be taken on by staff at other locations, or quick relocation of affected staff
  • Location and distance between technology sites
  • Number of technology sites
  • Remote access
  • Unstaffed (dark) sites or staffed sites
  • Telecoms connectivity and redundant routing
  • The nature of failover (automatic or manual)
  • Back up strategy (e.g. daily, weekly, monthly, CDs, tape, DASD or RAID)
  • Third party connectivity and external links

Further options may be selected to reduce the likelihood of an IT disruption and could include the following strategies:

  • Geographical spread of technology
  • Holding older equipment as emergency replacements or spares
  • Additional risk mitigation for unique or long lead time equipment
  • Cross training to ensure that there is more than one member of staff with key skills
  • Succession plans so that the loss of a senior manager or the IT Director does not present a risk.
