Untitled Document
www.expresscomputeronline.com WEEKLY INSIGHT FOR TECHNOLOGY PROFESSIONALS
06 December 2004  
Untitled Document
Sections

Market
Management
Technology
Technology Life

Columns

Between The Bytes

Services
Subscribe/Renew
Archives
Search
Contact Us
Network Sites
Network Magazine India
Exp. Hotelier & Caterer
Exp. Travel & Tourism
feBusiness Traveller
Exp. Pharma Pulse
Exp. Healthcare Mgmt.
Exp. Textile
Group Sites
ExpressIndia
Indian Express
Financial Express
Home - Management - Article

Business Accent

Business continuity planning: be prepared and be protected

Jaspreet Singh

When a small business loses its Internet connection or its network for a few hours, it suffers mightily. After all, unlike a large business, there’s often no way to make up for the lost revenue.

While disaster recovery and business continuity are closely related, they are far from interchangeable. Disaster recovery is just what it sounds like: getting your business back after a problem takes it down. The disaster can be anything—a virus, a cyclone, a disgruntled employee deleting a critical folder. The point is, your computer or network is inaccessible.

Business continuity planning, on the other hand, is the pre-emptive practice of ensuring that terrible events cause as little disruption as possible.

According to a US department of labour study, “93 percent of companies that experience a significant data loss will be out of business within five years.” Even lesser disruptions can cause significant loss through lost revenue, lost productivity and lost profits.

The standard business interruption (BI) definition and formula can be used to better understand the costs involved. BI = T x Q x V, where BI = business interruption, T = number of time units (hours, days) operations are shut down, Q = the quantity of goods normally produced, or sold, per unit of time used in T, and V = the value of each unit of production, usually expressed in profit.

As an example, consider a consultant whose server crashes and requires one week to restore to normal operations. If the consultant bills at Rs 1,000 per hour and is not able to bill for 40 hours, then the business interruption cost = BI = T x Q x V = 40 x 1 x Rs 1,000 = Rs 40,000 in missed revenue or delayed positive cash flow.

Besides, of course, there are the other potential adverse effects that are less easily calculated, such as negative publicity, loss of clients and legal liability.

Cost/Benefit Analysis

While there are a number of ways to identify, analyse, and assess risk, and there is considerable discussion of risk in the media and among information security professionals, real understanding of the process and metrics of analysing and assessing risk is lacking. Certainly, everyone understands that “taking a risk” means “taking a chance,” but a risk or chance of what is often not so clear.

We usually give more or less serious consideration to a major action before taking the chance, so to speak. Perhaps we would even go as far as to calculate the odds (chance) of experiencing an undesirable outcome, and take steps to reduce the chance of experiencing that outcome.

In order to effectively calculate the chance of experiencing the undesirable outcome, as well as its magnitude, one must have an awareness of the elements of risk and their relationship to each other. This, in a nutshell, is the process of risk analysis and assessment.

After determining the business impact, it’s time to determine what it is going to cost to recreate those processes or systems if a disaster occurs. The costs of replacing processes or systems should be weighed against the cost of doing nothing.

Before undertaking a cost/benefit analysis, the following terms have to be defined:

Annualised Rate of Occurrence (ARO). This term characterises, on an annualised basis, the frequency at which a threat is expected to occur. For example, a threat occurring once in 10 years has an ARO of 1/10 or 0.1; a threat occurring 50 times in a given year has an ARO of 50.0.

Exposure Factor (EF). This factor represents a measure of the magnitude of loss or impact on the value of an asset. It is expressed as a percent, ranging from 0 to 100, of asset value loss arising from a threat event.

Information Asset. This term, in general, represents the body of information an organisation must have to conduct its mission or business. A specific information asset may consist of any subset of the complete body of information, i.e., accounts payable, inventory control, payroll, etc.

Probability. This term characterises the chance or likelihood, in a finite sample, that an event will occur. For example, the probability of getting a 6 on a single roll of a dice is 1/6, or 0.16667. The possible range of probability values is 0.0 to 1.0. A probability of 1.0 expresses certainty that the subject event will occur within the finite interval. Conversely, a probability of 0.0 expresses certainty that the subject event will not occur within the finite interval.

Risk. The potential for harm or loss is best expressed as answers to these four questions:

  • What could happen? (What is the threat?)
  • How bad could it be? (What is the impact or consequence?)
  • How often might it happen? (What is the frequency?)
  • How certain are the answers to the first three questions? (What is the degree of confidence?)

The key element among these is the issue of uncertainty captured in the fourth question. If there is no uncertainty, there is no risk per se.

Risk Analysis. This term represents the process of analysing a target environment and the relationships of its risk-related attributes. The analysis should identify threat vulnerabilities, associate these vulnerabilities with affected assets, identify the potential for and nature of an undesirable result, and identify and evaluate risk-reducing counter-measures.

Risk Assessment. This term represents the assignment of value to assets, threat frequency (annualised), consequence (i.e. exposure factors) and other elements of chance. The reported results of risk analysis can be said to provide an assessment or measurement of risk, regardless of the degree to which quantitative techniques are applied.

Risk Management. This term characterises the overall process. The first phase, or risk assessment, includes identifying risks, risk-reducing measures, and the budgetary impact of implementing decisions related to the acceptance, avoidance, or transfer of risk. The second phase of risk management includes the process of assigning priority to, budgeting for, implementing, and maintaining appropriate risk-reducing measures. Risk management is a continuous process of ever-increasing complexity.

Safeguard. This term represents a risk-reducing measure that acts to detect, prevent, or minimise loss associated with the occurrence of a specified threat or category of threats. Safeguards are also often described as controls or counter-measures.

Safeguard Effectiveness. This term represents the degree, expressed as a percent, from 0 to 100, to which a safeguard may be characterised as effectively mitigating a vulnerability (defined below) and reducing associated loss risks.

Single Loss Expectancy or Exposure (SLE). This value is classically derived from the following algorithm to determine the monetary loss (impact) for each occurrence of a threatened event:

Asset Value x Exposure Factor = Single Loss Expectancy

The SLE is usually an end result of a business impact analysis (BIA). A BIA typically stops short of evaluating the related threats’ ARO or its significance. The SLE represents only one element of risk, the expected impact, monetary or otherwise, of a specific threat event. Because the BIA usually characterises the massive losses resulting from a catastrophic event, however improbable, it is often employed as a scare tactic to get management attention and loosen budgetary constraints, often unreasonably.

Threat. This term defines an event (e.g. a tornado, theft, or computer virus infection), the occurrence of which could have an undesirable impact.

Vulnerability. This characterises the absence or weakness of a risk-reducing safeguard. It is a condition that has the potential to allow a threat to occur with greater frequency, greater impact, or both. For example, not having a fire suppression system could allow an otherwise minor, easily-quenched fire to become a catastrophic fire. Both expected frequency (ARO) and exposure factor (EF) for fire are increased as a consequence of not having a fire suppression system.

Now the task includes the evaluation of the degree of risk reduction that is expected to be achieved by implementing the selected risk-reducing safeguards. The gross benefit less the annualised cost of safeguards selected to achieve a reduced level of risk yields the net benefit. Tools such as present value and return on investment are often applied to further analyse safeguard cost effectiveness.

The author is consultant, business solutions (IT Risk Management) at PricewaterhouseCoopers. He may be contacted at jaspreet.singh@in.pwc.com

 


UNSUBSCRIBE HERE
Untitled Document
© Copyright 2001: Indian Express Newspapers (Bombay) Limited (Mumbai, India). All rights reserved throughout the world. This entire site is compiled in Mumbai by the Business Publications Division (BPD) of the Indian Express Newspapers (Bombay) Limited. Site managed by BPD.