Don’t Let a Disaster Shut You Down: How Risk Management Can Keep You Operating

Having a disaster recovery plan means different things to different people.

For some, it’s getting the lights turned back on as soon as possible. For others, it’s making sure customer phone calls and email messages are answered. And for many, it’s knowing who is supposed to do what when things hit the fan.

The common theme running through all these goals is this: having a tested risk management plan in place will help you meet all these goals, and more.

Knowing a disaster is about to happen is luck, and technology – think hurricanes, electrical storms, that sort of thing. In many cases, experts can provide advanced warning for potential danger. But many disasters are unforeseen, such as tornados, riots, and earthquakes. Therefore, building a disaster recovery plan relies on this adage: Hope for the best but prepare for the worst.

You can recover from a disaster, but you must have a plan already in place to do so.

The Need for Risk Assessment

If you don’t have a disaster recovery plan, then you need to build one from scratch. At this point, your needs are the same as a firm with a well-honed plan in place: If something goes wrong, what do you have to do, who will do it, and how does it need to be done?

When you conduct a risk assessment, you look at several things:

  • What are the critical assets in your company?
  • What are the specific threats to those assets?
  • How effective are those assets in downtime?
  • What is the risk correlation to those assets and the threats they face?

What Risk Assessment Tells You

Once you’ve identified these specific risk issues, you need to be sure you review them on an annual basis because of changes to policies, technology, and processes. Even though those changes are part of normal business operations, these changes can drastically affect how well something will work during a disaster situation.

You need to ask yourself, what part of your business is THE most critical? What are you going to do in the event of X, Y or Z happening? Building that disaster recovery plan helps you recognize and address where you have shortcomings.

Running a risk assessment means going through your business, layer by layer, and looking at the different processes you have in place and really understanding how they interact (or don’t). Once you have data, you need to understand what’s changed policy-wise since the last time you ran an assessment, such as firewall requirements, VPN adoption, and more. Those updates may have altered how those interactions work, without your knowledge.

Documentation is Key

Developing a disaster recovery plan is about process, process, process. Your organization should have something in place that says, for example, “if I’m making a firewall change, I must have a second set of eyes look at it to make sure it passes the sniff test.”

Anytime there are security process updates, policy changes, etc., you need justification and documentation. Why were changes made, what changes were made, and how do those changes affect the systems currently in place?

Documentation also requires that someone other than the requestor of the change reviews the changes and understands the potential impact.

The process of documenting all changes that occur during the year will help highlight issues that need to be addressed before a disaster.

Consider:

  • What upgrades were made to the system?
  • What patches were released and to which system?
  • Are all the monitors on the same system?
  • Are the back-ups automatically slated to kick in when needed; and
  • What physical equipment was replaced during the year and why.

Use Communications to Mitigate Customer Impact

The quicker you recover, the quicker you communicate and inform everybody that needs to be informed, the better off you’re going to be. In the end, this allows you to fully inform customers and stakeholders of an outage event

Having a strong communication strategy built into your disaster recovery plan can mitigate the financial impact of a disaster, as well as the operational impact, because everyone on your team and in your organization knows who is in charge and what their individual responsibilities are. You eliminate confusion, panic, and overlap which, in turn, helps you better manage the customer impact.

When a disaster strikes a team with no plan for communication strategy, the situation will likely devolve into chaos almost immediately. Therefore, it’s crucial, from an operational standpoint, to be sure the team know who’s responsible for what, and their role in helping work through a disaster or outage.

Things to Consider

  • Is there a phone/call chain to follow in a disaster?
  • Does everyone have a copy of the phone chain?
  • Who are the back-up personnel if someone on that phone chain can’t be reached?
  • Who assumes operations control of a facility in a disaster?
  • Who fields calls and emails from customers?
  • What is the message to those customers?
  • If one facility is off-line, will calls automatically roll over to a different facility?

The list goes on.

The whole process of mitigating the customer impact is about ensuring that the needed personnel and resources are available in a situation because your goal is to maintain the same level of security, no matter what’s happened. You don’t want anything to escalate out of your control. Building a communication strategy into your disaster plan helps you properly control what you can control in an uncontrollable situation.

The best way to be ready for a disaster is to have a security program in place. This helps mitigate some of the things that can happen, because usually, if you prepare ahead of time, you’re in a better situation when something does occur.