The first step in creating an effective plan to protect your business from potential disaster is to establish an understanding of your actual risks. Given the many types of disasters that could cause your business to cease operations, and the different ways you will need to respond to each one, it’s foolish to begin any planning without a proper Disaster Risk Assessment.
Your Disaster Risk Assessment will be the guide for your entire planning process. How do you make sure to do it right?
Your Disaster Risk Assessment breaks down into two distinct components: 1) disaster identification and your disruption threshold, and 2) your Risk and Business Impact Assessment. The result will be a list of potential disasters, ranked on a combination of their likelihood of occurring and the severity of the damage that would be caused to your business should they occur.
Your first step in this process is to identify the potential disasters that could occur and impact your business in any way. You should end with a detailed list of common threats to business continuity in the context of your business.
It bears mentioning that a disaster in the context of your Disaster Recovery Plan means more than what may initially come to mind. Most people tend to think of events that an insurance policy might consider an “act of God,” like a hurricane or a forest fire. However, in this context, “disaster” generally means any event that results in one or more of the following:
- One or more vital systems are offline, inaccessible, or not operational;
- Physical facilities are not available for an extended period of time, even if all systems are functional within it;
- Physical facilities are available, but all systems are non-functional; or
- Physical facilities and all systems are non-functional
As you can see, there are a wide variety of events that may result in one or more of the above definitions of a “disaster.” Among the types of events you should include in your Disaster Risk Assessment are:
- Environmental disaster (flooding, hurricane, fire, etc.);
- Hardware failure, or a network or server outage;
- Power outage;
- Cybercrime (ransomware, DDoS attack);
- Pandemic response;
- Terrorist attack;
- Human error; or
- Loss of business-critical third-party services (e.g. your data center).
Your Disaster Risk Assessment must also establish the type and scope of damage caused by a disaster that would be devastating to your business. Remember that the “damage” is the resulting impact to your business. “Office flooding” would be the disaster event, but “facilities temporarily inaccessible,” “documents and physical files destroyed,” and “local servers and network temporarily unavailable” would be the type and scope of the potential damage.
Your disruption threshold should establish a rating system for the amount of damage your business can absorb before the disruption would cause you to cease operations. I generally recommend at least four levels of potential disruption, but I have seen successful plans that rely on as few as three and as many as seven.
At the very least, you should determine what kind of damage would have essentially no significant impact on operations, what kind of damage would impact operations but not disrupt any essential operations, and what kind of damage would bring your business to a complete halt (regardless of duration).
Your Disaster Risk Assessment Matrix
Rank the disaster events you have identified based on a combination of their likelihood to occur and the potential damage they could cause using a Disaster Risk Assessment Matrix. For an example of a Disaster Risk Assessment Matrix, see below:
Business Impact Analysis
The result of your Disaster Risk Assessment Matrix is a list of potential disasters, ranked based on a combination of their likelihood to occur and the potential impact they would have on your business.
Your approach to your Plan should focus first on those disasters with the highest rating in the Disaster Risk Assessment Matrix. Your Plan should provide for every potential disaster you identified as capable of impacting your business; however, the extent and complexity of your Plan will depend on your company’s size and available resources.
Your first priority is to ensure that your Plan addresses disasters that are more likely to cause your business devastating harm. Depending on your available time and resources, you should work your way down the list.
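The matrix and the disruption-threshold scale described above can be kept as a small, repeatable calculation rather than a one-off spreadsheet. The script below is an added example written for this page, not a tool from the original article: it scores each identified event as likelihood × disruption level, lays the events out on a likelihood-by-impact grid, and orders them for planning with the most devastating events first when scores tie. The four level names, the 1-to-5 likelihood scale, the event ratings and the `DisasterEvent`, `rank_events` and `risk_matrix` names are all assumptions made for the example; the sample register is constructed, not data from the article.

```python
from dataclasses import dataclass

# Four disruption levels, following the scale the article recommends.
# The wording of each level is an assumption made for this example.
DISRUPTION_LEVELS = {
    1: "no significant impact on operations",
    2: "operations affected, but no essential operation disrupted",
    3: "one or more essential operations disrupted",
    4: "business comes to a complete halt",
}

# Likelihood scale (assumption): 1 = rare ... 5 = almost certain.
LIKELIHOOD_MAX = 5


@dataclass(frozen=True)
class DisasterEvent:
    name: str
    likelihood: int  # 1..LIKELIHOOD_MAX
    impact: int      # disruption level, 1..4
    damage: tuple    # type and scope of damage, as in the article's flooding example

    def __post_init__(self):
        # Reject ratings outside the agreed scales so a typo cannot silently
        # push an event up or down the ranking.
        if not 1 <= self.likelihood <= LIKELIHOOD_MAX:
            raise ValueError(f"{self.name}: likelihood must be 1..{LIKELIHOOD_MAX}")
        if self.impact not in DISRUPTION_LEVELS:
            raise ValueError(f"{self.name}: impact must be one of {sorted(DISRUPTION_LEVELS)}")


def risk_score(event):
    """Combined rating: likelihood of occurrence times disruption level."""
    return event.likelihood * event.impact


def rank_events(events):
    """Highest risk first; ties broken by impact so that an event that can
    halt the business outranks an equally scored but milder one."""
    return sorted(events, key=lambda e: (risk_score(e), e.impact), reverse=True)


def risk_matrix(events):
    """Return {(likelihood, impact): [event names]} for every cell of the grid,
    including empty cells, so the full matrix can be rendered or audited."""
    grid = {(lk, im): [] for lk in range(1, LIKELIHOOD_MAX + 1) for im in DISRUPTION_LEVELS}
    for e in events:
        grid[(e.likelihood, e.impact)].append(e.name)
    return grid


def render_matrix(events):
    """Text rendering: rows are likelihood (high to low), columns are impact level."""
    grid = risk_matrix(events)
    lines = ["likelihood \\ impact | " + " | ".join(str(im) for im in DISRUPTION_LEVELS)]
    for lk in range(LIKELIHOOD_MAX, 0, -1):
        cells = [", ".join(grid[(lk, im)]) or "-" for im in DISRUPTION_LEVELS]
        lines.append(f"{lk:>19} | " + " | ".join(cells))
    return "\n".join(lines)


# Constructed sample register. The ratings are illustrative assumptions,
# not figures from the article; a real assessment would set them per business.
SAMPLE_EVENTS = [
    DisasterEvent("Office flooding", 2, 3, ("facilities temporarily inaccessible",
                                            "documents and physical files destroyed",
                                            "local servers and network temporarily unavailable")),
    DisasterEvent("Ransomware", 4, 4, ("vital systems offline", "data inaccessible")),
    DisasterEvent("Power outage", 4, 2, ("local systems offline for hours",)),
    DisasterEvent("Hardware failure", 5, 2, ("single server unavailable",)),
    DisasterEvent("Data center provider loss", 1, 4, ("all hosted systems non-functional",)),
    DisasterEvent("Human error", 5, 1, ("minor data loss, restored from backup",)),
    DisasterEvent("Terrorist attack", 1, 4, ("facilities and systems non-functional",)),
]

if __name__ == "__main__":
    for e in rank_events(SAMPLE_EVENTS):
        print(f"{risk_score(e):>2}  L{e.likelihood} I{e.impact}  {e.name}")
    print(render_matrix(SAMPLE_EVENTS))
```

With the sample ratings, ransomware (4 × 4 = 16) heads the list and the two low-likelihood, complete-halt events share the bottom score of 4. That tail is exactly the case the article warns about: a low combined score does not mean a low-impact event, so the impact column should still be read on its own before deciding how basic a plan for those events may be.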
Creating Your Disaster Response Plan
Generally speaking, it is better to have a thorough Plan than a basic one, and better to have a basic Plan than none at all. As such, it is probably better that you have a basic Plan in place for any potential disasters than to have complex plans just for the top two or three.
However, as with all generalities, exceptions will exist, and you may need to make a decision whether having a robust plan for a likely type of disaster is more important than having a basic plan for a situation that is unlikely to occur.
Begin your disaster response planning based on the ratings you give to each event, starting with those most likely to cause devastating disruptions to your business. Keep in mind, though, that even a minor disaster can be catastrophic to a business that failed to anticipate its occurrence and plan for how to recover.