Business Continuity Best Practices - Featured Article
Business Continuity Testing Starts With The Risks
by Albert Streeb
All business continuity analysis should be risk based and risk prioritised, so that the most important business risks are dealt with first. This means that every risk to your business needs to be identified, examined and given a treatment. There are four options for dealing with each risk:
1. Reduce the risk.
Reducing the risk falls into two categories: reducing the likelihood of the problem occurring, and reducing the impact of the problem if it does happen. A simple example is that a fire alarm reduces the likelihood of a fire spreading unseen, while a sprinkler system reduces the impact of the fire once it has started.
Reducing the risk is often referred to as mitigation. Data backups are a form of mitigation: they reduce the impact if a problem occurs which affects the primary data source. Any mitigating action requires testing to provide assurance that it works when required; a backup that has never been restored is an assumption, not a control.
2. Transfer the risk.
This is an interesting option which may be seen as a get-out, but which is a perfectly valid thing to do. By transferring a risk it becomes someone else's responsibility to handle, and you therefore have the risk covered. We are not talking about blaming someone else, or even transferring the risk to someone else in the company: the transfer is to an outside party, typically under a contract or an insurance policy.
For example, there could be a risk that office space will not be available in the case of a disaster in the main location. The risk can be transferred to a third party company which organises office space for disaster recovery and keeps offices available for companies who need such a recovery service. Note that the transfer covers the consequence, not the accountability: you still need to confirm the third party can actually deliver when invoked, which is why transferred risks are tested alongside mitigated ones.
3. Accept the risk.
By accepting the risk of a potential problem you are at least aware of its existence and can plan for it happening. If it is a risk whose impact would be tolerable for an acceptable period of time it should still be recorded, but you may decide to take no action until it occurs.
Almost by definition, accepting a risk also reduces its impact, because you are aware of the potential problem and can write the response to it into your business continuity plan rather than improvising on the day.
4. Ignore the risk.
This option should never be selected. There is never a reason for ignoring a risk once it has been identified. A risk can be accepted (acknowledged and recorded) but must never be ignored; the difference is that an accepted risk has an owner and a documented decision, whereas an ignored one has neither.
Once the treatment for each risk has been decided, anything put in place to help cope with that risk needs testing. However, many companies either test nothing at all or try to test every facet of the business continuity plan. Both approaches are doomed to failure: the first gives no assurance, and the second is too expensive to complete and repeat. The answer is to adopt a risk based testing approach from two perspectives: first, that the business continuity plan is fit for purpose, and second, that it will work when invoked.
A health check (testing that the plan is fit for purpose) needs to be performed by someone other than the authors of the business continuity plan. Ideally it is performed by an independent third party that specialises in testing business continuity plans, but it could be a disinterested party from another part of the company. Independence is essential here: the authors will tend to confirm their own assumptions, and an objective assessment requires someone with no stake in the plan being found adequate.
Testing that the plan will work when invoked must be viewed in a business context, with the elements of the plan prioritised so that the risks with the greatest combination of business impact and likelihood are tested first. This approach, and the techniques to perform business continuity testing in a cost effective manner, are the subject of other articles.
Copyright Acutest UK 2006 -
http://www.acutest.co.uk
About the author: Albert Streeb is an experienced practitioner of business continuity testing at Acutest, an independent consultancy specialising in business continuity assurance and software testing services. For more information on this topic visit http://www.acutest.co.uk or send an email to enquires@acutest.co.uk