Identifying Facilities and Supplies Needed to Maintain Business Operations

Accidents and disasters happen, some of which can be so catastrophic that a business can stop functioning. Ensuring a business can continue to function even after a catastrophe requires planning.

Several steps can be taken in the planning process. These include:

  • Mission-critical systems and applications identification
  • Business impact analysis planning
  • Business continuity planning
  • Disaster recovery planning
  • Business liability insurance planning
  • Asset replacement insurance planning

Mission-Critical Systems and Applications Identification

A primary step in any planning is to identify which systems and applications are mission critical. A mission-critical system is any system that must continue to run to ensure a business continues to function. Similarly, a mission-critical application must also continue to run to ensure a business continues to function.

Determining what is mission critical is impossible without first understanding how an organization operates. For example, suppose salespeople within a company sell products directly to customers, and customers submit orders over the phone or in person. Salespeople then enter each order into an application connected to a back-end database. In this example, the mission-critical elements are the salespeople, the phone, the application, and the back-end database.

By contrast, suppose a second company sells the same products as in the previous example, but its customers are able to place their orders directly through a website. In addition, they can send orders to salespeople via email, and the salespeople then enter the orders into an application. This application is connected to the same database that the website uses. Customers can also phone orders in, but they do so less than 10 percent of the time. In this example, the organization has more mission-critical systems than in the first example. The salespeople, the phone, the application, and the back-end database are still mission critical, but the website application and email would also be mission critical.

The point to remember here is that the importance of a system is determined by how it’s used. One organization may consider a specific system mission critical, whereas another organization may consider the same system disposable.

Business Impact Analysis Planning

A business impact analysis (BIA) identifies the impact of a sudden loss of business functions. The impact is often quantified in a cost. Both direct and indirect costs are used to calculate the impact. Direct costs are the immediate loss of sales or the expenses related to recovering from the loss. Indirect costs are related to the loss of customer confidence.

The BIA provides an analysis of the effect of a loss of specific IT services. For example, a BIA can be used to determine the impact of a loss of email or a specific database. The BIA also helps an organization determine the minimum set of services required for the company to continue to operate.

For example, remote users may use VPN technologies to connect to the private network from remote locations. What is the impact on the business if VPN services stop? A BIA could be completed to make that determination.

Other methods may be available for remote users to connect to the company. For example, remote users may still have access to email using a webpage, and remote salespeople may still be able to place orders using the phone. The BIA could determine that, although the VPN services are valuable, their loss would have minimal impact on the overall mission of the company.

On the other hand, a BIA for email services may determine that the loss of email would have a significant impact on the company. Email may be used for customer contact, project tasking, tracking, and other important communications.

When completing a BIA, the following steps would be taken:

  • Defining the scope—The scope of a BIA is limited to specific IT systems. For example, the BIA could examine the impact of the loss of email or a website. If the scope is limited to loss of email, loss of additional IT services should not be included. Defining the scope early in the project reduces the possibility of scope creep. A BIA can also be performed for a total loss of services at a specific location. For example, a company could have multiple locations, one of which could be in an earthquake or hurricane zone. The BIA could determine the impact if a disaster caused a total loss of services from that location.
  • Identifying objectives—BIA objectives are related to the scope of the BIA. The objectives identify specifically what the BIA should achieve. For example, a BIA task may include the following objectives:
    • Determining the direct impact of the loss of email services for one business day
    • Determining the indirect impact of the loss of email services for one business day
    • Calculating the impact of the loss of email services for three business days
    • Calculating the impact of the loss of email services for five business days
  • Identifying mission-critical business functions and processes—Not all business functions and processes are mission critical. Some functions are convenient and help productivity, but the mission could still survive without them. The BIA separates the critical from the noncritical functions.
  • Mapping business functions and processes to IT systems—This step can be easy or complex. For example, if the BIA analyzes email services served by one email server, the IT system is the email server. On the other hand, if an organization uses Microsoft SharePoint to increase collaboration among employees, the analysis can be complex. A SharePoint solution can include web servers, file servers, and database servers. Documentation on the IT systems will help in completing this step.

NOTE

The BIA is an important part of a business continuity plan and can also be part of a disaster recovery plan (DRP).

The result of the BIA is a BIA report, which documents the findings of the analysis. It often includes direct and indirect costs, maximum acceptable outage, and materials or resources needed for recovery.

Business Continuity Planning

A business continuity plan (BCP) is a document used to help a company plan for a disaster or an emergency. The goal is to ensure that the critical operations of an organization continue to function. The BCP includes procedures and instructions used to restore operations in the event of a disaster.

When completing a BCP, the following steps would be taken:

  1. Identifying the scope
  2. Identifying key business areas
  3. Identifying critical functions
  4. Identifying dependencies between key business areas and critical functions
  5. Determining acceptable downtime
  6. Creating a plan to maintain operations

Details from a BIA report help in the creation of the BCP. The BIA and BCP are commonly completed in conjunction with each other.

The BCP includes specific steps that can be taken for different phases. The content of the phases is dependent on the disaster. For example, plenty of warning is given for a hurricane. One phase might be 72 hours before its arrival, and another phase might be 36 hours before. However, an earthquake or a fire wouldn’t include these same phases.

BCP phases include the following:

  • Notification/activation phase—Assessment teams are activated to respond to the emergency. These teams can be activated before the emergency in some situations, such as with a hurricane. For more immediate emergencies, such as a fire, the notification is done when the emergency occurs. The goal of this phase is to take steps to continue operations.
  • Recovery phase—During this phase, the damage is assessed. If any losses are incurred, immediate steps can be taken to recover the systems. The focus in this phase is on the mission-critical systems.
  • Reconstitution phase—During this phase, the organization returns to normal operations. If any mission-critical systems were kept operational using recovery operations, they can be normalized. For example, operations that were moved to an alternate server during the recovery phase can be returned to the original server. Non–mission-critical systems can be returned to operation in this phase.

Disaster Recovery Planning

A disaster recovery plan (DRP) includes the details needed to recover a system from a disaster and provides the details necessary to respond immediately to a disaster. A DRP is included as part of a BCP.

Sometimes, the terms BCP and DRP are used interchangeably. However, they are separate. The differences are worthwhile to note:

  • BCP—The BCP is an overall plan used for emergency response. It identifies the critical systems for an organization, including acceptable downtimes. The BCP includes BIAs and DRPs for individual IT systems.
  • DRP—The DRP is a key component of a BCP. It includes the details needed to recover one or more systems after a disaster. For example, a fire may have destroyed several servers in a server room. The DRP identifies the steps needed to recover the servers, including restoring data from backups.

BCP Versus DRP

Some documentation indicates that a BCP and a DRP are the same thing, but they are not. Although they are commonly used together, each provides different value.

When studying for the International Information System Security Certification Consortium, or (ISC)², Certified Information Systems Security Professional (CISSP) and Systems Security Certified Practitioner (SSCP) exams, remembering that a BCP and DRP are not the same is important. One domain of the CISSP exam is Business Continuity and Disaster Recovery Planning, which separates BCP and DRP topics, and the exam taker is expected to know the differences. Similarly, the SSCP exam includes separate objectives for BCP and DRP topics.

NIST published SP 800-34, Contingency Planning Guide for Information Technology Systems, which provides the following definitions:

  • Business continuity plan (BCP)—“The documentation of a predetermined set of instructions or procedures that describe how an organization’s mission/business processes will be sustained during and after a significant disruption.”
  • Disaster recovery plan (DRP)—“A written plan for recovering one or more information systems at an alternate facility in response to a major hardware or software failure or destruction of facilities.”

These definitions show that a BCP has a wider scope than a DRP. A BCP helps an organization continue to operate, and a DRP focuses on recovering one or more systems after a major failure.

Note that a system may be restored but still not be able to perform mission-critical operations. For example, suppose a fire destroys a building. A single database server may be restored, including its data from off-site backups. However, restoring this server won’t necessarily restore all the critical operations.

Business Liability Insurance Planning

The primary risk management techniques are avoiding, sharing or transferring, mitigating, and accepting. Risk can be shared or transferred by outsourcing and purchasing insurance. Business liability insurance is used to protect an organization from lawsuits and covers the company for damages from a lawsuit along with legal costs.

Three primary types of business liability insurance exist. The type of insurance needed depends on the function of the business. The types of liability insurance are:

  • General—Most organizations will purchase general insurance. It provides protection against injury claims and property damages, which provides an overall umbrella of insurance covering most lawsuits. It may be all that an organization needs.
  • Professional—This type of insurance protects the company if an employee provides faulty or inaccurate advice. It includes protection against malpractice, errors, and negligence. A company providing IT services to other companies may need this.
  • Product—This type of insurance protects the company if a customer becomes injured because of using its product. For example, batteries in mobile computers can cause risks. This insurance would provide protection if a faulty battery caused a fire.

Asset Replacement Insurance Planning

Another type of insurance that can be purchased is asset replacement insurance, which is intended to replace assets damaged from a disaster. This insurance is usually purchased in conjunction with other steps to prevent a disaster.

For example, an organization may want to protect itself from fire damage. It can install fire suppression equipment and place portable fire extinguishers throughout the building. However, despite best efforts, fires might still occur.

Fire insurance can help a company replace assets if a fire causes damage. Other types of insurance that provide protection for assets include:

  • Flood insurance
  • Hurricane, wind, tornado, or other weather insurance
  • Life insurance for certain people, such as key officers

The insurance purchased depends on many factors, which include the value of the organization’s assets. For inexpensive assets, the cost of the insurance isn’t justified. The insurance could cost more over several years than replacing the product. The insurance purchased also depends on the relevant risks. For example, hurricane insurance is relevant for coastal states, such as Florida, Louisiana, and Texas, but is not relevant for landlocked states, such as Iowa or Ohio.
