In assessing risks, it’s also important to understand the importance of manual work-arounds. “Right-sizing is really important. Payroll may say that if the payroll system fails on Tuesday, they can’t pay anyone on Thursday,” Cohen says. “But actually they could make copies of last week’s pay stubs and use those until the system is up and running. That stretches their recovery time to a week or more.”
Some of these processes may already be in place. “An executive may tell you that sales can’t be without their systems for more than a half hour,” Cohen says. “Then you talk with the salespeople, and they say, ‘Oh, we have outages longer than that all the time. We know what to do.’” The lesson: You have to talk to a lot of people.
Be aware of the tendency of many departments to label their functions mission-critical. That’s why, after mapping out processes and risks with each business unit, it’s essential to go back to senior management for a reality check on what really is a Tier 1 process and what is more likely Tier 2 or 3. “We call it the management filter,” Protiviti’s Porier says.
Staging the Alternatives
A thorough understanding of the business and all its dependencies leads to cost-effective business continuity strategies. “You can replicate in real time, electronically vault to another site, or use the old standby: recovery from magnetic tape. The more redundant and available a system is, the more expensive it is,” Porier says. The practice is usually to price options that meet the risk profile and then price solutions a little ahead and a little behind to assess cost/benefit implications. “Everything is critical when recovery costs a penny,” Unisys’ Dillman says. “When it costs $10 million, certain things suddenly become less critical.”
It’s also important to model alternative processes, such as telecommuting, that might occur during an incident. A perfect example is having sufficient remote access capacity in place for situations in which a large portion of your staff will be working at home. And consider staff dispersion and cross training to ensure that alternate staff can do what has to be done to keep the business running.
Finally, the business model is never static, so it’s important to keep the model current to prevent any devastating surprises when an outage actually occurs.