Risk Assessment: 3 Key Starting Points for Effective Business Impact Analysis
No venture is without risk. Assessing and managing risk and its potential impact on business is a critical role of business leaders. With the world becoming increasingly digital, IT departments must manage and mitigate more and more risk using both new technology and improved processes and practices. The varied risks to critical IT systems and data continue to evolve along with our political, economic, and environmental landscapes.
Put simply, a risk assessment identifies which risks your organization should prepare for. A business impact analysis then predicts how much disruption each type of risk could cause to your continued ability to do business. I want to discuss the three key areas of risk, from an IT perspective, that all leaders should be assessing and managing in their business impact analysis plan.
1. Unplanned Downtime
In our current always-on business world, unplanned downtime impacts business not just in the form of lost revenue or lost productivity, but also in customer confidence and loss of reputation. Consumers have many options and may quickly switch to a competitor if your business is down, leading to a loss of new and longtime customers alike.
The causes of unplanned downtime can range from natural disasters to a system administrator entering the wrong command to a cybercriminal exploiting a system vulnerability. The likelihood of any of these types of events happening to your business depends on many factors including your industry, your geographical location, and your preparedness, to name just a few.
Assess the risks of downtime to your organization by asking the following questions:
- What is the likelihood of each specific type of natural disaster impacting our organization?
Keep in mind that, even if a natural disaster does not impact your business physically, it may impact an entire region with loss of services such as power, communications, and other utilities.
Examples of natural disasters with debilitating business impact include:
Each of these natural disasters could result in massive disruptions to entire regions. Knowing which disasters are likely to have the biggest impact on your organization is an essential step in assessing risk and informing your business impact analysis.
- Does my organization have best practices in place to prevent human error from impacting systems?
System updates and other common maintenance activities can often turn into unplanned downtime when they are not tested in isolated environments first. What may seem like a harmless patch may have unintended compatibility issues with other systems and bring down your entire production site. Using best practices such as testing all patches and updates prior to production rollout can greatly reduce the risk of unplanned downtime.
- Is my business following security best practices for reducing downtime in the event of a cyberattack?
Cyberattacks, which we’ll discuss in more detail later, come in many forms, and some, such as ransomware or distributed denial of service (DDoS) attacks, can cause unplanned downtime among other potentially disastrous business impacts. Following security best practices and deploying security and recovery solutions can significantly reduce the risk and impact of cyberattacks.
2. Data Loss
Like unplanned downtime, data loss is an unplanned result of some disaster-level event. Whether the data is lost through accidental user error, a malicious cyberattack, or a natural disaster, data loss can come with heavy costs in terms of lost assets and productivity. This is particularly true if you are one of the many organizations whose data and digital assets have as much value as, or more value than, their physical assets.
Unlike downtime, the risk of data loss depends less on the type of disaster than on the data protection solutions already in place. Data loss is often measured in time because, in a disaster scenario, the data lost is whatever has not yet been protected: all data created after the last backup, replication, or snapshot. No platform, not even the cloud, can fully eliminate data loss, but the right solution can reduce it to a matter of seconds rather than the hours of lost data that come with many data protection solutions.
Consider the following questions when assessing your risk for data loss:
- How valuable is your data?
Not all data will have the same value. Some data may be extremely valuable intellectual property, and other data may have a mundane administrative purpose and can easily be replaced. Data should be assessed as to its value, and this will help determine the level of data protection it should receive.
- Where is your data physically located?
Data may be stored in different physical locations and on different types of data storage. The physical location of data may make it more vulnerable to specific disasters, especially natural disasters. If data storage can be physically destroyed by certain types of disasters and if your data backups or replicas are not located at a sufficient geographical distance, those backups may also be in danger from the same disaster. If your data is stored in the cloud, understand the physical locations of the cloud datacenters where your data physically resides and what the threats could be in those geographical regions.
- How much data could be lost?
Assess your current data protection strategy by determining your current recovery point objective (RPO), which tells you how much data you stand to lose in a disaster. Many solutions are based on traditional backup technologies and may only be protecting your data every 6 to 12 hours. That means you could lose 6 to 12 hours of data with this type of solution in place, and that assumes you can successfully recover from that last backup. Knowing how much data could be lost, and the value of that data, can help in determining your best data protection strategy for the future.
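The RPO check described above, as an added example that is not part of the original article: it reads a constructed backup-job log (the log format and job names are assumptions, not any vendor's output), counts only successful jobs as protection points, and reports the worst-case data-loss window against the RPO target. It also shows why "assuming you can successfully recover from that last backup" matters: one failed nightly job doubles the exposure of a nominal 12-hour schedule.

```python
from datetime import datetime, timedelta

# Constructed sample job log, not output of any real product. Columns: timestamp, job, status.
# Note the FAILED nightly full on 2024-03-02: the schedule says "every 12 hours",
# but the data that job should have protected has no recoverable copy.
JOB_LOG = """\
2024-03-01T00:00:00 nightly-full ok
2024-03-01T12:00:00 midday-incr  ok
2024-03-02T00:00:00 nightly-full FAILED
2024-03-02T12:00:00 midday-incr  ok
2024-03-03T00:00:00 nightly-full ok
"""

def parse_protection_points(log: str) -> list[datetime]:
    """Timestamps of successful protection points only; a failed job counts for nothing."""
    points = []
    for line in log.splitlines():
        ts, _job, status = line.split()
        if status == "ok":
            points.append(datetime.fromisoformat(ts))
    return sorted(points)

def loss_hours_at(log: str, disaster_iso: str) -> float:
    """Hours of data lost if a disaster strikes at disaster_iso: everything created
    since the last successful protection point before it. inf if there is none."""
    disaster = datetime.fromisoformat(disaster_iso)
    earlier = [p for p in parse_protection_points(log) if p <= disaster]
    if not earlier:
        return float("inf")
    return (disaster - earlier[-1]).total_seconds() / 3600

def worst_case_loss_hours(log: str, now_iso: str) -> float:
    """Delivered RPO: the widest gap between consecutive successful points, or from
    the last point to now, whichever is larger. This is the RPO you actually have,
    not the one the backup schedule promises."""
    points = parse_protection_points(log)
    if not points:
        return float("inf")
    points.append(datetime.fromisoformat(now_iso))
    gaps = [(b - a).total_seconds() / 3600 for a, b in zip(points, points[1:])]
    return max(gaps)

def rpo_report(log: str, rpo_hours: float, now_iso: str) -> dict:
    """Compare delivered protection against the RPO target the business chose."""
    worst = worst_case_loss_hours(log, now_iso)
    return {"worst_case_loss_hours": worst, "rpo_hours": rpo_hours, "meets_rpo": worst <= rpo_hours}

if __name__ == "__main__":
    print(rpo_report(JOB_LOG, 12, "2024-03-03T06:00:00"))
```

Run against a real job history, the same report exposes where the delivered RPO drifts from the target, which is the number to carry into the business impact analysis.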
3. Cyberattacks
Cyberattacks can result in downtime, data loss, and other financial damage like loss of customer confidence or even lawsuits over stolen customer data. One of the leading cyberattacks facing all industries is ransomware. Ransomware can result in both unplanned downtime and data loss, often disrupting an organization’s operations for hours or days.
Unlike natural disasters, cyberattacks are a constant, persistent threat with attacks occurring every few seconds worldwide. Some of these attacks are launched directly against your IT infrastructure, while others may be hiding on websites that can exploit your users. Unlike natural disasters, cyberattacks can often be prevented by following security best practices and can be recovered from quickly with good security solutions in place.
Even though most cyberattacks may be preventable, a single careless user action can unleash a cyberattack like ransomware that will swiftly infiltrate your system. Many high-profile ransomware attacks in the news lately showcase the long disruptions and great financial costs to organizations hit by these attacks. From a risk assessment standpoint, your organization must focus on both prevention and recovery—the eventuality of a cyberattack should be considered as when, rather than if.
Use the following questions to assess risk for cyberattacks:
- What kinds of cyberattacks would be most likely to target my organization?
All organizations differ in how they use digital services and data. Cyberattacks such as distributed denial of service (DDoS) might target organizations with large online services. Cyberattacks designed to steal data may target retailers who store personal customer data, including credit card information. Unfortunately, no organization is exempt from a potential ransomware attack; these attacks seem to target all types of businesses across every industry. Knowing which threats are most likely to target your organization is the first step in planning both for prevention and for recovery.
- Is your current cybersecurity plan adequate for the current threats?
Assess your current cybersecurity measures to make sure they are up to date with industry best practices and tailored to prevailing threats. Cybersecurity plans can become out of date quickly without proper testing, maintenance, and training.
- Is my data protection and recovery plan adequate for a ransomware attack?
Ransomware has changed the landscape of cybersecurity, including data recovery. Data protection and cybersecurity have likely been treated as separate solutions in the past, but data recovery is now at the forefront of ransomware resilience. More traditional data protection and backup solutions are simply too slow to let your organization recover from ransomware effectively, so it is likely time to re-evaluate your data protection strategy.
Business Impact Analysis
Business Impact Analysis (BIA) is the next step in risk management, both during and after risk assessment. Having identified the potential risks, BIA looks at the potential for business disruption and at the costs if a risk becomes a reality. Both risk assessment and BIA work together to help inform your risk management strategy so that you focus on those areas of risk with the highest potential business impact.
Business impact may include downtime or other business disruptions, loss of data or other assets, loss of productivity, loss of reputation, loss of revenue, and so forth. Once you understand the business impact, you can determine what level of investment is needed to mitigate that impact and select the best solutions for protection, resilience, and disaster recovery.
BIA and risk assessment are complementary processes essential to your organization’s disaster recovery planning. Understanding potential business impact may, for example, help you assess the greatest risks, such as how likely your business is to be targeted by specific types of man-made disasters or cyberattacks. Find out more about risk assessment, BIA, and the other essential steps for disaster recovery in our comprehensive disaster recovery guide.