Handbook of Information Security Management:Risk Management and Business Continuity Planning



CONDUCTING THE BIA

When actually explaining the intent of the BIA to those being interviewed, the following concepts should be observed and perhaps discussed with the participants:

  Intelligent Questions Asked of Knowledgeable People — Based loosely on the concept that if you ask enough reasonably intelligent people a consistent set of measurable questions, you will eventually reach a conclusion that is more or less the correct one. The BIA questions serve to elicit qualitative results from a number of knowledgeable people. The precise number of people interviewed obviously depends on the scope of the BCP activity and the size of the organization. However, when a well-developed set of questions is consistently directed to an informed audience, the results will reflect a high degree of reliability. This is the point of conducting a qualitatively oriented BIA: ask the right people good questions, and you will come up with the right results!
  Ask to Be Directed to the Correct People — As the interview unfolds, it may become evident that the interviewee is the wrong person to be answering the questions. You should ask who else within this area would be better suited to address these issues. They might be invited into the room at that point, or you may want to schedule a meeting with them at another time.
  Assure Them That Their Contribution Is Valuable — A very important way for you to build the esteem of the interviewee is to mention that their input to this process is considered valuable, as it will be used to formulate strategies necessary to recover the organization following a disruption or disaster. Explaining to them that you are there to help by getting their business unit’s relevant information for input to planning a recovery strategy can sometimes change the tone of the interview positively.
  Explain That the Plan Is Not Strictly an IT Plan — Even if the purpose of the BIA is IT recovery, when interviewing business unit management for the process of preparing a technological platform recovery plan, it is sometimes useful to couch the discussion in terms of … “a good IT recovery plan, while helping IT recover, is really a business unit plan.” Why? Because the IT plan will recover the business functionality of the interviewee’s business unit as well, and that is why you are there.
  Focus on Who Will Really Be Exercising the Plan — Another technique is to mention that the recovery plan that will eventually be developed can be used by the interviewees, but is not necessarily developed for them. Why? Because the people that you are talking to probably already understand what to do following a disaster, without referring to extensive written recovery procedures. But the fact of the matter is that following the disruption, these people may not be available. It may well be the responsibility of the next generation of management to recover, and it will be the issues identified by this interviewee that will serve as the recovery road map.
  Focus on Time-Critical Business Functions or Processes — As the BIA interview progresses, it is sometimes necessary to step back and reinforce the concept that the interest is in identifying time-critical functions and processes, not in cataloging everything the business unit does.
  Assume Worst-Case Disaster — When faced with the question “When will the disruption occur?”, the answer should be, “It will occur at the worst possible time for your business unit. If you close your books on 12/31, and you need the computer system the most on 12/30 and 12/31, the disaster will occur on 12/29.” Only by measuring the impacts of a disruption at the worst time can the interviewer get an idea of the full impact of the disaster and ensure that the impact information can be meaningfully compared from one business unit to the next.
  Assume No Recovery Capability Exists — In order to reach comparable results, it is essential that you insist that the interviewees assume no recovery capability will exist as they answer the impact questions. The reason is that when they attempt to quantify and/or qualify the impact potential, they may confuse a preexisting recovery plan or capability with the absence of impact, and that is incorrect. Whatever the existing recovery capability, the impact of a loss of services must be measured in raw terms so that, as you compare the results of the interviews from business unit to business unit, the results are comparable (apples to apples, if you will).
  Order of Magnitude Numbers and Estimates — The financial impact information is needed in order-of-magnitude estimates only. Do not get bogged down in minutiae, as it is easy to get lost in the detail. The BIA process is not a quantitative risk assessment! It is not meant to be. It is qualitative in nature and, as such, order-of-magnitude impacts are completely appropriate and even desirable. Why? Because precision in estimating loss impact almost always results in arguments about the numbers. When this occurs, the true goal of the BIA is lost, because it turns the discussion into a numbers game rather than a balanced discussion of financial and operational impact potentials. Because of the unlimited and unknown varieties of disasters that could befall an organization, the true numbers can never be precisely known, at least until after the disaster. The financial impact numbers are merely estimates intended to illustrate degrees of impact. So skip the numbers exercise and get to the point.
