"Our deliverable is usually a diagram with some type of text or database behind it," Walch says. "The process model usually shows different entities such as people, business units, business partners, applications, infrastructure, and databases and describes the relationships between them and information flow. You'll see integration with Tivoli, Remedy, Paragon, or something similar." IT can use these diagrams and databases to understand the consequences and scope of various types of outages, as well as for subsequent forensic analysis.
Assessing the Risks This model is then used in the other part of this workshop process, which is to rank the importance of processes and to assess risks. Disaster recovery specialists are more concerned about specific risks, such as hurricanes, but business continuity planners tend to talk more in systems and processes. "I need a plan to tell me what to do when the power goes out," Protiviti's Porier says. "It doesn't matter what caused it."
In assessing risks, it's also important to understand the importance of manual work-arounds. "Right-sizing is really important. Payroll may say that if the payroll system fails on Tuesday, they can't pay anyone on Thursday," Cohen says. "But actually they could make copies of last week's pay stubs and use those until the system is up and running. That stretches their recovery time to a week or more."
Some of these processes may already be in place. "An executive may tell you that sales can't be without their systems for more than a half hour," Cohen says. "Then you talk with the salespeople, and they say, 'Oh, we have outages longer than that all the time. We know what to do.'" The lesson: You have to talk to a lot of people.
Be aware of the tendency of many departments to label their functions mission-critical. That's why, after mapping out processes and risks with each business unit, it's essential to go back to senior management for a reality check on what really is a Tier 1 process and what is more likely Tier 2 or 3. "We call it the management filter," Protiviti's Porier says.
Staging the Alternatives A thorough understanding of the business and all its dependencies leads to cost-effective business continuity strategies. "You can replicate in real time, electronically vault to another site, or use the old standby: recovery from magnetic tape. The more redundant and available a system is, the more expensive it is," Porier says. The practice is usually to price options that meet the risk profile and then price solutions a little ahead and a little behind to assess cost/benefit implications. "Everything is critical when recovery costs a penny," Unisys' Dillman says. "When it costs $10 million, certain things suddenly become less critical."
It's also important to model alternative processes, such as telecommuting, that might occur during an incident. A perfect example is having sufficient remote access capacity in place for situations in which a large portion of your staff will be working at home. And consider staff dispersion and cross training to ensure that alternate staff can do what has to be done to keep the business running.
Finally, the business model is never static, so it's important to keep the model current to prevent any devastating surprises when an outage actually occurs.
Leon Erlanger is a freelance author and consultant specializing in security.