In the first part of this article, we talked about the importance of setting out the Policy on IT processes. This policy will be the anchor for all the sections of the plan and will direct the resources where they are most needed to ensure the most critical IT functions are up and running during and after the emergency.
Business impact analysis
Once the policy has been set, the next step to take is to conduct an analysis of the impact on the business every time an IT function fails to function, according to its importance. It is best to assign a concrete value on this impact to clearly illustrate the losses and cost implications on the business, and to understand which functions can be cut-off or restored, depending on the situation.
List of tasks required to keep systems going
After the business impact analysis, a systematic list of tasks to be carried out should be made. This is to ensure that those systems in need of the most critical care get the fastest response and attention during the emergency. The most critical systems based on the Business Impact Analysis are those that will cause the largest damage and cost to the company if that IT function stops working. It is, therefore, critical for the tasks to be clearly listed and described in as much detail as possible to ensure that the most important IT systems are salvaged and looked after during the emergency. Be as thorough as much as possible, even for the least critical systems, because when it’s time to restore those functions that were switched off during the most resource-intensive times, the business will still have to look at the task list as its playbook to switch the systems back on. Remember that this list should be easily understood even by the least trained personnel as there is also no assurance that all the people who were originally performing these functions will still be available when it’s time to switch the systems back on.
Resources and gaps
Once the impact analysis is done, and there is already a concrete list of tasks and systems required, the business should be able to identify in the plan the amount of resources, including human resources, that can be allocated and assigned to perform those tasks. There should be a primary and secondary source of such allocations – the same goes for the assignment of individuals and people who will perform the function. If person A is not available, who will be the alternate? If technician A is, for any reason, unavailable to keep system A running, and there is no technician B within the company who can perform this task, it is important for the company to ask if there is an external IT service provider or technical support and services outside the company that can fulfill this function.
The next part of this series of articles on will discuss maintenance protocols and timelines for business continuity.