December 18, 2019

Last Updated on January 15, 2024

Recently one of our legal clients asked for a business impact analysis (BIA). The BIA was to cover all of its other offices in the U.S. and abroad, but we would interview only the personnel at the headquarters office.
In other words, the functional recovery plan would be largely identical for each office globally, without really understanding the anomalies or one-offs at each location.
The problem with that approach is that each office is unique; therefore, a function that is performed in one location might not be performed in another. The effectiveness of the BIA will be excellent for headquarters but have diminishing returns at the other locations in direct proportion to how differently they function from the main office.
A BIA—and recovery planning in general—should be done facility by facility. Otherwise you won’t actually know the functions that are performed and need to be recovered in each specific place. Yes, you can make assumptions. But the people you’re interviewing at headquarters won’t have full insight into how things really work in, say, Paris or Shanghai.

In this case, it’s a safe bet that each office “does law.” For example, each office will have attorneys and legal secretaries who will perform almost identical critical functions, like litigation, or keeping the attorneys’ calendars. This firm also has a central IT department, which makes it easier to plan for Disaster Recovery (DR). But many other functions that are possibly being performed at each satellite office will be largely a mystery for recovery planning purposes.
When we analyzed this client’s half-dozen or so departments, we found over 80 different functions. Of these, about 50% are centrally managed and implemented. So that leaves about 40 functions that are possibly performed at the satellite offices in various combinations.
How best to actually plan recovery for each of those 40 functions at the satellite offices? We can’t answer that question because we don’t know what the recovery strategies should be. Will employees work from home? Will everyone set up at a hotel? Who are the key people who factor into the recovery strategy? The BIA won’t include this information for the non-headquarters locations, which limits its value for recovery of those locations.
Viewed in terms of the five potential impacts of a disaster, here is how an “80/20 BIA” breaks down:

  1. Loss of computing will be covered because IT is handled centrally.
  2. Loss of telecom will require additional information before a plan may be developed because each office has its own unique requirements.
  3. Denial of physical access is inherently unique to each office and so would need more information before plan development.
  4. Loss of key people is unique to each office and cloning is not yet legal.
  5. Vendor disruption will be covered for the centrally managed areas.

From the standpoint of risk and return, an organization must decide if it can accept an “80% solution” like the one I just described. This will be faster and cheaper to arrive at, as flying consultants around the world can get pretty expensive.
But how useful is a recovery plan that doesn’t include all of the information for half of your business functions? Let’s hope we don’t have to find out.
To talk with an expert about the right recovery planning scenario for your business, contact Pivot Point Security.