A Plan: The DAPR Plan, and its actualization, is the manifestation of your policy. Your policy should set the overall mission, beliefs, values, and standards for prevention, as well as for recovery when recovery is necessary. The mission and its associated quality will be realized in detail by the plan. In this way, prevention is defined, and a schedule and level of recovery is established. And, when prevention and recovery are performed according to plan, they satisfy the policy.
Threats and Risk: The condition of threat is the thrust behind planning. Threats enter your awareness, you assess associated risk, and where necessary you make a plan of action in order to deny threats’ delivery of harm. You also plan recovery actions when threat manifests as actual harm.
As you consider your DAPR policy and plan, you must assess the risk that various threats pose to your business, and to what level you need to accommodate these risks. The same threat may pose different risks to different organizations. For example, an organization that serves reference material to customers can possibly afford to be off the web for an hour or so. However, for an organization that relies heavily or solely on real-time, time-sensitive online transacting, such as stock brokering, or something like eBay, being offline for even a few minutes can cause extreme inconvenience or even damage to customers. It can also hurt that organization’s reputation tremendously – imagine if AOL were “offline.”
Also realize that the same threat may represent differing demands on resources to differing organizations. For example, some organizations will be in a sole location – they may store their offsite backup data within that same city or general geographic area. We know this to be a condition for many organizations. A catastrophic disaster could conceivably wipe out the whole of their business intelligence – or ready access to it, and hence would impede their whole recovery effort. They may have to consider the expense of offsite storage to another city.
Another organization may be more dispersed, and may be able to afford and secure more “redundancies” (of data, and complete business platforms) because of already existing alternate business locations. Indeed, each discrete business location within a chain could be a backup to another location. A citywide disaster at one of their locations would, from a strictly business point of view, be far less threatening to their continuity of business. The former organization at the sole location may have to allocate a larger proportion of their total resources to DAPR than the latter.
Therefore, you must put the issues on the table and evaluate the risk each threat imposes against your ranked business processes. Even if you feel that some items are beyond your capacity or resources to deal with, you should still document them, the reasons why their scope of treatment is as it is, and whose authority set the scale of treatment.
Apportion your resources for DAPR against a sanctioned policy and plan that is understood and agreed to by all relevant parties.