to a particular disaster. This part of the risk assessment is often called
the business impact analysis.
Evaluations of threat, vulnerability, and cost are not only used to
determine what dangers to prepare for and how to meet them, but
also to prioritize preparedness efforts. As part of the planning
process, organization leadership will have to decide which threats are
the most likely and the most dangerous, and consequently with
regards to safety and sound business practices, where they should
invest their time and effort in preparing to deal with the
consequences of various dangers.
The assessment should define the possible disasters that a business
might encounter and their potential impact on the company's business
practices. Traditionally, fire is the most common form of disaster
Sauter ch15-16 3/16/05 10:21 AM Page 339
CHAPTER 16 " BUSINESS PREPAREDNESS, CONTINUITY, AND RECOVERY 339
experienced by businesses, but depending on geographical location,
enterprises might be particularly vulnerable to other kinds of danger as
well, including floods, tornadoes, or wildfires. Usually accurate and
fairly complete information on likely hazards can be obtained through
local and state organizations such as emergency management offices,
floodplain management, public or commercial geospatial information
services, geological surveys, and universities and colleges.
Determining if a company is susceptible to a terrorist attack is more
problematic. Location and activity might suggest if a business is more
likely to become a victim of a terrorist incident. For example, given
the number of terrorist incidents involving commercial aviation, businesses
involved in this sector, including tourism, travel services, and
airport vendors, might have greater concern over how their practices
might be affected by a terrorist attack. Organizations involved in
politically controversial activities might also consider the potential
for becoming victims of a terrorist act. Sources of information for
conducting a terrorist risk assessment might include local law
enforcement, industry associations, or a business sector information-sharing
and analysis center.
As part of risk assessment, each area of an organization (such as
billing, shipping, advertising, utilities, and information technology
services) should be assessed to determine the potential consequences
of different kinds of disasters. Impacts that should be considered are
the cost of repairing or replacing equipment; loss of worker
productivity and the expense of replacing and training new personnel;
impact on customers; violations of contractual agreements; the
imposition of fines and penalties or legal costs; and interruption of
supplies or distribution of products.
Establish Operational Priorities
Before the planning team begins to decide how to best prepare for
different threats and mitigate vulnerabilities, it must first identify the
critical needs of each element within the company. Critical elements
are those resources, leadership, or capabilities whose loss would stop
or significantly degrade essential business activities, such as the
delivery of goods or services. The analysis of operational priorities
should determine the maximum amount of time that the organization
can operate without each critical element. This step is essential for
ensuring that the most important parts of the business are addressed
340 PART 3 " HOMELAND SECURITY
first. An assessment of operational priorities might include determining
essential activities and systems, key personnel, and vital records
and documents. Examples of critical operational priorities might
include sole-source vendors; lifeline services like water, oil, or gas;
and irreplaceable equipment. The assessment usually ranks personnel,
facilities, and services as essential, important, or nonessential.
Determine Continuity and Recovery Options
Another critical task for the planning committee is to determine the
practical alternatives for preparing the organization to deal with a
disaster. The main focus in developing continuity and recovery
options should be protecting the operational priorities identified by
the planning committee.
As part of this process, the committee will collect critical data that
would be needed to respond to a disaster including critical and
backup personnel listings; essential telephone numbers; inventories
of equipment, office supplies, and documents; lists of vendors and
customers; storage locations; software and data files backup/retention
schedules; and important contracts.
The committee should also gather information about current capabilities
that are already available by reviewing existing plans, policies,