Business impact analysis for business continuity: Upstream and downstream losses

Learn to mitigate indirect impacts that disasters can have on businesses. In this excerpt from "Business Continuity and Disaster Recovery for IT Professionals," the author discusses upstream and downstream losses.

In addition to the direct impact of a business disruption such as an earthquake or flood, there are also indirect impacts you should consider. These can be viewed as upstream and downstream losses. Upstream losses are those you will suffer if one of your key suppliers is affected by a disaster. If your company relies on regular deliveries of products or services by another company, you could experience upstream losses if that company cannot deliver. If you run a manufacturing company that relies on raw materials arriving on a set or regular schedule, any disruption to that schedule will impact your company's ability to make and sell its products. This is how a disaster elsewhere can impact you, even if your company is unharmed. Downstream losses occur when key customers or the lives in your community are affected. If your business supplies parts to a major manufacturer that is shut down due to a hurricane or earthquake, your sales will certainly suffer. Similarly, if your company provides any type of noncritical service to your community and there is a flood or landslide, your sales could take a hit while residents of the community deal with the disaster. If you operate a chain of restaurants or movie theaters or golf courses, residents will be more focused on dealing with the disaster than on entertainment and leisure pursuits. These are considered downstream losses even if your business, itself, has not taken the direct impact of a disaster.

Keep in mind, too, that people, businesses, and communities are interrelated; very few (if any) companies exist in isolation. A natural disaster or serious disruption can create a chain reaction that ripples through the business community and impacts the local or regional economy.

Understanding the Human Impact

Although this chapter is focused on recovering business systems, it's clear that people are a major factor in business continuity efforts -- not only from a planning and implementation perspective but from the impact perspective as well. If a natural disaster strikes, it's possible that some or all of your company's employees will be impacted. It's possible that some may die or be seriously injured. Although no one likes to think about these possibilities, they cannot be ignored in a BC/DR plan. As you assess business functions and business processes, you'll also need to identify key positions, key knowledge, and key skills needed for business continuity. In some sense, this begins to cross over into what is traditionally called succession planning. In publicly traded companies or high profile start ups, the company often purchases what's called key man insurance. This insurance covers the cost of losing a high ranking executive in the company, the assumption being that if someone at that level were suddenly unavailable to carry out that function, the business would suffer financial losses.

Key Positions

Succession planning in companies covers many areas, but typically it's discussed in terms of replacing key employees as well as how to transfer the reins of the company from one leader to the next. Succession planning can include training employees to move up the corporate ladder and assume leadership positions. From a risk management perspective, it can also address who will replace key employees in the event of a planned or unplanned departure. For example, if a company was started by a couple of business partners, at some point before their retirement, they should spend time identifying their successors -- whether family members or trusted employees -- and identifying the path to hand over the leadership of the company. When done in a thoughtful and predetermined manner, this can help smooth the transition. In terms of BC/DR, this plan can help identify who should step up should something happen to the company's founders or executives.

Beyond key man succession and insurance, the BC/DR plan needs to look at key positions within the company and understand the role of each in the business continuity realm. For example, if you have complex database applications, you may identify a database administrator (DBA) as a key role in the business recovery process. Ideally, your existing database administrator would take care of this, but what if she was unable to respond to the business disruption because she was injured or unable to get to the site (or worse)? Rather than identifying specific people, you should identify roles, responsibilities, skills, and knowledge needed. Even though you'd prefer your own DBA to recover the system, if she was unavailable for any reason, you would know that you need a DBA to recover your systems and you could go to external sources to locate a temporary or permanent DBA replacement.

Human Needs

Beyond replacing needed skills and positions, it's important to keep the human impact in mind throughout your planning. As mentioned earlier in the book, everyone responds to disasters differently. If a portion of the building catches on fire and burns, it's likely that those employees in the area at the time the fire breaks out will experience the event in a variety of ways. Some people will evacuate and stand in the parking lot laughing about the close call, even as the fire engines pull in. Others probably will be frightened by the experience and may become shaky, disoriented, or panicky. Still others might seem fine immediately afterward but days or weeks later, they begin to display odd behavior that might be the result of a delayed onset of stress from the event. Clearly, the bigger the event (earthquake, tornado, hurricane), the bigger the human toll in terms of death, injury, and emotional distress.

A good business continuity plan will address the human factors for two reasons. First, addressing employee needs is simply the right thing to do. Although there are companies that may demand that employees report to work following a serious business disruption or face termination, most companies understand that everyone will have different needs. Some may report back to work, some may need to deal with family problems, some may be physically or emotionally unable to return to work immediately. The company's policies with regard to employee needs and requirements in the aftermath of a business disruption or natural disaster should be developed by your Human Resources department; however your BC/DR plan must take these varied responses into consideration. If your IT systems recovery effort hinges on two experienced network administrators, you need to address these as risks in your plan and develop mitigation strategies along with them.

The second reason for addressing employee needs in your BC/DR plan is because it makes good business sense. The ideal scenario might be that everyone is fine and shows up to work, but reality is often far different from that. You can demand that people show up all you want, but if faced with a choice between work and family, between work and health, people will usually choose family and health first. In some cases, insisting people return to work before they are ready can make things worse -- they may not be able to concentrate and therefore may make recovery efforts worse instead of better. Incorporating this reality into your plan will mean that you and your team come up with appropriate alternatives that can address the lack of key staff in the aftermath of a business disruption. This helps the employees who may be unable to come back immediately and also helps the company recover in the fastest, most efficient manner possible.

We won't dwell on the human element in this chapter, but we will mention it again in key places to keep it foremost in your mind so that as you determine the impact of various risks, you can also keep the human factor in mind.

Use the following table of contents to navigate to chapter excerpts.

 

 


Business Continuity and Disaster Recovery for IT Professionals


  Home: BIA for business continuity: Introduction
  1: BIA for business continuity: Overview
  2:BIA for business continuity: Upstream and downstream losses
  3:BIA for business continuity: Understanding impact criticality
  4:BIA for business continuity: Recovery time requirements
  5:BIA for business continuity: Identifying business functions
  6:BIA for business continuity: Gathering data
  7:BIA for business continuity: Data collection methodologies
  8:BIA for business continuity: Determining the impact
  9:BIA for business continuity: Data points
  10:BIA for business continuity: Understanding IT Impact
  11:BIA for business continuity: BIA for small business
  12:BIA for business continuity: Preparing the BIA report

ABOUT THE BOOK:   
 
Business Continuity Planning (BCP) and Disaster Recovery Planning (DRP) are emerging as the next big thing in corporate IT circles. With distributed networks, increasing demands for confidentiality, integrity and availability of data, and the widespread risks to the security of personal, confidential and sensitive data, no organization can afford to ignore the need for disaster planning. Business Continuity & Disaster Recovery for IT Professionals offers complete coverage of the three categories of disaster: natural hazards, human-caused hazards and accidental/technical hazards, as well as extensive disaster planning and readiness checklists for IT infrastructure, enterprise applications, servers and desktops – among other tools. Purchase the book from Syngress Publishing
ABOUT THE AUTHOR:   
 
Susan Snedaker, Principal Consultant and founder of Virtual Team Consulting, LLC has over 20 years experience working in IT in both technical and executive positions including with Microsoft, Honeywell, and Logical Solutions. Her experience in executive roles at both Keane, Inc. and Apta Software, Inc. provided extensive strategic and operational experience in managing hardware, software and other IT projects involving both small and large teams. As a consultant, she and her team work with companies of all sizes to improve operations, which often entails auditing IT functions and building stronger project management skills, both in the IT department and company-wide. She has developed customized project management training for a number of clients and has taught project management in a variety of settings. Ms. Snedaker holds a Masters degree in Business Administration (MBA) and a Bachelors degree in Management. She is a Microsoft Certified Systems Engineer (MCSE), a Microsoft Certified Trainer (MCT), and has a certificate in Advanced Project Management from Stanford University.


Dig Deeper on MSP technology services

MicroScope
Security
Storage
Networking
Cloud Computing
Data Management
Business Analytics
Close