Assessing the Risk
Disaster risk assessment is often a complex and sometimes subjective endeavor. Therefore, this tutorial can only scratch the surface of the approaches and topics involved. Risk assessment is one area where the differences between enterprises are extremely important and where consultants can be invaluable.
Generally, however, a common approach is to break down a company’s IT risks into two main categories:
- Computer system problems (often including telecommunications), which cover events such as internal breakdowns, sabotage, and accidental damage
- Environmental problems, which usually cover hurricanes, tornadoes, floods, fires, terrorist attack, and similar events that affect more than just IT assets
The next step is, for each of these categories, to draw up a list of computing and telecommunications equipment (starting with servers) and to assign a risk factor and a recovery priority to each item.
After going through the hardware, a corresponding list of software (applications) and data should be crafted within the same framework. When complete, all of this should provide a reasonably good picture of an enterprise’s vulnerability and suggest approaches for recovering from a loss of equipment, applications, and data.