Before an organization is able to prepare for a prospective disaster, there has to be consensus among its stakeholders that threats are real and relevant. There must be a collective sense that the danger could legitimately affect the organization, and that readying to combat it is worth the time, money, and resources required.
For a consensus to be reached among stakeholders, the following steps must be taken:
Identify past incidents and disasters – List the incidents that have previously affected the company.
- What has happened?
- When did it happen?
- How many times has it happened?
- How long was the recovery period?
- What actions were required to recover?
- What was the cost of recovery?
Extend the list to include other conceivable threats – Collect examples of how other stakeholders or businesses have been impacted by disasters.
- What has happened elsewhere and what was the impact?
- How are these examples relevant to the company?
Project the impact future disasters will create – Use both past incidents and conceivable threats to form an understanding of possible threats. Use the company's definitions of risk and impact to anticipate the effect potential disasters will have on financial assets, reputation, employee safety and legal obligations.
Undertaking these steps with the organization’s IT management and relaying the results to stakeholders allows a company to form a collective sense of the threats facing it, as well as the potential impact associated with each threat. From there, a focused Risk and Threat Assessment can be conducted and comprehensive Disaster Plans and Programs can be developed at a level of investment appropriate to the exposure.