Specific Areas of Concern
Based on the factors discussed in the following sections, an organization can determine how detailed its COOP must be and the level of consideration and effort that should be put into such a plan.
While any disaster, from floods and fires to terrorist attacks, may impact all companies in the affected region equally, not all businesses face equal risk in the disaster, as certain firms play a more critical role in our way of life. Those firms that are components of our "critical infrastructure" (including healthcare, finance, banking, telecommunications, utilities, and transportation) face greater risk, as their inability to conduct operations would have a far-reaching effect on U.S. and global economies and our standard of living. Therefore, their plans must take into account emergency procedures that can minimize the time they are out of operation through any conceivable circumstance.
The location, condition, and criticality of operational functions drive risk levels. And the greater the risk, the more thoroughly a plan must identify potential responses. Consider the following location risk factors:
Natural disasters such as hurricanes, floods, and tornadoes
Manufacturing versus corporate services
City versus suburban location
High rise versus sprawling campus
Operations concentrated in a single location or small area versus far-flung enterprise
Numerous geopolitical issues affect the uncertainty of operations and hence the overall risk level:
Political stability of the local government in international operations (Mexico, Europe, Asia, etc.)
Reliability of business-critical infrastructures such as power supply and transportation services
Local industry concentration, such as New York City's financial district
An organization's dependency on third parties to conduct its business affects its risk profile. The greater the dependency, the greater the risk, as a failure in any third party may compromise the organization's operations. Service providers such as ISPs, product vendors, lending sources, and the reliability of transportation services (shipping, commercial airlines, and so on) are factors that must be considered in determining an organization's dependency level.
This suggests that when an individual organization develops a COOP, the organization must consult with all other organizations in its supply chain to ensure that all necessary and reasonable measures are being taken for everyone involved.
Every organization relies on its people to conduct business, and in turn has a duty to ensure the safety of its staff. Organizations such as hospitals, consulting firms, and the like may be more dependent than other types of organizations on the productivity, mobilization, and deployment of their personnel.
Not only do firms have to ensure that their people are safe while at work and have the resources to do their jobs; they also need to ensure that employees can conveniently and safely commute to and from work. For instance, a flood may spare your office building but make local roads impassable. You can't expect employees to traverse treacherous roads to report for work, even though all necessary business systems may be functional. In such a case, the organization's recovery-planning team must work in conjunction with local authorities in determining the best plan of action to open the roads for traffic.
Today, most firms rely on their information technology resources to conduct business. Any disruption of processing capability may lead to unrecoverable losses. Firms need to determine how long they can afford to be down while waiting for backup systems to come online. In other words, they must determine the length of system outage that is absolutely unacceptable.