A large organization I work with recently experienced a serious cybersecurity incident. Ransomware had struck the business, crippling its technology systems and causing an outage that lasted more than 300 hours. This type of outage would have a devastating impact on any organization, but this company felt the pain acutely because it is a Software as a Service provider. The ransomware took down its SaaS offerings, which in turn affected the critical business operations of hundreds of its customers.


After the dust settled, the company’s CISO contacted CDW to ask how we could help him better mitigate and respond to disasters in the future. He knew that deficiencies existed in the company’s technology architecture. He also understood that correcting the deficient technologies would not be enough. They needed assistance identifying gaps in their program in addition to understanding the impact of losing their SaaS offerings. The firm was determined to avoid the financial and reputational damage of another serious outage.

Conducting a Business Impact Assessment

The path forward was clear. My team at CDW regularly assists organizations by conducting business impact assessments (BIAs), and I knew this type of assessment would provide exactly the information the company’s leaders needed. We drew upon our knowledge of the organization’s business to customize the business impact analysis that would evaluate both the financial and nonfinancial risks should an unplanned outage of a SaaS offering occur.

From a financial perspective, the SaaS provider could expect to address two different types of risk during an outage, whether brief or extended. First, there would be the loss of revenue from customers who understandably refused to pay for contracted services during the time of the outage. Second, the company would incur costs associated with overtime pay, fines and penalties, concessions, and more as it got back on its feet.

We also recognized that nonfinancial risks played a role in the company’s decision-making process. In addition to lost revenue and direct costs, the provider might face significant reputational damage among current and potential customers as a result of an extended outage. The company also wanted to understand how different types of outages would affect its brand reputation, market share, regulatory compliance posture, stockholder confidence and employee morale.

We walked through each type of risk and discussed how it might affect each of the company’s service offerings. The result was a prioritized list of risks facing the organization, sorted in order of their potential impact.

Remediating Serious Issues

The power of the business impact assessment rests on its ability to guide investments in technology remediation. Using the BIA results, business leaders can determine their acceptable risk tolerance and, from it, give their organizations guidance on which systems to prioritize and how much budget they will tolerate spending to correct technology deficiencies or holes in their disaster recovery processes.

After assessing the financial and nonfinancial risks to the SaaS provider, we came to the clear conclusion that contractual obligations resulting from a disaster significantly outweighed all of the others identified in the BIA. One of the SaaS offerings relied on a single shared application interface, a set of shared clustered database servers and a single set of application executables. If any one of these components became unavailable, the entire service offering would grind to a halt, affecting hundreds of customers.

As a result of this analysis, the SaaS provider is focused on rearchitecting the solution to remove the reliance on single points of failure and on mitigating risk by building additional redundancy into the solution. This new architecture will have a tremendous impact on the company’s operational capability. Moving forward, an issue with a solution component would affect only a subset of customers, isolating the others from the impact and minimizing the risk to the business.

That’s what business impact assessments are all about: providing business leaders with a clear description of the risks they face and helping them identify their acceptable risk tolerance.
