Eng. Rami R.

Lubbad
rlubbad@gmail.com
rlubbad@ucas.edu.ps
Contents
Risk Mitigation in BC/DR
Types of risk mitigation strategies
Risk mitigation process
 IT risk mitigation
 Backup and recovery considerations
Risk mitigation in Risk Management

• Risk mitigation is defined as taking steps to reduce adverse

effects. It is developing strategies to accept, avoid, reduce, or
transfer risks related to potential business disruptions.

• Risk mitigation is a commonly used process within traditional

business risk management.
• Risk Mitigation is :
• The Last Phase in Risk Management Plan
• Start Point to begin the draft of your business continuity
and disaster recovery plan.
Risk mitigation phase details:
Risk mitigation phase in BC/DR
development
 we’re going in this presentation to develop strategies for Mitigating IT
risks including:
• Determining ways to sustain critical operations/needs,
• Designing the appropriate IT architecture to support business
continuity and;
• Develop policies and procedures that support these efforts.

Business Continuity is all about risk mitigation, and a risk mitigation plan is essential.
If you are not looking at how to reduce, eliminate, or accept risks, you are missing the mark.
 Risk Mitigation in BC/DR plan
• It’s important to develop risk mitigation strategies that match your
company’s profile. (critical needs)
• There is no one-size-fits-all answer in the risk mitigation phase
• You’ll have to create a strategy that meets your company’s financial,
operational, and risk management goals.
• Keep in mind (80/20) rule when developing your strategies:
• Twenty percent of your applications are going to require 80% of
your time, effort, and resources to address appropriately.
• Eighty percent of your applications, then, should only consume
20% of your time, effort, and resources.
Types of Risk Mitigation Strategies
 Types of Risk Mitigation Strategies

Important points for each option is the Cost and Time “ short term and long term”
Types of risk mitigation strategies:: Risk acceptance
 It is a strategy in which the organization accepts the potential
consequences of a given risk and “do nothing” to avoid, limit, or transfer
the risk.
 Is it logical to spend 100,000$ to mitigate Risk costs 1000$???
 Acceptance usually has a very low cost associated with managing the risk
(or zero cost) but; This option is very high cost in the aftermath of a
disruption.
 Risk acceptance should be evaluated along with the other options to
determine the implications, appropriate actions, and costs of various
mitigation strategies.
 Risk acceptance is the least expensive option in the near term and often
the most expensive option in the long term should an event occur
Types of risk mitigation strategies::Risk avoidance
 It is a strategy in which the risk is completely avoided.
 This might include shutting down critical systems and moving
them in advance of a hurricane.
 Avoidance takes the risk to zero but; often has a high cost
associated with it.
 Risk avoidance is usually the most expensive of all risk mitigation
strategies, but it has the result of reducing the cost of downtime
and recovery significantly.
 The cost is very high early on but it is lower cost after a business
disruption than other strategies.
 Types of risk mitigation strategies::Risk limitation
It is a strategy that falls in between acceptance and avoidance. It is a strategy
employing a bit of risk acceptance along with a bit of risk avoidance or an
average of both. 
Most companies choose a risk limitation strategy, especially for IT systems
where complete acceptance or avoidance is too costly on either side of a
disruption.
For example, performing daily backups of critical business data
 It doesn’t stop a disk drive from crashing; it doesn’t ignore the potential for disk failure.
 It accepts that drives fail and when they do, having backups helps you recover in a timely manner
 Risk limitation costs an average between acceptance and avoidance both in terms of early costs
and costs after the business disruption.
Examples; installing firewalls to keep networks safe, creating backups to keep
data safe, practicing fire drills to keep employees safe, and more.
Types of risk mitigation strategies:: Risk
transference
 It’s strategy that involves handing the risk off to a willing third
party.
 In Risk transfer, you usually have to pay some other company
some amount of money to assume that risk.
 You my pay to an IT company to manage your security or
databases for you, or an insurance company that will pay for
losses in the event of a business disruption.
Types of risk mitigation strategies:: Risk
transference
 Your risk transference will usually cost more as some sort of up-front or
ongoing fee, but that the overall cost usually will be somewhere in the
same area as risk limitation.
 One important point to note, is that risk limitation usually has an end-
point cost and finite and known and usually ends at some point in time.
 But; risk transference can be ongoing.
 Near-term costs of risk limitation and risk transference may appear to
be similar.
 It’s important to understand the duration of the cost with regard to
these strategies and the operational implications of each.
Relationship between time and cost for risk
mitigation options:
Risk mitigation process
In order to develop a risk mitigation strategy:
• You first have to know your options.
• you have to look at the various risks, threats, threat sources,
vulnerabilities, and impacts.
• Next, we need to look at the recovery profile including the
recovery requirements, options, timeframe of options (compared
with maximum tolerable downtime or MTD),
• Analyze cost versus the capability of options.
Risk mitigation process: Recovery
Options
 Recovery requirements are developed during the risk assessment phase and
include data from the business impact analysis .
 You can begin by delineating the key functional areas of your company and
determining the key business processes in each.
 Recovery requirements include the time and cost of recovery as well as any
specific processes or procedures required by each functional area of the
company.
 If a process is not mission critical (or essential), it is likely not a good
candidate for the expenditure of time and effort to develop mitigation
strategies
 Recovery requirements can be categorized even within the functional areas
 For example, a recovery requirement category for facilities is alternate office
space. Another category might be a crisis management center or a
communications command center
 Risk mitigation process: Recovery
Options
 Recovery options are developed for each critical business process or function.
 Recovery options must fit within the constraints of the recovery requirement.
Otherwise, they should not be considered as part of the BC/DR process.
 The cost and time to implement each type of option varies.
 Your primary concern is to develop a list of viable options based on the
business impact analysis data you have;
 For example, if you have a requirement for an alternate computing facility,
you have numerous options available including borrowing computer space
from a local firm to setting up a co-location center outside your own
geographic area to using public or private cloud options and many other
solutions in between.
 These options, should be listed so they can be included in the subsequent
evaluation steps.
Three Categories of Recovery
options
As needed , Pre-Arranged , pre-established
Risk mitigation process: Recovery
Options
 Recovery options usually fall into one of three categories
 Each of these can also be considered part of a mitigation strategy,
 You can acquire the option As needed
 Prearrange for an option,
 Or you can pre-establish an option.
 Time is one of the major factors in each of these options;
 Cost is another factor
 Overall utility to the organization is a third factor to explore

Let’s Look for each option in More detail>>>

 Recovery options: As needed Approach
• Acquiring resources as needed at: existing market rates and within existing market
availability following the business disruption.
• Some of the challenges of this approach are:
• the risk of availability,
• the risk of cost,
• and the risk of implementation.
• If you choose this approach; you should develop a plan with sufficient detail, such
as vendor contact information, part numbers, technical specifications, and
estimated costs, this may be a workable solution in some instance.
 Recovery options: Prearranged Approach
• Prearranged options involve making arrangements in advance for the
quick shipment or delivery of materials, supplies, and capabilities later.
• involve a contractual agreement with a vendor to supply required systems,
products, or services within an agreed upon time frame following a
business disruption.
• Your worst case scenario (Challenge) is needing these services only to find
out the selected vendor really can’t deliver on its promises while you’re in
the middle of handling a crisis
• So, to ensure your needs truly will be met in the event you need to activate
these arrangements, you need to have:
• a very high level of confidence in your selected vendor(s) and;
• well-written service level agreements (SLAs).
Recovery options: Pre-established
Approach
• Pre-established recovery options are those that are purchased,
configured, and implemented prior to a disruptive event and are used only
for recovering from a disruptive event.
• Owning alternate computing site that is activated only in the aftermath
of a business disruption.
• cost of this type of solution is lower on a per-unit basis because the
expenditures can be timed and managed
• that there are options within this solution: a cold, warm, or hot site
Types of Backup Sites - Hot Site, Warm Site, Cold Sits
• Hot Site: A backup site, which is up and running continuously.
• A Hot Site allows a company to continue normal business operations, within a very short period of time
after a disaster.
• Hot Site can be configured in a branch office, data center or even in cloud. Hot Site must be online and
must be available immediately.
• Hot site must be equipped with all the necessary hardware, software, network, and Internet connectivity.
• Warm Site: A Warm Site is another backup site, is not as equipped as a Hot Site.
• Warm Site is configured with power, phone, network etc. May have servers and other resources. But a
Warm Site is not ready for immediate switch over.
• The time to switch over from the disaster affected site to Warm Site is more than that of a Hot Site. But
less cost is the attraction.
• Cold Site: Cold Site contain even fewer facilities than a Warm Site. Cold Site will take more time than a
Warm Site or Hot Site to switch operation but it is the cheapest option.
• Cold Site may contain tables, chairs, bathrooms, and basic technical facilities
• but will require days or even weeks to set up properly and start operation from Cold Site.
 Comparison between Alternative Recovery Strategies
• Hot Site: Fully configured, ready to operate within hours
• Warm Site: Ready to operate within days: no or low power main computer. Does contain disks,
network, peripherals
• Cold Site: Ready to operate within weeks. Contains electrical wiring, air conditioning, flooring
Comparison of three recovery approaches:
Tip: Keep Recovery Solutions Simple
• For IT systems, pre-established and prearranged solutions are often best.
• Trying to get IT systems acquired, shipped, set up, configured, and online
in the aftermath of a business disruption is a major undertaking.
• Anything you can do in advance, within the constraints of your
organization, will be well worth it if your company faces a disruption.
• You’ll have to balance the cost of preparing against the cost of dealing
with the aftermath.
• In some companies, this cost can’t be justified. In larger companies, it
almost always makes financial and organizational sense to make
arrangements in advance
Recovery time of options
• Let’s remember, In Business Impact Analysis (BIA) slides
Recovery time of options::Meet options with
MTD
• List your recovery options.
• Your selected option should meet MTD requirements
• Any option that does not meet MTD requirements should be removed
from your consideration.
 Recovery options :: cost/capability
assessment
• You should have a pared down list of recovery options based on those that
meet MTD and recovery requirements
• Next, you’ll assess the cost of each of the remaining options and list the
capabilities included in that cost
• Some options may have various levels of cost/capability
 Recovery options :: cost/capability
assessment
• The attributes that can and should be included in the cost/capability assessment are:
• Cost—the cost of the mitigation or recovery option.
• Capability—the capabilities of the option.
• Effort—the amount of effort it will take to implement and manage the option.
• Quality—the quality of the product, service, or data associated with the option.
• Control—the amount of control the company will retain over the critical business
process.
• Safety—in cases where physical safety is a concern.
• Security—the estimates of physical and virtual (information and network access)
• Desirability—the assessment of the overall desirability of an option. this is a
qualitative judgment. The reasons for rating desirability as high, neutral, or low should
be documented.
 Recovery options :: Recovery service level
agreements
 SLAs (service-level agreements)are important when dealing with vendors in pre-
established or prearranged contracts.
 SLAs may also pertain to agreements your company has with others that must be
addressed in your plan. This might include customer service functions or other
externally facing functions your firm provides to others.
 Any agreement you enter into for recovery services should include specific metrics :
1. Response time to initial request for services
2. Technical capacities—computer equipment specifications, storage space,..,etc.
3. Access to recovery facility and equipment .
Comparison of three recovery approaches:
Risk mitigation process (Recap)
 Determining the cost, capability, effort to implement, quality, control, safety, and security
of each option under consideration can help you develop a comprehensive risk
mitigation strategy that meets the needs of your company.
 SLAs (service-level agreements) are important when dealing with vendors in pre
established or prearranged contracts.
 SLAs may also pertain to agreements your company has with others that must be
addressed in your plan. This might include customer service functions or other externally
facing functions your firm provides to others.
Risk mitigation process (Recap)

 Existing controls and risk mitigation solutions already in place should be

reviewed after requirements and options are reviewed.
 In some cases, existing solutions meet BC/DR requirements; in other cases,
existing solutions can be augmented or expanded to meet needs. In still other
cases, no satisfactory controls exist and a solution must be developed.
Risk mitigation process

 People, buildings, and infrastructure are sometimes overlooked in

the BC/DR risk mitigation phase.
 How will risks to people, buildings, and other infrastructure be
addressed through your BC/DR plan?
 Many of these may have been considered during the threat,
vulnerability, and impact assessment phases, and they specifically
should be included in the risk mitigation phase.
DEVELOPING YOUR RISK MITIGATION STRATEGY
The steps in developing your risk mitigation strategy are as follows:
1. Gather your recovery data.
2. Compare cost, capability, and service levels of options in each category.
3. Determine if the options remaining are risk acceptance, avoidance, limitation, or
transference and which, if any, are more desirable.
4. Select the option or options that best meet your company’s needs.
5. Action the plan
IT risk mitigation
Critical data and records should be viewed in light of
risk mitigation strategies under consideration.
There may be additional organizational, regulatory, or
legal requirements for reducing risk to critical data
and records that should be addressed as part of your
overall strategy.
IT risk mitigation
Critical systems and infrastructure should be assessed to determine
optimal solutions for risk mitigation.
There is a wide variety of solutions available in the market today.
You can select the optimal (or acceptable) solution for your business
only after assessing your business’s critical functions and specific
needs.
Backup and recovery
considerations
 There are numerous areas of the company that may require
alternate business processes to be developed and/or available.
These areas are sometimes overlooked in planning.

Customer service, administration, essential equipment, and

premises are four areas that require specific attention in your risk
mitigation planning.
Backup and recovery
considerations
IT recovery systems are numerous and include (among many
others) alternate sites, server, storage and network virtualization, and
more.

User’s desktop systems must be considered as part of the overall

risk mitigation process. Different strategies must be employed when
using standard or hosted desktop solutions.
Backup and recovery
considerations
Software and licensing information should be stored in a secure, off-site
location with backup data. Software license constraints must be well
understood.

Web sites are external-facing connections to the company. As such, they

require special security considerations and risk mitigation strategies.
 Homework
• There are generally 3 backup methods: Full,
Incremental, Differential (Cumulative)

• Develop a PowerPoint presentation that explains

these 3 Backup methods