Compass Consulting International, Inc.
|
Compass Consulting International, Inc.
|
| |
"What Are You Afraid Of? Part 3 of the series on Disaster Recovery Planning By Geoffrey C. Tritsch and Dr. Robert Kuhn
In last month's installment, we introduced a framework for disaster planning - event, impact, result. This month we look at how to determine when prevention is worth the cost. There are several attitudes to valuing disaster prevention strategies. Generally, you tend to be either a Grasshopper or an Ant. Grasshoppers play the odds. A disaster is unlikely to occur. Why worry, be happy. Ants take precautionary measures, no matter what the "odds," figuring that if they don't, they are going to have the disaster. While few institutions are wholly Ants, too many institutions are Grasshoppers by default -- no structured approach to disaster planning. The heart of risk analysis is the concept of "expected cost." Expected cost is the probability of any event multiplied by its associated costs. (The Ants' expected costs are pretty much fixed by the annual and annualized costs of their preventive measures. On the other hand, Grasshoppers either pay nothing if there is no disaster or the full cost of recovery if there is one. Averaged over a enough time and enough Grasshoppers, this all-or-nothing approach would yield the expected cost for the Grasshoppers.) The statistically rational person (or insect) acts to minimize expected cost. From a purely statistical viewpoint, if expected cost of prevention is less than that of loss, you prevent; if greater, you don't. One can justify being more "Antish" than statistically rational by thinking of prevention as insurance. When you buy insurance, your costs are likely to be higher, but you won't be wiped out by a disaster. Applying this thinking to disaster preparation, prudence encourages us to go with prevention even if the purely statistical rationale points the other way. Redundancy, diverse routing, fire suppression, alternative sites, and other preventative measures all cost money and offer little return on the investment if they are never needed. But they provide insurance against costly, high profile, and embarrassing results. On the other hand, you can't prevent all possible disasters, and as you get closer to doing so the costs rise asymptotically. So when the cost of prevention gets too high (when compared to the expected loss), one option is actually taking out insurance against the disaster instead of attempting to prevent it. Insurance companies write millions of policies, and, so long as the premiums are lower than the cost of prevention, taking out an insurance policy could be better protection against disaster. However, keep in mind that insurance policies don't prevent disasters. They only help you address the financial aspect of recovery. Of course, the discussion above assumes you can measure the cost of a disaster. For profit-making businesses this is mostly true (although how do you value human life?) It is more problematic in a non-profit arena, where costs and benefits don't come neatly in dollars. Public safety, public image, competition, inconvenience and even politics also come into play. But the financial impact is always a good place to start. That, in a nutshell, is the nature of risk analysis. Is it better to invest in preventing the event or mitigating its impact or is better to let the event happen and deal with recovery if and when necessary? The answer varies by institution, by disaster, by risk profile, and even by manager. In next month's article, entitled What You've Got and What You Need we will begin to look at where and how to gather information for your planning process.
Geoffrey Tritsch, President of Compass Consulting, has been a technology consultant specializing in higher education since 1980. He is a frequent presenter at workshops and conferences and a contributor professional journals. As Senior Consultant with Compass Consulting, Dr. Robert Kuhn focuses on assisting clients with management and planning for information technology. His core competencies extend deep into the fundamentals: systems and applications technologies and complex networking. Home |