Wednesday, September 16, 2009

ERM-BC-COOP: BIAs for boxes ??

Maybe I'm way off, but I get really upset when someone tells me to do a Business Impact Analysis (BIA) on a computer system, a box.

First, I'm "ticked off" because the real, critical resource is overlooked - that resource is "people" in case you are a first time visitor to a Glenn site.

But then to worry about BOXES !

My Spouse, while an intelligent woman - she has the MBA in the family - is not a risk manager, so when I ranted that someone wants BIA's on systems - boxes - she didn't understand why I was upset.

Fortunately, Yahoo came to my rescue.

The Spouse has a Yahoo email account; if Yahoo keeps changing things that "ain't broke" (a la Microsoft) she might start using her Gmail account more and Yahoo less (and then on to Linux Ubuntu?).

Anyway, to make my point, I asked her if the machine she was using went away, what would she do.

"Go to the library," she replied. Never mind that there are two more machines in the same room. Doesn't say much for the company she keeps, but …

OK, I said. Now what happens if Yahoo "goes away"? Can you still get your email?


The light comes on; she suddenly realizes that it's the APPLICATION that is critical, not the box, not the "system."

(And that's why whenever I expect an important email, I ask that it be sent to two different e-addresses, and maybe my snail-mail address as well. Hey, risk management is my business and I practice what I preach.)

I'm not suggesting that the box be ignored; my apps still need a place to call home. I will admit that moving some of my applications from machine-to-machine is a pain, especially when I have downloaded updates; fortunately all my critical vendors work with me (since I have all the important product and version license information available).

When I create a disaster recovery plan for an IT organization, I need to know what OSs are on each box and the amount and speed of the box's RAM. Do I care about the hard drive? Not a lot.


If I have 5 XYZ OS machines with 10 critical applications, including databases, I need to know

    (a) how much hard drive capacity I need for all these applications and databases

    (b) if they can co-exist on one machine or do I need to find multiple boxes

If they can co-exist, how fast must the processor run?

I need to know the requirements for a REPLACEMENT machine - or machines. I also need to assure that there is connectivity to whatever the current boxes are connected. (I recently learned THAT lesson when I discovered my new notebook lacks a connector for my old scanner.)

But, basically, a box is a box is a box.

That is not to write that I care nothing about the box. I do. I want to know the machine's Mean Time Before (Between) Failure - MTBF - and I want to know the Mean Time To Repair - MTTR - of the parts with the lowest MTBFs, and I want to know spares - and associated documentation and tools - are available to get the box up and running else I need to know where to find a new host for my applications.

I can live without my company machine -actually, I AM living without it as this is written - but I cannot live without the access to the inter and intranets. I have all manner of email, but the company email and IM are, temporarily, inaccessible. That pretty much puts me out of business. (I still have the phone, and I can use local - on the box - applications but . . .).

Since I have another machine with most of the same applications, I can keep busy, but there are many things - besides email - I cannot accomplish. The box that's "down" actually is fine; it's a security application that has brought email and IM and access to the company intranet to a halt.

The security apps developers know about the bug and are "working on it."

By the way, I actually anticipated this hiccup and created an email auto-responder that explains why I am not getting back to my fans in my usual speedy manner and that if they really need me, call the number on the auto-reply. (I have to tell you, I feel like the Maytag repairman … very lonely. Even the Help Desk hasn't called back; am I the new Rodney Dangerfield [z'l]?)

BIAs for systems? No. BIAs for applications. Yes and yes again.

John Glenn, MBCI
Enterprise Risk Management practitioner
Hollywood/Fort Lauderdale Florida
JohnGlennMBCI at gmail dot com

No comments: