This is the first article of a two-part series that will provide an example of a risk management plan for an IT project. This first article will provide examples of four of the seven sections of the plan. Part two will present examples of sections five, six and seven.
IT systems are exposed to a range of disruptions, from mild (a power outage, a failed disk drive) to severe (fire, destruction of equipment). Many of these risks and vulnerabilities can be reduced or eliminated through technical, management, or operational controls adopted as part of the organization's risk management effort. The plan described here mitigates the risk of system and service unavailability by concentrating on effective and efficient recovery solutions.
IT Risk Management Contingency Planning Process
To develop and maintain an effective IT Risk Management contingency plan, organizations should use the following approach:
Develop the contingency planning policy statement
Conduct the business impact analysis (BIA)
Identify preventive controls
Develop recovery strategies
Develop an IT contingency plan
Plan testing, training, and exercises
Ensure plan maintenance
The contingency planning policy statement
To be effective, the risk management contingency plan must rest on a clearly defined policy, so the first section of your IT risk management plan is the policy statement. It should state your organization's overall contingency objectives and establish the framework and responsibilities for IT risk management planning. Key policy elements to include in this section are as follows:
Roles and responsibilities
Scope as applied to the type(s) of platform(s) and organization functions subject to contingency planning
Exercise and testing schedules
Plan maintenance schedule
Frequency of backups and storage of backup media
The Business Impact Analysis (BIA)
The BIA is a key part of an IT risk management plan. It enables your IT department to identify system requirements, processes, and interdependencies, and to use that information to set contingency requirements and recovery priorities. The purpose of the BIA is to correlate specific system components with the critical services they provide. From that mapping, characterize the consequences of a disruption to each component, including how long each service can tolerate an outage; a shared component such as storage or a core switch inherits the tightest tolerance of every service that depends on it.
Recovery Strategies
The Recovery Strategy section of your plan should address the disruption impacts and allowable outage times identified in the BIA section. Candidate strategies should be weighed against several factors, including cost, allowable outage time, security, and integration with the larger, organization-level risk management and contingency plans. List specific recovery methods, such as commercial contracts with cold, warm, or hot site vendors, mobile sites, reciprocal agreements with internal or external organizations, and service level agreements (SLAs) with equipment vendors, and record which method covers which component and why it meets that component's allowable outage.
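The following worked example, added here as an illustration and not part of the original article, shows the BIA mapping described above carried through to a recovery strategy choice. All data in it is constructed: the components, the services they support, the dependency graph, the maximum tolerable downtime (MTD) per service and the recovery time and cost figures for the cold, warm and hot site options are hypothetical placeholders. The code derives each component's allowable outage as the tightest MTD of every service that transitively relies on it, orders recovery so dependencies come back first, and picks the cheapest site option that fits each component's allowable outage.

```python
"""BIA to recovery-strategy example (added illustration; constructed data)."""
from collections import defaultdict

# Constructed: service -> maximum tolerable downtime in hours, from business owners.
SERVICE_MTD_HOURS = {"order-intake": 4, "payroll": 72, "internal-wiki": 168}

# Constructed: component -> services it directly provides.
COMPONENT_SERVICES = {
    "web-frontend": ["order-intake"],
    "orders-db": [],
    "hr-app": ["payroll"],
    "wiki": ["internal-wiki"],
    "core-switch": [],
    "san": [],
    "dev-sandbox": [],  # nothing business-critical depends on it
}

# Constructed: component -> components it cannot run without.
COMPONENT_DEPENDS_ON = {
    "web-frontend": ["orders-db", "core-switch"],
    "orders-db": ["san", "core-switch"],
    "hr-app": ["san", "core-switch"],
    "wiki": ["san", "core-switch"],
    "core-switch": [],
    "san": [],
    "dev-sandbox": ["core-switch"],
}

# Constructed: recovery option -> (recovery time in hours, annual cost). Placeholders.
RECOVERY_OPTIONS = {
    "cold site": (168, 10_000),
    "warm site": (24, 40_000),
    "hot site": (2, 150_000),
}


def allowable_outage(component_services, depends_on, service_mtd):
    """Allowable outage per component: the tightest MTD among all services that
    rely on it, directly or through other components. None means no service
    depends on the component at all."""
    dependents = defaultdict(list)  # dependency -> components that need it
    for comp, deps in depends_on.items():
        for dep in deps:
            dependents[dep].append(comp)
    result = {}

    def compute(comp, stack=()):
        if comp in result:
            return result[comp]
        if comp in stack:
            raise ValueError(f"dependency cycle through {comp}")
        own = [service_mtd[s] for s in component_services.get(comp, [])]
        inherited = [compute(c, stack + (comp,)) for c in dependents.get(comp, [])]
        vals = [v for v in own + inherited if v is not None]
        result[comp] = min(vals) if vals else None
        return result[comp]

    for comp in component_services:
        compute(comp)
    return result


def recovery_order(depends_on, allowable):
    """Restore dependencies before dependents; among components that are ready,
    restore the one with the tightest allowable outage first."""
    restored, order, remaining = set(), [], set(depends_on)
    while remaining:
        ready = [c for c in remaining if set(depends_on[c]) <= restored]
        if not ready:
            raise ValueError("dependency cycle; recovery order undefined")
        nxt = min(ready, key=lambda c: (allowable[c] if allowable[c] is not None else float("inf"), c))
        order.append(nxt)
        restored.add(nxt)
        remaining.remove(nxt)
    return order


def select_strategy(allowable_hours, options):
    """Cheapest recovery option whose recovery time fits the allowable outage.
    None when nothing depends on the component, or when no option is fast
    enough (a signal that preventive controls or redundancy are needed)."""
    if allowable_hours is None:
        return None
    feasible = [(cost, name) for name, (rto, cost) in options.items() if rto <= allowable_hours]
    return min(feasible)[1] if feasible else None


def bia_report():
    """Component -> (allowable outage hours, chosen recovery option)."""
    allowed = allowable_outage(COMPONENT_SERVICES, COMPONENT_DEPENDS_ON, SERVICE_MTD_HOURS)
    return {c: (allowed[c], select_strategy(allowed[c], RECOVERY_OPTIONS)) for c in recovery_order(COMPONENT_DEPENDS_ON, allowed)}


if __name__ == "__main__":
    for comp, (hours, option) in bia_report().items():
        print(f"{comp:13} allowable={hours!s:>5}h  strategy={option}")
```

The point the output makes is that the SAN and core switch, which provide no service of their own, inherit the 4-hour requirement of order intake and therefore need the hot site option, while the HR application can be covered by the cheaper warm site. A component whose allowable outage no option can meet is where the preventive controls step of the process, rather than a recovery contract, has to do the work.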