[unisog] Risk analysis

Peter Van Epp vanepp at sfu.ca
Tue Feb 21 04:01:35 GMT 2006

On Tue, Feb 21, 2006 at 02:18:20PM +1100, Leigh Vincent wrote:
> I'd just like to add my thoughts on this. I have just spent 2 years working
> on Business Continuity Plans etc which involves performing a Risk
> analysis.
> The risk analysis that I did involved our "hands on" techs and managers
> brain storming over what threats our IT services could possibly face. 
> From this we looked at Existing Controls, Likelihood of the risk
> actually occurring, the impact which then by applying a mathematical
> calculation came out with an overall risk factor.
> From this we established that a Terrorist attack was our number one risk
> mainly because there are no existing controls.  The next few were
> things like service packs, patch updates, portable devices, ignorance
> etc etc etc. We actually have a list of 21 possible risks.

	My first reaction to this is that you appear to have (but may not in
practice) missed the most likely ones. That would be ones like 
fire/flood/earthquake wiping out your data center, one or more staff with 
irreplaceable knowledge getting hit by a bus, quitting or otherwise becoming 
unavailable (maybe unlike us you don't have anyone in that category :-)),
Backhoe Bill excavating your fibre so you are up just fine but can't connect
to anyone including your users for a longish period (this is going to look 
exactly like you are down to your users).
	When I worked for an airline that had fully redundant everything 
(including a cooling tower and dual paths to different city water mains)
Backhoe Bill managed to take out a main water trunk above both of our city
water feeds taking out both of them and something like a fire alarm dumped the 
cooling tower causing down time (and great excitement all around). One of the
three mainframes was air cooled (the other two needed water and had to shut 
down) and blocks of dry ice and fans kept reservations rolling in on the air
cooled mainframe (airco needed the water too ...).
	The smallish ones that do local damage are more likely to cause you 
grief than a major one like a terrorist attack. People understand down time 
in a terrorist attack, they don't understand (or at least don't forgive as 
easily) down time to something "minor" like a fire in your data center when
"everyone else is up". 

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada
