Olivier Le Moal - stock.adobe.co
What is the role of qualitative and quantitative impact in DR?
Disaster recovery planners use several metrics to craft a plan suited to their organizations. Quantitative and qualitative impact are two helpful metrics in a recovery strategy.
How do you weigh the impact of something that has an immediate financial result versus something that could have lasting repercussions? Organizations that perform both quantitative impact and qualitative impact analyses will have a more well-rounded and complete disaster recovery strategy.
Quantitative impact is determined by financial losses, including lost revenue, assets or production units, and salary paid to a stalled workforce. Quantitative impact usually increases over time: The longer a business interruption or disruptive event lasts, the greater the cumulative losses.
On the other hand, qualitative impact is much less tangible than quantitative impact, and more difficult to evaluate. It includes factors such as public reputation, goodwill, value of the brand and lost opportunities, among others. Qualitative impact can lead to financial losses over time -- due to loss of customer confidence, for example. However, it is often impractical or even impossible to estimate long term financial losses with any certainty.
Despite its intangible nature, organizations can still measure qualitative impact. In a business impact analysis (BIA), a risk's qualitative impact usually is rated using a numeric scale based on the magnitude of the impact on a specific area. An organization might use a scale of 1-10, for example, and focus on areas such company reputation.
Assess quantitative impact in DR
The principal goal in disaster recovery, from a quantitative perspective, is to minimize the number of incidents that disrupt business operations. Numerous metrics factor into technology disaster recovery. These include recovery time objective, recovery point objective, mean time between failures and mean time to repair. Each of these metrics is typically expressed with a numerical -- quantitative -- value. Risk assessments and BIAs both use quantitative values to help DR planners define strategies for dealing with specific incidents.
Tables 1 and 2 depict examples of both a BIA and risk assessment with sample values. In these tables, one is the lowest value and 10 is the highest.
Table 1: BIA data
Process/System | Level of Criticality (1-10) | Level of Interdependence (1-10) | Importance of Staffing (1-10) | Importance of Work Areas (1-10) |
Payroll | 9 | 7 | 8 | 6 |
Key product mfg. | 9 | 8 | 8 | 9 |
9 | 8 | 6 | 4 | |
Data center | 9 | 9 | 7 | 8 |
Table 2: Risk assessment data
Risk, Threat, Vulnerability | Likelihood of Occurrence (1-10) | Severity of Damage to Business (1-10) | Severity of Financial Loss to Business (1-10) | Impact to Employees (1-10) |
Severe weather | 8 | 6 | 6 | 7 |
Cybersecurity breach | 8 | 8 | 8 | 7 |
Loss of commercial power | 6 | 7 | 8 | 7 |
Loss of servers | 7 | 9 | 9 | 7 |
Each table uses quantitative values to rate different elements of risk and business viability. This data helps IT managers identify the components in the infrastructure that are most at risk and their importance to the organization. Quantitative impact provides the start point for organizations to develop strategies that ensure they remain operational in a disruptive event.
Assess qualitative impact in DR
By contrast, Tables 1 and 2 can also apply to a qualitative perspective, since the events included may also have a longer lasting impact on the business and its ability to operate. Tables 3 and 4 are adapted from Tables 1 and 2 and introduce a qualitative assessment of each situation in the event of a disruption or loss to the process/system.
Along with a hit to an organization's reputation, qualitative impacts may include a loss of business or breach of industry regulation.
Table 3: BIA data with qualitative impact
Process/System | Level of Criticality (1-10) | Level of Interdependence (1-10) | Importance of Staffing (1-10) | Importance of Work Areas (1-10) | Qualitative Impact |
Payroll | 9 | 7 | 8 | 6 | Disgruntled employees, union complaints |
Key product mfg. | 9 | 8 | 8 | 6 | Unhappy customers, loss of business; damage to reputation |
9 | 8 | 6 | 4 | Disgruntled employees | |
Data center | 9 | 9 | 7 | 8 | Unhappy customers, loss of business; damage to reputation |
Table 4: Risk assessment data with qualitative impact
Risk, Threat, Vulnerability | Likelihood of Occurrence (1-10) | Severity of Damage to Business (1-10) | Severity of Financial Loss to Business (1-10) | Impact to Employees (1-10) | Qualitative Impact |
Severe weather | 8 | 6 | 6 | 7 | Health and safely threats to employees, loss of business, damage to reputation |
Cybersecurity breach | 8 | 8 | 8 | 7 | Loss of business, damage to reputation, fines from breach of regulations |
Loss of commercial power | 6 | 7 | 8 | 7 | Unhappy customers, loss of business; damage to reputation |
Loss of servers | 7 | 9 | 9 | 7 | Unhappy customers, loss of business; damage to reputation |
Importance of quantitative and qualitative values in DR
Businesses must examine and evaluate both quantitative and qualitative evidence when they make decisions on DR activities and potential DR investments. If quantitative impact values from risk assessments and BIAs demonstrate mathematically that the risk to the business can be lowered with a second server, the decision to invest in that server can be easier. Qualitatively, the impact to the business -- such as reputational damage -- from a server loss can be explained to management by DR teams.