Olivier Le Moal - stock.adobe.co

What is the role of qualitative and quantitative impact in DR?

Disaster recovery planners use several metrics to craft a plan suited to their organizations. Quantitative and qualitative impact are two helpful metrics in a recovery strategy.

How do you weigh the impact of something that has an immediate financial result versus something that could have lasting repercussions? Organizations that perform both quantitative impact and qualitative impact analyses will have a more well-rounded and complete disaster recovery strategy.

Quantitative impact is determined by financial losses, including lost revenue, assets or production units, and salary paid to a stalled workforce. Quantitative impact usually increases over time: The longer a business interruption or disruptive event lasts, the greater the cumulative losses.

On the other hand, qualitative impact is much less tangible than quantitative impact, and more difficult to evaluate. It includes factors such as public reputation, goodwill, value of the brand and lost opportunities, among others. Qualitative impact can lead to financial losses over time -- due to loss of customer confidence, for example. However, it is often impractical or even impossible to estimate long term financial losses with any certainty.

Despite its intangible nature, organizations can still measure qualitative impact. In a business impact analysis (BIA), a risk's qualitative impact usually is rated using a numeric scale based on the magnitude of the impact on a specific area. An organization might use a scale of 1-10, for example, and focus on areas such company reputation.

Assess quantitative impact in DR

The principal goal in disaster recovery, from a quantitative perspective, is to minimize the number of incidents that disrupt business operations.

The principal goal in disaster recovery, from a quantitative perspective, is to minimize the number of incidents that disrupt business operations. Numerous metrics factor into technology disaster recovery. These include recovery time objective, recovery point objective, mean time between failures and mean time to repair. Each of these metrics is typically expressed with a numerical -- quantitative -- value. Risk assessments and BIAs both use quantitative values to help DR planners define strategies for dealing with specific incidents.

Tables 1 and 2 depict examples of both a BIA and risk assessment with sample values. In these tables, one is the lowest value and 10 is the highest.

Table 1: BIA data

Process/System Level of Criticality (1-10) Level of Interdependence (1-10) Importance of Staffing (1-10) Importance of Work Areas (1-10)
Payroll 9 7 8 6
Key product mfg. 9 8 8 9
Email 9 8 6 4
Data center 9 9 7 8

Table 2: Risk assessment data

Risk, Threat, Vulnerability Likelihood of Occurrence (1-10) Severity of Damage to Business (1-10) Severity of Financial Loss to Business (1-10) Impact to Employees (1-10)
Severe weather 8 6 6 7
Cybersecurity breach 8 8 8 7
Loss of commercial power 6 7 8 7
Loss of servers 7 9 9 7

Each table uses quantitative values to rate different elements of risk and business viability. This data helps IT managers identify the components in the infrastructure that are most at risk and their importance to the organization. Quantitative impact provides the start point for organizations to develop strategies that ensure they remain operational in a disruptive event.

Assess qualitative impact in DR

By contrast, Tables 1 and 2 can also apply to a qualitative perspective, since the events included may also have a longer lasting impact on the business and its ability to operate. Tables 3 and 4 are adapted from Tables 1 and 2 and introduce a qualitative assessment of each situation in the event of a disruption or loss to the process/system.

Along with a hit to an organization's reputation, qualitative impacts may include a loss of business or breach of industry regulation.

Table 3: BIA data with qualitative impact

Process/System Level of Criticality (1-10) Level of Interdependence (1-10) Importance of Staffing (1-10) Importance of Work Areas (1-10) Qualitative Impact
Payroll 9 7 8 6 Disgruntled employees, union complaints
Key product mfg. 9 8 8 6 Unhappy customers, loss of business; damage to reputation
Email 9 8 6 4 Disgruntled employees
Data center 9 9 7 8 Unhappy customers, loss of business; damage to reputation

Table 4: Risk assessment data with qualitative impact

Risk, Threat, Vulnerability Likelihood of Occurrence (1-10) Severity of Damage to Business (1-10) Severity of Financial Loss to Business (1-10) Impact to Employees (1-10) Qualitative Impact
Severe weather 8 6 6 7 Health and safely threats to employees, loss of business, damage to reputation
Cybersecurity breach 8 8 8 7 Loss of business, damage to reputation, fines from breach of regulations
Loss of commercial power 6 7 8 7 Unhappy customers, loss of business; damage to reputation
Loss of servers 7 9 9 7 Unhappy customers, loss of business; damage to reputation

Importance of quantitative and qualitative values in DR

Businesses must examine and evaluate both quantitative and qualitative evidence when they make decisions on DR activities and potential DR investments. If quantitative impact values from risk assessments and BIAs demonstrate mathematically that the risk to the business can be lowered with a second server, the decision to invest in that server can be easier. Qualitatively, the impact to the business -- such as reputational damage -- from a server loss can be explained to management by DR teams.

Dig Deeper on Disaster recovery planning and management

Data Backup
Storage
Security
CIO
Close