Sanzaplan: Emergency Recovery

Subject: Risk Management

Abstract

SANZAPLAN manufactures and sells chips that contain people’s medical records. The chip is sold to different hospitals, health insurance companies, and doctors. The technology presents significant market potential because it constitutes a scientific innovation that people anticipate can succeed in the market. Although the company has an elaborate and well-established emergency management plan, it lacks a business continuity strategy, especially in the disaster recovery process. Having tried to raise the issue several times without success, the company now intends to outsource the non-value-added and commodity components of its operations. Since it cannot depend on its capable people to deal with the emerging risks, an opportunity has arisen to develop a disaster recovery plan, since some of the company’s operations will be sourced from a third party. The current paper discusses the role and limitations of the third-party vendor in disaster recovery in an IT environment that is prone to risks that can lead to major disasters.

Introduction

SANZAPLAN is a manufacturer and seller of a special chip that contains a person’s medical details. The company needs to subcontract non-value-added and product components of its operation. This need arises in an environment that lacks a business continuity program in the area of technical disaster recovery. However, the organization has a reasonably effective and operational emergency management process. One of the areas that the company needs to outsource is IT. The organizational management knows well that this business plan will expose the company to risks such as losing control of the IT environment and being unable to depend on its highly knowledgeable people to facilitate the recovery process in case of a disaster. This paper addresses various issues that the company should consider while engaging in an outsourcing contract with a third-party IT provider.

SANZAPLAN and the IT Provider

In the agreement between SANZAPLAN and the IT provider, the company needs to consider some issues to ensure that it remains resilient to risk as a way of increasing its recovery rates in the event a disaster occurs. Middle-line managers of any organization engage in tasks such as ensuring that processes run efficiently. Hence, noncore activities compete with the core activities that such managers perform. The core activities enable consistent growth of an organization. Since outsourcing in SANZAPLAN is to be done for noncore activities, it implies that line managers are freed of some duties so that they can concentrate only on the processes that enhance organizational growth (Hiles, 2011). The third party should have the capacity to run IT just as SANZAPLAN would do, or even run it better. To accomplish this mission, the third party should have situational awareness, conducting environmental scanning to determine and evaluate potential risks that may impede the IT infrastructure together with its applications. This plan facilitates the development of counter strategies for mitigating potential risks on behalf of SANZAPLAN.

In the process of outsourcing, an organization transfers a part of its risks to another party. Therefore, the third-party vendor should be a specialist in running IT solutions on behalf of SANZAPLAN. Hence, the vendor should mitigate some risks better than the organization that seeks the outsourcing services. An organization’s HRM function enhances employee productivity through a reduction of labor turnover. The HRM function is also tasked with recruitment, training, and development of employees. In the event of low motivation, organizations experience low productivity levels due to costs such as absenteeism and non-optimal job performance. The vendor should supply IT services to SANZAPLAN without fluctuations in quality due to risks such as low motivation and productivity of its human resources.

Disaster Recovery Concerns that may Limit the Outsourcing Agreement

After the occurrence of a catastrophe, disaster recovery becomes necessary. In the case of SANZAPLAN, although the initial crisis may be brought to a halt, at this stage, the affected IT infrastructure and applications remain vulnerable to the implications of the disaster. Disaster recovery efforts encompass activities such as rehabilitation and reconstruction of the destroyed infrastructure. This process requires the commitment of huge financial resources. The contract between SANZAPLAN and the third-party IT vendor must have an agreed plan. Therefore, in the event of a disaster, the IT provider may lack the financial ability to fund the recovery process. Thus, the legal consideration at the time of entering into a contract constitutes an essential limit to the outsourcing agreement in the disaster recovery process.

Risks, which compromise organizations’ financial position, are part of business (Raghavan, 2005). In fact, organizations do not have control over their internal and external business environments. The biggest challenge for SANZAPLAN’s business environment encompasses the development of mechanisms for predicting risks and ways of protecting its brands from collapsing. This measure is vital in the event of an organizational crisis (Grundy & Moxon, 2013). Solutions to these challenges are central to ensuring continuity of an organization upon the occurrence of a crisis. Indeed, the most reliable systems for resolving the challenges reside in-house, owing to the ease of making radical and immediate decisions when a disaster occurs.

For SANZAPLAN to prove and reliably place its brand, direct control of its IT infrastructure is essential in ensuring real-time availability. Indeed, the company needs to have its own internal mechanism for maintaining recovery time objectives and recovery point objectives without liaising with third-party vendors. The chip business is a core activity of the company. Besides, real-time accessibility to records and information, which is critical for the operations of the company, is a primary disaster recovery concern when arriving at the outsourcing agreement.

Role of SANZAPLAN Personnel in ensuring that the IT Vendor can properly Recover the Technology Environment

To ensure that the IT vendor can properly recover the technology environment, SANZAPLAN’s employees need to play the role of developing theoretical and practical paradigms for mitigating emergencies, catastrophes, and crises in a bid to enhance continuity. Hence, in the event of a crisis, the role of restoring normalcy should not be bestowed on the IT vendor alone. The vendor should be relied upon without support from the company’s personnel only in a situation that is free of turbulence.

To ensure that the IT vendor develops the capacity to recover the technology environment, input decision constructs are vital. Such constructs need to be developed in conjunction with SANZAPLAN’s personnel. This plan underlines the role of the personnel in generating environmental information that needs to be supplied to the vendor by conducting Situational Awareness (SA). SA refers to the processes of perceiving various elements that may pose threats to a network system. It entails the understanding of these elements through intensive analysis while not negating future projections of the impacts of such threats on the environment.

In the event of disasters, organizational leadership needs to create awareness of the repercussion of the disasters in the most effective manner. Proper information management and the deployment of organizational continuity plans encompass some of the strategies for accomplishing this concern (Hiles, 2011). Therefore, the personnel should provide information on which the vendor can act to ensure recovery in the technology environment.

Involvement and Preparations that the IT and other Business Areas need for the 3rd Party D/R Solution and Validation Testing

Disaster recovery (D/R) solution validation should depend on the input information from situational awareness programs. Therefore, preparations are necessary for computer network defense (CND) and SA by the IT and other business areas. In the CND approaches, SA essentially focuses on assessing various situations in the complex and dynamic CND environment to make precise forecasts that enable operators to estimate the repercussions of attacks, precisely identify network foes, and conduct an evaluation of risks as the foundation of arriving at the most subtle decisions (Gonzalez & Dutt, 2010). Such decisions will proactively protect the most valued assets of an organization, namely the information systems, in a concise manner.

The IT and other business areas need to be involved and prepared to adopt various actions through computer connections to facilitate protection, detection, analysis, control, monitoring, and response to myriad cyber attacks for the 3rd party D/R solution and validation testing. This strategy helps in capacitating the vendor in responding to network disruptions and intrusions among other perceived actions that are not authorized by the network administrators. Such actions have the probability of influencing or even compromising information structures and network defense (Cordesman, 2002). These procedures should be executed by the collective and collaborative effort of SANZAPLAN personnel who are predominantly charged with monitoring, defense systems maintenance and management, and operation and maintenance of network infrastructure. The employees include network engineers, systems security analysts, and administrators. One of the noble tasks of SANZAPLAN personnel in 3rd party D/R solution and validation testing is to ensure that the CND system is maintained and monitored, and that the necessary action is adopted to protect a network system from risks that are posed by cyber attackers. Such attacks can emanate from espionage, malicious software, destructive codes, service denials, and electronic attacks such as Stuxnet. These tasks are numerous. The implication is that the recovery environment is both complex and challenging. Hence, it calls for the incorporation of SA to help identify potential threats to SANZAPLAN’s network systems.

Limitations on the Role of the IT Vendor

If the IT services that are provided through outsourcing meet the standards that the contract specifies, SANZAPLAN cannot question or place demand for better quality levels in response to changes that are made by competitors in the design and functionality of chips without making additional payment. Nevertheless, even where SANZAPLAN may be willing to adopt this strategy, it is limited by the capability and flexibility of the vendors’ operational systems. Hence, the role of the vendor is limited to its capacity at the time of entering into the outsourcing contract. Hidden costs and negative publicity where a vendor produces goods with child labor or exploitation outsourcing may present significant disadvantages. The role of the vendor should be limited to the extent that it provides IT services in accordance with the law and within the acceptable standards.

SANZAPLAN needs to possess its intellectual property. Safeguarding intellectual property is central to the effort to maintain innovation and creativity within SANZAPLAN. Intellectual property rights safeguard the fruits of the human mind with the aim of rewarding their creators to promote economic, social, and technological development (Trimble & Goldstein, 2012). Therefore, the role of the IT vendor should be limited to its own intellectual property and not that of SANZAPLAN. This plan provides the company with an opportunity to guard the rights to its product (chips). Besides, it enables the company to control any risk that is targeted towards its technological infrastructure.

Controls that need to be in place to ensure that SANZAPLAN manages the IT Risk

The controls, whether preventive or detective, should be based on the results of the risk assessment. Being charged with the responsibility of providing IT and its support services, the vendor has the limitation of ensuring the availability and reliability of the services. To this extent, the vendor has an additional limitation of conducting an independent assessment of issues or activities that are likely to cause an outage. Through the assessment, the environment can be hardened to mitigate disasters from occurring or develop alternative workarounds in the event of the disaster so that minimal time can elapse before the full operational normalcy can be restored.

The controls should dwell on business processes, information technology, the anticipated man-caused risks, and environmental risks. Indeed, although the controls in an IT environment focus on enhancing cyber security, outages such as power supply and water supply also influence the availability of the IT services that are provided by the third-party vendor. Conducting an assessment of the risks that are independent of the third-party IT vendor provides a control over the acceptable risk limits that SANZAPLAN can absorb or recover in the event of a disaster. Consequently, the vendor cannot exceed a particular threshold of risk, which can lead to the collapse of SANZAPLAN or make the organization suffer from high recovery time objectives and hence the importance of an impact-based recovery strategic plan.

Conclusion

Other Factors that are involved in the IT Disaster Recovery Arena

Information Technology (IT) is not the only area that is being outsourced in SANZAPLAN and other companies. Consequently, it is imperative for the company under study to consider other disaster recovery areas. Outsourcing involves trading managerial control for a reduction in the cost of running an enterprise. Signing an outsourcing contract implies shifting the power to control the processes to other parties that do not reside in-house within a company. Consequently, misalignments of missions may occur. In the case of SANZAPLAN, the outsourced IT vendor may focus on profit maximization by delivering services in the condition that is specified in the contract. Therefore, any possible misalignments between SANZAPLAN’s mission and the vendor’s objective should be kept in check.

Since SANZAPLAN’s chips carry a large amount of data, the IT environment requires enough space for handling and storing the data. Since the data is required in the operations of the company, the vendor must have access to it. Unfortunately, this accessibility exposes SANZAPLAN to the risk that such data will be held without confidentiality. In some instances, outsourcing may create quality problems. The only way that outsourced vendors increase their profits is through the reduction of expenses. Therefore, consistency in the quality of services that are delivered by all outsourced services should be checked.

Reference

Cordesman, A. (2002). Cyber-Threats, Information Warfare, and Critical Infrastructure: Proceedings of the Symposium on Computer Security; Threats, and Countermeasures. Rome, Italy: The Avagliano Publishing House.

Gonzalez, C., & Dutt, V. (2010). Instance-based learning: Integrating decisions from experience in sampling and repeated choice paradigms. Psychological Review, 118(4), 412-417.

Grundy, M., & Moxon, R. (2013). The Effectiveness of Airline Crisis Management on Brand Protection: A Case Study of British Airways. Journal of Air Transport Management, 28(2), 55-61.

Hiles, A. (2011). The Definitive Handbook of Business Continuity Management. New York, NY: John Wiley & Sons Inc.

Raghavan, S. (2005). Risk Management in SMEs. The Chartered Accountant, 1(1), 528-535.

Trimble, M., & Goldstein, P. (2012). International Intellectual Property Law, Cases and Materials. New York, NY: Foundation Press.