This plan outlines how Aiden continues to operate during and after a disruptive event, such as natural disasters, cyberattacks, pandemics, or system failures. The goal of this BCP is to ensure that critical business functions can continue with minimal downtime and impact, protecting the company's key assets, employees, and customers.
Table of contents
This risk assessment identifies potential threats to Aiden’s operations, evaluates the likelihood and impact of those threats, and outlines mitigation strategies. The goal is to prioritize risks and ensure effective business continuity.
The following are the key risks our SaaS company may face:
| Risk Category | Specific Risks |
|---|---|
| Technical Risks | Server outages, database corruption, DDoS attacks, software bugs, platform downtime. |
| Cybersecurity Risks | Data breaches, ransomware, phishing attacks, compromised API keys, unauthorized access. |
| Infrastructure Risks | Power outages, ISP failure, hardware failure, cloud service disruptions (Google Cloud). |
| Natural Disasters | Earthquakes, floods, fires, severe weather. |
| Human Risks | Insider threats, employee errors, social engineering, key personnel unavailability (sickness, resignation). |
| Supply Chain Risks | Third-party service disruptions (cloud providers, SaaS tools). |
This matrix evaluates each risk based on two key factors:
| Risk category | Risk | Likelihood | Impact | Overall Risk | Notes/Mitigation |
|---|---|---|---|---|---|
| Technical | Server Outage | Medium | Low | Medium | Servers are deployed using a redundancy of N+1, meaning there will be at least two servers deployed for each application. In case of a server failure a new one is automatically deployed to replace the failing server. |
| Technical | Region Outage | Low | High | High | Recovery by deploying a new cluster based on backups in a different Google Cloud region (europe-west4-a or europe-west4-b). Worst case revert to a different cloud provider. |
| Technical | DDoS Attack | Low | High | Medium | Traffic filtering, rate limiting, and leveraging DDoS protection services to absorb and redirect malicious traffic. |
| Technical | Software Bugs/Errors | High | Medium | High | Automated testing, continuous integration (CI/CD), and error logging. |
| Cybersecurity | Data Breach | Low | High | Medium | Strong encryption, multi-factor authentication (MFA). |
| Cybersecurity | Ransomware Attack | Low | High | Medium | Regular data backups, endpoint security software, employee training. |
| Cybersecurity | Phishing Attack | Medium | Medium | Medium | Security awareness training, email filtering. |
| Infrastructure | Power Outage | Low | Medium | Low | Use of cloud services. |
| Infrastructure | Internet Failure (ISP) | Low | High | High | Use of cloud services. |
| Infrastructure | Cloud Provider Failure | Low | High | Medium | SLAs with Google Cloud. |
| Natural disasters | Natural Disasters | Low | High | Medium | Remote work capabilities, data stored in cloud. |
| Human | Key Personnel Unavailability | Medium | Medium | Medium | Cross-training, documented procedures, remote work policy. |
| Supply chain | Third-Party Vendor Failure | Medium | Medium | Medium | SLAs with key vendors. |
The following mitigation measures are a core part of our daily operations.