Many organisations I've talked to have failed to adopt appropriate business continuity (BC) strategies. Instead, they plan for scenarios that are unlikely, decide on an approach that is unachievable, or fail to align BC strategies with other strategic initiatives. Identifying, implementing, and maintaining appropriate BC strategies will determine how successful (or not) an organisation is when responding to a major or localised incident.
The principle behind identifying appropriate BC strategies is one of synergy and practicality. BC strategies should be aligned and integrated with other strategies (such as business, product/service, IT, and premises strategies) and should be capable of meeting organisation requirements. These details were listed in the Business Impact Analysis (BIA) and Continuity Requirements Analysis (CRA)—see article 3 of this series, published on Jan. 21, 2013.
Organisations often believe they should plan for individual scenarios, such as fire, floods, flu pandemics, and power outages. The truth is that this often provides little benefit because it is not only time consuming but also impossible to plan for all eventualities.
Instead, time and effort are better spent planning for the consequences of such scenarios, such as the loss or unavailability of people, infrastructure components, suppliers, information, or a combination of these.
Information collected in the BIA and CRA for individual products and services is required to identify suitable strategies for each product or service. This will include how quickly the product or service needs to be recovered (the Recovery Time Objective, or RTO), the target point in time for acceptable data loss (the Recovery Point Objective, or RPO), and the maximum tolerable limits for these before the organisation suffers irreparable damage, known as the Maximum Tolerable Period of Disruption (MTPD) and Maximum Tolerable Data Loss (MTDL).
Strategies to be considered for essential activities and products/services include:
Diverse sites: Conduct activities for the product/service at more than one site. When an incident affects one site, the other can be used to continue essential activities for that product/service;
Replication: Replicate capabilities at another site (e.g., a third-party site or another office of the organisation), so it is ready to use. The backup site should only be used when the main site is affected by an incident;
Standby facilities: Have facilities available at another location that are only activated, set up, and made available when an incident affects the main site;
Subcontractors: Use a third party to conduct some or all activities for a product or service when an incident occurs, or use a dual-supply facility with multiple suppliers in case one fails (e.g., a manufacturing unit or a call centre). These arrangements would usually be put in place prior to an incident occurring;
Post-incident acquisition: Purchase equipment, facilities, or an alternate site after the main site and activities have been affected by the incident. A shopping list and potential suppliers should be available in advance of an incident;
Insurance: Purchase insurance for financial compensation for the loss of assets, business interruption, and death/injury. This would typically only be considered in combination with other strategies;
Do nothing: Where the RTO/RPO is a considerable period of time (e.g., a month or two), it may be practical to decide on a strategy after the incident.
The purpose of defining tactical responses is to identify what needs to be done to implement the chosen strategies for each product/service. Appropriate tactics will need to be chosen to cover the core requirements relating to:
People: Quantity, skills and knowledge;
Premises: Buildings and office facilities (furniture, filing cabinets, fax machines, photocopiers, telephones, printed stationery, de