Business Continuity Management (4): Strategy and Planning
Tony Blunden
This article looks at the design and planning of the organisation’s response to each type of Business Continuity Incident. The first step is to list all of the options that are currently available and then consider, for each trigger, which ones are suitable. We have found it helpful in the past to structure these options under the following headings:
The results can be used to populate a table along the lines of the diagram below (see ‘Example of a typical set of threats, response triggers and corresponding controls’), which should give a map of your current strategy for each response trigger and therefore for each threat. By highlighting any gaps (i.e. where there is no recovery strategy for a response trigger) and those strategies which you know are inadequate, you can build a clear heat map of the priority problem areas where you need to focus attention.
The next step in solving those problem areas is obtaining budget. A strategy that has a clear relationship with the underlying business risks is not guaranteed to have a good business case to justify it. You also need to cross-check it against the value that the particular business area brings to the overall organisation and then calculate how much it would cost to deliver the proposed business continuity strategy. Some business areas may propose recovery strategies for themselves that are quite different from the rest of the organisation. As the Business Continuity Manager you will have to negotiate a way through to the best overall solution. There will nearly always have to be a compromise between the needs (or dreams) of individual departments and the most cost-efficient solution for the organisation as a whole.
Historically most energy has been put into technology solutions, and the biggest problem currently for the Business Continuity Manager is being spoilt for choice. Other factors, such as the location of alternative premises to carry out the recovery work, tend to be lumped in with the technology solution. The commercial service providers who initially sold backup data centres now all offer recovery workspaces. However, with flexible web-based technology there is often no need to have your processing staff in the same location as the data centre; staff may well be able to access your systems from other offices or home.
The optimal business continuity strategy for a particular organisation is best designed in the same way that the organisation uses for other strategy development, whether using workshops, brainstorming, position papers or other techniques. The output is simply the approach (or approaches) that the organisation takes to recover each aspect of its business, covering the what, where and by whom. The ‘strategy’ segment is the key thinking point in the business continuity lifecycle.
The planning stage is the ‘how to’ that follows. Business Continuity Planning (BCP) is the part of the lifecycle that has the most public face and is sometimes assumed to be the ‘be all and end all’ of Business Continuity Management (BCM). However, on the assumption that a Business Impact Analysis (BIA) has been done and a business continuity strategy agreed, the creation of the BCP is a fairly mechanistic process.
A BCP should contain at least two types of information:
Traditionally there used to be a single BCP for the whole organisation no matter how big or complex its structure; more recently there would be a BCP for each location or building occupied. These days BCPs are often at departmental level, with an overall organisational BCP as a ‘gluing’ document. The main reason for this evolution has been the need to make the plans increasingly usable. Thus the information in each plan is very specific to a department, such as contact details of staff, clients, suppliers etc. and useful details such as reference numbers. Some of this data, such as staff home numbers, may be sensitive and should be restricted to as small a circulation list as possible.
Many BCPs are simply Word documents containing a series of tables with all the relevant information. Some have been designed in a format that can be emailed to a mobile device such as a BlackBerry and thus be instantly available in an emergency. Others have been stored in a business continuity tool such as Strohl LDRPS or Office Shadow’s Shadow-Planner.
In our experience the best way of detailing the steps required to restore a critical process is to sit with the staff who would in normal circumstances actually have to do it and get them to walk you through it, explaining the ‘whys’ as well as the ‘how tos’. It is possible that in an emergency a different set of staff may have to step in and carry out the work, and the more straightforward (i.e. jargon-free) the explanation, the better.
However, the plan should not go into too much detail; if the detailed steps are held in a standard operating procedure, and assuming it would be available during a crisis recovery phase, it should be referred to rather than repeated in the BCP. During an incident, if the staff experts are the ones doing the recovery, then the steps in the plan are no more than prompts for them anyway.
There is no definitive list of the types of information that a department may find useful during a crisis. The more details that are included, the more work it is to keep them up to date. When a department has an alternative location to relocate to, it can usually store whatever it may need there in the way of specialised equipment and paper documentation. This is often referred to as a contingency box (or battle-box for the more military-metaphor minded). A list of its contents, together with the last time they were checked or updated, is a useful part of the BCP.
Another section that is often included in a BCP is a checklist of the steps that can be used to record exactly who did what and when during an incident. These are useful during tests as well as real incidents, helping the communication process as well as highlighting where the recovery process needs improving.
© Chase Cooper 2008