This is a continuation of the previous article, Formulating Your Business Continuity Strategy. This second part of the BC Strategy phase of the "New BCM Manager" series provides a detailed elaboration of the three strategies for business continuity (BC) implementation.
Output of BC Strategy
The output of the business continuity (BC) strategy phase would generally include a strategy for mitigation, (crisis) response, and recovery.
(a) Mitigation Strategy
The mitigation strategy draws from the risk assessment performed in an earlier "Risk Analysis and Analysis" phase. Risks that remain high despite the presence of mitigating controls should be reviewed. There is a need to review the reasons:
- Are the implemented controls ineffective, or are there other causes that drive likelihood and/or impact variables up, in spite of these controls?
- Are there multiple causes of a risk, and have we addressed all or only some of them?
Obviously, high-risk threats cannot be ignored and must be mitigated to the best of our ability. These threats must be identified, and further measures to lower the risk they pose must be implemented with the objective of preventing any potential disruption. In addition, a mechanism must be in place to detect and sound the alarm should a threat materialize. These detection mechanisms could take the form of monitoring tools that capture and record abnormal changes in the environment or process.
While it is always better to prevent a disaster from happening, it is impossible to say with one hundred percent certainty that one will never occur. In the unfortunate event that a disaster causes business operations to be disrupted, a strategy is required to ensure effective and timely recovery and resumption.
(b) Recovery Strategy
The recovery strategy should focus on re-gaining or re-establishing what has been lost in the disaster.
- Think people, facilities, systems, records, equipment and the like.
- What has the disaster deprived the organisation of, and what resource needs to be recovered to allow the organisation to carry out its critical business functions and meet its minimum committed service levels?
- How quickly must these resources be made available? Then brainstorm on how to acquire these resources within the acceptable time frame, guided by the associated business function recovery time objective (RTO).
- What resources could be built or acquired by the organisation in anticipation of a disaster? This model gives the highest level of recovery assurance as the critical resource is guaranteed. For example, facilities, like a hot site, could be purpose-built so that in the event of a disaster, a critical function can be immediately up and running.
Alternatively, an organisation that does not, or chooses not to, own spare resources could lease them. An example of leasing is to subscribe to a shared recovery space with a reputable service provider. There is some minimal assurance that recovery seats are available; however, with such a model there is no guarantee: the seats are shared, and the first caller activating the recovery seats will be given priority. Yet other organisations may choose to procure resources only when a disaster occurs. This model gives the least recovery assurance, as the required resources may not be available when needed most.
In developing the recovery strategy, not only must one think about getting back resources needed to continue critical business operations, one must also keep in mind that the recovery must be done within the prescribed RTOs for these critical operations. If a resource cannot be recovered in this time, an alternative means or interim method of carrying on the critical operation must be found. These interim measures are often called Temporary Operating Procedures (TOP).
(c) Crisis Response Strategy
Where an organisation does not already have an incident management or response plan, the strategy might also include a response component that spells out the prioritized activities that the organisation would undertake in a disaster. These activities include emergency responses, like evacuation, situational assessment and modes of communication.
Conclusion
Typically, the business continuity strategy outlines the structure of how to prevent, respond to and recover from a disaster.
It approaches recovery at a macro level and does not dwell on details. This is often useful in providing an overview to management and allows them to see the “big picture” for organisational recovery. It is important to gain their approval before we proceed to decompose the strategy into detailed actionable steps in the plan development phase of the project.