What Are the Types of Business Continuity Strategy?

What Are the Types of Business Continuity Strategies?

This article continues the previous article, "Formulating Your Business Continuity Strategy. "

This second part of the BC Strategy phase of the "New BCM Manager" series provides a detailed elaboration of the three strategies for business continuity (BC) implementation.

Output of BC Strategy

The output of the business continuity (BC) strategy phase would generally include a strategy for mitigation, (crisis) response, and recovery.

Mitigation Strategy

The mitigation strategy draws from the risk assessment performed in an earlier "Risk Analysis and Analysis" phase.

Risks that remain high despite the presence of mitigating controls should be reviewed.  There is a need to review the reasons:

• Are the implemented controls ineffective, or are there other causes that drive likelihood and/or impact variables up despite these controls?
• Are there multiple risk causes, and have we addressed all or only some? High-risk threats cannot be ignored and must be mitigated to the best of our ability.

To prevent any potential disruption, these threats must be identified, and further attempts to lower their risk must be implemented. In addition, a mechanism must be in place to detect and sound the alarm should a threat materialize.

These detection mechanisms could take the form of monitoring tools that capture and record abnormal changes in the environment or process.   

While it is always better to prevent a disaster, it is impossible to say with one hundred per cent certainty that one will never occur. In the unfortunate event that a disaster disrupts business operations, a strategy is required to ensure effective and timely recovery and resumption.

Recovery Strategy

The recovery strategy should focus on re-gaining or re-establishing what has been lost in the disaster.

• Think people, facilities, systems, records, equipment and the like.
• What has the disaster deprived the organisation of, and what resource needs to be recovered to allow it to carry out its critical business functions and meet its minimum committed service levels?
• How quickly must these resources be made available? Then, brainstorm how to acquire these resources within the acceptable time frame, guided by the associated business function recovery time objective (RTO).
• What resources could the organisation build or acquire in anticipation of a disaster? This model gives the highest level of recovery assurance, as the critical resource is guaranteed. For example, facilities, like a hot site, could be purpose-built so that a critical business function can be immediately up and running in the event of a disaster.

Alternatively, an organisation that does not or chooses not to own spare resources could lease the resource. An example of leasing is subscribing to a shared recovery space with a reputable service provider. 

There is minimal assurance that recovery seats are available; however, as with such a model, there is no guarantee - the seats are shared, and the first caller activating the recovery seats will be given priority.

Yet other organisations may choose to procure resources only when a disaster occurs. This model provides the least recovery assurance as the required resources may not be available when needed most.

In developing the recovery strategy, one must consider not only getting back the resources needed to continue critical business operations but also keeping in mind that the recovery must be done within the prescribed RTOs for these critical operations.

If a resource cannot be recovered within this time, an alternative means, or interim method of carrying on the critical operation must be found. These interim measures are often called Temporary Operating Procedures (TOP).

Crisis Response Strategy

Where an organisation does not already have an incident management or response plan, the strategy might include a response component that spells out the prioritized activities the organisation would undertake in a disaster.

These activities include emergency responses, like evacuation, situational assessment and modes of communication.

Summing Up ...

The business continuity strategy typically outlines how to prevent, respond to, and recover from a disaster.

It approaches recovery at a macro level and does not dwell on details.

This is often useful in providing an overview to management and allows them to see the “big picture” for organisational recovery. It is crucial to gain their approval before we decompose the strategy into detailed, actionable steps in the plan development phase of the project.