Many organisations I've talked to have failed to adopt appropriate business continuity (BC) strategies. Instead, they plan for scenarios that are unlikely, decide on an approach that is unachievable, or fail to align BC strategies with other strategic initiatives. Identifying, implementing, and maintaining appropriate BC strategies will determine how successful (or not) an organisation is when responding to a major or localised incident.
The principle behind identifying appropriate BC strategies is one of synergy and practicality. BC strategies should be aligned and integrated with other strategies (such as business, product/service, IT, and premises strategies) and should be capable of meeting organisation requirements. These details were listed in the Business Impact Analysis (BIA) and Continuity Requirements Analysis (CRA)—see article 3 of this series, published on Jan. 21, 2013.
Organisations often believe they should plan for individual scenarios, such as fire, floods, flu pandemics, and power outages. The truth is that this often provides little benefit because it is not only time consuming but also impossible to plan for all eventualities.
Instead, time and effort is better utilised by planning for the consequences of such scenarios, such as the loss or unavailability of people, infrastructure components, suppliers, information, or a combination of these.
Information collected in the BIA and CRA for individual products and services is required to identify suitable strategies for each analysis . This will include how quickly the product or service needs to be recovered (the Recovery Time Objective, or RTO), the target point in time for acceptable data loss (the Recovery Point Objective, or RPO), and the maximum tolerable limits for these before the organisation suffers irreparable damage, known as the Maximum Tolerable Period of Disruption (MTPD) and Maximum Tolerable Data Loss (MTDL).
Strategies to be considered for essential activities and products/services include:
Diverse sites: Conduct activities for the product/service at more than one site. When an incident affects one site, the other can be used to continue essential activities for that product/service;
Replication: Replicate capabilities at another site (e.g., a third-party site or another office of the organisation), so it is ready to use. The backup site should only be used when the main site is affected by an incident;
Standby facilities: Have facilities available at another location that is only activated, set up, and made available when an incident affects the main site;
Subcontractors: Use a third party to conduct some or all activities for a product or service when an incident occurs, or use a dual-supply facility with multiple suppliers in case one fails (e.g., a manufacturing unit or a call centre). These arrangements would usually be put in place prior to an incident occurring;
Post-incident acquisition: Purchase equipment, facilities, or an alternate site after the main site and activities have been affected by the incident. A shopping list and potential suppliers should be available in advance of an incident;
Insurance: Purchase insurance for financial compensation for the loss of assets, business interruption, and death/injury. This would typically only be considered in combination with other strategies;
Do nothing: Where the RTO/RPO is a considerable period of time (e.g., a month or two), it may be practical to decide on a strategy after the incident.
The purpose of defining tactical responses is to identify what needs to be done to implement the chosen strategies for each product/service. Appropriate tactics will need to be chosen to cover the core requirements relating to:
People: Quantity, skills and knowledge;
Premises: Buildings and office facilities (furniture, filing cabinets, fax machines, photocopiers, telephones, printed stationery, desktop stationery, etc.);
Resources: Central IT systems, voice and data communication links, paper-based information, equipment (such as PCs, laptops, printers, and scanners);
Suppliers: Products, services, and materials provided by third parties and knowledge of which third parties can and should be used.
Some organisations, such as manufacturing companies, should also take into account the following: Production processes; materials, logistics, and inventory/stock; Power and utilities (e.g., water, gas, etc.).
The appropriate strategy and tactics are closely linked to the treatment of risks identified previously. There will be several actions organisations can take to reduce the risk and improve the tactical options available for particular strategies. These include: Cross-training individuals to be able to carry out the roles of others; Maintaining documented processes and procedures; Storing critical equipment off-site; Setting up a dual arrangement with another organisation (a suitable distance away) to share office space in the event of an incident that affects either of you; Providing key staff with remote access to log into systems from home; Installing backup generators and UPS power supplies to cover critical equipment; Holding extended/contingency levels of stock at alternative premises; Holding spare or old equipment or additional spares for critical equipment; Conducting extended due diligence on suppliers to validate robustness.
Whichever strategies and tactical options are chosen, it is important to ensure they are appropriate. Here are a few thoughts to help validate their appropriateness:
n Conduct an assessment to ensure there is an appropriate balance between the speed of recovery and cost. If the latter is too high, then a compromise on RTO/RPO may be required for the product/service.
n Ensure that any alternative supplier or alternative/backup site is at an adequate distance from the main site of the organisation, so it will not be affected by the same threat/incident.
n Ensure that any alternative location is suitably accessible by staff. There's little point in having an alternative site in Barka, if most of the staff live in Wadi Kabir.
n Having alternative suppliers is fine, but the company must ensure their supply routes are separate and cannot be affected by the same problem (e.g., two different telecoms suppliers is fine, but they must not share the same route into the premises; ensure the two suppliers are not sourced from the same wholesaler).
n Having a strategy to purchase equipment (such as PCs, servers, and laptops) after an incident is fine, but if there is a wide-scale incident affecting several areas and organisations in Muscat, it is likely that everyone will be trying to purchase equipment, and there may be reduced supplies as well as delivery delays!
As with the other aspects of BC management, it is vitally important to involve individuals with specialist knowledge (e.g., procurement, capacity planning, IT strategy, premises management, etc.) to ensure the most appropriate strategy and tactical choices are made and to ensure these are regularly reviewed and updated as the organisation changes.
*The author, who has over twenty-five years experience in business continuity, information security and risk management, is the General Manager of Al Mamlakah Services United LLC. This article is the fourth in a series of 10 weekly articles on aspects of business continuity, which will be carried on Monday's edition of Times of Oman.