What you will learn in this tip: Explore another way to organize a business continuity management (BCM) plan, with...
advance knowledge of the risks and outcomes to be addressed. This exercise shows that a successful BCM activity doesn't always have to follow the traditional sequence of activities.
Business continuity management programs traditionally follow a specific sequence of activities. Once the project has been approved and funded, you begin with either a risk assessment or business impact analysis (BIA). Depending on your view, either is acceptable as a next step. Once the BIA/risk assessment is done, the next step is to define strategies for recovery, resumption of business, and other key activities. Often we insert incident management and emergency response activities in here so that you'll know what to do if something happens. Once the strategies are done, the business continuity plan is completed. Following that are exercising, awareness and training, maintenance, integrating the plan into the company culture, and review/audit of the plan/program. The above sequence can be found in all current business continuity standards, and is highlighted in Figure 1 below (click on image for full size). It makes good sense. But is it the most advantageous way to build a business continuity management program?
Figure 1: Business continuity management activities
When embarking on a business continuity management program, the final result is usually not determined until after all the above activities have been completed. Suppose you faced a situation where management already knew the outcome they wanted for the business continuity management program. Suppose also that the scenario the plan/program will address is already identified. (Typically this is determined jointly by the risk assessment and BIA.) For example, suppose management decided that the business continuity management activity was to address the worst possible scenario -- something that would destroy the firm's ability to function. A good example is the loss of a major location, such as a headquarters complex. One example might be an earthquake; another might be a severe hurricane.
Business continuity management planning in reverse
Let's examine what may be an alternate way to conduct a business continuity management process. Let's assume management (or whoever approves and funds the project) wants the plan to respond to an incident that could -- in a very real sense -- destroy the business. Suppose the focus is the total loss of a key business location, such as headquarters. How would you develop such a plan and response? See Figure 2 below (click on image for full size).
Figure 2: An alternate look at business continuity management
Let's consider reverse-engineering a business continuity management program. We know the outcome, at least in terms of the situation the organization would face. We also know that the severity of the incident is such that the organization's key location -- without proper protection -- could be destroyed.
We don't really need a risk assessment, as we know the expected event and outcome. (It may be useful to consider various risk treatments, such as insurance, but the cost of insurance for such a major event may be prohibitive.) A BIA can be useful to help identify interdependencies and the financial impact of such a loss.
Clearly, we can focus initially on strategies for business recovery and resumption. If the organization's primary location is destroyed, and no strategies and advance preparations have been made for such an event, the business could indeed fail.
We can now focus on the actual business continuity management plan and supporting program as we know the outcome of the incident. We also know management's goal in such an event: recovery and resumption of the organization. The plan will need fundamental steps, each with associated procedures, contacts, primary and alternate suppliers, and even alternate staffing sources. Alternate locations may need to be identified, and advance arrangements may be needed from a real estate perspective.
Once the fundamental steps for initiating recovery and resumption have been defined, incident management and emergency response activities can be defined. Obviously these activities precede full recovery and resumption (R&R), but they can wait until the primary R&R steps have been defined.
Finally, after the primary activities -- strategies, response and resumption plans, and emergency activities -- have been defined, traditional business continuity activities (exercising, awareness and training, maintenance, review/audit) can be performed.
IT recovery and resumption
Parallel to these activities it's desirable to develop a technology recovery and resumption plan. Developed in parallel with the business-level recovery and resumption activities, the IT R&R initiative should support all technology requirements of the organization. Most likely it will be executed in parallel with the business R&R plan.
About this author: Paul Kirvan, CISA, CSSP, FBCI, CBCP, has more than 20 years experience in business continuity management as a consultant, author and educator. He has been directly involved with dozens of IT/telecom consulting and audit engagements ranging from governance program development, program exercising, execution and maintenance, and RFP preparation and response. Kirvan currently works as an independent business continuity consultant/auditor and is the secretary of the Business Continuity Institute USA chapter and can be reached at firstname.lastname@example.org.