When gathering data for a business continuity plan, disaster recovery plan or any other strategy focusing on business resilience, we typically perform a risk analysis and business impact analysis. Data from those activities helps identify risks, threats and vulnerabilities, and how they might affect an organization. This allows us to create tailored strategies for responding to and mitigating disruptive events.
All well and good, you say. But have you considered taking the processes described above one step further, where you determine the consequences of an identified risk/threat? If you can identify the consequences or outcomes of a specific incident, that data may help you further refine how you respond.
Analyzing the short-, medium- and long-term consequences of an event can help assess and improve the survivability of an organization. Knowledge of the consequences of an event can affect how an organization develops plans, makes emergency arrangements and executes incident response. Below, we cover how to evaluate potential consequences of common disruptions, and demonstrate how you might incorporate consequence management into your existing business resilience strategy.
Assess and manage potential consequences
In the table below, let's take a closer look at the potential consequences of a sampling of disruptive incidents:
As you can see, the consequences of an incident could be significant to the continuation and future of the organization, so they must be examined carefully. Let's examine this further with Figure 1, which depicts a sequence of activities in a business continuity project:
Most of us have performed these activities -- with occasional variations -- in the course of a business continuity and disaster recovery (BC/DR) or business resilience project. But where do we factor in the consequences of our actions? Figure 2 provides a suggested approach for how to add consequence analysis to the planning process:
In the data gathering and strategy development phases, we suggest a consequence analysis component that asks the question: "What are the consequences or outcomes of this incident to the organization, its employees, its customers and its stakeholders?"
In the plan development and exercising steps, we suggest a consequence management component that asks the question: "How do we design and exercise the plan(s) so they will address the consequences as identified in the previous stages?"
And in the final stages of planning, we offer a consequence revalidation activity that asks the question: "How do we update or revalidate the likely consequences of specific events, based on our exercise results?"
We're not suggesting you overhaul your current business resilience plan development process. Rather, we're suggesting that your organization give additional thought and analysis to identifying the short-, medium- and longer-term consequences of a disruptive event. It's possible that identifying the consequences of an incident may suggest additional or alternative approaches to BC/DR activities and the company's response. For example, if long-term consequences suggest possible lawsuits or other costly litigation, not to mention damaging social media attention, it may be necessary to implement an alternate legal strategy for dealing with those consequences.
Factoring in consequence analysis
When a disruption occurs, businesses typically launch responses such as evacuations, damage assessments and coordination with first responders. Assuming the event escalates or does not immediately resolve, the business may launch activities to mitigate the severity of the event and initiate alternate processing arrangements that have been previously defined by the BC/DR team. Figure 3 depicts a possible sequence of activities in the aftermath of a disruptive event:
While this is a high-level approach to incident response, it shows a clear progression of activities with the eventual outcome: a return to business as usual, or as close to "usual" as possible. However, it doesn't really consider short-, medium- or long-term consequences of the event. In Figure 4, let's see how we might integrate consequence management activities into the above process, using the same consequence activities as shown in Figure 2:
We might layer consequence analysis on top of incident assessment and team launching activities to ensure that those activities recognize the possible consequences of not performing an immediate damage assessment, or launching emergency teams before contacting first responders. We might consider consequence management during response, recovery and alternate working activities so we can launch the most appropriate actions in the most logical sequence.
Perhaps most importantly, we consider short-, medium- and long-term consequences of an incident in the course of the activities intended to return the organization to regular business operations. In doing this, we may determine which activities to perform, and whether or not we ought to change the sequence of launching them.