We have reviewed a number of Business Continuity Plans recently that have fallen at the first hurdle because they are based on imagined scenarios and lack the rigour of a systematic Business Impact Analysis. Scenario-based Business Continuity Plans assume that planning can be built around the activities required to manage a specific event. No matter how many scenarios are envisaged (and the number can become quite large, particularly when a combination of scenarios is considered), real life events have an annoying habit of not following carefully prepared scripts. Developing scenarios for Business Continuity Plans is time-consuming and can be a distraction from the real purpose of the plan.
However, scenario development does have a useful role in developing exercises to test Business Continuity Plans. Testing is vital to ensure that the Business Continuity Plans are robust and that those with BC responsibilities have the opportunity to practise their roles. But an exercise becomes futile if the participants are merely following a script set out in the Business Continuity Plan with none of the stresses and strains that an actual event will generate. So what is the right approach?
No short cuts
There are no shortcuts to developing effective Business Continuity Plans. Where the initial driver is to satisfy the demands of the organisation’s customers or insurers for a plan, there may be a temptation to use a template as a quick and cheap way to get a Business Continuity Plan written. However, this tick-box approach is likely to prove a false economy and will not result in a truly resilient organisation. As many as one in three companies fail after suffering a catastrophic event, and the reputational damage of failing to recover from a major incident is often a painful and expensive experience for all types of organisations. Business Continuity requires an appropriate level of commitment and resources.
Business Continuity is not usually a mainstream skill in many organisations, and involving a Business Continuity specialist can prove invaluable. An experienced specialist is able to challenge the business units of the organisation – including the executive level staff – on their requirements and to ensure that each business function considers the rest of the business when making decisions on the criticality of the systems, applications and other resources they require. A specialist can also ensure the plans are developed in a robust way so that they are ready for accreditation for ISO 22301 if, or when, that is required.
True Business Continuity Plans should focus on impacts, not causes. Organisations should develop a Business Continuity Management System to document the strategies and procedures that will be activated in response to a disruptive incident, as well as how to operate in recovery mode until the organisation is able to return to normal operations. The documentation of a Business Continuity Management System includes a Business Continuity Strategy, Policy, Incident Management Plan and departmental Business Continuity and Recovery plans.
Business Impact Analysis
The foundation of a Business Continuity Management System is Business Impact Analysis. Good Business Continuity Plans are the result of rigorous analysis. Most Business Continuity specialists will employ software tools to conduct Business Impact Analysis consultations efficiently and systematically. One of the prime goals of Business Impact Analysis is to identify the most important products and/or services of an organisation and the critically important assets needed to maintain business continuity: processes (and their Maximum Tolerable Period of Disruption), systems (including Recovery Time Objectives), the people with essential skills, and dependencies between departments and on key suppliers and service providers.
However, Business Impact Analysis is only a means to an end, i.e. an organisation that is sufficiently prepared to continue in business. A Business Impact Analysis report has no value if it is not used to inform the organisation’s Business Continuity Management System. Some are now advocating an Adaptive Business Continuity that does away with Business Impact Analysis. This may be appealing to organisations that are becoming more agile (for reasons other than Business Continuity) but the jury is still out. The serious consequences of not dealing effectively with catastrophic events demand firm evidence that this new approach will provide robust Business Continuity, as so much is at stake.
Risk assessment, the likelihood of the loss of key operational facilities and the impact of their loss, is a key part of Business Impact Analysis and is a mandatory component of ISO 22301:2012. While they share the common goals of identifying, assessing, and managing risks, Business Impact Analysis is not the same as corporate Risk Management.
- Risk Management enhances an organisation’s ability to make risk-informed decisions so that the organisation can achieve its strategic goals.
- Business Continuity Management’s mission is to enhance enterprise resiliency by identifying and responding to potentially catastrophic events that could overwhelm the organisation’s operational resilience.
To give practical examples of how the measures are different: the threat of a merger of competitors, or changes in legislation, would be considered as part of a Risk Management plan while the consequences of a major fire would be addressed in a Business Continuity Plan.
In summary, to develop business continuity capabilities, Business Continuity Planning should be based on the loss or unavailability of key resources, regardless of the circumstances. By focusing plans on recovery/restoration of critical assets, it is possible to create plans based on impacts, not causes. Mapping the dependencies of the organisation’s most important products and services (those on which your customers rely) in the planning phase provides the intelligence needed to create plans for the impacts on critical assets. When the options for reacting to the loss of an asset are known, it no longer matters why it is unavailable, and there is no longer any need to think about planning for scenarios.