In a previous article on SearchDisasterRecovery.com, I compared two leading business continuity standards: NFPA
1600 vs. BS 25999. Given the growing concern about compliance with standards, we decided to examine documents that go beyond stating simply what needs to be done. We searched for and reviewed documents that explain how to conduct business continuity activities. Regrettably, there are few publicly available documents of this type available.
Most standards and guidance documents let users decide how to perform specific business continuity tasks. The documents we examined are the DRI International (DRII)/Disaster Recovery Journal (DRJ) Generally Accepted Practices (GAP) and the Business Continuity Institute's (BCI) Good Practice Guidelines (GPG).
Let's begin by comparing the processes associated with performing a risk assessment, a key activity in the early stages of a business continuity plan.
- Identify and define all potential risks to the process/functions to include regulatory, legal, operational, technological, financial, informational and physical security. Geographic characteristics may also need to be factored in.
- Define applicable threats to the enterprise, such as hurricanes, tornadoes, floods, wildfires, civil unrest, acts of terrorism, mass transportation breakdowns, utility failures, etc.
- Assess the probability of the threat.
- Assess the impact from the threat.
- Quantify/qualify the threat into a risk matrix.
- Identify potential mitigations to reduce, eliminate or transfer the risk.
- Tabulate a scoring system for impacts and probabilities and agree with the project sponsor.
- List threats to the urgent business processes determined in a business impact analysis (BIA).
- Estimate the impact of the threat on the organization using a numerical scoring system.
- Determine the likelihood (probability or frequency) of each threat occurring and weight according to a numerical scoring system.
- Calculate a risk by combining the scores for impact and probability of each threat according to an agreed formula.
- Optionally prioritize the risks according to a formula that includes a measure of the ability to control that threat.
- Obtain the organization sponsor's approval and sign-off of these risk priorities.
- Review existing risk management control strategies, noting where the assessed risk level is out of step with the current risk management strategies for that threat.
- Consider appropriate measures to:
- Transfer the risk, e.g., through insurance.
- Accept the risk, e.g., where impact/probability are low.
- Reduce the risk, e.g., through the introduction of further controls.
- Avoid the risk, e.g., by removing the cause or source of the threat.
- Ensure that planned risk measures do not increase other risks. For example, outsourcing an activity may decrease some types of risk by increasing others.
- Obtain the organization sponsor's approval, a budget and sign-off for the proposed risk management controls.
Next, let's compare the process for defining business continuity strategies:
- Engage in a dialog with management on reporting process within the organization and expectations.
- Develop or utilize an existing reporting format that is meaningful to direct management, including status, activities for the next period, risks, constraints and potential problems.
- Review the risk assessment(s) when selecting a strategy to ensure that there are no conflicts.
- Summarize risks and continuity timelines and present to senior management project timelines for approval of strategies that are developed.
- Request approval of strategy from a direct manager.
- Seek advice on content for the next approval level.
- Put together appropriate content change for the next approval level.
- Repeat until final approval is achieved at the senior management level.
- Utilize the information in the BIA, ensuring that new critical processes and/or systems are identified.
- Review the "worst-case scenario" for which these strategies might apply.
- Ensure location and human resources issues; environmental risks, customer/supplier chains, etc., are taken into consideration when developing the strategies.
- Have a full understanding of risk acceptance and how it may affect this strategy.
- Identify vital records throughout the organization.
- Understand retention periods for vital records, including electronic and paper.
- Define key aspects, such as location, method and security, for backup and/or storage of vital records.
- Ensure that senior management accepts the program for vital records retention.
- Develop system and data backup strategies that will meet the recovery point objective from the BIA requirements for each critical system identified.
- Review internal resources (e.g., multiple locations with like business functions and technology).
- Search out external business resources using processes such as requests for information, queries to professional organizations, etc.
- Review the following types of recovery alternatives and be prepared to make recommendations:
- Alternative sites or business facilities.
- Cold, warm or hot sites.
- Drop-ship/quick-ship agreements.
- Manual procedures.
- Mobile trailers.
- Reciprocal agreements.
- Work from home.
- Note: List may not be all inclusive.
- Form a business continuity management strategy team.
- Identify the organization's business strategy, objectives and legal and regulatory requirements, and understand how a continuity strategy will support these objectives.
Most standards and guidance documents let users decide how to perform specific business continuity tasks.
- If a BIA has been conducted, ascertain the effects of a loss of product and services and review its scope, assumptions and findings.
- Consider the strategy for each product and service.
- Provide members of executive management with the report, so they can choose options based on the organization's current and future business strategy.
- Ensure the agreed outline option is signed off by executive management, including the financial and resource provisions.
- Implement an ongoing process to ensure that the strategy is reviewed.
- Utilize some of the following tools to develop the organization's business continuity management strategy:
- A BIA.
- Strategy planning tools.
- Benchmarking against appropriate national and international standards.
- Political, environment, social and technical analyses.
- Cost-benefit analysis (including stakeholder, legislative and regulatory assessment).
- SWOT analysis (strengths, weaknesses, opportunities, threats).
- Financial planning and management.
As you can see, the steps to address these two activities vary greatly, despite the fact that their ultimate outcomes should be virtually the same.
In this article we have compared two well-known guidance documents that provide more than simply what should be done in a business continuity (BC) project. While the amount of process-level detail is still perhaps not as extensive as we might like, these two documents show that "how-to" information is certainly available and can help you progress through a complex BC planning process.
Paul F. Kirvan, FBCI, CBCP, CISSP, has more than 20 years' experience in business continuity management as a consultant, author and educator. He is also secretary of the Business Continuity Institute USA Chapter. Write to him at firstname.lastname@example.org.