Do the standard BC models leave organisations that are developing their first plans vulnerable for too long?
By David Honour, editor, Continuity Central
Every business continuity model that I have seen starts in the same place – by using a business impact analysis and risk assessment to determine the vulnerabilities that the business faces and the level of threat that these vulnerabilities present.
To look at one example, take PAS 56, developed by the British Standards Institution as a precursor to a full British Standard:
PAS 56 states that the first stage of the business continuity lifecycle is ‘Understanding your business’. This involves first identifying your mission critical activities (MCAs) by asking the following five questions:
What are the key business objectives?
What outputs or deliverables (i.e. products or services) are required in order to meet these business objectives?
When do the business objectives need to be achieved?
Who needs to be involved (both internally and externally) to achieve the business objectives?
How are the business objectives going to be achieved?
After determining what your MCAs are, you then should:
Identify the internal and external dependencies for the MCAs;
Identify the single points of failure of the MCAs;
Identify the internal and external influences that may impact upon MCAs.
PAS 56 states that there are two means by which the above can be achieved, namely the business impact analysis and the risk assessment.
In a recent conversation that I had with UK-based business continuity consultant Tim Armit, Tim made the point that the above model may be all well and good as a process, but it does not address the real needs of companies that are starting the business continuity process for the first time. Such businesses need *immediate* protection. Any organisation which is developing its initial business continuity plan has realised that, in some areas, it is probably vulnerable to disruption from disasters and crises. If that organisation goes through the standard business continuity process, it will remain vulnerable for months, perhaps years, while its business continuity manager(s) and consultants go through a lengthy information gathering and assessment stage. Every day that passes while the BIA and risk assessment are being conducted is another day when the vulnerabilities of the business in question remain unmitigated; every day that passes is another day when the business remains unprotected.
The traditional business continuity process makes sense on paper; but does it address the real-world needs of businesses for rapid protection from threats? The answer, I’m afraid, is ‘no’.
Where does that leave us? Let’s return to our hypothetical business which is just commencing the business continuity process. Tim Armit’s suggestion, and one which I agree with, is that the first step should not be to conduct a BIA; it should be to conduct an exercise. Any business manager worth his/her salt will be able to quickly identify the major disaster scenarios which could affect his/her company. Use these as the basis of a business continuity exercise: run the scenarios, record the results, and you will almost immediately have a rough-and-ready idea of the major vulnerabilities faced by the business and the immediate mitigation steps that need to be put in place. By following this route the business can very quickly protect itself against the major threats it faces. *At this stage* it can conduct the business impact analysis and formal risk assessment to identify the less obvious threats and vulnerabilities, and then it can progress the rest of the standard business continuity lifecycle safe in the knowledge that it has at least covered its main bases.
One argument against the above suggestion is that it makes the rest of the process messier: there is a risk that initial investments in mitigation measures may not turn out to be the ideal solution, with additional costs being incurred as a result. That’s a business decision that must be made: whether to risk spending more in the long term but ensuring that the business is protected much earlier in the process; or taking the risk of remaining vulnerable for longer in the hope that this will save money in the long term.
Continuity Central would very much welcome your feedback on this article. Please e-mail editor@continuitycentral.com
Tim Armit will be speaking at City and Financial’s ‘Business continuity and disaster recovery in the financial services sector’ conference, which runs from 26th – 27th January in London.
READER COMMENTS:
I enjoyed your article:
I have used this method of developing initial continuity and recovery plans with great success in the past and have made several presentations to user groups. The results have been quite successful and have not limited further refinement of the plan and the conduct of a full BIA. Business people innately understand the requirement to get “something or anything” in place as quickly as possible. I call it “Backwards BCP” because we start at the end and work backwards. The order of activities being: Exercise, Initial plan development, Project planning, RA/BIA, Final plan development.
My first attempt at this method was while an employee of a large telecommunications company in Canada. Subsequently it has been used for clients in my role as a BC consultant/coach.
Brian Miller CBCP, President, Vanguard EMC Inc
In answer to your question "Does the business continuity model start in the wrong place?" I would answer yes, and would agree with many of your comments.
In my experience, organisations that introduce business continuity do so either because they have been told to by a regulator, insurer, major customer, or other such key stakeholder, or because someone at or near the top of the organisation is genuinely concerned about what would happen if a serious incident disrupted the organisation. The focus for most organisations when introducing business continuity is, in my opinion quite rightly, the development and deployment of an effective business continuity plan. Readers may recall that I have previously argued that if this takes more than 3 to 6 months to complete, then the plan will be out of date before being deployed and will need to be reworked.
So, in my experience, I would say that the starting point is usually the need to develop a business continuity plan, and that this needs to be deployed within 3 to 6 months. However, the starting point for the development of a business continuity plan should, in my opinion, be a business impact analysis exercise.
Having said this, I don't think that the identification and the analysis of risks needs to form a part of that business impact analysis. Why do I say this? Well, quite simply, the important point for any organisation introducing business continuity is to deploy an initial business continuity plan that can effectively meet the need of the organisation to have a contingency plan to follow in the event of an incident that causes serious disruption - irrespective of what caused that disruption. Later on the plan can be refined to enable the organisation to respond to specific events, but for that initial plan a full analysis of risks and development of responses just takes too long.
Mel Gosling, Merrycon Ltd
Having spent the last two years working in Saudi Arabia, Kenya, Dubai and Turkey, I can assure you that starting with a scenario exercise would have been a disaster as it would not have revealed the real and more probable risks that most of the companies I worked for faced. These were identified once we dug into the analysis and had face-to-face meetings with the business areas. I'm a great believer in scenario exercises but see them as vital to fine-tuning the plans once they have been written. When business units actually run through their plans against a specific scenario, more often than not, tasks which have been forgotten or ignored because they were initially thought to be unimportant suddenly take on new meaning. Running scenarios against fires, floods, bombs, etc. is all very well, but when you think that they very seldom occur in most companies, it makes much more sense to do the analysis and then create scenarios that actually relate to the business and that the participants can immediately identify with.
Bill Ogilvie, senior consultant, SunGard Availability Services (UK) Limited
Early in my contingency planner incarnation, the very thought this article presented occurred to me, though in a slightly different vein. In a "previous life" (career), I was in financial planning, and coursework aimed at a certification included risk management. The core idea I developed was that insurance policies, as a loss mitigation measure, could be "bound" by the underwriting insurer when sufficient information about the risk was disclosed. For example, I buy a car, call my agent and say, "I bought a Lexus..." and he binds (commits) coverage immediately.
Applying this principle to enterprise contingency planning, I co-opted the military term "Rapid Deployment" to business continuity planning to describe a process of quickly "inoculating" a client's executive management team with vital contingency planning concepts they could apply in the interim, while the comprehensive business continuity process went through the ‘traditional’ model.
I still believe strongly that Rapid Deployment BCP is an excellent method for providing interim mitigation while working on ‘real plans’.
Gregg Jacobsen, CBCP
There is a detailed manual that covers the many parts that go to make up my car which shows how they all fit together and interact. However, when I take it to a garage the mechanic goes straight to the apparent source of the problem to effect a repair - he does not read right through the manual.
As a profession we need both the intellectual framework which shows how the whole discipline fits together and the certificated skills to know what will achieve quick wins when initiating a business continuity programme.
Exercises, training, plan writing may be done in the opposite order to that in the business continuity management model for pragmatic reasons - but the model provides the overall framework for a complete BCM implementation. PAS56 may not be perfect but it does for the first time provide that framework, and the BCI will be working with the BSI to refine it over the next few months.
Whilst a 'likely scenario' exercise can be an effective initiator to develop a programme, to use these scenarios as the main plank of a business continuity strategy seems to worryingly confuse the very different methods of risk management, business continuity management and crisis management. To relegate the BIA 'to identify(ing) the less obvious threats and vulnerabilities' seems to misunderstand its purpose and understand its power as a tool for planning for unexpected but catastrophic events.
An experienced practitioner will be suggesting risk-mitigation and reduction measures while a BIA is being conducted - and that need not be a long process. However, the tools of business resumption - alternative facilities, phone redirection etc. - often involve significant costs and long-term commitments. It is important to get these right at the start, otherwise both morale and the bottom line can suffer.
Ian Charters, FBCI, Continuity Systems Limited
Thanks for this article. I absolutely agree that rehearsal or scenario testing is often the most relevant place to start a business continuity programme within an organisation. It can be used as a start point for organisations with unproven BCP (or none at all) and is increasingly a good way of kick-starting or refreshing a programme within an organisation with a more mature programme.
Rehearsal or scenario testing is one of the most powerful tools in the business continuity toolkit, and if handled correctly, can be the lynchpin of the BCP 'cycle'.
Angela Dees

Date: 21st January 2005 • Region: World • Type: Article • Topic: BC general