WELCOME TO THE CONTINUITY CENTRAL ARCHIVE SITE

Please note that this is a page from a previous version of Continuity Central and is no longer being updated.

To see the latest business continuity news, jobs and information click here.

Business continuity information

Maximum tolerable period of disruption: a new definition

Comments by Continuity Central readers

In a recent article Mel Gosling argues that the current definition of the term maximum tolerable period of disruption (MTPD) not only causes confusion, but is actually wrong, and needs to be replaced by a definition that will ensure that the concept is both readily understood and used as originally intended.

Mel's article has generated a lot of responses from readers: these are published below. They have been spell and grammar checked but are otherwise unedited.

Add your own comment

I read Mel Gosling’s article with great interest. As a practicing business continuity consultant, it has often struck me that the current definition of MTPD was not quite right, but it wasn’t until reading Mel’s article that I realised why.

As Mel points out, practical application of the MTPD concept inevitably does result in the definition being warped to “the point at which the impact is too great”. Using this alterative definition is particularly of use when examining sub-parts of business processes as it is often very difficult to determine the overall impact on the business of a failure in a small element of the process; whereas it is relatively easy to assess the localised impact.

Gareth Howell
Business Continuity UK

rule

Mel makes a interesting point, and there have been recent and lengthy discussions in several columns regarding the actual “in practice” meaning of certain BCM terms…

I would however challenge that the BCI GPG’s "irreparably damaged" and Mel's "becomes unacceptably large" do not represent the same point in time.

The MTPD is talking about the 59th second of the 59th minute of the 11th hour before your company goes under. A precipice I think none of us would be comfortable with getting to before the lights come back on.

If I'm correct, what Mel is describing is a point that might be somewhat short of the MTPD, and I'm sure there would be a period of increasing discomfort prior to the maximum tolerable being reached. There is a world of difference between ‘uncomfortable for your company’ and its death.

Obviously for all scenarios you would want to be having your RTO within your MTPD. If you reset your "Max" time as Mel is suggesting to a point earlier than your actual MTPD then similarly the RTO must move forward in time accordingly. If this is the case then you are, for instance, likely to be investing in unnecessarily expensive recovery systems or, conversely, robbing your resources of the time available to recover your business.

I would therefore respectfully suggest that Mel's new MPTD is in fact the old RTO.

Peter Morris
Business Continuity Coordinator

rule

I agree with the message in Mel Gosling’s article. I have also found that, in the majority of BIAs, interviewees are not able to identify the point at which the organisation’s viability will be irreparably damaged, or the level of impact at which this occurs.

However, as most people relate to their tasks within their specific business function or unit, they usually can identify the point at which the non-delivery of a product or service becomes unacceptable for their business function (within the organisation). With this in mind, I suggest a further amendment to the definition:

“The duration after which the impact on a business function organisation caused by the non delivery of a product or service becomes unacceptably large.”

Bernard McGee
SMS Business Continuity Consultant

rule

Mr. Gosling makes good arguments in favor of his revised definition of MTPoD. Why not make the definition even simpler with the following: “The duration after which the impact on an organization caused by the non-delivery of a product or service becomes unacceptable.” How is "large" defined? As opposed to what: small? medium? moderately large? very large? Keeping the definition as "unacceptable" leaves no doubt as to the severity of the incident. And the organization should certainly be able to define what is unacceptable.

Paul Kirvan, CISA, FBCI, CBCP
Paul Kirvan Associates

rule

In baseline we go back to the question: what is your risk appetite and when will the non-availability of your services hit this risk appetite?
Sounds to me like an old definition of the RTO / Recovery Time Objective?
So the MTPD is the RTO at service level?

Henny Raadschilders
Triple A security

rule

The most useful way to describe MTPD is the point your organisation is proverbially 'up the creek without a paddle'. I have yet to find one person who can’t work with that description when discussing their 'critical' functions.

Anonymous

rule

Mel has totally understood the problem with MTPD and has articulated it far better than I ever could. Excellent article.

Colin Gordon
Bydand Consultancy

rule

I concur with many of Mel’s points regarding the difficulty in accurately calculating the MTPD under the GPG definition and suggest there are additional contributory factors, that when entered into the equation increase even further the difficulty of arriving at a finite point where irreparable damage occurs to a business.

Companies serving multiple end users with multiple services and products often have the ability to invoke plans that allow for the selective allocation of those products and services on a priority basis. This is often pre-determined by contract value, retention of market share or contract renewal status to name but a few and not a first come first served basis, this situation can often extend the MTPD or, through effective and timely communications with the off takers transform the MTPD into a dynamic entity that can shift forward and back along the impact curve as reactive interventions are employed. The success or failure of these interventions and therefore the position of the MTPD cannot always be pre-determined, and depend to a degree on the responses of the service users.

The concept of MTPD is sound and remains an integral part of BCM, but it should be used correctly and the time taken to gather data, calculate and produce MTPDs for all business functions should show a return on this investment by actually being of use to those managing a BC event and not be just another thing to tick off as completed against, for example, BS25999. Approaching the calculation in this manner leads to someone (as I have seen in some organisations) simply stating “add a couple of hours to the RTOs and we have the MTPDs”). I have no burning desire to change definitions neither do I defend the current one, I do however feel that whatever tools are used to develop a robust and resilient business continuity plan should be used because they genuinely assist in that process. The survey showed a distinct lack of understanding of MTPDs and some mixed views on their value, I would suggest that those with BC management responsibilities should ask themselves how often they actually refer to the MTPDs when managing an incident and what real difference looking at them made.

Bill Simpson
Sembcorp Utilities (UK) Limited

rule

It is interesting to see the continuing debate on MTPD. It seems to me that the incredible value of the concept is gradually being recognised, but there continues to be difficulties with the detail and implementation. As I believe the MTPD is a critical component in the development of cost effective BCPs, I would like to add the following for consideration.

The latest discussion article in Continuity Central by Mel Gosling appears to me to go a long way towards raising the issue for further debate. However, there still seems to be a tendency to lean towards such terms as ‘irreparably damaged’, or ‘unacceptably large’ for business viability as the basis for establishing the MTPD. These in themselves are somewhat difficult to define for different organisations.

MTPDs at the business level, (also in the form of RTOs (Recovery Time Objective) at the Mission Critical Activity (MCA) level) have often been derived for critical activities from individual department levels, or assessed from a technical perspective, or even from an assessment of the impact involving major damage following an assumed physical scenario resulting in loss of operation. Managers at each level often have their own views of what is critical and important, without necessarily looking at the wider picture. This often results in a wide range of perceived MTPD/RTO from each area of activity that may not necessarily be related to the overall key survival drivers of the business.

Ultimately, however, for any business when income earned becomes less than the fixed operating costs over time, the business will eventually fail unless some continuity strategy is in place to either lower costs, or maintain income above a minimum level. As Mel, correctly points out, establishing the time at which such a state of ‘irreparable viability’ is reached may not be evident for some time after a disruption, if at all. The fact that many individual companies have functioned at an accounting annual operating loss for many years supported by financial institutions, or ‘creative’ accounting from parent companies, is testament to the difficulties in deciding at what point a business has incurred ‘irreparable damage’ to its viability.

The study by Knight and Pretty (1996) on the reasons why businesses failed after a disaster attempted to relate the quality of risk to the business failure through the lack of an effective management response at the time of a disruption. However, the underlying implication for the ultimate failure of the businesses involved seemed to me to suggest that it was more to do with the weakness of the financial position of the company involved and their inability to maintain cash flows, rather than being wholly due to the response (or lack of) by management to the particular disruption.

In the days when I undertook BIAs for global multinational organisations, a first step in developing value-add BCPs for the business was to identify very quickly what the organisation’s management considered to be critical to the future of their own business. Specifically, to identify what were the strategically important deliverables for the business, how, where and to which markets they were delivered and to establish the business objectives (if any) of the company. It was in these areas that BCPs needed to be focused to obtain the greatest return on the investment from any following BCM activity within the organisation. In many cases, but not all, it was interesting to note that the income sales/profitability profile often followed the Pareto Principle, where 80% of the profitability was often derived from 20% of the product/deliverables.

This generally meant starting with an overview of the business: From the sales department (e.g. products, markets and customer delivery models), moving on to finance (e.g.: profitability) and then into the various operations (e.g.: MCAs (Mission Critical Activities)) which were required to deliver the identified key deliverables. Knowing what these primary income generators were, where they were made within the company’s organisational framework, how they were produced, their method of delivery to the customer base and what were their key internal and external dependencies, including critical suppliers (e.g.: single source, unique deliverables, difficult to replace), enabled the financial dependency of critical MCAs throughout the entire supply chain for the company to be mapped. This analysis enabled the priority of action to be established and the associated vulnerabilities of each activity to be evaluated. The BCP could then ultimately be targeted at safeguarding less than 100% of the company’s deliverables, and still achieve significant financial benefit for management at a much lower cost for BCM activity.

The mapping process provided the basis on which to evaluate how the various MCAs could be made more resilient to support the delivery of the company’s strategic objectives. This resulted in BCPs that were developed for the critical activities at each layer within an organisation at the strategically important locations. These business continuity strategies could range from adjustments to marketing strategies such as re-prioritising markets for deliverables that were unaffected by the disruption, implementing financial incentives such as discounting or substitution for key customers, to adjustments in operational production output and processes of other products or deliverables from alternative sources. All these business continuity strategies have the same objective: Namely to ensure critically important customers and markets are retained to ensure a sufficient level of income was maintained for the business while the disrupted operations were being restored to an acceptable service level. This meant that, although the MTPD (RTO at the activity level) could differ at the individual internal organisational level, they all needed to be aligned to deliver on the same MTPD for the delivery of the product/service at the external customer level.

In effect, the MTPDs from the BIAs were able to direct the BCPs to develop action responses that focussed on how to safeguard those individual internal activities that were critical for achieving the strategic objectives and minimum income streams set for the overall business by the management. The analysis used the concept of :

1. ‘What do we need to do to ensure that sufficient income revenue continues to be obtained from the deliverables to our key customers to maintain the business into the future, whatever may be the cause of a disruption’ to a critical activity.

Rather than:

2. ‘How can we restore the business to normal levels within an acceptable period of time in the event of assumed significant damage to ‘business viability’

The difference between Q1 & Q2 above is that the BIA establishes a positive means of managing the impact to the business to within established strategic business plan objectives using the MTPD whatever the cause of disruption may be, whereas Q2 focuses on managing potential causes and determining what action is needed to restore damaged operations to normal service levels within a minimum period of time (e.g.: MTPD) based on the assumption of “irreparable damage” to the viability of the business. Both statements apply the concept of MTPD (and/or RTO) in establishing the BCP parameters, but Q1 directly relates the concept to support the company’s business plans as part of the business planning cycle through improved resilience.

This difference is key towards safeguarding a business overall, as it removes the ‘what-if’ scenario quantification thinking from a location based review (unless it is a single location business), so typical of an insurance company approach, and into a more holistic focus on the business as a whole. It takes into account more of the financial and external marketing implications to the business review by considering the entire supply chain of key deliverables and the impact on their customers, rather than being limited to an evaluation on the viability of a business from the internal damage to the bricks and mortar at any location. After all, physical damage at a location is but one of numerous potential causes of a disruption and loss of income for an entire business.

The quantification of MTPD should therefore be established from the company’s key strategic products and/or markets and how the revenue profile achieved for the company from key customers would be impacted by them not receiving the deliverables. Such a quantification at each critical activity level within an organisation will vary depending on the industry, the company’s management perspective, the customer expectation delivery profile (e.g.: next day delivery vs. delivery in months or minutes), market competition, seasonality and life-cycle of the deliverables pertaining to the particular industry under review.

The current definition appears to be based on an analysis of difficult to establish assumptions, whereas the above is more of a positive approach towards establishing a higher level of overall business resilience from a knowledge of customer behaviour profiles for the industry and the needs of the business. It therefore suggests to me that the definition of MTPD should move away from the idea of using time to restore disrupted operations/activity based on assumed ‘irreparable damage’ to the business viability and into a definition that is more reflective of an established criteria from management that enhances the resilience of the business. This will ensure the customer delivery of strategic deliverables for the business as part of the management’s strategic business plans and business resilience.

In all cases, however, the objective of the quantification should be to ensure that whatever disruption incurs anywhere within the supply chain for however long, including at critical suppliers, and at whatever time in the delivery cycle, the company has sufficient built-in resilience for the MCAs along the entire supply chain network to ensure the strategic objectives for the key external deliverables set by the management can still be delivered at an acceptable cost to the business.

The financial impact from a disruption in the supply chain should then be able to be managed in a positive manner that reflects the company management’s objectives so that the particular business can be better prepared to survive most disruptions.

Graham Goodenough

•Date: 11th Jan 2011 • Region: UK/World •Type: Article •Topic: BC general

Business Continuity Newsletter Sign up for Continuity Briefing, our weekly roundup of business continuity news. For news as it happens, subscribe to Continuity Central on Twitter.
   

How to advertise How to advertise on Continuity Central.

To submit news stories to Continuity Central, e-mail the editor.

Want an RSS newsfeed for your website? Click here