A 4 stage Approach To Determining A Business Continuity Strategy


Clause 8.3 of the ISO 22301:2019 (ISO 22301) Standard for Business Continuity states that:

“Based on the outputs from the business impact analysis and risk assessment, the organization shall identify and select business continuity strategies that consider options for before, during and after disruption. The business continuity strategies shall be comprised of one or more solutions… strategies and solutions shall meet the requirements to continue and recover prioritised activities within the identified time frames and agreed capacity.”

In other words, the Standard is saying that organisations should develop one or more ways of handling disruptions (i.e. ‘continue and recover prioritised activities’) using the outputs from the required business impact analysis (BIA) and risk assessment activities (Clause 8.2), in order to define their operational requirements (‘within the identified time frames and agreed capacity’).

How do you achieve this? 


The following diagram is well known to many and identifies a continuous improvement model which organisations should adopt to facilitate good resilience and preparedness.

Business Continuity Planning Strategy Diagram

This ‘path’ may seem obvious, but it is surprising how many organisations choose to write their business continuity plans (BCPs), the ‘BCM response’ phase above, without either having fully understood their organisation or determined their high-level strategies.

Whilst ‘Understanding your organisation’ is relatively straightforward, ‘Determining BCM strategy’ can often prove a little more challenging.

To address this phase, here is a simple 4 stage approach you can follow in order to determine effective business continuity strategies for your organisation.

Stage 1

Review existing capability against identified requirement

Once you have agreed the outputs from your BIA, i.e. recovery time objectives (RTO) and resource requirements for prioritised activities, you need to identify whether your organisation can meet or achieve these identified requirements.

Examples of the sort of requirements you need to consider are:

Restoring key applications within 1 hour
Ensuring customers can contact your call centre team within 24 hrs
Ensuring your compliance team can meet legal/regulatory requirements (e.g. reporting to the ICO within 72 hrs of a data breach occurring)

If sufficient capability already exists within your organisation, then you can move to the next stage and start producing plans. Typically, however, this won’t be the case and several gaps will be identified, reflecting the fact that your organisation isn’t able to deal with a disruption as effectively as you would like.

Stage 2

Identify appropriate strategies/solutions

This will probably be the most challenging aspect: identifying how best to fill those gaps. We have often found it beneficial to identify a number of appropriate options, with varying effort and cost. The key word here, though, is ‘appropriate’, in that each option must be fit for purpose and relevant to your organisation.

There are 4 broad types of strategies that can be adopted:

Diversification – Undertaking activities at two or more geographically dispersed locations (including remote/mobile working). This is a suitable strategy where your RTO is a matter of minutes or hours.

Examples would include having identical assembly lines in different buildings or ensuring everyone has a laptop and VPN access to enable remote working.

Replication – Copying resources to enable operations to be recovered quickly at a dormant site following an incident. This is a suitable strategy where the RTO is greater than a few hours.

Examples would include either a standby or fully mirrored data centre or transferring knowledge or key skills across employees, thereby avoiding any single point of failure.

Stand-by – Having a facility available that can be made operational within the RTO. This is a suitable strategy where the RTO is greater than 1 day.

Examples would include having a disaster recovery location, office sharing, or agreements in place with neighbours or similar businesses.

Defer – Deferring operations until the effect of the disruption has passed. This is also a suitable strategy where the RTO is greater than 1 day.

Examples would include closing an office during severe weather or rescheduling a key meeting or postponing a release date.

The output from this stage can be simplified as follows:

1) The requirements are…
2) Our current capability is…
3) As such, our gaps are…
4) The costs and options to fill the gaps are…

Stage 3

Decision making

You need to ensure that any decisions on potential strategies are made at the required level of accountability within your organisation. This often means presenting the identified requirements, current capability, gaps, potential solutions and costs to your board or senior management team, who will need to factor in your organisation’s risk appetite.

It’s important to make clear that no one is under any obligation to choose any of the suggested options. Your organisation is perfectly at liberty to ‘reject’ proposed solutions and accept the risk of not having the capability to meet any identified requirements. The proviso, however, is that the risk has been accepted at the appropriate level. Clearly your strategy and capability need to be communicated internally. Where, for example, your recovery capabilities don’t meet your requirements, your internal teams need to reflect this in their BCPs and find workarounds or solutions to minimise the impact.

In summary, either the costs and resources required to fill any identified gaps are accepted or the risks of not closing the gap are accepted at a senior level and are recorded for future review.

Stage 4

Fixing the gaps

The fourth and final stage of determining your BC strategy assumes you have decided to address some of the identified gaps and now need to implement the decision(s). Examples might include the onboarding of a second data centre, identifying a second supplier, buying key personnel laptops or embarking on a knowledge transfer programme.

Once the BC strategies have been determined, you can then start to develop your BCPs with greater confidence and insight.

In essence, without determining your strategy, any BC plans produced will, at best, simply not account for potential shortfalls against your requirements and, at worst, may not benefit or be of relevance to your organisation when a crisis or incident occurs.