Clause 8.3 of ISO 22301:2019 (ISO 22301), the international standard for business continuity management systems, states that:
“Based on the outputs from the business impact analysis and risk assessment, the organization shall identify and select business continuity strategies that consider options for before, during and after disruption. The business continuity strategies shall be comprised of one or more solutions… strategies and solutions shall meet the requirements to continue and recover prioritised activities within the identified time frames and agreed capacity.”
In other words, the Standard requires organisations to develop one or more ways of handling disruptions (i.e. of continuing and recovering prioritised activities), using the outputs of the mandatory business impact analysis (BIA) and risk assessment (Clause 8.2) to define their operational requirements (the ‘identified time frames and agreed capacity’).
How do you achieve this?
Business Continuity Planning Strategy Diagram
The following diagram is well known to many. It shows a continuous improvement model that organisations should adopt to build resilience and preparedness.
[Diagram: Business Continuity Planning Strategy]
This ‘path’ may seem obvious, but it is surprising how many organisations write their business continuity plans (BCPs), the ‘BCM response’ phase above, without first having fully understood their organisation or determined their high-level strategies.
Whilst ‘Understanding your organisation’ is relatively straightforward, ‘Determining BCM strategy’ can often prove a little more challenging.
To address this phase, here is a simple four-stage approach you can follow to determine effective business continuity strategies for your organisation: establish the requirements, assess your current capability, identify the gaps, and cost the options for closing them.
The requirements come from the BIA and risk assessment: which activities are prioritised, how quickly each must be resumed (its recovery time objective, or RTO) and at what capacity.
If sufficient capability already exists within your organisation, you can move straight on to producing plans. Typically, however, this won’t be the case and several gaps will be identified, reflecting the fact that your organisation isn’t yet able to deal with a disruption as effectively as you would like.
There are four broad types of strategy that can be adopted:
• Diversification – Undertaking activities at two or more geographically dispersed locations (including remote/mobile working). This is a suitable strategy where your recovery time objective (RTO) is a matter of minutes or hours.
Examples would include having identical assembly lines in different buildings or ensuring everyone has a laptop and VPN access to enable remote working.
• Replication – Copying resources to enable operations to be recovered quickly at a dormant site following an incident. This is a suitable strategy where the RTO is greater than a few hours.
Examples would include a standby or fully mirrored data centre, or spreading knowledge and key skills across several employees so that no individual is a single point of failure.
• Stand-by – Having a facility available that can be made operational within the RTO. This is a suitable strategy where the RTO is greater than one day.
Examples would include having a disaster recovery location, office sharing, or agreements in place with neighbours or similar businesses.
• Defer – Postponing operations until the effect of the disruption has passed. This is also a suitable strategy where the RTO is greater than one day.
Examples would include closing an office during severe weather or rescheduling a key meeting or postponing a release date.
The output of the four stages can be summarised as follows:
1) The requirements are…
2) Our current capability is…
3) As such, our gaps are…
4) The costs and options to fill the gaps are…
It’s important to make clear that no one is under any obligation to choose any of the suggested options. Your organisation is perfectly at liberty to reject proposed solutions and accept the risk of not having the capability to meet an identified requirement. The proviso, however, is that the risk must be accepted at the appropriate level. Your strategy and capability also need to be communicated internally: where, for example, your recovery capability falls short of your requirements, your internal teams need to reflect this in their BCPs and find workarounds or solutions to minimise the impact.
In summary, either the costs and resources required to fill any identified gaps are accepted or the risks of not closing the gap are accepted at a senior level and are recorded for future review.
Once the BC strategies have been determined, you can then start to develop your BCPs with greater confidence and insight.
In essence, without first determining your strategy, any BC plans you produce will, at best, fail to account for shortfalls between capability and requirements and, at worst, be of little benefit or relevance to your organisation when a crisis or incident occurs.
GET SOME HELP
Achieving the right balance between investment in capability and accepted risk is where URM excels. Our consultancy services come not only with a 100% certification guarantee, but with the assurance that any implemented BCMS will be tailored, appropriate and sustainable. URM’s ISO 22301 consultancy services are also totally flexible: our consultants can provide guidance and knowledge transfer across the full lifecycle or in specific areas such as the business impact analysis, risk assessments, strategies, plans, exercising and embedding business continuity in the organisation.