The Evolution of Business Continuity
This year we have witnessed numerous incidents, from natural disasters to man-made ones. As I bore witness to all of them, I couldn't help but think about where the Business Continuity Management (BCM) program first started and where it is headed. Are BC professionals distinguishing perceived threats from reality in order to find the best methods for program improvement?
Fourteen years ago, when I began my career in Business Continuity (BC), planning was focused on the "worst case scenario," the "hole in the ground." Departments were instructed to provide quantitative and qualitative impacts under the assumption that the primary work location was completely inaccessible for a minimum of six months. Disaster Recovery (DR) programs were embedded within the organization, and though business representatives were asked to participate in DR testing, the bridge between BC and DR had yet to be established.
The most advanced BC programs focused on the completion of policy deliverables: checking the box to ensure that Business Impact Analyses (BIAs), plans and required testing were successfully completed. The compliance/audit department was content, and BC practitioners were patted on the back for the governance and implementation of a succinct program.
With the occurrence of incidents that didn't fit the "hole in the ground" scenario (e.g., adverse weather, electrical and technology outages), practitioners realized that more practical, scenario-based plans needed to be developed. BIA questionnaires began to examine application workarounds and required the business to identify and understand its reliance on technology to continue serving its clients. Scenario-based planning opened the door to a more qualitative examination of the plan components, rather than a check-the-box program. Practitioners began to examine the feasibility of their recovery strategies. For example, a fire in the primary location has rendered the site inaccessible for 24 hours. A critical process conducted at the site has a recovery time objective (RTO) of 1 hour, and employees are directed to recover at an alternate location 2 hours away. The old version of BC would have considered the plan complete: after all, the RTO is identified, an alternate location is secured and employees are aware of their responsibilities. However, how can the business ensure it can meet a 1-hour RTO if it takes 2 hours to arrive at the back-up location?
These qualitative examinations quickly began to identify gaps and risks that had previously gone unnoticed. Practitioners went back to the business once again with the intent of identifying gaps and risks. The only way to do this was to identify the most likely scenarios and plan against them. Coming up with a list of probable scenarios was not difficult, but are all scenarios applicable? Businesses located in California will not plan for snow storms any more than businesses in New York will plan for tornadoes. Practitioners realized the importance of understanding their territories and associated risks; thus began the relationship between BC practitioners and Security professionals.
Scenario-based plans proved practical and increased the quality of the data contained within the plans. However, can one really plan for every scenario? Does it matter why the primary location is not accessible, or does it only matter that it is not?
Scenario-based planning is no longer a feasible or practical approach to effective BC planning. Regardless of the incident type, firms should primarily be concerned with the manner in which the incident impacts operations. Is the facility accessible and available? Are critical technology and applications accessible? Are employees available and capable of working?
During Hurricane Sandy (2012), sites in impacted cities were not accessible, public transportation was suspended and utility resources were limited. The impact wasn't limited to one dimension or the other; for many companies it was a combination of impacts. Sites were inaccessible, and employees were unable to work remotely or commute to an alternate location. Companies with scenario-based plans were unable to locate recovery procedures that fit the "perfect storm" scenario and found themselves struggling to develop ad hoc recovery strategies, while companies that had developed impact-based plans were able to adjust their response and recovery efforts to address multiple impacts.
Scenario-based plans are limited and do not provide the wiggle room necessary to respond to several impacts at once. Impact-based planning permits a company to develop strategies that allow for effective and timely recovery in line with its RTOs and maximum tolerable downtimes (MTDs). The future of BCM does not lie in a 60-page plan with detailed actions for every probable incident, but in effective, actionable plans that target impact and risk.
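To make the argument concrete, here is an added toy model (not from the original article) that contrasts a scenario-based plan, a fixed lookup keyed by incident name, with an impact-based plan that composes strategies from the three impact questions above and checks each choice against the RTO. The strategies, lead times and the "fire" and "Sandy-like" impact sets are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set

# The three impact dimensions the article asks about.
FACILITY, TECHNOLOGY, PEOPLE = "facility", "technology", "people"


@dataclass(frozen=True)
class Strategy:
    name: str
    covers: FrozenSet[str]   # impacts this strategy compensates for
    needs: FrozenSet[str]    # dimensions that must be intact for it to work
    lead_time_h: float       # hours until the critical process is running again


# Constructed strategies with illustrative lead times.
REMOTE = Strategy("work from home", frozenset({FACILITY}), frozenset({TECHNOLOGY, PEOPLE}), 0.5)
RELOCATE = Strategy("relocate to alternate site 2h away", frozenset({FACILITY}), frozenset({PEOPLE}), 2.0)
DR_SITE = Strategy("fail over to DR data centre", frozenset({TECHNOLOGY}), frozenset(), 0.5)
TRANSFER = Strategy("transfer work to unaffected region", frozenset({FACILITY, TECHNOLOGY, PEOPLE}), frozenset(), 1.0)
STRATEGIES = [REMOTE, RELOCATE, DR_SITE, TRANSFER]

# Scenario-based plan: procedures exist only for incidents someone named in advance.
SCENARIO_PLAN: Dict[str, List[Strategy]] = {"fire": [RELOCATE], "power outage": [DR_SITE]}


def scenario_response(incident: str) -> Optional[List[Strategy]]:
    """Returns None for any incident that was never written up as a scenario."""
    return SCENARIO_PLAN.get(incident)


def impact_response(impacts: Set[str]) -> Optional[List[Strategy]]:
    """For each observed impact, pick the fastest strategy whose own prerequisites
    are not also impacted; return None if some impact cannot be covered at all."""
    chosen: List[Strategy] = []
    for impact in sorted(impacts):
        if any(impact in s.covers for s in chosen):
            continue  # already covered by a strategy picked for another impact
        usable = [s for s in STRATEGIES if impact in s.covers and not (s.needs & impacts)]
        if not usable:
            return None
        chosen.append(min(usable, key=lambda s: s.lead_time_h))
    return chosen


def meets_rto(strategies: List[Strategy], rto_h: float) -> bool:
    """Recovery is only as fast as the slowest strategy being executed."""
    return max(s.lead_time_h for s in strategies) <= rto_h


if __name__ == "__main__":
    # Fire at the primary site, 1-hour RTO: the scenario plan relocates (2h) and misses the RTO.
    print("fire via scenario plan meets RTO:", meets_rto(scenario_response("fire"), 1.0))
    print("fire via impact plan:", [s.name for s in impact_response({FACILITY})])
    # Sandy-like combination: no scenario matches, but impacts can still be covered.
    print("hurricane via scenario plan:", scenario_response("hurricane"))
    print("hurricane via impact plan:", [s.name for s in impact_response({FACILITY, PEOPLE})])
```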