Strategic Choices are important. You have a Business Impact Analysis (BIA). You have a Risk Analysis (RA). Is now already the time to create a Business Continuity Plan (BCP)? The short answer is “no.” Based on the BIA and the RA, one makes the strategic choices. These are decisions of principle by management to indicate the direction in which they want to see solutions worked on. This is not without consequences, and often comes at a cost. | In this post, I offer my own opinion, not that of any organization. |
Take your time and make basic considerations
Taking time to review the options for different strategies ensures that
- You see the advantages and disadvantages of the usual measures.
- Choose well-founded, robust and well-considered measures.
- You can choose the best cost-benefit tools and measures tailored to your situation.
Also consider the following when making choices:
- Personnel safety is top priority.
- Talk to the people on the crisis management team (CMT) and crisis communications team (CCT) and don’t decide without considering their opinions.
- Have strategic choices ratified by the highest in rank.
Also consider the impact, not the events. Group a number of events together to create more flexible plans. For example, fire, flood, bomb threats, anthrax letters may trigger a “lack of building access.” Then you can use it in whole or in part in multiple situations, or even in combination with other scenarios.
But what exactly are strategic choices? What can one choose?
What are the strategic choices
For each problem situation in your BIA and RA, you have to make a decision what to do about it. De facto, there are six possible strategies:
- Do nothing
- Get insurance
- Move the process via outsourcing
- Reduce risk
- Create a BCP
- A combination of some of the above options
Each of the five basic options has advantages and disadvantages. I provide some of them here:
Basic option | benefits | cons |
do nothing – accept the risk and the possibility of the process grinding to a halt | cheapeasy | process can stopbreach of trust, damage to reputation |
take insurance | relatively easythe money can offset | process has no immediate go-aroundcan be expensivebreach of trust, damage to reputation |
move the process via outsourcing | places the risk and liability on another person | process is not protected if a risk occurs to that other person |
Reduce risk – take measures that act on probability and impact | can be cost-effective and cost-efficientmay favor other responsibilities | can be expensivemay require people and resources |
create a BCP – take steps to perform the process elsewhere or in a different way | continuity in a flexible manner | may require new / different measures. |
The final decision is a weighing of costs versus benefits, versus the cost of doing nothing. And this decision, fortunately, you don’t have to make alone. Ultimately, you have to consult those people whose subject matter is in their daily area of expertise. The cost is not always financial. It can be money, but also lives, trust, reputation, loss of suppliers, loss of opportunities….
What do you need to make strategic choices for?
The strategies resulting from the BIA and RA may involve: (non-exhaustive list)
- People
- Everyone should know that personnel safety comes first. Everyone should know what to do and where to get their instructions Job rotation so you can take over from a colleague
- …
- Land and buildings
- Recovery locations internal to the organization or external
- Telework
- Use of competitor
- Disaster recovery site available
- …
- Suppliers
- Provide a reserve stock
- Demand continuity from your supplier
- Can he easily deliver at an alternate location?
- Get to know his peers
- …
- Information
- Ensure confidentiality, integrity and availability of data. Consider media other than digital.
- …
- Technology
- Handle the fail-safe principle
- Provide fail-over at machines
- Align machine RTOs with maintenance SLAs.
- Make sure backups do not suffer from the same threat.
- Ensure remote access.
- …
- Reputation
- Provide effective and efficient communication to all parties, and manage them.
- …
- …
Some examples of strategic measures:
Strategic option | Description strategic option |
BCP | Plans to determine what to do during outages of these processes/businesses. This also includes emergency communications. |
Cold Site | This is a site that is available and suitable to take over ICT, typically the server room, but she needs time to switch to among other things because of yet to start up. |
Data Backups Location | This is where data backups are kept. It is segregated from the data storage location. Make sure that a threat to the primary data is not easily a threat to the backups. |
Hot Site | This is a site that is ready and waiting for use by ICT at any time of day or night. Switching to this site can be done immediately and is basically seamless. |
Multiple Sites | Having more than one location/site is sometimes a geographically advantageous business. The key here is to organize the sites so that they can take over each other’s overload or tasks as needed. |
Reciprocal arrangements | These are agreements where two processes or activities/organizations agree to exchange resources according to needs and what is possible, if one of them is in a situation where it is needed. Both parties agree to reduce or shut down their activities. This when the other party’s processes have been damaged or interrupted, with the aim of providing the necessary resources. |
Recovery location | This is a location intended and designed as a place where a specific process is restarted. This can be in-house or within the perimeter of another organization. |
Telecommuting | Providing the opportunity for employees to work at a location other than the office. Often this is home-based work. |
SLAs | Agreements that determine how long a (contracted) party must perform a service, and to what specifications. |
Supply chain resilience | Knowing alternative vendors for all necessary hardware, software and services. |
Technology failover | Have systems that can take over each other’s tasks if a threat takes out one of them. |
Warehoused stock | Store products and components offsite to ensure their supply if the main location is affected by a threat. |
Warm site | A site that is ready for use but requires some minor routine actions to make it a hot site. This can mean setting up equipment and relocating resources to this site in a very short time. |
Inventory | Map all processes and critical infrastructure and equipment and create manuals as needed. |