“Tactics without strategy is the noise before defeat.” ~ Sun Tzu
Part 4 in a series.
To this point, we have collected and reported our Business Impact Analysis (BIA) data. Sadly, for many organizations this is where the process stops. But actually, this is where it gets good! Now, we actually get to use the data for something meaningful. BIA data is the backbone of your Business Continuity Management program, and it allows you to define strategies for technology based disaster recovery, business continuity and even crisis management. The problem with this blog is – given it’s limited space (it’s a blog not a book) – it is very difficult to articulate how valuable the data is. Let me provide a high-level overview.
In your BIA, you asked each department to identify what systems they use, how quickly they would need them recovered and how much data they could afford to lose. You compiled that information, vetted it with IT and the business leaders and together, you have come up with an agreed-upon list of critical systems. In other words, you defined the requirements of the Disaster Recovery Program. Once you have the information compiled, you should conduct a disaster recovery gap analysis to determine the overall status of your recoverability against the requirements defined by the business. You can then develop your strategy based the gaps and the overall requirements. It is important to look at the big picture and build a strategy that will allow the solutions to be executed so that ALL RTOs are met. Let me emphasize that: The end goal is to make sure that your solutions recover all in scope systems within the desired time frame. I can’t tell you what the strategy should be. That will depend on your individual requirements, budget, gaps and technology. I can offer this advice however: Protect your most critical systems first. By ‘critical’ I don’t necessarily mean systems with the shortest RTO. Look at the business functions that use each system and determine if they work manually and what the impact is if that function can’t continue. All of this is gathered in the BIA and helps to establish the recovery priority and defining what your recovery strategy will be.
Architect the business continuity strategy based on the information that you have collected. Take into consideration the criticality of the business functions, staff size, what vital resources they need in order to function, their overall interdependencies with other departments, customers and external companies. An obvious key here is if they are customer facing or not. I did a BIA for a major airline which demonstrated that while their financial services team could work virtually from anywhere, the gate and baggage teams obviously could not. (It’s hard to load bags on a plane when you’re working from home). There are several options for where to send staff if your facility is unavailable including dedicated end-user space, trailers that can be brought to your facility or having your staff work from home. The trend is to have people work from home – but this comes with a warning. I am hearing (more and more) people say that they will ‘just work from home’ like there is no planning involved. They figure that – what the heck – they work from home once a week, so if it works for one or two people, it HAS TO work for everyone. What’s the big deal? The big deal is that having a handful of people working from home while the core business is still functioning in the office is completely different than having the entire staff working remotely. There are technical issues – VPN capacity, use of company issued vs. personal laptops, security, interaction with customers and more. Also consider the fact that not everyone is suited to work from home. They may not have the space or temperament to work effectively for an extended period. To build this strategy you need to look at the big picture and identify what makes sense across the entire organization. I have a client of 225 people, of whom a very high percentage interact with customers on a daily basis. They also have a very high interdependency on each other. Working from home isn’t a viable option for them. Based on their size, we found a service provider who will supply trailers to their facility and most of their staff will work there. For larger organizations, finding dedicated space can be very expensive – hence the working from home option. The difficulty comes for retail companies who need a point of sale. This is problematic and a topic for another day.
Looking at a snapshot of your BIA data, your leadership team will have a clear understanding of your organization’s priorities. But in the midst of the crisis you can (and should) use impact and priority data to help drive specific decisions. In a situation where there are limited resources the leaders will likely have to make a critical business decision. Understanding critical time frames, impact of downtime and defined downtime limitations can help make these decisions a little easier. In this situation, the strategy that you’re defining is how to best use the information you’ve collected to support these ad-hoc and fast-paced decisions. I’ll get into this more in the next installment.
In the first installment, I referred to BIA data as a treasure trove. This high-level overview provides a glimpse into how that data becomes valuable in the actual building of your business continuity program. This is more ‘common sense’ than ‘rocket science’, but you know what they say – common sense isn’t all that common.
Next time: Priority and Impact