Scenaris

Business continuity on a limited budget

David Honour asks whether the priority should be given to crisis management or plan development when funds are limited.

In an ideal world, with unlimited funds and resources, business continuity managers would develop well rounded, fully tested, comprehensive business continuity plans, whilst at the same time putting together carefully chosen, regularly exercised, crisis management teams. However, the reality is that for the vast majority of organisations, business continuity management activities are compromised by limited budgets and insufficient time and resources. Therefore some prioritisation must take place. This is the first in a series of Continuity Central articles which will attempt to explore the prioritisation process and the reasons behind the budgetary and resource decisions that business continuity managers make.

Plan development and crisis management are both key areas of business continuity, but where should the priority lie? Where funds and resources are limited, is it better to try to focus on both areas, or should one area be given the lion’s share of resources to the detriment of the other?

In true business continuity style the way to make the decision is to start with a risk assessment:

1) Scenario one: split funds and resources equally between the two areas.
This would mean that both plan development and crisis management could be covered up to a point. However, there is a substantial risk that both areas will be compromised with the result that the business continuity plan is not as good as it could be and neither is the crisis management team. Both could fail to perform well during an invocation.

2) Scenario two: focus funds and resources on plan development.
Here a detailed business impact analysis would be conducted and the major risks identified. Mitigation and recovery strategies would then be determined. This would result in a document that fully details the steps that will be taken to restore the company’s mission critical assets within the required recovery time objectives for the incidents that have been considered. However, since little resource has been put into developing the crisis team there is a strong risk that the plan will not be correctly used and implemented during an incident and that, if a scenario occurs which goes beyond the boundaries of the business continuity plan, there may be panic and confusion rather than strong crisis leadership and rapid decision making. One of the major lessons learned from September 11th was that many companies with well-prepared business continuity plans failed to handle the crisis effectively because the disaster created conditions which were beyond the scope of the plans.

3) Scenario three: focus funds and resources on crisis management.
Here the bulk of the limited resources are used to develop an excellent crisis management capability. A team is selected for its experience; its decision making capabilities; its ability to perform well under severe pressure and to be able to think ‘outside the box’. The team is frequently exercised and is strongly developed using team-building techniques. The advantage in this scenario is that the crisis team can respond to any potential incident and can quickly develop appropriate recovery strategies, even if these had not previously been envisioned. However, there is a strong risk that, because the focus has been on crisis management, rather than on business continuity plan development, the information that is needed to implement the disaster recovery strategies that the crisis team develop might not be available or might take a long time to acquire.

From the above it seems clear that a compromise solution is required. The benefits seem to fall on the side of having a strong crisis management team; but some element of business continuity plan development is necessary to ensure that the team has the necessary information and that the required pre-planned disaster recovery arrangements have been made. This is the MINIMISED PLAN and MAXIMISED TEAM approach:

MINIMISED PLAN
Keep the business continuity plan document to the absolute bare minimum - no complicated procedures and processes, just simple information that the crisis management team can use as the basis for taking action and making decisions.

MAXIMISED TEAM
Build the best team possible with your internal resources and add external resources where necessary to strengthen the team and fill the gaps. Use psychometric testing to help with this process. Train the team and exercise it again and again. Encourage lateral thinking and positive leadership. Ensure that your team can always be quickly contacted and that members know the exact location of primary and secondary Emergency Operations Centres and muster points. Ensure that each team member is backed up by a deputy. The team should be empowered to make all necessary decisions for the company, should include key directors and managers and must have a clear leadership structure.

The above approach requires a particular ‘breed’ of business continuity manager to facilitate it. This person will no longer be primarily a planner but instead will be a ‘people person’. Analytical skills will still be needed but will take second place to team building and training abilities.

Part two

Andrew McCrackan continues our article series by highlighting the ethical dilemma faced by planners when budgets are not enough to mitigate all critical risks.

Many companies that find the funds to initiate comprehensive business continuity management programmes can’t find the funds to finish them in the same way. Conducting risk assessments and BIAs is one thing, but deciding on a strategy that doesn’t break the bank is quite another.

Many companies go through extensive business analysis for the purpose of business continuity only to find that their requirements far outweigh their budget. This is usually when requirements are ‘tempered’ by executive management. This is a nice way of saying they take to your critical business process list with an axe. The results can be less than ideal.

So how does this happen? One would assume that you have determined some baseline, semi-quantitative criteria by which those inputting into the BIA process can gauge what is critical and what is not. It’s more than likely that you have, but the catch is that only one of the assessment areas is financial. Other impact areas such as reputation, health and safety, regulation, operational and so on can be partly quantified in financial terms but there are other aspects which I would hope cannot be assessed in this way. Therefore, what happens when a list of critical processes and associated continuity strategies is delivered out of the BIA process and cannot be justified to the business in financial terms?

This creates somewhat of an ethical dilemma. Say we are dealing with a process that, if stopped, could have an unacceptable safety impact on staff. The cost of ensuring zero downtime for this process could be prohibitive for the business, which gives rise to a possibly equally tangible unacceptable financial impact to the business. This is somewhat of a conundrum. How can we deal with this?

The only ethically correct answer is one that may not be very popular. Safety is paramount, so the required continuity capabilities must be put in place, whatever the cost. This is simply a cost of doing business in a modern (and civilised) world and has to be accounted for in goods and service prices to the organisation’s customers. If the market will not bear these costs then the business is simply not viable as an ethical, going concern. Some will argue that if the business fails then people will be out of work, which clearly impacts them significantly; possibly not as significantly, however, as being injured, or otherwise unavailable!

It’s very common to see results of BIAs presented to executive management only to come back somewhat less complicated than they were delivered. Unfortunately this practice is fraught with danger, not only in the health and safety sense. I was recently asked to manage a BIA for an organisation that had just completed a two-year initiative involving full business continuity management implementation, right down to a technical disaster recovery facility with a price tag in the low millions. Unfortunately the resulting solution, when tested, didn’t work due to fundamental process and technical dependency issues. Management had modified the initial BIA results to give what they described as a ‘pragmatic balance between contingency capabilities and expenditure.’ Two years on they were starting the process again. The solution price tag would be higher this time, but not as high as the price of having to go through the process twice. Factoring for the risk exposure to the organisation over the two-year period for which they had very limited capabilities, the result of going cheap on business continuity could have been devastating.

The message is simple: to be able to implement business continuity management capabilities on a budget will always involve a level of compromise against the requirements as determined by staff. Going against financially driven critical processes can rarely be justified in pure financial terms, so the compromises will mostly fall in other impact areas such as health and safety, where the organisation may have a slightly larger risk appetite. It should be noted that most would perceive an event that has significant health and safety impact as extremely unlikely, and therefore as one on which it is acceptable to take some level of risk position. It is not a flagrant disregard for safety but a belief that such an event is so unlikely that a reasonable person would not expect such a scenario to be addressed. In the year 2004 this is no longer a plausible argument.

Andrew McCrackan is the founder of Continuity Assurance International and author of a Practical Guide to Business Continuity Assurance, Artech House, Boston, 2004.
andrew.mccrackan@continuityassurance.com

 
