Archive for Recovery Strategies

The Job of the Business Continuity Planner

Many professionals that I talk to seem to think that the Business Continuity Planner’s job is to ensure their company can recover from business interruption events.  Now, this may just be an argument in semantics or me simply splitting hairs, but I don’t quite see it that way.

In my way of thinking, the Business Continuity Planner’s job is to make sure that management is informed of risks, potential impacts resulting from those risks and the costs/benefits of options available to mitigate or respond to those risks, so that management can make informed and intelligent decisions about what mitigation and recovery strategies to invest in.  And, when those decisions are made, the Business Continuity Planner is responsible for helping manage and coordinate the implementation and testing of those solutions.  But, it is senior management’s job to ensure that the company can recover from business interruption events.

In my mind, the worst thing that can happen to a Business Continuity Planner is not that the company cannot recover from an incident, but that senior management is justified in saying, “But no one told me that this risk existed and these implications could occur”.  If the Business Continuity Planner can show that the risks were identified, the impacts made clear and viable solutions presented that management chose not to invest in, then the Business Continuity Planner has done his/her job.

We cannot force management to invest in business continuity or disaster recovery solutions, but we can let them know, with no uncertainty, what is potentially at risk should they not invest in, or under-invest in, business continuity and disaster recovery solutions.  Our jobs are to ensure that there are no surprises about what might occur and what the impacts might be should a business interruption event occur.

Prior to management making decisions to invest in solutions, the Business Continuity Planner’s job is to gather information, research risks and solutions, perform cost/benefits analysis and communicate our findings to the proper decision makers.  We are often research analysts and salespeople.  And, it is a difficult sale to make – asking management to invest capital from a limited available cache in our programs as opposed to other programs being pitched by other department managers.

The risks we must inform management about go beyond the risk of disasters; they also include the risk of being out of compliance with laws, contracts and industry standards.  And, we must be brutally honest about our abilities to respond and recover.  We do this by realistically conducting exercises and tests and reporting back the findings without a bias towards success.

Our jobs are to set expectations consistent with the risk environment and solutions in place today.  It is senior management’s job to decide what risks are acceptable and how much to invest in improving our solutions.  If they do not have all of the right information to make that decision, it is then that we have failed in our jobs.

Recovery Options Evaluation Criteria

When assessing recovery options for both technology and workarea, we recommend creating an options comparison chart with the following evaluation criteria:

  • Costs  (1x, Recurring, ATOD)
  • Accessibility
  • Testability
  • Scalability
  • Flexibility
  • Compatibility
  • Lead Time to Implement
  • Proximity
  • Shared Risks
  • Solution Complexity
  • Burden of Obsolescence
  • Ability to Meet Recovery Objectives

These criteria can be evaluated and scored with a relative value, such as High, Neutral, Low or a tailored value for each criterion, such as Most Complex, Neutral, Least Complex, etc.

Simply as an example, the final “scorecard” might look something like this:

| Evaluation Criteria | Internal Recovery Solution | Hosted Recovery Solution | Recovery Service Vendor |
|---|---|---|---|
| Costs: One Time Costs | $5.0 mil | $500k | Minimal |
| Costs: Recurring Costs | Minimal | $5k/mo | $5k/mo |
| Costs: At-Time-Of-Use Costs | Minimal | Minimal | $15k + $2k/day |
| Accessibility | Very Accessible | Mostly Accessible | Limited Accessibility |
| Testability | Easy to Test | Moderate | Must be Scheduled |
| Scalability | Limited | Moderate | Very Scalable |
| Flexibility | Limited | Moderate | Very Flexible |
| Compatibility | Very Compatible | Very Compatible | Somewhat Compatible |
| Lead Time to Implement | Long | Moderate | Short |
| Proximity | Nearby | Options | Options |
| Shared Risks | Some | Few | Few |
| Solution Complexity | Moderate | Moderate | Complex |
| Burden of Obsolescence | On Our Company | On Our Company | On Recovery Vendor |
| Ability to Meet Recovery Objectives | Fully | Fully | Mostly |
| Security | Secured | Somewhat Secured | Somewhat Secured |
| Availability at time of Need | Total | Total | At Risk |
| Facility Management Requirement | Internal | External | External |

Each value may bear further explanation and justification, but the summary is nice to display in a side-by-side comparison format.

If you want a more detailed explanation of any of the Evaluation Criteria or want to suggest others to include in a full analysis, please feel free to share your thoughts by entering a comment.