Business Continuity Planning: Requirements to design a recovery strategy

In Part 11 of our Business Continuity Planning series, we discussed some of the key aspects of building a recovery strategy, such as disaster categorization and classification. In this article, we will discuss what you should consider when designing your recovery strategy.

Key processes and priorities

The report that your organization prepares at the end of the Business Impact Analysis is the centerpiece around which the recovery strategy is built. A well-assembled report provides you with a list of critical processes and their associated priority levels for restoration during and after a disaster. In the report, you will have already placed heavy emphasis on identifying the most essential processes. In the recovery strategy phase your organization can now look at processes that are less crucial, but still nonetheless should be restored relatively quickly. Based on your capacity, you can exclude processes that are categorized as very low risk.

Your business impact analysis (BIA) report, along with its resource requirements and dependencies, will provide you with the context you need to select a recovery site where you can  run the key business processes until your business is fully restored. Additionally, your BIA will help you coordinate business recovery operations with the Information Technology, Cybersecurity and the Business functions, during the aftermath of a disaster.

Sub plans

As we discussed in our article about program planning, the business continuity plan is an overarching plan that should consist of several sub plans like your crisis management plan, communications plan, disaster recovery plan and cybersecurity response plan. Except for the communications plan, the rest of them can be activated on their own for smaller incidents. The communications plan will always be in conjunction with other sub plans and the BCP itself.

Hence, it is important to define the disaster classifications and ensure all these sub plans are in alignment, so that your business recovery strategy can be orchestrated at the right time and in the right order.  As long as your sub plans are well designed, you will find there are scenarios where  invoking your IT Disaster Recovery Plan or Crisis Management Plan will be sufficient and you won't have to invoke your entire Business Continuity Plan. 

For example, each sub plan will likely need to be executed by different types of teams — we call this  organization structure. By implementing the appropriate organization structure for each plan, you will be able to make sure that only the necessary people are called upon. For example, you may determine in your plan for low risk technology disasters that only the IT team needs to be directly tasked with restoration and that no central management will be needed. However, when facing a disaster that is classified medium or high, we recommend the recovery is directed by the BCP teams. In that scenario, your BCP’s organization structure should override the structure in your sub plans. In most cases, the Core team of your BCP’s organization structure will be the directors or senior management. 

Similarly, the communications plan should have enough consideration to be used by the other individual plans, or the BCP when required. Such integrations must be identified, defined and communicated to the respective teams, to avoid confusion during the aftermath of a disaster.

Risk assessment report

Your risk assessment report serves as  another valuable input, when designing a recovery strategy. As you will recall from Part 7 of our BCP series risk assessments help you identify and mitigate the various risks associated with your operations. These same risks will inform the practicality of your recovery process and to identify any gaps.

For example, let’s say your company has postponed replacing parts of your data centre, for the past two years due to a financial crunch. As such, during your risk assessment you determined that your data centre was at risk for potential failure. You then determine that mitigation of this issue will take six months and there will be procurement and configuration processes involved. Knowing all this, as part of the IT Disaster Recovery plan, you also create measures to handle unexpected hardware failure.  

Our goal is to document the business recovery based on our current environment, even if they are full of risks. 

Stakeholders

Your stakeholders also play a key role in  designing the organization structure that will direct the business recovery. Having members of your organizational leadership team as part of your business continuity team will enable you to make decisions quickly. If an incident is identified and the initial investigations lead to recommendations to leave your organization’s building and activate the business continuity, then some of the directors and executives should be involved in providing oversight for the recovery operations. Members of your organizational leadership team (directors or the executives — depending on your organization) being part of the business continuity team will enable you to make the decision making process quick. In the same vein though, it’s a good idea to have alternative leadership team members that can be called upon when the primary appointed leaders aren’t available. 

Another group of specific stakeholders you should identify is the team responsible for managing and keeping the BCP updated during its lifetime. Some organizations retain a dedicated manager or a chief continuity officer to manage the business continuity operations of the organizations. However, in most organizations, the responsibility to manage the business continuity operations lies with the enterprise risk management team or crisis management team, as an additional responsibility.

If your organization has not identified the individual or team that is responsible for the maintenance and operation of the BCP, take it to the program committee and have roles cleared up, before moving forward with defining the recovery strategy.

Health of your manual processes

During the BIA, your organization should identify manual processes that can help you to continue the critical operations. It is important to know the reliability of such processes, especially for a longer period of time. Some processes such as payroll, could be executed manually for more than a month. However, other processes such as manually validating the health of a physical asset (especially for the production or manufacturing plants) is not feasible for more than a few days at the most.

Making these distinctions in the feasibility of each of your manual processes will help you prioritize appropriately, even in cases where several processes are equally important. .

Physical locations

When responding to disasters, you will be much better insulated from the resulting hazards, if you have more than one physical location where your organization operates. Ideally these locations should be far apart from each other to minimize the chances that both could be compromised by threats like terroism or tsunamis (among other disasters that would cause denial of access to office buildings). Generally, already having a second location that can be used as a recovery site will be cheaper (and more convenient) than trying to find a new building to rent and operate in on short notice (and until the disaster is dealt with). 

If you don’t have a second location, depending on your strategy, you will have to lease a location that suits your needs. Regardless, you need to have a minimum set of requirements for the recovery site in terms of seating capacity, equipment and other resources. When you start defining your business recovery strategy (which we’ll outline in  the next part of this series), you will have better clarity on these requirements or whether you even need one.

Conclusion

In order to properly define and plan your organization’s recovery strategy, there are several things you should consider. Generally some of the key inputs for your plan will be your BIA and risk assessment reports, your organization structures for yoru BCP and sub plans, the health of your manual processes  and careful analysis of how well your physical location(s) are insulated from disasters.