The time has come for business continuity to evolve beyond the idea of “all hazards” planning and deal directly with the core causes of business interruptions. This article details an approach that takes everything you loved about all hazards planning and enhances it with detailed procedures focused on the resources that your organization cares about most.
Evolution of Business Continuity
Before we analyze the value of all hazards planning, it’s important to step back and look at how we got here. Business continuity originated as disaster recovery as organizations became increasingly dependent on computer systems. The fear of computer unavailability not only spurred the rise of hot sites but also IT disaster recovery plans that focused on the recovery of systems, networks, applications, and data.
Beginning in the 1990s, organizations realized that recovering critical technology was useless if they lacked the facilities and personnel needed to operate the technology. This new thinking led to recovery planning for facilities that detailed response tactics for a wide variety of threats such as tornados, fires, and floods.
The new millennium, encouraged by the events of Sept. 11, 2001, introduced a new chapter of business continuity planning. Organizations realized that they couldn’t possibly plan for every potential way in which their business could be interrupted (such as planes flying into buildings). Instead, a new approach emerged that focused primarily on the worst case scenario: all hazards planning.
All Hazards Planning
By definition, “all hazards” planning refers to a basic framework for responding to a wide variety of events. Based on this “one size fits all” definition, you may be thinking that it’s the perfect solution for your business continuity needs. However, before you begin drafting the plan, it’s important to look at all hazards planning objectively in order to determine the value it provides organizations. (The table above outlines some of the advantages and disadvantages of all hazards planning.)
There’s no denying that preparedness efforts of any type (including all hazards planning) add value to organizations. For those with limited funding or resources, all hazards planning provides a response framework that can guide general communication and collaboration in the event of a disruptive event. However, as many organizations attempt to implement all hazards plans, they often create strategies and documentation that are either too ambiguous or focused exclusively on facility loss (the perceived worst-case event). As such, all hazards planning often provides a false sense of security due to the lack of sufficient details and strategies that would normally allow an organization to respond and recover from a range of interruption scenarios.
Robust Business Continuity Planning
Recent events such as the H1N1 pandemic (personnel loss) and the hacker attack on T.J. Maxx (data breach) demonstrated the need for robust business continuity planning. Why? Both not only represent higher-likelihood events that could have a significant impact on an organization’s operational, financial, and reputational well-being, but also would meet the plan activation criteria defined by most organizations. So, what’s the problem? Organizations utilizing only an all-hazards planning approach would lack the specific details and strategies necessary to successfully recover from complex interruptions like these, since each requires its own distinct response approach.
But what about surprise events such as the eruption of Eyjafjallajökull in Iceland? This type of event is commonly referred to as a “Black Swan Event” because it has three specific attributes. First, the event is a surprise. Second, the event has a major impact. Third, after the fact, the event is rationalized by hindsight, as if it had been expected. The volcanic eruption unexpectedly produced an amount of ash so large that it crippled European air transportation. A general all-hazards plan would have enabled key organizational decision-makers to gather quickly. However, they would soon have found that they needed deeper analysis of potential solutions before action could be taken. Alternatively, an organization that had performed specific analysis and planning related to the loss of transportation or international suppliers could lessen the impact of the interruption, primarily because it understood its exposure and had previously identified alternatives.
You may be thinking that this approach further complicates business continuity planning by trying to plan for every possible interruption scenario, but it doesn’t. Luckily, robust business continuity planning streamlines all of this through two activities that you may (or should) already perform: risk assessment and response framework development.
Risk assessment: Organizations and individual processes are dependent on a wide variety of unique resources to operate, though the most common include facilities, equipment, resources, personnel, information, and information technology (systems and data). Through the typical risk assessment and business impact analysis process, organizations should identify key dependencies and evaluate their likelihood of causing an interruption and impact if they were to become unavailable. Based on that evaluation, the highest risk dependencies can be examined further for mitigation opportunities. Some industries, such as manufacturing, are dependent on suppliers and equipment. Others, such as banking and finance, are dependent on technology and personnel. Based on the results of the risk assessment, the business continuity professional can facilitate the identification of the three or four key scenarios (such as the loss of personnel) that your response and recovery plans should address.
Response framework development: Robust business continuity planning requires detailed strategies for responding to organization-specific interruption scenarios while maintaining flexibility that enables the response to Black Swan Events. The following framework is an example of how organizations can use one event recovery plan with resource-specific strategies to respond to business interruptions. All event responses begin with initial response procedures and end with ongoing operations procedures. As applicable, interruption scenarios and their procedures are activated based on the actual business interruption. Here’s how it works:
- Initial response procedures: These procedures are activated upon notice of a business interruption and may include the following steps: enabling evacuation, performing accountability, contacting and assembling the appointed recovery team (such as the crisis management team), activating additional recovery plans (if applicable), assessing the situation, and executing the communications strategy.
- Interruption scenario procedures (as applicable): These procedures (or combination of procedures) are activated as needed in response to the interruption and may include the following steps: conduct a damage assessment, evaluate business impact, notify personnel, evaluate resource needs, implement alternate procedures, prepare alternate space, test recovered technologies, and perform crisis communication activities.
- Ongoing operations procedures: These procedures are executed when the business interruption or external event has subsided and there is no longer a need to continue the resource-specific recovery strategy. They may include the following steps: begin normal operations, update key stakeholders, deactivate recovery plans, and prepare for return to normal work locations.
Robust Planning in Action
To further clarify the flexibility and need for robust business continuity planning, let’s take a look at how a mortgage company would respond to two different interruptions:
Data breach: The organization’s business continuity program, in conjunction with enterprise risk management, identified data breach as a key risk. As such, a data breach response strategy was created and later activated upon notification of the breach. Luckily for the organization, the plan included steps specific to data breach that were not included in a previous all-hazards plan or in the initial response strategy. Due to governmental regulations surrounding a data breach, and the complexity of the necessary response, the plan outlined the required notification process, the timeline for contacting customers (45 days), contact information for legal counsel, and contracts with third-party providers such as public relations firms and printing companies. With the average cost of a lost record at $202 ($139 of which is lost business), the organization’s data breach response strategy lessened the opportunity for even greater financial hardship by avoiding regulatory fines and penalties.
Technology loss: The organization outsourced all of its information technology needs (servers, file storage, hosting, etc.) to a company that guaranteed 99.99 percent uptime. Unfortunately, a magnitude 8.5 earthquake hit the technology provider and disabled its data center for four days. While the mortgage company did not have an information technology recovery plan, it referred to the initial response strategy which provided general information on situation assessment and communication in order to jump-start an ad-hoc recovery of information technology. It also summarized alternate processes and manual workarounds (where available and practical) in order to enable some operations during the disruption.
The evolution of business continuity continues today with the death of all hazards planning. We now know that general procedures have their place in planning, but an organization’s most impactful interruption scenarios demand deeper analysis and planning before an event occurs. Robust business continuity planning provides organizations with strategies that are flexible yet custom-tailored to their unique business risks. While some planning is better than no planning at all, organizations that avoid the “one size fits all” approach and implement robust business continuity planning will achieve greater organizational resiliency and improved recoverability.
Christopher Burton, AMBCI, is a consultant at Avalution Consulting and focuses on operational risk and business continuity management in both public and private sectors. He is a frequent author and member of the Business Continuity Institute and Contingency Planners of Ohio. Burton may be contacted at firstname.lastname@example.org.