In trying to accomplish these, we need to have a model of the organization in the same way a military commander requires maps and various icons to plan battle tactics and strategies. This model should not only depict the services (products) that we are trying to protect and recover, but also the departments and resources that produce those services (products).
Organizations all have the same basic structure. There is a focus or reason for the existence of the organization: the production of a service or product. Some organizations align their department structure around the service (product), most don’t. By including all departments within an organization, all the components of the services (products) of the organization are captured by default.
Why do we want to make this distinction and work-around for capturing services (products lines)? The reason is that information along department lines is generally more available. Department heads and personnel know more about how their department’s work and what resources are required to make them functional than they do about all the components that go into producing a product or service offering. Therefore, using a model of the organization as represented by the “Business Continuity Planning Cube,” we can protect and recover the organization’s service offerings (products) by focusing on the recovery/protection of the organization’s departments.
Each department we examine will have one or several core processes. The department receives an input from somewhere, does something to transform that input, and delivers a product/service to a customer. The entire process is the supply chain. In business continuity planning we are responsible for protection and recovery of the entire chain.
If you examine the “process” component of the supply chain, you will note that it can be broken down into the resources categories that are required to transform the input into the final product or service that is supplied to the customer. Those resources can be further broken down into resource items. The “Process Supply Chain” diagram on the adjacent page depicts the way a department is defined by the resource items that it takes to make it productive:
Process Supply Chain
When we look at all the categories (and they can be broken down much finer than represented here) in the diagram all of the vendors and topics at the Disaster Recovery Journal conferences that, to the first-time attendee, looks like chaos, start to fit together because they are addressing unique components of the entire chain.
When information on all departments is gathered and recorded, the resulting information can be assembled in a “resource item matrix”:
The resource item matrix is one of the most critical schedules in the recovery plan. If the matrix is developed correctly, when all items listed for a particular department are made available, the department should again be productive.
The above representation of a resource item matrix depicts major categories or resources. In actual practice, each category such as staff, IT, etc. is broken down into its many components. IT, for instance, would have resource items such as PCs, servers, software, cabling, storage units, etc.
During the BIA process, the number of items required for production will be determined and entered for each department for each resource item. The result will be several pages of inventory that can be used to assess damage and to rebuild damaged components of the production process.
The plan recovery procedures revolve around restoring the items listed on this matrix. Additionally, the RTOs attached to the resource items become the target parameter in strategy determination for recovering and protecting all the organization’s critical resources.
As you can see from this drilling down from the general to specifics, the “Business Continuity Planning Cube” can be an effective tool in maintaining an overall consistency and focus in your plan-writing efforts.
Jim Barnes, CRP, MBCI, is CEO and founder of Barnes Continuity Planners, Inc. He has spent 16 years in business continuity planning and is the author of “A Guide to Business Continuity Planning,” the best selling book in the category for the last two years on Amazon.com. His most recent work is titled, “Business Continuity Planning and HIPAA.” Barnes also co-authored “E-Commerce Security – Business Continuity Planning: A Technical Reference Guide.”