Governance, Risk Management, and Compliance blog

Choosing the right business continuity scenarios for your BCP

[fa icon="calendar"] Wednesday, 08 June 2022 / by Jakob Holm Hansen

Our most recent blog post dealt with The three golden rules of a business continuity plan. This time, we continue in the world of business continuity planning and take a closer look at scenarios and strategies.

Let's start with establishing the terminology:

A business continuity scenario is a defined situation to which we may be exposed and which the continuity plan addresses.

A business continuity strategy is a manner in which we choose to handle a given scenario in the business continuity plan.

Many of us find it difficult to fully grasp these concepts, as we often associate the word "strategy" with a more general document describing the company's visions and future plans. In this case, however, it’s about strategies for dealing with fires, system crashes, virus attacks etc. The word strategy is therefore correct, but only in the context of a specific scenario.


Business Continuity Scenarios

How do we choose the scenarios to be addressed by our business continuity plans?
The secret is not making the BCP scenarios too specific, but at the same time making them specific enough to make them useful. If we believe we are able to come up with a complete list of detailed scenarios we may find ourselves experiencing a scenario that we had not anticipated.

So instead of a list of scenarios that look like this:

  • Fire at the data centre 
  • Rainstorm affecting the data centre 
  • Lengthy power outage at the data centre 
  • Data centre vandalism
  • Etc. 

- we have one scenario called:

  • Data centre out of service.


We need to be able to handle a situation in which we cannot use our data centre - regardless of the reason. When doing this, we avoid a great deal of unnecessary text in our business continuity plan (see The three golden rules of business continuity planning) and we indicate that our business continuity plan is able to handle several different situations.


In order to establish which scenarios are to be covered by our continuity plan, a workshop can be held involving selected employees from the organisation. 


As mentioned above, one scenario could be "Data centre out of service". Other examples of scenarios may include:

  • Critical systems out of service
  • Critical virtual server out of service
  • SQL server out of service
  • Extensive virus outbreak
  • Hacker attack 
  • Key supplier goes out of business 
  • Leak of information
  • Etc. 

As you can see, these scenarios differ in the level of detail and the task is now to find the correct level.

Business Continuity Strategies

Once we have established what scenarios our business continuity plan should cover, it is time to figure out what to do when or if the scenarios occur. In other words - defining the business continuity strategies.


We need to describe our strategies before these scenarios occur. Otherwise, we will have to come up with solutions on the fly. Be careful not to rely on "action team" based business continuity. In a crisis situation there is simply too much stress involved for us to be expected to come up with - and carry out - the right solution.


A good approach to describing the strategies is defining the steps to be taken in order to address the given situations. One way of doing this is by holding a workshop like the one mentioned above.

Furthermore, it is important to think through the entire situation:

  • Should a consultant/supplier be involved? 
  • Can we define a subset of data in advance that is especially critical and that must be recovered first? 
  • Remember communication! 
  • Remember testing! 
  • What are the prerequisites for this strategy? 
  • In what order must the systems be started? 
  • Etc. 


Neither should a continuity strategy be too detailed. We need to describe the various activities and the order in which they are to be performed, but we should not describe it right down to the level of every single nut and bolt.
If it is necessary to provide a precise description, for example, of how to restart an application, then this should be found in the disaster recovery procedures or the system documentation.

Once scenarios and strategies are in place, the backbone of our business continuity plan is established. We are now well on our way to writing a sound business continuity plan.

Please share your experience in creating effective, pragmatic and operational business continuity plans in the comments below.

About the Author:
Jacob Holm Hansen is our CEO and advises companies on ISO 27001/-2, IT risk assessments, GDPR, and business continuity planning. 

Emner: business continuity strategy, Business Continuity Planning, Information Security Management, business continuity scenario, ISMS, BCP, disaster recovery

GRC blog

The NorthGRC blog offers advice and knowledge of effective information security management, security strategies, risk management, compliance with information security standards and other requirements, business continuity planning, ISO2700x, EU Data Protection Regulation, PCI DSS, etc.

Popular Posts