Our most recent blog post dealt with The three golden rules of a business continuity plan. This time, we continue in the world of business continuity planning and take a closer look at scenarios and strategies.
Let's start with establishing the terminology:
Many of us find it difficult to fully grasp these concepts, as we often associate the word "strategy" with a more general document describing the company's visions and future plans. In this case, however, it's about strategies for dealing with fires, system crashes, virus attacks, etc. The word strategy is therefore correct, but only in the context of a specific scenario.
How do we choose the scenarios to be addressed by our business continuity plans?
The secret is to avoid making the BCP scenarios too specific, while still making them specific enough to be useful. If we believe we are able to come up with a complete list of detailed scenarios, we may find ourselves experiencing a scenario that we had not anticipated.
So instead of a list of scenarios that look like this:
- we have one scenario called:
We need to be able to handle a situation in which we cannot use our data centre, regardless of the reason. By doing this, we avoid a great deal of unnecessary text in our business continuity plan and we indicate that our business continuity plan is able to handle several different situations.
In order to establish which scenarios are to be covered by our continuity plan, a workshop can be held involving selected employees from the organisation.
As mentioned above, one scenario could be "Data centre out of service". Other examples of scenarios may include:
As you can see, these scenarios differ in their level of detail, and the task is now to find the correct level.
Once we have established what scenarios our business continuity plan should cover, it is time to figure out what to do when or if the scenarios occur. In other words, it is time to define the business continuity strategies.
We need to describe our strategies before these scenarios occur. Otherwise, we will have to come up with solutions on the fly. Be careful not to rely on "action team" based business continuity. In a crisis situation there is simply too much stress involved for us to be expected to come up with, and carry out, the right solution.
A good approach to describing the strategies is defining the steps to be taken in order to address the given situations. One way of doing this is by holding a workshop like the one mentioned above.
Furthermore, it is important to think through the entire situation:
A continuity strategy should not be too detailed either. We need to describe the various activities and the order in which they are to be performed, but we should not describe them right down to the level of every single nut and bolt.
If it is necessary to provide a precise description, for example, of how to restart an application, then this should be found in the disaster recovery procedures or the system documentation.
Once scenarios and strategies are in place, the backbone of our business continuity plan is established. We are now well on our way to writing a sound business continuity plan.