This article provides an overview of Professional Practice 4 (PP4) – Design, which is the professional practice that “identifies and selects appropriate strategies and tactics to determine how continuity and recovery from disruption will be achieved”. Strategy design activities are essential to translate outputs gathered during the analysis phase into actionable strategies that the organization can implement and refine over time to improve the ability to respond and recover from a disruption.
PP4 outlines three primary areas that should be considered in the strategy design process, including the design of continuity and recovery strategies and tactics, threat mitigation measures, and an incident response structure. Let’s take a closer look at each.
- Continuity and Recovery Strategies and Tactics. Strategy and tactical design activities are undertaken to address continuity-related risks identified during the analysis phase and to facilitate the recovery of a product, service, process, activity, or resource. The GPGs recommend identifying strategies at various levels within an organization, in a similar manner to the recommended approach for conducting business impact analyses (BIAs). Strategy identification includes development at the strategic, tactical, and operational levels. These distinctions can be somewhat artificial, and the GPGs account for this by dividing the recommended approaches into high-level recovery strategies (designed to continue delivery of products and services) and tactics (designed to recover resource requirements).
- Threat Mitigation Measures. Whereas continuity and recovery strategies are prioritized and designed based on product, service, or process, threat (risk) mitigation targets specific threats or events. The goal of threat mitigation efforts is to identify controls that reduce the likelihood or impact of a specific threat. In some cases, threat mitigation processes may fall outside the direct jurisdiction of business continuity and include mitigation measures requiring the involvement of other subject matter experts.
- An Incident Response Structure. Establishing an incident response structure involves chartering the right teams and creating response frameworks to ensure that an organization can respond to and recover from a disruption. PP4 notes the purpose of designing an incident response structure is to “ensure that there is a documented and fully understood mechanism for responding to an incident that has the potential to cause disruption to the organization.” There can be value in setting up response teams at each of the levels in an organization (strategic, tactical, and operational), and PP4 highlights that it will be up to the organization to design a structure and framework that is most relevant.
By addressing each of these areas, PP4 assumes that an organization will have sufficient processes and strategies in place to enable plan documentation and additional activities in the implementation phase (PP5). The combination of outputs from PP4 and PP5 would allow for a sufficient response and recovery following an incident.
The challenge in designing any business continuity strategy, threat mitigation measure, or response structure is ensuring that it is tailored to the organization. “One size fits all” solutions don’t exist. Because of this reality, ISO 22301 is purposefully vague, stating that organizations need to determine and select strategies and establish resource requirements without providing detail regarding what those strategies may look like. PP4 recognizes this reality as well; however, PP4 documents high-level strategies, tactics, and guidance that can be applied to individual organizations. Let’s explore some of the most significant benefits:
Identifies Strategic and Tactical Approaches to Reduce Business Continuity Risk
Since a continuity plan is only as good as the strategy it reflects, it is essential that organizations focus on strategy design activities. Strategy design involves understanding the requirements gathered during the BIA and risk assessment and effectively translating them into actionable strategies. Furthermore, practitioners need to consider the costs/benefits of any proposed strategy. PP4 adds value to this process by providing practitioners with a starting point for identifying high-level strategies, including:
To supplement high-level strategies, PP4 further outlines tactical considerations that need to be considered for a high-level strategy to be effective, including:
To be the most effective, practitioners need to select an appropriate strategy based on recovery requirements and then evaluate it against any tactical considerations to ensure that the strategy will be effective.
Identifies Controls to Minimize Threat-Specific Risk
PP4 provides value in documenting the process that can be used to identify specific threat controls and proactive measures to reduce the likelihood or impact of a specific event. This activity supplements a threat analysis (if undertaken) during the analysis stage. An organization would use the analysis to determine the most relevant threats and work with subject matter experts to develop additional controls. The controls identification process will likely require a cost/benefit analysis to determine whether the cost of implementing a control is justified by the level of risk that would be remediated and the potential costs to the organization if the risk were left unmitigated. Examples of controls might include information security enhancements, fire suppression systems, etc.
Facilitates the Design of Organizationally Relevant Incident Response Structures
In order to use business continuity strategies and provide command and control following a disruption, organizations need to establish some type of incident response structure. ISO 22301 (section 8.4.2) and PP4 both contain similar guidance in setting up an incident response structure. Where PP4 adds additional value is in documenting considerations that the practitioner should evaluate during the design process. Neither source states what the teams should look like or the types of individuals that should be on the team; however, PP4 does provide guidance regarding the roles and responsibilities for the response structure as a whole. This means that any teams created as part of this process should be able to:
- Mobilize [response and recovery] teams
- Activate plans
- Invoke resources
- Communicate to interested parties
- Communicate to the media
- Account for staff welfare
- Escalate activities
- Provide command and control
- Set limits on expenditures and delegation
- Account for changing priorities based on the situation
By designing continuity and recovery strategies and tactics, threat mitigation measures, and an appropriate incident response structure, an organization will be ready to implement the solutions as documented in business continuity and recovery plans.
PP4 CASE STUDY
Company X is an up-and-coming private sector organization that provides security monitoring services for homeowners. They recently established a business continuity and IT disaster recovery program and have completed the analysis stage by conducting a BIA and risk assessment. Throughout this process, they identified a handful of critical services at the strategic level, the most time-sensitive of which is the ability to provide home monitoring and notify authorities in the event of a break-in at a customer location. At the tactical/operational level, the organization then identified a variety of resources required to continue the delivery of this critical service, including a call center (event monitoring center), IT infrastructure (including a phone system), call center staff, and a variety of systems required to connect to customer alarms and reach out to local authorities. Company X has a Crisis Management Team (CMT) in place but does not have any other formal response teams.
Due to very strict contractual agreements in customer contracts, the potential for legal liabilities, and potential impacts to customer safety, the Home Monitoring Service is assigned a maximum tolerable period of disruption of 30 minutes. The associated RTO is only 15 minutes, making response and recovery very challenging. Furthermore, during a threat analysis, they noted that power and telecommunications outages represent the highest level of risk. Using the information in PP4 as a starting point, the organization begins the strategy design process:
Based on an initial strategy analysis, the practitioner poses two potential solutions to management: diversifying or using a contracted provider to provide call center and response capabilities following a disruption. The practitioner notes that replication may be an acceptable strategy if management is willing to accept additional risk; however, management indicates that it would fall outside their risk tolerance. Management requests that the practitioner pursue the diversification strategy and identify a potential secondary location that provides redundancy and high availability.
Using the tactical criteria in PP4 and guidance from management, the practitioner evaluates available options:
Company X decides that it must rework its incident response structure to accommodate the new strategy. Company X previously had a CMT in place but now decides that it will need additional response entities to handle the new site. Company X decides to create department recovery teams to monitor tactical/operational recovery activities for the event monitoring centers at both the primary and secondary locations, in addition to teams for other departments involved in the response and recovery process, such as IT and facilities. Using PP4 as a starting point, the practitioner designed strategies and a response structure suitable to the organization.
Documenting the process to translate requirements from the analysis phase into concrete strategies is an essential activity for business continuity professionals. PP4 provides examples of high-level strategies and tactics that can serve as a starting point for practitioners and as a roadmap for working through the process.
If you’d like to discuss the GPGs, or aligning to ISO 22301 or pursuing certification, please reach out to us. We look forward to hearing from you!
- The BCI’s Good Practice Guidelines
- ISO 22301: 2012
- Implementing ISO 22301: The Business Continuity Management Systems Standard
- Introduction: BCI Good Practice Guidelines Series
- The Need to Establish Business Continuity Governance: An Overview of BCI Professional Practice 1
- The Importance of Embedding Business Continuity: An Overview of BCI Professional Practice 2
- Guide To Business Impact Analysis
- Business Continuity Implementation: An Overview of BCI Professional Practice 5
- Business Continuity Program Validation: An Overview of BCI Professional Practice 6