Determining the scope of your business continuity planning effort, or what event you will plan to recover from, is a key activity that frames the entire business continuity program. Some organizations choose to plan for each likely threat that could occur, such as a fire or a labor strike, with specific response procedures for each. Other organizations choose to plan for the most severe threat, such as a fire that destroys an entire building. The problem with both of these planning assumptions is that neither of these organizations is likely to have a plan for the incident that occurs. It is incorrect to assume that the most severe threat will occur, and it is equally incorrect to assume that the specific threats you plan for will occur. To make the correct assumptions in defining your planning scope, your scope needs to be broader, focusing on the impact and preparing for the worst.
The first place to start in determining this broader scope is understanding the difference between a threat and an impact. Threats, or more broadly, risks, are typically assessed at the beginning of a business continuity planning effort and essentially are the causes of a crisis or business interruption. Threats include natural threats such as hurricanes or disease, man-made threats such as arson, IT threats such as a virus, and supply chain threats such as the loss of a single-sourced provider. This assessment is important because it determines what risks are most likely to occur; however, your assumptions should not be driven solely by this part of the assessment.
A risk assessment should go one step further and determine what impacts could occur from the most likely risks. For example, if a hurricane is likely to occur at your facility, the impact would be the unavailability of your facility. Determining what these key impacts are and how severely they would affect you (the characteristics of the effect) helps bring in the other half of the information needed to determine the appropriate planning assumptions.
By putting together the most likely risks with the most severe impacts, you will be able to determine key impact and key crisis event characteristics. For example, the facility in the hurricane zone would plan not for a hurricane itself, but for the impacts from a hurricane, such as the unavailability of the public infrastructure, including roads, power and water, as well as IT infrastructure, facilities and potentially the people who evacuated in advance of the storm. By planning for these impacts, the organization prepares for all risks that would impact the availability of critical services and resources, thus preparing for many risks while ensuring that its most likely risks are covered.
Summarizing the Analysis
As a method of summarizing this perspective, the following table outlines an example of the relationship between threats, impacts and planning assumptions, and may assist you in organizing the outcome of your analysis.
|Threat||Potential Impact & Event Characteristics||Key Impacts||Planning Assumptions|
|Facility Fire||Loss of facility. Loss of personnel. Loss of physical data/files. Loss of IT hardware/services. Inability to use telephone infrastructure. Loss of product. Loss of equipment.||Inability to use facility, IT services, telephone services, and equipment, as well as anything contained within (to include people if they were injured or killed).||Unavailability of facility, including the building itself, the IT services, the telephone infrastructure and the equipment housed within it. X% of people are affected and unable to resume normal business functions.|
|Electrical Outage||Inability to use facility. Loss of IT services. Inability to use telephone infrastructure. Inability to use equipment.|
|Large Winter Storm||Inability to travel to facility. Loss of IT services (due to power outage). Inability to use telephone infrastructure (due to power outage). Inability to use equipment. Inability to use physical data/files. Inability to ship/receive.|