This week I have been doing a lot of thinking about BIAs, so I thought I would write this week’s bulletin on a strategy I think is missing from the Business Continuity Institutes “Good Practice Guidelines” (GPG).
At present according to the GPG there are seven strategies you can use to plan your recovery. These are:
1. Diverse Sites – the activity is carried out at two sites
2. Replication – this may be a third party site or the organisation’s own site and the staff move and work at the new site
3. Standby – This is an internal or external site which needs to have some work to be done before it is ready for staff to move and work at this site. Work area recovery provided by companies such as Daisy, Onyx or SunGard are examples of this.
4. Subcontract – this is where the activity affected by the incident, is carried out by a third party
5. Insurance – using insurance to cover any losses
6. List (Posts Incident Acquisition) this is where you have a list or specification, and you acquire the required asset after the incident
7. Do nothing - this is where there is a long RTO, and you do nothing until after the incident
These strategies are fine as they go, although I think they are a little out of date. There is no mention of working from home which, with evolution in IT, this is available to a lot more staff now, then it was when the GPG was written in 2013.
There is one situation which is not covered by these strategies where it is very difficult, or impossible, to shift the activity and carry out elsewhere. A few examples of this are:
1. In defence manufacturing, the licence to produce a particular product is linked to a particular geographical location and usually a designated building. It is unlikely that you would find the required manufacturing equipment at another site and the process would not be licensed to be built elsewhere even if the site was suitable. If you had a factory which made the same product in a different country, then your licence would probably not allow you to do it elsewhere.
2. In cement manufacturing, refining and chemical manufacturers the production is done in huge very expensive sites, and you try and run your sites at 100% capacity. If you are lucky enough to have another plant in the same area it may have no spare capacity to make up for an incident at your plant.
3. Companies which own and run data centres, if they have an incident, they cannot move their customers servers, and data, elsewhere.
4. Where there are large expensive bits of equipment such as CAT scanners in hospitals, although there may be others in the country it may be very difficult for patients to go to another location. This is the same for organisations which have unique, bespoke or very expensive equipment. It is very difficult for them to move their process elsewhere, or to shoulder the cost of a standby.
In all these cases this is a very limited scope to move their operation elsewhere, so the existing seven BCI’s strategies don't really work for them.
I have suggested to the BCI that there should be an eighth strategy called 'increased Resilience'. The organisation recognises the importance of the item, but sees decreasing the likelihood of having incidents taking place as their only option at carrying out the operation as moving the operation elsewhere is not viable.
Increased resilience could come in different forms. These could include:
1. Carrying a stock of strategic spares
2. Have the engineers on site with the skills to repair any damage or breakdown
3. Installing sprinklers or fire suppression equipment
4. Installing a standby generator
5. Insuring any network connectivity or utilities into site are duelled
6. Operate the equipment to reduce the likelihood of an incident occurring
7. Maintain the equipment to a very high standard
8. Duplicate key items within a site
I think a lot of organisations are already using their strategy as part of common sense risk management and not even thinking that they are carrying out a Business Continuity strategy. I have asked for this to be in the new GPG so we will see if it is accepted by the BCI.