can provide businesses with immediate
operations while waiting for management
to implement more stabilizing recovery
actions. The process may not be highly
efficient and will be labor intensive but
the customers will appreciate efforts to
maintain some level of business. The survival phase requires business owners and
employees to implement interim processing strategies.
Suspension of business operations is a
low-cost strategy. The business owner does
not try to reopen business until all technology and resources are available. The total
cost of suspending operations is more than
cash flow; business reputation may suffer
By KEN SCHROEDER
At therisk ofbeing branded a heretic, there are times when we in the business continuity profession get in the way and become our own worst enemy. To see what I mean, look at a typical small busi- ness – say 50 employees
or less. On top of this struggling enterprise
layer the business continuity tools, steps,
and procedures we insist must be there for
any successful program:
u Risk assessment
u Planning strategies
u Gap analysis
u Business continuity lifecycle
24 DISASTER RECOVERY JOURNAL FALL 2009
as customers seek out alternative sources.
The size of the disruption will affect the
availability of external resources and
recovery time. A short planned suspension of operations may become a permanent closer of the business. Small business
owners may forgo suspending operations
by considering other options.
Many small business owners have
grown businesses from simple manual
operations to technology-enhanced operations. Implementing alternative operating
methods using manual systems is a cost-effective option to remain open. This option
is labor intensive and requires management
to train employees on the alternative opera-
Let’s take a couple of minutes and
apply some old-fashioned common sense
to the issue.
First of all, in a typical small enterprise,
business continuity probably evolves from
a short blurb in a planning meeting where
someone says, “Well, shouldn’t we have
a business continuity plan?” following
which, everyone nods and delegates the
task to some unsuspecting underling in
their three person IT shop, and then move
on to the next topic. Right or wrong, it
happens, and we have to live with the reality of it.
Our stalwart, dedicated hero picks up
the latest copy of DRJ, reads some article
that applies second order differential equations to a risk assessment model, throws
up his hand in disgust, makes sure that IT
makes backup tapes, and calls it a day.
What advice can we in the industry
give our friend to make his job easier? I
think we can really put some clarity in the
process by asking, “What does he really
need to know to get started?” Here’s my
My mantra is: “Business continuity
planning is simple!” When all is said and
done, you only have to consider two lists
List 1: Risk Assessment Process
1. What threats face us?
2. What risks do those threats impose on us?
3. What can we do to minimize (or eliminate)
tions. The operations may not be as fast as
using technology and may cause customer
irritation. Other small businesses have a
high technology infrastructure that would
not allow for either suspension or alternative methods for continuous operations.
The most costly option for businesses is maintaining redundant capability. Businesses depending on computer
processing consider off-site backups and
redundant services and equipment as the
primary means for recovery. The majority
of small businesses will not have financial
resources to maintain redundant systems
as a feasible solution for possible disruptions. Very small businesses may consider
List 2: The Planning Process: Ensure backups for:
1. People (Who backs up whom?)
2. Places (Where can they work if we lose our
3. Process (How can they operate if the primary
process is unavailable?)
Is this an oversimplification?
Absolutely. But that’s the point.
As your grandfather admonished
you, “Always remember the KISS (keep
it simple, stupid) principle!” A typical
small business doesn’t have the assets,
resources, or time to throw at the business
continuity problem the way larger companies demand, but that doesn’t mean it’s
hopeless. My two lists of three are a great
The first list covers the threat/risk
assessment portion of planning. Our hero
doesn’t need to struggle with all the differentiation he reads about.
(Why, for example, does he need a separate entry for blizzard and ice storm; or,
to note the difference between a disgruntled employee and a disgruntled customer,
when “someone going postal” might suffice?)
Keep it simple. Focus on the risk, not
the threat: Computer systems go down!
Work interruption occurs! The building
incurs damage! Staff are unavailable!
The mitigations are the same, regardless of the threat that imposes the risk.
In fact, what advantage is there in listing