organization that had performed specific
analysis planning related to the loss of
transportation or international suppliers
could lessen the impact of the interruption, primarily because they understood
their exposure and had previously identified alternatives.
You may be thinking that this approach
further complicates business continuity
planning by trying to plan for every possible interruption scenario, but it doesn’t.
Luckily, robust business continuity planning streamlines all of this through two
activities that you may (or should) already
perform: risk assessment and response
framework development.
Risk assessment: Organizations and
individual processes are dependent on a
wide variety of unique resources to operate, though the most common include
facilities, equipment, resources, personnel,
information, and information technology
(systems and data). Through the typical
risk assessment and business impact analysis process, organizations should identify
key dependencies and evaluate their likelihood of causing an interruption and impact
if they were to become unavailable. Based
on that evaluation, the highest risk dependencies can be examined further for mitigation opportunities. Some industries, such
as manufacturing, are dependent on suppliers and equipment. Others, such as banking
and finance, are dependent on technology
and personnel. Based on the results of the
risk assessment, the business continuity
professional can facilitate the identification
of the three or four key scenarios (such as
the loss of personnel) that your response
and recovery plans should address.
Response framework development:
Robust business continuity planning
requires detailed strategies for responding to organization-specific interruption
scenarios while maintaining flexibility
that enables the response to Black Swan
Events. The following framework is an
example of how organizations can use one
event recovery plan with resource-specific
strategies to respond to business interruptions. All event responses begin with initial
response procedures and end with ongoing operations procedures. As applicable,
interruption scenarios and their procedures
are activated based on the actual business
interruption. Here’s how it works:
;Initial response procedures:;These
procedures;are;activated;upon;notice;of
a;business;interruption;and;may;include
the;following;steps:;enabling;evacuation,
performing;accountability,;contacting;and
assembling;the;appointed;recovery;team
(such;as;the;crisis;management;team),
activating;additional;recovery;plans;(if
applicable),;assessing;the;situation,;and
executing;the;communications;strategy.
;Interruption scenario procedures
(as;applicable):;These;procedures
(or;combination;of;procedures);are
activated;as;needed;in;response;to
the;interruption;and;may;include;the
following;steps:;conduct;a;damage
assessment,;evaluate;business;impact,
notify;personnel,;evaluate;resource
needs,;implement;alternate;procedures,
prepare;alternate;space,;test;recovered
technologies,;and;perform;crisis
communication;activities.
;Ongoing operations procedures:
These;procedures;are;executed;when;the
business;interruption;or;external;event
has;subsided;and;there;is;no;longer;a
need;to;continue;the;resource-specific
recovery;strategy.;It;may;include;the
following;steps:;begin;normal;operations,
update;key;stakeholders,;deactivate
recovery;plans,;and;prepare;for;return;to
normal;work;locations.
