Following a business impact analysis (BIA) and risk assessment, best practices indicate that an organization should identify business continuity strategies that allow the organization to treat risks and recover business activities in accordance with management-approved requirements. This seems like a simple task on paper; however, in practice, many organizations struggle to do this, and instead jump straight to documenting business continuity plans. In doing so, these plans fail to include the resources and strategies already in place, or the organization fails to acknowledge and address coverage gaps. This leads to a lost opportunity to identify new risk treatments or recovery strategies, ultimately resulting in plans with no real capability to respond and recover.
Following the BIA and risk assessment, in order to set the organization up for a successful strategy identification effort, business continuity professionals should perform a gap analysis to understand:
- How the organization’s existing response and recovery capabilities compare to the requirements from the BIA
- Which risks require treatment in accordance with management’s risk appetite or tolerance
Answering these questions will allow the organization to focus its limited resources on the right gaps.
The Gap Analysis
Response and Recovery Capabilities
One of the primary outcomes from the BIA process is the identification of recovery priorities, objectives, and targets (which includes, but is not limited to, recovery time objectives and recovery point objectives, or RTOs and RPOs). Once the organization’s top management approves these requirements, the organization should seek to understand its current response and recovery capabilities in terms of time, capacity, and quality, and then identify what gaps exist between requirements and these capabilities. As a starting point, consider answering the following questions:
- People: Can we recover minimum staffing levels by or before our business activity’s RTO?
- Facilities and Equipment: Can we recover minimum staffing levels to an alternate facility with necessary equipment by or before our business activity’s RTO?
- IT Applications: Can we recover our IT systems within management-approved RTOs and RPOs?
- Suppliers: Can our critical suppliers recover their operations by the time we need their products or services?
Let’s take a look at two more thorough examples:
The most straightforward gap analysis to perform is likely between IT application recovery objectives and recovery capabilities. If IT Application X has a disaster recovery strategy that includes nightly tape backups and third-party shared infrastructure, it is likely that the actual RTO/RPO would be approximately 72/24 hours, respectively. Now, compare that existing recovery capability to the requirements from the BIA. If the management-approved RTO/RPO is 24/24 hours, then there is a gap in the recovery time requirements, and, during the strategy identification effort, the organization must perform the cost/benefit analysis for lowering the RTO from 72 to 24 hours.
Tip: be sure to identify and consider actual system capabilities, as not every system may be recoverable due to infrastructure, application interdependencies, or network limitations!
A more complicated gap analysis to perform may be between business recovery requirements and capabilities. If Business Activity X (say a manufacturing activity) has a business continuity strategy to fail over manufacturing operations to another already operational manufacturing facility that manufactures the same product, it is likely that the actual RTO would be less than 24 hours. However, the alternate manufacturing facility is approximately half the primary facility’s size and does not have the same quality controls as the primary facility. If the results of the BIA indicate that Business Activity X has a management-approved RTO of 24 hours, with product output quality and capacity at 100% at RTO, then there is still a gap between recovery requirements and capabilities. Now, during the strategy identification effort, the organization must determine how to recover the business activity within quantity and quality requirements.
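The two examples above compare a capability against a requirement along several dimensions, not just time. The following script is an added illustration (not Avalution’s own tooling) that encodes that comparison; the 20-hour failover time, 50% capacity and 80% quality figures for the alternate plant are assumed values standing in for "less than 24 hours", "half the size" and "not the same quality controls".

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Profile:
    """Recovery profile, used both for a BIA requirement and for a current capability."""
    rto_hours: float
    rpo_hours: Optional[float] = None  # None: no data-loss objective (e.g. a manual activity)
    capacity: float = 1.0              # fraction of normal output required/available at RTO
    quality: float = 1.0               # fraction of normal quality controls required/in place at RTO


def gap_analysis(required: Profile, actual: Profile) -> list:
    """Return one record per dimension where the capability falls short of the requirement."""
    gaps = []
    # Time objectives: a gap exists when recovery takes longer than management approved.
    if actual.rto_hours > required.rto_hours:
        gaps.append({"dimension": "RTO", "required": required.rto_hours, "actual": actual.rto_hours})
    if required.rpo_hours is not None and (actual.rpo_hours is None or actual.rpo_hours > required.rpo_hours):
        gaps.append({"dimension": "RPO", "required": required.rpo_hours, "actual": actual.rpo_hours})
    # Quantity and quality at RTO: a fast failover that delivers half the output is still a gap.
    for dim in ("capacity", "quality"):
        if getattr(actual, dim) < getattr(required, dim):
            gaps.append({"dimension": dim, "required": getattr(required, dim), "actual": getattr(actual, dim)})
    return gaps


def run_gap_analysis(register: dict) -> dict:
    """Map each activity/application name to the list of dimensions with a gap."""
    return {name: [g["dimension"] for g in gap_analysis(req, cap)] for name, (req, cap) in register.items()}


# Constructed inputs mirroring the two examples in the text: (requirement, capability).
IT_APP_X = (Profile(rto_hours=24, rpo_hours=24), Profile(rto_hours=72, rpo_hours=24))
# Assumed figures for the alternate plant: 20h failover, 50% capacity, 80% quality controls.
ACTIVITY_X = (Profile(rto_hours=24), Profile(rto_hours=20, capacity=0.5, quality=0.8))
REGISTER = {"IT Application X": IT_APP_X, "Business Activity X": ACTIVITY_X}

if __name__ == "__main__":
    for name, (req, cap) in REGISTER.items():
        for g in gap_analysis(req, cap):
            print(f"{name}: {g['dimension']} gap (required {g['required']}, actual {g['actual']})")
```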
In addition to the gap analysis between recovery requirements and capabilities, the organization should understand which risks (identified during the risk assessment) exceed management’s risk tolerance by asking the following questions:
1. Based on the results of the risk assessment, which risks associated with the loss of that activity or resource exceed the organization’s risk appetite due to a lack of response and recovery planning or control measures?
2. For the risks identified in #1, what are the risk treatment opportunities available to the organization to bring the risk below the organization’s risk appetite?
When the organization faces resource constraints, this comparison shows how the risks rank against each other, so the organization can determine which risk treatments to prioritize during the strategy identification effort.
Conclusions and Next Steps
Once the organization understands its recovery and risk gaps as inputs into strategy identification, it can then focus its efforts on the high-priority gaps that require identification of closure options, along with a cost/benefit analysis for each option*. These steps set up the organization for a successful business continuity and disaster recovery plan development effort, as well as investment in the right business continuity and disaster recovery strategies.
*Note: Avalution acknowledges that this perspective begs the question “ok, so how do you perform an effective strategy identification effort?” Avalution is currently working on developing that perspective, so check back soon!
Business continuity and IT disaster recovery planning is all that we do. If you’re looking for assistance with your business impact analysis and risk assessment, we can help! Please contact us today to discuss your unique needs.
Avalution Consulting: Business Continuity Consulting