Business continuity management involves three distinct but complementary approaches:
- Resilience arrangements aim to maintain essential/critical information services despite incidents if at all possible, at a reduced, fallback or emergency service level at least;
- Disaster recovery arrangements to recover and restore services that have failed for whatever reason (including failed or overwhelmed resilience);
- Contingency arrangements to help the organization cope with whatever situations turn up unexpectedly (including failures in the other approaches, plus other novel incidents and crises, unfortunate coincidences and extreme/outlier risks involving Little Green Men From Mars).
Resilience is often neglected or misunderstood, yet it’s a valuable
approach with benefits under normal operational conditions as well as during
and following major incidents. Plenty of capacity generally means good performance, for instance. Assurance is another advantage: it is feasible
to test various failure scenarios on a setup that has been professionally engineered
for resilience, with low risk and little if any impact on production services –
“professionally engineered” being key of course. Low risk is not zero risk … but surely
that’s better than not being able to test at all for fear of failure!
DR is conventional. I'll leave it there.
Contingency is another valuable concept that revolves around the people more than the technology. When
faced with a major incident, crisis or disaster, will your organization fall
apart or pull together? Under extreme
stress, do workers give up, dejectedly, or knuckle down and get creative? Over-reliance on specific individuals in critical
roles is a warning sign (obvious in hindsight but not too hard to spot in
advance), whereas if workers are multi-skilled, broadly competent and willing
to step up to any challenge, the organization is more likely to get through
tricky situations. The same thing applies
to over-reliance on key suppliers, partners and customers, networks, systems,
data, cloud services or whatever. Knowing when reliance has become over-reliance is yet another assurance issue.
Generally speaking, it's good to have alternatives or options. If the organization has little choice, the things it relies so heavily upon had
better be highly resilient and well-engineered just in case, touching on all three business
continuity approaches. There’s also a
clear link to risk management, governance and assurance.
Business continuity management rocks!