Design - Introduction
Design is the Professional Practice within the business continuity management lifecycle that identifies and selects appropriate solutions to determine how continuity can be achieved in the event of an incident.
The Analysis stage identifies the business continuity requirements and the Design stage determines the solutions that should then be implemented to best achieve these requirements.
At this stage in the business continuity management lifecycle, the business continuity professional should design solutions that enable the organisation to respond to an incident, and continue to provide its prioritised activities.
Designing Business Continuity Solutions - About
Designing solutions for how an organisation is going to continue operating following a disruption is based on the business continuity requirements identified in the Business Impact Analysis (BIA), and the outcomes from the risk and threat assessment.
Designing Business Continuity Solutions - General Principles
The business continuity requirements and the outcomes of the risk and threat assessment are reviewed and appropriate business continuity solutions designed.
Once the solutions are designed, top management should agree the most appropriate solutions, and projects should be initiated to implement these solutions.
Price versus performance, and cost versus benefit are often used to guide top management when agreeing the most appropriate solutions.
Designing Business Continuity Solutions - Process
The solution design process should include the following steps:
- Identify and document the organisation’s existing continuity capability (if this has not yet been done).
- Identify suitable solutions that enable each RTO, RPO and MBCO to be achieved. This may include:
- Identifying new solutions that close the gap and meet the business continuity requirements.
- Reviewing the existing continuity solutions to evaluate whether the most appropriate and cost-effective solutions are in place. This may involve a reduction in capability if the current capability is greater than the business requirement.
- Adjust the solutions to accommodate a phased level of recovery, as required. This may be driven by the MBCO requirements.
- Analyse the solutions for effectiveness and cost. High-level approximate costs may be used at this point to support decision making.
- Provide top management with an evaluation of the range of solutions and obtain management approval on those selected.
- Consolidate the selected solutions by resource type.
Consolidation requires the following steps:
- Combine the continuity requirements from the selected solutions.
- Review the requirements for the selected solutions to check that they:
- Are consistent across the organisation.
- Do not conflict with one another or with corporate policies.
- Are achievable.
- Review the requirements for the selected solutions to:
- Identify opportunities for optimising resources.
- Identify opportunities for improving the procurement of resources and the logistics for their delivery during a disruption.
- Provide top management with an evaluation of the consolidated requirements and budgetary requirements for procurement.
- Obtain agreement from top management to provide the financial and resource provisions for the implementation of the agreed solutions.
- Establish the projects required to implement the agreed solutions.
Designing Business Continuity Solutions - Outcomes
The main outcomes from designing business continuity solutions are:
- A consolidated set of resource requirements to be used when purchasing resources.
- A set of business continuity solutions which are agreed by top management.
- A business continuity capability, based on the agreed solutions that should be used when developing and implementing plans.
- Sufficient information and clarity of solutions to establish projects with appropriate funding and resources for implementing the agreed solutions.
Risk & Threat Mitigation Measures - About
Mitigation measures should be identified and implemented to reduce the impact of a disruption to the organisation’s prioritised activities.
The business continuity professional should collaborate with risk, physical security, and information security professionals to develop and implement mitigation measures as appropriate.
Organisational resilience can be increased when related management disciplines are coordinated, not only within the organisation but with suppliers and other interested parties.
Risk & Threat Mitigation Measures - General Principles
Measures selected should be targeted at unacceptable levels of risk, any single points of failure (SPOF), and the main threats to the organisation’s prioritised activities.
All of these are identified in the Analysis stage of the business continuity management lifecycle.
Interested parties’ expectations and contractual arrangements with suppliers should be considered when determining the most appropriate measures.
The responsibility for meeting the organisation’s business continuity requirements remains with the organisation regardless of any risk or threat identified in the supply chain.
Risk & Threat Mitigation Measures - Process
The key steps when evaluating risk and threat mitigation measures are:
Review the output from the BIA and the risk and threat assessment to identify unacceptable levels of risk, SPOFs and threats to the organisation’s prioritised activities.
Identify any measures that can be taken to reduce the likelihood or impact of a disruption to the organisation’s prioritised activities.
Determine which risks and threats can be mitigated by having a business continuity plan in place.
Analyse the mitigation measures for effectiveness and cost.
Obtain agreement and sign off from top management for the recommended mitigation measures, including acceptance of any identified risks and confirmation that financial and resource provisions will be available.
Establish and implement projects for each of the agreed mitigation measures.
Risk & Threat Mitigation Measures - Outcomes
The main outcomes when designing risk and threat mitigation measures are projects for implementing the agreed measures to reduce the likelihood or impact of a disruption to the organisation’s prioritised activities.
