BCLE 2000C PG 04 Jan2019

BCLE 2000
Lesson 4: Business Continuity

Strategies
Canadian Participant’s Guide

This four-day course has been developed by
DRI International and DRI Canada to provide a
comprehensive understanding of The Professional
Practices for Business Continuity Management and
their proper application within a business continuity
program. It is designed for the business continuity
professional with less than two-years’ experience.
© 2019 DRI International & DRI Canada. All rights reserved.

© 2019 DRI International & DRI Canada. All rights reserved.
BCLE 2000: Canadian Participant’s Guide Lesson 4: Business Continuity Strategies
The Professional Practices for Business Continuity Management

1. Program Initiation and Management
2. Risk Assessment
3. Business Impact Analysis
4. Business Continuity Strategies
5. Incident Response
6. Plan Development and Implementation
7. Awareness and Training Programs
8. Business Continuity Plan Exercise, Assessment, and Maintenance
9. Crisis Communications
10. Coordination with External Agencies
Professional Practice Four: Business Continuity Strategies

Objectives
Select cost-effective strategies to reduce deficiencies as identified during the risk assessment and business
impact analysis (BIA) processes.
Professional’s Role
1. Utilize the data collected during the risk assessment and BIA processes to identify the available continuity
and recovery strategies for the entity’s operations that will meet the RTO and RPO as defined in the BIA
2. Utilize the data collected during the risk assessment and BIA to identify the available continuity and
recovery strategies for the entity’s technology that will meet the RTO and RPO as defined in the BIA
3. Identify supply chain issues, for both suppliers and customers, from the BIA that may affect the selection
of a recovery strategy
4. Consolidate strategies where appropriate to reduce costs and/or complexity
5. Assess the cost of implementing identified strategies through a cost/benefit analysis
6. Recommend strategies and obtain approval to implement
3
1. Identify Available Continuity and Recovery Strategies

Utilize the data collected during the risk assessment and BIA processes to identify the available continuity and
recovery strategies for the entity’s operations that will meet both the RTO and RPO requirements as defined in
the BIA:
1.1 Review the recovery requirements identified for each of the entity’s operational areas
1.2 Identify alternative business continuity strategies
1.2.1 Develop manual workaround procedures
1.2.2 Develop reciprocal agreements
1.2.3 Identify internal dual-usage space that could be equipped to support recovery, such as
conference rooms, training rooms, or cafeterias
1.2.4 Identify an external alternate site
1.2.5 Contract third party service providers / outsourcers
1.2.6 Transfer workload to a surviving site
1.2.7 Transfer staff and workload to a surviving site
1.2.8 Suspend operations that are not time-sensitive and transfer people/workload to surviving site
(displacement)
1.2.9 Build a dedicated alternate site
1.2.10 Direct impacted personnel to work from home
1.2.11 Consider that the manufacturing environments have specific needs
1.2.12 Develop vital hard-copy records and work-in-process recovery strategies
1.2.13 Review alternate site options (site location, availability, suitability, etc.)
1.3 Assess viability of alternative strategies against the results of business impact analysis, recovery time
objectives, and recovery point objectives
1.4 Review any existing insurance coverage, which may include:
Business interruption (BI) insurance
Contingent business interruption (CBI) insurance
Extra expense insurance
1.5 Develop a preliminary cost/benefit analysis for the selected strategies
2. Identify Alternative Technology Continuity and Recovery Options

Identify the available continuity and recovery strategies for the entity’s technology that will meet the RTO and
RPO as defined in the BIA:
2.1 Review the recovery requirements identified for the entity’s technology
2.2 Identify alternative technology recovery strategies
2.2.1 Develop manual workaround procedures
2.2.2 Implement active/active technology environment through a dual data center (continuous
availability)
2.2.3 Implement active/passive technology environment for high availability of time sensitive technology
4
2.2.4 Contract third party service providers / outsourcers (e.g., hot site, cloud computing)
2.2.5 Outsource the entire technology environment through a strategy such as cloud computing
2.2.6 Identify site where recovery would occur but build-out only HVAC, electrical and some technology
(warm site)
2.2.7 Identify site where recovery would occur but build-out only at time of disaster (cold site)
2.2.8 Identify strategies for recovery of data in electronic form that meets RPO requirements
2.2.9 Review alternate site options (site location, availability, suitability, etc.)
2.3 Assess Viability of Alternative Strategies Against the BIA

Compare internal and external solutions
 Ability to meet defined RTO and RPO
 Advantages
 Disadvantages
 Costs (preparation, maintenance and execution)
 Mitigation capability and control options
2.4 Develop a Preliminary Cost Benefit Analysis

A process (after a BIA and risk assessment) that facilitates the financial assessment of different strategic
business continuity options and balances the cost of each option against the perceived savings.
3. Address Supply Chain Issues Affecting Recovery Strategies

3.1 Identify any delivery issues that may arise from the relocation to another site
3.2 Ensure that the effect on the entity’s operation and processes is minimal in the case of a supplier event
3.3 Identify any issues that may occur with the delivery of product to a customer in the event of an
interruption to their operation
4. Review and Consolidate Strategies

Identify areas in which the same recovery strategy could be used to meet the requirements for multiple areas of
operations:
• Consolidate strategies where appropriate to reduce costs and/or complexity
• Assess the cost of implementing identified strategies through a cost/benefit analysis (next page)
• Recommend strategies and obtain approval to implement (next page) Notes:
5
5. Strategy Cost Benefit Analysis

5.1 Estimate the cost of implementing and maintaining recovery for the identified recovery strategies
5.2 Validate that the recovery strategy being implemented is commensurate with the impacted operational
area
5.2.1. Consider financial, regulatory, and additional factors that could affect recovery.
5.2.2. Ensure the recovery solution is in line with recovery objectives.
5.2.3 Ensure the cost of recovery is in line with the value of what is to be recovered
The relationship of strategy cost to recovery window is: ______________________________
6. Recommend Strategies and Obtain Approval

• Set a realistic timeframe for the implementation of the recovery strategies
• Present specific recommendations for approval
• Document conclusions
Group Activity: Continuity/Recovery Strategies

Describe at least two continuity/recovery strategies that your entity uses:
1.
2.
6
Business Continuity Philosophies

Two approaches:
Recovery Protection
Continuity Protection
7
Important Strategies to Consider for Business Continuity

An overall continuity strategy for business operations might include the following:
• Reciprocal agreements
• Internal alternate site in dual usage space
• Dedicated alternate sites
• Manual workarounds
• Displacement
• Work from home
Reciprocal Agreements
Sites engaged in reciprocal agreements are:
• Similar in size, operation and technology
• Have enough excess capacity for both sites
• Difficult to use when conducting exercises
• Discredited by auditors and regulators
Changes at one site can render the other site’s recovery capability invalid!
Internal Alternate Site in Dual Usage Space

An alternate site used for operations, functions or processes for which it was not originally designed. Factors to
investigate when using internal arrangements include:
• Locations (for alternate sites)
• Preparation costs
• Equipment necessary to populate the space
• Recovery time for the strategy
Cafeteria Alternate Site in Dual Usage Space
Fidelity Investments cafeteria after the 9/11 attacks
8
Dedicated Alternate Sites

Another site built by the organization to be used specifically for recovery operations.
• Large organizations with unique recovery requirements
• Expensive
• Short recovery time
The relationship of strategy cost to recovery time window is inversely proportional. Remember: $=1/t.
Manual Workarounds
Continue business operations in the absence of technology or other shared service, to include:
• Filling time gaps
• Process
• Activities
Displacement
Business functions operating at the affected site displace Business functions operating
those operating at the alternate site. at the alternate site require
eventual recovery.
• Business functions (performing less critical tasks) will make room for more critical functions
• The recovery time is affected by the distance between the two sites
• Advantage is using existing company infrastructure
Work from Home

• Used when an entity has the capability to support staff working from home through remote connectivity
• Can be used in combination with other strategies to reduce alternate site requirements
• Identify those functions that can be performed from home
9
Self-Assessment: Continuity/Recovery Philosophies

Select either continuity or recovery protection for the business functions listed below:
Business Function RTO Continuity Recovery

Manufacturing 6 hours
Accounting 72 hours
Janitorial Service 2 weeks
Patient Intensive Care 0
Banking Transaction 2 hours
Technology Recovery Strategies

Depending on how much downtime you have before the technology recovery must be complete, recovery
strategies selected for the technology environment could be one or more of the following:
Dual Data Centre
Hot Site
Warm Site
Cold Site
Co-location
10
Identify Strategies for Recovery of Technology Data

• Physical and virtual media backup
Full
Differential
Incremental
• Data replication (disk mirroring)
Range of Strategies for Recovery of Technology Data
11
1.2.11 Manufacturing – Strategies

Manufacturing environments have specific needs and may use the following recovery strategies:
• Repair/rebuild at the time of the event
• Shift production to another line or site
• Utilize existing inventory
• Utilize excess capacity in other plants
• Buy back product from customer(s) and redistribute it as needed
• Provide a substitute product in lieu of the unavailable products
• Outsource production
Manufacturing – Business Relocation Strategy

Internal recovery - switching production from one site to another site
• Requires excess capacity
• May require retooling
• Could limit production
• By profit margin
• By customer relationship
Retooling Issue
• Move production from one item to another
• Cost
• Time
Proximity Issue
• Shipment consequence
• Customers
• Suppliers
12
Manufacturing – Surviving Site Strategy
With this approach, shifting production to other sites and utilizing the excess capacity at each site achieves
continuity.
When Site down! Capacity at impacted site drops to 0%. Capacity at remain sites jumps to ________%
Manufacturing – Safety Stock Strategy
With this approach, utilizing existing inventory achieves continuity.
Timeframe to Rebuild
Repairing or rebuilding a large/complex site, such as a factory, at the time of the event may require more time
than the entity can tolerate.
13
Margins by Plant
Stock Keeping Unit (SKU) Prioritization
14
Customer Prioritization
Strategy Identification and Evaluation – Execution Strategies
Negative Answers Eliminate Strategies
15
Strategy Identification and Evaluation – Preparatory Strategies
Preparatory Strategies may fill gaps of execution strategies, change the acceptable level of recovery, or be the
only possible strategy.
Alternate Site-Based Risk Considerations

Develop and review scoring process with interested parties
Note: Consistency in risk allocation required
RISK CATEGORY % IMPACT
Physical and political 25
Financial 15
Quality 20
Process 10
HSE/regulatory 10
Sustainability 5
Reputation 5
Site security 10
16
Strategy Identification and Evaluation Issues

• Cash costs and opportunity costs
• Proximity issues
• Capacity issues
• Quality issues (customer satisfaction/acceptance)
• Product packaging issues
• Product capability issues
• Availability/reliability
• Longer term consequences of decision
• Regulatory issues
Recovery Strategies – Makeup Production + Order Limits
Available makeup production capacity limits this plan to 80% replacement. Remaining 20% accounted for by
reducing standard unit quantity and limiting customer order quantities.
17
Request for Proposal (RFP)

• Establishes a relationship with a continuity/recovery services provider
• Specifies service requirements the provider must meet
• Is the basis for the continuity/recovery contract
The Basic Components of an RFP

• Introduction
• Description of the entity
• Objective of the RFP
• Notices to respondents
• Proposal requirements
• General terms and conditions
• Specifications
• Pricing and delivery schedule
• Respondent questionnaire
• Supporting information
18
Important Concepts
Strategies driven by risk assessment and business impact analysis
Hot site
Warm site
Cold site
Reciprocal agreements
Manual workarounds
Displacement
Manufacturing strategies
Cost of recovery - recovery window function
19
Class Exercise
Using the prioritized business function/process list developed during the BIA, develop the following:
1. Identify & describe three continuity/recovery strategies needed to meet the function/process RTOs
2. The advantages (pros) and disadvantages (cons) of each strategy
3. A cost estimate for each strategy (e.g., high, medium, low)
Discuss how you would present recommendations for leadership approval.
Business Function/Process (from Lesson 3 Class Exercise) RTO

1
Strategy Advantage (pro) /Disadvantage (con) Cost

1.1
1.2
1.3
2.1
2.2
2.3
3.1
3.2
3.3
20
Knowledge Checks
Professional Practice Four: Business Continuity Strategies
Circle the best choice for each question below. There is only one correct answer for each question.
1. When assessing strategies, what is the MOST important element?

a. Meeting the RTOs and filling gaps as identified in the BIA
b. Comparing the internal and external solutions
c. Assessing the risk of each strategy
d. The cost effectiveness of the strategy
2. Which of the following is a viable strategy for manufacturing continuity?

a. Selecting a viable warm site
b. Developing effective surviving site strategy
c. Developing work from home procedures
d. Identifying strategies that meet RPO requirements
3. When evaluating RFP responses, it is important to:

a. Focus on the costs identified
b. Select the vendors who respond after the designated date for reply
c. Compare the responses by their ability to meet the RTO
d. Look primarily at vendors who service only customers in your regional area
4. A presentation to leadership on recovery strategies should include:

a. A variety of options and alternatives to choose
b. A report on the strategies to be confirmed by leadership
c. A thorough report that covers all possible alternatives
d. A report on the strategies you have implemented
21

BCLE 2000C PG 04 Jan2019

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

BCLE 2000C PG 04 Jan2019

Uploaded by

Copyright:

Available Formats

BCLE 2000

Lesson 4: Business Continuity

Canadian Participant’s Guide

© 2019 DRI International & DRI Canada. All rights reserved.

The Professional Practices for Business Continuity Management

Professional Practice Four: Business Continuity Strategies

1. Identify Available Continuity and Recovery Strategies

2. Identify Alternative Technology Continuity and Recovery Options

2.3 Assess Viability of Alternative Strategies Against the BIA

2.4 Develop a Preliminary Cost Benefit Analysis

3. Address Supply Chain Issues Affecting Recovery Strategies

4. Review and Consolidate Strategies

5. Strategy Cost Benefit Analysis

6. Recommend Strategies and Obtain Approval

Group Activity: Continuity/Recovery Strategies

Business Continuity Philosophies

Important Strategies to Consider for Business Continuity

Internal Alternate Site in Dual Usage Space

Fidelity Investments cafeteria after the 9/11 attacks

Dedicated Alternate Sites

Work from Home

Self-Assessment: Continuity/Recovery Philosophies

Business Function RTO Continuity Recovery

Janitorial Service 2 weeks

Patient Intensive Care 0

Banking Transaction 2 hours

Technology Recovery Strategies

Identify Strategies for Recovery of Technology Data

• Data replication (disk mirroring)

Range of Strategies for Recovery of Technology Data

1.2.11 Manufacturing – Strategies

Manufacturing – Business Relocation Strategy

Manufacturing – Surviving Site Strategy

Manufacturing – Safety Stock Strategy

With this approach, utilizing existing inventory achieves continuity.

Stock Keeping Unit (SKU) Prioritization

Strategy Identification and Evaluation – Execution Strategies

Negative Answers Eliminate Strategies

Strategy Identification and Evaluation – Preparatory Strategies

Alternate Site-Based Risk Considerations

RISK CATEGORY % IMPACT

Physical and political 25

Strategy Identification and Evaluation Issues

Recovery Strategies – Makeup Production + Order Limits

Request for Proposal (RFP)

The Basic Components of an RFP

Cost of recovery - recovery window function

Business Function/Process (from Lesson 3 Class Exercise) RTO

Strategy Advantage (pro) /Disadvantage (con) Cost

1. When assessing strategies, what is the MOST important element?

2. Which of the following is a viable strategy for manufacturing continuity?

3. When evaluating RFP responses, it is important to:

4. A presentation to leadership on recovery strategies should include:

You might also like