In this episode, Bryghtpath Principal & Chief Executive Bryan Strawser walks through the Bryghtpath Business Continuity Framework – it’s our view of the lifecycle & workflows that should be established in any Business Continuity & Disaster Recovery framework.
Topics discussed in this episode include the business impact analysis, business continuity & disaster recovery planning lifecycles, exercises, issues management, incident & crisis management processes, and after-action reporting.
Related Episodes & Blog Posts
- Bryghtpath: Business Continuity Capabilities & Services
- Episode #43: Threat Management Framework
- Episode #59: All roads lead to one – Crisis Management Frameworks
- Episode #79: The Bryghtpath Global Security Framework
- Blog Post: Why your company needs a third-party risk management framework
Hello, and welcome to the Managing Uncertainty Podcast. This is Bryan Strawser, Principal and Chief Executive here at Bryghtpath.
And I want to spend this episode talking about our business continuity life cycle.
The starting point that we use as we begin to build a custom business continuity and disaster recovery life cycle for our clients. This is really our starting point. This is where we conceptualize, initially, our thinking over our decades of experience about the business continuity and disaster recovery life cycle.
And then, we start to use this with our clients to develop something custom that is very well-integrated into their existing risk and continuity crisis incident management, disaster recovery life cycles. And also, to connect to their view of risk in the organization. So again, this is our boilerplate. It’s definitely something that we use as a starting point, to get to something custom for a client or for an organization.
And hopefully, something that you might find valuable as you think about how these processes work and flow as a life cycle within your organization.
So, let’s take a look at the actual document here. And we’re going to start on the left. And we always start with risk. What we’re thinking about with risk is, how that your organization’s view of risk at an enterprise level or at a capability team process level, flows into your business continuity processes.
So, as we’re looking at risk, there’s a number of factors that we’re thinking about that come into play as we think about risk from a continuity and disaster recovery standpoint. And these are listed here. We’re thinking about the organizational structure. You may have separate operating companies, so those come into play. We’re thinking about the products and services that you are engaged in, that you’re selling or providing. We’re looking at the business functions and activities within the organization. We’re thinking about your employees, and what impact, what might cause harm to them. What does an impact to their workplace or morale mean for retention and their productivity?
We’re looking at your supply chain risk, and how your supply chain, your materials, your parts, your third-party services from your vendors, how does that flow into the organization? We’re looking at applications, and then here we’re talking about IT applications, what are the tools you use? It could be Salesforce, Oracle Financials, any of those application suites. Or even one-off applications that you’re using for an individual team. It could be video surveillance software. It could be business continuity software. It could be software as a service that you’re subscribing to. But how do those applications fit? What’s the underlying IT infrastructure behind those applications? What do they rely upon? What kind of networking, what kind of hardware, what kind of data center dependencies come into play?
And then lastly, facilities. Where does the work get done, and how critical are those facilities based upon the work that is actually done there? And are those facilities in good or bad locations from a risk standpoint?
All of these factors flow into your Business Impact Analysis or BIA. And of course, for the BIA, what we’re trying to understand here is really two questions. And some of this, you may not call part of your Business Impact Analysis, but we’re trying to understand the criticality of a business capability. And then we’re also trying to understand what happens when that business capability is disrupted? What happens when it’s impacted? And what does that impact look like on the things on the left? Are there upstream and downstream dependencies? Is there an impact on your team? Is there an impact on your IT applications and infrastructure? Is there an impact on your third-party services? How does all of that play? And out of that, you’re determining your recovery time objectives, and the first take on what your business continuity recovery strategies are going to look like.
Now, your Business Impact Analysis is going to be used to drive a number of things in your business continuity and disaster recovery process. But I want to go up, and we’re going to follow the BCDR planning process around, and then I’ll come back to the BIA and we’ll talk about the incident and crisis management.
So let’s go up here on the framework, and now we’re in the gray box, business continuity, and disaster recovery planning. And this is your traditional, annual or biannual, business continuity, and disaster recovery planning life cycle. You might start with training, or maybe there’s some kind of policy acknowledgment at the beginning.
But eventually, your BIA data is going to flow into your business continuity plan. And in your plan, you’re following a traditional planning process. In your plan, you’re documenting the business capability is assigned to this team or department or division. You’ve got your RTOs and your dependencies figured out from your BIA process.
And now you’re documenting your recovery processes or recovery procedures. That’s our next box down, that flow into this. Your BIA data and your business continuity plans, also connect to DR plans. Because as the business defines what is and is not critical from a business standpoint, and when those functions need to be back up and running, and you’re defining the applications, the IT applications, that are critical for that business function, then your IT organization, your DR organization, should be managing and creating disaster recovery plans for those critical IT applications and the underlying infrastructure that makes that work.
So that is your three-way process happening here, where you’ve got your BIA flowing into BC plans, the BIA and BC plan data driving what’s important from a disaster recovery plan perspective, and both of those have recovery procedures or recovery strategies, on how you’re going to recover those businesses and applications.
And then of course, from here we have, now that we have BC plans, we’re going to exercise these plans through tabletops for BC plans, or through more fully-integrated exercises for BC plans. We’re going to test our disaster recovery solutions. So we’re going to test to make sure we can hit that RTO and RPO that we’ve defined. And then after the exerciser test, we’re going to have our attestation, or our after-action process, where we’re going to capture the lessons learned, and use that information to then go back and update plans, and strategies, and capabilities from there. So that’s that top business continuity and disaster recovery planning box and mini life cycle within the broader way that we think about the business continuity of the life cycle.
So coming down out of your business continuity and disaster recovery box, we have issues management. And you can call this really whatever you want. Issues management is the traditional ISO 2203 term. But what we’re tracking here is, when you’re coming out of your exercises and testing. Or, when you’re also when you’re identifying recovery strategies, you’re going to find issues that you want to address. You’re going to have after-action items that you want to track, and monitor, and then close out. You’re going to find recovery strategies that require development, that might be an alternate workspace, it might be work from home capabilities, it might be additional VPN capacity. Those are just examples. But you’re going to have findings, even from audits and such, that turn up.
So the whole issues management process is about how do we track those findings that have been identified, and we see them through to the conclusion? Those conclusions could be, “Hey, we closed this out because we’ve successfully addressed the finding.” It could be that we have a mitigation plan to reduce the risk from the finding. It could be that there are exceptions, or we’re accepting this additional risk. And so, all of that kind of factors into issues management. And most of your business continuity tool suites that are out there, or GRC suites that are out there, have some kind of issues management capability. So that’s, that’s what we’re tracking here.
Now I want to go to the bottom of the life cycle, and I want to look at the incident and crisis management box. And here, whatever the process is in an organization, what we’re signifying here is we’re talking about, how are incidents tracked and monitored and escalated from an incident management perspective? And those incidents, they could be cybersecurity issues. They could be IT or platform issues. They could be security incidents or financial incidents, reputation management incidents. Human resources incidents, like a workplace violence situation. We’re really thinking holistically about incidents that are being tracked. And then how would those become a crisis as they escalate, and they hit your criteria in your crisis management process? And we’ve talked about that before in our crisis management framework discussions and podcast. How does it escalate from an incident to being a crisis? And, we want to track that for business continuity framework purposes here. So that’s what this gray box, incident in crisis management, signifies.
And then lastly, in the bottom right, now we’re activating plans. We might be doing this in the context of a crisis, thus the connectivity. But something has happened, and because of that something that has happened, we’ve crossed the threshold, the triggers in our business continuity or disaster recovery plan activation. So we’re going to activate the plan. We’re going to engage in our recovery activities, hopefully executing our defined recovery strategies or recovery procedures. We’re going to do that until the business is recovered or we’ve moved to the new normal, the next normal, and we’re back to those normal operations. And then we’re going to deactivate our plan process. And then we’re going to have an act or action. We’re going to talk about what worked and didn’t work in the context of this crisis, what worked and didn’t work in the context of activating this business continuity and disaster recovery plan.
And then again, those findings from your after-action process, will those flow into your issues management process, so you have one way that you’re tracking all of that information.
So again, this is our business continuity lifecycle. This is how we think about the processes, the structure that needs to be in place over the course of the year, and ongoing, to have an effective business continuity and disaster recovery process within your organization.
I hope you found this helpful. If there’s anything we can help you with, as you think about building this capability within your organization or taking a look at what you’re doing in your organization today, you can reach out to us anytime at firstname.lastname@example.org or give us a call at (612) 235-6435.
That’s it for this edition of the Managing Uncertainty Podcast. We’ll be back next week with another new episode.