Adaptive Business Continuity

The goal of Adaptive BC is the continuous improvement of response and recovery capabilities, not the accumulation of documents.

Evidence clearly demonstrates that most people cannot pick up an unfamiliar and complicated plan at time of disaster and use it for an effective and efficient response. Documentation alone must not be the primary guide, desired deliverable, or measure of preparedness efforts.

Documentation serves only to support thinking and discussion involved in preparedness. Each responder must have as much of a visceral, immediate, and intuitive understanding of the roles, responsibilities, and actions required of him or her as possible. Documentation is effective only inasmuch as it provides a reminder of the processes that participants developed and practiced over time.

How long an organization can cope without a particular service will almost always depend on an integrated combination of factors too numerous to identify and too complex to quantify. Moreover, the changes that result from the exact timing and actual impact of a disaster on a service will dictate different judgements about applicable recovery strategies, priorities, and time. Definitive changes to a service’s holistic “ecosystem” cannot be foreknown.

In this context, forcing a single answer for a recovery time target is often impossible, inaccurate, and ill-advised. Realistically, the best answer to, “How soon does service X need to be recovered?” is, “It depends.” Therefore, only static, precise, predetermined, and significant time restrictions should be specifically incorporated into recovery preparations. Such restrictions are likely to relate to immediate threats to health and safety, violation of laws and regulations, and/or failure to meet contractual obligations and service level agreements.

Traditional planning methodology focuses on gaining executive (and only executive) support. This exclusivity of focus follows from the fallacy that the majority of necessary information, resources, and support for a successful continuity program are known and controlled by executives.

Many individuals from many levels of the organization greatly influence preparedness outcomes. The continuous improvement of recovery capabilities requires identifying and gaining the support and ongoing engagement of these key individuals and not just executives.

The practitioner must obtain meaningful information in order to effectively prepare the organization for disaster. Most times such information can only be obtained from front line staff or subject matter experts, and often only after having first built a relationship of trust.

Furthermore, it is not the practitioner or the executives who will be restoring systems and services at time of disaster. Response and recovery will require dedicated effort from people at every level of the organization. These are the people who most need to know the procedures and possess the competencies to continue the organization’s services. Developing these capabilities requires appropriate and ongoing engagement.

Traditional BC standards called for measurements but were unable to offer examples. As Brian A. Jackson of the Rand Corporation notes, “The limits of many of the means of assessing preparedness have led to interest in the use of exercises… As a result, whether or not a plan has been exercised is frequently used as a proxy measure for assessing its preparedness value.”

Business continuity tests are not reliable measures of recoverability. There are significant limitations in using a test to simulate a real disaster, and serious problems exist in using such an exercise to validate an organization’s ability to hit its defined Recovery Point Objectives (RPOs) and Recovery Time Objectives (RTOs).

Exercises should be used to support the continuous improvement of response and recovery capabilities. They should neither be used as tests of recoverability nor as reviews of planning documentation. As such, the focus of exercises should be to:

• Get comfortable working and making decisions in a (simulated) post-incident or post-disaster environment
• Know the structure and practice the initial actions of designated response teams
• Increase awareness of both existing and missing resources, procedures, and competencies needed to respond and recover
• Identify areas and owners for short- and long-term improvements

Traditional continuity planning focused practitioners more on strict methodology and prescribed compliance than on the genuine effectiveness of the work performed. Practitioners often did not understand the business and were unable to address the real concerns of executive leadership.

Adaptive BC encourages practitioners to learn the mission and culture of each department, and to understand the systems and services involved. Response and recovery processes cannot just be bolted on to a department’s pre-existing structure and environment. Alien and artificial processes are not easily adopted and are likely forgotten or discarded at time of disaster. Processes that align with the day-to-day nature of the department will be more effective when most needed.

Practitioners must move beyond merely collecting data about the business, and instead improve their business acumen by learning the vision, mission, and operations of each area within the organization as well as the language of leadership within the context of continuity of services.

Measurement is crucial to Adaptive BC. Traditional continuity planning relied on the accumulation of deliverables or conformity to defined standards as metrics without regard for the effectiveness of such materials or activities. This oversight resulted in an inability to demonstrate the business value of practitioners’ efforts to executives and other key stakeholders.

The final measure of preparedness is the effective response and actual recoverability of a system or service (or a holistic collection of both) at time of disaster. Organizations cannot afford to wait until time of disaster to know to what degree they are prepared to recover from a significant physical or staffing loss.

Measuring an organization’s capability to respond to and recover from an unexpected unavailability is straightforward. Measurement should focus on the following three factors:

• Resources: The degree to which resources that will be required at time of disaster will be available
• Procedures: The degree to which each individual responder fully knows and has internalized his / her duties at time of disaster
• Crisis Competencies: The degree to which each individual responder, operating in conjunction with other responders, will be able to function effectively throughout the duration of the disaster.

Measurements indicate where an organization can invest to improve its capabilities to recover. Benchmarking demonstrates that such investments have provided the intended results. Practitioners must benchmark existing levels of preparedness as early as possible within an organization, and then again at regular intervals.

Measurement and benchmarking provide a quantitative foundation for Adaptive BC. In this way the organization can be confident that the defined processes, additional resources, and improved competencies are contributing to the desired result – continuous recoverability improvement.

Traditional continuity methodology insisted that the practitioner obtain formal support from executive leadership before any work could begin. Standards dictated that all program objectives be identified, documented, and approved by the executive team before the practitioner could even begin work to prepare the organization.

Adaptive BC believes that executive leaders know their business well enough to identify the most critical functions and put the right people in charge of them, thus providing a command and control structure for the preparedness program and its practitioners. Work can begin quickly within individual areas based on the specific needs and knowledge of the accountable and assigned leader in each area.

Using an incremental approach, the practitioner can consistently deliver value and make beneficial course corrections based on regular feedback. The successful practitioner of Adaptive BC must carefully navigate competing constraints while ensuring that Board members and senior leaders are aware of their risks for fiduciary accountability, loss of revenues and capital, inadequate or inapplicable insurance, and impact to brand. Practitioners should partner with individual leaders to determine the appropriate actions and investments that will improve the organization’s capability to respond to and recover from disaster, while keeping such efforts aligned in the context of business priorities.

The risk assessment (RA) and the business impact analysis (BIA) form the backbone of traditional continuity planning. They are considered fundamental components in virtually every best practice guide and industry standard. Employing these two practices leads practitioners along a trajectory that further entangles their work in the many related techniques of traditional continuity planning, along with the negative outcomes of these techniques. Practitioners should eliminate the use of the risk assessment and business impact analysis.

Risk Assessment

The results of a risk assessment may lead the practitioner, leadership, participants, and organization as a whole to prepare for and mitigate threats that never materialize while other non-identified threats materialize instead. Preparing for the wrong threats is a waste of resources and may lead to a false sense of security that further jeopardizes the organization.

Some threats, such as cyber attacks, disgruntled employees, and utility or infrastructure disruptions, are identified and mitigated but materialize nonetheless. It is precisely because bad things will happen, despite the best efforts of very capable risk managers to prevent them, that continuity planning is so critical. (See additional points in “Prepare for Effects, not Causes.”) There are also significant liabilities for continuity practitioners who do not possess the training and expertise to properly implement and follow through on a risk assessment. Risk assessment is a technique of risk management, a discipline with its own body of knowledge apart from business continuity. Administering a proper risk assessment and implementing the resulting action items may necessitate deep knowledge of actuarial tables, information security, insurance and fraud, state and federal regulations, seismological and meteorological data, and the law. Typical continuity practitioners do not possess such deep knowledge; those who do are most likely specifically trained as risk managers. Adaptive BC practitioners as such should eliminate the risk assessment from their scope of responsibility.

Business Impact Analysis

The purpose of a formal business impact analysis is to identify an organization’s services along with the potential daily or hourly loss, usually in terms of money, that a disruption of the service would have on the organization. Over time, the purpose of a BIA has changed, expanded, and become indistinct. The term BIA now often includes recovery time objective (RTO) and recovery point objective (RPO) data, response and recovery strategies, upstream and downstream dependencies, and other information.

The BIA as a measure of estimated losses should be abandoned. Its main purpose was to help leadership identify the most critical services and to set a prioritization for continuity planning efforts. The discipline should eliminate the BIA because:

• The goal of quantifying the impact of disaster is likely a non-starter from the beginning. Numerous commentators have identified numerous deep flaws at the core of the BIA practice. Rainer Hübert’s definitive paper, “Why the Business Impact Analysis Does Not Work,” makes a compelling argument for the industry to abandon the practice of BIA work entirely because of the “very costly and even fatal misinterpretations and misrepresentations” inherent in the process.
• Executive leadership can be trusted to identify critical services based on their experience and knowledge of the organization (as discussed in “Obtain Incremental Direction from Leadership”) and therefore can set general direction and prioritization for preparedness planning.
• The proper sequence to restore services at time of disaster will depend on the exact nature of the post-disaster situation, a situation that cannot be predicted ahead of time. Because the organization must be flexible and responsive to the situation as it unfolds in real time, recovery time targets and a prescriptive recovery sequence should not be predetermined.

Due to the increasingly nebulous and confused understanding of the term BIA, along with the many connotations and associations that the term has within traditional continuity planning, both the practice and term itself should be entirely abandoned in Adaptive BC.

Adaptive BC focuses on the three major effects of an incident:

1. Unavailability of location
2. Unavailability of people
3. Unavailability of resources (physical or virtual)

A vast number of circumstances and combinations of cascading events can lead to one or all of these effects. An organization cannot responsibly afford to plan for so many causes. Fortunately, a robust response and recovery strategy can be generated and effectively executed from a short list of intelligently combined options.

The organization can mix and scale a portfolio of response and recovery processes as the incident unfolds and the situation changes. Often the response to effects can be relatively simple if staff is trained to evaluate from among a short set of known options and then act as practiced in advance. This allows the organization to remain flexible and efficient in its management of the incident.