Early on in the development of a business continuity program, careful, pragmatic scoping can be the difference between quick and appropriate wins and a never-ending planning effort with little capability. Organizations typically build programs due to customer and/or regulatory requirements; however, instead of taking the time to carefully scope and prioritize the business continuity effort (and provide resources accordingly), organizations often take an “all or nothing” approach to planning – plan for every “box on the org chart”, every facility, every application, and every resource. Many organizations do not realize that business continuity can, and often should, initially address an organization’s most critical/time-sensitive products and services, expanding to other parts of the organization overtime.
An appropriate scope enables an organization to efficiently plan for a disruptive incident. Additionally, scoping effectively allows an organization to prioritize critical products and services during the initial implementation of business continuity and expand the program to less critical areas overtime. Ideally, an organization defines the scope of business continuity based on the following factors, which are discussed in additional detail throughout the remainder of this post:
- Stakeholder Requirements
- Products and Services
- Risk Appetite
Most importantly, an effectively scoped business continuity program takes into account stakeholder requirements. Stakeholders include customers, regulators, management, and other interested parties. Each stakeholder group has expectations, and to be effective, business continuity should address and protect an organization from violating these expectations. Therefore, an organization should design its business continuity program to protect itself from the impacts of violating key requirements such as:
- Contractual Obligations (service level agreements)
- Regulatory Requirements
- Customer Promises
- Employee Commitments
- Health/Safety Requirements
While requirements vary greatly based on a number of factors, an organization will find it extremely difficult to prioritize, let alone build and maintain an effective business continuity program, without understanding its requirements. Furthermore, once requirements are understood, an organization can document a specific and appropriate set of business continuity objectives.
Define Products and Services
After understanding its obligations and establishing business continuity objectives, an organization can move forward with the scoping effort by understanding and assessing its products and services (beneficial outcomes provided by an organization to its customers, recipients and interested parties – ISO 22301) delivered to each relevant stakeholder group. Defining products and services is an effective way to manage the scoping effort at a strategic level because products and services are easily understood by management, employees, regulators, and customers alike. They create value! After an organization takes an inventory of its products and services, it must determine if an interruption to each product and service would result in the inability to comply with the organization’s requirements and/or business continuity objectives (as described above), or result in unacceptable consequences. Those products and services, that if interrupted would result in missed obligations or unacceptable consequences, should be considered in scope, together with all supporting departments, activities, and resources.
Once the organization defines a list of “in-scope” products and services, it can and should retrieve the organizational chart and begin mapping departments or business units back to these products and services (remembering that every department will not be included). This exercise allows an organization to begin understanding and prioritizing the critical business areas that must be addressed by business continuity and also provides insight into the time and resources required to implement business continuity. When this activity is complete, an organization should have an understanding of in-scope products and services, and a list or “map” of the departments that support or deliver these products and services.
The graphic below provides an illustration of the relationship between products and services, departments, activities, and resources. Note: Avalution recommends identifying activities and resources during the business impact analysis, not during the scoping effort.
Define Risk Appetite
At this point in the scoping effort, an organization should have a clear understanding of business continuity requirements and objectives, as well as an initial inventory of in-scope products, services, and departments.
The final activity in the scoping process is defining an organization’s risk appetite (the impacts that an organization is unwilling to tolerate or that are deemed to be unacceptable). To reach consensus on this topic, an organization should leverage information from the previous two activities and present management with potential impacts associated with the inability to deliver in-scope products and services. Management should subsequently give guidance on which impacts are unacceptable, to include the amount of downtime the organization is willing to tolerate.
Although potential impacts vary between organizations and industries, the following categories are a good starting point in understanding and defining potential impacts associated with a disruptive incident:
- Regulatory Impacts
- Legal and/or Contractual Impacts
- Customer Impacts
- Financial Impacts
- Operational Impacts
- Reputational Impacts
Based on guidance provided by management, an organization can formally define and document its risk appetite using criteria that describes impact that is unacceptable. Downtime associated with products and services, departments, and resources that may exceed an organization’s risk appetite should be in scope of the business continuity program.
Based on requirements and obligations, the importance of the organization’s products and services, and a documented risk appetite, an organization can document a formal scope statement that establishes the boundaries of the business continuity effort.
Organizations often find themselves developing, or trying to maintain business continuity programs, without a formal understanding or definition of the program’s scope. This leads to a host of issues, including misallocation of resources, ill-defined preparedness objectives, an inability to maintain recovery strategies, and difficulty enforcing policy. Effective scoping not only delivers focus, but it formalizes business continuity objectives, defines in-scope products and services, and facilitates agreement on risk appetite.
Stated simply, effective scoping is one of the surest ways to prevent (or address) ineffective business continuity programs and align a program’s scope with stakeholder expectations.
Business continuity and IT disaster recovery planning is all that we do. If you’re looking for help with building or improving your business continuity program, we can help.