Early in the development of a business continuity programme, careful, pragmatic scoping can be the difference between quick, appropriate wins and a never-ending planning effort that delivers little real capability.  Organisations typically build programmes in response to customer and/or regulatory requirements; however, instead of taking the time to carefully scope and prioritize the business continuity effort (and resource it accordingly), organisations often take an "all or nothing" approach to planning – plan for every "box on the org chart", every facility, every application, and every resource.  Many organisations do not realize that business continuity can, and often should, initially address the organisation's most critical and time-sensitive products and services, expanding to other parts of the organisation over time.

An appropriate scope enables an organisation to plan efficiently for a disruptive incident.  Additionally, effective scoping allows an organisation to prioritize critical products and services during the initial implementation of business continuity and to expand the programme to less critical areas over time.  Ideally, an organisation defines the scope of business continuity based on the following three factors, each of which is discussed in more detail in the remainder of this post:

  1. Stakeholder Requirements
  2. Products and Services
  3. Risk Appetite

Understand Requirements
Most importantly, an effectively scoped business continuity programme takes stakeholder requirements into account.  Stakeholders include customers, regulators, management, and other interested parties.  Each stakeholder group has expectations, and to be effective, business continuity should address those expectations and protect the organisation from violating them.  Therefore, an organisation should design its business continuity programme to protect itself from the impacts of violating key requirements such as:

  • Contractual Obligations (service level agreements)
  • Regulatory Requirements
  • Customer Promises
  • Employee Commitments
  • Health/Safety Requirements

While requirements vary greatly based on a number of factors, an organisation that does not understand its requirements will find it extremely difficult to prioritize, let alone build and maintain, an effective business continuity programme.  Furthermore, once requirements are understood, an organisation can document a specific and appropriate set of business continuity objectives.

Define Products and Services
After understanding its obligations and establishing business continuity objectives, an organisation can move the scoping effort forward by identifying and assessing the products and services it delivers to each relevant stakeholder group (ISO 22301 defines products and services as the beneficial outcomes provided by an organisation to its customers, recipients and interested parties).  Defining products and services is an effective way to manage the scoping effort at a strategic level because products and services are easily understood by management, employees, regulators, and customers alike.  They create value!  After an organisation takes an inventory of its products and services, it must determine whether an interruption to each product or service would result in the inability to comply with the organisation's requirements and/or business continuity objectives (as described above), or would otherwise result in unacceptable consequences.  Products and services that, if interrupted, would result in missed obligations or unacceptable consequences should be considered in scope, together with all supporting departments, activities, and resources.

Once the organisation has defined a list of "in-scope" products and services, it can and should retrieve the organisational chart and begin mapping departments or business units back to these products and services (remembering that not every department will be included).  This exercise allows an organisation to begin understanding and prioritizing the critical business areas that must be addressed by business continuity, and also provides insight into the time and resources required to implement it.  When this activity is complete, an organisation should have an understanding of its in-scope products and services, and a list or "map" of the departments that support or deliver them.

The graphic below provides an illustration of the relationship between products and services, departments, activities, and resources.  Note: Avalution recommends identifying activities and resources during the business impact analysis, not during the scoping effort.

Define Risk Appetite
At this point in the scoping effort, an organisation should have a clear understanding of business continuity requirements and objectives, as well as an initial inventory of in-scope products, services, and departments.

The final activity in the scoping process is defining the organisation's risk appetite (the impacts that an organisation is unwilling to tolerate or that are deemed to be unacceptable).  To reach consensus on this topic, an organisation should leverage information from the previous two activities and present management with the potential impacts associated with an inability to deliver in-scope products and services.  Management should then give guidance on which impacts are unacceptable, including the amount of downtime the organisation is willing to tolerate.

Although potential impacts vary between organisations and industries, the following categories are a good starting point in understanding and defining potential impacts associated with a disruptive incident:

  • Regulatory Impacts
  • Legal and/or Contractual Impacts
  • Customer Impacts
  • Financial Impacts
  • Operational Impacts
  • Reputational Impacts

Based on the guidance provided by management, an organisation can formally define and document its risk appetite using criteria that describe which impacts are unacceptable.  Products and services, departments, and resources whose downtime could exceed the organisation's risk appetite should be within the scope of the business continuity programme.

Conclusion
Based on requirements and obligations, the importance of the organisation’s products and services, and a documented risk appetite, an organisation can document a formal scope statement that establishes the boundaries of the business continuity effort.

Organisations often find themselves developing, or trying to maintain, business continuity programmes without a formal understanding or definition of the programme's scope.  This leads to a host of issues, including misallocation of resources, ill-defined preparedness objectives, an inability to maintain recovery strategies, and difficulty enforcing policy.  Effective scoping not only delivers focus; it also formalizes business continuity objectives, defines in-scope products and services, and facilitates agreement on risk appetite.

Stated simply, effective scoping is one of the surest ways to prevent (or address) ineffective business continuity programmes and align a programme’s scope with stakeholder expectations.

Business continuity and IT disaster recovery planning are all that we do. If you're looking for help with building or improving your business continuity programme, we can help.