Business Continuity : (Earth)shaken not sturred…

The recent events in Japan made me wonder about – the importance of – risk assessment and business continuity planning. Many companies may already have a business continuity plan, some companies are even required to do so, e.g. financial institutions, critical infrastructure providers…
Some sectors have self-imposed rule sets to provide a risk assessment and business continuity plan.

What is a business continuity plan?

A business continuity plan (or BCP) is a plan that outlines the course of action a business will take to ensure the continued activity of the business during and after disaster. So defined a BCP implies or builds upon the results of a solid and thorough risk assessment. What risks is my business exposed to? What impact do these risks have on my business? And when these potential risks become reality, what do I need to do to ensure the continuation of my business' activity?
Those are questions a business tries to answer in its BCP.

It is not my intention to teach you how to build your own plan, nor do I intend to tell you which is the best way to perceive one. In light of the recent events in Japan, I want to put some questions before you, upon which you might want to ponder some time. Let's go through some issues that one will have to think about when drawing up one’s own business continuity strategy.

Location, location… and its risks.
You will want to have a backup location in case your main building is destroyed. Preferably somewhat remote from the main site. But, wait, how far is far enough? It al depends on the risks you are exposed to. Sometimes distances is not a safeguard, but geographical or geologic structure of the location might be a more suited property to use as a marker. One thing is certain: next door is not an option. Since you backup site would then be exposed to the same risks as your primary site. Ask yourselfs this: what are the disasters most likely to happen in your neighbourhood? Airplane crash? Fire? Flood? Nuclear Meltdown?
e.g. if your primary site is near a body of water, you are more at risk from floods than others. So perhaps you will choose a backup site on higher ground and more remote from water. (But in that case what about access to water for firefighting?)
For the first two, a location 50 km from your primary site might be sufficient, for the nuclear meltdown risk, 200 km might not even be sufficient.
Meteorological data is also important: what are the prevalent directions of the wind in your region? Is there a risk for drought, making you more vulnerable to fires? Is you region often rainy, thus making it more at risk from floods?
Are there dangerous industries in your environment? Not only nuclear plants pose a threat, but perhaps also chemical installations and other industries pose a risk to there environment in such a way that being in the vicinity should also be a factor to take into account. What if the shit hits the fans at our friendly neighbour the power plant?
Each location has its own risk profile so to speak. Probably your main site and backup site will have both risks attached to their location, but make sure these risks are of a different nature so that the chance they are both hit by the same misfortune is a small as possible.

Dependency of others…
In what way and by what degree are you dependent on third parties for critical resources such as power, water, information? Have those parties taken sufficient measures to ensure they can fulfil their contracts when the situation is dire and grim? Have you verified this? Triple check!

Specifics or general purpose
Also, very important, do you stipulate specific scenario’s? Or do you build a plan depending on “worst case scenario”? My preference is for the latter. What is the worst case scenario? Really?

Procedures, people and resources
It is good to have procedures. It is even better to have procedures you have tested on a regular basis. Your people should know who to contact in case of an emergency. Decisions will have to be made to ensure the continued activity of the business. Priorities will have to be assigned to tasks and activities to determine which resources need to be restored first.
Practice the procedures! Your employees should know them almost by heart, so that when disaster strikes and everyone is under stress, things run as smoothly as possible.

And then disaster strikes…
… on a scale like it has in Japan.

Is your business ready to handle such events ? Can you be sure your risk assessment is sound and that your plan therefore is solid enough to withstand the cataclysmic consequences of an event like the one that hit Japan? (It does not have to be an earthquake that takes you out.)
What are you willing to accept as being to big to handle? Do you want to be up and running no matter what? Do you have to be?

I hope you will have understood by now that there is no one good answer to the ideal business continuity strategy. It all depends on the risks you are willing to take and suffer. It is also a recurring exercise. You’ll assess en reassess your risks on a regular basis and finetune, modify and refit your strategy.

It is time to (re)think your assessment, trust me.

Update: published an article that is also considering some risk assessment issues that can be taken away from the events in japan.

Being able to continue what you were doing, no matter what, is also a matter of security.

Stay secure!