We Just Did A BIA and GAP Analysis… Now What?

How to Perform an Effective Business Continuity Strategy Identification and Selection Effort

Reader Note: This article is a continuation from Castellan’s November 2014 article titled: We just did a BIA and Risk Assessment … Now What? How to Perform an Effective Business Continuity Gap Analysis. If your organization just finished a business impact analysis (BIA) and risk assessment, but has not yet performed a gap analysis, it may be helpful to read about performing an effective gap analysis before continuing on to this article.

Once an organization understands the gaps between its business continuity requirements (as defined in the business impact analysis and risk assessment) and its current capabilities, management can determine which gaps to address through strategy selection, either through risk mitigation or through resource-specific recovery methods. Determining methods to decrease the likelihood of a disruptive incident reduces the chance that a risk will materialize, while identifying methods to respond to and recover from a disruptive incident decreases downtime and protects the organization's brand and financial position (among other assets).

Failing to perform an appropriate strategy identification and selection process may increase the likelihood of a disruptive incident, or may lead to unnecessary downtime as the organization searches, in an ad hoc manner and only after the disruption has begun, for the most appropriate methods to respond to the event and recover its most important activities and resources.

The strategy identification and selection effort involves three activities:

  1. Identify available strategy options
  2. Perform cost-benefit analysis on each available option
  3. Present best choice(s) for selection and implement selected strategy

Following this method allows the organization to identify then select the best, most cost-effective methods to manage the risk and impact associated with a disruptive incident.

The business continuity strategy identification and selection effort involves risk management approaches that address two needs:

  • Risk Mitigation Strategies: Measures implemented before the onset of a disruptive incident that decrease the likelihood of it occurring.
  • Response and Recovery Strategies: Capabilities that enable the organization to resume a minimum level of operations and detail how it will operate during a disruptive incident.

Let’s take a closer look at each.

Risk Mitigation Strategies
Risk mitigation involves identifying possible preventative measures that reduce the likelihood of a disruptive incident occurring and impacting the organization's resources (to be clear, this is not about trying to prevent a threat; it is about minimizing the likelihood that a disruptive incident affects the organization's ability to deliver its products and services). There are many forms of risk mitigation (and multiple options may exist per resource type); however, the following list provides one example option per resource type:

  • Supplier: Reviewing single-sourced supplier business continuity capabilities and documenting contractual provisions to ensure the organization can continue receiving products and services necessary to continue operations.
  • Facility and Equipment: Securing backup power to the facility and its equipment to help ensure business activities can continue as normal with minimal downtime following a power failure.
  • People: Ensuring multiple personnel can fulfill the duties of critical roles removes staffing single points of failure and helps ensure business activities can continue if a staff member is absent.
  • Technology: Replicating data at an alternate location and making available alternate computing capabilities protects against the loss of applications and data.

Response and Recovery Strategies
Response and recovery strategies enable business activities to resume at a minimum level of service following a disruptive incident (and eventually return to normal). Like risk mitigation, there are many recovery strategy options; the organization should identify the available options that fit its unique culture. The list below provides one example option per resource type:

  • Supplier: Identifying and documenting contingency agreements with alternate suppliers ensures that the organization can continue receiving the products and services necessary to continue operations if the primary supplier is unable to deliver.
  • Facility and Equipment: Relocating to a pre-identified alternate site with the necessary equipment (within a suitable distance from the primary site) ensures the organization can continue operating in the absence of the primary site.
  • People: Scaling down workload to address only time-sensitive activities ensures the organization can continue delivering minimal levels of service to customers during periods of high absenteeism.
  • Technology: Developing and documenting manual workarounds enables personnel to continue performing business activities while information technology is unavailable.

For each risk or gap that management wishes to address through the strategy selection process, the organization should identify all realistic, available options to either mitigate the risk before the onset of an incident or ensure a response and recovery strategy is in place to meet recovery objectives following the onset of an incident.

Once an organization identifies available strategy options, the organization should understand the potential costs and benefits of each option (the benefits are often obvious because they are noted in the BIA and risk assessment).  In doing so, the organization should consider the initial implementation costs, as well as long-term strategy maintenance costs (if any).  Below is an example of a cost-benefit analysis for implementing a disaster recovery strategy:


In this example, both options meet the same recovery objectives; the primary difference lies in whether the organization prefers to spend capital or operating expense, and in where the residual risks lie (e.g. with internal staff or with a third party). The matrix above allows management to understand the available options, as well as the pros and cons associated with each, in order to make an informed decision on strategy selection.

Following the cost-benefit analysis, the organization should present the best choice(s) to management (e.g. the business continuity steering committee) for selection.  Management can either choose one of the presented strategies, propose an alternate strategy, modify recovery objectives to ease investment burden, or accept the risk entirely (and take no action).

Assuming management selects a strategy, the organization should coordinate with necessary internal (e.g. project management and procurement) and external (e.g. third-party recovery providers) stakeholders to acquire and implement the appropriate solution to address the risk.

Following implementation, the organization can ensure appropriate usage of response and recovery strategies by documenting methods by which the organization will execute these strategies in the form of business continuity plans.  If performed effectively, the strategy identification and selection effort ensures that the organization’s top management selects the most appropriate, cost-effective risk mitigation and recovery approaches, consistent with acceptable levels of risk and BIA-derived recovery objectives.  It also ensures that business continuity plans are actually executable and enables the organization to meet recovery objectives during a disruptive incident.

Business continuity and IT disaster recovery planning is all that we do. If you’re looking for assistance with building or improving your business continuity program, we can help!
