One of the biggest challenges of continuity planning is where to begin. And for many businesses this will mean dusting down the risk register. This is of course is an entirely logical approach, but potentially a red herring too. So why is this? Surely business continuity and a risk register are inextricably linked? They are, but both give a different perspective.
In simple terms, a business generates income and profit by delivering its products and/or services – which it does by utilising its assets and resources. These are either tangible – such as buildings, plant, machinery, stock and IT or intangible – such as IP, brand, regulation or reputation.
If the business loses its ability to utilise its assets and resources, perhaps for only minutes in terms of IT and communication networks, then at some point it will no longer be able to deliver its product/service. And that will eventually have an impact on the business, whether financially, reputationally or both. At some point the damage will certainly be irreparable. And we’re not talking about a total loss scenario; it might just be the loss of use or access to the assets.
So that’s the business continuity perspective.
The risk register however will tend to focus on threats and likelihoods. If a site has been destroyed, this may be immaterial. It is the ‘recovery’ of the site’s functions that will reinstate the product or service delivery, and consequently the income and profit and the subsequent survival of the business.
Sure enough, reducing the likelihood of loss to critical assets and resources is a key element in the continuity plan, particularly for businesses that can’t reinstate their operations quickly. And the risk register can help define the risk treatment, but this only takes place once the business has a clear idea of its continuity objectives.
It is simpler to say… if we can’t deliver ‘x’ how long have we got until the business dies?