BCP or BIA


A business might choose not to have a BCP but still be interested in doing a BIA.
After all, the “impact” might be something positive resulting from some change.

Oh, the Irony!
Expeditious and cost effective.

I’ve audited BCPs and always found them lacking. They are difficult to build and often make assumptions that are necessary to get the plan done but are unreasonable in reality.

The real issue with BCPs is lack of imagination.
First, they should be structured as contingency plans.
Not all events that will disrupt the business enough to trigger the BCP will affect the business in the same way. Sometimes an incident can be handled without letting it become a disaster.

Secondly, they should be layered and have contingencies at each layer.
For example, one kind of disaster might mean that some or all of the key people are unable to play their roles.

A Risk Analysis-derived BIA is going to be probabilistic by definition – and reality isn’t like that. Your BCP has to have contingencies that cater equally for the low-probability events.
And combinations of events.


About the author

Security Evangelist
