Assurance and business continuity

Business continuity management involves three distinct but complementary approaches:

1. Resilience arrangements aim to maintain essential/critical information services despite incidents if at all possible, at a reduced, fallback or emergency service level at least;
   
   
2. Disaster recovery arrangements to recover and restore services that have failed for whatever reason (including failed or overwhelmed resilience);
   
   
3. Contingency arrangements to help the organization cope with whatever situations turn up unexpectedly (including failures in the other approaches, plus other novel incidents and crises, unfortunate coincidences and extreme/outlier risks involving Little Green Men From Mars).

Resilience is often neglected or misunderstood, yet it’s a valuable approach with benefits under normal operational conditions as well as during and following major incidents. Plenty of capacity generally means good performance, for instance. Assurance is another advantage: it is feasible to test various failure scenarios on a setup that has been professionally engineered for resilience, with low risk and little if any impact on production services – “professionally engineered” being key of course. Low risk is not zero risk … but surely that’s better than not being able to test at all for fear of failure!

DR is conventional. I'll leave it there.

Contingency is another valuable concept that revolves around the people more than the technology. When faced with a major incident, crisis or disaster, will your organization fall apart or pull together? Under extreme stress, do workers give up, dejectedly, or knuckle-down and get creative? Over-reliance on specific individuals in critical roles is a warning sign (obvious in hindsight but not too hard to spot in advance), whereas if workers are multi-skilled, broadly competent and willing to step up to any challenge, the organization is more likely to get through tricky situations. The same thing applies to over-reliance on key suppliers, partners and customers, networks, systems, data, cloud services or whatever. Knowing when reliance has become over-reliance is yet another assurance issue.

Generally speaking, it's good to have alternatives or options. If the organization has little choice, the things it relies so heavily upon had better be highly resilient and well-engineered just-in-case, touching on all three business continuity approaches. There’s also a clear link to risk management, governance and assurance.  

Business continuity management rocks!