Once business impact analyses have been performed, the Impact Score will be calculated for each business component included in the scope. Continuity managers can determine which business components are critical or not based on the Impact Score and other data available, such as whether the business component is supporting critical assets or other vital business components.
Any business components defined at least once as critical in the Impact Analysis section are added automatically to the list of strategies. These business components will remain in the Strategies section, even if they are later defined as not critical, in which case they can be removed manually from the list of strategies. Keep in mind that business components can also be added manually to the Strategies section, regardless of whether or not they were defined as critical.
In the Continuity Strategies section, continuity managers will be able to determine appropriate strategies for the business components, which can be added manually or automatically through the Impact Analysis when defined at least once as critical. The system offers three strategy options by default:
•Accept: This strategy can be selected when the risks to the continuity of a certain business component that has been identified as critical are known and accepted. No measures will be taken to avoid an interruption or ensure continuity of the activity in the event that it is interrupted.
•Suspend or Terminate: This strategy can be applied when a business component is identified as critical and a formal decision is made to suspend or terminate the activity. The risks, in this case, are not accepted, yet they may be too costly to treat or it may be infeasible to plan for continuity and institute measures to prevent an interruption.
•Opt for Continuity: If a business component is identified as critical and cannot be interrupted without severe repercussions, this should be the strategy selected. In this case, continuity managers will outline measures to prevent interruptions and to mitigate the impact an interruption might have. These measures might include preventive activities – such as risk analyses to identify and treat threats to its continuity, the establishment of additional security controls, or detailed documentation of the activity so that in the absence of key staff others will be able to step in - and the creation of plans that define exactly what steps must be taken and by whom so that the activity can enter contingency mode, so that the activity can be fully recovered, or so that the activity can be immediately recovered without ever entering contingency mode. This is often the case with critical activities that cannot be interrupted without enormous losses, often involving mirror or hot backup sites that can be activated immediately.
In the Customizations section of this module, new strategy options can be created and the three default options can be disabled if necessary.
Regardless of the strategy selected, a justification must be provided for each decision made, and the strategies selected can be redefined at any time. Each decision is recorded in a log, which includes the date the decision was made, by whom, and the strategy adopted.
Optionally, events from the Workflow module and plans published in the Plans section of this module can be associated with the most recent strategy defined for each business component. In addition, files in any format can be attached to each strategy. However, note that if a new strategy is selected for the business component, the previous strategy is no longer altered and these associations are fixed.