
Business Continuity & Threat Analysis

How we work in BCP

Business continuity planning (BCP) is the process whereby an organisation's exposure to internal and external threats is identified and divided into hard and soft assets to provide effective prevention and recovery for the organisation. A business continuity plan is a roadmap for continuing operations under adverse conditions such as a storm or a black swan event. It is important to include employees as assets during this process, so a register will need to be created if your organisation does not already have one.

Once BII has defined your organisation's threats, impact scenarios are produced and form the basis of the business recovery plan. In general, planning for the most wide-reaching impact is preferable. A typical impact scenario such as 'building loss' encompasses most critical business functions. A BCP may document scenarios for each building. More localised impact scenarios, for example 'loss of a specific floor in a building', may also be documented.

Following the above impact scenarios, BII will work with you to produce a Business Impact Analysis report. The report will differentiate critical (urgent) and non-critical (non-urgent) organisation functions/activities. Critical functions are those whose disruption is regarded as unacceptable. Perceptions of acceptability are affected by the cost of recovery solutions. A function may also be considered critical if dictated by law. With this information we can determine data recovery point objectives.

 

 

Threat Analysis

After defining recovery requirements, documenting potential threats is recommended to detail a specific disaster’s unique recovery steps. 

Common threats

  • Disease
  • Earthquake
  • Fire
  • Flood
  • Cyber attack
  • Sabotage
  • Hurricane
  • Utility outage
  • Terrorism

Threat impact

All threats in the examples above, except one (disease), share a common impact: the potential for damage to organisational infrastructure. The impact of diseases can be regarded as purely human, and may be alleviated with technical and business solutions. However, if the humans behind these recovery plans are also affected by the disease, then the process can fall down.

During the 2002-2003 SARS outbreak, some organisations grouped staff into separate teams, and rotated the teams between the primary and secondary work sites, with a rotation frequency equal to the incubation period of the disease. The organisations also banned face-to-face contact between opposing team members during business and non-business hours. With such a split, organisations increased their resilience against the threat of government-ordered quarantine measures if one person in a team contracted or was exposed to the disease.