Business Continuity Strategy

madunix, Executive IT Director
Name: Fadi Sodah, Experience: +25 years in Information Technology.
Edited by: David Draper
Business Continuity Strategy is a phase of decision-making and determination of objectives in terms of recovery. ISO 22301 is a baseline standard for Business Continuity Strategy.

A business continuity plan (BCP) is a document that contains the vital information that an organization needs to keep running in the case of a disaster. The BCP should define the business's core functions, indicate which systems and procedures must be maintained, and explain how to do so.

Business Continuity Strategy  

According to ISO 22301, a business continuity plan is defined as “documented procedures that guide organizations to respond, recover, resume, and restore to a pre-defined level of operation following a disruption” (clause 3.5). ISO 22301 addresses resilience, recovery, and contingency approaches for the continuity of critical/important business activities. The ISO 22301 Business Continuity standard is the most appropriate method of building a Business Continuity Strategy. The standard can be downloaded from the ISO website, but a fee is applicable.

Furthermore, Business Impact Analysis (BIA) is an analytical process used to assess the consequences of an incident and the change over time of the quantitative and qualitative impact resulting from the interruption of an activity. The results of the BIA are necessary to define the Business Continuity Strategy. Iterations between establishing your Business Continuity Strategy and selecting and deploying solutions culminate in the final form of the Business Continuity Strategy.


Criteria for assessing Business Continuity arrangements

For Business Continuity arrangements to be considered operational:
  • The BCP must be validated at a suitable level in accordance with the dependent companies' Business Continuity Strategy.
  • The importance of documentation in BCP cannot be overstated; it must cover all procedures and strategies required for resuming activities and returning to normal.
  • The BCP must be flexible enough, particularly in terms of "solutions," to provide a sufficient level of coverage for each affected resource category while still meeting the Business Continuity objectives.
  • The BCP must be current. It should be updated to reflect changes in the strategy, the business environment, and available market solutions.
  • The BCP should keep track of the planned solutions and the activities implemented if the BCP is activated, especially for regulatory authorities.
  • BCP testing is of fundamental importance.

If all Business Continuity arrangements meet these criteria, they can be considered operational.


Recovery Time Objective (RTO)

RTO is the (worst case and achievable) length of time it should take to recover an application back to full service. To determine RTO, the following question must be answered for each selected activity: Following a total interruption to the activity, at what moment and at what level (capacity/volume of activity) do we decide that the activity must be resumed? 
This question must be asked without any consideration for the nature of the incident or the cause of the interruption. The nature of the activity, however, is important: it is a key source of information when making the decision. The shorter the activity's RTO (the period between the incident and resumption, or possibly even no interruption), the higher the requirement level in terms of Business Continuity.


Recovery Point Objective (RPO)

The Recovery Point Objective is the updated state of the data that must be in the Information Systems if the BCP is activated to resume activity under satisfactory conditions (without damaging data loss). RPO is the (worst case and achievable) duration of processing that can be lost as a result of a disaster.


Applicable rules and principles for determining Business Continuity objectives

An objective must be valid whatever the scenario. Depending on the incident, the organization can adapt the implementation of solutions and the order of priority between the activities, but these adaptations result from crisis management decisions.
  • Assumptions used for defining objectives (RTO and RPO).
  • There is no method for automatically obtaining the RTO for an activity. The RTO is the result of management's strategy, although the consideration of client, technical and financial constraints may lead to a readjustment of the objectives before the final strategy is validated.
  • The objectives (RTO and RPO) must be written in the strategy.
  • Once validated, the objectives cannot be changed without re-launching the process of strategy validation.


Applicable rules and principles for choosing Business Continuity solutions

  • The ability of the solutions to achieve the Business Continuity Objectives set in the strategy (RTO and RPO).
  • The ability of the solutions to cover (partially or totally) all of the reference scenarios. 
  • The impact of the envisaged solutions on the level of operational risk to which the activity will be exposed when these solutions are executed according to the predefined Business Continuity mode. 


Business Impact Analysis is the basis on which the Business Continuity Strategy of an organization is defined. The final version of the Business Continuity Strategy results from iterations between defining your Business Continuity Strategy and choosing and implementing solutions.



