Sergey Nivens - Fotolia


Fortify your business resilience with consequence management

Is there something lacking in your incident response strategy? Consequence management could be the missing piece in your organization's IT resilience plan.

When gathering data for a business continuity , disaster recovery or any other strategy focusing on business resilience, we typically perform a risk analysis and business impact analysis. Data from those activities helps identify risks, threats and vulnerabilities, and how they might affect an organization. This allows us to create tailored strategies for responding to and mitigating disruptive events.

All well and good, you say. But have you considered taking the processes described above one step further, where you determine the consequences an identified risk/threat? If you can identify the consequences or outcomes a specific incident, that data may help you further refine how you respond.

Analyzing the short-, medium- and long-term consequences an event can help assess and improve the survivability an organization. Knowledge the consequences an event can affect how an organization develops plans, makes emergency arrangements and executes incident response. Below, we cover how to evaluate potential consequences common disruptions, and demonstrate how you might incorporate consequence management into your existing business resilience strategy.

Assess and manage potential consequences

In the table below, let's take a closer look at the potential consequences a sampling disruptive incidents:

Incident response

As you can see, the consequences an incident could be significant to the continuation and future the organization, so they must be examined carefully. Let's examine this further with Figure 1, which depicts a sequence activities in a business continuity project:  

Business continuity activities
Figure 1

Most us have performed these activities -- with occasional variations -- in the course a business continuity and disaster recovery (BC/DR) or business resilience project. But where do we factor in the consequences our actions? Figure 2 provides a suggested approach for how to add consequence analysis to the planning process:

Consequence planning
Figure 2

In the data gathering and strategy development phases, we suggest a consequence analysis component that asks the question: "What are the consequences or outcomes this incident to the organization, its employees, its customers and its stakeholders?"

In the development and exercising steps, we suggest a consequence management component that asks the question: "How do we design and exercise the (s) so they will address the consequences as identified in the previous stages?"

And in the final stages planning, we offer a consequence revalidation activity that asks the question: "How do we update or revalidate the likely consequences of specific events, based on our exercise results?"

We're not suggesting you overhaul your current business resilience plan development process. Rather, we're suggesting that your organization give additional thought and analysis to identifying the short-, medium- and longer-term consequences of a disruptive event. It's possible that identifying the consequences of an incident may suggest additional or alternative approaches to BC/DR activities and the company's response. For example, if long-term consequences suggest possible lawsuits or other costly litigation, not to mention damaging social media attention, it may be necessary to implement an alternate, legal strategy for dealing with those consequences.

Factoring in consequence analysis

When a disruption occurs, businesses typically launch responses such as evacuations, damage assessments and coordination with responders. Assuming the event escalates or does not immediately resolve, the business may launch activities to mitigate the severity the event and initiate alternate processing arrangements that have been previously defined by the BC/DR team. Figure 3 depicts a possible sequence activities in the aftermath a disruptive event:

Disruptive event
Figure 3

While this is a high-level approach to incident response, it shows a clear progression activities with the eventual outcome: A return to business as usual, or as close to "usual" as possible. However, it doesn't really consider short-, medium- or long-term consequences the event. In Figure 4, let's see how we might integrate consequence management activities into the above process, using the same consequence activities as shown in Figure 2:

Consequence management
Figure 4

We might layer consequence analysis on top incident assessment and team launching activities to ensure that those activities the possible consequences not performing an immediate damage assessment, or launching emergency teams before contacting responders. We might consider consequence management during response, recovery and alternate working activities so we can launch the most appropriate actions in the most logical sequence.

Perhaps most importantly, we consider short-, medium- and long-term consequences an incident in the course the activities intended to return the organization to regular business operations. In doing this, we may determine which activities to perform, and whether or not we ought to change the sequence launching them.

Next Steps

Check out our free business impact analysis template

Incident response for security breaches

Dig Deeper on Disaster recovery planning and management

Data Backup