To celebrate Nadiya Hussain winning the ‘Great British Bake Off’ this week, I thought I would look at a way of explaining a ‘technical challenge’ to us business continuity people – the Maximum Tolerable Period of Disruption (MTPD).
One of the key parts in the development of business continuity is identifying an organisation’s priority activities; which ones we need to recover first and the ones we can recover later. Instead of letting the organisation randomly come up with their recovery priority and setting their RTO (recovery time objective which is the plan for recovering the activities) we use the MTPD. This gives us an indication of how quickly they should be recovered and the priority of recovery. Using the MTPD information developed in the ‘design’ stage of the business continuity lifecycle, we can go on to set the RTO for each activity.
When training, I use the following series of diagrams to explain to students the concept of the MTPD.
Figure 1 is a typical graph with time along the x axis and impact, starting at low and rising to high, on the y axis.
The unacceptable level of impact will be different for all organisations. It can be defined in a number of different ways. It could be when the company runs out of money and goes into administration following a loss of their manufacturing facility; to a major loss of reputation and other organisations not wanting to do business or be associated with them. The unacceptable impact may also be defined in terms of customer service, financial loss, legal and regulatory impact, loss of life and limb or impact on the environment. For subsidiaries of major multinationals or government departments, an unacceptable impact may be defined as when the organisation is amalgamated with another or when top management is replaced after an incident.
Those carrying out the BIA and defining the MTPD should have a clear definition of what constitutes an unacceptable impact. This needs to be used consistently across the organisation when conducting the BIA. When I am carrying out the analysis stage of the lifecycle, I ask top management, prior to carrying out the BIA, to choose which unacceptable impacts to consider and to define the level of impact. This ensures that the impacts define what is important to top management and should reflect the organisations’ culture and strategy. I personally don’t allow more than five different impacts to be chosen.
The activities across the organisation need to be defined and listed. For each activity, there is a time at which, if the activity was to cease, the impact would become unacceptable.
We can see from figure 2 that the different activities have different times at which their impact crosses the unacceptable level. A has the quickest impact and C has the longest impact. A might be an activity such as a call centre which takes customer enquiries and sales, so has a big financial and customer service impact in a short time. C could be the human resources department, which would eventually have an unacceptable impact.
When carrying out the analysis, the precise time at which the impact becomes unacceptable can be difficult to calculate. Financial impact may not be too difficult to calculate but the time at which your reputation is majorly impacted is much more difficult to define. There could be a whole number of facts to take into account; on a slow news day your disaster could reach the headlines and have a major impact on your reputation but if there is a major event occurring elsewhere it may not be covered and have very little impact.
As the definition of an unacceptable impact is hard to calculate we use bracket times as shown in Figure 3. The bracketed times have to be tailored to the organisation. An organisation such as a hospital may have 0-1 hour or 1-6 hours at the start of its scale but an organisation that typically works nine to five, five days a week, may have, as per figure 3, its first bracket time as 0-24 hours.
You can see from the graph that A and B have their unacceptable impact within a bracketed time – A in the 0-24 hours bracket and B in 1 week to one month.
Once we have got all the bracketed timings for our activities we can define the priority of which activities should be recovered. We would recover A first and C last. Taking this information, we can then go on and define the RTO for each activity – how to do this is the subject of a different bulletin!
To me, the importance of using this methodology to define your MTPD is that your results are tied to the culture and strategy of the organisation, with top management defining what is considered an unacceptable impact.
Thanks to Johann Raath of Vodafone who provided me with some of the key ideas that helped me develop this concept.
If you would like a copy of the slides which you can use when defining your MTPD as per the Figures 1-3 please email email@example.com.