Business Continuity Strategy Development

Strategy is the bridge between the BIA and the BCPs. The BIA tells the organisation what it is trying to protect: which activities are critical, what is the acceptable outage, and what resources are required. The BCPs tell the organisation how to protect it: which people will be deployed, which premises will be used, which systems will be available, which suppliers will provide support. Between the BIA and the BCPs is the strategy that connects the two: the deliberate decisions about which approach will be taken for each resource type, why that approach was chosen, and what the constraints and assumptions are.

Without deliberate strategy decisions, BCPs are written without a foundation. Different BCP writers might make different (and conflicting) assumptions: one might assume that staff will work from home during a premises disruption; another might assume that an alternate site will be activated; a third might assume that the activity will be suspended for several days. These conflicting assumptions produce BCPs that cannot be simultaneously executed and that will fail on activation.

Strategy must be approved by top management before BCPs are written. Strategy approval is not merely a governance requirement; it is a practical sequencing requirement. BCPs translate strategy into operational procedures — and if strategy is not approved before BCPs are written, the plans must be rewritten when strategy is finalised. Top management strategy approval establishes the specification from which BCPs are to be built.

 

What Strategy Development Produces

BC strategy development produces two deliverables: a strategy document that describes the chosen approach for each resource type, and a strategic options analysis that explains what other options were considered, why they were rejected, and what the cost-benefit implications are. The strategy document is an executive-level document (5–10 pages) that summarises the key decisions; the strategic options analysis is a detailed supporting document that provides the analysis behind each decision.

For each resource type (people, premises, technology, suppliers, vital records), the strategy development process follows the same pattern: (1) identify the strategic options available (e.g., for premises: primary site hardening, warm alternate site, cold alternate site, work-from-home, hot standby, reciprocal arrangement); (2) for each option, assess cost (capital and ongoing), speed (how quickly can the activity be recovered using this option), reliability (what is the likelihood that this option will be available when needed), and testability (can this option be exercised regularly); (3) apply selection criteria to determine which option best meets the organisation’s risk appetite and constraints; (4) document the decision and the supporting analysis.

Selection criteria typically include cost (budget constraints), speed (RTO must be achievable), reliability (the option must be dependable under stress), regulatory acceptability (the option must comply with regulatory requirements or supervisory expectations), and operational fit (the option must be compatible with existing operational practices and systems). These criteria are not equally weighted; for a financial services organisation with a 4-hour RTO, speed is likely to be the highest-weighted criterion, followed by reliability, and cost might be a secondary consideration.

 

People Strategies

People strategy addresses the question: how will the organisation ensure that critical staff are available to operate each critical activity during and after a disruption? The principal people strategies are: cross-training (ensuring that multiple staff members can perform critical functions, so that illness or unavailability of one person does not disable the function), succession planning (ensuring that critical roles have defined successors who are trained and ready), flexible working arrangements (allowing staff to work from home or alternate locations), contractor and agency agreements (arrangements to bring in temporary staff if the usual staff are unavailable), and mutual aid arrangements (agreements with other organisations to share staff during major disruptions).

Cross-training is the most reliable people strategy but it is also the most resource-intensive. A critical function with only one person who knows how to perform it is a single-point-of-failure risk. Cross-training that function (ensuring that at least two people can perform it) eliminates the single-point-of-failure risk but requires ongoing training effort, because as staff leave and join the organisation, new people must be trained into the cross-trained roles.

Flexible working allows staff to operate from alternative locations if the primary premises are unavailable. For knowledge work, flexible working is often the most cost-effective people strategy; for physical operations (branch banking, trading floor operations), flexible working is impossible and alternate premises with staff stationed there become necessary.

 

Premises Strategies

Premises strategy addresses the question: if the primary office is unavailable, where will critical staff work, and how will they be equipped? The principal premises strategies range from low-cost/slow-recovery to high-cost/fast-recovery: primary site hardening (making the primary site more resilient to disruption), cold alternate site (empty space that can be equipped in 24–72 hours), warm alternate site (equipped space with equipment pre-installed), hot standby (fully operational backup site ready for immediate activation), work-from-home (staff work from home), and reciprocal arrangements (agreement to use another organisation’s space).

The cost and speed implications are stark. A warm alternate site with full IT pre-configuration can activate in 4–8 hours but costs 50–100% of primary site costs annually. A cold alternate site costs 10–20% annually but requires 24–72 hours to configure. Work-from-home can activate in 1–4 hours and has minimal ongoing cost, but is only viable for activities that can be performed remotely. Reciprocal arrangements have minimal ongoing cost but depend on the other organisation’s availability, which may be uncertain during a major disruption.

| Premises Strategy | Description | Activation Time | Cost Implication |
| --- | --- | --- | --- |
| Primary site hardening | Improve resilience of existing premises (generator, flood barriers, access redundancy) | N/A — prevents disruption | Medium capital; reduces insurance premium |
| Warm alternate site | Equipped facility with IT pre-installed; needs configuration on activation | 4–8 hours | High ongoing cost; fastest activation |
| Cold alternate site | Space available; IT must be delivered and configured on activation | 24–72 hours | Low ongoing cost; slower activation; cheaper |
| Work-from-home / remote working | Staff work from home with corporate laptop and VPN; suitable for knowledge work | 1–4 hours | Low additional cost if existing infrastructure; not suitable for all activities |
| Hot standby (fully operational) | Mirror site fully operational at all times; seamless failover | Minutes | Very high cost; justified only for highest-criticality activities |
| Reciprocal arrangement | Agreement with another organisation to use each other’s space in emergency | 4–24 hours | Very low cost; depends on other party’s availability; may not be reliable |

 

Technology Strategies

Technology strategy addresses the question: if critical systems become unavailable, how will the organisation continue to perform critical activities? The principal technology strategies are: hot standby (backup systems that are continuously synchronised and can take over instantly), warm standby (backup systems that are regularly synchronised but require some configuration before takeover), cold standby (system backup that must be restored and configured, which takes several hours), cloud-based redundancy (systems deployed in multiple cloud regions or availability zones), manual workarounds (procedures to perform critical activities without the system), and degraded operation (systems operating at reduced capacity).

Technology strategy is often the area where BCMS and IT disaster recovery (DR) are most confused. IT DR focuses on recovering systems; technology strategy in BCMS focuses on enabling the business to continue while systems are being recovered. A BCMS that focuses exclusively on IT DR (“we will restore the system from backup in 4 hours”) without also addressing technology strategy (“while the system is being restored, how will the business process payments?”) will find that the BCP cannot be activated until the IT DR completes — which may be after the MAO has been breached. Effective technology strategy includes both IT recovery capability (how fast can systems be restored) and business continuity capability (how can the business operate while waiting for system recovery).

 

Supplier Strategies

Supplier strategy addresses the question: if critical suppliers become unavailable, how will the organisation continue to source essential goods or services? The principal supplier strategies are: dual sourcing (maintaining contracts with two suppliers so that loss of one supplier does not disable the activity), contractual BCM requirements (requiring suppliers to maintain business continuity capability and to notify the organisation in advance if they undergo major disruption), supplier BCP assessment (periodically assessing suppliers’ business continuity capability), and in-house fallback (developing the internal capability to perform the function if the supplier fails).

Dual sourcing is often the most reliable supplier strategy but it is also the most expensive, because it requires paying two suppliers for the same service. The cost-benefit analysis for dual sourcing must weigh the cost of maintaining a second supplier against the recovery cost if the primary supplier fails. For critical services (payments processing, core banking system), dual sourcing is often justified; for less critical services, single sourcing with good contractual BCM requirements may be adequate.

 

Selecting and Approving Strategies

Strategy selection requires cost-benefit analysis. For each resource type and each critical activity, the team prepares a brief cost-benefit analysis comparing the strategic options and recommending the option that best meets the selection criteria. The cost-benefit analysis should be quantified where possible (cost to implement, cost to maintain, time to activate) and should be explicit about assumptions and constraints. Cost-benefit analysis that is vague (“the warm site is better because it is faster”) does not provide adequate decision support; the analysis should specify: cost to implement, annual cost to maintain, RTO improvement compared to the alternative, probability that the strategy will be needed, and total cost of ownership over a defined period (e.g., 5 years).

Strategy approval is a top-management decision. The approved strategy becomes the specification for BCP development; BCP owners will use the strategy document to determine what procedures to write and what resources to assume. If strategy is not approved by top management before BCP development begins, the BCP development will either stall waiting for strategy decisions, or BCPs will be written with divergent assumptions and will require rework once strategy is approved.

| Strategy Decision | Criteria for Selection | Documentation Required |
| --- | --- | --- |
| Single vs dual supplier | Criticality of the service; supplier BCM maturity; cost of dual sourcing vs recovery cost | Supplier risk assessment; dual-sourcing cost-benefit; contractual BCM clauses |
| Alternate site type (warm vs cold) | RTO vs cost; nature of activity (can it be done remotely?); frequency of likely activation | Alternate site agreement; activation procedures; equipment inventory; IT configuration documentation |
| Manual workaround vs system recovery | Time to system recovery vs MAO; availability of manual procedure knowledge; regulatory acceptance of manual processing | Manual procedure documentation; staff trained on manual process; regulatory clearance if required |
| Cross-training vs contractor cover | Criticality; speed of activation; cost; confidentiality | Cross-training register; contractor framework agreement; activation procedures |
| Cloud vs on-premise recovery | RTO; data sovereignty (Indonesia’s UU PDP and PDKN requirements); cost; bandwidth | Cloud recovery architecture; data residency compliance; bandwidth test results |

IMPORTANT: Strategy must be approved by top management before BCPs are written. BCPs translate strategy into operational procedures — and if strategy changes after BCPs are written, the plans must be rewritten. Top management strategy approval is not just a governance requirement (Clause 5); it is a practical sequencing requirement. The strategy document is the specification from which BCPs are built.

BITLION INSIGHT: Work-from-home as a continuity strategy is now mainstream in Indonesian organisations following the COVID-19 pandemic — but its application in BCMSs is uneven. Organisations that built remote working capability during 2020–2021 and have maintained it (corporate laptops for all knowledge workers, VPN with adequate capacity, cloud-based collaboration tools) have a genuine premises continuity strategy for knowledge work. Organisations that assumed “everyone can work from home” without the technology infrastructure to support it have a strategy assumption that will fail on activation. The BIA resource assessment must verify that WFH infrastructure can actually support the minimum staffing required at RTO.