The chosen options will then be signed off by the BCSC and the BC Strategy will have been chosen. Any proactive measures put in place to mitigate the risk are fed back into the Risk Management strategy.
The strategies which are adopted for Business Continuity will, for some processes, be dependent upon the strategy for IT Service Continuity. For example if ICT Operations has decided that the best strategy for backing up and restoring the critical systems is to do a mirrored back up to a WARF, the business processes who use those systems will then recover to desks in the WARF if their building becomes unavailable or access to the systems is denied. The strategy for staff in ICT Operations will also be to recover to the WARF, as they will be required to restore the data back ups and provide workstations for use by the staff recovering to the WARF site to maintain and to provide ongoing support.
A Help Desk facility may have to restore to another site within the organisation if they have complex telephony which makes it difficult or expensive to relocate to a WARF, and this in turn will govern where some of the Telephony Team will relocate following an incident.
As discussed by Thomas Carroll in The Definitive Handbook of Business Continuity Management [DH BCM], all organisations are careful about expenditure and budget will nearly always be a limiting factor on the solution or options that are implemented to protect the organisation. It does not make sense to implement an expensive solution for a loss which may have little value to the business or a solution which enables an RTO of minutes when days are required.
The following graph shows the relationship between RTO and cost and when determining the strategy for recovery an acceptable combination between the cost to recover, the cost of impact and RTO should be determined, so the chosen solution can be justified on a cost/benefit basis.
The next step is to prepare a project plan for implementing the strategy and to design the BCP.