Good article. The solution to the agencies' dilemma lies in tapping the organizations' threat profiles; if we're talking about near-random single-epicenter events such as earthquake, air accident or similar, then yes, the radius of effect determines separation.
If the threat origin is predominantly man-made and targeted (as was 9/11), then a sophisticated and determined attacker may be smart enough to hit primary and backup sites concurrently (or other critical external communications assets), so separation may be less relevant and secrecy, integrity and physical robustness become the focus. This idea of profiling (we use impact, threat and vulnerability profiles) is fundamental to operational-risk management and uniquely defines an organization's exposure.
It should be straightforward for the agencies to specify 'rules' on this basis.
1. Declare your market criticality.
2. Declare your threat profile.
3. Look up the protections you need to have in place from an agency manual.
Please let them know.
John Robinson FBCI
Director, JR Consulting Partners Ltd
To read the original story "Mapping out BCP Guidelines," June 2003, go to: www.wallstreetandtech.com/bcp2003