Business Continuity planning is an essential part of running any modern organization that takes its business and its clients seriously. With so many potential business disasters looming that can befall an organization at any time, it seems unwise not to take actions to prepare for and try to prevent the devastating impact of such catastrophes.
There is a multiplicity of benefits in planning for Business Continuity within your organization. Not only will your data, hardware, software, etc., be better protected, but the people that compose your organization will be better safeguarded should a disaster occur. In addition, employees will be informed and rehearsed as to what actions to take to immediately start the recovery process and ensure business continuity if disaster strikes.
Without this type of preparation, any unexpected event can severely disrupt the operation, continuity, and effectiveness of your business. Disabling events can come in all shapes and varieties. They can vary from the more common calamities like hard drive corruption, building fires or flooding to the rarer, yet more severe and often longer-lasting disruptions that can occur on a city-wide or even national basis: events such as disruptions in transport (oil crises, metro shut-downs, transport worker strikes, etc.), infrastructure weakening from terrorist attacks, or even severe loss of staff due to illness like a pandemic flu. All of these strike a blow at an organization’s struggle for business continuity.
For smaller companies, the impact of the above-mentioned and even lesser disasters can hit much harder. For example, unexpected non-availability of key workers alone could be catastrophic, potentially causing as much disruption to business continuity as technological hardship, especially if it occurs during the height of the company’s busy season. If only one person is trained to do particular and/or essential tasks, their unexpected absence can severely disrupt productivity.
Thus, putting business continuity plans into practice in your organization now can prepare your business for most any potential disaster, help ensure that you will be able to maintain continuity of your business practices, and reduce or even possibly remove the effect such calamities could have on your organization.
In addition to the above mentioned benefits, the following are also advantages of business continuity planning:
- If not already, your organization may soon be required to incorporate some type of Business Continuity Management planning into its policies by either corporate governance or governmental legislation.
- With an effective and practiced Business Continuity plan, your insurance company may well view you more favorably should some sort of disaster ever require you to call upon their services.
- In creating a Business Continuity plan, the process of evaluating potential weaknesses and planning how to deal with what could possibly go wrong often offers management the chance to gain a better understanding of the minutiae of their business and ultimately helps an organization identify ways to strengthen any shortcomings. Frequently the greatest and most immediate value of the Business Continuity planning process is the awareness one gains of the details of his/her business and not necessarily the streamlining of how to handle disaster as an organization. Business Continuity planning can often create awareness of useful ways to improve an organization, sometimes even in areas that had previously gone unconsidered.
- Business Continuity planning will make your organization more robust. It can strengthen your organization not only against large-scale problems; through detailed planning, it can also render moot smaller problems that might otherwise have caused continuity interruptions.
- A Business Continuity plan will show your investors that you take business seriously, that you are prepared and desire to maintain productivity regardless of difficulty. This preparation will also show your staff that you have their employment and personal well-being in mind. It will show that you care.
- Informing your customers that you have a Business Continuity plan, that you have taken steps to ensure continuity of your productivity so that you can keep your commitments to them, lets them know that you consider the provision of quality service a high priority, which in turn instills their confidence in your business.
- A Business Continuity plan helps protect your organization’s image, brand, and reputation. Being known as a reliable company is always good for business.
- And finally, a Business Continuity plan can significantly reduce your losses if ever you are hit by disaster.
A Business Resumption Plan describes how to resume business after a disruption. A Disaster Recovery Plan deals with recovering Information Technology (IT) assets after a disastrous interruption. Both imply a stoppage in critical operations and are reactive.
Recognizing that some services or products must be continuously delivered without interruption, there has been a shift from Business Resumption Planning to Business Continuity Planning.
A business continuity plan enables critical services or products to be continually delivered to clients. Instead of focusing on resuming a business after critical operations have ceased, or recovering after a disaster, a business continuity plan endeavors to ensure that critical operations continue to be available.
The effects of September 11, 2001
September 11, 2001 demonstrated that although high impact, low probability events could occur, recovery is possible. Even though buildings were destroyed and blocks of Manhattan were affected, businesses and institutions with good continuity plans survived.
The lessons learned include:
- plans must be updated and tested frequently;
- all types of threats must be considered;
- dependencies and interdependencies should be carefully analyzed;
- key personnel may be unavailable;
- telecommunications are essential;
- alternate sites for IT backup should not be situated close to the primary site;
- employee support (counselling) is important;
- copies of plans should be stored at a secure off-site location;
- sizable security perimeters may surround the scene of incidents involving national security or law enforcement, and can impede personnel from returning to buildings;
- despite shortcomings, Business Continuity Plans in place pre-September 11 were indispensable to the continuity effort; and
- increased uncertainty (following a high impact disruption such as terrorism) may lengthen time until operations are normalized.
Critical services or products are those that must be delivered to ensure survival, avoid causing injury, and meet legal or other obligations of an organization. Business Continuity Planning is a proactive planning process that ensures critical services or products are delivered during a disruption.
A Business Continuity Plan includes:
- Plans, measures and arrangements to ensure the continuous delivery of critical services and products, which permits the organization to recover its facility, data and assets.
- Identification of necessary resources to support business continuity, including personnel, information, equipment, financial allocations, legal counsel, infrastructure protection and accommodations.
Having a BCP enhances an organization’s image with employees, shareholders and customers by demonstrating a proactive attitude. Additional benefits include improvement in overall organizational efficiency and identifying the relationship of assets and human and financial resources to critical services and deliverables.
Every organization is at risk from potential disasters that include:
- Natural disasters such as tornadoes, floods, blizzards, earthquakes and fire
- Power and energy disruptions
- Communications, transportation, safety and service sector failure
- Environmental disasters such as pollution and hazardous materials spills
- Cyber attacks and hacker activity.
Creating and maintaining a BCP helps ensure that an institution has the resources and information needed to deal with these emergencies.
This step consists of the preparation of detailed response/recovery plans and arrangements to ensure continuity. These plans and arrangements detail the ways and means to ensure critical services and products are delivered at minimum service levels within tolerable down times. Continuity plans should be made for each critical service or product.
Mitigating threats and risks
Threats and risks are identified in the BIA or in a full-threat-and-risk assessment. Moderating risk is an ongoing process, and should be performed even when the BCP is not activated. For example, if an organization requires electricity for production, the risk of a short term power outage can be mitigated by installing stand-by generators.
Another example would be an organization that relies on internal and external telecommunications to function effectively. Communications failures can be minimized by using alternate communications networks, or installing redundant systems.
Analyze current recovery capabilities
Consider recovery arrangements the organization already has in place, and their continued applicability. Include them in the BCP if they are relevant.
Create continuity plans
Plans for the continuity of services and products are based on the results of the BIA. Ensure that plans are made for increasing levels of severity of impact from a disruption. For example, if limited flooding occurs beside an organization’s building, sand bagging may be used in response. If water rises to the first floor, work could be moved to another company building or higher in the same building. If the flooding is severe, the relocation of critical parts of the business to another area until flooding subsides may be the best option.
Another example would be a company that uses paper forms to keep track of inventory until computers or servers are repaired, or electrical service is restored. For other institutions, such as large financial firms, any computer disruptions may be unacceptable, and an alternate site and data replication technology must be used.
The risks and benefits of each possible option for the plan should be considered, keeping cost, flexibility and probable disruption scenarios in mind. For each critical service or product, choose the most realistic and effective options when creating the overall plan.
Proper response to a crisis for the organization requires teams to lead and support recovery and response operations. Team members should be selected from trained and experienced personnel who are knowledgeable about their responsibilities.
The number and scope of teams will vary depending on the organization’s size, function and structure, and can include:
- Command and Control Teams that include a Crisis Management Team, and a Response, Continuation or Recovery Management Team.
- Task Oriented Teams that include an Alternate Site Coordination Team, Contracting and Procurement Team, Damage Assessment and Salvage Team, Finance and Accounting Team, Hazardous Materials Team, Insurance Team, Legal Issues Team, Telecommunications/Alternate Communications Team, Mechanical Equipment Team, Mainframe/Midrange Team, Notification Team, Personal Computer/Local Area Network Team, Public and Media Relations Team, Transport Coordination Team and Vital Records Management Team.
The duties and responsibilities for each team must be defined, and include identifying the team members and authority structure, identifying the specific team tasks and members’ roles and responsibilities, creating contact lists and identifying possible alternate members.
For the teams to function in spite of personnel loss or availability, it may be necessary to multitask teams and provide cross-team training.
If an organization’s main facility or Information Technology assets, networks and applications are lost, an alternate facility should be available. There are three types of alternate facility:
- Cold site is an alternate facility that is not furnished and equipped for operation. Proper equipment and furnishings must be installed before operations can begin, and substantial time and effort are required to make a cold site fully operational. Cold sites are the least expensive option.
- Warm site is an alternate facility that is electronically prepared and almost completely equipped and furnished for operation. It can be fully operational within several hours. Warm sites are more expensive than cold sites.
- Hot site is fully equipped, furnished, and often even fully staffed. Hot sites can be activated within minutes or seconds. Hot sites are the most expensive option.
When considering the type of alternate facility, consider all factors, including threats and risks, maximum allowable downtime and cost.
For security reasons, some organizations employ hardened alternate sites. Hardened sites contain security features that minimize disruptions. Hardened sites may have alternate power supplies; back-up generation capability; high levels of physical security; and protection from electronic surveillance or intrusion.
Business continuity plans can be smoothly and effectively implemented by:
- Having all employees and staff briefed on the contents of the BCP and aware of their individual responsibilities
- Having employees with direct responsibilities trained for tasks they will be required to perform, and be aware of other teams’ functions
After training, exercises should be developed and scheduled in order to achieve and maintain high levels of competence and readiness. While exercises are time and resource consuming, they are the best method for validating a plan. The following items should be incorporated when planning an exercise:
- The part of the BCP to be tested.
- The anticipated results. Objectives should be challenging, specific, measurable, achievable, realistic and timely.
- Identifies the departments or organizations involved, the geographical area, and the test conditions and presentation.
- Artificial aspects and assumptions: Defines which exercise aspects are artificial or assumed, such as background information, procedures to be followed, and equipment availability.
- Participant Instructions: Explains that the exercise provides an opportunity to test procedures before an actual disaster.
- Exercise Narrative: Gives participants the necessary background information, sets the environment and prepares participants for action. It is important to include factors such as time, location, method of discovery and sequence of events, whether events are finished or still in progress, initial damage reports and any external conditions.
- Communications for Participants: Enhanced realism can be achieved by giving participants access to emergency contact personnel who share in the exercise. Messages can also be passed to participants during an exercise to alter or create new conditions.
- Testing and Post-Exercise Evaluation: The exercise should be monitored impartially to determine whether objectives were achieved. Participants’ performance, including attitude, decisiveness, command, coordination, communication, and control should be assessed. Debriefing should be short, yet comprehensive, explaining what did and did not work, emphasizing successes and opportunities for improvement. Participant feedback should also be incorporated in the exercise evaluation.
Exercise complexity level can also be enhanced by focusing the exercise on one part of the BCP instead of involving the entire organization.
When critical services and products cannot be delivered, consequences can be severe. All organizations are at risk and face potential disaster if unprepared. A Business Continuity Plan is a tool that allows institutions not only to moderate risk, but also to continuously deliver products and services despite disruption.