Business Continuity Planning

1.1 Introduction

Business continuity is not a new topic in the business environment, as disasters abound. The main driver for having a business continuity and business resiliency plan is to enable a business to resume smooth operations after a disaster. All organizations face both internal and external threats. Therefore, an organization must have plans in place, including processes and procedures, for handling any threat or disruption to the business. A business continuity plan is important because it provides a road map for the organization under adverse conditions. It is also worth noting that business continuity planning is referred to as business continuity and resiliency planning (BCRP), while in the US it is referred to as continuity of operations planning. The continuity of operations plan establishes the priorities and procedures that the business will use to sustain its operations, and provides alternative methods as well as locations of operations in the event of an extended event (Wold, 2006; Stourac, 2014, pp. 260-9).

For an organization to operate after a disaster and still maintain its competitive edge and the integrity of its value system, it is important to have proper guidelines in place that tell employees and management what to do and how to behave. It is also important to establish priorities based on the importance of processes, plans, and operations. The critical business functions must be given priority. For example, a business such as a supermarket would have different priorities from schools, warehouses, and the rest. It is therefore important to determine the most critical business functions that must be taken into consideration in the event of adverse conditions. One of the most important business functions is the supply chain. When an organization is faced with adverse conditions, it is important to ensure that its supply chain functions are reinstated immediately, to avoid losing customers and to help all the stakeholders meet their business needs (Baker, 2012, pp. 36-40; Barry, 2012, pp. 36-38).

2. Scope Of Business Continuity Planning

A business continuity/operations plan ensures that:

2.1 Critical Business Functions Must Be Identified and Prioritized

A sound business continuity plan must identify, detail, and prioritize all the critical functions. The entire business inventory must be recorded and automated in advance, and these records must be accurate. A function can be critical to a business if it helps the organization maintain its brand image or market share, or if its loss may lead to product failure. Any business function that might have legal or regulatory consequences must be given priority, because these will be highly impacted if the business operations cannot be performed after a disaster (Whitworth, 2006, pp. 40-63).

2.2 Recovery Time Objectives Have Been Determined For Critical Assets

The organization must also set the minimum recovery time for the critical assets. All organizations prefer a downtime of less than 2 hours, beyond which all the business functions will be adversely impacted. The best example of an organization with the best recovery time objectives (RTO) is the military, because it is ready to resume its operations within a very short time. When connected to the revenue streams, the RTO represents the maximum time that a facility, person, process or technology can be unavailable or delayed before revenue is seriously impacted. Many organizations can easily extend their recovery time by ensuring that they create alternative pathways or processes that can be followed while the business is still down. For example, SAS has developed a platform that many organizations are currently using to outsource their software development. Additionally, many organizations such as GE are currently subcontracting. However, the alternative workaround processes should be cost effective and time saving. The organization must estimate the RTO for all processes and applications in order to optimize for loss of functionality and/or reduced functionality. The RTO should be defined and estimated with the following in mind:

People (employees, contractors, consumers, approvers, etc.) (UMUC, 2011)

Process (formulas, recipes, manufacturing methods, function "run books," etc.)

Plant (buildings, capital equipment, warehouses, transportation vehicles, etc.) and

Technology (computers, telephones, fax machines, copiers, measuring equipment, etc.)

2.3 Establish Recovery Point Objectives for Critical Applications

The recovery point objectives (RPO) refer to the level of tolerance for loss that an organization can allow. This tolerance for loss must be determined. The RPO must also allow for effective filing and document archiving, which is why the filing procedures must be defined to help guide the recovery process; without them, critical transaction records are likely to get lost. Considering the current state of technological advancement, it is reasonable to argue that critical data files can easily be maintained and synchronized in secure locations, especially in private clouds. This makes it easy for an organization to realize a zero RPO (Balaouras, 2009).

2.4 Conduct a Comprehensive Risk Assessment on Critical Facilities

All the critical facilities must also be analyzed and subjected to a comprehensive risk assessment. Although the loss of critical facilities can be mitigated, it is important to note that the cost of mitigation is very high. Any organization that aims to minimize risk must ensure that it conducts thorough risk assessments. Every organization must list all the possible risks it is likely to face, including the potential impact these risks have on the organization. The impact may be a total loss, or it may result in a significant loss of the organization's functionality. Risk management can therefore be seen as a failover plan for an organization should an adverse event occur. An organization should also test its disaster recovery plans (Totty, 2009).

2.5 Define Clear Succession Plans For The Key Employees Or Consultants

The most important employees in an organization are the managers. These people are important to the smooth running of an organization. Therefore, if an organization is faced with the demise of these key personnel, there should be succession plans in place. The best succession planning policy is one that considers replacement from within. These succession plans have an added advantage for the company, as the employees are given a clear way to manage their career prospects. This also promotes productivity and eliminates employee takeovers (Cerullo & Cerullo, 2004, pp. 70-78).

6. Ensure that a Technology Backup Strategy Exists and Is Regularly Tested

While many businesses confuse I/T Disaster Recovery Planning with full business recovery planning, the organization must ensure that its IT recovery plan is kept separate from the overall business recovery plan, because it has to provide in-depth, department-specific recovery procedures. Nevertheless, the procedures must ensure that the company's data privacy and integrity are given priority. Many organizations prefer high-performance, high-capability systems for disaster recovery (Slater, 2012; Swanson, et al, 2010).
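As an added example (not part of the original article), the script below shows one way to make "regularly tested" measurable: it compares the age of each asset's newest backup with its RPO and the duration of its last restore test with its RTO, then reports gaps in order of criticality. The asset names and rankings mirror the categories in the article's test schedule; the objectives, timestamps and function names are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class Asset:
    name: str
    ranking: int                            # 1 = most critical
    rto: timedelta                          # maximum tolerable downtime
    rpo: timedelta                          # maximum tolerable window of lost data
    last_backup: datetime                   # newest verified backup
    last_restore_test: Optional[timedelta]  # measured restore time, None = never tested

def evaluate(asset: Asset, now: datetime) -> list:
    """Return the list of objective violations for one asset."""
    findings = []
    backup_age = now - asset.last_backup
    if backup_age > asset.rpo:
        findings.append(f"RPO exceeded: newest backup is {backup_age} old, objective {asset.rpo}")
    if asset.last_restore_test is None:
        # An untested backup gives no evidence that the RTO can be met.
        findings.append("RTO unverified: no restore test on record")
    elif asset.last_restore_test > asset.rto:
        findings.append(f"RTO exceeded: restore took {asset.last_restore_test}, objective {asset.rto}")
    return findings

def report(assets: list, now: datetime) -> list:
    """Return (name, findings) for non-compliant assets, most critical first."""
    result = []
    for asset in sorted(assets, key=lambda a: a.ranking):
        findings = evaluate(asset, now)
        if findings:
            result.append((asset.name, findings))
    return result

# Constructed sample data for illustration only.
NOW = datetime(2024, 1, 10, 12, 0)
SAMPLE_ASSETS = [
    Asset("network/Internet", 3, timedelta(hours=2), timedelta(hours=24),
          NOW - timedelta(days=2), timedelta(hours=1)),
    Asset("servers", 1, timedelta(hours=2), timedelta(minutes=15),
          NOW - timedelta(minutes=5), timedelta(hours=3)),
    Asset("PCs/workstations", 2, timedelta(hours=8), timedelta(hours=24),
          NOW - timedelta(hours=6), None),
    Asset("phones/communications", 5, timedelta(hours=4), timedelta(hours=24),
          NOW - timedelta(hours=3), timedelta(hours=1)),
]

if __name__ == "__main__":
    for name, findings in report(SAMPLE_ASSETS, NOW):
        for finding in findings:
            print(f"{name}: {finding}")
```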

2.6 Define Technology Domains

Technology can be used to effectively create a domain structure that enhances the ability to consolidate resources with similar requirements for Confidentiality, Integrity and Availability. Technical infrastructure and advanced processes can be applied at the domain group level, saving considerable costs and substantially reducing complexity.

Most business units cannot justify the expense associated with providing a continuous availability strategy, rigorous monitoring or strong authentication techniques. When several business units share the benefits and costs, however, the expense can be more easily justified (On Windows, 2006; Rawlings, 2013; Rucks, et al, 2011).

Damage assessment and recovery planning can frequently be streamlined if the resources most sensitive to delay or disruption can be quickly identified, salvaged and restored. Potential lost revenue is generally reduced when critical business operations are restored more quickly.

2.7 Capacity Planning For Increased Demand

Business Continuity Planning is not exclusively for the restoration of processes after a disaster or disruptive event. Successfully executing an effective plan can also provide considerable benefits, including increased market share. Like the old joke about the two people in the jungle trying to outrun the tiger, Business Continuity Planning is about the ability to respond more quickly and more successfully than competitors in order to gain a competitive advantage. All organizations are able to recover from a disruptive event. All of them could also have recovered more quickly and more easily if they had done something just a bit differently. As shown in the graphic, being prepared gives you the advantage of getting "back in business" sooner than your competitors do (Lam, 2002, pp. 19-25).

3. Planning Steps

Step One – Organize The Project

The first step is to organize the project by appointing a project coordinator who determines the scope and assumptions. The second step is to draft the plan, the tasks and the assignment for each task.

Step Two – Conduct Business Impact Analysis

At this stage, the business impact analysis is conducted by identifying the processes, functions and systems in the organization. The respective departmental heads are then interviewed, and the results of the interviews are analyzed to determine all the critical processes and business applications. Finally, an impact analysis is prepared for any possible interruption to the critical business systems. After that, the critical systems are ranked (Geer, 2012, pp. 16-18).

Step Three – Conduct Risk Assessment

Risk assessment is an integrated process that analyzes all the critical systems to determine whether they can be severely disrupted, and documents the acceptability of risks. The critical activities are reviewed, the backup system is also reviewed, and any form of vulnerability is analyzed. After that, the probability of system failure is documented, and then a risk and security analysis is done. Documenting security is a major step in risk assessment.

Step Four – Develop Strategic Outline for Recovery (Analyze Critical System Processing Requirements for Recovery)

The fourth step is to assemble all the departments and analyze their contingency plans, taking into consideration the heavy processing days, the volume of transactions, and the processing durations. The system use, frequency, runtime, and throughput are also analyzed. The person who supports each function is also identified to enable faster connection, and the unit's strategy during recovery is documented (conceptually, how will the unit function?).

Step Five – Identify Onsite And Offsite Backup Recovery Procedures, And Select Alternate Facility

After identifying the planning team, it is also important to identify the onsite and offsite backup recovery procedures that must be followed. This is because, on most occasions, the organization may be forced to operate offsite if the offices are destroyed. This includes reviewing the code of conduct, the processes and all the documents that must be secured first (Kirvan, 2009,

Step Seven – Develop Recovery Plan

At this step, the recovery plan is developed by first drawing up a simple plan detailing all the objectives, the assumptions under consideration and the criteria for invoking the plan. This will also include:

The procedures for assessing and declaring a disaster

The procedures for notifying all units and officials

The procedures for alerting all other users

The procedures for notifying the staff, and the alternative locations to initiate offsite operations

The evacuation procedures

The document will also delineate the roles and responsibilities of each person in the event of the disaster, the staffing procedures, and the transportation processes.

Finally, it must also include the procedures that will be followed while in contingency mode in the event of the disaster.

Step Eight – Test The Plan

The plan is then tested to determine its effectiveness and to identify gaps in the recovery plan. The first step involves developing the test strategy, then testing the recovery plan and making any necessary modifications.

Step Nine – Plan Maintenance And Periodic Audit To Maintain The Plan

Periodic audit of the plan is important, as it takes into consideration any changes in the business environment, the inventory and the personnel. New threats may also be identified and new procedures developed to handle the increasing threats. This periodic audit helps in developing new recovery plans and distributing the plans to relevant authorities or personnel in the organization (Karim, 2011, pp. 183-192).

4. Disaster Recovery Options

| Options | Examples | Criteria |
|---|---|---|
| Build | On-site DR evolution | In-house resources available; in-house expertise; have an effective DR plan; ongoing funding is measurable and available, making the program successful; the organization can dedicate proper resources to the program; the organization can ensure a consistent testing and exercise regime; the organization can keep focus on continuous improvement of the program |
| Buy | Trucking in DR (mobile disaster recovery) | Funding |
| | Outsourced and cloud-based DR options | Funding |

5. Test

5.1 Scheduled Date And Time Of Test

Start Date/Time

Finish Date / Time

What to test

| What to test / assets | Ranking | Where to test | Frequency of full-scale test | Participants |
|---|---|---|---|---|
| Servers | 1 | Onsite and offsite | Annually | All employees[1] |
| PCs/workstations | 2 | Onsite and offsite | Annually | All employees |
| Network/Internet | 3 | Onsite and offsite | Annually | All employees |
| Building security | 4 | Onsite and offsite | Annually | All employees |
| Phones/communications | 5 | Onsite and offsite | Annually | All employees |
| Supply chain | 6 | Onsite and offsite | Annually | All employees |
| Workflow/staff procedures | 7 | Onsite and offsite | Annually | All employees |

5.2 Type Of Test, Frequency, Duration And Related Cost

| Test Being Conducted | Example | Cycle | Duration | Costs ($) |
|---|---|---|---|---|
| Orientation Test | Participants, and recovery plans | One month | One hour | 10,000 |
| Drill | Fire drill, radio test, tornado, earthquake, system | One month | 2 hours | 10,000 |
| Tabletop Test | Communication and brainstorming | One month | 2 hours | 20,000 |
| Functional Test | Communication and resource allocation | One month | 2 hours | 20,000 |
| Full Scale Test | System, personnel, resources, and operations | One month | One week | 100,000 |

6. Conclusion

Business contingency and continuity plans are very important to all organizations, especially in this age of technology where disaster is common. Many organizations suffer from system crashes, some experience low throughput, while others are faced with cyber attacks. In the event of these disasters, organizations should be able to resume their operations within the shortest time. The recovery time objectives should be clear, and so should the recovery point objectives. Organizations should also suffer minimum loss due to such disasters. Nevertheless, even with a proper failsafe, it is important to conduct periodic audits to ensure that the organization's recovery plan is up to date with the changes in the organization.

Process descriptions checklist

Specifics

Remarks

Remarks

Minimum processing requirements

Location of vital records

Categories for vital records

Forms requirements

Critical forms

Equipment descriptions

In the recovery site

In the unit

Software descriptions

Used in recovery

Used in production

Logical drawings of communication and data networks in the unit

Logical drawings of communication and data networks during recovery

Vendor list

Communication needs –

Production

In the recovery site

Resource plan for operating in contingency mode

Criteria for returning to normal operating mode

Procedures for returning to normal operating mode

Procedures for recovering lost or damaged data

Testing and Training

Testing Dates

Plan Maintenance

Periodic Document Maintenance

Review

Review action plans

Review recovery teams

Review team activities

Review/revise tasks

Review/revise documentation

References:

Baker, N. (2012). Enterprisewide Business Continuity. (Cover story). Internal Auditor, 69(3), 36-40.

Barry, C. (2012). Backup plans. Multichannel Merchant, 8(5), 36-38.

Balaouras, S. (2009). Businesses take BC planning more seriously. For Security & Risk Professionals.

Cerullo, V., & Cerullo, M. J. (2004). Business continuity planning: a comprehensive approach. Information Systems Management, 21(3), 70-78.

Geer, D. (2012). Are You Really Ready for Disaster? Three exercises for testing your business continuity plans. CSO Magazine, 11(8), 16-18.

Karim, A. (2011). Business Disaster Preparedness: An Empirical Study for measuring the Factors of Business Continuity to face Business Disaster. International Journal of Business & Social Science, 2(18), 183-192.

Kirvan, P. (2009, July). Using a business impact analysis (BIA) template: A free BIA template and guide. TechTarget: SearchDisasterRecovery. Retrieved November 4, 2011, from http://searchdisasterrecovery.techtarget.com/feature/Using-a-business-impact-analysis-BIA-template-A-free-BIA-template-and-guide.

Lam, W. (2002). Ensuring business continuity. IT professional, 4(3), 19-25.

On Windows. (2006, March 23). Half of US businesses lack continuity plan. On Windows Magazine. Retrieved from http://www.onwindows.com/Articles/Half-of-US-businesses-lack-continuity-plan/2063/Default.aspx

Rawlings, P. (2013). SEC’s Aguilar Pushes Continuity Plan Testing. Compliance Reporter, 25.

Rucks, A., Ginter, P., Duncan, W., & Lesinger, C. (2011). A Continuity of Operations Planning Template: Translating Public Policy into an Effective Plan. Journal of Homeland Security and Emergency Management, 8(1).

Slater, D. (2012, December 13). Business continuity and disaster recovery planning: The basics. Retrieved from http://www.csoonline.com/article/204450/business-continuity-and-disaster-recovery-planning-the-basics?page=1

Swanson, M., Bowen, P., Phillips, A., Gallup, D., & Lynes, D. (2010, November 11). Retrieved from website: http://csrc.nist.gov/publications/nistpubs/800-34-rev1/sp800-34-rev1_errata-Nov11-2010.pdf

Totty, P. (2009). Business Continuity: Test and Verify. Credit Union Magazine, 75(12), 46.

UMUC. (2011). Module 11: Service Restoration and Business Continuity. Retrieved from http://tychousa.umuc.edu/

Whitworth, P. M. (2006). Continuity of Operations Plans: Maintaining Essential Agency Functions When Disaster Strikes. Journal of Park & Recreation Administration, 24(4), 40-63.

Wold, G. H. (2006). Disaster recovery planning process. Disaster Recovery Journal, 5(1).

Stourac, T. (2014). Wheels, hubs and spokes: incorporating a scorecard into a business continuity programme. Journal of Business Continuity & Emergency Planning, 7(3), 260-9.

[1] Facilities manager, IT tech, HR manager, senior management, brand management, third-party support and a sampling of critical clients.
