The BCP must ensure that in the event of disruption of work activities due to unforeseen events, business operations can continue in a normal manner or with as little interruption as possible, and risks and damages can be mitigated.
The objective of a BCP is to document the solutions that provide Business Continuity for one or more activities. At the same time, the BCP provides guidelines for crisis management relating to various kinds of key crises identified.
This document attempts to make a preventive, proactive, and reactive plan to help the organization avoid crisis and disasters should they occur, and therefore be able to return to 'business as usual quickly' should such crisis occur. The documents within the BCP must allow the intended users to quickly identify the solutions to be activated according to the nature of the incident (extent of consequences, resource categories affected).
Several events can occur that may disrupt business operations. Organizations must have robust Internal Control and Operational Risk Control measures in place to mitigate the risk. Disasters can result from three types of factors (or combinations of these), including Human behaviors, Natural disasters, Technological breakdowns.
Failure to resolve problems associated with such occurrences swiftly can lead to customer and client dissatisfaction, loss of profits, negatively affect organization reputation, and means that normal functions or services cannot be performed.
This Business Continuity aims to establish sound practices for business continuity and disaster recovery. It attempts to ensure that business can continue smoothly in the event of any disruption(s) and that critical operations are prioritized as much as possible.
The benefits of the BCP are:
What is often underestimated is the value of the process of establishing the BCP for the following two reasons:
2. Definitions, Tools, and Concepts
This section introduces the main definitions, tools, and concepts used in business continuity planning.
Business continuity planning refers to the planning and preparations which are necessary to identify the impact of potential losses arising from an emergency; to formulate and implement viable recovery strategies, to develop recovery plans which ensure continuity of organization services in that relation, and to administer a comprehensive testing and maintenance program. Business Continuity Planning is a methodology for everyone in the organization to ensure normal operations.
Business Continuity Plan (BCP) focuses on preventing and sustaining an organization's business processes during and after a disruption. A BCP involves costs, and it may not be cost-effective to have a fully developed and implemented plan for all scenarios.
The BCP development process consists of the following steps:
Disaster Recovery Planning (DRP) refers to a policy that defines how people and resources will be protected in a disaster, and how the organization will recover from the disaster. DRP is just a subset of BCP. However, IT DRP is a detailed information system procedures to facilitate the recovery of capacity on an IT DR site following an incident. For example, the IT DRP contains all information necessary to switch the IT production site over to a DR site (IT backup).
Business impact analysis (BIA) refers to a document that identifies present organizational risks and determines the impact of ongoing, business-critical operations if such risks actualize. The BIA tries to measure the potential loss and escalating losses over time to provide Management, Board Directors, and Shareholders with reliable data for the identification of critical services and sufficient data for decision making.
Recovery Time Objective (RTO) is the amount of time allowed for the recovery of a business function or resource after a disaster occurs.
Recovery Point Objective (RPO) is the acceptable amount of data loss measured in time. The RPO is the point in time to which the organization must recover its data as defined by this Policy.
Emergency Operation Center (EOC) is a location where an organization can quickly relocate following a disaster, such as fire, flood, terrorist threat, or other disruptive events.
Crisis management team (CMT) refers to a group of Managers who direct recovery operations and are responsible for the organization's survival.
Crisis management refers to the oversight of the process designed to support the CMT.
Recovery strategy refers to a process to resume the minimum set of critical services identified in the BIA (e.g., use of another delivery channel to provide the same service).
The BCP governance structure is made up of a BCP Committee that ensures senior management commitment and defines senior management roles and responsibilities.
The BCP management committee is responsible for oversight, initiation, planning, approval, testing, and BCP auditing.
The BCP Committee meets annually. Besides, the Chairman and Committee Secretary can arrange for extraordinary meetings as deemed necessary. The responsibilities of the committee include:
4. Communication Channels
In case of a disaster event, rumors can spread quickly, and the ordinary communication channels might be interrupted. All staff must receive the same information from management. This is typically done by email. In the case email of services being interrupted, bulk SMS communication from management to staff is used. The organization should ensure the availability of contact information to bulk SMS providers. In a few severe cases, the organization may need to establish a hotline for staff and their relatives. However, the communication from staff to organization should be routed through the normal hierarchical structures.
5. Business Continuity Plan for Selected Scenarios
5.1-Selection of scenarios
It is impossible and inefficient to foresee and address each possible scenario that could interrupt normal business operations. For example:
Each of these scenarios is assessed using several criteria, including:
5.2-Likely causes for the scenario
Among likely reasons for events that lead to businesses' disruption are fire, earthquake, flood, storm, terrorism, riot, political unrest, robberies, sabotage, virus attacks, and hardware failures, technical failures at the grid, or communication systems.
5.3-Likelihood of occurrence
For example, the likelihood that a particular event occurs is assessed in three categories, including:
5.4-Impact of disruption
Business impact analysis (BIA) is one component of the BCP. BIA is an analytical process used to assess the consequences of an incident and the change over time of the quantitative (financial) impact and the qualitative (non-financial) impact resulting from the interruption of an activity. The results of the BIA are necessary to define the Business Continuity Strategy. It is essential to consider interdependencies between systems, business processes, and departments.
Impact of any business disruption may include:
For example, in BCP, the business impact is categorized as follows:
As much as possible, and to the extent that it is efficient, events that interrupt business should be prevented. For example, the availability of well-maintained fire extinguishers can prevent serious damages by fire; or the availability of a well-maintained backup generator will prevent business disturbance due to loss of power. For each of the scenarios, preventive measures should be assessed.
In case an event cannot be prevented, its impact should be mitigated as much as efficiently possible. For example, the availability of fire insurance will limit the financial damage of fire, and the availability of backup systems will prevent the permanent loss of data. For each of the scenarios, mitigation measures should be outlined.
5.7-Recovery Point Objective and Recovery Time Objective
Recovery Time Objective (RTO) is the (worst case and achievable) length of time it should take to recover an application back to full service. The shorter the activity's RTO (the period between the incident and resumption, or possibly even no Interruption), the higher the level of requirement in terms of Business Continuity. Recovery Point Objective (RPO) is the (worst case and achievable) duration of processing that can be lost as a result of a disaster.
Applicable rules and principles for choosing Business Continuity solutions:
• Each organization must, for activities whose continuity or recovery must be ensured, choose business continuity solutions while taking into account: (1) the ability of the solutions to achieve the Business Continuity Objectives set in the strategy RTO/RPO, (2) the power of the solutions to cover (partially or totally) all of the reference scenarios, and (3) the impact at the envisaged solutions on the level of operational risk to which the activity will be exposed when these solutions are executed according to the predefined Business Continuity mode.
• When choices are made between different solutions, the assessment leading to these choices must be documented.
• All organizations must ensure that their chosen solutions allow interdependent entities (internal or external) to continue their activities (e.g., postal mail forwarded to the recovery site).
• The finalized choice of solutions must be articulated and documented.
5.8-Crisis Management Team composition
In case of a crisis, a Crisis Management Team (CMT) needs to be composed to implement the actions of BCP. The composition of CMT can be slightly different from the Composition of the BCP Committee as the latter is more general, and the Crisis Management Team is staffed such that the optimum response to the particular event is ensured. Approval and decision rights remain unaffected.
5.9-Crisis Management Team member tasks and basic recovery processes
As soon as the Senior Management has declared the state of a BCP event, the Crisis Management Team comes together. After ensuring that emergency issues are solved, and further damage is avoided/controlled, it is the first task to create a detailed recovery plan that can cope with the specific event. BCP outlines the respective steps that need to be taken in selected scenarios and includes various tools (such as contact lists) to ensure they can be followed. However, a more detailed and specific plan will be needed as soon as the particular event and situation can be described. BCPs naturally cannot consider each possible event in all detail. It is the responsibility of the (RM) Risk Management functionality to facilitate the process of creating such a response plan.
6. Business Continuity Plan Awareness and Training
Business continuity is an important component of the organization's risk management program. Many occurrences highlighted in the BCP are highly unlikely to happen (or are perceived as highly unlikely to happen). For that reason, experience has shown that many employees might not be aware of their role within the BCP, or even its existence. Therefore, it is crucial for the organization to invest resources in training to ensure relevant staff is familiar with the BCP. Raising employee awareness is a must.
Business Continuity Plan looks at an entire organization, not only for requirements but also for dependencies. A formal training and awareness component is necessary for a successful Business Continuity Planning so that the tests and exercises contribute to the ongoing improvement of the program.
The BCP should be tested once per year. The BCP Committee might decide on additional tests if deemed necessary to cope with significant changes in business processes, business technology, facilities, BCP Committee Membership, Executive Management, or anticipated events that might cause a business interruption. It is vital to review BCP and test it regularly.
The goal of BCP testing is to ensure the BCP process is:
The availability of the information contained in the BCP must be guaranteed. It is integrity must be preserved, and care must be taken to define an appropriate level of confidentiality. Points to be noted:
• A distribution list must be established as soon as each document is created. Each document must only be distributed to those who are implicated. The level of information must correspond to their responsibilities during the activation and operation of Business Continuity solutions as well as the return to normal. The recipients and end users of these documents must be able to find the information that they are looking for quickly, as they may be under unprecedented pressure due to the urgency of the situation.
• The documents' format must ensure that the BCP is accessible under all circumstances: in production, in backup, and remotely.
• It is, therefore, advisable to use different storage media, whether that BCP is in paper or electronic format. A copy of all of the documents for the BCP must be available at the production or usual sites, in backup, in the crisis management room, and remotely.
• The physical protection (paper version) and logical protection (electronic version) of the information contained in the BCP must be in line with the requirements of their classification level, and their integrity must be maintained (e.g., paper BCP stored in a fireproof safe).
• BCP documents must be updated on an ongoing basis and at least once per year.
Have a question about something in this article? You can receive help directly from the article author. Sign up for a free trial to get started.