Why Should Companies Take a Closer
Look at Business Continuity Planning?
How net business continuity and disaster recovery solutions can help
organizations lessen the impact of disasters and incidents.
Over the last 30 years, companies have significantly changed their approach to ensuring
that their businesses can continue to run in the event of a catastrophe.
In the 1970s, IT departments responsible for
companies’ information-based assets focused
on the recovery of the data center and
associated networks. By the 1990s, the focus
had shifted to business units. The commitment
of management became a critical success factor
in the development of business continuity plans,
as both IT and the business were required to
develop those plans.
As a result of 9/11, organizations extended
business continuity planning to create
enterprise-wide plans. Today, executive
management is much more involved in ensuring
the success of the plans, and the focus has
shifted from power, hardware, and software
outages to regulatory requirements, business
requirements, and non-traditional events such
as terrorist attacks.
Business continuity planning / disaster recovery (BC / DR)
Many organizations still merge the terms disaster recovery and business continuity.
However, for the purpose of this paper, each term is defined so that all parties
involved have the same foundation from which to work.
Disaster recovery is the process by which you
resume business after a disruptive event. Events
can range from significant (e.g., an earthquake,
a terrorist attack) to something smaller like
malfunctioning software caused by a computer
virus. However, given the human tendency to
look on the bright side, many business
executives are prone to ignoring disaster
recovery because disasters seem unlikely to
occur.
Business continuity planning suggests a more
comprehensive approach to ensuring that the
business can continue to make money, not only
after a natural calamity, but also in the event of
smaller disruptions,
including illness or departure of key
staffers, supply chain partner problems,
or other challenges that businesses face
from time to time.
The business continuity plan (BCP)
encompasses every aspect of any
recovery procedure used to keep a
company operating. It provides an
understanding of the
risks the company has identified,
mitigation for those risks, business
impacts of the risks, and a mapping of
critical business functions to the
organization.
A part of the BCP, the disaster recovery
plan focuses on the recovery or
resumption of IT as it supports the
business.
Reasons for developing business continuity capabilities
Changes in business processes and technology, increased terrorism concerns, recent
catastrophic natural disasters, and the threat of a pandemic have focused even greater
attention on the need for effective business continuity planning. Executive management is
now expected to consider the potential for area-wide disasters that could affect an entire
region and result in significant losses to the organization.
In most cases, recovery time objectives
(RTOs) are now much shorter than they were
a few years ago, and for some institutions,
RTOs are based on hours and even minutes.
Ultimately, all business units should anticipate
and plan for the unexpected and ensure that
their business continuity planning processes
appropriately address the lessons they have
learned from past disasters.
General Dwight D. Eisenhower said, “In
preparing for battle, I have always found that
plans are useless, but planning is
indispensable.” The same thing can be said
about business continuity planning. The real
value in business continuity planning lies not in
the report that is produced (although call-out
lists and procedures are definitely of value),
but in the following three areas:
− The decision-making / assessment
process: Identifying what could
happen, associated consequences,
prevention and mitigation, and the
business risks.
− The data gathering process:
Evaluating what type of data you have,
who uses it, where it is located, and
what risks it faces.
− The increased awareness that results
from such a project.
The board and executive management
are responsible for ensuring that the
organization identifies, assesses,
prioritizes, manages, and controls risks
as part of the business continuity
planning process. The board and senior
management should establish policies
that define how the organization will
manage and control the identified risks.
Once a policy is established, the
board and senior management must
understand the consequences of these
identified risks and support continuity
planning on a continuous basis.
− The business continuity planning
process should include regular
updates to the BCP. The BCP
should be updated based on
changes in business processes,
audit recommendations, and
lessons learned from testing.
− Changes in business processes
include technological
advancements that allow faster
and more efficient processing,
thereby reducing acceptable
business process recovery
periods.
For example, in response to competitive
and customer demands, many IT
institutions are moving toward shorter
recovery periods and designing
technology recovery solutions into
business processes. These technological
advances underscore the importance of
maintaining a current, enterprise-wide
BCP.
Additional industry practices that are
commonly used to maintain a current BCP
include:
− Integrating business continuity
planning into every business decision
− Incorporating BCP maintenance
responsibilities in applicable employee
job descriptions and personnel
evaluations
− Assigning the responsibility for periodic
review of the BCP to a planning
coordinator, department, group, or
committee
− Performing regular audits and annual,
or more frequent, tests of the BCP
Human resources represent one of the most critical
BCP components, and often, personnel issues
are not fully integrated into the enterprise-wide
plan. Based on the business impact analysis
(BIA), the BCP should assign responsibilities to
management, specific personnel, teams, and
service providers.
Plan purpose
A BCP provides for the continuation of critical business functions and the recovery of
those functions in the event of a disaster. Many potential contingencies and disasters can
be averted, or the damage they cause can be reduced, if appropriate steps are taken to
manage through the event. A completed plan outlines the course of action taken in the
event of an emergency and the recovery process for business units to return to normal
business operation.
The BCP addresses the following:
− How will management prepare
employees for a disaster, reduce the
overall risks, and shorten the recovery
window?
− How will decision-making succession be
determined in the event management
personnel are unavailable?
− How will management continue
operations if employees are unable or
unwilling to return to work due to
personal losses, closed roads, or
unavailable transportation?
− Who will be responsible for contacting
employees and directing them to their
alternate locations, if required?
− Who will be responsible for leading the
various BCP teams (e.g., crisis /
emergency, recovery, technology,
communications, facilities, human
resources, business units and
processes, and customer service)?
− Who will be the primary contact for
critical vendors, suppliers, and service
providers?
− Who will be responsible for security
(information and physical)?
Plan objectives
Objectives of the BCP include:
− Reducing the risk of disruption of operations
or loss of information
− Communicating responsibilities for the protection
of information and continuity of mission-critical
business functions
− Minimizing the number of decisions that must be
made following an event
− Decreasing dependence on the participation of
any one specific person in the response process
− Minimizing the need to develop procedures
during response
Plan components
All BCPs need to encompass how employees will communicate, where they will go, and
how they will keep doing their jobs. Details can vary greatly, depending on the size and
scope of a company and the way it does business. For some businesses, issues such as
supply chain logistics are most crucial and are the focus of the plan. For others, IT may
play a more pivotal role, and the developed plan may concentrate on systems recovery.
For example, the plan at one global IT company
would restore critical mainframes with vital data
at a backup site within four to six days of a
disruptive
event; obtain a mobile PBX unit with 3,000
telephones within two days; recover the
company’s more than 1,000 LANs in order of
business need; and set up a temporary call
center for 100 agents at a nearby training
facility.
But the critical point is that neither IT systems
nor supply chain logistics can be ignored, and IT
and human resources plans cannot be
developed in isolation from each other. BC / DR
is about constant communication.
Business and IT leaders should work together to
determine what kind of plan is necessary and
which processes and business units are most
crucial to the company. Together, they should
decide which people are responsible for
declaring a disruptive event and mitigating its
effects. Most importantly, the plan should
establish a process for locating and
communicating with employees after such an
event. In case of a catastrophic event, the plan
also needs to account for employees who
have more pressing concerns than returning to
work, as was recently demonstrated along the
U.S. Gulf Coast during the aftermath of
Hurricane Ike.
To be successful, the BCP should include the following items at a minimum:
1. Escalation chart – documents the escalation
path for specific issues based on prepared
scenarios
2. Call list – determines who is on call and how
to contact those people supporting specific
components of the plan
3. Actions to take – document action items and
recommended decisions to minimize decision
making in a crisis
4. Recovery inventories – identify the items
required for recovery to determine what can be
recovered if lost (e.g., building, systems, etc.).
5. Disaster recovery plans – establish the
procedure for recovering IT systems
6. Responsibilities – determine roles and
responsibilities of personnel during a disaster
and as part of ongoing plan maintenance
7. Priorities – provide the recovery priority
and sequence
8. Administration maintenance and exercising –
identify required maintenance and sign-offs
9. Organization – details organizational charts
10. Alternate facilities and resources – list
backup work and recovery locations (e.g.,
contracts, vendor)
Plan organization II
Below is a sample of how a BCP might be organized:
Section 1: General company information
− Plan mission statement
− Outage emergency definition
− Escalation levels
− Service levels during an outage
emergency
− Listing of business functions and
processes
− Definition of criticality
Section 2: Business recovery teams
− Description of recovery teams
− List of team members
− List of team tasks
Section 3: Backup procedures
− Configurations
− Inventories
− Applications
− Backup procedures
− Inventories of offsite data, documents,
forms, and supplies
Section 4: Recovery procedures
− Hardware
− Software
− Communications
− Applications
Section 5: Implementation plan
− Tasks required for execution of BCP
Section 6: Recovery exercise plan
− Parameters
− Objectives
− Measurement criteria
Section 7: Recovery plan maintenance
− Requirements
− Procedures
Section 8: Relocation / migration plan
− Tasks required to return to permanent
site
Appendices:
− Vendor contacts
− Equipment lists
− Personnel information
− Forms / documents
Why build a BCP rather than move to a
second data center for disaster recovery?
The most significant benefits of developing a BCP are the organization and prioritization
of processes and applications required to recover critical business processes in an orderly
fashion. Moving to a secondary site without developing a plan essentially doubles your
infrastructure costs and does not ensure business continuity or disaster recovery.
Key drivers for these excess costs include:
− Lack of application consolidation and
virtualization planning could make
determining budget priorities more
difficult.
− Lack of process modification could lead
to disruptions and additional downtime.
− Unplanned outages during the transition
phase could impact the business and
customers.
− Not all processes or applications will
need redundancy immediately, if at all.
− Failover of equipment does not
guarantee failover of systems, extending
potential outages.
− Lack of planning could conceal critical
interdependencies among in-house
applications and other companies.
− Lack of planning may result in
purchasing infrastructure to mirror
technologies at end of life or late in the
technology refresh cycle.
− Lack of planning may impact balancing
the risks and benefits of the second site.
− Lack of a plan may emphasize quantity
over quality, which in turn, will decrease
productivity and impact the customer
experience.
Consultative methodology: