Business Continuity Planning
A Business Continuity Planning (BCP) methodology is used to produce a plan to enable an organization to continue in operation in the face of some kind of interruption to its normal operation. The methodology needs to be scalable for an organization of any size and complexity. Even though the methodology has roots in regulated industries, any type of organization may create a BCP manual, and arguably every organization should have one in order to ensure the organization’s longevity. Evidence that firms do not invest enough time and resources in BCP preparations can be seen in disaster survival statistics. Fires permanently close 44% of the businesses affected. In the 1993 World Trade Center bombing, 150 businesses out of 350 affected failed to survive the event. Conversely, the firms affected by the September 11 attacks with well-developed and tested BCP manuals were back in business within days.
A BCP manual for a small organization may be simply a printed manual stored safely away from the primary work location, containing the names, addresses, and phone numbers for crisis management staff, general staff members, clients, and vendors along with the location of the off-site data backup storage media, copies of insurance contracts, and other critical materials necessary for organizational survival. At its most complex, a BCP manual may outline a secondary work site, technical requirements and readiness, regulatory reporting requirements, work recovery measures, the means to re-establish physical records, the means to establish a new supply chain, or the means to establish new production centers. Firms should ensure that their BCP manual is realistic and easy to use during a crisis. As such, BCP sits alongside crisis management and disaster recovery planning and is a part of an organization’s overall risk management.
The analysis phase in the development of a BCP manual consists of an impact analysis, threat analysis, and impact scenarios with the resulting BCP plan requirement documentation.
Impact analysis
An impact analysis differentiates between critical and non-critical organization functions. A function may be considered critical if the implications for stakeholders of the resulting damage to the organization are regarded as unacceptable. Perceptions of the acceptability of disruption may be modified by the cost of establishing and maintaining appropriate business or technical recovery solutions. A function may also be considered critical if dictated by law. Next, the impact analysis produces the recovery requirements for each critical function. Recovery requirements consist of the following information:
Threat analysis
After defining recovery requirements, documenting potential threats is recommended to detail a specific disaster’s unique recovery steps. Some common threats include the following:
All threats in the examples above share a common impact – the potential of damage to organizational infrastructure – except one, disease. The impact of diseases is initially purely human, and may be alleviated with technical and business solutions. During the 2002-2003 SARS outbreak, some organizations grouped staff into separate teams, and rotated the teams between the primary and secondary work sites, with a rotation frequency equal to the incubation period of the disease.
The organizations also banned face-to-face contact between opposing team members during business and non-business hours. With such a split, organizations increased their resiliency against the threat of government-ordered quarantine measures if one person in a team contracted or was exposed to the disease.
Damage from flooding also has a unique characteristic. If an office environment is flooded with non-saline and contamination-free water (e.g., in the event of a pipe burst), equipment can be thoroughly dried and may still be functional.
Definition of impact scenarios
After defining potential threats, documenting the impact scenarios that form the basis of the business recovery plan is recommended. In general, planning for the most wide-reaching disaster or disturbance is preferable to planning for a smaller scale problem, as almost all smaller scale problems are partial elements of larger disasters. A typical impact scenario like ‘Building Loss’ will most likely encompass all critical business functions, and the worst potential outcome from any potential threat. A business continuity plan may also document additional impact scenarios if an organization has more than one building. Other more specific impact scenarios – for example a scenario for the temporary or permanent loss of a specific floor in a building – may also be documented.
Recovery requirement documentation
After the completion of the analysis phase, the business and technical plan requirements are documented in order to commence the implementation phase. For an office-based, information technology intensive business, the plan requirements may cover the following elements which may be classed as ICE (In Case of Emergency) data:
Other business environments, such as production, distribution, warehousing, etc., will need to cover these elements, but are likely to have additional issues to manage following a disruptive event.