Business Continuity Planning

February 24, 2008


Simply put, business continuity plans are created to prevent interruptions to normal business activity. They are designed to protect critical business processes from natural or man-made failures or disasters and the loss of capital resulting from the unavailability of normal business processes. Business continuity planning is a strategy to minimize the effect of disturbances and to allow for the resumption of business processes.

A disruptive event is any intentional or unintentional security violation that suspends normal operations. The aim of BCP is to minimize the effects of a disruptive event on a company. The primary purpose of business continuity plans is to reduce the risk of financial loss and enhance a company’s capability to recover promptly from a disruptive event. The business continuity plan should also help minimize the cost associated with the disruptive event and mitigate the risk associated with it.

Business continuity plans should look at all critical information-processing areas of the company, including but not limited to the following:

  • LANs, WANs, and servers

  • Telecommunications and data communication links

  • Workstations and workspaces

  • Applications, software, and data

  • Media and records storage

  • Staff duties and production processes

Life safety, or protecting the health and safety of everyone in the facility, is the first priority in an emergency or disaster. Although we talk about the preservation of capital, resumption of normal business-processing activities, and other business continuity issues, the main, overriding concern of all plans is to get the personnel out of harm’s way. Evacuation routes, assembly areas, and accounting for personnel (head counts and last known locations) are the most important elements of emergency procedures. If at any time there’s a conflict between preserving hardware or data and the threat of physical danger to personnel, the protection of the people always comes first. Personnel evacuation and safety must be the first element of a disaster response plan. Providing restoration and recovery and implementing alternative production methods come later.


Continuity Disruptive Events

We can make a simple list of these events, categorized by whether their origin was natural or man-made. Examples of natural events that can affect business continuity are as follows:

  • Fires, explosions, or hazardous material spills of environmental toxins

  • Earthquakes, storms, floods, and fires due to acts of nature

  • Power outages or other utility failures

Examples of man-made events that can affect business continuity are:

  • Bombings, sabotage, or other intentional attacks

  • Strikes and job actions

  • Employee or operator unavailability due to emergency evacuation or other issues (these could be either man-made or naturally caused)

  • Communications infrastructure failures or testing-related outages (including a massive failure of configuration management controls)

The Four Prime Elements of BCP

There are four major elements of the BCP process:

  • Scope and Plan Initiation. This phase marks the beginning of the BCP process. It entails creating the scope and the other elements needed to define the parameters of the plan.

  • Business Impact Assessment. A BIA is a process used to help business units understand the impact of a disruptive event. This phase includes the execution of a vulnerability assessment.

  • Business Continuity Plan Development. This term refers to using the information collected in the BIA to develop the actual business continuity plan. This process includes the areas of plan implementation, plan testing, and ongoing plan maintenance.

  • Plan Approval and Implementation. This process involves getting the final senior management signoff, creating enterprisewide awareness of the plan, and implementing a maintenance procedure for updating the plan as needed.

Scope and Plan Initiation

The Scope and Plan Initiation phase is the first step toward creating a business continuity plan. This phase marks the beginning of the BCP process. It entails creating the scope for the plan and the other elements needed to define the parameters of the plan. This phase embodies an examination of the company’s operations and support services. Scope activities could include creating a detailed account of the work required, listing the resources to be used, and defining the management practices to be employed.

With the advent of the personal computer in the workplace, distributed processing introduces special problems into the BCP process. It’s important that the centralized planning effort encompass all distributed processes and systems.

Roles and Responsibilities

The BCP process involves many personnel from various parts of the enterprise. Creation of a BCP committee will represent the first enterprisewide involvement of the major critical functional business units. All other business units will be involved in some way later, especially during the implementation and awareness phases.

  • The BCP committee. A BCP committee should be formed and given the responsibility to create, implement, and test the plan. The committee is made up of representatives from senior management, all functional business units, information systems, and security administration. The committee initially defines the scope of the plan, which should deal with how to recover promptly from a disruptive event and mitigate the financial and resource loss due to a disruptive event.

  • Senior Management’s Role. Senior management has the ultimate responsibility for all phases of the plan, which includes not only initiation of the plan process but also monitoring and management of the plan during testing and supervision and execution of the plan during a disruptive event. This support is essential, and without management being willing to commit adequate tangible and intangible resources, the plan will not be successful.

The business resumption, or business continuity, plan must have total, highly visible senior management support. Senior management must agree on the scope of the project, delegate resources for the success of the project, and support the timeline and training efforts.

Also, many elements of the BCP will address senior management, such as the statement of importance and priorities, the statement of organizational responsibility, and the statement of urgency and timing.


BCP Department Involvement


WHO                                DOES WHAT

Executive management staff         Initiates the project, gives final approval, and gives ongoing support

Senior business unit management    Identifies and prioritizes time-critical systems

BCP committee                      Directs the planning, implementation, and test processes

Functional business units          Participate in implementation and testing


Some organizations with mature business resumption plans (BRPs) employ a tiered structure that mirrors the organization’s hierarchy. Senior management is always the highest level of decision makers in the BRP process, although the policy group also consists of upper-level executives. The policy group approves emergency management decisions involving expenditures, liabilities, and service impacts. The next group, the disaster management team, often consists of department and business unit representatives and makes decisions regarding life safety and disaster recovery efforts. The next group, the emergency response team, supplies tactical response to the disaster and may consist of members of data processing, user support, or persons with first aid and evacuation responsibilities.

Because of the concept of due diligence, stockholders may hold senior managers as well as the board of directors personally responsible if a disruptive event causes losses that adherence to base industry standards of due care could have prevented. For this reason and others, it is in the senior managers’ best interest to be fully involved in the BCP process.

Senior corporate executives are increasingly being held liable for failure of due care in disasters. They may also face civil suits from shareholders and clients for compensatory damages. The definition of due care is being updated to include computer functionality outages as more and more people around the world depend upon information to do their jobs.


Business Impact Assessment

The purpose of a BIA is to create a document to be used to help understand what impact a disruptive event would have on the business. The impact may be financial (quantitative) or operational (qualitative, such as the inability to respond to customer complaints). A vulnerability assessment is often part of the BIA process.

BIA has three primary goals:

  • Criticality Prioritization. Every critical business unit process must be identified and prioritized, and the impact of a disruptive event must be evaluated. Obviously, non–time-critical business processes will require a lower priority rating for recovery than time-critical business processes.

  • Downtime Estimation. The BIA is used to help estimate the Maximum Tolerable Downtime (MTD) that the business can tolerate and still remain a viable company; that is, what is the longest period of time a critical process can remain interrupted before the company can never recover? It is often found during the BIA process that this time period is much shorter than expected; that is, the company can tolerate only a much briefer period of interruption than was previously thought.

  • Resource Requirements. The resource requirements for the critical processes are also identified at this time, with the most time-sensitive processes receiving the most resource allocation.

A BIA generally takes the form of these four steps:

  1. Gathering the needed assessment materials

  2. Performing the vulnerability assessment

  3. Analyzing the information compiled

  4. Documenting the results and presenting recommendations

Gathering Assessment Materials

The initial step of the BIA is identifying which business units are critical to continuing an acceptable level of operations. Often, the starting point is a simple organizational chart that shows the business units’ relationships to each other. Other documents may also be collected at this stage in an effort to define the functional interrelationships of the organization.

As the materials are collected and the functional operations of the business are identified, the BIA will examine these business function interdependencies with an eye toward several factors, such as determining the business success factors involved, establishing a set of priorities between the units, and deciding what alternate processing procedures can be utilized.

The Vulnerability Assessment

The vulnerability assessment is often part of a BIA. It is similar to a Risk Assessment in that there is a quantitative (financial) section and a qualitative (operational) section. It differs in that the vulnerability assessment is smaller than a full risk assessment and is focused on providing information that is used solely for the business continuity plan or disaster recovery plan.

A function of a vulnerability assessment is to conduct a loss impact analysis. Because there will be two parts to the assessment (a financial assessment and an operational assessment), it will be necessary to define loss criteria both quantitatively and qualitatively.

Quantitative loss criteria can be defined as follows:

  • Incurring financial losses from loss of revenue, capital expenditure, or personal liability resolution

  • The additional operational expenses incurred because of the disruptive event

  • Incurring financial loss from resolution of violation of contract agreements

  • Incurring financial loss from resolution of violation of regulatory or compliance requirements

Qualitative loss criteria can consist of the following:

  • The loss of competitive advantage or market share

  • The loss of public confidence or credibility, or incurring public embarrassment

During the vulnerability assessment, critical support areas must be defined in order to assess the impact of a disruptive event. A critical support area is defined as a business unit or function that must be present to sustain continuity of the business processes, maintain life safety, or avoid public relations embarrassment.

Critical support areas could include the following:

  • Telecommunications, data communications, or information technology areas

  • Physical infrastructure or plant facilities, transportation services

  • Accounting, payroll, transaction processing, customer service, purchasing

The granular elements of these critical support areas will also need to be identified. By granular elements we mean the personnel, resources, and services that the critical support areas need to maintain business continuity.


Common steps in performing a vulnerability assessment could be[*]:

  1. List potential emergencies, both internal to your facility and external to the community. Natural, man-made, technological, and human errors are all categories of potential emergencies and errors.

  2. Estimate the likelihood that each emergency could occur, in a subjective analysis.

  3. Assess the potential impact of the emergency on the organization in the areas of human impact (death or injury), property impact (loss or damage), and business impact (market share or credibility).

  4. Assess external and internal resources required to deal with the emergency, and determine whether they are located internally or whether external capabilities or procedures are required.

 
Analyzing the Information

During the analysis phase of the BIA, several activities take place, such as documenting required processes, identifying interdependencies, and determining what an acceptable interruption period would be.

The goal of this section is to clearly describe what support the defined critical areas will require to preserve the revenue stream and maintain predefined processes, such as transaction processing levels and customer service levels. Therefore, elements of the analysis will have to come from many areas of the enterprise.

Documentation and Recommendation

The last step of the BIA entails a full documentation of all the processes, procedures, analyses, and results and the presentation of recommendations to the appropriate senior management.

The report will contain the previously gathered material, list the identified critical support areas, summarize the quantitative and qualitative impact statements, and provide the recommended recovery priorities generated from the analysis.

Business Continuity Plan Development

Business Continuity Plan development refers to using the information collected in the BIA to create the recovery strategy plan to support these critical business functions. Here the planner takes the information gathered from the BIA and begins to map out a strategy for creating a continuity plan.

This phase consists of two main steps:

  1. Defining the continuity strategy

  2. Documenting the continuity strategy

Defining the Continuity Strategy

To define the BCP strategy, the information collected from the BIA is used to create a continuity strategy for the enterprise. This task is large, and many elements of the enterprise must be included in defining the continuity strategy, such as:

  • Computing. A strategy needs to be defined to preserve the elements of hardware, software, communication lines, applications, and data.

  • Facilities. The strategy needs to address the use of the main buildings or campus and any remote facilities.

  • People. Operators, management, and technical support personnel will have defined roles in implementing the continuity strategy.

  • Supplies and equipment. Paper, forms, HVAC, or specialized security equipment must be defined as they apply to the continuity plan.

In developing plans, consideration should be given to both short-term and long-term goals and objectives. Short-term goals can include:

  • Vital personnel, systems, operations, and equipment

  • Priorities for restoration and mitigation

  • Acceptable downtime before restoration to a minimum level of operations

  • Minimum resources needed to accomplish the restoration

Long-term goals and objectives can include[*]:

  • The organization’s strategic plan

  • Management and coordination of activities

  • Funding and fiscal management

  • Management of volunteer, contractual, and entity resources

Documenting the Continuity Strategy

Documenting the continuity strategy simply refers to the creation of documentation of the results of the continuity strategy definition phase. You will see the word documentation a lot in this chapter. Documentation is required in almost all sections, and it is the nature of BCP/DRP to require a lot of paper.

Plan Approval and Implementation

As the last step, the business continuity plan is implemented. The plan itself must contain a roadmap for implementation. Implementation here doesn’t mean executing a disaster scenario and testing the plan, but rather it refers to the following steps:

  1. Approval by senior management

  2. Creating an awareness of the plan enterprisewide

  3. Maintenance of the plan, including updating when needed

  • Senior management approval. As previously mentioned, senior management has the ultimate responsibility for all phases of the plan. Because they have the responsibility for supervision and execution of the plan during a disruptive event, they must have final approval. When a disaster strikes, senior management must be able to make informed decisions quickly during the recovery effort.

  • Plan awareness. Enterprisewide awareness of the plan is important. There are several reasons for this, including the fact that the capability of the organization to recover from an event will most likely depend on the efforts of many individuals. Also, employee awareness of the plan will emphasize the organization’s commitment to its employees. Specific training may be required for certain personnel to carry out their tasks, and quality training is perceived as a benefit that increases the interest and the commitment of personnel in the BCP process.

  • Plan maintenance. Business continuity plans often get out of date: a major similarity among recovery plans is how quickly they become obsolete, for many different reasons. The company may reorganize, and the critical business units may be different than when the plan was first created. Most commonly, the network or computing infrastructure changes, including the hardware, software, and other components. The reasons also may be administrative: Cumbersome plans are not easily updated, personnel lose interest or forget, or employee turnover may affect involvement.

    Whatever the reason, plan maintenance techniques must be employed from the outset to ensure that the plan remains fresh and usable. It’s important to build maintenance procedures into the organization by using job descriptions that centralize responsibility for updates. Also, create audit procedures that can report regularly on the state of the plan. It’s also important to ensure that multiple versions of the plan do not exist, because they could create confusion during an emergency. Always replace older versions of the text with updated versions throughout the enterprise when a plan is changed or replaced.
