The first part of this two-part series was published in the December 2000 issue of Hi-Tech Security Systems. This second part focuses on the considerations one needs to take in developing a workable 'business continuity plan'.
Developing business continuity plans
The heart of the 'Business continuity management' process is the 'Business continuity plan' (BCP). This document brings together: the actions to be taken at the time of an incident; who is involved and how they are to be contacted. The plan or plans must reflect the current position of the organisation and all its stakeholders. A BCP should be designed to provide recovery of the organisation within the recovery time objectives established during the BIA process.
In developing the plan consideration must be given to:
* The use of planning aids, plan development and maintenance tools.
* Inclusion of job descriptions for those involved in delivering the plan.
* What action plans and checklists should be provided.
* What information databases and other supporting documentation are required.
A definition of what constitutes a 'disaster' for the organisation should be agreed upon and included in the plan. It is important to differentiate between an interruption and a 'disaster'. There should be a clearly laid out escalation procedure setting out how a 'disaster' is declared. It is recommended that the key phases of the recovery are identified, agreed and documented within the plan.
The plan should also include:
* The recovery team description, responsibilities and organisation.
* Support staff required including recovery and group co-ordinators.
* The location and equipping of the Emergency (Crisis) Operations Centre.
A procedure should also be established to shift from the emergency response plan to the business continuity plan.
A draft BCP can now be produced on a plan structure that is suited to the organisation. There may be a requirement for departmental plans and it is important that these integrate into the high level plan for the organisation. At the draft stage it is important to establish mechanisms that will allow for the easy maintenance of the plans in the future.
The plan should seek to allocate tasks and responsibilities and:
* Differentiate between recovery and departmental teams.
* Identify task to be undertaken.
* The teams required to perform required tasks and their responsibilities.
* Identify and list key contacts, suppliers and resources.
* The communications required to inform stakeholders and media.
The plan should define the business continuity procedures and should cover the mission critical process and functions of the organisation. It should detail what are the key resources used and what processes are to be followed to recover these resources and ensure continuity of the business. Areas to be included are:
* The use, location and protection of critical information and documentation.
* The requirements for workspace covering critical functions.
* The telecommunications requirements of the operations.
* The essential personnel requirements to deliver the agreed level of service.
The plan should integrate into other key plans:
* Crisis communications and public relations.
* Safety and emergency plans.
* IT and communications recovery.
* Security.
* Departmental operating plans.
* Supply chain logistics.
* Operational risk management.
The BCP may include the following:
* General introduction and overview.
* Objectives.
* Responsibilities.
* Exercising.
* Maintenance.
* Plan invocation.
* Disaster declaration.
* Damage assessment.
* Continuity actions and procedures.
* Team organisation and responsibilities.
* Emergency (Crisis) operations centre.
* Communications.
* Who should be informed.
* Contacts.
* Key messages.
* Suppliers.
* List of recovery suppliers.
* Details of contract provision.
Full document management procedures should be associated with the BCP in order to maintain its currency. A list of all plan holders has to be maintained together with a distribution and change control process.
4. Establishing the continuity culture
Documenting the BCP is one element of developing a BCM strategy. Its success, however, depends upon:
* Implementation of the recommendations made, across the entire business.
* A programme of training of those directly involved in the execution of the plan.
* An education and awareness programme to ensure enterprise-wide understanding and adoption of the plan, covering internal and external stakeholders, ie employees, customers, suppliers and shareholders.
It is essential to commit to implementing all recommendations and strategies identified in the BCP, otherwise investment made in its preparation will be redundant. Similarly, training and awareness must be embarked upon to ensure that the entire organisation is confident and competent concerning the plan. All parties must appreciate the importance of BCM to the operation's survival and their role in this process.
This awareness should extend to those external stakeholders and third parties upon which the organisation depends/has influence in both normal and crisis operations.
By implementation of the plan in this manner, all those associated with the organisation can have confidence in its ability to manage in a crisis, and the embedding of the continuity culture will have started.
Actions:
* Select the emergency management/BCM/crisis and recovery teams.
* Implement relevant training programmes for each team dependent upon task, including crisis communications/ media training as appropriate. This process is ongoing as team members change.
* Establish/equip emergency and crisis centres.
* Establish internal and external contractual arrangements/ service level agreements.
* Implement back-up and off-site storage arrangements.
* Distribute plan documentation as appropriate.
* Conduct internal and external awareness programmes. These programmes can be built into employee and supplier induction processes and customer marketing programmes.
* Prepare crisis communication statements for all stakeholders.
5. Plan exercising, maintenance and auditing
Exercising the Plan
A BCP cannot be considered reliable until it is exercised and has been proven workable, especially since false confidence may be placed in its integrity. Exercising the plan therefore assumes considerable importance. Exercising can take various forms, from a test of the communications plan, a desktop walk-through to a full system test. The objective of the exercise is twofold: to verify that the plan is practically workable by modelling recovery from disaster conditions, and training to familiarise staff with the operation of the plan.
The frequency of the exercise is dependent upon business need and the environment in which it operates. A minimum requirement should be every 12 months, but for some businesses or processes where the pace of change is particularly aggressive, a more frequent programme may be necessary.
Actions:
* Establish a meeting of key recovery staff.
* Prepare a representative and suitably detailed disaster scenario. Include aspects such as date, time, current workload, political and economical conditions, accounting period end, concurrent activities.
* Initiate the exercise as a walk-through or a full system test by summarising circumstances. Consider whether to vary those published, for example by substituting for a key player.
* Document and evaluate exercise results, amending the plan where necessary.
Plan maintenance
Organisations exist in a dynamic environment and are therefore subject to change - in people, process, market, risk, environment, geography, even business mission - and the BCP must reflect these changes to remain valid.
A process must be established whereby the BCM team is informed of these changes and can incorporate them into the plan. The effective change control procedures must be implemented to ensure distributed plans are of the same issue.
Actions:
* Define plan maintenance scheme and schedule.
* Monitor activities.
* Update plans.
* Distribute under formal change control procedures.
Plan audit
The audit process ensures that the BCM process remains current and viable in line with organisational change and current BCM practice. This process should ideally be carried out by an independent auditor - that can be external or internal - to ensure objectivity. As with exercising, the audit should be conducted on a minimum of an annual basis. It is desirable to use a recommended industry audit process, which facilitates benchmarking.
Actions:
* Set audit objectives and scope.
* Assess and select the audit method.
* Audit the administrative aspects of the BCM process.
* Audit the plan's structure, contents and actions sections.
* Audit the plan's documentation control procedures.
* Submit to the sponsor.
For details contact John Sharp, Chief Executive Officer of The Business Continuity Institute (UK) on tel: (0944) 870 603 8783, fax: (0944) 870 603 8761 or e-mail: [email protected]
Sources of information
The following websites provide additional sources of information on Business Continuity and Risk Management:
Risk Measurement - (subscription websites)
Practical Risk Management Online www.prarisk.com
Risk Management reports www.riskreports.com
Information/associations
Business Continuity Institute www.thebci.org
Survive Business Continuity Group www.survive.com
Ass. of Insurance & Risk Managers www.airmic.com
US Risk and Insurance Management Group www.rims.org
Risk management information www.rmisweb.com
Risk information www.riskinfo.com
Interactive Risk Forum www.riskforum.com
Global Association of Risk Professionals www.garp.com
© Technews Publishing (Pty) Ltd. | All Rights Reserved.
printer friendly version