Sreedhar MK
Business Continuity & Information Security Management Expert
Disasters happen. Recoveries have to be orchestrated. Continuity Plans are like backup parachutes – hardly ever needed but you don’t want to operate without one. Preparing for the future requires some sort of business continuity and disaster recovery plan.
Whether hurricanes, pandemics, wildfires, or other catastrophes like unanticipated shutdown orders, most companies are not immune to unplanned business interruptions. Undertaking the creation of a Business Continuity Plan is no small feat, but requires careful planning and assessment of mission-critical functions and available resources.
Business Continuity Planning (“BCP”) is the process of creating a system of prevention and recovery from potential interruptions and other threats to an organization. Its purpose is to enable a business to recover certain vulnerable parts of the company after an interruption occurs.
Developing such a plan, however, can help a company avoid succumbing to a hard-hitting business interruption. The elements of a Business Continuity Plan include: (1) The Team, (2) The Mission, and (3) The Policy.
BCP involves defining any and all risks that can affect the company's operations, making it an important part of the organization's risk management strategy. Risks may include natural disasters—fire, flood, or weather-related events—and cyber-attacks. Once the risks are identified, the plan should also include:
- Determining how those risks will affect operations
- Implementing safeguards and procedures to mitigate the risks
- Testing procedures to ensure they work
- Reviewing the process to make sure that it is up to date
The Team - The BCP Planning Team should include diverse members across an organization’s various departments, including upper management, human resources, legal, finance, operations, as well as onsite personnel who are most likely to encounter operational hazards resulting in a business interruption. Once the team is formed, roles and responsibilities regarding plan communications, implementation, monitoring, maintenance, and crisis management should all be assigned. A budget and planning calendar should also be established.
The Mission - After a Team is formed, upper management and ownership will need to communicate the commitment to the Business Continuity Plan and Team from the highest level of the organization in the form of a Mission Statement. A BCP advisory team member, such as legal counsel, can assist with the formation of the issued statement.
The Policy - Following the formation of a Team and the preparation of the Mission Statement, a Business Continuity Policy, encompassing a comprehensive set of standards and guidelines for ensuring the effectiveness of the organization’s BCP, should be created. The final BCP Policy should identify a chain of command, establish the flow of information and personnel direction through emergency communication protocols, identify resources and the processes for managing them, and set out other key methodology related to potential losses and recovery strategies.
Six stages of Business Continuity Management Cycle
- Risk Assessment
- Business Impact Analysis
- Business Continuity Strategy
- Business Continuity Planning
- Business Continuity Testing
Risk Assessment
All risks associated with the objective of achieving business continuity of the organization should be identified, analyzed and evaluated. Controls that would minimize the impact of the identified risks shall be implemented based on the core risk management principles: Treat, Tolerate, Terminate and Transfer. Risk Assessment is an ongoing process. The organization’s business strategy, changes in process, changes to technology, reported incidents, review outcomes and compliance requirements all provide input for the risk assessment.
Business Continuity Impact Analysis
An important stage of developing a BCP is performing a business continuity impact analysis. It identifies the effects of disruption of business functions and processes, and their dependencies (inter, intra and external) on other supporting processes. It also uses the information to make decisions about recovery priorities and strategies.
An operational and financial impact worksheet helps to run a business continuity analysis. The worksheet should be completed by business function and process managers who are well acquainted with the business. These worksheets will summarize the following:
- The impacts—both financial and operational—that stem from the loss of individual business functions and processes
- Identifying when the loss of a function or process would result in the identified business impacts
Completing the analysis can help companies identify and prioritize the processes that have the most impact on the business' financial and operational functions. The point at which they must be recovered is generally known as the “recovery time objective”.
Business Continuity Strategy
The business continuity strategy should be based on the legal, regulatory, contractual and statutory compliance requirements of the organization. The strategy should not be limited to the continuity of the core processes but should also take into consideration the supporting services that would help the organization to achieve continuity of the core processes during a disruption.
Business Continuity Planning
Planning is a very vital component of Business Continuity. Adequate planning will help the organization to foresee the probable disruptions based on the organization culture, geo location, socio-political-economic conditions and the various compliance requirements. Each critical process in the organization should have a detailed business continuity plan.
Business Continuity Testing
Testing is the most important factor that reflects the efficiency and effectiveness of the organization’s business continuity process. Various testing methods, such as table top, structured walk through and simulation, can be used to test the effectiveness. The main advantage of such testing is that it minimizes unexpected challenges and surprises during an actual disaster situation. The results of such testing should be documented and, if required, improvements to the business continuity process should be made to keep the business continuity program viable and executable.
Conclusion
Business Continuity is not a project. It is a process that should be dynamic and aligned with the organization’s strategy. Business Continuity Management capabilities should be tested at least annually, for adequacy and effectiveness based on the risk factors that would impact the organization’s business from time to time.