In preparing for battle I have always found that plans are useless, but planning is indispensable.
…….. General Dwight Eisenhower
No business can afford to have the lights off, not for a second! One can monitor and reduce risk, but incidents will happen.
What is Business Continuity Management :
Organization’s business strategies and decisions are based on the assumption that the Organization will continue to operate as normal on a daily basis. While Risk Management is about identifying possible risks and putting into place treatments to try to prevent an occurrence that impacts on its operations, Business continuity Management (BCM) detail s the necessary procedures and strategies that are to be auctioned should an actual disruption occur. The objectivbe of Business Continuity Management is to ensure the uninterrupted availability of all key business resources required to support essential (or critical) business activities.
The Business Continuity Management framework sets out the process and tools necessary to enable rapid response to incidents, recovery of key processes and restoration to the core business activities (Business As Usual). The Business Continuity Management Framework is based on the preparation of :
- Business continuity Plans (BCP) for key areas and activities of the Organization
- Disaster recovery planning for critical infrastructure and resources
- Communication and media liaison strategies, and
- Crises management and recovery, and emergency planning.
Link to Risk Management :
Business Continuity Management is inextricably linked to the Risk Management – one is the consequence of the other. Where Business continuity Management (including Planning and Testing) comes into force is through impact. The risk event has occurred, how should the Organization respond, recover and restore to fully operations? Similarly to Risk Management, the scale and timing of incidents/events cannot be reliable predicted, however the difference lies in being able to categorise where the known impacts can occur.
Why a Business Continuity Management Approach ?
Due consideration needs to be given to management of incidents and crises across the Organization from a multi-unit, multi-city, multi-man-power perspective. This requires collaboration between all units and people and a two-way flow of information during incidents and events. Planning also allows for both correct local and high level response to occur and also drives fundamental awareness at the Management and core resource area level of capital requirements, service availability and ‘gaps’.
By implementing a Business Continuity Management Framework an Organization is able to:
- Recognize the risks and impacts, key resources and core processes
- Respond to the event; protect life, property, systems and other resources
- Recover the resources, systems and processes
- Restore to full operations, and
- Review response, test preparedness and recalibrate planning.
Definition of Event Levels :
Business Continuity Management acknowledges that despite the best efforts employed in organizational risk management, events adversely affecting (disrupting) organizational operations will sometimes occur. These events usually are categorized as follows :
|Minor Incident||A Minor incident or outage within a single area or process, insignificant or minor impact on the organization. However, Multiple or ongoing incidents may have a cumulative effect, becoming a major incident or crisis.|
|Critical incident||A Critical incident or outage where key business process are disrupted or resources are lost, has a moderate or major impact on the organization. May affect external areas.|
|Najor Critical Incident||A Major Critical Incident, or series of incidents, that have the potential for extreme impact on processes, resources and the Organization’s long term prospects or reputation. May affect external areas.|
It is important to remember that incidents can occur across, or affect a range of categories, and are not limited to the traditionally-expected areas of Facilities Emergencies and IT Disasters. Taking a broader view allows a wider classifications of impacts as the following impact categories all of which are low frequency high severity which may lead to: substantial loss of life, high value property damage, long interruption periods and all other associated effects.
Catastrophe: A sudden and widespread disaster. FEMA definition: “… Any natural or manmade incident, including terrorism, that results in extraordinary levels of mass casualties, damage or disruption severely affecting the population, infrastructure, environment, economy, national morale, and or government functions. Compared to disaster, in a catastrophe most or all of the community built structure is heavily impacted; most, if not all, of the everyday community functions are sharply and simultaneously interrupted and help from nearby communities cannot be provided.
Disaster: Disaster Management Act 2005 defines disaster as “Disaster is an event of natural or manmade causes that lead to sudden disruption of normalcy within society, causing damage to life and property to such an extent that is beyond the capacity of normal social and economic mechanism to cope up with.”
Industrial Disaster: “Industrial Disasters are caused by chemical, mechanical, civil, electrical or other process failures due to accident, negligence or incompetence, in an industrial plant which may spill over to the areas outside the plant causing damage to life and property.”
Chemical Disasters: “Chemical disasters are occurrences of emission, fire or explosion involving one or more hazardous chemicals in the course of industrial activity or storage or transportation or due to natural events leading to serious effects inside or outside the installation likely to cause loss of life and property including adverse effects on the environment.
Emergency: Emergency is an unplanned event that significantly: Disrupts normal operations, poses serious threat to persons or property, cannot be managed by routine response, requires a quick and coordinated response across multiple departments or divisions.
Threats that can lead to emergency / disaster / catastrophe
- Environmental Disasters: Tornado, Hurricane, Flood, Snowstorm, Drought, Earthquake, Electrical storms, Fire, Subsidence and Landslides, Freezing conditions, Contamination and environmental hazards, Epidemic.
- Organized and/or Deliberate Disruption: Act of terrorism, act of sabotage, act of war, theft, arson, labor disputes / industrial action.
- Loss of Utilities and Services: Electrical power failure, loss of gas supply, loss of water supply, petroleum and oil shortage, communications services breakdown, loss of drainage / waste removal
- Equipment or System Failure: Internal power failure, air conditioning failure, production line failure, cooling plant failure, equipment failure (excluding IT hardware)
- Serious Information Security Incidents: Cybercrime, Loss of records or data, Disclosure of sensitive information, IT system failure.
- Other Emergency situation: Workplace violence, Public transportation disruption, Neighborhood hazard, Health and safety regulations, Employee morale, Mergers and acquisitions, Negative publicity, legal problems.
Plan for Business continuity (Business Continuity Plan (BCP):
A business continuity plan is a comprehensive statement of consistent actions to be taken before, during and after a disaster. The plan should be documented and tested to ensure continuity of operations and availability of critical resources in the event of a disaster.
Business Continuing Plan is an interdisplinary peer mentoring methodology used to create and validate a practiced logistical plan for how an organization will recover and restore partially or completely interrupted critical function(s) within a predetermined time after a disaster or extended disruption. The logistical plan is called Business Continuity Plan. In plain language BCP is how an organization prepared for future incidents that could jeopardize the organization’s core mission and its long term health. It is aimed at reducing operational risk associated with information management controls. Most organizations implement a phased methodology to analyze potential areas of vulnerability, define viable strategies, and implement business continuity plans.
Phase I – Initiation: In phase one, an organization sets to the fullest extent practicable.” forth the overall goal for the BCP effort – validating the scope of the plan, and taking an inventory of the processes or business units needed for the project. It identifies key stakeholders in the process including executive sponsors, steering committee, and any other subject matter experts. This phase sets the parameters, and trains the team in the project objectives and methodology.
Phase II – Business Impact Analysis and Risk Assessment: The business impact analysis is the next step in creating a business continuity plan. This part of the process serves as the foundation of any viable recovery planning effort. It includes all the critical business functions and processes, along with their potential threats. Here risks are identified, prioritized, and managed; the various single points of failure for the business including external dependencies are identified; and the overall business impact of these risks and SPOF are calculated. Recovery Time Objectives, Recovery Point Objectives and Recovery Communication Objectives are also identified for each critical business process. This phase is also utilized to identify regulatory requirements and best practices or standards that need to be followed; and the time and effort required in implementation of the BCP.
Phase III – Strategy Development: Leveraging the information from the BIA and risk assessment, organizations determine which business functions are “core” or “mission-critical” and determine a strategy to manage the risks identified in the risk assessment process (address, mitigate, or accept). The critical time frames and impacts from the BIA are used to determine which contingency strategies are viable. The strategy alternatives must satisfy the BIA for both cost effectiveness and response times. The planners usually present three to four alternatives to management with the most cost effective alternative as the recommendation.
Phase IV- Business Continuity Plan Development: On the basis of phases I, II and III, the Business Continuity plan is created. Being the main deliverable of the project, the BC plan includes department level DR plans, external supplier response plans, and the like. The BC Plan is updated regularly. The primary components of the BCP include, but are not limited to:
- Communication/ Coordination Plan: Communication is the key in any crisis. The Communication and Coordination plan establishes the communication channels to be used during the execution of a BCP; determines a chain of command for coordination of the BC effort; defines authorized media contacts; and includes notification procedures for key suppliers, vendors and clients.
- Emergency Response Plan: The Emergency Response Plan specifies responses to the emergency situations, which are defined as risks that pose a danger to life, property, or the environment. This includes Emergency Notification tools like Email, Phone, SMS, FAX or Pager.
Phase V – Business Continuity Plan Testing: In a quest to know whether their BCP is viable and usable, planners conduct thorough functional testing of their mission-critical applications and personnel to verify that all business processes work as expected. Plan testing is a regulatory requirement as well. It defines the methodology used to test the BCP, deciding on “how often do we test?”, “how much do we test?”, and “how do we judge the success or failure of the test?”. Once the test methodology is decided upon, business continuity plan is tested as an iterative task, at least twice annually.
Phase VI – Plan Maintenance: An outdated plan is as good as no plan. Most organizations strive to keep their Business Continuity Plans up to date with the latest and most efficient recovery processes. Elements regarding Recovery time objectives, Recovery Point Objectives, are evaluated and included in the plan. Testing and managing of the recovery strategy is kept consistent with the latest changes to the enterprise. Education is ongoing to maintain awareness of responsibilities when an emergency strikes.
Elements of Business Continuity Management (BCM)
Business Continuity Management is an ongoing process with several different but complementary elements mentioned below:
- Risk Mitigation Plan: Organizations, today, are taking a comprehensive and methodical approach to risk mitigation to ensure their business continuity. By developing, implementing and testing risk mitigation strategies, they provide their business with a level of resiliency and operational insurance which positions their business to continue, perform and succeed against unexpected threats. A viable Business Continuity plan involves a detailed plan for risk identification, prioritization, monitoring, and mitigation as a part of project planning. It covers all business units, verticals, service offerings, support groups and subsidiaries; and offer a deeper, more diverse, and quantified feedback on risks. This enables organizations to address the actual and the potential risk events in a systematic manner.
- Business Continuity Plan: The value of a business continuity plan can never be exaggerated. Business Continuity plan is one of the pillars in the overall framework of Project Business Continuity Management. Organization should develop a comprehensive BCP based on the size and complexity of the institution. The goal of the BCP should be to minimize losses to the institution, serve customers with minimal disruptions, and mitigate the negative effects of disruptions on business operations.
- Pandemic Plan: BCP planning cannot be restricted only to breakdown of critical operations and controls. Business can also get hampered in the event of a pandemic, which leads to human-resource disruption. An absence of staff can result in stalling of key functionalities which are important to keep an organization functional. It thus becomes important to prepare your company for organizational downtime during the health crisis; by considering the risk of pandemic outbreak while planning for business continuity.
- Contingency Plan: The key to attain and sustain success is by being prepared for the unexpected. Contingency planning is thus imperative for every organization so that they can have advance plans and strategies ready, to effectively handle unexpected problems, emergencies and catastrophic events. This is an important component of BCP which ensures the continuity and survival of a business – by devising a series of actions that can prevent the disruption of critical business functions.
- Business Recovery: BCM aims at devising plans which keep businesses operational despite all odds. Business Recovery forms one of the most crucial aspects of BCP as the efficiency of an organization depends on its effective business recovery plans which can restore critical business functions and data within acceptable time frame. Depending on the defined recovery strategies, Business Recovery can include temporary manual processing, recovery and operation on an alternate system, or relocation and recovery at an alternate site. Whatever be the mode of recovery, Business Recovery needs to look at various aspects like cost, allowable outage time, and a secure and fast restoration and resumption of business operations.
- Audits: Examining the business continuity process’s readiness; reviewing the documented plans for adequacy and completeness; examining the regular update and relevance of continuity plans; and identifying actions for enhancement of organization through proper risk analysis are all essential components of BCP. These requirements demand the need for auditing, which provides assurance to board on business continuity. Auditing is essential yet complex, encompassing audit planning, scheduling, implementation and management to ensure compliance with BCP. The need of the hour is to implement high quality audit management software which can automate certain aspects of auditing to enhance the efficiency of an organization.
Business Continuity Management (BCM) Challenges :
Terrorist attacks, natural disasters and power breakdowns have made compliance to BCP an indispensable aspect of business planning. However, adhering to the BCP is an uphill task for most organizations. Along with the difficulty in realistically simulating disaster scenarios, there are also various challenges involved in it. That is the reason why many enterprises still side step the issue or hold plans which are out of date or inadequate.
- Conducting Risk Analysis: Simulating disaster scenarios is a tough task for any organization. It involves the time consuming challenge of identifying risks to effectively handle them through risk management techniques. The whole process of risk management in terms of BCP involves moving to the finest details of the data so as to track down all risk factors. A proper risk analysis not only prepares an organization for compliance to BCP, but helps in improving the overall performance and efficiency of the organization.
- Managing Distributed Tasks: BCP brings with it the challenge of organizing the distributed and fragmented data. Every organization has numerous risk management techniques and internal control activities for various purposes, but they are usually not coordinated to act as a whole. This can lead to redundancies and inconsistencies which can hamper an organization’s contingency plan. Organizing distributed activities and data is thus one of the biggest management challenge faced while complying with the BCP.
- Managing Internal Audits: High level internal audits are a must for every organization to comply with regulations along with enhancing their performance through enhanced operational efficiency and risk analysis. However, manual handling of a wide range of audit-related programs processes, and data not only increases management activity but also decreases performance level. The main challenge then for an organization is to automate these manual processes through optimum audit management software solutions which are effective yet cost-friendly.
- Testing and Monitoring: Adhering to the BCP standards is iterative, which requires regular testing and monitoring to ensure BCP is up to date and operational. This also involves the challenge of monitoring the ongoing backup processes so that any backup failure can be rectified before impacting the BCP lifecycle.
- Updating Business Plan regularly: Organizations need to ensure that their business continuity plan is updated according to the changing requirements of their company. It also involves the challenge of hiring and training staff on compliance with BCP and functioning skills, so that business does not get hampered by any disaster.
- Identifying Cost Effective Solution: Gaining maximum from minimum is the general progressive rule of an organization. The main challenge in complying with BCP regulations lies in identifying high performance business continuity solution with lowest cost. The cost aspect is a major challenge with BCP; as Business Continuity Programs are generally viewed as blocked money which provides no return in normal circumstances. This poses a challenge while identifying backup storage systems, which are efficient and robust along with being cost-friendly.
- Ensuring Data Security: When data becomes your invaluable treasure, you face the challenge of ensuring optimum data security by protecting it from unauthorized access and theft. This requires proper encryption techniques and lock mechanisms to ensure that the backed-up data remains safe even if it is kept in remote locations. Companies following conventional manual handling of data are all the more vulnerable to risk of data loss.
- Restoring Data: You need to ensure that your backed-up data is not hardware or platform dependent. This is an essential technical requirement to be kept in mind so that the backed up data can be easily restored when required.
Business continuity is a continuous process, designed to ensure that an organization operates efficiently when times are normal, and continues to do so when the times are turbulent. This implies having a robust business continuity system in place that is continually tested, exercised, and updated. Companies and entities that are new to business continuity often focus their efforts solely within the boundaries of their organization. As their business continuity arrangements mature, these boundaries expand to include supply chain vulnerabilities and threats posed by the activities of other companies located close by. This is where many business continuity frameworks break down. However, profession’s innovators are now starting to acknowledge the importance of having comprehensive solution providers as partners, which helps institutions across the gamut of activities from planning to implementation to monitoring of business continuity strategies within a continuous improvement cycle. It caters to unique business needs seamlessly – whether the need is for point solutions to solve an immediate need or analysis and planning around a total business continuity program.
Any Business Continuity and Disaster Management Plan is not a one-size-fit-all approach, and the result may need to be much more complex in some areas than it is in others. The most important consideration is that key staff are able to enact the plan with minimal prompting at the time of Business Continuity event.
BCP Standards and Extracts: Number of standards for BCP are prescribed by various agencies such as:
- BS 17799 Information Security Standard
- BS 25999 BCP Standard
- ISO 9000:2000
- NFPA 1600
- ISO 17799 Information Security Management Standard.
Terms and Definitions :
- Business Continuity Management Framework: sets out the processes and tools necessary to enable rapid response, recovery and restoration to core business activities.
- Business Continuity Plan (BCP): comprises many elements which, collectively, define the approach to dealing with a break in business continuity, and which prescribes the steps an organization should take to recover lost business functions.
- Corporate Governance: refers to the way in which an Organization is directed and controlled in order to achieve its strategic goals and operational objectives.
- Event: an occurrence that affects/disrupts business operations. Levels of events are categorized as incident/emergency, major incident/emergency or crisis.
- Prioritized Scope: identifies those key priority areas of Organization’s operations for focused Business Continuity Planning efforts.
- Risk Management: the systematic application of management policies, procedures and practices to the tasks of communication, establishing the context, identifying, analyzing, evaluating, treating, monitoring and communicating risks to the attainment of the Organization’s outcomes and outputs.
Risk Management Framework: the structure within an Organization that supports the risk management practice, reporting, responsibilities and accountabilities at all management levels within the enterprise. The risk management framework is a description of streams of accountability and reporting that will support the Risk Management Process within the existing organizational structure.