Business Continuity Planning
We believe all organisations recognise the importance of having a Business Continuity Plan, however we understand that it can be difficult to know where to start. That’s why we have written this white paper as a guideline for what you should consider when developing your plan.
1. The life cycle of Business Continuity Management (BCM)
Writing a Business Continuity Plan (BCP) is not a one off exercise – it is essential that it becomes embedded in the culture of the organisation and is continually updated to reflect changes in the company and environment.
Don’t try and develop the whole BCP in one go – you will encounter elements which are more challenging than others and need some time to address. Break the project down into phases and concentrate on “quick wins” which you can implement to demonstrate progress and get the attention of staff who need to contribute to the overall solution. This also encourages the culture of BCM being a dynamic and ongoing discipline within the organisation.
2. Assess the potential threats and risks facing your company and analyse their likely impact.
It is daunting to think about the possibility of a disruption preventing your business from operating, but you need to accept that unexpected events can cause turmoil for your business and, statistically, they do happen. Once you have carried out a Risk Assessment (RA) you will be able to better understand the potential impact of risks and then develop a plan that ensures that both your business’s assets and personnel are sufficiently protected. Enter the risks you can identify into the grid below and assess both the likelihood of each happening and the consequences if it does. Remember that not all risks can be anticipated, so try to use generic scenarios such as “what if our premises were destroyed” rather than “what if there was a fire” or “what if a hurricane strikes”.
Then carry out a Business Impact Analysis (BIA) to investigate what action can be taken to mitigate the impact or eliminate the risk, so that “red” entries can be downgraded either by reducing the likelihood of them happening or by making the impact less serious if they do. For example, if loss of comms is a very high probability and would have a very significant impact on your ability to operate, you should consider installing a secondary service as a backup. This additional connection could also be used for load balancing and hence improve productivity under normal business operations, which would help justify the cost of implementing the BCP.
Examples of potential impacts from both identified and unidentified risks to consider include:
• Lost revenue
• Reputational damage
• Unbudgeted costs
• Customer defection/dissatisfaction
• Missed service delivery targets
• Regulatory fines
• Delay/inability to commence future business plans
• Downgraded credit rating
4. Separate Business Continuity from Disaster Recovery
Although these disciplines are very much related, it is important to consider them separately. Business Continuity Planning is intended to prevent the negative consequences of an interruption to operations and enable Business As Usual (BAU). A Disaster Recovery Plan (DRP) focuses on the ability to restore operations to pre-incident status with the minimum of downtime and data loss. Try to separate responsibilities so that one team will focus on keeping the day-to-day business running while another deals with solving whatever has caused the invocation.
5. Identify key resources
While all organisations have operations specific to their business there are certain key things which are constant across all companies.
Staff:
Probably the most important element of every business. Ensure that you have a list of contact details for all members of staff and make sure that it is kept current on a regular basis. Have a strategy in place for being able to communicate with all relevant people quickly and accurately in an emergency situation.
Consider which job functions are critically necessary to continue everyday operations. Make sure key processes are fully documented, with a secure and accessible record of critical passwords, etc. Carry out cross-training to be certain all functions can be fulfilled by more than one member of staff.
Company data:
Your business cannot continue to operate in the short term without immediate access to information such as customer contact details, order status, financial records, etc., so you will need to ensure these can be very quickly recovered as part of your BCP. There are many solutions that can support this requirement, such as hosted applications (also referred to as Cloud Computing), system replication and even “failover”, where your live systems automatically recover immediately in a remote location. In the longer term you will need to have access to information such as contracts and trading history, so this needs to be part of your DRP. Of course, you may be able to implement a single solution that covers both requirements; however, faster recovery typically means a higher cost, so it may be appropriate to have a mixed solution to ensure an appropriate Recovery Time Objective (RTO) and Recovery Point Objective (RPO) for different business functions at a price you can justify commercially. For example, you may decide to host your business-critical applications in an off-site secure data centre with a guaranteed Service Level Agreement (SLA) for power and communications to ensure availability, but it may be satisfactory to simply hold paper copies of important documents in a remote secure storage site.
Premises:
You should decide in advance where your core business will operate from in the event of not being able to work in your normal premises. While some members of staff may be able to work from home in the short term, it is not a viable alternative for running your company, which can be challenging enough when everyone is in the same office. Furthermore, you have no control over the confidentiality of data, which has serious security implications at a time when your business is particularly vulnerable. Have contracts in place that entitle you to use alternative premises so that you can invoke immediately without having to investigate availability and get agreement, which you realistically won’t have time to do in an emergency scenario. Test regularly to make sure you can carry out business-critical activities from your alternative premises; it is no good relocating to somewhere that does not have sufficient physical capacity, connectivity or power. Ensure the staff who would be required to work from the site know how to get there and are comfortable with being based there – if you don’t have their cooperation the recovery plan simply won’t work.
Equipment:
Identify what equipment is essential to the day-to-day running of your business and plan where you could get replacements from in an appropriate timescale. If availability in an emergency does not fit your RTO then consider holding spares at a remote location, or taking out a contract with another company who uses similar equipment and could provide you with a guaranteed interim service.
6. Document the BCP
Use the KISS principle (Keep It Simple Stupid) – a huge document will just be ignored in an emergency. Concentrate on the basic information and make it easy to navigate.
Start with who has authority to invoke the plan and who has specific responsibility for making each part of it happen. Try and work with job titles rather than individual names so the plan doesn’t need to be amended when staff change jobs. Don’t try and document exact details of what they should do, as the actions required may vary in the particular scenario you find yourself in; if you pick the right people they will be able to make the necessary decisions and get on with managing their specific responsibilities.
Include a list of critical suppliers and partners with full contact information. If it is only stored on your system, which no longer exists – well, enough said!
Involve the relevant people in the production of the BCP so they are comfortable with the responsibility and actions required from them.
Publish the document and make sure there is a form of version control so everyone knows they are working from the same version. Distribute the document to each of your relevant staff members and make sure there is at least one copy stored off site that people know where to find in an emergency.
across the organisation so that any changes introduced into the business are reflected in the recovery strategy.
Test the plan using a worst case scenario such as catastrophic loss of premises and assets. Gather feedback from all participants and update the BCP to reflect any shortfall in RTO and RPO.
Regularly review and update the BCP to ensure it still meets your recovery requirements and to highlight its importance to key personnel.
7. Benefits of implementing a BCP
Your auditors should be asking about your business resilience and ability to meet your SLAs and commitments in any event. Showing you have a proven BCP in place will “tick the box” for this requirement.
Use it as a marketing tool to differentiate between you and your competitors to win (or retain) customers.
And don’t forget to have a chat with your insurance broker about how you have reduced the likelihood of making an expensive claim on your Business Interruption policy, and therefore their liability to pay you compensation – you may find they will discount your premium, which again will contribute to any costs involved in implementing your BCP.