Business Continuity Planning

Academic year: 2021

We believe all organisations recognise the importance of having a Business Continuity Plan; however, we understand that it can be difficult to know where to start. That’s why we have written this white paper as a guideline for what you should consider when developing your plan.

1. The life cycle of Business Continuity Management (BCM)

Writing a Business Continuity Plan (BCP) is not a one-off exercise – it is essential that it becomes embedded in the culture of the organisation and is continually updated to reflect changes in the company and environment.

Don’t try and develop the whole BCP in one go – you will encounter elements which are more challenging than others and need some time to address. Break the project down into phases and concentrate on “quick wins” which you can implement to demonstrate progress and get the attention of staff who need to contribute to the overall solution. This also encourages the culture of BCM being a dynamic and ongoing discipline within the organisation.

   


 

2. Assess the potential threats and risks facing your company and analyse their likely impact.

It is daunting to think about the possibility of a disruption preventing your business from operating but you need to accept that unexpected events can cause turmoil for your business and statistically they do happen. Once you have carried out a Risk Assessment (RA) you will be able to better understand the potential impact of risks and then develop a plan that ensures that both your business’s assets and personnel are sufficiently protected. Enter the risks you can identify into the grid below and assess both the likelihood of them happening and the consequences if they should. Remember that not all risks can be anticipated so try to use generic scenarios such as “what if our premises were destroyed” rather than “what if there was a fire” or “what if a hurricane strikes”.

Then carry out a Business Impact Analysis (BIA) to investigate what action can be taken to mitigate the impact or eliminate the risk so that “red” entries can be downgraded either by reducing the likelihood of them happening or making the impact if they do happen less serious. For example, if loss of comms is a very high probability and would have a very significant impact on your ability to operate you should consider installing a secondary service as a backup. This additional connection could also be used for load balancing and hence improve productivity under normal business operations which would help justify the cost of implementing the BCP.


 

Examples of potential impacts from both identified and unidentified risks to consider include:

• Lost revenue
• Reputational damage
• Unbudgeted costs
• Customer defection/dissatisfaction
• Missed service delivery targets
• Regulatory fines
• Delay/inability to commence future business plans
• Downgraded credit rating

   

4. Separate Business Continuity from Disaster Recovery

Although these disciplines are very much related, it is important to consider them separately. Business Continuity Planning is intended to prevent the negative consequences of an interruption to operations and enable Business As Usual (BAU). A Disaster Recovery Plan (DRP) focuses on the ability to restore operations to pre-incident status with the minimum of downtime and data loss. Try to separate responsibilities so that one team will focus on keeping the day-to-day business running while another deals with solving whatever has caused the invocation.

   

5. Identify key resources

While all organisations have operations specific to their business there are certain key things which are constant across all companies.

Staff:

Probably the most important element of every business. Ensure that you have a list of contact details for all members of staff and make sure that it is kept current on a regular basis. Have a strategy in place for being able to communicate with all relevant people quickly and accurately in an emergency situation.


Consider which job functions are critically necessary to continue everyday operations. Make sure key processes are fully documented with a secure and accessible record of critical passwords, etc. Carry out cross training to be certain all functions can be fulfilled by more than one member of staff.

Company data:

Your business cannot continue to operate in the short term without immediate access to information such as customer contact details, order status, financial records, etc., so you will need to ensure these can be very quickly recovered as part of your BCP. There are many solutions that can support this requirement such as hosted applications (also referred to as Cloud Computing), system replication and even “failover” where your live systems automatically recover immediately in a remote location. In the longer term you will need to have access to information such as contracts and trading history so this needs to be part of your DRP. Of course, you may be able to implement a single solution that covers both requirements; however, faster recovery typically means a higher cost so it may be appropriate to have a mixed solution to ensure an appropriate Recovery Time Objective (RTO) and Recovery Point Objective (RPO) for different business functions at a price you can justify commercially. For example, you may decide to host your business critical applications in an off-site secure data centre with a guaranteed Service Level Agreement (SLA) for power and communications to ensure availability but it may be satisfactory to simply hold paper copies of important documents in a remote secure storage site.

 

Premises:

You should decide in advance where your core business will operate from in the event of not being able to work in your normal premises. While some members of staff may be able to work from home in the short term, it is not a viable alternative for running your company which can be challenging enough when everyone is in the same office. Furthermore, you have no control over the confidentiality of data which has serious security implications at a time when your business is particularly vulnerable. Have contracts in place that entitle you to use alternative premises so that you can invoke immediately without having to investigate availability and get agreement which you realistically won’t have time to do in an emergency scenario. Test regularly to make sure you can carry out business critical activities from your alternative premises; it is no good relocating to somewhere that does not have sufficient physical capacity, connectivity or power. Ensure the staff who would be required to work from the site know how to get there and are comfortable with being based there – if you don’t have their cooperation the recovery plan simply won’t work.

 

Equipment:

Identify what equipment is essential to the day-to-day running of your business and plan where you could get replacements from in an appropriate timescale. If availability in an emergency does not fit your RTO then consider holding spares at a remote location, or taking out a contract with another company who uses similar equipment and could provide you with a guaranteed interim service.

   

6. Document the BCP

Use the KISS principle (Keep It Simple Stupid) - a huge document will just be ignored in an emergency. Concentrate on the basic information and make it easy to navigate.

Start with who has authority to invoke the plan and who has specific responsibility for making each part of it happen. Try and work with job titles rather than individual names so the plan doesn’t need to be amended when staff change jobs. Don’t try and document exact details of what they should do as the actions required may vary in the particular scenario you find yourself in; if you pick the right people they will be able to make the necessary decisions and get on with managing their specific responsibilities.

Include a list of critical suppliers and partners with full contact information. If it is only stored on your system which no longer exists – well, enough said!

Involve the relevant people in the production of the BCP so they are comfortable with the responsibility and actions required from them.

Publish the document and make sure there is a form of version control so everyone knows they are working from the same version. Distribute the document to each of your relevant staff members and make sure there is at least one copy stored off site that people know where to find in an emergency.

 


across the organisation so that any changes introduced into the business are reflected in the recovery strategy.

Test the plan using a worst case scenario such as catastrophic loss of premises and assets. Gather feedback from all participants and update the BCP to reflect any shortfall in RTO and RPO.

Regularly review and update the BCP to ensure it still meets your recovery requirements and highlights its importance to key personnel.

   

7. Benefits of implementing a BCP

Your auditors should be asking about your business resilience and ability to meet your SLAs and commitments in any event. Showing you have a proven BCP in place will “tick the box” for this requirement.

Use it as a marketing tool to differentiate between you and your competitors to win (or retain) customers.

And don’t forget to have a chat with your insurance broker about how you have reduced the likelihood of making an expensive claim on your Business Interruption policy and therefore their liability to pay you compensation – you may find they will discount your premium which again will contribute to any costs involved in implementing your BCP.
