Ensuring Business Continuity

Introduction:

Last year’s terrorist attacks in the US have forced many organizations to critically reevaluate the adequacy of their existing business continuity plans and disaster recovery arrangements. The tragedy highlighted how important it is for organizations to remain commercially operational under even the most exceptional circumstances. E-business, which relies heavily on IT, is particularly vulnerable, because IT failures directly limit the capability to generate revenue.

The thoroughgoing approach to business continuity planning (BCP) that I present here—called the BCP cycle—can help you avoid those pitfalls. The BCP cycle is generic enough to have practical value in a wide range of IT-related organizations, and it is process-oriented, ensuring well-guided BCP efforts and tangible results.

Business Continuity Planning Cycle:

BCP is a cyclical process; an organization should review its business continuity plan whenever it introduces changes to the business or alters its business priorities. I see the BCP process as a cycle of eight core steps, as depicted in Figure 1.

Business Continuity Planning

Figure 1 shows two concentric rings. The inner ring describes the core BCP process. Inseparable from BCP is the concept of business recovery planning (BRP). Even when an organization can ensure business continuity, typically with backup resources, at some point it must also recover its previous, fully functional state. The outer ring depicts the BRP process. As an organization works through each core BCP step, it must, at the same time, address BRP.

Central to the BCP cycle is the business continuity policy, which defines the organization’s holistic approach to business continuity.

The key areas covered in a good business continuity policy include:

    • Contact Points—who to contact during office hours, outside office hours, and in an emergency;
    • Roles and Responsibilities—a well-defined organizational structure for the business continuity and recovery teams;
    • Risk Levels—a categorization of business risks and the level of risk the organization deems acceptable;
    • Continuity and Recovery Service Levels—how much time is acceptable for responding to threats, implementing continuity plans, and recovering from failure scenarios;
    • Business Continuity Reviews—how and when the organization reviews business continuity plans;
    • Business Continuity Processes—processes and procedures that inform staff how to react to and handle particular failure scenarios;
    • Incident Reporting and Documentation—methods of recording and documenting incidents and responses to them;
    • Testing—acceptance criteria and testing requirements for the business continuity plan; and
    • Training—training requirements for staff involved in business continuity and disaster recovery processes.

Common Pitfalls in the Business Continuity Planning Process:

    • Incomplete: The BCP process is not complete. Outputs such as the business continuity plan and policy either do not exist or exist in incomplete form.
    • Inadequate: The plan and strategies can’t deal with the level of risk that the organization deems acceptable.
    • Impractical: The plan is not practical or achievable within the organization’s constraints (manpower, time, and budget, for example).
    • Overkill: The plan is overly elaborate or costly with respect to the overall level of business risk that the organization is willing to take.
    • Uncommunicated: The business continuity team has not communicated the plan to all the right people. Staff—both management and technical—remains unaware of business continuity issues.
    • Lacking a Defined Process: Business continuity processes remain ill defined. Staffers are unsure of how to react in a failure scenario, or they discover too late that their existing processes fall short.
    • Untested: The organization hasn’t tested its plan, or hasn’t tested it thoroughly enough to provide a high level of confidence in its soundness.
    • Uncoordinated: The business continuity effort lacks organization and coordination. The organization has either not established a business continuity team, or the team lacks individuals who can effectively drive the effort to completion.
    • Out of Date: The plan hasn’t been reviewed or revised in light of changes in the organization, its business, or technology.
    • Lacking in Recovery Thinking: The organization doesn’t adequately address how it intends to recover to a fully operational state after executing its business continuity plans.