In preparing for battle I have always found that plans are useless,
but planning is indispensable.
…….. General Dwight Eisenhower
No business can afford to have the lights off, not for a second! One can monitor and reduce risk, but incidents will happen. What is Business Continuity Management : Organization’s business strategies and decisions are based on the assumption that the Organization will continue to operate as normal on a daily basis. While Risk Management is about identifying possible risks and putting into place treatments to try to prevent an occurrence that impacts on its operations, Business continuity Management (BCM) detail s the necessary procedures and strategies that are to be auctioned should an actual disruption occur. The objectivbe of Business Continuity Management is to ensure the uninterrupted availability of all key business resources required to support essential (or critical) business activities. The Business Continuity Management framework sets out the process and tools necessary to enable rapid response to incidents, recovery of key processes and restoration to the core business activities (Business As Usual). The Business Continuity Management Framework is based on the preparation of :
- Business continuity Plans (BCP) for key areas and activities of the Organization
- Disaster recovery planning for critical infrastructure and resources
- Communication and media liaison strategies, and
- Crises management and recovery, and emergency planning.
- Recognize the risks and impacts, key resources and core processes
- Respond to the event; protect life, property, systems and other resources
- Recover the resources, systems and processes
- Restore to full operations, and
- Review response, test preparedness and recalibrate planning.
|Minor Incident||A Minor incident or outage within a single area or process, insignificant or minor impact on the organization. However, Multiple or ongoing incidents may have a cumulative effect, becoming a major incident or crisis.|
|Critical incident||A Critical incident or outage where key business process are disrupted or resources are lost, has a moderate or major impact on the organization. May affect external areas.|
|Najor Critical Incident||A Major Critical Incident, or series of incidents, that have the potential for extreme impact on processes, resources and the Organization’s long term prospects or reputation. May affect external areas.|
- Environmental Disasters: Tornado, Hurricane, Flood, Snowstorm, Drought, Earthquake, Electrical storms, Fire, Subsidence and Landslides, Freezing conditions, Contamination and environmental hazards, Epidemic.
- Organized and/or Deliberate Disruption: Act of terrorism, act of sabotage, act of war, theft, arson, labor disputes / industrial action.
- Loss of Utilities and Services: Electrical power failure, loss of gas supply, loss of water supply, petroleum and oil shortage, communications services breakdown, loss of drainage / waste removal
- Equipment or System Failure: Internal power failure, air conditioning failure, production line failure, cooling plant failure, equipment failure (excluding IT hardware)
- Serious Information Security Incidents: Cybercrime, Loss of records or data, Disclosure of sensitive information, IT system failure.
- Other Emergency situation: Workplace violence, Public transportation disruption, Neighborhood hazard, Health and safety regulations, Employee morale, Mergers and acquisitions, Negative publicity, legal problems.
- Communication/ Coordination Plan: Communication is the key in any crisis. The Communication and Coordination plan establishes the communication channels to be used during the execution of a BCP; determines a chain of command for coordination of the BC effort; defines authorized media contacts; and includes notification procedures for key suppliers, vendors and clients.
- Emergency Response Plan: The Emergency Response Plan specifies responses to the emergency situations, which are defined as risks that pose a danger to life, property, or the environment. This includes Emergency Notification tools like Email, Phone, SMS, FAX or Pager.
- Risk Mitigation Plan: Organizations, today, are taking a comprehensive and methodical approach to risk mitigation to ensure their business continuity. By developing, implementing and testing risk mitigation strategies, they provide their business with a level of resiliency and operational insurance which positions their business to continue, perform and succeed against unexpected threats. A viable Business Continuity plan involves a detailed plan for risk identification, prioritization, monitoring, and mitigation as a part of project planning. It covers all business units, verticals, service offerings, support groups and subsidiaries; and offer a deeper, more diverse, and quantified feedback on risks. This enables organizations to address the actual and the potential risk events in a systematic manner.
- Business Continuity Plan: The value of a business continuity plan can never be exaggerated. Business Continuity plan is one of the pillars in the overall framework of Project Business Continuity Management. Organization should develop a comprehensive BCP based on the size and complexity of the institution. The goal of the BCP should be to minimize losses to the institution, serve customers with minimal disruptions, and mitigate the negative effects of disruptions on business operations.
- Pandemic Plan: BCP planning cannot be restricted only to breakdown of critical operations and controls. Business can also get hampered in the event of a pandemic, which leads to human-resource disruption. An absence of staff can result in stalling of key functionalities which are important to keep an organization functional. It thus becomes important to prepare your company for organizational downtime during the health crisis; by considering the risk of pandemic outbreak while planning for business continuity.
- Contingency Plan: The key to attain and sustain success is by being prepared for the unexpected. Contingency planning is thus imperative for every organization so that they can have advance plans and strategies ready, to effectively handle unexpected problems, emergencies and catastrophic events. This is an important component of BCP which ensures the continuity and survival of a business – by devising a series of actions that can prevent the disruption of critical business functions.
- Business Recovery: BCM aims at devising plans which keep businesses operational despite all odds. Business Recovery forms one of the most crucial aspects of BCP as the efficiency of an organization depends on its effective business recovery plans which can restore critical business functions and data within acceptable time frame. Depending on the defined recovery strategies, Business Recovery can include temporary manual processing, recovery and operation on an alternate system, or relocation and recovery at an alternate site. Whatever be the mode of recovery, Business Recovery needs to look at various aspects like cost, allowable outage time, and a secure and fast restoration and resumption of business operations.
- Audits: Examining the business continuity process’s readiness; reviewing the documented plans for adequacy and completeness; examining the regular update and relevance of continuity plans; and identifying actions for enhancement of organization through proper risk analysis are all essential components of BCP. These requirements demand the need for auditing, which provides assurance to board on business continuity. Auditing is essential yet complex, encompassing audit planning, scheduling, implementation and management to ensure compliance with BCP. The need of the hour is to implement high quality audit management software which can automate certain aspects of auditing to enhance the efficiency of an organization.
- Conducting Risk Analysis: Simulating disaster scenarios is a tough task for any organization. It involves the time consuming challenge of identifying risks to effectively handle them through risk management techniques. The whole process of risk management in terms of BCP involves moving to the finest details of the data so as to track down all risk factors. A proper risk analysis not only prepares an organization for compliance to BCP, but helps in improving the overall performance and efficiency of the organization.
- Managing Distributed Tasks: BCP brings with it the challenge of organizing the distributed and fragmented data. Every organization has numerous risk management techniques and internal control activities for various purposes, but they are usually not coordinated to act as a whole. This can lead to redundancies and inconsistencies which can hamper an organization’s contingency plan. Organizing distributed activities and data is thus one of the biggest management challenge faced while complying with the BCP.
- Managing Internal Audits: High level internal audits are a must for every organization to comply with regulations along with enhancing their performance through enhanced operational efficiency and risk analysis. However, manual handling of a wide range of audit-related programs processes, and data not only increases management activity but also decreases performance level. The main challenge then for an organization is to automate these manual processes through optimum audit management software solutions which are effective yet cost-friendly.
- Testing and Monitoring: Adhering to the BCP standards is iterative, which requires regular testing and monitoring to ensure BCP is up to date and operational. This also involves the challenge of monitoring the ongoing backup processes so that any backup failure can be rectified before impacting the BCP lifecycle.
- Updating Business Plan regularly: Organizations need to ensure that their business continuity plan is updated according to the changing requirements of their company. It also involves the challenge of hiring and training staff on compliance with BCP and functioning skills, so that business does not get hampered by any disaster.
- Identifying Cost Effective Solution: Gaining maximum from minimum is the general progressive rule of an organization. The main challenge in complying with BCP regulations lies in identifying high performance business continuity solution with lowest cost. The cost aspect is a major challenge with BCP; as Business Continuity Programs are generally viewed as blocked money which provides no return in normal circumstances. This poses a challenge while identifying backup storage systems, which are efficient and robust along with being cost-friendly.
- Ensuring Data Security: When data becomes your invaluable treasure, you face the challenge of ensuring optimum data security by protecting it from unauthorized access and theft. This requires proper encryption techniques and lock mechanisms to ensure that the backed-up data remains safe even if it is kept in remote locations. Companies following conventional manual handling of data are all the more vulnerable to risk of data loss.
- Restoring Data: You need to ensure that your backed-up data is not hardware or platform dependent. This is an essential technical requirement to be kept in mind so that the backed up data can be easily restored when required.
- BS 17799 Information Security Standard
- BS 25999 BCP Standard
- ISO 9000:2000
- NFPA 1600
- ISO 17799 Information Security Management Standard.
- Business Continuity Management Framework: sets out the processes and tools necessary to enable rapid response, recovery and restoration to core business activities.
- Business Continuity Plan (BCP): comprises many elements which, collectively, define the approach to dealing with a break in business continuity, and which prescribes the steps an organization should take to recover lost business functions.
- Corporate Governance: refers to the way in which an Organization is directed and controlled in order to achieve its strategic goals and operational objectives.
- Event: an occurrence that affects/disrupts business operations. Levels of events are categorized as incident/emergency, major incident/emergency or crisis.
- Prioritized Scope: identifies those key priority areas of Organization’s operations for focused Business Continuity Planning efforts.
- Risk Management: the systematic application of management policies, procedures and practices to the tasks of communication, establishing the context, identifying, analyzing, evaluating, treating, monitoring and communicating risks to the attainment of the Organization’s outcomes and outputs.
Author : Lajpat Ray Chandnani