What is Business Continuity Planning?
August 27, 2015
This is the question our very own Claude Williams helped answer at last night’s ISSA Baltimore Chapter’s meeting in his talk, “The Business of Business Continuity: A Business Continuity Planning Overview.”
What is business continuity?
The goal of business continuity is to essentially keep business going to minimize the monetary repercussions of a disaster. Specifically business continuity plans look to:
- Reduce the opportunity for business interruption
- Reduce operational and financial impact of disruptions
- Improve the ability to generate revenue during an incident
Additionally, an organization’s business continuity plan needs to support the organization’s other processes, specifically those of incident, risk and information security management. There may also be regulatory compliance that needs to be met through a business continuity plan. NIST is one agency that offers their own breakdown on how to create a business continuity plan.
Who is involved in business continuity?
A well crafted BCP probably affects most of the organization in one way or another. As far as formulating the plan itself, the main players include:
- The business continuity manager
- Senior management/executive leadership to sign off on the plan
- Functional leadership
- The plan’s process owners
Once the plan is in place, all staff affected by it need to be aware of the plan and receive training on how to properly carry out its steps.
What are the steps in developing a BCP?
A BCP is the solution after careful analysis on the potential risks a business faces and an interpretation of the impact each of those risks may have. Watch below as Claude describes the potential for the risk of his house burning down in relation to the impact that event would cause on his life.
A BCP then takes that combination of risk and impact to identify the potential areas for greatest disaster and crafts a response that would help minimize that impact.
What is a Business Impact Analysis (BIA)?
The BIA is a part of the risk analysis step in formulating a BCP and it looks to assigning qualitative and quantitative values to each of the company’s assets that may be affected by a given disaster. During the BIA phase the goal is to:
- Identify a company’s critical systems needed for survival
- Understand how the company would be impacted by different identified threats
- Gather quantitative and qualitative information on impact
- Identify areas that would suffer greatest financial and operational loss
- Estimate outage time that can be tolerated as a result of a disaster or disruption (MTD)
- Compile resource requirements including recovery point objective (RPO)
- Identify recovery alternatives
- Document and submit for approval
When it comes to selling a BCP to management, numbers always win. If you can estimate the operational and monetary values associated with a flood wiping out one of your facilities, it makes it harder for management not to give thought to a BCP that can help minimize impact.
What levels of disaster should be planned for?
The easy answer is all levels of disaster should have a plan. The formal answer is there are three levels:
- Non-disaster i.e. server goes down
- Disaster i.e. pipe bursts preventing the office from being used for a few days
- Catastrophe i.e. a tornado wipes out an entire facility and all equipment inside
Each disaster obviously has their own recovery needs, but each should have a clear plan for recovery. Every department needs their own plan for recovery since they each have their own unique processes they need to tend to.
What is the format of the plan?
Once you perform your BIA and you have your understanding of your disaster potentials, you can leverage your research to craft your department’s recovery plan. There is no right or wrong way because it end ups being customized to your department’s specific impact level and needs. Here is a general outline you can leverage for guidance:
- Supporting Info – this section gives the backdrop of the damage incurred
- Process for Activation – this section includes how to notify those involved and how to kick start the BCP into action
- Recovery – this is the area that outlines your plans for recovering business to be operational again as soon as possible
- Restoration – this part will outline how you start building up the business back to pre-disaster levels
- Appendix – just as the name implies, this section is filled with the little extras that enhance the full BCP
Practice makes perfect
As with any good plan, practice makes perfect. However, in the event of the disaster, nothing goes perfectly so planning is even more important to ensure that at least some of the processes go into effect properly and business can resume as quickly as possible.
This post is adapted from content related to the EC-Council Disaster Recovery Professional (EDRP) training course.
For more information about this training, contact a training consultant at 240-667-7757.