Business Continuation - The basics according to John Small 2014-02-21


Published on

Business Continuation - The basics according to John Small

Published in: Business
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Business Continuation - The basics according to John Small 2014-02-21

  1. 1. Business Continuation – The Basics Terminology The terms Disaster Recovery and Business Continuation / Business Continuity are sometimes used interchangeably. However, the terms have two very different contexts. In the early days of data processing the mainframe computer was usually housed in a large room with very large windows so everyone could see the computer. This led to the term “Glass House”. The term “DisasterRecovery” originally was associated with restoring the “Glass House” environment. Now the term “Disaster Recovery” is commonly related to the restoration of the IT infrastructure and its many technical components. In today’s complex business work environment we not only have to take the “Glass House” into consideration, but also the client / server computer networks (which are spread all over the place). In today’s complex business environment there is also a particular focus on restoring a Business Unit’s processes and that is commonly referred to as “Business Continuation” or “Business Continuity”. Business Continuation also involves work-area space and needed facilities (i.e., desks, chairs, telephones, office supplies, etc.). Another very important aspect of Business Continuation, which is sometimes overlooked, is the human factor – the Business Unit staff who will actually perform the recovery of the Business Unit’s processes. What is a disaster? When asked about disasters most people normally think of fires, floods, tornadoes, earthquakes, and airplane crashes. These are certainly disasters. However, there are other types of events that many people don’t normally think of, but they can certainly be deemed a disaster too: A building is evacuated because of a gas leak. The building and all its contents are undamaged, but the building and all its contents are placed off-limits. A disgruntle employee sabotages essential computer hardware / software / data. A database becomes hopelessly corrupted. A person digging a ditch with a backhoe cuts a fiber optic cable. Network communications are disrupted. An employee downloads a file from the internet. The file just happens to be infected with a computer virus. The virus is unintentionally introduced into the company’s network and causes a multitude of significant problems.Major portions of the IT infrastructure has to be taken offline during the clean-up process. So, with all this variety taken into consideration, the classic definition of a disaster is:an event, of significantproportion, that disrupts normal business activities for an extended period of time. Page 1 Copyright © 2014 All Rights Reserved. Business As Usual, Inc.
  2. 2. Disasters occur everyday in varying degrees of magnitude. Sometimes there is little or no warning. Sometime there is little, if anything, that you can do to prevent them. However, you and your company do have control over how you can prepare for a disaster. Why do we need Business Continuation? It should be fair to say that most operating companies would like to remain just that – operational. However, statistics have proven that a company experiencing a disaster without a Business Continuation Plan (Plan) usually ceases operating in a relatively short period of time. A prime reason for going out of business is lost computer data. Without critical computer data (i.e., Accounts Receivable, Order Entry, etc.) a company quickly loses its business focus. At least with a Plan a company can cripple along with its few critical processes. This buys time to determine the extent of the damage, estimate the length of the outage, and begin recovery efforts. If you can’t take care of your customers while experiencing a disaster, your competition most certainly will. Once a customer is lost, it is extremely difficult to get them back. Another business function that absolutely needs to continue is Payroll. How long do you think your employees will tolerate not getting paid before they revolt? For publicly owned companies, the fiduciary duty to protect the business and corporate assets continues to gain legal standing. Senior Management may be vulnerable to stockholder’s litigation if reasonable and prudent steps have not been taken to address risks that may threaten the company’s continued operation. In some industries, primarily financial institutions, the Federal Government has mandated that Business Continuation Programs be established and maintained. Senior Management Support An essential part of a successful Business Continuation Strategy is active involvement and support by Senior Management. It is recommended that Senior Management strongly "encourage" Business Unit Managers to incorporate Business Continuation into their day-to-day activities and not treat it as an addon.Even to the point of having Business Continuation as a topic on the Manager’s Annual Performance Review. This incorporation can be a real challenge because Business Unit Managers are quite busy just keeping up with normal day-to-day activities. How is a Business Continuation Strategy developed? A Business Continuation Strategy can be described as a program (a continuous activity) as compared to a project (a one-time activity with a specific start and a specific end). A Business Continuation Strategy has a lifecycle: Business Impact Analysis (B.I.A.) Solutions Planning Exercise Maintenance A Business Continuation Program’s lifecycle is iterative. Once the sequence is finished, it starts over again. So, we’re never really “finished”. Page 2 Copyright © 2014 All Rights Reserved.Business As Usual, Inc.
  3. 3. Business Impact Analysis The classic first step in developing a Plan is conducting a B.I.A. survey. The B.I.A. is a consistent and objective way to gather data regarding a Business Unit and its processes. Elements of risk are also identified. The B.I.A. asks a wide variety of questions. To list only a very few B.I.A. questions: Questions regarding the Business Unit’s mission critical processes: What are these processes? What resources are needed to perform these processes? Who provides inputs to these processes? Who receives the output from these processes? What are the process’s deadlines? How much adverse financial impact (in terms of dollars) would result from this Business Unit’s downtime? What is the bare minimum number of key staff that would be needed to re-establish the Business Unit’s critical processes at the recovery site? Specifically, who will perform these critical processes? Specifically, who are their trained back ups? What computer applications are absolutely critical to the Business Unit’s processes? Who are the Business Unit’s customers and/or contacts (both internal and external to the company) that would be most affected by its downtime? Do you have their contact information stored off-site? Where is the original application software install media stored? Who are your critical vendors? Do you have their contact information stored off-site? What is the maximum amount of downtime that can be tolerated? Any vital documents, reports, or microfiche? If so, what are they and where are they stored? Are there fines or breach of contract conditions that can result from this Business Unit’s downtime? Are there highly modified or one-of-a-kind devices currently in production that are critical to the Business Unit’s operation? If so, do they have back ups? Are the Business Unit’s servers and/or PC hard drives backed up on a regular basis? If so, is the backup media taken to a secure off-site location in a timely manner? Another reason to perform a B.I.A. is to determine the relative degree of criticality of the company’s Business Units. If you asked all the company’s managers about their Business Unit’s degree of “criticality”, they would all say their Business Unit’s processes are very important to the company’s survival. Page 3 Copyright © 2014 All Rights Reserved. Business As Usual, Inc.
  4. 4. Few Managers would like to have their Business Unit referred to as “non-critical”. However, in reality, there will be only a few Business Units that are truly mission critical, there will be many that are fairly important, and several Business Units that are non-critical. The reason for realistically classifying the Business Units to their degree of “criticality” is that you want to recover only the most critical business processes first. Business processes considered less critical can be recovered later in a phased manner. In many cases it is appropriate to tell non-critical Business Unit’s staff to stay home until instructed to return to work or commandeer this staff to assist mission critical Business Units. It is unwise, and probably impossible, to attempt restoring everyone at the same time. The B.I.A. process assists Senior Management in objectively making this criticality evaluation by providing facts and information that can be compared across the wide variety of Business Units. It is common Business Continuation practice to present a report to Senior Management, for their review / approval, that summarizes the B.I.A.’s findings. When is the frequency for conducting B.I.A.s?: It is common Business Continuation practice to conduct a company-wide B.I.A. annually. All departments participate. It is recommended that a Business Unit’s B.I.A. be reviewed anytime there is a major change in their business processes, major changes in computer hardware/software, or when there has been a major Business Unit organizational change (i.e., merger or divestiture, etc.). Any significant changes identified should also be reflected as modifications to the Business Unit’s Plan in a timely manner. Another set of questions normally answered at the preliminary stage is a Risk Assessment. A Risk Assessment asks questions regarding events (i.e., Hurricane, ice/snow, riots, computer hardware failure, flood, etc.) that a particular company location may encounter, an estimate of the probability of an event occurring, and an estimate to the possible level of impact if this event occurs. Solutions Once a determination is made regarding which business units need a Plan, and many low criticality Business Units may not need a Plan, it is determined just what would be the most appropriate response / method(s) for recovering this Business Unit’s processes. These “Solutions” will be the foundation for the subsequent step – the actual writing of the Plan. Several factors are taken into consideration. For example: Based on the B.I.A., how quickly does the Business Unit really need to recover its critical business processes? The term for the recovery time aspect is Recovery Time Objective (R.T.O.). R.T.O. is the maximum length of time, in hours or days, that can elapse before the loss of a business process becomes unacceptable. How much money has been budgeted for the Business Units’ recovery efforts and/or recovery resources? Do mission critical Business Units depend on the output of this Business Unit for their continued processing? Is management willing, based on a cost justification analysis, to assume the risk / consequences of a Business Unit’s processes not being performed in the usual manner? Page 4 Copyright © 2014 All Rights Reserved.Business As Usual, Inc.
  5. 5. Examples of common response solutions: Call Center – Re-route incoming calls to a sister site that handles similar calls. Go to a formal recovery site (i.e., internal/external to the company, or Business Unit staff work from home, etc.) for recovery efforts. “Hold Until Restored” – identify, hold, and manage incoming work until the computer system’s functionality is restored. Work is subsequently processed on a First In / First Out or on a prioritized basis. Planning The classic approach to prepare for a disaster is to create a detailed written Plan for each Business Unit as deemed appropriate via the B.I.A. Plans can be developed in a variety of ways: There are many commercial proprietary software packages that accommodate data input, plan generation, and reporting. Many organizations (both large and small) use Microsoft WORD and/or internally developed templates. There are pro’s / con’s to each of the development methods (i.e., cost, flexibility, maintainability, etc.). Regardless of how the Plan is written, at a minimum, it should answer the following basic recovery questions: 1. Where do we go? There are several generic options: Recovery Sites can have a variety of preparedness: Hot-Site – with minimal preparation; walk in, sit down, and begin processing. Minimal delays are expected before a Business Unit can begin its recovery steps. Warm Site – some recovery resources are in place, but some degree of preparation is still needed (i.e., hardware may need to be reconfigured from a test environment to a production environment, etc.). Some delays can be expected before a Business Unit can begin its recovery steps. Cold Site – The bare basics are in place (i.e., raised floor, HVAC, etc.), but an extensive amount of preparation / build out is still needed in order to become fully functional for a recovery effort. Considerable delays are to be expected before a Business Unit can begin its recovery steps. The degree of preparedness depends on how quickly the Business Unit needs to be back in operation and what kind of budget has been allocated. The cost to recover increases exponentially as the recovery time objective shortens. Page 5 Copyright © 2014 All Rights Reserved.Business As Usual, Inc.
  6. 6. There are several recovery location options available: An external commercial recovery resource provider. For a subscription fee, these companies will provide a wide variety of resources (i.e., hardware, telecomm connectivity, work-area recovery space, system software, mobile recovery units, etc.) needed for a recovery. The recovery resources to be provided are specified in a contract. Recovering companies are responsible for supplying their respective application software, data, and personnel. Reciprocal recovery agreement between two companies or Business Units within a company. The agreement basically says that if one party experiences a disaster it can use the other party’s computer / facility / resources. This alternative is particularly suited to large companies that have large data centers located around the country that can serve as backups for each other. The creation of a Memorandum of Understanding document is common practice to formalize this recovery relationship. The relationship may be bilateral or unilateral. Commandeer internal work-area / resources – It is common for non-critical Business Unit staff’s work-area / resources to be taken over by mission critical Business Units during a recovery effort. With high speed networks and many computer applications being offered via the internet, recovering Business Units’ processes at employees’ homes may be an option. 2.What should we do when we get there? When a Business Unit Manager receives a phone call in the middle of the night informing them that their building is on fire is probably not the best time for them to start thinking about what needs to be done. It is really hard to think clearly, objectively, and rationally in this kind of situation. A better approach is to develop a portion of the Plan that is called the “Day 1 List”. This portion of the Plan summarizes the critical few (no more than 10 – 15) items that MUST be performed in the first twelve hours of a disaster. This way the Business Unit Manager and/or key Business Unit staff can go bing-bing right down the list and not overlook something important. If you can act in an efficient / organized manner in the first twelve hours of a disaster, you’re a long way down the road to survival, and hopefully, to recovery. A major aspect of the “Day 1 List” is contacting a wide variety of persons (internal and external to the Business Unit) and/or organizations and informing them that you are experiencing a problem. This portion of the Plan should detail their contact information (i.e., name, address, telephone number, FAX number, after hours telephone number, email address (office and home), pager number, and cell phone number, etc.). If the person to be contacted is a VIP, who within the organization should make the call? Customers can be very understanding and helpful if they know up front that you are experiencing a problem. However, what they don’t like are surprises. Page 6 Copyright © 2014 All Rights Reserved.Business As Usual, Inc.
  7. 7. 3.What resources are needed at the recovery site? Some needed items (i.e., desk/chairs, PCs, general office supplies, copy of the Plan, etc.) can be pre-staged at the recovery site. However, there are some items (i.e., backup data from off-site storage, special pre-printed forms from your vendor’s warehouse, etc.) that the Business Unit will need to obtain once staff arrives at the recovery site. These items need to be detailed in the Plan along with the vendor’s contact information and the time frame in which the items are needed (i.e., immediate, 1 – 2 days, etc.). Another important aspect of the Plan is to have it stored at several secure off-site locations (i.e., key employees’ homes) so the Plan can be quickly and easily accessed. The Plan should be marked and treated as a confidential document. It is recommended that, on an annual basis, the individual Plans be presented to Senior Management for their review / approval. Exercise The initial writing of the Plan is important, but even more important is subsequent exercising of the Plan. A very lengthy, eloquently worded Plan can be written and place it in a fancy binder, but is this Plan really capable of doing its intended job (i.e., facilitating the recovery of the respective Business Unit’s critical business processes)? There is only one way to find out. Exercise It! As a Plan is exercised there will be items identified that will necessitate additions and/or corrections to the Plan. An exercise program should be established with a crawl, walk, run philosophy in mind. Begin with basic exercise goals and steadily increase the scope and complexity of the exercises over time. This builds confidence of the exercise participants and ferrets out the most basic “Gaps In Excellence” first. There are a variety of ways that a Plan can be exercised: A table-top exercise is conducted. Normally the exercise is set in the context of a specific scenario (i.e., building is inaccessible due to storm damage). Business Unit staff discuss their response participation based on the steps outlined in the Plan. A formal scheduled exercise with limited and specific exercise objectives conducted with a limited number of Business Unit staff. Conducted in anexercise environment. A formal scheduled exercise of all the Business Unit’s mission critical recovery activities conducted by the Business Unit’s key staff. Conducted in anexercise environment. An unscheduled exercise of all the Business Units’ mission critical recovery activities conducted by the Business Unit’s key staff.Conducted in a production environment. This is the ultimate recovery exercise challenge. If the Business Unit’s recovery strategy is “work-from-home”, key staff can work from home on a regular / periodic basis. Processing hitches or irregularities can be noted and addressed along the way. How frequently the Plan is to be exercised depends on the Business Unit’s degree of criticality. Minimally, the Plan should be exercised once a year. For Business Units that are deemed “mission critical” more frequently is recommended. It just depends on the Business Unit’s situation and criticality. Page 7 Copyright © 2014All Rights Reserved.Business As Usual, Inc.
  8. 8. Components of a good exercise: Specific exercise goals set prior to the exercise. Adequate preparation by exercising participants. During the exercise the participants record specific issues that occur, recorded on an Issue Form, in a timely manner. A formal exercise Post-mortem should be conducted by the exercise participants to answer these basic questions: What went well? What didn’t go well? These items can be referred to as “Gaps In Excellence”. Did the actual time for the recovery meet the Business Unit’s stated R.T.O.? The goal of the Post-mortem is not to assign blame or point the finger. The Post-mortem’s goal is to determine how the response / recovery processes can be improved. The outcome of the Post-mortem should be a detailed list of action items needed to address the “Gaps In Excellence”. Each topic should be assigned a responsible person and a deadline for completion. The action items should be completed, at the latest, before the next exercise. It is recommended that the exercise results, Post-mortem documentation, and the improvement action items be presented to Senior Management for their review / approval. Some Business Continuation professionals grade the exercise’s outcome as Pass / Fail. A Pass / Fail grading process can be pretty intimidating, particularly when the exercise results will be presented to Senior Management for their review / approval. A better approach is to treat the exercise and its outcome as a learning experience with the goal of improving the response / recovery process. Maintenance Have you ever seen a Business Unit that didn’t have personnel turnover and/or changes in its business processes? Probably not many. The Plan must be kept current and reflect an accurate picture of the Business Unit, its processes, supporting information, and its recovery / response strategies. Maintenance of the Plan should be periodically performed, minimally once a year, or when there is a significant change of: Business Unit staff computer hardware / software business processes significantBusiness Unit organizational change (i.e., merger or divestiture, etc.) Page 8 Copyright © 2014All Rights Reserved.Business As Usual, Inc.
  9. 9. Summary This article is obviously highly summarized and an over simplification of the Business Continuation Planning process. However, it at least illustrates some of the high-lights of data gathering, data analysis, and thought processes that should go into developing a Business Continuation Strategy. Also, this article is meant to be thought provoking: If your Senior Management asked Business Unit Managers some of the sample B.I.A. questions, what kind of answers do you think they’d get? Is your company / Business Units adequately prepared to address the three basic Business Continuation questions?: Where do we go? What should we do when we get there? What resources are needed at the recovery site? Today’s business environments are very complicated and the recovery window is ever shrinking. This places a great challenge on management to be ready for whatever may come their company’s way. Being prepared for a disaster may mean the difference of the company staying in business or not. If there are any questions, please contact: John Small, CBCP MBCI Business As Usual, Inc. 1926 Honey Laurel Drive Conroe, Texas 77304 Office 972-743-2631 Page 9 Copyright © 2014 All Rights Reserved.Business As Usual, Inc.