RSM Astute Consulting Group
Indian member of RSM International
Personnel strength of over 1,000
Consistently ranked amongst India's top 6 Accounting and Consulting groups
(Source: International Accounting Bulletin - 2010, 2011 & 2012)
Nationwide presence

RSM International
Annual combined fee income of US$ 4 billion
700 offices across 106 countries
Personnel strength of 32,000
International delivery capabilities
www.astuteconsulting.com

RSM Astute Consulting - Business Continuity Plan
BUSINESS DISRUPTIONS IN DIGITAL AGE

Blackberry Services, Global
- The core network switch failed in the Blackberry infrastructure in 2011. At the same time, the back-up switch also could not take over operations.
- It was suspected that the database that acts as the 'brain' of the network function also had to be restored from a corrupt version.
- Messaging and browsing delays were experienced by BlackBerry users in Europe, the Middle East, Africa, India, Brazil, Chile and Argentina for almost 72 hours.

Airtel India
- A fire broke out in Mumbai-area premises due to a short circuit in common power cables in December 2011. Airtel, providing telecommunication services to its customers, was operating in the same premises.
- This created a network outage and disrupted mobile services for many of the company's customers for several hours.
- The company had to shift some of its equipment to a redundancy site.

Royal Bank, Scotland
- Application systems and payment systems failed in Royal Bank of Scotland during 2012-13.
- Millions of customer accounts were frozen due to the failures.
- Customers were denied access to their accounts.
- Customers could not use their cards for transactions for more than a week.

World Trade Center, USA
- The U.S. witnessed a terror attack on the World Trade Centre on 11 September 2001.
- This incident shattered the beliefs of organizations about their ability to survive, communicate, invoke emergency response and restore systems.
- Assumptions about single points of failure went wrong.
- Except for a few organizations with mirrored data centers, there was near complete loss of data for the others, paralyzing operations.
- Succession planning and post-traumatic disorders impacted long-term survival.
Triple Disaster, Japan
- Global production supply chain impact for months; economy loss around US$ 360 billion.
- US$ 78 billion of oil imports to sustain power resulted in a trade deficit.
- Post-recovery studies pointed to the need for "use of information technology for intelligent tools, increased connectivity with the rest of Asia and efforts to increase information availability."

Cyber War, South Korea
- Cyber war in South Korea in March 2013 paralyzed a television station and multiple banks due to the explosion of a "time bomb" in the form of a deadly virus.
- Payment systems, mobile payments, internet banking and ATM systems were crippled.
- Bank branch operations of some banks came to a grinding halt.
- Investigations of the "virtual traces" suspected the possibility of an "enemy act".

IT Service Provider, Sweden
- A global IT service provider in Sweden witnessed multi-dimensional hardware failure in 2011, impacting more than 50 customers simultaneously and having a cascading effect on their clients.
- Operations of pharmacies, financial companies, local municipal service providers, on-line school managements, vehicle inspection units and infrastructure monitoring service providers were affected on a large scale.
- Civil life was disrupted for two days, resulting in a near emergency situation.
Table of Contents

Chapter 1: Continuity Plan - Business Need (1-10)
1.1 Arrival Of Digital Age 2
1.2 Business Continuity Plan As An Imperative 3
1.3 Widespread Impact For Stakeholders 7
1.4 Reasons And Consequences Of Disruption 9

Chapter 2: Defining Business Continuity Policy (11-22)
2.1 Early Warning Signals 12
2.2 Business Continuity: Preliminary Analysis 15
2.3 Defining Business Continuity Policy 21

Chapter 3: Implementing Business Continuity Plan (23-38)
3.1 Planning And Support 24
3.2 Business Impact Analysis 26
3.3 Recovery Strategies 28
3.4 Recovery Plans 32
3.5 Exercising And Testing 34
3.6 Pre-incidental Surveillance 36
3.7 Effective Communication 36
3.8 Exception Handling 37
3.9 Certifying Business Continuity Plans 38

Chapter 4: Technology Trends Impacting Business Continuity Considerations (39-43)
4.1 Using Mobile Work Force For Recovery 40
4.2 Cloud Based Disaster Recovery 41
4.3 End User Mobile Devices And Social Media 41
4.4 Big Data 41
4.5 Globally Connected Devices 42

Chapter 5: Sustaining Business Continuity Plan (44-56)
5.1 Aligning Business Continuity With Change Dynamics 45
5.2 BCP Testing - An Everyday Affair 46
5.3 BCP And Operational Efficiency 46
5.4 Economics Of BCP 50
5.5 Business Disruption Insurance 52
5.6 Industry-wide BCP Drills 52

Annexures
I Glossary 57
II Structure Of ISO Standard 22301:2012 59
III Certain Laws And Regulations Related To Business Continuity 60
Chapter 1: Continuity Plan - Business Need

1.1 Arrival Of Digital Age

Business enterprises have witnessed a remarkable transformation in the recent past due to the adoption of Information Technology. The success of any organization today depends on its ability to harness the potential of an interconnected and technology-driven world. Some of the trends that have influenced and shaped business models today are illustrated below:

- Increase in size, scale and complexity of businesses enabled by technology platforms.
- Widespread use of Enterprise Resource Planning, Customer Relationship Management, Business Intelligence Systems, Decision Support Systems and highly automated financial systems.
- Ability of the business to reach customers globally through multiple channels including ATMs, kiosks, internet, mobile and social media.
- Highly interconnected global network of business partners, suppliers, customers, service providers, government and regulatory agencies.
- 24 x 7 operations, competitive pricing, end point delivery focus and customized servicing.
- Rise in volume and velocity of local as well as cross-border transactions and all associated operational and control mechanisms.
- Government, legal and administrative machinery moving to e-governance mode, further aiding the process of automation as well as controls.

These transformations are applicable to all organizations and industries across the globe, irrespective of the nature of the business.

With deep penetration of technologies due to the mobile revolution and social media, technology has reached the masses. Disparities due to the digital divide are shrinking. The digital era has arrived in all spheres of life, in all strata of society, across the globe.

The ubiquitous nature of Information Technology is a fact of the modern world. For financial institutions, travel businesses, healthcare, telecommunications and entertainment industries, the availability and accessibility of information on a moment-to-moment basis across the globe, through all channels and media, has become the lifeline.
Organizations are realizing that any business disruption caused by failure of an information technology system has severe business implications and financial impact. As such, the need for "Business Continuity Planning" in this digital era for a business enterprise can hardly be over-emphasized. Organizations need to think through the implications if there is a sudden disruption of all or any specific services from any location. As a business owner, you need to be watchful of the events happening around you.

1.2 Business Continuity Plan As An Imperative

1.2.1 Illustrations and surveys

Virgin Airlines, USA
- Hardware failure in 2010 in Virgin Blue airline led to mission-critical application unavailability.
- Internet booking, reservations, check-in and boarding systems were disrupted.
- Business was interrupted for 11 days, affecting around 50,000 passengers and 400 flights.
- The total loss estimate was USD 20 million.

New York Times, USA
- The New York Times' website was taken offline for several hours and was redirected to suspected Syrian Electronic Army (SEA) servers.
- Several system addresses and links were updated by hackers.
- Attempts to hack the Washington Post were made.
- Operations of the media were completely affected.
- The culprits belonged to a political outfit in Syria that is opposed to specific media groups.

Cyber War, South Korea
- Cyber war in South Korea in March 2013 simultaneously paralyzed a television station and multiple banks due to the explosion of a "time bomb" in the form of a deadly virus.
- Payment systems, mobile payments, internet banking and ATM systems were crippled.
- Bank branch operations of some banks came to a grinding halt.
- Investigations of the "virtual traces" suspected the possibility of an "enemy act".

IT Service Provider, Sweden
- A global IT service provider in Sweden witnessed multi-dimensional hardware failure in 2011, impacting more than 50 customers simultaneously and having a cascading effect on their clients.
- Operations of pharmacies, financial companies, local municipal service providers, on-line school managements, vehicle inspection units and infrastructure monitoring service providers were affected on a large scale.
- Civil life was disrupted for two days, resulting in a near emergency situation.

Royal Bank, Scotland
- Application systems and payment systems failed in Royal Bank of Scotland during 2012-13.
- Millions of customer accounts were frozen due to the failures.
- Customers were denied access to their accounts.
- Customers could not use their cards for transactions for more than a week.

World Trade Center, USA
- The U.S. witnessed a terror attack on the World Trade Centre on 11 September 2001.
- This incident shattered the beliefs of organizations about their ability to survive, communicate, invoke emergency response and restore systems.
- Assumptions about single points of failure went wrong.
- Except for a few organizations with mirrored data centers, there was near complete loss of data for the others, paralyzing operations.
- Succession planning and post-traumatic disorders impacted long-term survival.

Triple Disaster, Japan
- The global production supply chain was impacted for months; the economy loss estimate was around $360 billion.
- $78 billion of oil imports to sustain power resulted in a trade deficit.
- Various studies conducted post recovery considered the use of information technology for "intelligent tools", "increased connectivity with the rest of Asia" and "efforts to increase information availability".

Airtel India
- A fire broke out in Mumbai-area premises due to a short circuit in common power cables in December 2011. Airtel, providing telecommunication services to its customers, was operating in the same premises.
- This created a network outage and disrupted mobile services for many of the company's customers for several hours.
- The company had to shift some of its equipment to a redundancy site.

Blackberry Services, Global
- The core network switch failed in the Blackberry infrastructure in 2011. At the same time, the back-up switch also could not take over operations.
- It was suspected that the database that acts as the 'brain' of the network function also had to be restored from a corrupt version.
- Messaging and browsing delays were experienced by BlackBerry users in Europe, the Middle East, Africa, India, Brazil, Chile and Argentina for almost 72 hours.

It need not be assumed that such outages are stray examples affecting only a specific set of industries or functions. Apart from such illustrations, many organizations also witness multiple disruptions due to various reasons in day-to-day life. Very often these are considered an aberration, but on a collective basis the scale and magnitude of such losses remain very high.

Global surveys conducted by different renowned bodies across countries in 2013 show how disruption is still a wide phenomenon, in terms of industry, scale as well as impact.
- 85% of survey respondents experienced at least one disruption in the year.
- Less than 50% of businesses checked whether business continuity programs are likely to be effective in practice.
- Disruption in the supply chain led to a loss of productivity for almost half of businesses, along with increased cost of working (38%) and loss of revenue (32%).

On an average, US enterprises lose between US$ 84,000 and US$ 108,000 (Rs. 50 to 60 lacs) for every hour of IT system downtime. In addition to financial services, telecommunications, manufacturing and energy are also high on the list of industries with a high rate of revenue loss during IT downtime.

Here is a brief sampling of typical U.S. dollar downtime costs per hour by industry:

Industry            Downtime cost (per hour)
Brokerage Service   $6.48 million
Energy              $2.8 million
Telecom             $2.0 million
Manufacturing       $1.6 million
Retail              $1.1 million
Health Care         $0.6 million
Media               $0.1 million

It is worth noting that these downtime costs cover only tangible elements of loss, viz. loss of employee productivity, operational losses and penalties.
1.2.2 Business continuity planning is a journey

Early leaders and technology-enabled organizations have been working on business continuity planning for two decades. However, the subject of "Business Continuity Planning" gained significant attention after the terror attack on the World Trade Centre in 2001.

The world also witnessed many more major disasters after that. These included hurricanes like Sandy and Katrina, earthquakes in New Zealand, the tsunami in Thailand, and the triple disaster in Japan. All of these resulted in widespread damage and impact on local business units, major losses and recovery costs running into multi-billion dollars.

Apart from natural disasters, business disruptions due to operations failures, system errors, frauds and cyber-attacks also drew a lot of attention in the last decade. Regulatory regimes and control mechanisms became more stringent. Customer expectations raised the bar of service availability requirements. Technological innovations helped organizations build alternate plans on a real-time basis.

Throughout this journey, nations, societies and organizations across the globe have been learning, innovating and implementing business continuity plans, and the success of the same has varied from case to case.
1.2.3 Key learning

Organizations across the globe are learning certain lessons from these diverse experiences. Key learning for any organization can be summarized as:

- The threats in the modern world are "real" and no more left to imagination.
- Organizations today operate in a more complex economic, social, environmental, political and technical environment than ever before, as a result of which continuity needs are becoming complex.
- More than continuity, disruption is the norm today.
- To mitigate the risks of business disruptions in the digital era, all organizations need an effective "Business Continuity Plan."

1.3 Widespread Impact For Stakeholders

Business Continuity Planning was earlier considered from a single business perspective and was owned by a single organization. Now businesses are closely interlinked and they also directly interface with customers through technology channels. Therefore, a business continuity failure of any single business has ripple effects, and in some form larger sections of society get affected. As customers are heavily dependent on technology usage, ensuring that services continue through such channels is considered part of the social obligation of the business.

It is now widely acknowledged that business disruption has many more stakeholders than the business owner himself, as depicted in the table below.

Stakeholder | Participation in business continuity
Customers | Customer demand for continuity and resilience is an irresistible force. E.g. in banking, travel, insurance, healthcare, public services and stock exchanges, customer demands drive the need to build business continuity.
Investors | Investors have a dual interest in the business continuity plan. One is to ensure that the investments are justified, optimum and well realized. Second is to ensure that the business obligations and commitments to various stakeholders are met.
Business Partners | Business partners are dependent on commitments that an organization has made as part of business. This includes material supply, financial payments, service delivery and any other obligation.
Legislators | To protect customer and consumer interests, all countries have passed rules/regulations that define the technology requirement and that directly or indirectly define business continuity.
Insurers | Insurers see business continuity as complementary, helping to reduce claims. Insurance products based on business continuity are now increasingly common.
Employees | Employees are under stress at any time during a disruption. They have to battle on two fronts. One is to manage their own survival. Second is to support the organization as per their role and skill.
Public | Disruption in business today affects not only customers but also the public at large. E.g. any disruption in the transportation business shall lead to a chain effect that shall impact the livelihood of the public. Corporate Social Responsibilities include protection of public interests.
Societies at large | As mentioned, any large-scale disaster or any significant disruption of major services may affect the entire society and its ability to withstand such disruption. The preparedness for the same is largely collaborative, through community participation and beyond the boundaries of a single organization.

The business continuity standard released by the International Standard Organization (ISO 22301) in 2012 is named "Societal Security - Business continuity management systems - requirements."
1.4 Reasons And Consequences Of Disruption

There are a number of reasons why businesses face disruptions, and there is a cost attached to every such disruption. Some of the reasons are tabulated below:

Resource non-availability
- Single source services/product failure
- Power/fuel outage
- Water shortage
- Telecom failure
- Transportation failure
- Staff non-availability
- Facility unavailable
- Unplanned outage of IT

Man-made errors
- Erroneous backup/restorations
- Application errors/operational errors
- Improperly maintained or configured internal assets/networks

Human/External factors
- Cyber-attack (malware, denial of service attack)
- Terror attacks
- Criminal activities
- Riots, commotions
- Hostile intrusions in territories

Natural disasters
- Adverse weather (windstorm, flooding, snow, etc.)
- Earthquake/tsunami
- Fire

Consequences of disruption on business environment
- Material damage
- Loss of productivity/increased cost of working
- Product release delay/customer complaints received
- Cancellation of sales orders
- Loss of revenue/service outcome impaired
- Delayed cash flows
- Payment of service credits
- Fine by regulator for non-compliance
- Professional indemnities and liabilities
- Damage to brand reputation/image
- Loss of human life
- Long-term disability of the business

Most of the business operations in the modern world happen through interconnected systems/processes and are accessible globally. Hence, the impact of disruptions due to faulty planning or improper fail-over is very high.

Consequences of disruption on technology environment

The technology impact of any major disruption may not be visible to the external world unless the organization has shared part of it as a matter of transparency to the public or authorities in general. These include:
- Physical damage to the IT environment
- Corruption of systems/databases
- Loss of current data/archives
- Loss of source code and intellectual property built over years
- Loss of transaction trails required as evidence
- Compromised information security and defense architecture
- Non-availability of services at particular locations or through particular channels
- Loss of key IT resources involved in strategy and operations

Summary
- Planning for business continuity is an imperative for survival in the digital era.
- Disruptions, major or minor, impact organizations. Such impacts can have a wide effect on all stakeholders and have consequences.
- Risks arising out of business disruptions are still underestimated by large organizations globally.
- Business Continuity Planning is beyond server rebuilding and data replication.
- The dividends of proactive business continuity planning are higher than those of the same done under compulsion.
Chapter 2: Defining Business Continuity Policy

2.1 Early Warning Signals

Many organizations tend to believe that they remain unaffected by downtime issues. They have a notion that they shall be able to find alternate recovery ways as and when disruption takes place. There is also an apprehension that business continuity/disaster recovery planning is a complex and costly requirement and that it should be taken up when the priority demands it. As a result, organizations tend to keep the issue of business continuity planning on the backburner, unless it is enforced by regulators or learnt through hard experience.

To overcome this dilemma, organizations must keep an eye on early warning signals. While an organization may be engrossed in its routine activities, some factors may indicate the urgency to prioritize business continuity planning. The same is depicted below:

Early warning signals
- Recurring incidences: financial losses; operational failure
- Shrinking time for maintenance: acceptable outage limits; back-up time availability
- Technology dependency: points of failure; architectural complexity
- External factors: environmental conditions; social conditions

2.1.1 Recurring incidences

Most organizations have incident resolution mechanisms. The maturity of this mechanism varies from organization to organization. Some organizations use formal tools to record, classify, resolve and measure turnaround times (TAT) for incidences.

Organizations are sometimes conscious about incidences arising out of mala-fide intentions. In extreme cases, security incidences lead to deeper levels of investigation and legal/disciplinary actions.
Incidences also need to be analyzed from the perspective of the ability of the organization to respond to the incident. The following indicators suggest that organizations need to consider discontinuity threats more seriously:

- Recurring incidences, where preventive controls are proven to be weak.
- Incidences resulting in long downtimes, where the controlling factors are typically external in nature.
- Operational analysis of the incident ends when the "root cause" is identified; however, the organization may not have a solution for the root cause itself.
- Incidences where the risk has typically been considered "acceptable" in nature.
- Incidences arising from external sources where the organization's defense can be considered weak.
- Incidences having a cascading impact on the overall chain of processes.

Most of these incidences may have started hitting the bottom line directly or indirectly. These are signals that a major disruption may happen if adequate measures are not taken in time.
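The indicators above can be applied mechanically to an incident log rather than judged ticket by ticket. The Python script below is an added example, not code from the RSM brochure or from any incident-management tool: the Incident record layout, the thresholds (three recurrences, four hours) and the sample tickets are constructed assumptions chosen to show each indicator firing on at least one record.

```python
"""Early-warning-signal screen over an incident log.

Added example, not part of the original brochure: it applies the six indicators
listed above to constructed incident records, so routine tickets that are really
continuity warnings stand out. Field names, thresholds and the sample log are
assumptions made for illustration.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Incident:
    ticket: str
    root_cause: str               # root cause as recorded when the ticket was closed
    start: datetime
    end: datetime
    source: str                   # "internal" or "external" (assumed classification)
    root_cause_fixed: bool        # False when only the symptom was cleared
    risk_accepted: bool           # True when the residual risk was signed off as "acceptable"
    affected_processes: list = field(default_factory=list)

    @property
    def downtime(self) -> timedelta:
        return self.end - self.start


def _t(day: int, hour: int, minute: int = 0) -> datetime:
    # helper: timestamps inside one constructed month (January 2013)
    return datetime(2013, 1, day, hour, minute)


# Constructed sample log for a hypothetical organisation (not real data).
SAMPLE_LOG = [
    Incident("INC-001", "backup job failed", _t(3, 2), _t(3, 2, 40), "internal", False, True, ["nightly backup"]),
    Incident("INC-002", "backup job failed", _t(10, 2), _t(10, 3), "internal", False, True, ["nightly backup"]),
    Incident("INC-003", "backup job failed", _t(17, 2), _t(17, 2, 30), "internal", False, True, ["nightly backup"]),
    Incident("INC-004", "ISP link down", _t(8, 9), _t(8, 15), "external", True, False, ["internet banking", "call centre", "ATM switch"]),
    Incident("INC-005", "application memory leak", _t(12, 11), _t(12, 13), "internal", True, False, ["order entry"]),
    Incident("INC-006", "ISP link down", _t(22, 14), _t(22, 19), "external", True, False, ["internet banking", "call centre"]),
    Incident("INC-007", "phishing email campaign", _t(25, 10), _t(25, 11), "external", True, False, ["email"]),
    Incident("INC-008", "application memory leak", _t(28, 9), _t(28, 12), "internal", True, False, ["order entry"]),
]


def early_warning_signals(incidents, recur_threshold=3, long_downtime=timedelta(hours=4)):
    """Map each indicator from the text to the root causes or tickets that trigger it.

    The thresholds (3 recurrences, 4 hours) are assumptions; tune them to the organisation.
    """
    by_cause = Counter(i.root_cause for i in incidents)

    def tickets(pred):
        return sorted(i.ticket for i in incidents if pred(i))

    return {
        # 1. recurrence means the preventive control is not holding
        "recurring_root_causes": sorted(c for c, n in by_cause.items() if n >= recur_threshold),
        # 2. long outages whose controlling factor sits outside the organisation
        "long_external_downtime": tickets(lambda i: i.source == "external" and i.downtime >= long_downtime),
        # 3. root cause identified, but no solution applied
        "unresolved_root_causes": sorted({i.root_cause for i in incidents if not i.root_cause_fixed}),
        # 4. risk formally "accepted", yet the incident keeps coming back
        "accepted_risk_recurring": sorted({i.root_cause for i in incidents
                                           if i.risk_accepted and by_cause[i.root_cause] >= recur_threshold}),
        # 5. incidents originating from external sources
        "external_source": tickets(lambda i: i.source == "external"),
        # 6. one incident knocking out more than one process in the chain
        "cascading_impact": tickets(lambda i: len(i.affected_processes) >= 2),
    }


def downtime_hours_by_cause(incidents):
    """Total downtime per root cause: the figure that reaches the bottom line."""
    total = defaultdict(float)
    for i in incidents:
        total[i.root_cause] += i.downtime.total_seconds() / 3600
    return dict(total)


if __name__ == "__main__":
    for name, hits in early_warning_signals(SAMPLE_LOG).items():
        print(f"{name:26s} {hits}")
    for cause, hours in sorted(downtime_hours_by_cause(SAMPLE_LOG).items(), key=lambda kv: -kv[1]):
        print(f"{cause:26s} {hours:5.2f} h")
```

Run stand-alone, the script lists which constructed tickets trip each indicator and totals downtime per root cause; the point of the second function is that the thrice-"accepted" backup failure accumulates more than two hours of lost maintenance window, while the single external link failure already accounts for eleven hours across three business processes.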
2.1.2 Shrinking time window for system maintenance

The information technology team in any organization needs to carry out various activities as part of 'system maintenance'. They also need enough time and space for taking full back-ups and testing the success of restoration. Many organizations tend to underestimate the importance of this. Further, there is always pressure to increase system uptime. There is a growing realization that the time available for back-ups or back-end maintenance/upgrades is low. This is a typical case of a 'shrinking time window' for system maintenance. Illustrative cases are mentioned below:

- In all industry sectors, the need to make systems available for business transactions is continually on the rise.
- E-business and supply-chain processes require infrastructure to always be up and running.
- Access to critical data from anywhere in the world, to improve collaboration and enable faster, more informed decisions, requires '24x7' availability of systems.
- Certain statutory requirements and contractual obligations need to be met on a recurring basis/within specific times.

A shrinking time window for system maintenance indicates that system upgrades may not be current. Points of failure within various system components could remain hidden. The chance that a vulnerability may disrupt business continuity may be growing, and the organization may not be geared to handle such incidences in time.
2.1.3 Technological dependency

Business models are becoming more complex and there is always a need to remain aligned with the trend. Competitive pressures and cost pressures are on the rise. Organizations need to embrace technology to manage these requirements. Some of the requirements that make technology dependency a critical factor in business continuity planning are illustrated below.

- Organizations need to ensure that their businesses are available through all channels of information like internet, social media, ATM, kiosk, mobiles, etc.
- When email/SMS are integrated into business functions to improve customer communications, this dependence becomes even greater. At the back-end, such dependence creates a need for continuous access to information, applications and various system components.
- Back-end architectures that support complex business needs are equally complex. The number of hardware and software components and system interfaces is very high. It creates points of failure at multiple locations. The organization may not have factored in the importance of all such 'single points of failure'.
- The technology automation trend is towards centralization of infrastructure. Various technologies get consolidated, controlled and monitored from central locations. This eventually increases the risk of a "single point of failure", as a single disruption at the central location has an operational impact across various functions.
- Distributed applications pose additional risk from a business continuity point of view. New applications now run across multiple servers simultaneously, enabling them to capitalize on internal infrastructure. However, failure of one server may lead to failure of the critical application.

These factors indicate a growing thrust on business continuity planning/disaster recovery planning requirements.
2.1.4 Social and environmental conditions

Though an organization cannot control external factors, it can certainly keep an eye on external developments. Some of the external factors that heighten the risk of business disruptions can be illustrated as below.

- Hazardous projects being constructed in the near vicinity may increase the chances of fire and accidents. Fumes and pollutants may lead to corrosion of important hardware assets if not protected adequately, leading to early failure of such equipment. Similarly, inadequately protected power/data cables may get damaged if any major construction activity is taking place nearby.
- If an organization is operating in an area that is increasingly susceptible to natural calamities such as earthquake, hurricane or cyclone, then it is an early warning that the organization should start working on alternative plans.

All local factors need not necessarily be seen from a 'disaster' point of view. But such factors may have sufficient potential to alter local evacuation plans, local recovery plans and crisis management plans.

2.2 Business Continuity: Preliminary Analysis

The primary purposes of a Business Continuity Plan are:
- Protection of human life
- Restriction of business impact during disruption
- Resumption of critical functions on a timely basis
- Managing external interfaces
- Re-assuring stakeholders
- Ensuring regulatory compliance

An organization needs to carry out a preliminary analysis of the overall purpose of business continuity in its own context. The approach is illustrated below:

Defining purpose of BCP
1. To set organization context
2. To identify core business elements
3. To evaluate BCP parameters
4. To define business continuity policy and scope
2.2.1 Defining organization context

Before carrying out any exercise for business continuity planning, an organization needs to understand the context in which it operates.

Small organizations with limited operations and dependency on technologies and processes need to analyze the 'start point' or 'point of resumption from where business will be re-built', i.e. in case of a total disaster and a need to re-build the business. A view of the same is tabulated below:

Point of resumption | Perspective
Owner/Proprietor | An owner of the business may believe that he/she can restart the business on his/her own, as per the original startup. This could be an instance of a proprietor working in his/her area of specialization.
Team/Employees | A small business managed by an owner with a management team views the employees as critical to their business. A typical example could be an instance of a small retail business. In such a case, the team is the start point of rebuilding the business.
Customer relationships | For many businesses, a close relationship with customers matters a lot. In such a case, the owner/manager will assign greater value to customer relationships. Here, the business continuity strategy will focus on managing critical customers, establishing good communication with the customer during a disruption and taking all measures to retain customer loyalty. In this case, customer relationship is the start point for rebuilding the business.
Business Entity | Most organizations shall fall in this category. They need to restore the entire business as a whole.

There are several other perspectives of an organization's context, such as:
- Industry
- Products and services
- Scale
- Size
- Stakeholders
- Supply chain
- Partnership
- Managerial environment
- Operational environment
- Work culture
- Legal and regulatory environment
- Interdependency of the above elements

All these factors need to be first identified and defined to understand the overall context under which business continuity is to be planned.

2.2.2 Identify core business elements

A closer look at all the elements shall help the organization identify which elements in the business architecture can be considered 'core' from a business continuity perspective. The organization needs to evaluate BCP parameters with respect to these key elements.

Core systems may include:
- Core IT solutions
- Enterprise Resource Planning
- Retail transaction websites/retail transaction stores
- E-governance sites
- Telecom switches
- Perimeter security devices
- CRM systems
- ATM switches/financial switches
- Fund transfer systems
- Clearing house
- All other business-specific sites

However, an organization may also consider some of the feeder/peripheral systems, treasury/accounting systems/regulatory reporting systems/data analytical systems, hardware accessories and specific devices as 'core' to the survival or normal functioning of the business.
25. 2.2.3 EvaluateBCPparameters
In this phase, organizations need to work out a sketch of how a BCP shall function in
caseofanydisruptionasfollows:
Assessoverallpreparednessoftheorganizationonbroadparameters.
Identifyrisksarisingoutofdeficienciesincurrentbusinesscontinuityplan.
Evaluatecomplexityintermsofefforts,feasibilityofbusinesscontinuityplan.
Provideinputstodetailedbusinesscontinuityplanningprocess.
This needs to be evaluated from various dimensions such as people, premises,
processes,technologyandtools.
Illustrativelistofallsuchparametersismentionedbelow:
People
Whatisthecurrentstatusofpeoplesafetyintheorganization?
Whatisthecurrentlevelofpreparednessforemergency?
Whatiscontactinformationforallemployees/staffworkingonpremises?
What is the administrative and logistics support available at different
locations?
Whichresourcescanbeconsideredas“keyresources”?
Where the key resources are located and how is their availability for
businesscontinuity?
l
l
l
l
Ø
l
l
l
l
l
l
18Business Continuity PlanRSM Astute Consulting
Tools
People
Premises
ProcessesTechnology
- Who are the priority suppliers / partners and how do they participate in critical activities?
- Who are the interested parties and how do they matter for business continuity?
- What is the level of staffing required for sustaining business continuity?
- What skills / level of expertise is required to undertake these activities?

Organizations need to take a panoramic view of their people resources during this evaluation process.

Premises
- From what locations does the organization operate its critical activities?
- What alternative premises / alternative arrangements does the organization have?
- Does the organization have any reciprocal arrangements with other organizations?
- What is the nature of the facilities fail-over options?
- What facilities are essential to carry out critical activities?
- What are the ease, speed and distance limits of connectivity to alternate sites?
- What is the history of vulnerability to natural disasters and malicious physical attack?
- What logistics and infrastructure shall be required to support the movement of people and supply of goods?
- Is there a regulatory requirement / guidance to operate from an alternate region?

Organizations need to deliberate in detail on possible alternatives of premises even before entering into the detailed phase.

Process
- How much will an hour of unplanned downtime cost the business?
- Which business process and subsystem non-availability shall contribute to the cost of downtime?
- Does the organization depend upon one or more mission-critical applications such as ERP or CRM software?
- How many transactions can be afforded to be lost without significantly impacting the business?
- What evidences and logs shall need to be produced during and after the data recovery process?
- Do you tender key services out to another organization, to whom and for what?
- What are the organization's contractual and regulatory obligations?
- How will customer service get impacted from a short-term and long-term perspective?
- How will business relationships with partners and suppliers get affected by an unexpected IT outage?
- What is the minimum security of transactions that needs to be ensured?
- Which are the key supply requirements?
- What logistics processes can be invoked?

The organization needs to gain visibility between business processes and business continuity requirements.

Technology
- What are the channels through which services need to be provided?
- What are the current methods / limitations of data synchronization within and across locations?
- What is the overall level and reliability of internal / external connectivity?
- What are the current arrangements for serving existing hardware and software, including licenses?
- What is the overall time schedule during which the entire system and machinery needs to be brought back?
- What are the broad-level technology risks?
- Which technology partners can you rely upon?

The organization needs to understand its technology limitations during this process.

Tools
- What systems and means of voice and data communication are required to carry out critical activities?
- What is the inventory of “recovery tools” and is the same kept updated?
- Which tools can be operated from alternative locations / mobile locations / home locations?
- What tools are used for authentication, controls, logging and monitoring?
- What has been the effectiveness of data recovery tools as part of operations and testing?
- What communication channels are available to the organization in case of disruption?
- How does one record incidents?

The organization needs to gain a macro-level understanding of how it can leverage existing tools, or whether it needs to buy additional tools.

2.3 Defining Business Continuity Policy

Preliminary analysis, as mentioned earlier, enables the organization to define a scope of business continuity planning appropriate to the size, nature and complexity of the organization. This scope should cover:
- IT units
- Facilities
- Business processes
- User environment
- Customer touch points

Covering all touch points of customer service is essential for ensuring effective business continuity. Especially in case of natural disasters, customers panic and are dependent on call center services. If this aspect is not factored into the business continuity scope, it can add to the confusion and affect the corporate brand image.

The outcome of the entire exercise should result in a meaningful business continuity policy that serves as input to detailed business continuity planning. Defining a business continuity policy is not drafting statements. Organizations need to visualize the outcome of the BCP.
Summary
- Early warning signals could suggest the need to prioritize business continuity planning.
- A preliminary assessment of organization context, people, premises, processes, tools and technologies gives a broad indication of business continuity requirements.
- Understanding key touch points of the business with the external world and corresponding internal structures helps the organization to define the scope of the Business Continuity Plan.
Chapter 3: Implementing Business Continuity Plan

3.1 Planning And Support

The Business Continuity management cycle goes through various steps, and a brief view of the same is shown below. Broadly, this includes policy definition, planning and support, business impact analysis, defining recovery strategies, detailing out recovery plans, and conducting exercises and tests. This also needs to be supported by various other organization activities. An illustrative approach is depicted below:

[Diagram: BCP life cycle: Policy (Define Goals); Planning and Support (Project Management); Business Impact Analysis (Gain visibility); Recovery Strategies (Evaluate options); Recovery Plans (Provide Guidance); Exercising and Testing (Check Effectiveness)]

Planning and support is the first step after business continuity policy definition. First, the organization should create a Business Continuity Management organizational structure or a ‘steering committee’ to drive the Business Continuity plan. Typically, a cross-functional team represented by various stakeholders should form this committee.

[Diagram: cross-functional representation of the business continuity management structure: Top management, BCP Steering Committee, Business Units, Technology units, Support units]

The ‘steering committee’ shall take the organization through the entire life cycle of business continuity management. The roles of the top management are defined below.
Function: Role

Chief Executive Officer
- Chair the Business Continuity Planning steering committee.
- Provide necessary support to the Business Continuity Planning project.
- Ensure business continuity plans remain aligned to strategic goals.

Chief Financial Officer
- Benchmark Business Continuity Planning expenditure with industry.
- Prioritize investments in areas that directly have high risks from a business continuity point of view.
- Measure and monitor financial performance of the Business Continuity plan.

Chief Risk Officer
- Provide inputs about disruptions, threats and impacts for effective business continuity planning.
- Ensure adequate attention and awareness of the business continuity program by the organization's stakeholders.

Chief Information Officer
- Align technology objectives, plans and programs to business continuity requirements.
- Prepare, implement and maintain the IT disaster recovery plan.

Chief Security Officer
- Ensure information security requirements are built into the business continuity program.

Business Units
- Define business continuity requirements.
- Assign classification to requirements as mission-critical, critical or normal.
- Provide necessary financial and operational support to the Business Continuity Program.

All employees
- Get trained about day-to-day precautions to be taken to pre-empt operational or other threats.
- Get trained about the emergency response plan and evacuation plan.
- Participate in disaster recovery drills.
- Abide by corporate instructions and guidelines.
Organizations also need to create support mechanisms to manage such a framework. This needs to be taken through a standard project management cycle that includes defining project objectives and milestones, identifying success factors, planning for contingencies and measuring progress.

Support to the project should include providing necessary resources, building competencies, creating awareness and provisioning of communication channels. The steering committee should also create a proper budget, funding and review mechanism.

3.2 Business Impact Analysis

3.2.1 Process data gathering

This is a continuation of the preliminary analysis carried out to define the business continuity policy. However, this is a far more detailed exercise with a very close view of the business process.

Process data can be gathered through various techniques. A workflow analysis needs to be performed by observing daily operations, interviewing employees, conducting surveys, studying management information systems and other means. This analysis, in conjunction with the other tools, allows management to understand:
- Business objectives supported by the processes.
- Information required and resources required, along with their criticality.
- Key personnel handling processes.
- Locations from where processes are supported.
- Vital records that need to participate in the process design.
- Shared infrastructure required to run the process.
- Sub-processes / supporting applications / subsystems.
- Interdependencies of the processes.
- Risks associated with the process.
- Ability of the process to withstand disruption.

3.2.2 Risk analysis and mitigation

If the organization has adopted / is practicing a well-established enterprise risk management framework, the same may be used to assess overall risks arising due to business disruption. If an organization is able to use quantitative methods for risk assessments, it helps the management to prioritize the business continuity plan more easily, along with the level of effort required to mitigate the risk.
In a normal business risk analysis exercise, organizations tend to ignore or underestimate business disruption causes and consequences. When conducting risk analysis related to business continuity planning, the organization needs to:
- Think of all possible threats and causes of disruption.
- Build scenarios and assess various shortcomings of the current processes.
- Take views across all processes, locations and functional units.
- Understand the cascading impact of any failure.

Some of the risk mitigation measures may be taken immediately and do not require elaborate business continuity planning. These may include:
- Physical and administrative controls.
- Spare part / inventory management.
- Third-party agreements and service level definitions.
- Introducing certain redundancies.

3.2.3 Identifying maximum tolerable outage

A good understanding of business process architecture and the business continuity risks associated with the same helps the organization to work out the maximum tolerable outage for critical processes.

Maximum tolerable outage needs to be seen from an end-to-end perspective. It is the duration from an unexpected event till critical business activities are resumed. Recovery Time Objective (RTO) is also often used terminology, but this is measured primarily from a technology perspective. The relation between the various events is depicted below:

[Diagram: timeline of a disruption: Last successful Backup (Recovery Point); Major Unexpected Event; Damage Assessment; Disaster Assessment; Declaration of Disaster (Crisis Line); Resume Critical Business. Maximum Tolerable Outage and Recovery Time Objective are marked as spans on this timeline]
There is also an element of data loss that may happen if recovery is made from the last successful back-up. The point from where recovery may take place is called the “Recovery Point Objective”. Good business impact analysis should throw light on the costs associated with recovery point objectives.

An acceptable solution range can be determined based on the trade-off between the various costs, as depicted below.
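The following is an added worked example, not part of the original paper, of how the definitions above can be checked against an observed disruption and how the cost trade-off can be turned into a ranked solution range. It models the timeline the paper describes (last good backup, event, declaration, resumption), measures Maximum Tolerable Outage from the event, RTO from the declaration and the data loss window from the last backup, and then ranks recovery-point options by availability cost plus expected loss cost. The timestamps, option names and cost figures are constructed assumptions; the same ranking function applies unchanged to RTO options (system downtime cost against system availability cost).

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed timeline for one hypothetical critical process. All timestamps,
# targets and costs below are illustrative assumptions, not figures from the paper.


@dataclass
class DisruptionTimeline:
    last_good_backup: datetime  # last successful backup, i.e. the recovery point
    event: datetime             # major unexpected event
    declaration: datetime       # declaration of disaster after damage assessment
    resumption: datetime        # critical business activities resumed

    def outage(self) -> timedelta:
        # End-to-end view used for Maximum Tolerable Outage: event to resumption.
        return self.resumption - self.event

    def recovery_time(self) -> timedelta:
        # Technology view used for RTO: from the disaster declaration to resumption.
        return self.resumption - self.declaration

    def data_loss(self) -> timedelta:
        # Everything written after the last good backup is lost on a restore.
        return self.event - self.last_good_backup


def objective_breaches(tl, mto, rto, rpo):
    """Return the names of the objectives the observed timeline exceeded."""
    checks = {
        "MTO": (tl.outage(), mto),
        "RTO": (tl.recovery_time(), rto),
        "RPO": (tl.data_loss(), rpo),
    }
    return [name for name, (actual, target) in checks.items() if actual > target]


def solution_range(options, cost_per_hour, tolerance=0.5):
    """Rank options by total cost and return those inside the solution range.

    options: {name: (hours of exposure, availability cost per year)}. Total cost
    = availability cost + exposure hours * cost_per_hour, so the loss cost falls
    as the exposure shrinks while the availability cost rises. The solution
    range is every option whose total is within `tolerance` of the cheapest.
    """
    totals = {name: avail + hours * cost_per_hour
              for name, (hours, avail) in options.items()}
    cheapest = min(totals.values())
    ranked = sorted(totals.items(), key=lambda kv: kv[1])
    return [(name, total) for name, total in ranked
            if total <= cheapest * (1 + tolerance)]


SAMPLE_TIMELINE = DisruptionTimeline(
    last_good_backup=datetime(2013, 6, 1, 0, 0),
    event=datetime(2013, 6, 1, 6, 30),
    declaration=datetime(2013, 6, 1, 8, 0),
    resumption=datetime(2013, 6, 1, 18, 0),
)
SAMPLE_OBJECTIVES = dict(mto=timedelta(hours=8), rto=timedelta(hours=12),
                         rpo=timedelta(hours=4))

# Constructed recovery-point options: (hours of data at risk, availability cost/year).
RPO_OPTIONS = {
    "nightly backup": (24, 10_000),
    "4-hourly incremental backup": (4, 30_000),
    "storage replication (15 min)": (0.25, 80_000),
    "synchronous mirroring": (0, 150_000),
}
LOSS_COST_PER_HOUR = 1_500  # constructed: value of one hour of lost transactions


if __name__ == "__main__":
    print("breached:", objective_breaches(SAMPLE_TIMELINE, **SAMPLE_OBJECTIVES))
    for name, total in solution_range(RPO_OPTIONS, LOSS_COST_PER_HOUR):
        print(f"{name}: total cost {total}")
```

With the constructed figures the drill breaches MTO and RPO but not RTO, which is exactly the gap the paper warns about: a technology-only RTO can be met while the business-level outage is still intolerable. The ranking shows the 4-hourly incremental option as cheapest, with nightly backup still inside the range; the tolerance value is what a steering committee would set, not a fixed rule.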
[Diagram: cost trade-off against TIME: Data Loss cost versus Data Availability cost (Recovery Point Objective) and System Downtime cost versus System Availability cost (Recovery Time Objective), with the Solution Range lying between them]

In a nutshell, Business Impact Analysis gives an organization an insight into:
- Critical business processes.
- Indicative prioritization plan.
- Maximum Tolerable Outage per process.
- Data loss possibilities and associated costs.
- Critical resource requirements.
- Dependencies on external plans.
- Quantification of losses / budget required for recovery.

Organizations can use tools such as the Critical Path Method for getting additional visibility into the entire process of recovery planning.

3.3 Recovery Strategies

Having defined the business policy, identified critical processes and carried out business impact analysis, the next step is working out business recovery strategies. Recovery strategies should have:
- Strategic objectives
- Recovery options for all components participating in the business process, supported by technology or otherwise aligned
3.3.1 Strategic objectives
- To maintain access to information and applications.
- To sustain revenue, profitability and productivity at acceptable levels no matter what planned or unplanned events occur.
- To recover your data, applications and systems to a level that meets your business requirements and RTO and RPOs.
- To assure the integrity and quality of your environment during interruptions and when it returns to full operations.

Recovery strategy needs to have a high level of deliberation. Typically, an organization needs to take a 360-degree view of resuming business operations.

3.3.2 Recovery components and strategic considerations

Recovery components: Strategic considerations

Infrastructure Recovery (network links, paths, routes; power supplies; voice / data communication; telecommunication, equipment, servers, devices)
- In case of minor disruption, options to evaluate for recovering infrastructure can include cold restarts, recovery through redundancy, recovery through high availability architecture and re-building of infrastructure.
- In case of major disruptions, alternate sites have to be brought up first before infrastructure is set up, unless it is a hot or warm site.
Data Recovery (structured data; unstructured data; system files)
- Data recoveries can take place through multiple mechanisms: backup solutions / incremental updates; storage replication; archive / redo logs; clustering / high availability architectures; continuous backup; multi-platform protection.
- Different techniques have different recovery times, recovery points and associated costs. This needs cost-benefit analysis.

Application Recovery
- Applications can be recovered through the use of load balancers, clustering, redundant system management and reconstruction.
- The strategies could be different for different application architectures, such as server based, thick / thin client based, and mobile / internet based.
- Other parameters to consider include: user base / reach of the application to the users; Recovery Point Objectives / point of resumption; acceptable and unacceptable configurations during crisis management; level of access restrictions during the recovery process; generic business demands.
Site Recovery
- Organizations need to evaluate different options: number of sites (single site / dual site / multi site); nature of site (cold site, warm site, hot site, tertiary sites, cloud based); nature of location (near DR site / distant DR site); nature of synchronization (replication / mirroring); agreements (reciprocal, supply-chain related, selective outsourcing).
- Organizations need to weigh arrangements for when the original site is partially or fully non-functional.

Interim Processes
- As recoveries are in progress, organizations need to strategize for: services that shall continue to sustain operations; services that shall be shut down or degraded; transition strategy.

The following illustrative diagram shows how these recovery mechanisms can be seen from a time / cost perspective. This also depends on the nature of the contingency.

[Diagram: Time to Recover against Cost to Recover for Site Recovery, Application Recovery, Data Recovery and Infrastructure Recovery]
In addition, an organization needs to build strategies for:
- User environment recovery
- Disruption impact containment
- Public relations / media management
- Fund management / insurance

3.4 Recovery Plans

Business Continuity Plan, Disaster Recovery Plan, Emergency Response Plan and Crisis Management have very close correlation with each other and should not be documented in isolation. The correlation and characteristics of these plans are depicted below.

[Diagram: Emergency Response Plan, IT Disaster Recovery Plan, Crisis Management Plan and Business Continuity Plan, with specific event based integration between them]

The table below shows how different plans are devised by organizations and their characteristics.

Type of Plan: Characteristics

Emergency Response Plan
- Event driven / local management
- Focus towards containment of threat
- Human life protection
- Physical and administrative in nature

Crisis Management Plan
- Event escalation driven
- Focus towards wider assessment and containment
- Overall coordination across the organization
- Multifunctional in nature
3.5 Exercising and Testing

Business continuity testing can be of various types. The table below shows the nature of tests conducted, with the test focus and the outcome of the various types of tests.

Nature of Test: Focus: Outcome

Checklist-based tests
  Focus: Only compliance checks.
  Outcome: Comprehensiveness.

Structured walkthroughs
  Focus: Take the organization through the process.
  Outcome: Ensure consistency, uniformity and create a common body language.

Simulation tests
  Focus: Simulate different scenarios in a test environment.
  Outcome: Helps in evolution of the business continuity plan.

Parallel tests
  Focus: Organization is not certain and confident about its Business Continuity Plan.
  Outcome: Refining the Business Continuity Plan.

Partial interruption tests
  Focus: Verifying that plans are working in practice along with limited interruption.
  Outcome: Specific purpose testing.

Full interruption tests
  Focus: Verifying that plans are working in practice along with full interruption.
  Outcome: Effectiveness of testing.

Apart from the above list, organizations can conduct location-specific tests, evacuation drills, cyber security attack mock drills and communication management drills as per their choice.

The BCP drill planning process is mentioned below:
- Define specific objectives for the BCP exercise
- Include all stakeholders
- Develop risk scenarios
- Independent testing
3.5.1 Define specific exercise objectives

BCP exercising needs to have a purpose. This helps the organization to measure the success of the exercise. Such objectives can be extremely narrow or broad depending on the time availability. Illustrations of such purpose are mentioned below:
- Verification of recovery time and recovery point objectives for a specific component.
- Imparting training to new joinees for a selective part of the business recovery cycle.
- Testing disruption at one specific location.

Such an exercise, when simulated practically, is called a ‘drill’.

3.5.2 Include business stakeholders

Business owners play a vital role in drills. Their participation helps organizations in many ways:
- Business buy-in in the drill exercise is better.
- The success of the drill finally needs to be certified by business. This ensures end-to-end tests.
- Business stakeholders should verify the successful recovery of services.
- Business stakeholders realize what to expect in terms of recovery capabilities and performance at the recovery site during an actual declaration.

3.5.3 Develop specific risk scenarios for organizational exercises

When an organization conducts a drill without specific scenarios, the overall objective of the drill gets compromised. Defining specific risk scenarios for DR testing helps in many ways:
- It provides a more realistic situation for the response team to react to.
- Response alignments to the scenario are better.
- In real life, people anyway deal with scenarios.

3.5.4 Independent testing

Many companies deploy independent staff: one team develops the BCP and the other (with little specific knowledge of the system executing those tests) is involved in execution. This serves dual benefits:
- Testing the robustness of the business continuity plan.
- Cross-training staff on business continuity.

Certain additional considerations can aid the business continuity plan to make it more effective. On an illustrative basis, this could include:
- Pre-incident surveillance
- Effective communication
- Exception handling

3.6 Pre-incidental Surveillance

Pre-incidental surveillance helps to pre-empt many possible threats. It helps in:
- Early detection and prevention of incidents such as terrorist attack, employee misbehavior, short circuits, fires and derailment of the transport system, which helps an organization to avoid disaster.
- Gauging security reaction and overall organization response.
- Buying time to review threat levels and security arrangements, and allowing counter measures to be initiated to either eliminate or reduce the risk to an acceptable level.

3.7 Effective Communication

Whereas organizations strive to remain connected to the public in general during an emergency, they need to ensure two additional types of communications:
- Proactive communication
- Communications during prolonged downtime

3.7.1 Proactive communication

Various agencies such as the meteorological department issue early warning communications to the public in general about an impending disaster. As people brace up to face the challenge, their dependency on all service providers increases. Some organizations make proactive communication to the public stating:
- The kind of services that shall be available
- The locations from which such services shall be available
- The channels that shall be operative
- The level of preparedness of the organization

Such an organization has already built trust with the customer.

3.7.2 Communications during prolonged downtimes

All factors during the business recovery process may not be in the control of an organization. As a result, prolonged system downtimes could be expected. It is necessary that a section of this information is shared with the public at large, as organizations will need to be transparent to all their stakeholders. Such communication shall include:
- Policy of the company
- Current circumstances
- The reasons for delay of service restoration
- Action being taken and the rationale behind the same
- Expected time plans for activities
- Stakeholder updates

3.8 Exception Handling

A business continuity plan need not necessarily work as per the desired basis; decisions will need to be taken on the spot and could be dynamic. Ground realities can differ from idealistic conditions. The organization needs to take care of exceptional conditions.

3.8.1 Emergency management

After a major disaster, an organization has many issues to handle, including some life and death situations. Some employees may be in traumatic conditions or may not be able to travel; the organization should build such exceptions into its business risk analysis and work out mitigation plans around the same.

3.8.2 Security and fraud control during disruption

During the disaster and recovery process, the entire attention of the organization is naturally focused towards resumption of business activities. This phase typically may have the following shortcomings:
- Internal controls fall weak
- Discretional activities are permitted
- Segregation of duties is not adhered to
- There is uncertainty of data loss
- Data integrity may not be ensured

There could be tendencies during disruption to steal organization property, over-spend on items procured and system compromises of various natures. Post resumption of business, an organization needs to review the entire recovery process taking into account various factors, including security and fraud related aspects. An organization is also expected to demonstrate enough sensitivity to the staff, their experience and skills, who possibly would have taken the best decisions during the disruption event. However, exceptions need to be isolated and identified.
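As an added illustration of the post-resumption review described above (this is example code, not a tool from the paper or from RSM Astute Consulting), the block below runs a small set of control checks over a constructed crisis log of discretionary actions taken during a disruption. It flags the shortcomings the section lists: actions nobody approved, segregation-of-duties breaches where the requester approved their own action, procurement above an emergency spend limit, and integrity-affecting changes (access grants, data restores) with no crisis-log reference. The record layout, the rule names, the spend limit and the people are all assumptions constructed for the example.

```python
from dataclasses import dataclass

# Constructed threshold: the organization's emergency procurement limit (assumption).
EMERGENCY_SPEND_LIMIT = 50_000


@dataclass
class EmergencyAction:
    """One discretionary action recorded in the crisis log during the disruption."""
    action_id: str
    kind: str            # "payment", "procurement", "access_grant" or "data_restore"
    requested_by: str
    approved_by: str     # empty string when nobody approved it
    amount: float = 0.0  # monetary value, for payments and procurement
    ticket: str = ""     # crisis-log or change reference, empty when untracked


def review_action(action):
    """Return the control exceptions found on one action (empty list if clean)."""
    findings = []
    if action.approved_by == "":
        findings.append("no-approval")              # discretionary activity, no second person
    elif action.approved_by == action.requested_by:
        findings.append("segregation-of-duties")    # requester approved their own action
    if action.kind == "procurement" and action.amount > EMERGENCY_SPEND_LIMIT:
        findings.append("over-spend")               # above the emergency procurement limit
    if action.kind in ("access_grant", "data_restore") and action.ticket == "":
        findings.append("untracked-" + action.kind) # integrity-affecting change, no record
    return findings


def post_resumption_review(actions):
    """Isolate the exceptions: map action id to findings for every action that has any."""
    review = {}
    for action in actions:
        findings = review_action(action)
        if findings:
            review[action.action_id] = findings
    return review


def count_by_rule(review):
    """Summarize how often each control was breached, for the steering committee."""
    counts = {}
    for findings in review.values():
        for rule in findings:
            counts[rule] = counts.get(rule, 0) + 1
    return counts


# Constructed crisis-log entries for a hypothetical disruption.
SAMPLE_ACTIONS = [
    EmergencyAction("A1", "procurement", "alice", "bob", amount=20_000, ticket="CL-01"),
    EmergencyAction("A2", "procurement", "carol", "carol", amount=120_000, ticket="CL-02"),
    EmergencyAction("A3", "access_grant", "dave", "erin"),
    EmergencyAction("A4", "data_restore", "frank", "", ticket="CL-04"),
    EmergencyAction("A5", "payment", "gina", "hal", amount=5_000, ticket="CL-05"),
]


if __name__ == "__main__":
    review = post_resumption_review(SAMPLE_ACTIONS)
    for action_id, findings in review.items():
        print(action_id, ", ".join(findings))
    print(count_by_rule(review))
```

The output is a review queue, not a verdict: each flagged action still has to be discussed with the people who took it, which is the sensitivity the paper asks for. Clean actions (A1, A5) are deliberately left out of the result so the exceptions stay isolated.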
3.9 Certifying Business Continuity Plan

After the business continuity plan is implemented and tested, it is the organization's choice to go for any formal certification or benchmarking. However, a formal certification has its own benefits in terms of:
- Benchmarking against industry best practices
- Ensuring periodic assessment
- Sustaining pressure to keep the business continuity plan upgraded
- Having a reasonable assurance of organization preparedness for business continuity
- Demonstrating to the stakeholders the organization's commitment

The following points need to be remembered while implementing business continuity plans:
- Business Continuity Program implementation goes through a structured life cycle.
- Participative involvement can ensure that every stage of the life cycle is designed with a thought-through process.
- BCP testing can be conducted in many ways, keeping an eye on effectiveness and assurance.
- Organizations need to identify activities beyond the BCP life cycle to make the plan robust.
- Formal certification helps the organization to benchmark the robustness of its solutions against globally accepted standards.
Chapter 4: Technology Trends Impacting Business Continuity Considerations

While it is worth considering the continuity plan from a business point of view, it is equally interesting how emerging technologies, trends and innovations contribute to shaping business continuity plans. There are numerous ways, methods and processes that offer a wide variety of choices to the business to adapt to their individual business needs. Some of the illustrations are mentioned below:
- Use of mobile recovery workforce
- Cloud based disaster recovery
- End user mobile devices / social networking sites
- Big data
- Globally interconnected devices

4.1 Using Mobile Work Force For Recovery

Traditionally, one of the aspects of business continuity included working from a designated alternate site. However, organizations are realizing that remote access technologies can enable them to operate from anywhere.

Organizations are creating a ‘mobile work force’ housed in a mobile unit that consists of an emergency response team, client service teams, insurance teams and others as per the need. Such a team ensures:
- The connectivity to main systems is available from anywhere.
- Routine operations are conducted regularly through such mobile units.
- When the emergency arises, or on an on-demand basis, they can reach anywhere, get connected to the network and ensure customer service does not get affected.
- The tools are tested, and operate during emergency.
- By ensuring re-usability, the business continuity costs are controlled.

Such arrangements are very useful in areas prone to frequent disruptions due to natural or political conditions.
4.2 Cloud Based Disaster Recovery

Cloud based technologies are helpful to many organizations for whom building alternate recovery mechanisms could be expensive. Cloud based models are available on a ‘pay as you use’ model and help organizations to manage their costs within limits. Further, in such a scenario, physical infrastructure can be managed from remote locations, thus reducing dependency on physical infrastructure. Remote location recovery is easier by providing alternate sites. For cloud DR, service providers need to facilitate reconfiguring the network setup for an application as per the demand.

Cloud infrastructure combined with virtual private networks (VPNs) supports rapid reconfiguration for applications that only communicate within a private business environment. It should be noted that DR on the cloud is different from the normal business running in a cloud solution. In the second case, any disaster recovery could be more complex, as different components of the systems may not be easily re-constructed.

4.3 End User Mobile Devices And Social Media

Proliferation of mobile devices and social media is changing entire business models. These are creating a flexible work-force and connectivity everywhere. End user environment recovery has been simplified due to such proliferation. Further, mobile devices help BCP in multiple ways:
- Establishing crisis communication
- Providing the ability to reach globally
- Mobile application accessibility
- Providing data collection points

4.4 Big Data

The digital universe is constantly expanding. Data is now getting generated in all forms and it is predicted to reach 40 trillion gigabytes in the next five years. Further, this data is no more ‘structured data’ that can be extracted by Structured Query Language (SQL), but is available through many channels, many formats and many devices.

An illustration of how data is available in multiple forms and is getting generated through multiple channels and devices is depicted below, with tabulated examples.
[Diagram: Big Data; Web based Analytic; Partner Data; ERP structured data]

System: Nature of Data

Big Data: Sensors / device data, social interactions and feeds, video, audio, images, speech to text, mobile generated information, GPRS data
Web: Web based transactions, web search, behavioral data, digital marketing
Partner Data: Customer touch points, supplier touch points, external information
ERP: Business transactions, management information, financial details, etc.

Volume, variety, velocity and veracity stand for the “V-characteristics of big data”. An increasing number of corporations have access to far more information than is within their control to manage. Many large / mid-size organizations are still struggling to cope with big data requirements.

Search engine providers, data analytics companies and global organizations have already started work on business continuity plans and are at different stages of maturity. However, for most organizations, business continuity requirements and management of the same in a normal or disruptive environment are yet to evolve.

4.5 Globally Connected Devices

Technology has been and is continuously becoming all-pervasive in nature and will penetrate all strata of society globally. With social media, wireless and mobile technologies, the interconnection of devices and flow of information will change the data dynamics. As per international studies, there will be more internet connected mobile devices such as smartphones and 3G tablets than the total world population by the end of 2014, as per a Guardian report.
Chapter 5: Sustaining Business Continuity Plan

5.1 Aligning Business Continuity With Change Dynamics

Business continuity planning is not a one-time activity. Every organization today is in a constant state of change. Business delivery models, architectures, processes, designs and underlying technologies always undergo changes. New innovations shall drive organizations to adopt newer standards. It is not expected that the entire business continuity plan needs to be rewritten or tested. The key lies in ensuring that the business continuity plans are flexible enough to accommodate changes in the dynamic environment.

Organizations need to evolve a BCP response mechanism to align with the dynamic business environment. Such requirements are tabulated below on an illustrative basis.

Nature of Change: Primary focus for BCP upgrade

Organizational restructuring
- Steering committee responsibilities
- Key personnel availability / emergency preparedness
- Changes to communication plan
- Training and education

Technical re-architecture
- Back-up / restoration plan
- Fail-over plan
- DR plan

Business delivery model
- Changes to Maximum Acceptable Outage
- Business recovery plan
- DR plans

Major system upgrades
- Backward compatibility
- Synchronization across sites

Relocations
- Physical security threats
- Evacuation plans
- Connectivity controls

Day to day changes
- Document upgrades
Minimum Documentation requirements

It is often discussed as to what length and depth the business continuity plan should be prepared. Following is an illustrative list of documents that must be available and updated at any time:
- Emergency contact list
- Personal contact list / vendor contact list
- Equipment and specifications
- Service level agreements and Memorandums of Understanding
- Crisis communication plan
- Security incident response plan
- Operation resumption plan
- IT standard operating procedures
- Emergency management plan
- Occupant evacuation plan

5.2 BCP Testing – An Everyday Affair

Some organizations assume that business continuity needs to be tested once a year or once in six months. This exercise could be humongous for even mid-size organizations. Typically, mid-sized / large-sized organizations have multiple operating units, multiple locations from which operations take place and multiple sub-systems. Careful planning allows the organization to identify boundaries that can be carved out as ‘test units’ from a business continuity point of view. Segmental testing makes it feasible to operate, test and evaluate the test results effectively while ensuring an uninterrupted flow of business transactions. Further, learning from such testing helps the organization to upgrade its business continuity plan.

Apart from formal testing of the continuity plan, an organization encounters various day-to-day operation issues, failures and disruption issues of various natures. A disruption need not be major so as to call it a disaster, but successful handling of the same helps the organization to remain vibrant.

5.3 BCP And Operational Efficiency

Operational efficiency is the core requirement for any BCP to succeed. Organizations that focus on certain areas shall achieve a higher level of operational efficiency than others. Such areas can be summarized as shown below.
5.3.1 Early detection capabilities
Early detection of a possible business disruption can help organizations to contain
its impact and reduce the ‘cost of recovery’. The following table is an indicative plan for
building such capabilities.
Key Activity: Action Plan
- Ensure infrastructure monitoring capability: ensure that all equipment can be monitored using your technologies and tools; create log management systems that capture, correlate and filter events; deploy “building management tools”, especially in the data center, that are capable of detecting environment-level exceptions with remote alert systems.
- Use local intelligence for preventing criminal activities in the vicinity: take inputs from local law enforcement machinery; keep active vigilance on suspicious activities; assess the social unrest / political turmoil environment to pre-empt the threats.
5.3.2 Calibration of data needs
An organization needs to plan its data reservoir appropriately. Carrying huge
amounts of data that are not required through complex IT networks may not be warranted. It is
essential to calibrate the data needs by optimizing the data requirements, making data
available only where and whenever it is required.
The following table is an indicative plan for calibrating such needs.
Key Activity: Action Plan
- Classify data into categories based on availability needs: distinguish workloads that fall into the "always on" category from the others.
- Check viability of low-cost replication: not all data requires disk-to-disk replication over distance, disk-to-disk mirroring, continuous data replication via snapshots or some other method; check whether tape back-ups provide resiliency and portability that disk lacks.
- Back up what is relevant: differentiate between static (less dynamic) data and changing data; introduce de-duplication checks in your back-up strategy; center your backup strategy and technology on appropriate data classification techniques.
[Figure (referred to in 5.3): areas of operational efficiency – Early detection capabilities; Calibration of needs; BCP at design stage; Simplified alternatives]
5.3.3 Building BCP at design stage
‘A stitch in time saves nine’ is a proverb that applies at the design stage. Be it
network design or application design, certain minimum precautions, if taken in time,
can help the organization to contain the effort needed at the business recovery stage. The
table below is an indicative plan for building business continuity requirements in at the
design stage.
Key Activity: Action Plan
- Ensure application design controls: use secure coding practices; employ appropriate caching techniques so as to minimize data loss if an interruption occurs; well-integrated architectures minimize complexities and incompatibilities in recovery processes; mobile application development ensures that end-user environment recovery is faster.
- Differentiate between peak-hour needs and slack-hour needs: understand seasonal variances or day-to-day activity variances that create different load conditions on organization resources; build operational flexibility into the BCP design to take care of varying conditions.
- Optimize DR plan: build capability that can be tested as part of day-to-day operations, alleviating the burden on formal test schedules.
Secure coding practices reduce the chances of intruders exploiting a vulnerability,
thus averting business disruption due to cyber-attacks, as shown below.
[Figure: secure development stages – Design (security requirements, security architecture); Testing (code review, security testing); Deployment (vulnerability management, environment hardening)]
5.3.4 Simplified Alternatives
Some aspects of BCP need not be as complex as they seem. These can have
simplified alternatives. Some of these are mentioned below:
Key Activity: Action Plan
- Build alternative supply chain and logistics: having different streams of suppliers is a normal need of any business; however, in case of a major disruption there are chances that the supply chain is equally affected by it. Consider how an alternate supply chain is to be built.
- Cross-trained employees: in case of any disaster or disruption, it is possible that trained resources may not be available; in particular, some of the resources may have suffered personal losses and may be in traumatic conditions, and in the worst case loss of human life cannot be ruled out. Cross-train and rotate employees working on BCP tests.
- Use of social media for communication to customers and the market: it is not necessary for the organization to build its own communication channel for use in a disruption; such a channel may not be viable or available in case of need. Use social media to remain connected to customers, the market and the public in general.
- Build strategies for temporary support and services from competitors: in case of major disasters, the normal human and business boundaries may collapse; there is every possibility that the competitor is as much affected as you or may get affected in future. Explore a collaborative approach with competitors to salvage the situation. Use industry regulatory bodies / consortiums for help in extreme situations.
5.4 Economics of Business Continuity
5.4.1 Investments in business continuity
Businesses do go through serious challenges and some stop altogether - even with
plans in place. The risk is high for those who fail to deliver on their promises. Business
continuity requires investments of various types.
Although there is no standard cost model for business continuity, the factors that
dominate cost include:
- Scale
- Complexity
- Management’s risk appetite
- Strength of external demand by regulators, customers and shareholders
For a small office-based business with long delivery times and tolerant customers, the
cost can be low: a basic analysis, planning and the obvious methods of
protecting assets, processes and information may suffice. For organizations with
multiple sites, many lines of business, large volumes of sensitive data and a
demanding client base, the undertaking can be significant.
Investment Area: Nature of Investments
- Leadership: decision making and planning process.
- Development time: value of time to prepare, train and test.
- Relationship management: managing customer relationships which create loyalty and retention; retaining key employees to increase availability and efficiency during restoration.
- Continued commitment: ensuring that the plans are current and ready when needed.
- Contingency purchases, services and funds: essential resources to support business continuity and resumption must be in place.
- Continuous improvement: finding better and more efficient ways of doing business and of business restoration.
5.4.2 Return on investment
A well developed BCP ensures returns to the business in many areas, as depicted below:
Area: Nature of Returns
- Brand image: maintaining the reputation of the business.
- Time to restore business: minimizing restart time for the business.
- Customer / employee retention: the cost of acquiring a new customer or employee is at least two times the cost of retaining them.
- Expense controls: reducing damage to assets during disruption and the direct / indirect costs associated with such repairs.
- Avoided losses: if an organization is able to complete sales / service transactions in spite of a disruption, there is no loss at all, thanks to pro-active business continuity planning.
- Staying in the business: there is always a risk of “going out of business” in case it is not restored.
The following chart demonstrates the difference in business continuity parameters
when there is adequate planning.
[Chart: level of operational activity (100% before the disaster strikes) against time horizon, comparing “If BCP is implemented” with “If BCP is not implemented”; marked are the BCP goal operation limit, the minimum acceptable operation limit, the acceptable recovery period limit, the recovery gap in the after-disaster period, and the time (and cost) saved due to BCP]
The flow of such an exercise is depicted below.
[Figure: flow of an industry-wide BCP exercise – Readiness of industry; Standardize the test format; Educate all participants about the test plan; Conduct industry-wide test; Select a specific set of financial transactions; All participants switch to back-up site simultaneously for those transactions; Integration testing and analysis of overall results; Give feedback to the industry; Generate market intelligence]
In 2013, the exercise:
- Was supported by all major exchanges, markets and industry utilities.
- Had a participant base of 128 securities firms and 62 market organizations.
- Covered 985 communications connections between securities firms and banks and the exchanges, markets and utilities.
- Involved testing components for equities, options, fixed income, clearing and settlement utilities, market data, payment systems, treasuries, commercial paper and foreign exchange.
- Assessed the ability of the securities industry to operate through adverse conditions.
5.6.2 Financial Services Sector Coordinating Council (FSSCC) – tests against cyber-attacks
Cyber-attacks on smaller financial institutions and businesses are one of the ways in which
hackers impact financial transactions. Such malicious attacks disrupt capital
markets and shake investor confidence in the financial system. Hackers are also
using individuals and smaller institutions as a gateway to infiltrate larger banking
organizations. Distributed denial of service attempts hurt the credibility of financial
institutions by crashing their websites or other public-facing outlets that are used by
millions of financial clients. A phishing attack allows a hacker to obtain the login access of firm
employees in order to send out false information that could disrupt the markets.
The Financial Services Sector Coordinating Council (FSSCC) hosted a market-wide cyber
disruption exercise across equities clearing and trading processes. This helps
organizations to assess their internal incident response plans in conjunction with
each other.
It is expected that such exercises will improve the readiness of the sector as a whole.
[Figure: external hackers (denial of service attack, phishing attack) target small financial institutes and businesses; impact: disrupt capital market, shake market confidence]
5.6.3 Reserve Bank of India guidelines on industry BCP requirements
The Reserve Bank of India has recommended a three-step approach to testing business
continuity plans to the banking industry.
[Figure: three-step approach – Set BCP alarm (set industry-level crisis organization; establish forms of communication); Reciprocal arrangements (honoring of transactions for other banks; introduce safeguards, limits and waivers); Industry mock drills (identify industry-level scenarios; conduct test, gather intelligence, improve response)]
Set BCP Alarm
- Establish an industry-wide alarm and crisis organization representing diverse interest groups. Any of the institutions can invoke the alarm organization by activating the level affected and simulating.
- Consider having a website for industry-wide BCP-related information for the benefit of the constituents of the industry.
Test Reciprocal Arrangements
- Review the extent to which the RBI and the individual banks can act on behalf of one another in exceptional situations, such as:
  - Waiving charges for use of other banks’ ATMs
  - Honoring checks of other banks
- Banks may consider waiving penalties to be levied on delays in payments of treasury deals.
Industry Mock Drills
- The industry as a whole should plan to conduct a BCP drill on a periodic basis.
- Test scenarios can include a particular city / processing hub being unavailable for a day. Such a scenario shall require the involvement of a large section of the machinery and service providers.
5.6.4 BCP as emergency service
For all emergencies, respective governments have made different provisions for
continued services. The U.S. Government has established the following services in the
telecommunications sector to take care of emergency situations:
- Telecommunications Service Priority System (TSPS)
- Government Emergency Telecommunications Service (GETS)
- Wireless Priority Service Programme (WPS)
Such services shall ensure that federal, state, fire brigade, local police and public safety
communication channels remain uninterrupted during emergencies.
Summary
- Ensuring the continued relevance of a BCP requires effort.
- It is possible to sustain a business continuity program by constant vigilance on operational efficiencies and adoption of the right techniques.
- A BCP has an assured return on investment if planned carefully.
- With growing inter-dependencies across businesses, industry-wide BCP drills shall become the norm.
- More than a compliance requirement, BCP for certain services shall become a statutory requirement on the path forward.
ANNEXURE I: Glossary
Business continuity planning: The activity performed by an organization to ensure that all critical business functions will be available to customers, suppliers, regulators, and other entities that must have access to or rely upon those functions.
Business unit recovery planning: The component of business continuity which deals specifically with the relocation of key organization personnel in the event of an adverse event, and the provision of essential records, equipment, supplies, work space, communication facilities, computer processing capability, etc.
Business impact assessment: Exercise conducted to differentiate between critical (urgent) and non-critical (non-urgent) organization functions / activities based on the impact to the business on pre-defined parameters. This also involves balancing control cost and the availability of technical recovery solutions.
Cold site: An alternative facility that is void of any resources or equipment except air-conditioning and raised flooring. Equipment and resources must be installed in such a facility to duplicate the critical business functions of an organization. Cold sites have many variations depending on their communication facilities, UPS systems, or mobility.
Consortium agreement: An agreement made by a group of organizations to share processing facilities and/or office facilities if one member of the group suffers a disaster.
Continuous backup: Back-up of computer data by automatically saving a copy of every change made to that data, essentially capturing every version of the data that the user saves. It allows the user or administrator to restore data to any point in time.
Crisis management: The overall coordination of an organization’s response to a crisis, in an effective, timely manner, with the goal of maximizing employee safety and avoiding or minimizing damage to the organization’s profitability, reputation and ability to operate.
Electronic vaulting: Transfer of data to an offsite storage facility via a communication link rather than via portable media. Typically used for batch / journal updates to critical files to supplement full backups taken periodically.
Hot site: An alternative facility that has the equipment and resources to recover the business functions affected by the occurrence of a disaster. Hot sites may vary in the type of facilities offered (such as data processing, communication, or any other critical business functions needing duplication). The location and size of the hot site will be proportional to the equipment and resources needed.
Disaster recovery planning: The process, policies and procedures related to preparation for recovery and continuation of technology infrastructure critical to an organization after a natural, human-induced or technological disaster has occurred.
Maximum acceptable outage (MAO): Time it would take for adverse impacts, which might arise as a result of not providing a product / service or performing an activity, to become unacceptable.
Minimum business continuity objective (MBCO): Minimum level of service and/or product that is acceptable to the organization to achieve its business objective during a disruption.
Recovery point objective (RPO): Point to which information used by an activity must be restored to enable the activity to operate on resumption.
Recovery time objective (RTO): Period of time post declaration of an incident within which a product or service must be resumed or an activity must be resumed, and/or a resource must be recovered.
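The RPO, RTO and MAO defined above only become useful when the results of a segmental test (section 5.2) are measured against them. The following Python is an added example, not part of the RSM Astute Consulting document; the activity names, objective values and timestamps are constructed sample data, and the checks follow the glossary definitions only.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

@dataclass(frozen=True)
class ContinuityObjectives:
    """Targets for one activity, named after the glossary terms."""
    activity: str
    rpo: timedelta  # Recovery Point Objective: tolerable data-loss window
    rto: timedelta  # Recovery Time Objective: resume within this after declaration
    mao: timedelta  # Maximum Acceptable Outage: impact unacceptable beyond this

@dataclass(frozen=True)
class TestUnitResult:
    """What one segmental BCP test observed for an activity (constructed data)."""
    activity: str
    declared_at: datetime                  # incident declared / test invoked
    last_restore_point: datetime           # newest restorable copy of the data
    resumed_at: Optional[datetime] = None  # None: never resumed during the test

def _minutes(d: Optional[timedelta]) -> Optional[int]:
    return None if d is None else int(d.total_seconds() // 60)

def objective_findings(obj: ContinuityObjectives) -> List[str]:
    """Sanity-check the objectives themselves before testing against them."""
    findings = []
    # An RTO longer than the MAO can never be met without unacceptable impact.
    if obj.rto > obj.mao:
        findings.append(f"{obj.activity}: RTO {obj.rto} exceeds MAO {obj.mao}")
    return findings

def evaluate_test_unit(obj: ContinuityObjectives, res: TestUnitResult) -> Dict:
    """Compare observed data loss and downtime with RPO, RTO and MAO."""
    if obj.activity != res.activity:
        raise ValueError("objectives and result refer to different activities")
    # Data loss runs back from the declaration to the newest restore point.
    data_loss = max(timedelta(0), res.declared_at - res.last_restore_point)
    downtime = None if res.resumed_at is None else res.resumed_at - res.declared_at
    return {
        "activity": obj.activity,
        "data_loss_minutes": _minutes(data_loss),
        "downtime_minutes": _minutes(downtime),
        "rpo_met": data_loss <= obj.rpo,
        "rto_met": downtime is not None and downtime <= obj.rto,
        # Never resuming, or resuming after the MAO, is an unacceptable outage.
        "mao_breached": downtime is None or downtime > obj.mao,
    }

def evaluate_all(objectives, results) -> List[Dict]:
    """Evaluate every test unit against the objectives for its activity."""
    by_activity = {o.activity: o for o in objectives}
    return [evaluate_test_unit(by_activity[r.activity], r) for r in results]

# Constructed sample: two test units from one segmental BCP exercise.
H, M = timedelta(hours=1), timedelta(minutes=1)
SAMPLE_OBJECTIVES = [
    ContinuityObjectives("payment processing", 15 * M, 2 * H, 4 * H),
    ContinuityObjectives("customer portal", 1 * H, 4 * H, 8 * H),
]
# A plan that can never be met: the RTO is longer than the MAO.
INCONSISTENT_OBJECTIVE = ContinuityObjectives("treasury settlement", 5 * M, 6 * H, 4 * H)
T0 = datetime(2014, 3, 1, 9, 0)  # constructed declaration time
SAMPLE_RESULTS = [
    TestUnitResult("payment processing", T0, T0 - 10 * M, T0 + 90 * M),
    TestUnitResult("customer portal", T0, T0 - 90 * M, None),
]

if __name__ == "__main__":
    for row in evaluate_all(SAMPLE_OBJECTIVES, SAMPLE_RESULTS):
        print(row)
```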
ANNEXURE II: Structure Of ISO Standard 22301:2012
1. Scope
2. Normative references
3. Terms and definitions
4. Context of the organization
4.1 Understanding the organization and its context
4.2 Understanding the needs and expectations of interested parties
4.3 Determining the scope of the business continuity management system
4.4 Business continuity management system
5. Leadership
5.1 Leadership and commitment
5.2 Management commitment
5.3 Policy
5.4 Organizational roles, responsibilities and authorities
6. Planning
6.1 Actions to address risks and opportunities
6.2 Business continuity objective and plans to achieve them
7. Support
7.1 Resources
7.2 Competence
7.3 Awareness
7.4 Communication
7.5 Documented information
8. Operation
8.1 Operation planning and control
8.2 Business impact analysis and risk assessment
8.3 Business continuity strategy
8.4 Establish and implement business continuity procedure
8.5 Exercising and testing
9. Performance evaluation
9.1 Monitoring, measurement, analysis and evaluation
9.2 Internal audit
9.3 Management review
10. Improvements
10.1 Non-conformity and corrective action
10.2 Continual improvements
ANNEXURE III: Certain Laws And Regulations Related To Business Continuity
Health Insurance Portability and Accountability Act (HIPAA): HIPAA mandates a five-day maximum turnaround on requests for information.
Sarbanes-Oxley Act of 2002: Sarbanes-Oxley mandates a required timeframe in which to report financial results: each quarter and at year-end. Failure to meet these deadlines can result in financial penalties.
New Basel Capital Accord (Basel II): Requires financial institution capital reserves to include operational and credit risks and includes IT security risk as a principal operational risk. Basel II also requires business resiliency standards for any financial institution doing business in the EU. Basel II defines certain principles for business continuity.
USA PATRIOT Act 2001: Defines what information can be made available to federal and local authorities for those suspected of terrorism or terrorist-related activities. This act requires contacted institutions to respond within a specific timeframe to requests for information from databases.
FINRA (Financial Industry Regulatory Authority) – US Rule 4370: Each member must create and maintain a written business continuity plan identifying procedures relating to an emergency or significant business disruption. The business continuity plan must be made available promptly upon request to FINRA staff.
Civil Contingency Bill (UK): Defines emergency preparedness for core organizations to provide civil protection and warrants having a business continuity plan in place.
European Program for Critical Infrastructure Protection (EPCIP): Has defined special requirements for "Prevention, Preparedness and Consequence Management of Terrorism and other Security Related Risks" for the period.
International Association of Insurance Supervisors: Mandates that insurers establish and operate an effective risk management program, and this includes risks associated with business continuity.
ASIS SPC.1: This standard helps an organization design a balanced system to reduce the likelihood and minimize the consequences of disruptive events.
ISO 22399: Provides general guidance for an organization to develop its own specific performance criteria for incident preparedness and operational continuity, and to design an appropriate management system.
ISO 223: Protection of society from, and response to, incidents, emergencies and disasters caused by intentional and unintentional human acts, natural hazards and technical failures. Addresses the challenges an organization, group of organizations or society may face before, during and after a disruptive event.
IRDA - BCP requirements: IRDA compliance defines business continuity planning as one of the core requirements.
SEBI - Guidelines for Business Continuity Plan (BCP) and Disaster Recovery (DR): Has issued guidelines to stock exchanges and depositories to have zero data loss.
Reserve Bank of India: The Reserve Bank of India mandates all banks to have an entire business continuity framework and disaster recovery framework in place.