Business Continuity Planning

Business JW
JW
T
T
JW
Disaster
T

Continuity
Recovery
Planning (BCP)
Planning (DRP)
Fundamentals

Fundamentals
Fundamentals Wilson
John

John Wilson Wilson
John
Copyright © 2004 T. John Wilson & Associates P/L

Business Continuity Planning – JW
T

What is it ?
In broad terms it is a plan to cater for continuing in
business, in the event of a major disaster, both from a
business process and ICT recovery perspective.
By definition, it is a Business Plan, which
encompasses similar terms such as:
– Disaster Recovery Planning (usually IT
environment)
– Risk Assessment/Management
– Contingency Planning
It is supported by two AS/NZS Standards:
– AS/NZS 4360:1995 for Risk Management
– AS/NZS 4444:1996 for Business Continuity
Planning


Why do we need to Plan for Disasters JW
T

?
We need to assess the potential risks to the
organisation, which could result in disasters or
emergency situations
We need to consider all the possible incident types,
and the impact they may have on the organisation’s
ability to continue in business
We need to plan for resuming business (not just ICT),
in the event of a disaster
40% of major companies that experience a serious
disaster go out of business within one year

WHY ?


Answer JW
T

Earthquake
The process of resuming
normal business is:

• Too Traumatic

• Too Difficult

• Too Expensive

There has been little or no Planning & Preparation
to minimise the impact of a Disaster

JW
T

What is a Disaster ?
Act of God:
Earthquake
e.g. Kobe, Turkey
Cyclone/Hurricane
e.g. Florida
Floods
e.g. Nyngan, Bangladesh
Bushfires
e.g. Australia, California
Act of Man:
Accident e.g. Plane Crash, Train Crash
Terrorism e.g. World Trade Centre, Bali
Sabbotage e.g. Network Hacking, Staff Grievance

BCP in Perspective JW
T

For a business to continue/survive after a disaster,
3 main preparatory disciplines are needed:
– Business Impact, Risk Assessment & Management (ongoing)
– Business Continuity Planning (non-IT & ongoing)
– Disaster Recovery Planning (IT only & ongoing)
A business ignores
these at its peril !!!


BCP/DRP Becoming Mandatory – JW
T

WHY ?

Other than Employees, Information/Data is a company’s most valuable asset –
this may be computerised or on paper.
Can the business continue operating manually, if computers
are not available ?
Business is becoming increasingly dependent on computerisation and technology
Auditors are demanding it
Insurers are demanding it
Shareholders are holding management responsible for having it


Requirements for JW
T

Getting Something Done

The knowledge of how to do it
The skill to do it
The time in which to do it
The desire/motivation to do it
Problem: Requirements may be for Constructive or
Destructive reasons
Motivating Factor: The individual’s Attitude or Frame of Mind


Pyramid of Needs JW
T

(Abraham Maslow, in the 1920’s)

I
am
Motivation making Self-Actualisation
the best
Theory of myself
Respect of
family, friends etc. Esteem
Acceptance by
family, friends & workmates Love Needs
Safety (physical) and
Safety from Worry Safety Needs
Food, Warmth, Shelter, Sex
Psychological
Theory: “Once needs have been met at Needs
one particular level, they
cease to be motivators”

Start with Management by: JW
T

Getting their commitment & support by:
Educating them on the changing/increasing role of IT
Explaining the risks & implications to them
Identifying the cost of not having a BCP/DRP
Getting them involved in initial planning
Getting their commitment – both financial & People
Making BCP/DRP a Corporate Policy


Corporate Policy Guidelines should: JW
T

Demonstrate that management is serious about BCP/DRP
Involve Legal, Financial and Audit departments to reinforce it
Emphasise the importance of corporate procedures and data and the
need to protect it
Define the minimum requirements to allow the business to recover
after a disaster
Be delivered to all employees concerned in an authorative manner


AS/NZS 4444:1996 (Section 9) states that JW
T
a BCP should cover:
Identification/Prioritisation of critical business processes
Identification of potential impact of various types of disaster on
business activities
Identification & Agreement of responsibilities and emergency
arrangements
Documentation of agreed processes and procedures
Education of staff in the execution of these procedures
Testing of the BCP
Ongoing updating of the BCP


Perspectives of Business JW
T

Continuity Planning:

The following perspectives should be
central to creating a BCP:
Prevention: What can be done to
minimize the likelihood of a crisis ?
Detection: What can be done to ensure
timely detection of a crisis ?
Correction: What can be done to ensure
optimum response to recovering from a
crisis ?


Phases of JW
T

Business Continuity Planning
To begin with, it is imperative to focus on the “Minimum”
requirements to allow the business to continue – avoid a Rolls
Royce solution which becomes too costly and impractical to implement
and maintain. Then focus on:

Risk Assessment

Business Impact Analysis

Strategy Planning
& Agreement

Plan Development

Testing/Maintenance


Risk Assessment JW
T

This is the first step towards a Business Continuity Plan
(BCP)
Ideally it should be a Management Workshop which
identifies the Critical Business Processes & Risks which
the business faces (both IT & non-IT), and the likelihood of
them happening
These risks should then be placed in descending order of
priority/seriousness
These should be documented
for later input to the BCP and
be part of Risk Management
Policy
…..see next slide

Risk Assessment Table JW
T

A Risk Assessment Table, including Target Recovery Timescales, should be prepared,
containing the following headings:
– Risk Ref No (in descending order of priority)
– Description
– Extent (of loss to the business)
– ODDS (of occurring) – Low, Medium, High or Extreme
– Impact (on the business) - L, M, H or E
– Risk (of it happening) - L, M, H or E
– Maximum Allowable Outage (Days)
– BCP Action (Xref to appropriate section)

Business Processes rated H or E should
be given highest priority

Note: This table should logically follow the Overview in the BCP itself

Risk Management JW
T

AS/NZS 4360:1999 Standard definition:

“ The systematic application of management policies, procedures and
practices to the tasks of identifying, analyzing, assessing, treating and
monitoring risk”
The standard also recommends the scope to cover an interruption
period of 0 - 14 days. A period longer than that is significantly less
probable


Business Impact Analysis JW
T

Management need to have structured analythical
information on:
– Critical business activities & associated computer
systems
– Critical timeframes for each activity
– Consequences (Direct & Indirect) of these activities
being unavailable
– Mimimum resources required for each activity


Strategy Planning & Agreement JW
T

Management should workshop, identify & agree the strategies for
Business Continuity in the event of a disaster
Multiple strategies may be needed depending on size and
business nature of the organisation
Alternative manual processes may be needed if IT environment is
not available
Minimum requirement is to
enable business to continue
operating


Plan Development JW
T

(Typical Contents)

Action Plans: Basic instructions for incident containment, communications
policies, notification guidelines
General Supporting Policies: Operation, Maintenance, Testing, Training &
Distribution of the plan
Background Information: Decisions on which BCP is based – agreed definitions,
scope, scenarios considered and relationship to IT DRP
Checklists and Forms
Recovery Strategies: Documentation for recovery and resumption of critical
business processes, including personnel involved
Contact Details: of all key personnel who would be involved in the execution of
the BCP.

JW
T

BCP Essentials
BCP outputs can vary depending on the size and complexity of the
business, however….
To be effective any BCP must be kept as simple as possible and must
still address two major areas:
1. Logistics: High level information on:- Where to recover to; business
priorities; plan activation; checklists
2. Operational: Pre-existing procedures/processes which may require
manual operation to address the needs of Business Continuity Planning


JW
T

BCP Minimum Essentials

Every BCP must address at a minimum:
– Initial recovery and/or continuity of business operations
– Activities necessary to maintain operations in crisis mode
– Return of the business operations to the original
locations/state (resumption procedures)


Putting it into Action JW
T

Testing the plan is essential – otherwise it is hypothetical
A role-playing workshop involving key personnel is a good
approach to testing
Focus on the manual requirements for Business Continuity
e.g. ensure key suppliers are involved:
– Spare cheque books at bank
– Stock of company letterhead, order books, invoices at
print supplier


JW
T

Summary
BCP Focus needs to be on Minimum Requirements to keep
business operating
Remember it is an interim arrangement – not permanent
Apply the KISS principle - keep it basic and simple, otherwise it
will be unworkable
Keep the planning at management level, otherwise interest
groups get involved, making it unworkable
Ensure the BCP gets updated to reflect changes in the business


JW
T

Q st i on
? p pens
! ….
just in
case
!
v er ha pared
–
e it ne be pr
e
Let’ s hop …. Bu
t let’s


Business Continuity Planning

More Related Content

What's hot

Viewers also liked

Similar to Business Continuity Planning

Business Continuity Planning