Business Continuity Plan (BCP)
The Business Continuity Plan (BCP) is an essential part of any organisation’s response planning. It sets out how the business will operate following an incident and how it expects to return to ‘business as usual’ in the quickest possible time afterwards.
The Need for a Business Continuity Plan
Major events such as terrorism (New York, 2001; London, 2005), Hurricane Katrina and Swine Flu have brought the issue of Business Continuity Management to the attention of all business owners and executives. They now realise that they need to take steps to improve the chances that their business would survive such incidents and continue to operate, deliver an acceptable level of customer service and generate income. Less news grabbing, but just as significant, are events such as:
- local infrastructure failures (e.g. internet access or telephone systems);
- access denial due to external incidents (a fire in another company, road traffic accidents, bad weather);
- staff unavailability (winter flu, industrial action, unexpected Lottery win!);
- accidental or malicious corruption or destruction of data;
- theft of company property;
- the failure of key suppliers to meet delivery deadlines;
These are all sound reasons to have in place a credible Business Continuity Management System. Other drivers which should encourage organizations to take Business Continuity Planning more seriously include:
- Increased Executive/Board responsibilities (e.g. Turnbull Report/Combined Code of Corporate Governance, Sarbanes-Oxley Act (USA), Basel II Accord etc).
- Large clients and public bodies often require that a Business Continuity Plan has been developed and implemented; even just to get on a preferred supplier list or submit a tender.
- Auditors increasingly expect to see a Business Continuity Plan in place as part of their due diligence audits.
- The Civil Contingencies Act 2004 has placed Business Continuity Management obligations on public sector organisations.
- Insurers increasingly require to see evidence of Business Continuity Plans in place.
- Holding Companies & Shareholders have rising expectations in respect of corporate governance.
- Regulatory Bodies are starting to impose Business Continuity Management on the organisations they regulate.
- Learning of a disaster to a neighbor or associate.
- Experiencing a disaster or near miss!!
Business Continuity Plan Objectives
- Guide the company’s disaster recovery teams: This is one of the most fundamental objectives of business continuity management. Your BCP plan template is more than just a document to be stored away and never seen again. It’s a step-by-step guide that will be used by your recovery teams during an actual disaster situation.
- Identify disaster recovery personnel:Who is o n those disaster recovery teams? What are their roles? How can they be reached in an emergency? Identifying this information is one of the most important goals of your business continuity planning.
- Assess risks and impact: Another crucial purpose of creating a BCP is identifying the various threats to your operations. In a later section, your plan will outline different types of disasters that could disrupt the business. You will also include the impact of each scenario: how much damage would be caused, how long the recovery would take, the cost of operational losses and so on.
- Provide the step-by-step protocols: Your plan will provide the specific procedures that need to be followed to assist in recovery. Chances are, when disaster strikes, personnel won’t remember exactly what they’re supposed to do. Your disaster recovery teams should have a general idea, but if needed they’ll be able to consult the document to follow the exact procedures as they’re listed.
- Identify the location of critical data and assets: One of the most important IT business continuity plan objectives is to identify where critical data and other assets are being stored. This allows recovery teams to begin recovery even if key IT personnel are unavailable. Imagine, for example, a scenario in which you had no IT workforce. There must be, at least, a footprint for other personnel or stakeholders to follow. Any confusion will significantly impede the recovery process.
- Prioritize emergency communications: Who communicates with the client during an emergency? Who notifies the workforce? Who speaks to the media? By having a business continuity management policy in place, recovery personnel will understand their roles for both internal and external emergency communications.
- Identify back-up locations and resources: Recovery teams need to know where and how to relocate operations, and with what resources. Your BCP will outline the availability of any back-up office space or the procedures for securing a new space rapidly. Additionally, it will cite the availability of back-up physical resources, such as workstations and devices.
- Outline existing preventative measures: A business stakeholder wants to know, “What are we doing to prevent ransomware situations like the one I just read about in the news?” This is another reason for your BCP. It will outline the technologies, tools and protocols that are already in place to prevent or mitigate the effects of a disaster.
- Find weaknesses and propose solutions: Any holes in your continuity planning must be addressed. The BCP is as much a process as it is a static document. It’s a work in progress, in which risks need to be constantly evaluated. Identify scenarios that would leave operations unprotected, and propose specific action steps that should be taken immediately.
Components of Business Continuity Plan (BCP)
There are five components of Business Continuity Plan:
- Disaster Recovery Plan
- Continuity of Operations Plan
- Incident Management Plan
- Occupant Emergency Plan
- Business Resumption Plan
Steps in Developing a Business Continuity Plan (BCP)
Development of a business continuity plan includes four steps:
- Conduct a business impact analysis to identify time-sensitive or critical business functions and processes and the resources that support them.
- Identify, document, and implement to recover critical business functions and processes.
- Organize a business continuity team and compile a business continuity plan to manage a business disruption.
- Conduct training for the business continuity team and testing and exercises to evaluate recovery strategies and the plan.
Business Continuity Plan Vs. with Emergency Response, Crisis Management and Disaster Recovery
Business Continuity Planning joins with Emergency Response, Crisis Management and Disaster Recovery Planning [see Figure 1] to create a comprehensive process for recovering from unexpected events that threaten stability or even the future existence of an organization. Business Continuity is often the most crucial element in determining whether an organization can survive a major disruption over the long run. While the other three are certainly important factors in reducing damage, saving lives and re-establishing a reliable snapshot of the organization's technology infrastructure, databases and transactions, all are rendered ineffective without a sound Business Continuity Plan (BCP).
source: ChainLink Research
Benefits of Having a Business Continuity Plan
- Having a business continuity plan in place will keep businesses trading when they would have otherwise have probably failed due to an incident.
- Business continuity plans can significantly reduce the cost of disruptions.
- Companies with business continuity plans benefit from insurance premium discounts, reduced excesses and doors opening to new insurance markets.
- Having a business continuity plan allows what would otherwise be unacceptable risks to be insured.
- Business continuity maintains continuity of operations and service delivery
- Business continuity helps to build customer confidence
- Business continuity helps to build confidence within the organization / business
- Business continuity is potentially life saving
- Business continuity provides competitive advantage
- Business continuity provides compliance benefits
- Business continuity helps mitigate business risks and financial exposures
- Business continuity helps preserve brand value and company reputation
- Business continuity ensures supply chain security and order fulfillment
- Business continuity can help enhance or develop an appropriate organizational culture
- Business continuity can help enhance health and safety
- Business continuity helps the organization / business to be more resilient
- Business continuity gathers information that is useful to the whole organization / business
Business Continuity Plan- Best Practices
- Full-Fledged Automation: In spite of remarkable advances in automation technologies, a good number of enterprises are found to rely on recovery systems that are manual or are handled by using human power. The important feature of such practice is over reliance on entrepreneurs and their employees in terms of their ability to access organization’s remote facilities. Remote accessibility can be severely compromised in the event of a natural disaster or terror attack. Hence remote accessibility cannot be relied upon in these situations. By adopting full-scale automation, business can minimize their dependence on remote accessibility and involvement of human intervention to maintain business continuity.
- Understand limitations of virtual systems: Adoption of virtual server, desktops, and storage can considerably improve ability of the organization to deal with outages and downtime. These virtualized systems have an intrinsic ability that reduces risk of downtime by offering greater protection from outages. In spite of this, you need to understand that such virtualized systems cannot offer hundred percent safety against failure. This calls for need to be prepared for the unexpected by employing a robust backup strategy.
- Testing of Every Plan: Although, employing business continuity plan immunizes business against natural disasters and guarantees business availability, it cannot be considered to be a fool proof plan until you have checked and tested every single step. You need to make sure that the business continuity plan is able to sustain the most challenging conditions. More than twenty percent of businesses surveyed were found to have never undertaken testing of their business continuity plans. Equal number of companies admitted infrequent testing of the business continuity plan. Testing establishes the credibility of business continuity plan and must be undertaken on a quarterly basis. This must involve running of critical applications and testing every single system.
- Relevance of Location: With reference to a recent Consumer Economics report, as high as forty percent organizations in the midsized category rely on a single data center for their business operations. In view of growing threats of terror attacks due to current situation and greater frequency of natural disasters owing to global warming, it necessary to assess security level of data centers in terms of their geographical locations. One must also take into account ease of accessibility during unexpected events and range of service availability in catastrophic situations. There is an urgent need to explore a cloud based data storage option by organizations that have facility of a single remotely located data center. These steps will help reduce effect of downtime during extreme situations.
- Need prioritization: Even if a comprehensive and in-depth business continuity plan is essential for those organizations whose requirements of data recovery are of extremely large scale, there has to be a critical analysis of the most significant applications, software, and data storage. These mission critical applications must be given priority while planning expenditure for business continuity. Precise identification of critical applications can avoid unnecessary spending on less important applications.
Disaster Recovery Planning
Disaster Recovery Plan (DRP)
Business Continuity Planning (BCP)
Enterprise Risk Management (ERM)
- ↑ What is a Business Continuity Plan (BCP)? [^http://www.cpni.gov.uk/Security-Planning/Business-continuity-plan/ cpni.gov.uk]
- ↑ Why is a Business Continuity Plan Needed BusineeContinuityUK
- ↑ Business Continuity Plan Objectives InvenioIT
- ↑ What are the Components of Business Continuity Plan (BCP)? Delcorp Data
- ↑ What Steps should be followed in Developing a Business Continuity Plan (BCP)? ready.gov
- ↑ Business Continuity Plan Vs. with Emergency Response, Crisis Management and Disaster Recovery Research
- ↑ What are the Benefits of Having a Business Continuity Plan Continuity Central
- ↑ Business Continuity Plan- Best Practices CloudOye
- How to Create an Effective Business Continuity Plan cio.com
- Small Firm Business Continuity Plan Template finra.org
- How to Build an Effective and Organized Business Continuity Plan forbes
- Rethink Your Business Continuity Strategy HBR
- SungardASVoice - Why Your Business Continuity Plan Can't Wait Pragati Verma