Business Continuity Planning (BCP)
Business continuity planning (BCP) is the creation of a strategy through the recognition of threats and risks facing a company, with the aim of ensuring that personnel and assets are protected and able to function in the event of a disaster. BCP involves defining potential risks, determining how those risks will affect operations, implementing safeguards and procedures designed to mitigate those risks, testing those procedures to ensure that they work, and periodically reviewing the process to make sure that it is up to date.
The Philosophy and the Science of Business Continuity Planning
Business continuity planning can be almost as much of a consternation to organizations as the disaster that thrusts those plans into action. Unless we’re talking Hollywood summer blockbusters, disasters are no one’s idea of a good time. However, retaining core business operations, like data centers and telecommunications, during and after unforeseen events is crucial to long-term company health. Part of the reason business continuity planning can be so difficult to broach is that management and IT personnel can approach it from very different perspectives. The philosophy behind business continuity planning often stems from senior management, who ultimately have the final say on what resources, time and personnel are devoted to critical projects. Business leaders’ strategic focus for disaster recovery solutions will likely be less technical and more based on cost and PR. After all, they’re the face of the corporation when something goes wrong. IT personnel, on the other hand, will tend toward the scientific side of the equation, prioritizing infrastructure investment. Both of these perspectives are valid, and they can create contention if the two sides don’t see eye to eye. One way to bridge this potential risk management gap is to separate the idea of ‘risk’ from the idea of ‘management,’ according to business continuity planning expert Geary Sikich. What you’re about to read might seem a little abstract, but stick with it.
Business Continuity Planning - Standards
Several business continuity standards have been published by various standards bodies:
- ISO - ISO 22301:2012, "Societal security – Business continuity management systems – Requirements", specifies a management system to manage an organization's business continuity arrangements. It is formal in style in order to facilitate compliance auditing and certification. It is supported by ISO 22313:2012, "Societal security – Business continuity management systems – Guidance" which provides more pragmatic advice concerning business continuity management. ISO/IEC 27031:2011, "Information security – Security techniques – Guidelines for information and communication technology [ICT] readiness for business continuity" offers guidance on the ICT aspects of business continuity management.
- United Kingdom – British Standard BS 25999 was a two-part business continuity management standard. “BS 25999-1:2006 Business Continuity Management. Code of Practice” offered pragmatic implementation guidance, but was withdrawn in 2012 when ISO 22313 effectively superseded it. “BS 25999-2:2007 Specification for Business Continuity Management” formally specified a set of requirements for a business continuity management system. It too was withdrawn in 2012 when it was (in effect) replaced by ISO 22301.
- North America – Published by the National Fire Protection Association NFPA 1600: Standard on Disaster/Emergency Management and Business Continuity Programs.
- North America - ASIS/BSI BCM.01:2010 published Dec 2010
- ANSI/ASIS SPC.1-2009 Organizational Resilience: "Security, Preparedness, and Continuity Management Systems—Requirements with Guidance for Use", an American National Standard, is under consideration for inclusion in the DHS PS-Prep, a voluntary program designed to enhance national resilience in an all-hazards environment by improving private sector preparedness.
- Australia – Published by Standards Australia: HB 292-2006, "A practitioner's guide to business continuity management", and HB 293-2006, "Executive guide to business continuity management". In 2010, Standards Australia introduced its Standard AS/NZS 5050, which connects far more closely with traditional risk management practices. This interpretation is designed to be used in conjunction with AS/NZS 31000 covering risk management.
Business Continuity Planning Phases (See Figure 1.)
1. Project Initiation
   - Define Business Continuity Objective and Scope of coverage.
   - Establish a Business Continuity Steering Committee.
   - Draw up Business Continuity Policies.
2. Business Analysis
   - Perform Risk Analysis and Business Impact Analysis.
   - Consider Alternative Business Continuity Strategies.
   - Carry out Cost-Benefit Analysis and select a Strategy.
   - Develop a Business Continuity Budget.
3. Design and Development (Designing the Plan)
   - Set up a Business Recovery Team and assign responsibility to the members.
   - Identify Plan Structure and major components.
   - Develop Backup and Recovery Strategies.
   - Develop Scenario to Execute Plan.
   - Develop Escalation, Notification and Plan Activation Criteria.
   - Develop General Plan Administration Policy.
4. Implementation (Creating the Plan)
   - Prepare Emergency Response Procedures.
   - Prepare Command Center Activation Procedures.
   - Prepare Detailed Recovery Procedures.
   - Prepare Vendor Contracts and Purchase of Recovery Resources.
   - Ensure everything necessary is in place.
   - Ensure Recovery Team members know their Duties and Responsibilities.
5. Testing
   - Exercise Plan based on selected Scenario.
   - Produce Test Report and Evaluate the Result.
   - Provide Training and Awareness to all Personnel.
6. Maintenance (Updating the Plan)
   - Review the Plan periodically.
   - Update the Plan with any Changes or Improvements.
   - Distribute the Plan to Recovery Team members.
Figure 1. source: CIO Index
Risk Based Business Continuity Process (See Figure 2.)
- The first stage is to guide management and operations personnel through a structured risk identification and assessment process. Facilitated workshops have been found to be a very effective means of doing this. The threats identified are assessed using an organisation-specific risk matrix that takes into account the recovery time objectives for the business.
- The next stage is to identify strategies to reduce the risk for the key scenarios identified. The suitability of alternative strategies is assessed against the output of the risk assessment and, if necessary, the cost-benefit of alternative strategies is analysed.
- Using a list of key risks as guidance on the type of events which the business may need to respond to, the final stage is to develop the business continuity plan (BCP). The BCP brings together the actions to be taken at the time of an incident, the persons involved in managing the incident and how they are to be contacted. It should also interface with other key plans for the business (e.g. crisis communications and PR, safety and emergency plans, etc.).
- Documenting the BCP is one part of the overall BCM programme. Its success, however, relies upon the development of a risk-aware culture across the business, regular rehearsing and testing of the BCP and reviewing of the key risks and BCM strategies.
Figure 2. source: Risktec
Business Continuity Planning (BCP) - Governance Structure
A BCP contains a governance structure, often in the form of a committee, that will ensure senior management commitment and define senior management roles and responsibilities. The BCP senior management committee is responsible for the oversight, initiation, planning, approval, testing and audit of the BCP. It also implements the BCP, coordinates activities, approves the BIA survey, oversees the creation of continuity plans and reviews the results of quality assurance activities. Senior managers or a BCP Committee would normally:
- approve the governance structure;
- clarify their roles, and those of participants in the program;
- oversee the creation of a list of appropriate committees, working groups and teams to develop and execute the plan;
- provide strategic direction and communicate essential messages;
- approve the results of the BIA;
- review the critical services and products that have been identified;
- approve the continuity plans and arrangements;
- monitor quality assurance activities; and
- resolve conflicting interests and priorities.
This BCP committee is normally composed of the following members:
- Executive sponsor has overall responsibility for the BCP committee; elicits senior management's support and direction; and ensures that adequate funding is available for the BCP program.
- BCP Coordinator secures senior management's support; estimates funding requirements; develops BCP policy; coordinates and oversees the BIA process; ensures effective participant input; coordinates and oversees the development of plans and arrangements for business continuity; establishes working groups and teams and defines their responsibilities; coordinates appropriate training; and provides for regular review, testing and audit of the BCP.
- Security Officer works with the coordinator to ensure that all aspects of the BCP meet the security requirements of the organization.
- Chief Information Officer (CIO) cooperates closely with the BCP coordinator and IT specialists to plan for effective and harmonized continuity.
- Business unit representatives provide input, and assist in performing and analyzing the results of the business impact analysis.
The BCP committee is commonly co-chaired by the executive sponsor and the coordinator.
Benefits of Business Continuity Planning (BCP)
An organisation that prioritizes Business Continuity Planning is not only protecting its assets, but is actively investing in the future of the business. Effective BCP not only benefits an organisation, it enhances the service offering and positions the business exceptionally well. Some key benefits of BCP:
- Uninterrupted Operational and Customer Service Support: A major priority for all outsource providers is to deliver to their clients a continuous service that is not interrupted by unplanned events. Unplanned and often disastrous events can have major impacts on many aspects of any business. The ability to provide uninterrupted Operational and Customer Service Support can only be achieved when an organisation implements effective BCP. When a business is able to identify the impacts and establish an efficient reaction plan it becomes easier to make legitimate decisions in a limited amount of time. This is a great advantage within the outsourcing industry as many clients will factor effective BCP in making their buying decision.
- Avoid or minimize the loss of business revenue: When a business is unable to operate, it has a direct impact on the revenue generated. When an organisation is able to determine the risks and impact of a disastrous event, they are also able to identify the potential financial exposure. This provides a much needed financial view and creates the ability to minimize and/or prevent financial loss.
- Cultivate Client Confidence: Building strong relationships with clients requires trust and credibility. Effective BCP positions an organisation as an ‘Outsourcer of Choice’ and positively influences a client’s confidence in its choice of partner.
- Increases Staff Morale: BCP contributes to staff confidence and loyalty. With effective planning in place, management and staff have the capacity and resource to respond in a structured and tested manner. When employees feel part of a proven solution their confidence level increases and they can play integral roles in disaster management.
- Brand Equity and Enhanced Business Prominence: Protecting Brand Equity is key when rendering Customer Service support to clients. Effective BCP retains and enhances the brand equity bringing with it a number of additional benefits including: increased margins, customer loyalty, expansion opportunities, negotiating power and a competitive advantage. When an organisation succeeds in minor or zero disruption to its services during an unplanned emergency situation it usually outshines its competitors and maintains and strengthens its reputation, therefore increasing customer and market confidence.
- Business Continuity Planning Definition Investopedia
- The Philosophy and the Science of Business Continuity Planning datacenters.com
- Business Continuity Planning - Standards Wikipedia
- The Phases of Business Continuity Planning sans.org (https://www.sans.org/reading-room/whitepapers/recovery/introduction-business-continuity-planning-559)
- Understanding a risk based Business Continuity Process risktec.tuv.com
- The Governance Structure to establish control in Business Continuity Planning Public Safety Canada
- What are the Benefits of Business Continuity Planning (BCP)? MindPearl