As we have seen in our previous Newsletter 16, Business Continuity is vital for any business. It is therefore imperative that it is well planned in order to ensure the best possible results. We feel that it is worth devoting this newsletter to Business Continuity Planning.
Before setting off to plan Business Continuity, the possible disaster scenarios are listed and analysed. On some occasions the scenarios may be relatively general (e.g. a terrorist attack, an earthquake or a war-like scenario), whereas on other occasions they may be more specific, such as loss of electrical power, of IT servers, of a specialized piece of machinery, or of physical access to the air traffic control facilities. This exercise narrows down the endless possibilities of situations that could get out of hand and improves focus. The quality of planning and the effectiveness of the selected measures improve. Of course, one set of measures may eventually fit more than one scenario.
Even though the primary purpose of Business Continuity is to provide for predictable disasters, unpredictable events may also occur. On these occasions, a given set of measures prescribed for another situation with similar effects may prove sufficient.
While working on the disaster scenarios, consideration is also given to dependencies on other organizations such as power or telecommunications providers, supplies or transportation. In this case, failure of a critical component of one organization has a chain effect on others that are users of the failed services. The provider organization, while analysing the criticality of their products, must be fully aware of their importance to their client organizations. Likewise, the client/recipient organization must include in their scenarios possible failures of their providers. Although these refer to uncontrolled threats, outside the influence of the organization, they have a severe impact on the organization’s operability and response. Their identification enables planning and action for possible diversification, such as the use of alternative telecoms providers, the installation of standby power generators and so on.
In order to effectively plan for Business Continuity, Business Impact Analysis (BIA) is required. Performing Business Impact Analysis allows the organization to identify and consider all business processes and to prioritise them with respect to their importance and criticality towards the mission and delivery of services. Recovery point objectives are the points within a procedure when it is critical to resume the operation of what has been lost, otherwise the data lost will be such that the service cannot be delivered. Recovery time objectives identify for how long (how much time) the procedure can continue without recovering what has failed. After this time, the consequences will be unacceptable. These need to be determined for every process that needs to remain operable.
The findings of this analysis dictate the business continuity arrangements, the urgency, the importance and the investment justified. What types of measures should be selected? When should they be activated? What comes first and what later? As businesses are dynamic and processes, geography, technology, market positioning and the regulatory framework continuously change, the BIA should routinely be reviewed and, if necessary, revised. Its revisions may lead to revised measures required to ensure the continuity of business.
The measures that rectify the identified failures are then planned and put in place. This usually requires setting up some infrastructure (such as backup generators and backup fuel and UPS arrangements) and having fall-back procedures (such as switching from automatic to manual and having alternative transportation agreements). Such measures will very probably include other supplier organisations, utility providers, municipalities and pertinent authorities. Fall-back procedures will need a pre-specified trigger to set them running, i.e. a person authorised to determine when they go live and a mechanism to inform all involved staff. They need people to act and a person (or team) responsible to supervise and solve queries and problems as they arise. Procedures and instructions should be clear and unambiguous. They should be readily accessible in the event of a disaster. Fall-back procedures should also include provisions to preserve new data or information gained while they are activated so that they can be stored and used properly once business is back to normal.
Last but not least, all business continuity arrangements must be tested in desk audits, walk-throughs, dry drills and actual, real-life simulations or trials. This is a very important and often neglected step, as it requires the investment of time and resources in preparation and execution. Small teams can be utilised for the desk audit and the walk-throughs, while for the dry drills and the real-life simulations/trials all affected staff plus clients and the public (if relevant) should be involved. The lessons learned, the weaknesses identified and the improvements that become apparent in the testing stage are invaluable in improving the BC plan and arrangements.
It goes without saying that all involved in the execution of the Business Continuity plans should be adequately and repeatedly trained. Practice makes perfect and if a Business Continuity plan actually needs to be activated, it is imperative that people are confident about what to do and what not to do.
Business Continuity planning should be rigorous and ongoing! It may make the difference between the survival and the collapse of an enterprise. It is useless if carried out by a small team behind closed doors or if it ends up adorning people’s bookshelves. It needs awareness, training, practice and teamwork more than anything else.
15.1.2016