Thursday, August 2, 2012

Business Continuity Plan


Introduction


An unanticipated threat or vulnerability can expose a business to financial disaster and reduced customer satisfaction. An effective Business Continuity Plan (BCP), however, can help business entities provide essential and unique services to their customers without feeling the impact of downtime.


Risk Assessment


The biggest challenge in writing an effective BCP is identifying the potential risks. Some of the sources of risk are:

  • Community-wide hazardous events that prevent support staff from coming to the office

  • Accidents or sabotage causing disaster

  • Disasters such as floods, earthquakes, or acts of terrorism

  • Security threats such as virus attacks, and network and communication failures

  • Disastrous application errors such as a crash of the primary database or a wrong production fix



Once the potential risk has been identified, check

  • The probable magnitude of error

  • The frequency or probability of occurrence



The purpose of Risk Assessment is to identify the exact threats and the estimated exposure, together with the contingency and mitigation actions required, and also the benefits arising out of covering the risk.


Developing a Plan




A typical business continuity plan should have separate plans for each of these: prevention, response, resumption, recovery, and restoration. Some of the essential items are



  • Objective: The purpose of writing the BCP is stated. It also states the different phases the organization intends to have and their interpretation of the objective of each phase.

  • Scope: The divisions of the business that fall within the scope of the BCP are stated here. Any special scenarios being handled must also be stated here. An organization can have BCPs specific to particular events.

  • Assumptions: The assumptions on which the plan was formulated are stated here. For example, a team trained to handle the BCP operations will be available to execute the BCP, or the alternate site in case of calamity should be ready to use within ‘x’ hours, etc. Apart from assumptions, any limitations should be clearly documented.

  • Team: The BCP team, its sub-teams, and their roles and responsibilities are stated here. It also mentions which team takes care of which phase of the BCP process, i.e., response, recovery, etc.

  • Goals: The firm should state its maximum permissible outage time and the furthest point to which data loss is permitted. These are stated here, along with the performance goals.

Some of the risks that are identified can be reduced by implementing measures that reduce their occurrence. Examples of the Preventive Safeguards that can be documented are




Response




Whenever a disaster occurs there needs to be an initial response, such as communication to all stakeholders. The resource requirements for such an initial emergency response are listed in the initial phase. If hard copies of documents and forms are needed for any approval, they must also be mentioned here.

Once the initial list is ready, a detailed Notification documentation should also be prepared. The list will clearly state the position, whether primary/alternate, timeout duration for response, address, phone/cell numbers, email and any other possible modes of contact.



Before notifying stakeholders of the impact of the disaster, it is important to assess the damage. The guideline for doing so should be documented, e.g., all the things that must be inspected, the kinds of evaluation to be done (whether salvage/replace), the reporting to be done, and the time required, among other activities.



Once the damage assessment is done, the conditions that must be met for the event to be declared a disaster should also be stated. The disaster scenarios should also be mentioned. This will make it easy to initiate the resumption and recovery processes. The circumstances under which the business continuity plan is activated are outlined here: e.g., the server will not be up before 24 hours, or the primary site cannot be restored before 48 hours, etc.




Resumption




The procedure for transition from the emergency response to business resumption is given here. The process of making decisions regarding operations, concerning where and how they would be deployed, and the activities to be performed and to what extent, are described. Activities are assigned to the different sub-units in the BCP team and each group performs its assigned tasks. This part of the plan is also called the Business Resumption Plan (BRP).




Recovery




The procedures to perform recovery are stated here. This part of the plan is called the Disaster Recovery Plan (DRP). This section of the plan must be more like an operations manual. It should be a simple sequence of instructions that can be followed to perform recovery. Any dependencies among the activities must also be clearly stated. It must be fairly detailed to avoid mistakes that can result in time loss.


Restoration




The steps for restoring the original site for business are described here. Responsibilities are marked against each team/role. The process of performing the parallel run with the alternate recovery site, along with the procedures for comparing results from the alternate site with the restoration-in-progress site, are described. The criteria for switching to the original site and dismantling the alternate site are also stated. Appendices can be used to mention the vendor contracts and the business continuity measures of these vendors, information that is needed because the success of the BCP depends on the availability of the vendors. Furthermore, a description of the alternate site facilities, addresses and phone numbers of the control centre, and the contact list for notification could be presented in the appendices.


Conclusion


BCP planning and execution is done to be safe from the consequences of events that can impact the business. Ultimately, it is better to plan than to face the consequences of an unplanned event.


3 comments:

  1. Your means of explaining all in this article is really nice, all be able to simply
    know it, Thanks a lot.

  2. I don't even know how I ended up here, but I thought this post was great. I don't know who
    you are but certainly you're going to be a famous blogger if you aren't already ;) Cheers!

  3. Nice blog post on business continuity versus disaster recovery. This blog provides detailed information. Thanks for sharing.
