Business Continuity Planning
The strategic objective of business continuity planning, also known as disaster recovery planning, is to ensure that the enterprise has the ability to suffer disasters of various magnitudes with very low risk that the enterprise will fail as a result.
- I. Business Impact Analysis
- A. A cross-function internal team should perform a study that:
- 1. Identifies relevant risks, or events, that could strike the enterprise.
- 2. Investigates all possible alternatives for reacting, or responding, to the identified events.
- 3. Determines the duration of any business interruption until recovery activities could restore normal operations, whether that interruption affected company personnel, company systems, or both.
- 4. Estimates the impact of having business partially or fully interrupted based on the outage duration information from the prior step. The impact or effect could take the form of:
- a. unplanned direct costs associated with the event
- b. increased normal operating costs
- c. lost or delayed revenues
- d. changes in intangibles such as market share, public perception, etc.
- 5. Determines or estimates the unplanned costs, increased normal operating costs, lost revenues, and effect on intangibles associated for each recovery alternative.
- B. Study results should be documented and presented to management along with a recommendation for which of the alternative recovery strategies should be selected. This document is often called The Business Impact Analysis Report.
- C. Management should select a strategy based on the Business Impact Analysis Report and any other information it believes is appropriate for the situation. The strategy selected may be anywhere in the range between simply waiting for a disaster to happen and establishing an identical fully staffed and equipped facility remote facility with duplicate personnel, systems, and infrastructure whose only purpose is to take over business without interruption when a disaster takes place.
- II. Recovery Strategy
- A. The recovery strategy selected by management should be identified in a policy statement so that managements interests and intentions are clearly communicated to company personnel.
- B. The approved recovery strategy should be documented, and the document, or at least certain parts of it, should be distributed to all company personnel.
- III. The Recovery Plan
- A. Damage assessment, plan activation, and salvage activities.
- 1. Local managers should be directly involved in assessment activities so they have the information needed to make the decision on whether to activate the plan; and if activating the plan, to what extent it should be activated.
- 2. The decision to activate the plan should be done first orally to any critical parties like hot-site providers, to the affected local personnel, and then communicated in writing to those parties identified in the plan.
- 3. Any potential salvage procedures must be implemented as quickly as possible as most of them have a very limited window during which they are effective. Salvage procedures may cover documents, drawings, and other filed or reference information, office equipment, microcomputers, furniture, fixtures, etc.
- B. Hardware restoration. The plan should:
- 1. Include a complete hardware inventory.
- 2. Include vendor information, lead times, and other needed purchasing information.
- 3. Indicate in detail the process for acquiring, installing, configuring, and otherwise restoring hardware support for business activities.
- C. Alternate office facilities. Plans designed to support a complete recovery of the business should consider the potential for needing to rearrange or relocate company personnel during a disaster situation. Company personnel, whether focused on the disaster or on continuing business activities, will need someplace to work, equipment and supplies to work with, and services such as the telephone and fax.
- D. Data Recovery. This part of the plan should have two components: backward and forward data recovery. Backward recovery includes all transactions entered or received by the system and then lost due to the disaster. Forward recovery takes in all the transactions that were in the entry process or that occurred after the disaster happened and could not be entered.
- 1. Backward recovery issues include identifying lost transactions, having them sequenced if necessary, and then re-entering and processing them. Care should be taken to ensure that activities kicked off when a transaction is entered, or because of it, are not done twice.
- 2. Forward recovery issues include capturing those transactions that are in the entry process when the disaster happens, transactions occurring and being handled while systems are being restored, and reconciliation and review activities designed to ensure that system files are complete and accurate.
- E. Personnel issues. Personnel health and safety are company priorities. During and after a disaster, there are additional risks that should be considered.
- 1. The plan should include a complete employee listing so that rolls can be checked, calls to employees with instructions can be made expeditiously, and, in the most extreme circumstances, families can be notified of injuries and other problems.
- 2. The Employee Assistance Program is likely to come into play and some consideration should be given to providing for counselors to be available on-site and at employee residences both during and after the disaster.
- IV. Plan Testing and Maintenance
- A. The plan should be tested on a regular schedule to ensure managements ability to rely on it.
- B. The plan should be tested based on predetermined scenarios that include the situation, the test procedures, who will perform those procedures, and the expected results.
- C. The actual test should be conducted based on the predetermined scenarios with all participants keeping a log of the things that happen, both as expected and not. One person should be responsible for the official log of the overall test.
- D. The plan should be regularly updated to reflect the test results and any other change, event, or information that has an effect on the plan strategy or tactics. Once maintained, either the entire plan or just the updated portions should be distributed as they had been previously.