Business Continuity Planning


It always pays to have a backup ready!

A company I know suffered a major fire, which was reported on local TV. They had a disaster plan, and were in temporary accommodation with rented IT equipment and mobile phones the next day, restoring their company applications and data from backup tapes stored offsite. My contact used his address book to ring round all his customers. Some had seen the reports of the fire and were in the process of making other arrangements, others had already been contacted by competitors who had seen the fire story and thought it gave them an opportunity. He was able to assure them his company would still be able to meet their requirements, and they stayed in business. Sadly, this is not usually the case.

 

The need... 

 

It should be axiomatic that managers would consider steps they might need to take to preserve their business under a range of possible disruptive outcomes. Yet for many the need for business continuity planning was only grudgingly recognised with the publicity associated with the Year 2000 Problem (Y2K).

 

By doing little or nothing, management is effectively making a judgment on the costs of business continuity planning versus the costs and likelihood of disruptive events occurring. This is exactly like not paying your home insurance policy. In most years you will save money. However, if something does go wrong – a fire, a flood, subsidence, major theft, you will be catastrophically affected, and may never be able to replace what is lost.

 

Managers assume that whatever happens, they will be able to rely on team spirit, and the ingenuity and improvisation of staff. Sadly, it rarely works. Some people perform exceptionally under severe stress without guidance, but many don’t always make good judgements, or remember to do everything they should. And often too much information needed to keep the business going is lost. About 70% of companies that suffer a major disruption to service go out of business within a year.

Business Continuity Planning...

 

Business continuity planning (BCP) need not be expensive, and its benefits even without a disruptive event can offset significant parts of the costs. These benefits include understanding and improving the business processes and better team dynamics.

 

Business continuity planning involves two major activities:

The latter activity is often forgotten, but it frequently yields strong results. It should be an automatic result of the first more visible stream, provided management is fully committed to the BCP process.

 

The critical challenge is to avoid BCP being seen as an extra work load dispensed from above, as something that needs to be filled out, returned, filed and forgotten. Managers and staff need to be engaged in planning for their personal survival.

 

If this is achieved the process improvements and team benefits are often considerable.

The BCP Process...

 

BCP is an ongoing process. It starts with the identification of the critical business processes (often called a "business impact analysis") and their critical dependencies - failure of which could cause the process itself to fail.

 

The next stage is to consider the alternatives both at the pre-emptive and responsive levels. The latter recovery strategies then form the basis of the documented action plans, which in turn are the key part of the BCP document. This needs to be short, user-friendly and able to be easily updated - its goal is to help the business cope with a disaster, not an auditor with a checklist.

 

A critical element is to establish dependencies on other units within the organisation and on external parties, and to involve them in the BCP planning. This both puts these parties on notice and allows meshing of various BCP activities, and identifies any holes in the overall BCP that need to be addressed.

 

Testing is critical, both to test for completeness and adequacy and to train those with BCP responsibilities. This progresses from structured walkthroughs to fully live testing involving other units when the staff are ready for it - the aim is to build competence, not to show up short-comings.

Independent Facilitation...

 

It is essential that the management in each department own their own BCP. It cannot be done for them. Nonetheless many find that BCP is an open field without much guidance. A facilitator can provide the questions that need answering and suggest possible alternatives that are worth considering. A facilitator is also invaluable in the various testing stages.

 Companies that stayed in business after a disaster:

PAS 56/BS 25999

PAS 56 (Publicly Available Specification 56) is a working document on Business Continuity Management (BCM) from 2003 that will eventually lead to a standard (BS 25999). The BS 25999 standard will be published in two parts - Part 1, BS 25999-1 "Code of Practice for Business Continuity Management", is expected to be published in late 2006, and will replace PAS 56, Part 2 - BS 25999-2 "Specification for Business Continuity Management", is expected to be published in 2007, and will specify the Business Continuity Management processes and control measures required to achieve certification against the standard.

The essential components of PAS 56 are:

For more information, see here.

The advice given on this and other pages is for general information only, as a starting point for ideas rather than solutions to specific problems. Jana Information Systems Services Limited will not accept legal liability for any consequences for any individual or company of following any advice on this page except as part of a legally-binding contract between this company and a customer, with appropriate professional liability insurance in place.

© Jana Information Systems Services Limited, 2006