Business continuity planning (or business continuity and resiliency planning) is the process of creating systems of prevention and recovery to deal with potential threats to a company.
Any event that could negatively impact operations is included in the plan, such as supply chain interruption, loss of or damage to critical infrastructure (major machinery or computing /network resource). As such, BCP is a subset of risk management.In the US, government entities refer to the process as continuity of operations planning (COOP).
In December 2006, the British Standards Institution (BSI) released an independent standard for BCP — BS 25999-1. Prior to the introduction of BS 25999, BCP professionals relied on information security standard BS 7799, which only peripherally addressed BCP to improve an organization's information security procedures. BS 25999's applicability extends to all organizations. In 2007, the BSI published BS 25999-2 "Specification for Business Continuity Management", which specifies requirements for implementing, operating and improving a documented business continuity management system (BCMS).
Business continuity management is standardized across the UK by British Standards (BS) through BS 25999-2:2007 and BS 25999-1:2006. BS 25999-2:2007 business continuity management is the British Standard for business continuity management across all organizations. This includes industry and its sectors. The standard provides a best practice framework to minimize disruption during unexpected events that could bring business to a standstill. The document gives a practical plan to deal with most eventualities – from extreme weather conditions to terrorism, IT system failure, and staff sickness.
This document was superseded in November 2012 by the British standard BS ISO22301:2012, the current standard for business continuity planningIn 2004, following crises in the preceding years, the UK government passed the Civil Contingencies Act 2004 (The Act). This provides the legislation for civil protection in the UK: Businesses need to have continuity planning measures in place in order to survive and continue to thrive whilst working towards keeping the incident as minimal as possible.
The Act was separated into two parts: Part 1 focuses on local arrangements for civil protection, establishing a statutory framework of roles and responsibilities for local responders. Part 2 focused on emergency powers, establishing a modern framework for the use of special legislative measures that might be necessary to deal with the effects of the most serious emergency.
A Business impact analysis (BIA) differentiates critical (urgent) and non-critical (non-urgent) organization functions/activities. Critical functions are those whose disruption is regarded as unacceptable. Perceptions of acceptability are affected by the cost of recovery solutions. A function may also be considered critical if dictated by law. For each critical (in scope) function, two values are then assigned:
Recovery Point Objective (RPO) – the acceptable latency of data that will not be recovered. For example is it acceptable for the company to lose 2 days of data?
Recovery Time Objective (RTO) – the acceptable amount of time to restore the function.
The recovery point objective must ensure that the maximum tolerable data loss for each activity is not exceeded. The recovery time objective must ensure that the Maximum Tolerable Period of Disruption (MTPoD) for each activity is not exceeded.
Next, the impact analysis results in the recovery requirements for each critical function. Recovery requirements consist of the following information:
The business requirements for recovery of the critical function, and/or
The technical requirements for recovery of the critical function
After identifying the applicable threats, impact scenarios are considered to support the development of a business recovery plan. Business continuity testing plans may document scenarios for each identified threats and impact scenarios. More localized impact scenarios – for example loss of a specific floor in a building – may also be documented. The BC plans should reflect the requirements to recover the business in the widest possible damage. The risk assessment should cater to developing impact scenarios that are applicable to the business or the premises it operates. For example, it might not be logical to consider tsunami in the region of Mideast since the likelihood of such a threat is negligible.
After the analysis phase, business and technical recovery requirements precede the solutions phase. Asset inventories allow for quick identification of deployable resources. For an office-based, IT-intensive business, the plan requirements may cover desks, human resources, applications, data, manual workarounds, computers and peripherals. Other business environments, such as production, distribution, warehousing etc. will need to cover these elements, but likely have additional issues.The robustness of an emergency management plan is dependent on how much money an organization or business can place into the plan. The organization must balance realistic feasibility with the need to properly prepare. In general, every $1 put into an emergency management plan will prevent $7 of loss.
Biannual or annual maintenance cycle maintenance of a BCP manual is broken down into three periodic activities.
Confirmation of information in the manual, roll out to staff for awareness and specific training for critical individuals.
Testing and verification of technical solutions established for recovery operations.
Testing and verification of organization recovery procedures.
Issues found during the testing phase often must be reintroduced to the analysis phase.
The BCP manual must evolve with the organization. Activating the call tree verifies the notification plan's efficiency as well as contact data accuracy. Like most business procedures, business continuity planning has its own jargon. Organisation-wide understanding of business continuity jargon is vital and glossaries are available. Types of organisational changes that should be identified and updated in the manual include:
Organization structure changes
Company investment portfolio and mission statement
Communication and transportation infrastructure such as roads and bridges
Specialized technical resources must be maintained. Checks include:
Virus definition distribution
Application security and service patch distribution
As work processes change, previous recovery procedures may no longer be suitable. Checks include:
Are all work processes for critical functions documented?
Have the systems used for critical functions changed?
Are the documented work checklists meaningful and accurate?
Do the documented work process recovery tasks and supporting disaster recovery infrastructure allow staff to recover within the predetermined recovery time objective?
For contact click here .