Essential Concepts. For Effective. Business Continuity Planning

Transcription

1 Essential Concepts For Effective Business Continuity Planning 1

2 What is a Business Continuity Plan (BCP)? A Business Continuity Plan (BCP) is a comprehensive set of business strategies and actions designed to protect people and the business in the event of a disruption. Disruptions can take many forms, including natural disasters, technical failures, terrorism, sabotage, security breaches or other threats. A key outcome of a BCP is business resilience. The BCP provides a roadmap for prompt threat assessment, response and recovery, thereby enabling continued product delivery and service. Effective BCPs are based on a continuous cycle of Plan-Do-Check-Act. (See preceding graphic). This management system approach helps ensure a constant vigilance for disruption threats, development of appropriate strategies and plans, organizational training, plan testing and maintenance and continuous improvement. This White Paper provides a tour of what I feel are essential concepts for effective business continuity planning. The Business Continuity Planning Life Cycle - Tom Rancour Let s take a closer look at the Business Continuity Planning process. mentioned, it follows a classic Plan-Do-Check-Act life cycle approach. As In the PLAN step of the cycle, BCP roles and responsibilities are defined. Critical business processes and systems are identified, threats and risks to those processes and systems are determined and protection and mitigation strategies are developed. In the DO step, plans are developed, including a Crisis Management Plan, Business Recovery Plans, and Communications Plans. In the CHECK step of the cycle, plans are tested and maintained. In the ACT step, the entire BCP program is reviewed and continuous improvement opportunities are identified and acted upon.

3 PLAN BCP Roles and Responsibilities An early step is to establish key BCP roles and responsibilities: BCP Champion. This person is the owner and champion for the overall plan. Typically, the senior executive for the site assumes this role. They ensure appropriate financial and human resources are available to implement the plan. They are ultimately responsible for ensuring the plan identifies and addresses potential losses to critical business processes and systems, and that the plan is tested and maintained. BCP Coordinator. This person leads the overall BCP development and implementation effort, including chairing an on-going BCP Steering Committee. The BCP Coordinator s responsibilities include collecting and reporting progress data on BCP effectiveness and plan status. BCP Steering Committee. The BCP Steering Committee is a working group, comprised of cross-functional leaders responsible for developing specific business continuity strategies, supporting plans and procedures. The BCP Steering Committee collectively analyzes threats, determines risks and develops necessary business and process recovery plans. In addition, the BCP Committee designs and deploys appropriate tests to check the effectiveness of the BCP and continuously improve it. The BCP Committee ideally has representatives from line management, facilities/building maintenance, safety, health, environment and security, human resources, finance, supply chain, sales and marketing, legal and communications. Crisis Communications Coordinator. Another important BCP role is the Crisis Communications Coordinator. This individual is responsible for internal and external communications before, during and after a crisis event. Risk Assessment and Business Impact Analysis In the PLAN step, potential threats and vulnerabilities to business continuity are identified. This is completed as a BCP Steering Committee brainstorming session. Threats and vulnerabilities may include threats to the entire enterprise 3

4 or to specific critical processes and functions. Critical business processes and functions are identified by the BCP Steering Committee. These are broadly defined as those processes and systems whose failure would most quickly threaten product or service delivery and/or cause a material financial and operational impact. Example threats and vulnerabilities include natural disasters, fires, and loss of critical infrastructure (such as power, water, equipment and data damage, etc.) Threats and vulnerabilities might also include strikes or labor disruptions, systems failures, security breaches, disclosure of proprietary information, or other man-made events. Threats and vulnerabilities might also take the form of non-compliance with legislation, regulations and/or accepted industry practices. After identifying threats and vulnerabilities, the BCP Committee must assess risk. A risk assessment evaluates the impact and probability of each threat. A Business Impact Analysis (BIA) is then conducted on elevated risks (higher impact and probability threats). The BIA provides an estimate of anticipated financial/operational impacts following a disruption. It is a valuable method for establishing Recovery Time Objectives (RTOs), that is, how quickly a critical business process or system must be continued to prevent a serious impact. Besides establishing recovery priorities, the BIA also estimates the minimum amount of resources needed for recovery. Develop Strategies During the PLAN step, existing risk prevention, mitigation and recovery strategies are identified by the BCP Steering Committee. Potential new strategies are also identified in this phase and costs and benefits analyzed. Also, steps are taken to monitor for new or modified threats and risks. DO Develop and Implement Plans This phase of the BCP Life Cycle involves putting plans in place to implement BCP strategies. Output of this phase includes development of a Crisis Management Plan, Business Recovery Plans, and Communications Plans. 4

5 Crisis Management Plan (CMP) The Crisis Management Plan establishes procedures for promptly evaluating situations/events and, as appropriate, declaring a crisis and activating employee protection, recovery plans and communications plans. Situation assessments and decision-making are conducted by a Crisis Management Team who has decision-making authority. The Crisis Management Plan often includes designation of interim management personnel or alternates, in the event that senior management is unavailable during an emergency or crisis event. Business Recovery Plans (BRPs) Business Recovery Plans include a Site Emergency Response Plan, an IT Disaster Recovery Plan, and Process Recovery Plans. Emergency Response Plan The Emergency Response Plan (ERP) should include a description of the site s emergency response organization. For example, use of an Incident Command System with designation of an Incident Commander, an Emergency Operations Center, and Emergency Response Team. Specific information on response team roles and responsibilities should be included, along with names and contact information. The ERP also contains the Site Evacuation Plan designating evacuation routes, rally points, headcount reconciliation methods, and other procedures. A Shelter-in-Place Plan may also be included where there is a likely threat of earthquake, adverse weather, environmental hazards (chemical or radiological event in the area) or other applicable events where evacuation is inappropriate. IT Disaster Recovery Plan An IT Disaster Recovery Plan (IT DRP) describes procedures and information for responding to information system and telecom disasters. The IT DRP describes vital IT operations, users, equipment and materials and recovery times/recovery 5

6 points. The plan describes various foreseeable IT disasters and response and recovery strategies, procedures and responsibilities. The IT DRP may also describe methods for protection, storage and retrieval of critical documents. Process Recovery Plans (PRPs) Process Recovery Plans provide for the continuation/recovery of critical business processes and systems in the event of disaster. Examples actions might include relocating business processes to unaffected areas (either on-site or off-site), providing temporary measures to support existing operations (for example, portable generators to maintain power for critical production), and leveraging product distribution networks, distributed manufacturing, and supply chains. PRPs include detailed descriptions for the restoration of critical business process and systems impacted by a disaster. Specific individuals accountable for the identified critical business processes or systems must be identified and designated. These BCP Process Owners develop and maintain PRPs. Communications Plans Communication Plans typically address both internal and external communications before, during and after a disruption. Communications Plans include methods for notifying employees of emergencies, disasters and disruptions. This includes contacting off-site employees to keep them informed concerning site conditions and whether or not to report to work. Communications Plans also specify who to notify (both internal and third parties) when a crisis or emergency occurs and establishes communications procedures for situation updates. BCP Training An important part of the BCP effort is training. Employees must be trained in applicable BCP roles, responsibilities and procedures. For example, all employees should receive training on site emergency response/evacuation procedures. More specific roles and responsibility training must be provided to 6

7 employees with crisis management, damage assessment and disaster recovery responsibilities. CHECK Plan Testing and Maintenance Plans must be tested to check their effectiveness. In this phase, response and recovery capabilities are tested through a table top or practical exercise. A critique of tests is conducted by the BCP Steering Committee and continuous improvement actions are implemented to address identified gaps. Plans also must be updated as appropriate following tests. ACT Management Review Consistent with continuous improvement principles, the entire BCP program is evaluated at least annually by senior management to determine overall effectiveness and identify areas for improvement. For example, have new risks been identified and evaluated? What is the status of risk mitigation efforts? What are the lessons learned from response to actual disruptions? Are all critical processes identified and are Process Recovery Plans in place? What changes, if any, are necessary in the BCP Steering Committee membership? 7

8 Summary & Disclaimer This White Paper is intended to provide a brief overview of essential principles and practices to help you develop an effective Business Continuity Plan BCP). It is important to note that an effective BCP requires an on-going and extensive risk assessment and management effort. This White Paper therefore is not intended as a total solution or review of all essential elements for your situation nor a replacement for an overall effective, comprehensive business continuity management system. About the Author Tom Rancour helps organizations achieve excellence in safety, health, business continuity and sustainability through relentless focus on culture, processes and management systems. He has over 30 years of diverse experience across multiple industries. Prior to founding Rancour & Associates, Tom was Corporate Director, Safety and Environmental Operations for Honeywell International, Inc., Morristown NJ. He is a Certified Safety Professional (CSP) and Certified Industrial Hygienist (CIH) and holds advanced degrees from the University of Michigan and Michigan State University. He is a Board member of the Michigan Industrial Hygiene Society and a member of ASIS International, the preeminent organization for security professionals. He resides in the Detroit metropolitan area. Interested in transforming your business continuity culture, processes and systems? Give us a call today! 8