Starting a Business Continuity Program? Where do I jump on?

Paul D. Kamikawa CBCP
Always in Business Continuity Planning, LLC.
pkamikawa@frontier.com
June 12, 2017

Most Business Continuity Management programs pictorially describe themselves as boxes and arrows that eventually cycle back onto themselves.

There are a multitude of variations, with more boxes and more arrows, all pointing back to the first. The reason is that a sustainable Business Continuity Program has to continually renew itself with changes in technology, organization, and support. As new applications, business priorities, and personnel become active, the plans, impacts, and scope of the Program change. To stay relevant and responsive, the recovery plans need to change also.

If the program or process is cyclical, where do you start? Of course the answer is, "It depends."

My diagram has 4 phases. This simple one should work fine. There are advantages and disadvantages to starting in any given phase. You need to realize that a viable program is not complete without addressing all phases. A short-term and long-term vision of the program and a supported project plan are essential to get started.

Assess

This is the recommended starting position. Assess what is critical, or risky, or recoverable before you start to plan. This is good advice because it supplies the "Why" question: why are we spending money on strategies, time, and consultants? But the money factor is one reason it may be hard to start here. A comprehensive Business Impact Analysis (BIA) or Risk Analysis is costly, requires special skills, and requires time commitment across the organization, not to mention strong executive backing.

I have found when questioning executives, managers, and IT as to what is critical to the business they can be 85%-95% right. Not a bad percentage to start less costly efforts. A BIA is essential because at some point someone is going to ask "why?" Without impact and dependency data to back up your criticality rating, it's hard to justify funding down the road.

Risk is more and more the driving force for companies to start or rejuvenate their programs as they become leaner and increasingly dependent on suppliers to stay alive. A risk assessment along with the impact of a disruption is a strong motivator for planning.

Start here if you have the resources and the long-term commitment, because it is only the starting point to being recoverable.

Strategize

This is probably the least likely starting point for a Business Continuity Management Program, but it may cover you in the short term until you get your act together. A disaster that a company has just experienced is a strong motivator. If you know you will need a recovery strategy in place to satisfy a regulatory, business, or contract need, you may have to commit based on a best guess. The immediate need is the key because implementing strategies involves funding, often ongoing annual costs.

If a data center has no place and no equipment to recover, the probability of recovering is little better than zip-nada-zilch. Having a place (and appropriate backups) at least offers a chance for recovery eventually. A place also allows a company to test recovery procedures and hardware. The cloud is a good example of buying into a recovery strategy. Let the cloud do the recovery. Just make sure you have a good network recovery plan.

Some strategies are assumed. If you have multiple locations, relocating workers could be a workable solution. Just make sure your location disaster does not cause a disaster at the second site. Planning to put 15 people with workstations and phones in a conference room requires power, network, and telephony infrastructure, not to mention additional air conditioning. Work-from-home strategies will have a greater chance of success if there is a policy for employees to take their laptops home every day.

Cooperation among companies and suppliers to back each other up (reciprocal agreements) is becoming more common. This strategy is hard to test, implement, and validate, especially in manufacturing where part certification is required. Is it financially viable for a backup company to go through certification and remain in sync if they may never be called upon? Ensure one disaster does not turn into two.

Governance can play a role in initiating a program outlining the resiliency policies and documenting compliance. Sometimes you need a hammer.

Start here if you have an immediate need to demonstrate some level of recoverability or have the Corporate Governance clout to kick-start your program.

Plan

It may seem that starting at the planning phase is putting the cart before the horse, but it may be the only way to get the Program off the ground. The top areas of the company that are critical are usually well understood and are the logical places to start. Many times the strategy is assumed, so a validation step in the planning process will be required. Often one or more areas in a company become aware of the need for planning due to an actual disaster or past work experiences, so you have some advocates to begin with. More and more companies have to at least produce a plan document as part of a vetting process to qualify as a supplier. The planning effort increases awareness, which may trigger business areas to put recovery requirements early in the adoption process, such as IT including recovery plans as part of new application evaluation.

Many organizations start here because it may require fewer resources. Begin with a pilot project to build skills and improve methodologies before a corporate-wide rollout. There is also a wide range of education, consultants, and training opportunities available that can help get the Program started. Part of the planning methodology will incorporate business impact and risk analysis along with mini exercises, which cover the other phases. Depending on the components of the plan, the information gathered in the planning process overlaps the Business Impact Analysis (BIA) data by 70% to 80%, so a full-blown BIA in the future will require less effort.

There are instances where there are no immediate viable strategies. The planning effort then provides the procedures to tread water until capabilities are restored. Manufacturing is a good example. The lead times for equipment and the physical site preparation can be long. Planning in these situations helps document workarounds that they have probably already executed many times for minor disruptions. Preplanning and gathering restoration requirements could shorten the startup time to rebuild.

One pitfall some companies fall into is that if they buy into a Business Continuity or Disaster Recovery software application, they then believe they have a plan. With or without a software platform, the effort to fill in all the blanks is the same. A software product may assist in data collection and the ongoing maintenance, but there is no real shortcut to educating and training the actual practitioners on how to use the plans. Participation needed to sustain viable recovery plans begins with the planning process.

If there are no plans, I recommend starting with Crisis Management Planning. Crisis Management bridges the Emergency Response planning that safety and security probably already have in place with Business Continuity/Disaster Recovery. It will also raise awareness of the value of recovery plans, which the Crisis Management Team will see as the next required component. A good Crisis Management Plan also addresses one of the main impediments to recovery, which is communication. By having a clear chain of command and limited span of control, as per the Incident Command System (ICS), people will know who's in charge, who to contact, and where to report. Applying the same Crisis Management planning principles to the IT War Room will help reduce the chaos that complex recovery efforts often generate.

Start here if you have the skills and requirements but not necessarily full funding for the BIA and reasonable strategies available.

Execute

It is like the tail wagging the dog. How can you execute a plan you haven't written yet? Well, there usually are plans; they are just not documented. Many assumptions are part of the plans that may or may not be workable. Use the assumptions in a scenario to test the assumptions. Get management's attention by creating a disaster scenario that is frightening but plausible. A tabletop exercise can generate enthusiasm for getting the impacts, recovery strategies, and processes documented. An exercise without a plan is essentially a brainstorming session that can lead to support for a program. Exercising tribal knowledge will also highlight the gaps in procedures and support needed for recovery, which will give you an idea of the planning effort. This approach works if you have an advocate in executive management prior to the exercise who will follow up with support afterwards; otherwise the enthusiasm will die.

Other components of a plan can also be discovered and maintained in this phase. Companies are implementing notification systems for contacting employees for emergency and work situations, which provide up-to-date call lists. Configuration Management Databases (CMDB) provide application, equipment, and recovery information that is important in planning. Work processes are captured in certification and regulatory documentation. Data that already exists in some form can shortcut the effort and help a program get started.

Start here if you want to scare management into supporting a Business Continuity Program.

In summary, getting a Business Recovery Management (BCM) Program off the ground will require executive support and commitment to resources and funding. Take advantage of the opportunities as they arise. A well-defined Business Continuity Program answers the who, what, where, how and why of resilience. Most times the opportunity to jump on all of these aspects of BCM does not come at one time.

Who will be affected, who will be in charge, who will be contacted, who will be on the recovery teams, who is paying for the strategies? What needs to be protected, what risks do you face, what is the impact, what are the costs? Where do you meet, where do you recover, where are the procedures stored? When is an incident considered a disaster, when do impacts go critical? How do you recover, how do you contact employees and executives, how do you work with first responders, how do you react to incidents? Why are you spending time and resources on the Program?

A Program evolves and improves over time. You might start in any of the phases: assess, strategize, plan, or execute. What is important is that you start and sustain support. In reality your program will start through a combination of the phases. Being aware of how the phases fit together and when it makes sense to emphasize one over the other is the key. Sustainability depends on executive support, the resources available, and the capabilities of the team. In these turbulent times, with dependencies outside of your control, a Business Continuity Management Program adds value and a level of survivability for today's companies.

About the author: Paul D. Kamikawa is Principal Consultant of Always in Business Continuity Planning, LLC. Consulting practice. Over 30 years' experience in Business Continuity and Disaster Recovery Planning.

The complete article can be read at

Copyright 2017
