A 3-Stage Business Continuity Framework

22 Feb

We have designed a framework that we believe companies could use when preparing a business continuity plan (BCP). This framework will be divided into three stages:

The first is the initiation phase, which generally encompasses all that will be completed when a BCP is first proposed. This involves defining the event for which we are preparing, identifying the key players involved and the main aspects of the BCP.

The second is the continuous phase, which incorporates many activities that take place at the inception of a BCP and also regularly during its lifespan. This is carried out to prevent the BCP from becoming out of date. These activities include identifying threats, establishing a “whole business approach” and carrying out regular tests, reviews and updates.

The final phase is implementation, which involves putting the BCP into action and ensuring it is in place should a disaster ever affect the business.

Phase 1: Programme Initiation

Crisis Definition

Before an event can be addressed, one must first adequately define it. Is it simply an incident, or a crisis: “one that can interrupt anything that the organisation considers critical”? This will be assessed accordingly by a crisis management team, who will be recruited to properly assess a situation.

Forming the BCP Team

As pointed out by the group, the business continuity process should be an enterprise-wide activity rather than just an IT issue. Just viewing business continuity as an IT issue may lead to inadequate resource allocation for the business continuity plan. Therefore it is important to establish a programme which chooses key people within the entire organisation and not just within the IT department.

Choosing people from different departments to participate in the preparation of the business continuity plan (BCP Team) will increase the variety of skills available, and these people will also act as a voice for their department when planning the contingency plan. The CIO can have a key role in identifying these key individuals. The business continuity plan should be the responsibility of a senior manager (business continuity manager) who will lead the development of the business continuity plan. Within this initial phase the programme roles, responsibilities and processes will be defined and agreed by the BCP team. The team should also identify the key personnel, resources and suppliers needed in the event of a crisis, and those identified should be assigned specific tasks in the event of a crisis. Once the BCP team is assembled they can go about discussing what should be included in the business continuity plan.

Aspects of BCP

These are the main areas of interest in relation to forming a BCP.

1. BCP Governance

BCP Governance is concerned with how aware management are of their commitments and roles. This section needs to contain a structure, possibly in the form of a committee who are responsible for overseeing the plan as a whole.

2. Business Impact Analysis (BIA)

The importance of a BIA is in relation to identifying the main products/services that the company provides, while clarifying the impact a disruption may have on these. Another area that is looked at in this section is identifying areas that could potentially lead to revenue loss, additional expenses and intangible losses. At this phase it is important to identify the organisation’s insurance requirements and identify inter-dependencies that exist between a company’s products/services.

3. Plans, Measures and Arrangements for Business Continuity

This stage of the plan requires the company to prepare a detailed recovery/response arrangement to maintain business continuity. The aim of these arrangements is to provide the organisation with an idea of when they would be able to provide a minimum level of service during a time of disaster. BCPs need to be made specifically for each product/service that the company provides. They also need to ensure continuity within each business process of an organisation.

4. Readiness Procedures
These procedures ensure that all staff members are adequately briefed on the plan’s contents and the measures that will be going ahead in the event of a disaster. Everyone needs to be aware of their responsibilities, while those staff members who have direct responsibility need to keep up to date on their role in the event of an incident.

5. Quality Assurance Techniques
This process is essential for helping companies evaluate what part of their plan needs to be updated and improved on. These techniques may include an internal review or an external audit, or possibly a combination of both methods.

Phase Two: Continuous

Internal and External Threats

There is a need for both a company’s internal and external threats to be explored at the outset of a BCP.

An internal threat is something that occurs within the company. Examples include interruption to supply chain, security breaches, and data loss. As a company evolves, other internal threats may become a bigger risk to the company; for example, if the company is customer orientated, a power outage could cause adverse effects. External threats are those that come from outside of the company, something the company cannot control, for example natural disasters and terrorism. Another example is a hack attack on the company’s system. In order for a company to prepare for these attacks, a stringent and well organised business continuity plan needs to be in place within the company.

Identification of these threats will serve to increase the company’s resilience by being prepared for all eventualities. Flexibility needs to exist within the BCP to ensure all threats are prepared for. For example, the same action would not be taken for supply chain interruption as would be for the occurrence of an earthquake.

Whole Business Approach

As pointed out in the Initiation Phase of our framework, a Business Continuity Plan needs to be an enterprise-wide activity. There needs to be a whole business approach in adopting the BCP in order to gain full advantage of the plan when it is called upon.

The programme initiation phase of our framework and building the right team is crucial in making a BCP an enterprise-wide exercise. If the correct team is put in place, it will ensure there is strong leadership (Business Continuity Manager from top management of the business) and an active involvement from all sectors of the business (BCP Team). By the importance of the BCP being recognised from the top down, the plan should become a crucial part of the business that is integrated into the everyday functioning of the company. If this ‘embedding’ of the plan into the company’s culture is successful, then each member of staff will be aware of the importance their role has in its success and pay due diligence to that role. For the recognition of this importance to continue into the future, beyond the initial setup stage, testing and reviewing will be crucial.

As part of an all-encompassing “whole business” approach, recognising the need for suitable secondary protocols is essential. We propose that this should involve an assessment of the company itself by professionals in the area of disaster recovery. This will provide the company with the necessary instructions to accommodate for financial strains that secondary protocols can cause.

Testing

A BCP is defunct unless it has been proven to be effective. In order to ensure this, companies perform full tests on their BCPs, both at initiation to ensure a new plan is effective and at regular designated times until further changes have to be made. This is necessary in order to keep the plan up to date as the external environment and threats change constantly.

As discussed in a previous post, there are three different types of tests:

1. A Plan Review
This is a theoretical review of all BCP documentation.

2. Table-top Test
All of those involved in the BCP gather together to discuss and examine the plan and how it would be implemented.

3. Simulation Test
This is a practical demonstration of the company’s procedure under particular circumstances or in an unexpected event. It is the most exhaustive of BCP tests, and will prove the best indicator of a plan’s effectiveness.

These tests are measured based on the following standards, which incorporate the main aspects of a BCP as discussed.

1. Participation
This refers to those taking part in the test.

2. Attendance
Were people present and prepared for the test?

3. Plans (Early and Later Stages)
How well did those involved react to the initial stages of the issue? How exhaustive were the plans drawn up for issues including the co-ordination and allocation of key resources?

4. Support and External Players
How helpful were the support groups? Who was needed the most?

5. Leadership
Did those in charge during the co-ordination of the plan during the test react well?

6. Information Flow
Were those in relevant positions kept well informed during the process?

7. Quality Assurance
Reviewing the test regularly will help to ensure quality and effectiveness.

Mistakes

Testing shouldn’t be about “ticking the boxes”. Companies must account for all exceptional circumstances, and place their business ahead of all else. In the case of an unexpected event that a BCP doesn’t specifically address, there are critical areas that must first be looked at. As already discussed, “The testing should challenge and surprise the organisation and its stakeholders”. This of course means that tests should also accommodate for all business processes, not just IT and IS. By recognising these pitfalls, a company is ensuring the continued survival of their business in a thorough and comprehensive way.

Updates

Our framework also takes into consideration past mistakes that others have made with regards to BCP. Over-reliance is addressed through assessing all possible areas of concern. The scope of the BCP will cover all aspects of the company, not just IS and IT, as this has become an increasing issue recently. Other issues such as security, insurance and service evaluation will also be addressed. Regular assessments of the company’s BCP will be a part of the BCP tests that will be carried out.

Phase 3: Implementation

The implementation of the BCP is one of the most critical aspects of the project. The role of the BC Manager and the BC Team is crucial here, as is the “Whole Business Approach”.

Other stages required in a successful implementation are:
• Actively encouraging employees to embrace the operation activity of the BCP by conducting internal discussions/study meetings etc. Encourage employees to gain knowledge themselves to enhance their skills with regards to disaster prevention and responses. This can be done by providing incentives for taking part in emergency-response courses and seminars related to BCP.

The BCM should also conduct their own training session on their BCP. Regular training sessions for the employees that focus on BCP education will ensure that, if/when a disaster occurs, the organisation is adequately prepared. These sessions should involve the following aspects:
1. Evaluate and re-evaluate the effectiveness of the BCP
2. Help employees gain an understanding of the BCP and clearly identify their own roles
3. Actively promote cooperation and collaboration amongst employees in the case of a disaster.
It is the role of the manager to keep everyone informed and updated on the BCP.

The group also pointed out that even if a good continuity plan is implemented and tested regularly there is no guarantee of success. Lehman Brothers showed this during the 9/11 attacks: when they were denied access to their recovery center, they had to draw on emerging processes in creative ways, showing that crisis adaptability is the key to continuity. Regular reviews of the BCP will be carried out to ensure that it remains accurate and up to date, depending on the external environment.

Figure 1.1 Proposed Framework

We believe that the above framework incorporates all aspects that are essential when it comes to business continuity planning. By assessing literature, previous successes and failures, we feel that we have accounted for the obvious and the unexpected. As with every framework, there is room for interpretation, but it is our belief that it should prove successful.

Group 10

Tim Ahern
Briain Dollard
Ross Leahy
Cian O’Brien
Eileen O’Brien
Claire O’Sullivan

2 Responses to “A 3-Stage Business Continuity Framework”

  1. Tim Ortmeyer April 10, 2013 at 3:46 am #

    Very nice post. I just stumbled upon your weblog and wanted to say that I have truly enjoyed browsing your blog posts. After all I will be subscribing to your rss feed and I hope you write again soon!

  2. ombuge odinga October 3, 2015 at 10:06 am #

    good information!!!
