Business Continuity Framework

22 Feb

Introduction

As per Assignment 2 and as part of our module IS6118, we have developed a Business Continuity framework based on our previous blogs regarding Business Continuity. We have used different components discussed in our blogs regarding the topic to produce a framework for building organizational resilience with the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities [1][3]. We have researched different components of the framework and also background to business continuity to get a better understanding of the topic. We have also looked how technologies can be used to help with business continuity and also how a framework has been used in real life case studies. We have decided on 7 main components of a business continuity framework:

1)      Policy/Planning

2)      Management

3)      Communication

4)      Reporting

5)      Identify Critical Business Functions

6)      Analysis

7)      Implementation

Business Framework

Business Continuity Framework

 

1) Policy/Planning

Business continuity planning is an essential future plan for a business in order to provide a service without any factors affecting its performance. A business can never foresee future events such as a crime, natural disaster, IT failure, power failure, fire, etc. [1]. When it comes to policy and planning service level agreements are fundamental to achieving business continuity. Downtime whether it is planned or not can be hugely damaging to an organisation and it is for this reason why SLA’s are incorporated. They effectively ensure the minimum levels of availability from suppliers and then lay out a plan to define what actions will take place in the event of disruption. The challenge comes when trying to link business continuity and SLA’s together as there are certain services which most definitely require service-level-agreements to be put in place. There are internal and external services which will require necessary SLA’s and they vary from RTO’s, RPO’s, review of BIA, risk assessment, network recovery, time required to recover and restart from failover etc. Such companies as IBM have developed a solution to organisations which enables them to improve business continuity much more efficiently and effectively to data protection strategy and storage infrastructure by applying service level concepts [2] [3].

Business continuity plan is devised to lessen down the distraction that could be caused by the disaster and keep the business competitive. The Business Continuity plan should include the occurrence of several events including equipment failure; disturbance in power supply or telecommunication; application failure or database corruption; human fault, disruption or strike; malicious Software (i.e. viruses, trojan horses or worms) attack; hacking; other Internet attacks; social disturbances or terrorist attacks, fire, theft and natural disasters like flood, hurricane, earthquake etc. [5].

2) Management

Managing the Business Continuity Policy or plan is essential to its success. Assessing the risk(s) that threaten(s) the company is an essential prerequisite to crafting a BCP. Conducting a risk assessment to develop response strategies is vital to a successful BCP. Another management priority is to frequently Rehearse, Maintain and Review the BCP [4]. Management from the top is crucial to the framework as there will be a clear outline of procedures and processes and the risks which need to be eliminated. The strategy of the organisation needs to be clearly defined in order to ensure the BCP is utilised appropriately and the management should also aim to create a culture of business continuity in the organisation and drive home the significance the BCP and this in turn will contribute to the success of it. If this isn’t driven home by the management then the business could be in jeopardy as the costs associated with business continuity could spiral. The Business Continuity Program should be aligned with the enterprise business objectives and that is the responsibility of the management [2].

3) Communication

Communication involves producing plans for training staff that would be involved in the business continuity process and also plans for testing the systems that are involved in the recovery. Identify key staff and potential backup staff in the event of a disaster. Hold staff meetings. Every employee should be made aware of the BCP and should be reminded of it on a regular basis. Test the BCP and put it into action sop that if the day arrives that it needs to be implemented then at least you have practice runs completed [1][5][3]. The idea of communication as part of the business continuity framework is a hugely important aspect as it allows for the framework to be tested before implementation. There is a huge gap here in the framework to utilise the medium of social networks and it is time that businesses start thinking about incorporating social media into their business continuity. One of the main reasons social media will be used during a business continuity plan is for communication during a crisis, disaster or planned and unplanned downtime. Through analysing the opportunities available to businesses through the use of social media to support the business continuity, tools such as ‘Yammer’ can support the HR team in terms of being able to communicate with employees and provide better care in the midst of an incident of downtime. Social media allows the employees a greater influence over an organisation than ever before whether they like to admit it or not. Other social media outlets include, Facebook, Twitter, LinkedIn, Google+, YouTube etc. By using in-house social media tools will aid in improving business processes and procedures due to feedback generated by employees whether it be good or bad and as a result this will help provide more information on areas for improvement which then in turn leads to better BCM. Also in order for a business continuity plan to work the professionals need to be in direct contact with the powers that be in a company in order to understand the company they are working with to ensure that the right risks are mitigated with effective approaches and methods [2].

4) Reporting

A document should be prepared outlining all the remedies in the event of a BCP been implemented and should be easily accessible in an identified location. Duplicate copies should be distributed to employees and also digitally and in an off-site location [3]. In reference to an off-site location this is where the cloud comes into the equation when an organisation is in partnership with a trusted cloud service. These reports, data and information can be stored in the cloud and that is one of the major advantages of utilising the cloud. In the event of planned or unplanned downtime the organisation can rely on the trusted cloud service to have the data readily available and easily accessible. However there may be certain issues when it comes to storing information depending on the jurisdiction and territory but this only applies to regulated organisations. Data integrity will also need to be addressed for the Business Continuity Plan [2].

5) Identify Critical Business Functions

If a business has a plan in place to deal with such events, then the essential functions of a business are fail safe and a business can provide an uninterrupted service. Identify critical external contacts which includes essential information about the contact and the contact list should also include solicitors, IT consultants, landlord etc. information. Identify essential equipment. Make sure there is a back-up system in place such as RAID in the event of a disaster or emergency. Also back up generators and hardware should be ready to use in the event there is a computer failure or power failure [3]. Identify Essential Documents. Documents regarding employee information, premises lease, tax papers, legal issues etc. should be duplicated and stored off site in the event of a fire or natural disaster. The business should be able to set up again [1]. The cloud can aid with the running of business critical functions in the event of downtime as when organisations are in partnership with a trusted cloud service they will have access to a secure and exclusive network with an extremely high availability and this will allow this critical business functions to operate [2].

6) Analysis

Analyse what roles and responsibilities are given to employees during disaster recovery, along with full contact details and capability profiles. Identify Essential Documents. Documents regarding employee information, premises lease, tax papers, legal issues etc. should be duplicated and stored off site in the event of a fire or natural disaster. The business should be able to set up again [1]. The purpose of the risk analysis is to identify procedures that could possibly prevent or reduce the effect of a disaster. These procedures include educating personnel about issues such as security, Vandalism, workplace violence and so on. Risk Analysis involves the analysis of the organisational environment to identify threats that could lead to a disastrous situation.

Areas to be reviewed for such threats are the actual physical location of the organisation, access security, the organisation’s policies, practices and the construction of any of the organisation’s facilities. The objective of this analysis is to identify the vulnerabilities that could cause the most damage to the organisation and to select the appropriate controls for providing effective protection.

The Business Impact Analysis (BIA) can be divided into 3 steps:

1)      Performing the BIA

2)      Determining the minimum processing requirements

3)      Analysing the risk.

Analysing the risk differ from the traditional risk analysis because it actually refers to the prioritisation of resources as well as the identification of possible loss situations for resources [5].

7) Implementation

Implementation involves providing details of services and equipment available to be utilized during recovery. Also, outlining details of all the steps in the recovery process, both to get an initial basic operation up and running, and for full restoration of business. Create a list of responsibilities for implementation of a BCP. This should identify which employee does what and how. Such as person who should phone the fire brigade, this person could be appointed as the Fire Safety Officer [1]. When the development of the strategies recovery is done or completed, then it is now time to implement these strategies. While waiting to implement or to develop these strategies much preparation is needed. For example set up procedures for backup, contracts and agreements. This would also involve assigning personnel to various tasks in case disaster strikes. These tasks are called emergency response practice and should be performed by a team [5].

 Conclusion

Based on our above framework and from our previous blogs we feel that for business to continue during a disaster the organisation should follow the guidelines mapped out in our framework. By using the components discussed we feel that a business will be fully prepared in the event of planned or unplanned downtime which affects the performance of the business and thus in turn will lead to loss in revenue. Management needs to be involved from the outset in order to clarify the needs of the organisation and insure that critical business functions will be made a priority and aligned with the enterprise business objectives.

 

Source [1] https://sopinion8ed.wordpress.com/author/billynomates2012/

Source [2] https://sopinion8ed.wordpress.com/author/ericlynch1/

Source [3] https://sopinion8ed.wordpress.com/author/gashe2k12/

Source [4] https://sopinion8ed.wordpress.com/author/jamesdaly1990/

Source [5] https://sopinion8ed.wordpress.com/author/mirra2/

 

Group 5
Greg Ashe
Shane Counihan
James Stephen Daly
Ruth Kapinga
Eric Edward Lynch

 

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: