Archive by Author

Business Continuity Plan

7 Feb

In my previous blog I have discussed about Discovery Disaster Planning. Now I will highlight the Business Continuity Plan to complete what others in my category have already explained.  (jamesdaly1990) already introduced a Business Plan Process framework, and I total agree with him that it can be helpful for our group to build a good framework.

In my own understand of Business Continuity Plan I also discover similar information like (billynomates2012) mentioned in his previous blog, but in different way. As I mentioned in my last blog that “disasters might take place anytime, so the organizations must be prepared” [4]. Taking into consideration the type and extent of the company, a plan i.e. Business continuity plan is devised to lessen down the distraction that could be caused by the disaster and keep the business competitive [3]. The Business Continuity plan should include the occurrence of several events including equipment failure; disturbance in power supply or telecommunication; application failure or database corruption; human fault, disruption or strike; malicious Software (i.e. viruses, trojan horses or worms) attack; hacking; other Internet attacks; social disturbances or terrorist attacks, fire, theft and natural disasters like flood, hurricane, earthquake etc [2].

Business Continuity planning stages

Stage 1 Project Beginning

– Defining Business Continuity aims and extent of coverage.

– Establishing Business Continuity Steering Committee.

– Drawing up Business Continuity guidelines and policies.

Stage 2 Business Analysis

– Performing Risk Analysis and Business Impact Analysis.

– Considering alternative business continuity approaches.

– Carrying out the Cost-Benefit assessment and selecting an approach.

– Developing a Business Continuity Budget.

Stage 3 Design and Development (Designing the plan)

– Setting up a team for Business Recovery and assigning accountability to the members.

– Identifying plan structure and chief elements

– Developing Backup and Recovery approaches.

– Developing Scenario for executing plan.

– Developing escalation, notification as well as plan activation criteria.

– Developing General Plan Administration Policy.

Stage 4 Implementation (Devising the plan)

– Preparing Emergency Response practices.

– Preparing Command Centre Activation practices.

– Preparing comprehensive recovery practices.

– Preparing vendors agreements and purchasing recovery resources.

– Ensuring everything essential is in place.

– Ensuring Recovery Team members are familiar with their tasks and duties.

Stage 5 Testing

– Exercising Plan grounded on chosen Scenario.

– Producing test report and evaluating the outcome.

– Providing training and awareness to each and every Personnel.

Stage 6 Maintenance (Updating the plan)

– Reviewing the Plan at regular intervals.

– Updating the plan with any alterations or enhancements.

– Distributing the plan to the recovery team members.


Business continuity planning framework

A single business continuity planning framework should be maintained to make sure that each and every level of plan is consistent and also to recognize priorities for the purpose of testing and maintenance [2]. Business continuity plans should be task oriented and modular. Every plan should evidently indicate the conditions for its occurrence along with the people accountable for putting into practice every element of the set plan [4]. New plans must be related with the established emergency processes and prevailing fall-back arrangements, telecommunications, core computer services and accommodation [1]. Distinct levels of plan might be needed as every level might include a dissimilar focus and take in distinct recovery panels [3]. Every plan should comprise of four chief elements:

  • Emergency actions – outlining the instant action to be carried out subsequent to a major incident which jeopardises business procedures [1]1.
  • Fallback procedures – outlining the actions to be carried out in order to move necessary business processes and the support services to a temporary location [2].
  • Resumption procedures – outlining the actions to be carried out to return the company and its procedures to the normal full function, generally at the actual site [1].
  • Test schedule – outlines how the plan needs to be examined [4].

Every level of the business continuing plan and every individual plan should include a particular custodian.


The implementation of an efficient Business Continuity Management framework within a company offers advantages in several areas [2]. The benefits include safety of shareholder value; decreased exposure to specific risks through methodical risk recognition; better understanding about the business is attained through way of risk analysis; functional resilience follows on from executing risk reduction; downtime is deceased at the time when alternative procedures as well as workarounds are recognized; compliance problems could be recognized and managed for optional procedures; important records could be protected and maintained; the consequences for Health & Safety laws and Duties of care could be taken into consideration [1]; enhanced operational efficiency by a forced practice of business procedure re-engineering, superior organizational resilience through allotting alternative individuals to support main procedures and through describing and documenting recovery procedures; safety of both the knowledge and physical assets of the company; preservation of marketplaces through ensuring the continuity of supply; enhanced safety and prevention of liability actions [2].

The drawbacks associated with business continuity include the fact that the plan needs to be continuously edited for modifications, the plan needs to be tested on a continuous basis [3], the plan must be kept in a safe environment for the reason that it would include information important to how the systems operate taking in the possible information related to confidential processes [1]; the examiners would have to continually tear into the plan revealing what they regard as flaws. If there is no plan, they have less to complain about, the cost of planning and actions and lastly, the time spent to carry out the entire procedure.

To conclude, from the above discussion it can be clearly stated that business continuity planning has acquired a good place in today’s continuously changing business world [1]. Putting in place a BCP framework should be viewed as precedence for any company provided the operational risks which they encounter and the important functions and operations which they carry out [2]. The formation of a Business continuity plan should not be viewed as a onetime project but should become a vital fraction of the everyday operations of the company [4]. Further, BCP framework has several advantages associated with it but at the same time companies should also not overlook the drawbacks/limitations related to BCP.


1.Cerullo, V. and Cerullo, M. J. (2004) Business continuity planning: A comprehensive approach, Information Systems Management, Vol. 21, No. 3, pp. 70-78.

2.Gibb, F. and Buchanan, S. (2006) A framework for business continuity management, International journal of information management, Vol. 26, No. 2, pp. 128-141.

3. Herbane, B., Elliott, D. and Swartz, E. M. (2004) Business continuity management: Time for a strategic role? Long Range Planning, Vol. 37, No. 5, pp. 435-457.

4. Lam, W. (2002) Ensuring business continuity, IT professional, Vol. 4, No. 3, pp. 19-25.

Business Disaster Recovery Plan

27 Jan

Business Disaster Recovery Plan

In my previous blog I mentioned a planning for business continuity is a comprehensive process that includes disaster recovery. Today am going to discuss about Disaster Recovery Plan (DRP)

Botha and Von Solms (2004) have defined it as “disaster recovery focuses mainly on the recovery of the information technology department and all related functions”[1].

Disaster might take place anytime, so the companies need to be well prepared in advance. Depending on the nature and size of the company or business, a plan is designed with the view to trim down the disturbance of disaster and ensure that the business remains competitive for long [2].

Because of the progression of Information Technology (IT), companies nowadays rely highly on IT for their day to day operations (Gibb and Buchanan, 2006) [3].

With the appearance of e-business, a number of companies need to operate around the clock. Moreover, a single downtime might result in a disaster. As a result, the traditional DRP (Disaster Recovery Plan), that lays focus on reinstating the centralized data unit, might not prove to be adequate. A more wide-ranging, systemized and thorough Business Continuity Plan (BCP) is required to attain a state of business continuity where in important networks and systems are constantly available (Herbane et. al., 2004) [4].

According to Hassim (2000) “A disaster may be any accidental, natural or malicious event which threatens or disrupts normal operations, or services, for sufficient time to affect significantly, or to cause failure of the enterprise” [5].

The majority goals of disasters recovery plan are:

  • Minimize interruptions to normal operations
  • Limit the extent of disruption and damage
  • Minimize the economic impact of the interruption
  • Establish alternative means of operation in advance
  • Establishing high internet connection reliability and fault tolerance

Bother also mentioned that in 2002, Vistastor Corporation estimated that 43% of organisation that are affected by disasters close immediately and those that manage to survive, 29% close within a matter of 2 years. They also estimate that one of 5 hundred organisations will experiment a severe disaster at least once a year [6].

Wilson (2000), believe that the majority of disaster are as a result of unplanned events in and around the working environment.  Such as neglecting to save a important file, a complete network failure, losing installation backup disks or the loss of the original copy of an important document and online transaction processing web site or the deletion of critical files by a new employee[7].

Disasters are constantly looming and, therefore, organisations must preferable implement a business continuity plan.


1. Botha Jacques and Von Rossouw,(2004), “A cyclic approach to business continuity

planning”,Information Management & Computer Security; 2004; 12, 4; ABI/INFORM


2. Lam, W. (2002) Ensuring business continuity, IT professional, Vol. 4, No. 3, pp. 19-25.

3.Gibb, F. and Buchanan, S. (2006) A framework for business continuity management, International journal of information management, Vol. 26, No. 2, pp. 128-141.

4. Herbane, B., Elliott, D. and Swartz, E. M. (2004) Business continuity management: Time for a strategic role? Long Range Planning, Vol. 37, No. 5, pp. 435-457.

5. Hassim, M. (2000). To plan or not to plan? Accountancy SA [Online]. [Cited May 11,

2002] Available from Internet URL

6. Botha, J. (2002). A Cycle Approach to Business Continuity Planning

7. Wilson, B. (2000). Business Continuity Planning: A Necessity In The New ECommerce

Era. Disaster Recovery Journal [Online]. [Cited October 21, 2000] Available

from Internet URL



Business Continuity Introduction

22 Jan


Many have already defined Business Continuity. They already gave a clear understanding of Business Continuity; we now know that “Most organisations see business continuity as a process that is executed over time, rather than a static set of documentation. While there are many different approaches to business continuity methodology, nearly all of them share the elements identified below”. [1]


What is Business continuity management (BCM)?

“Business Continuity Management means ensuring the continuity or uninterrupted provision of operations and services. BCM is an on going process with several different but complementary elements. Planning for business continuity is a comprehensive process that includes disaster recovery, business recovery, business resumption, and contingency planning as show below”. [2]


In my future blogs I will develop the figures above in more details; this is just a brief introduction of BCM.

Concept of Business Continuity

Business continuity is basically the activity carried out by a company with the view to make sure that the important business operations would be available to the suppliers, customers, regulators as well as other entities which need to have admittance to those operations (Gibb and Buchanan, 2006). These activities take in many day to day activities like project management, change control, system backups and lastly, help desk. Moreover, business continuity is not something that is executed during an emergency. Business Continuity implies towards those activities which are carried out every day to keep up the service, recoverability and consistency (Cerullo and Cerullo, 2004). In addition to this, business continuity can also be defined as the tactical and strategic ability of the company to plan for and take actions for business disruptions and incidents so as to carry on business procedures at a satisfactory predefined standard (Herbane et. al., 2004). The basis of business continuity are program development, standards and assisting policies, procedures and guidelines required to make certain that a firm would continue without any obstruction, regardless of the unfavourable events or circumstances (Gibb and Buchanan, 2006). Further, all system design, support, implementation and maintenance need to be grounded on this foundation to hold hope of attaining business continuity, recovery from disaster or during few situations, system support (Cerullo and Cerullo, 2004).



3. Cerullo, V. and Cerullo, M. J. (2004) Business continuity planning: A comprehensive approach, Information Systems Management, Vol. 21, No. 3, pp. 70-78.

4. Gibb, F. and Buchanan, S. (2006) A framework for business continuity management, International journal of information management, Vol. 26, No. 2, pp. 128-141.

5. Herbane, B., Elliott, D. and Swartz, E. M. (2004) Business continuity management: Time for a strategic role? Long Range Planning, Vol. 37, No. 5, pp. 435-457.

When should the value of IS investments be measured quantitatively/ qualitatively?

18 Nov

As many of the previous bloggers such as sully1210 and kechi4me have already explained, what I will say is that I agree with each one of them. In my part I will add that benefits of the information system in tangible form can be analysed quantitatively while the benefits in intangible have to be analysed qualitatively. Like the efficiency of the project can be analysed quantitatively, but the second stage of the effective project has to be analysed qualitatively.

An information system sometimes plays an integral role in implementing the strategies of the business like development of new products, new services or new business altogether. Thus, information system helps in achieving the strategic goals of the company. An information system can help in supporting the existing business strategy by providing the competitive edge and new opportunities. It can also help to reengineer the business by cutting the costs and help to provide better services and products, these can be analysed qualitatively except the cost part. Information systems can be analysed in terms of strategic value, risk and financial profitability. The output of information systems can be analysed by seeing the success of the information development and success of information system usefulness.

The objectives attained can be tangible i.e. in terms of monetary benefits and can be intangible. The intangible objectives can be operational, special and general capability objectives. Operational objectives would involve the enhancements and the positive changes in the activities relating to the operations of the company. Special objectives would be related to objectives which are not directly related to the output of the company like auditing, changes of tax.

General capability objectives can be seen as the need to process the information before actual requirement. In my opinion, the critical value of IS to an organisation is the manner in which it affects business processes in line with the organisation’s strategy.

I believe the value of IS investment should be measured both during the implementation process and post implementation period.

The role of ‘gut instinct’ in IS evaluation

10 Nov

The understanding of factors that would govern the outcome of an investment after some years is generally very slight and frequently negligible.  To be very clear it can be stated that the basis of knowledge for evaluating the outcome ten years from now results in little and nothing at times (Smith and Shefy, 2004).

Formal rational methods of evaluation have a limit on accomplishments achieved when using them in making investments. This is evident when managers go by their ‘gut instincts’ when making decisions. There are a number of factors such as cultural, personal and political issues that effect investment decisions.  These factors are not easy to rationalize. It therefore becomes necessary to use gut instinct in a decision affected by such factors because instincts take into consideration the realities of the world.

According to Wheatly (1992), “we inhabit a world that is always subjective and shaped by our interactions with it. Our world is impossible to pin down, constantly and infinitely; more interesting than we ever imagined” this expression as been mentioned in previous blog. It is crucial to use rationally together with gut instinct in making successful investment decisions.

As a result, gut instincts shouldn’t be overlooked since it is a different type of reasoning and considers how exactly the world actually is instead of just databases or monetary measures (Matzler et. al., 2007).

Constructive management decision-making calls for several different facets. Rational thinking alone is not sufficient. Further, it can be stated that gut instinct plays a chief role in all decision making processes since in the absence of an understanding of gut feeling or instinct there would be no understanding of the management itself (Smith and Shefy, 2004).

Many IT investment decisions are made, or apparently made, and rightly so, on purely technical rational grounds. Such decisions may be made using the same type of formal structure that might be used to buy a factory, develop a new product, build a house or play bridge. But much of the time, the process of evaluating IT is the application of prognosis, praxis, the application and the absorption of a range input information.

The information can include data, evaluation techniques, personal experience, personal knowledge, corporate or departmental politics, personal desires and intuition; a process of filtration and distillation of frequency very complex data, information and knowledge to levels manageable to the human mind. This decision-making process is often known as or expresses itself in the term of instinct, ‘gut feel’, ‘intuition’ and other equivalent terms.

In order to influence and improve IT investment decisions, it would be very useful to have a deeper understanding of this interior practice or functioning of the managerial mind. Hitt and Brynjolfsson have identified this challenge succinctly when they observed that “the problem of IT value is far from settled”. In fact according to Lacity and Hirschheim (1995) “the problem is that meaningful measures of departmental efficiency do not exist for IS….much of the knowledge required to make efficient economic decisions (related to information systems) cannot be expressed as statistical aggregates, but is highly idiosyncratic in nature”.

Evaluation of Information System Investments

2 Nov

Evaluation of information systems has become an increasingly key issue, it provides the crucial feedback function, helping to prevent the repetition of the same costly errors; and so the organization learns (Ian O. Angell and Steve Smithson). Evaluation of information systems is an area full of potential pitfalls.  Hochstrasser argues that the high rate of IT/IS failure is partly attributable to a lack of solid but easy to use management tools for evaluating, prioritizing, monitoring, and controlling IT investments. Voss et al, claims that technology focused investments fail due to organizational problems, and identified economic justification as a significant contributing factor.

Information system can be analyzed in a three step procedure.

  • First is evaluating intangible benefits.
  • Second is analyzing the investment and risk.
  • Third is analyzing the tangible benefits.

All the three analysis should be done to get the effectiveness of the information and how can it help the organization. The result of implementing the information system is evaluated by analyzing the success of information system implementation, investment in information system and information system functionality. Evaluation of information system must also include the success achieved in the products and the processes of the company.

Hochstrasser and Griffiths identified the overwhelming belief of many industries that they are faced with outdated and inappropriate procedures for investment appraisal, and that all responsible executives can do is to cast them aside in a bold ‘leap of strategic faith’.

They also think that to evaluate in information systems is giving monetary value to the intangible benefits from the information system. First in evaluating the information system is to calculate the total investment made in the information system that is the investment cost.

The cost would include all the costs like developing and maintaining the systems cost, the current production cost. Then one should evaluate the value which was derived by accomplishing the objective by the use of information systems. One thing to analyze is the purpose of the information systems.

According to (Irani, 2000), there are different types of information system. An information system can be a very small application which caters to the need of single activity or it can be a big system which is supporting the organization firm wide. One more type of information systems should be evaluated differently these are infrastructure investments. Infrastructure are investments on which the applications to be used in future are to be built.

An organization may have been forced by the legislations to implement the information systems. Upper management may feel the need to implement the systems and also there can be qualitative and quantitative benefits from implementing the information systems. (Butler Cox Foundation, 1990)

Earl and Runge suggest that an investment in information system can take different forms. In information it can be implemented to improve the information already in place, to remove the old system and replace it with the new system or install complete new system.

Investing in system which is very common in the industries is different from investing in the new system. Evaluation of utilization of resources also needs to be done in evaluation.

So finally the evaluation of the information system should include the following steps. These steps are Cost Identification, contribution to the strategies of business, analysis of the benefits achieved, second order effects (surprises or unpredictable effects),  flexibility it provides, implement ability, risk it brings, helping in testing a new business idea. After analyzing these eight factors, company should be able completely evaluate the information systems.

So, what do you think?

What approaches are used to evaluate IS investments?

28 Oct

Evaluation of information systems in an organization is seen in different ways by information technology person and an accountant. An IT person in a company will see the competitive edge the Information system will give to the organization. On the other hand an accountant will analyze the information systems in terms of cash flows, then calculating different measure to account for the cash flows like NPV, IRR and economic value add. Both these approaches have failed to capture the full potential of the information system investments as they can’t gauge how the information system is complementing the strategies of the business.  (Willcocks, 1992)

Evaluation of the project can be done checking the how it improves the efficiency in the company and also how it is effective in the company. Efficiency can be checked by analyzing the cost reduction the information system brings into the company. Reduction of costs mainly comes from the reduction in the labour costs. Information systems maintaining the payroll, processing the order for sales etc were the main information systems for reducing the labour costs. These type of savings are relatively easy to quantify and can be analyzed by techniques like NPV, IRR, ROI. IBM used a method called SESAME to check the performance of the system using the information system and not using the information system. (Lincoln and Shorrock, 2012)

Effective projects for information system will such that they help to perform the tasks of the company in a better way and help in the strategic decision making of the company. The systems help to perform task effectively and in a better way. An information system which is effective sometimes cannot be justified for the efficiency. Such justification cannot be rationalized sometimes in monetary terms.  The effectiveness of the information system can be seen in two stages. First after the implementation of the system the benefits are realized within company. Thereafter the effect of the implementation is felt on external environment which may lead to behaviour change in the parties concerned and thus its benefits realized. Now calculating the benefits in the second stage of the effective project can lead to miscalculation and thus the wrong expected benefits from implementing the information system. As a result of this the effective projects in the information systems are implemented based in the instinct of the management. (Ballantine, Galliers and Stray, 1996).

There are other types of information systems which need to be implemented like “mandatory” investments. This can be due to requirement of new legal rules or due demand of the industry, customer or supplier. Second are the infrastructure investments which are investments in the platforms for technology, systems for communication and networks. Third can be investments for research purpose. They are implemented mainly for aim of development and getting accustomed to the new generation of technologies. For the above systems evaluation also needs to be done so that the company can decided whether to buy the information system, or develop in- house systems. So the options need to be analyzed in terms of efficiency as well as effectiveness.  Thus mandatory investment in information system also needs to be evaluated.

Similarly the evaluation of the infrastructure investment should be done not on the standalone basis but also the application which will be enabled by the infrastructure system. So the organization should evaluate the benefits from the infrastructure investment and only if the benefits can seen only then should the company proceed with the investment. Investment in research information should be treated as a special case and the cost for that should be included in the budget allocated for the overall research of the company. But investment in research projects should also be evaluated and should help in learning and developing the organization. (Feeny, 1988)

Is IS evaluation different to evaluation of other investments?

20 Oct

Information systems involve a lot of investments for a company. Evaluation of information systems investments would involve analyzing the return which a company has got from investing in the information systems. There have been large investments made by the organization in the information systems over the history. As for most of the companies information investments in the information systems does not give direct output it is essential to analyze whether the investment makes sense or not. So the evaluation of the investments in the information system is all about this justifying the investment in the information systems.

This can be difficult as benefits of the information systems can be tangible as well as intangible. Also it has been observed that in an information systems project the interaction between the systems and the organization cannot be predicted with accuracy and thus they are different from the traditional capital projects where the interaction can be predicted easily.

Evaluation of information systems is difficult as benefits of the information systems can be tangible as well as intangible. Also it has been observed that in an information systems project the interaction between the systems and the organization cannot be predicted with accuracy and thus they are different from the traditional capital projects where the interaction can be predicted easily. Evaluation of information system is different from other investments because of the benefits are not directly visible by the implementation of the information system.

The research done by the people have shown that the companies face difficulties in evaluating the information system investments. Some managers believe that the advantages of

implementing the information system are so much that it’s not necessary to quantify them.  Studies have shown that the relationship between investments and success of the business is not linear. Also companies have not collected enough information to evaluate the information system investment. Investment in information system in many organization is done on the belief that the as the systems are utilized the gains from using the system will be accrued. Also there will be reduction in the costs of the company and services of the company will improve.



%d bloggers like this: