A 3-Stage Business Continuity Framework

22 Feb

We have designed a framework that we believe companies could use when preparing a business continuity plan (BCP). This framework will be divided into three stages:

The first is the initiation phase, which generally encompasses all that will be completed when a BCP is first proposed. This involves defining the event for which we are preparing, identifying the key players involved and the main aspects of the BCP.

The second is the continuous phase, which incorporates many activities that take place at the inception of a BCP and also take place regularly during the lifespan of a BCP. This is carried out to prevent the BCP from becoming out of date. These activities include identifying threats, establishing a “whole business approach” and carrying out regular tests, reviews and updates.

The final phase is implementation, which involves putting the BCP into action and ensuring it is in place should a disaster ever affect the business.

Phase 1: Programme Initiation

Crisis Definition

Before an event can be addressed, one must first adequately define it. Is it simply an incident, or a crisis, “one that can interrupt anything that the organisation considers critical”? This will be assessed accordingly by a crisis management team, who will be recruited to properly assess a situation.

Forming the BCP Team

As pointed out by the group the business continuity process should be an enterprise-wide activity rather than just an IT issue. Just viewing business continuity as an IT issue may lead to inadequate resource allocation for the business continuity plan. Therefore it is important to establish a programme which chooses key people within the entire organisation and not just within the IT department.

Choosing people from different departments to participate in the preparation of the business continuity plan (BCP Team) will increase the variety of skill available and also will act as a voice for their department when planning the contingency plan. The CIO can have a key role in identifying these key individuals. The business continuity plan should be the responsibility of a senior manager (business continuity manager) who will lead the development of the business continuity plan. Within this initial phase the programme roles, responsibilities and processes will be defined and agreed by the BCP team. Also the team should identify the key personnel, resources and suppliers needed in the event of a crisis and those identified should be assigned specific tasks in the event of a crisis. Once the BCP team is assembled they can go about discussing what should be included in the business continuity plan.

Aspects of BCP

These are the main areas of interest in relation to forming a BCP.

1. BCP Governance

BCP Governance is concerned with how aware management are of their commitments and roles. This section needs to contain a structure, possibly in the form of a committee who are responsible for overseeing the plan as a whole.

2. Business Impact Analysis (BIA)

The importance of a BIA is in relation to identifying the main products/services that the company provides, while clarifying the impact a disruption may have on these. Another area that is looked at in this section is identifying areas that could potentially lead to revenue loss, additional expenses and intangible losses. At this phase it is important to identify the organisation’s insurance requirements and identify inter-dependencies that exist between a company’s products/services.

3. Plans, Measures and Arrangements for Business Continuity

This stage of the plan requires the company to prepare a detailed recovery/response arrangement to maintain business continuity. The aim of these arrangements is to provide the organisation with an idea of when they would be able to provide a minimum level of service during a time of disaster. BCPs need to be made specifically for each product/service that the company provides. They also need to ensure continuity within each business process of an organisation.

4. Readiness Procedures
These procedures ensure that all staff members are adequately briefed on the plan’s contents and the measures that will be going ahead in the event of a disaster. Everyone needs to be aware of their responsibilities while those staff members who have direct responsibility need to keep up to date on their role in the event of an incident.

5. Quality Assurance Techniques
This process is essential for helping companies evaluate what part of their plan needs to be updated and improved on. These techniques may include an internal review or an external audit, or possibly a combination of both methods.

Phase Two: Continuous

Internal and External Threats

There is a need for both a company’s internal and external threats to be explored at the outset of a BCP.

An internal threat is something that occurs within the company. Examples include interruption to supply chain, security breaches, and data loss. As a company evolves other internal threats may become a bigger risk to the company, for example if the company is customer orientated, a power outage could cause adverse effects. External threats are those that come from outside of the company, something the company cannot control, for example natural disaster and terrorism. Another example is a hack attack on the company’s system. In order for a company to prepare for these attacks a stringent and well organised business continuity plan needs to be in place within the company.

Identification of these threats will serve to increase the company’s resilience by being prepared for all eventualities. Flexibility needs to exist within the BCP to ensure all threats are prepared for. For example, the same action would not be taken for supply chain interruption as would be for the occurrence of an earthquake.

Whole Business Approach

As pointed out in the Initiation Phase of our framework, a Business Continuity Plan needs to be an enterprise-wide activity. There needs to be a whole business approach in adopting the BCP in order to gain full advantage of the plan when it is called upon.

The programme initiation phase of our framework and building the right team is crucial in making a BCP an enterprise-wide exercise. If the correct team is put in place, it will ensure there is strong leadership (Business Continuity Manager from top management of the business) and an active involvement from all sectors of the business (BCP Team). By the importance of the BCP being recognised from the top down, the plan should become a crucial part of the business that is integrated into the everyday functioning of the company. If this ‘embedding’ of the plan into the company’s culture is successful, then each member of staff will be aware of the importance their role has in its success and pay due diligence to that role. For the recognition of this importance to continue into the future, beyond the initial setup stage, testing and reviewing will be crucial.

As part of an all-encompassing “whole business” approach, recognising the need for suitable secondary protocols is essential. We propose that this should involve an assessment of the company itself by professionals in the area of disaster recovery. This will provide the company with the necessary instructions to accommodate for financial strains that secondary protocols can cause.

Testing

A BCP is defunct unless it has been proven to be effective. In order to ensure this, companies perform full tests on their BCPs which are performed at initiation to ensure a new plan is effective, and at regular designated times until further changes have to be made. This is necessary in order to keep the plan up to date as the external environment and threats change constantly.

As discussed in a previous post there are three different types of tests:

1. A Plan Review
This is a theoretical review of all BCP documentation.

2. Table-top Test
All of those involved in the BCP gather together to discuss and examine the plan and how it would be implemented.

3. Simulation Test
This is a practical demonstration of the company’s procedure under particular circumstances or in an unexpected event. It is the most exhaustive of BCP tests, and will prove the best indicator of a plan’s effectiveness.

These tests are measured based on the following standards, which incorporate the main aspects of a BCP as discussed.

1. Participation
This refers to those taking part in the test.

2. Attendance
Were people present and prepared for the test?

3. Plans (Early and Later Stages)
How well did those involved react to the initial stages of the issue? How exhaustive were the plans drawn up for issues including the co-ordination and allocation of key resources?

4. Support and External Players
How helpful were the support groups? Who was needed the most?

5. Leadership
Did those in charge during the co-ordination of the plan during the test react well?

6. Information Flow
Were those in relevant positions kept well informed during the process?

7. Quality Assurance
Reviewing the test regularly will help to ensure quality and effectiveness.

Mistakes

Testing shouldn’t be about “ticking the boxes”. Companies must account for all exceptional circumstances, and place their business ahead of all else. In the case of an unexpected event that a BCP doesn’t specifically address, there are critical areas that must first be looked at. As already discussed “The testing should challenge and surprise the organisation and its stakeholders”. This of course means that tests should also accommodate for all business processes, not just IT and IS. By recognising these pitfalls, a company is ensuring the continued survival of their business in a thorough and comprehensive way.

Updates

Our framework also takes into consideration past mistakes that others have made with regards to BCP. Over-reliance is addressed through assessing all possible areas of concern. The scope of the BCP will cover all aspects of the company, not just IS and IT, as this has become an increasing issue recently. Other issues such as security, insurance and service evaluation will also be addressed. Regular assessments of the company’s BCP will be a part of the BCP tests that will be carried out.

Phase 3: Implementation

The implementation of the BCP is one of the most critical aspects of the project. The role of the BC Manager and the BC Team is crucial here, as is the “Whole Business Approach”.

Other stages required in a successful implementation are;
• Actively encouraging employees to embrace the operation activity of the BCP by conducting internal discussions/study meetings etc. Encourage employees to gain knowledge themselves to enhance their skills with regards to disaster prevention and responses. This can be done by providing incentives for taking part in emergency-response courses and seminars related to BCP.

The BCM should also conduct their own training session on their BCP. Regular training sessions for the employees that focus on BCP-education will ensure if/when a disaster occurs that the organisation is adequately prepared. These sessions should involve the following aspects;
1. Evaluate and re-evaluate the effectiveness of the BCP
2. Help employees gain an understanding of the BCP and clearly identify their own roles
3. Actively promote cooperation and collaboration amongst employees in the case of a disaster.
It is the role of the manager to keep everyone informed and updated on the BCP.

The group also pointed out that even if a good continuity plan is implemented and tested regularly there is no guarantee of success, as Lehman Brothers showed during the 9/11 attacks: when they were denied access to their recovery center, they had to draw on emerging processes in creative ways, showing that crisis adaptability is the key to continuity. Regular reviews of the BCP will be carried out to ensure that it remains accurate and up to date, depending on the external environment.

Figure 1.1 Proposed Framework

We believe that the above framework incorporates all aspects that are essential when it comes to business continuity planning. By assessing literature, previous successes and failures, we feel that we have accounted for the obvious and the unexpected. As with every framework, there is room for interpretation, but it is our belief that it should prove successful.

Group 10

Tim Ahern
Briain Dollard
Ross Leahy
Cian O’Brien
Eileen O’Brien
Claire O’Sullivan

Business Continuity Framework

22 Feb

Introduction

As per Assignment 2 and as part of our module IS6118, we have developed a Business Continuity framework based on our previous blogs regarding Business Continuity. We have used different components discussed in our blogs regarding the topic to produce a framework for building organizational resilience with the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities [1][3]. We have researched different components of the framework and also background to business continuity to get a better understanding of the topic. We have also looked how technologies can be used to help with business continuity and also how a framework has been used in real life case studies. We have decided on 7 main components of a business continuity framework:

1) Policy/Planning

2) Management

3) Communication

4) Reporting

5) Identify Critical Business Functions

6) Analysis

7) Implementation

Business Continuity Framework

 

1) Policy/Planning

Business continuity planning is an essential future plan for a business in order to provide a service without any factors affecting its performance. A business can never foresee future events such as a crime, natural disaster, IT failure, power failure, fire, etc. [1]. When it comes to policy and planning, service level agreements are fundamental to achieving business continuity. Downtime, whether it is planned or not, can be hugely damaging to an organisation, and it is for this reason that SLAs are incorporated. They effectively ensure the minimum levels of availability from suppliers and then lay out a plan to define what actions will take place in the event of disruption. The challenge comes when trying to link business continuity and SLAs together as there are certain services which most definitely require service-level agreements to be put in place. There are internal and external services which will require necessary SLAs and they vary from RTOs, RPOs, review of BIA, risk assessment, network recovery, time required to recover and restart from failover etc. Such companies as IBM have developed a solution to organisations which enables them to improve business continuity much more efficiently and effectively to data protection strategy and storage infrastructure by applying service level concepts [2] [3].

A business continuity plan is devised to lessen the distraction that could be caused by the disaster and keep the business competitive. The Business Continuity plan should include the occurrence of several events including equipment failure; disturbance in power supply or telecommunication; application failure or database corruption; human fault, disruption or strike; malicious software (i.e. viruses, trojan horses or worms) attack; hacking; other Internet attacks; social disturbances or terrorist attacks, fire, theft and natural disasters like flood, hurricane, earthquake etc. [5].

2) Management

Managing the Business Continuity Policy or plan is essential to its success. Assessing the risk(s) that threaten(s) the company is an essential prerequisite to crafting a BCP. Conducting a risk assessment to develop response strategies is vital to a successful BCP. Another management priority is to frequently Rehearse, Maintain and Review the BCP [4]. Management from the top is crucial to the framework as there will be a clear outline of procedures and processes and the risks which need to be eliminated. The strategy of the organisation needs to be clearly defined in order to ensure the BCP is utilised appropriately and the management should also aim to create a culture of business continuity in the organisation and drive home the significance of the BCP and this in turn will contribute to the success of it. If this isn’t driven home by the management then the business could be in jeopardy as the costs associated with business continuity could spiral. The Business Continuity Program should be aligned with the enterprise business objectives and that is the responsibility of the management [2].

3) Communication

Communication involves producing plans for training staff that would be involved in the business continuity process and also plans for testing the systems that are involved in the recovery. Identify key staff and potential backup staff in the event of a disaster. Hold staff meetings. Every employee should be made aware of the BCP and should be reminded of it on a regular basis. Test the BCP and put it into action so that if the day arrives that it needs to be implemented then at least you have practice runs completed [1][5][3]. The idea of communication as part of the business continuity framework is a hugely important aspect as it allows for the framework to be tested before implementation. There is a huge gap here in the framework to utilise the medium of social networks and it is time that businesses start thinking about incorporating social media into their business continuity. One of the main reasons social media will be used during a business continuity plan is for communication during a crisis, disaster or planned and unplanned downtime. Through analysing the opportunities available to businesses through the use of social media to support the business continuity, tools such as ‘Yammer’ can support the HR team in terms of being able to communicate with employees and provide better care in the midst of an incident of downtime. Social media allows the employees a greater influence over an organisation than ever before whether they like to admit it or not. Other social media outlets include Facebook, Twitter, LinkedIn, Google+, YouTube etc. Using in-house social media tools will aid in improving business processes and procedures due to feedback generated by employees, whether it be good or bad, and as a result this will help provide more information on areas for improvement which then in turn leads to better BCM.
Also in order for a business continuity plan to work the professionals need to be in direct contact with the powers that be in a company in order to understand the company they are working with to ensure that the right risks are mitigated with effective approaches and methods [2].

4) Reporting

A document should be prepared outlining all the remedies in the event of a BCP being implemented and should be easily accessible in an identified location. Duplicate copies should be distributed to employees and also digitally and in an off-site location [3]. In reference to an off-site location this is where the cloud comes into the equation when an organisation is in partnership with a trusted cloud service. These reports, data and information can be stored in the cloud and that is one of the major advantages of utilising the cloud. In the event of planned or unplanned downtime the organisation can rely on the trusted cloud service to have the data readily available and easily accessible. However there may be certain issues when it comes to storing information depending on the jurisdiction and territory but this only applies to regulated organisations. Data integrity will also need to be addressed for the Business Continuity Plan [2].

5) Identify Critical Business Functions

If a business has a plan in place to deal with such events, then the essential functions of a business are fail safe and a business can provide an uninterrupted service. Identify critical external contacts which includes essential information about the contact and the contact list should also include solicitors, IT consultants, landlord etc. information. Identify essential equipment. Make sure there is a back-up system in place such as RAID in the event of a disaster or emergency. Also back up generators and hardware should be ready to use in the event there is a computer failure or power failure [3]. Identify Essential Documents. Documents regarding employee information, premises lease, tax papers, legal issues etc. should be duplicated and stored off site in the event of a fire or natural disaster. The business should be able to set up again [1]. The cloud can aid with the running of business critical functions in the event of downtime as when organisations are in partnership with a trusted cloud service they will have access to a secure and exclusive network with an extremely high availability and this will allow these critical business functions to operate [2].

6) Analysis

Analyse what roles and responsibilities are given to employees during disaster recovery, along with full contact details and capability profiles. Identify Essential Documents. Documents regarding employee information, premises lease, tax papers, legal issues etc. should be duplicated and stored off site in the event of a fire or natural disaster. The business should be able to set up again [1]. The purpose of the risk analysis is to identify procedures that could possibly prevent or reduce the effect of a disaster. These procedures include educating personnel about issues such as security, vandalism, workplace violence and so on. Risk Analysis involves the analysis of the organisational environment to identify threats that could lead to a disastrous situation.

Areas to be reviewed for such threats are the actual physical location of the organisation, access security, the organisation’s policies, practices and the construction of any of the organisation’s facilities. The objective of this analysis is to identify the vulnerabilities that could cause the most damage to the organisation and to select the appropriate controls for providing effective protection.

The Business Impact Analysis (BIA) can be divided into 3 steps:

1) Performing the BIA

2) Determining the minimum processing requirements

3) Analysing the risk.

Analysing the risk differs from the traditional risk analysis because it actually refers to the prioritisation of resources as well as the identification of possible loss situations for resources [5].

7) Implementation

Implementation involves providing details of services and equipment available to be utilized during recovery. Also, outlining details of all the steps in the recovery process, both to get an initial basic operation up and running, and for full restoration of business. Create a list of responsibilities for implementation of a BCP. This should identify which employee does what and how, such as the person who should phone the fire brigade; this person could be appointed as the Fire Safety Officer [1]. When the development of the recovery strategies is completed, it is time to implement these strategies. While waiting to implement or to develop these strategies much preparation is needed. For example, set up procedures for backup, contracts and agreements. This would also involve assigning personnel to various tasks in case disaster strikes. These tasks are called emergency response practice and should be performed by a team [5].

Conclusion

Based on our above framework and from our previous blogs we feel that for business to continue during a disaster the organisation should follow the guidelines mapped out in our framework. By using the components discussed we feel that a business will be fully prepared in the event of planned or unplanned downtime which affects the performance of the business and thus in turn will lead to loss in revenue. Management needs to be involved from the outset in order to clarify the needs of the organisation and ensure that critical business functions will be made a priority and aligned with the enterprise business objectives.

 

Source [1] https://sopinion8ed.wordpress.com/author/billynomates2012/

Source [2] https://sopinion8ed.wordpress.com/author/ericlynch1/

Source [3] https://sopinion8ed.wordpress.com/author/gashe2k12/

Source [4] https://sopinion8ed.wordpress.com/author/jamesdaly1990/

Source [5] https://sopinion8ed.wordpress.com/author/mirra2/

 

Group 5
Greg Ashe
Shane Counihan
James Stephen Daly
Ruth Kapinga
Eric Edward Lynch

 

Business Continuity: How Does it Come About?

10 Feb

In these blogs we have now looked at examples of Business Continuity Plans and cob12 looked at one method of implementing a Business Continuity Plan. Here I will attempt to break this down further and look at a basic ‘how to’ for implementing a Business Continuity Plan.

The first thing to note is the complexity of setting up the Business Continuity Plan in an organisation. It is by far more effort and time consuming to set up than it is to administer once in place. This suggests that the use of an effective framework could ease the burden of setting up a Business Continuity Plan.

It is common practice for an outside consultant to be brought in to an organisation to set up the Business Continuity Plan. However, it is important to remember that this consultant, while working to establish an effective Business Continuity Plan, will not be there when the plan will be administered. It is therefore important to have the organisation’s full commitment to the plan from the outset. If the Business Continuity Plan is simply a document handed to the organisation at the end of the consultancy period, it is sure to fail when called upon. The organisation needs to take ownership of the plan and, as mentioned in a previous post, embed it in the organisation’s culture.

A positive way to ensure that this happens is to appoint a Business Continuity Manager. This manager should work closely with the consultant and see the Business Continuity Plan through from its infancy to its implementation, effectively spearheading the project. The manager should be well known to every member of staff. In turn, each member of staff needs to know their role in the BCP under the guidance of this Business Continuity Manager. It is vital to have the cooperation of all staff to ensure the success of the Business Continuity Plan.

Finally, once the initial set up phase is complete, the Business Continuity Plan should not become just a book on a shelf in the office. It needs to be incorporated into the day-to-day running of the organisation, tested, reviewed, and updated as required.

Wallace, M. & Webber L. (2010) The Disaster Recovery Handbook The American Management Association

How to Fail at Business Continuity

10 Feb

There are many factors that can contribute to a “less-than-perfect” business continuity program – or a program that truly fails to meet management expectations. What are those fatal mistakes that should be avoided and how can an organization prevent them from occurring? [1]

Not Understanding the Organisation;

One of the main jobs of business continuity professionals is to understand the organisation he or she is working with and that means being aware of how they work, their processes and key products. But here is where the problem lies as they often tend to enhance their program by overloading it in layers and software applications. And this in turn is a huge waste in resources and capital.

When talking about business continuity you are referring to a process which is put in place to alleviate risk within core areas of an organisation. And these risks have to be predetermined and decided upon by the powers that be, the management. It all boils down to the top dogs in identifying the type of risk the organisation wants to alleviate, because realistically it is impossible to eliminate all risks. In order to be certain that you are mitigating the high priority risks the business continuity professionals need to have a concrete understanding of the organisation’s strategy, critical products and services and what the long-term goals are. It is from the very top that this information must come in order to be sure of which risks to eliminate with effective approaches and methods. Without this there is a risk that the plan may be focusing on the wrong aspects of the organisation and not the core functions, services and processes.

Executing Methodology Instead of Managing a Program;

Businesses are always continually trying to improve how they create their business continuity programs and practices, and this is achieved through the use of business continuity methodologies and strategies. A strategic goal linking the activities together is crucial when building a program; otherwise the business continuity program will not provide the intended value. The majority of these methodologies recommend performing analysis activities and these types of analysis help aid the management in focusing on planning for the continuity of the organisation’s core functions and activities and identify the most appropriate risk mitigation, response and recovery strategies.

Unnecessarily Using Business Continuity Jargon;

When trying to communicate with business and technology stakeholders or the heads of organisations business continuity jargon can be very confusing to people not in the loop when it comes to the subject. Terms which include acronyms such as EOC, RTO, RPO, BIA etc. only help to cause more confusion to the situation. Using these terms in the end generally causes confusion and a lot of frustration. When using these terms it requires non-business continuity professionals to have to adapt to the terminology and learn it on the go which leads to a substantial amount of extra training in order to enable these employees to be able to participate in the business continuity planning. The vast majority of employees and personnel in an organisation will greatly appreciate when the business continuity professional avoids the jargon and speaks in a language they can understand which will result in less confusion and more productivity.

Unrealistic Recovery Objectives;

A lot of organisations out there, during the process of the analysis phase of business continuity planning, request that every business process and unit be defined by their OWN recovery objectives. The problem with this however, is that managers will often struggle to define the appropriate recovery timeframe.

Failing to Create a Culture of Business Continuity;

If a business continuity program does not have the support of the business and the business fails to think of risk mitigation and recoverability when making day-to-day decisions then it is destined to fail regardless if the organisation has the best systems, employees, analysis, strategies and plans. It is important to drive home the significance of a business continuity program into the culture of the business in order for it to be successful in the event of a disaster occurring. This logic also applies to the managers if they fail to take into consideration business continuity when making a decision as they could well be putting the business in jeopardy and the costs associated to business continuity could escalate.

Sources;

  1. http://www.disaster-resource.com/index.php?option=com_content&view=article&id=820:the-top-five-ways-to-fail-at-business-continuity&catid=3:planning-and-management

What does 2013 mean for Business Continuity?

10 Feb

 

Recently, a survey was published by Continuity Central in which businesses from all around the globe were asked their opinion on how they thought Business Continuity would fare in 2013. A total of 184 responses were received with over 80% of them being from Business Continuity professionals working in large organisations. The survey consisted of various questions relating to the changes, challenges and spending on business continuity measures in 2013, and how these matters would affect roll-out of business continuity packages during the year. (1) Over 85% of respondents feel there will be some level of change in the way organisations manage business in the coming year. (2) While they considered the biggest challenge to business continuity was the availability of funds to spend on Business Continuity measures. In the current financial times, across the board many companies have seen their IT budgets slashed forcing IT managers to decide whether to thinly spread their budget over a lot of resources or invest in only ones they see as most critical to the company. The problem with spreading your budget so thinly is obvious. Trying to force your budget to cover your needs can result in a company opting for providers that do not necessarily match their needs. Conversely, cherry-picking the “most important” resources and ignoring the rest can leave an organisation grossly unprepared in areas.

Another factor which has not been lost on many organisations, particularly those on the East Coast of the United States, is that of what appears to be increased natural disasters. Many are still feeling the effects of super storm Hurricane Sandy last October. The results from Sandy were devastating to businesses with over 8% of the U.S. population suffering power outages. The Government declared a state of emergency and the New York Metropolitan Transit Authority declared it the worst disaster in its 108 year history. (3) Hundreds of businesses from the online newspaper The Huffington Post to the New York Stock Exchange were affected due to inadequate Continuity Plans in place. The arrival of another potentially devastating storm in Nemo in the past few days has only re-iterated the value of having a Business Continuity plan in place for businesses.

Among other areas to look at in 2013, many experts believe the fear of a cyber threat will become much more real over the coming 11 months. In accordance with this IT will still dominate most BC plans but will be refreshed under big data and cloud and mobility services. Social media will continue to present both a challenge and opportunity for business continuity professionals, as it provides opportunities for early visibility of issues and effective crisis communications, while equally being a source of misinformation and a medium to fan the flames of a crisis. (4) Another source of change in the BC world will be the projected introduction of the new International Business Continuity Management standard, ISO 22301, with certificates set to be issued in several countries. These factors would seem to be dominating the expected trends with regards to BCPs in 2013. Hurricane Sandy has given businesses a more telling insight into the value of having a BCP in place than any provider could ever hope to do and it is the loom of potential future disasters that are dominating Business Continuity issues in 2013.

 

 

(1) www.backup-technology.com

(2) www.emergencyplanningsolutions.com

(3) www.thevarguy.com

(4) www.thebceye.blogspot.ie

Business Continuity Framework

10 Feb

Here is a sample framework that I came across and found quite useful:

BC Structure

 

 

[1] http://www.anao.gov.au/betterpracticeguides/workbook/workbook04.html

Why are firms poor at disaster recovery?

10 Feb

If a firm has IT systems inside their business, then Business Continuity is an important part of what they should be thinking about. One of the biggest fears for the IT manager of any company is the catastrophic loss of data – this might be through a server failure, a data loss or a power overload causing a server to go down. Not only will the firm lose the data, issues will arise over compliance, legal implications with regards to loss of data and the exposure and public relations issues, all of which can have a huge impact on the running of a business. It is therefore essential that all businesses have a Business Continuity plan for their IT services.

“Disaster recovery used to be reserved for large enterprises, but in the increasingly 24/7 business world, more and more midmarket firms are finding they can’t afford not to keep things running. And high-availability requirements are growing all the time.” [1]

Some companies are just poor at IT disaster recovery in general and there are a number of reasons for this, such as:

  • Regulatory Compliance: A lot of companies are subject to rules and regulations about how data should be kept and secured and who should and shouldn’t have access to it, and of course there is the often high cost of having a data recovery infrastructure.
  • Processes and Procedures: These have to be constantly updated and tested. In addition there has to be consideration taken for the risk of errors – a lot of these systems will involve human processes and therefore will be prone to human error.
  • Lack of Testing: A lack of test strategies inside the organisation to ensure the disaster recovery processes actually work. “The impacts of failing to test, however, are a significant erosion in the investment made in developing a technology recovery solution. Failure to exercise plans and people, or only ‘testing’ once a year, leaves an organization and its recovery capabilities unprepared for an actual incident.” [2]
  • Time to Restore the Data: This matters once the disaster has struck. If a company is only using one tape to store the data on and this gets lost or is destroyed during the recovery process, the data may be gone forever and be unrecoverable.
  • Logistical Problems: If the data is off-site, it may be both difficult and problematic to get it back. This can be particularly so if the disaster happens outside of office hours or on a bank holiday. Sending CDs and tapes between sites may result in some storage devices being lost.

“More than 60% of U.S. small businesses do not have a formal emergency-response plan and fail to back up their financial data off-site, leaving them vulnerable to catastrophic data loss in the event of a natural disaster.” [3] This is a figure released by the ‘Small Business Disaster Preparedness Study’ (2012) [4]. In essence, these businesses are simply not prepared for any kind of disaster and are leaving themselves vulnerable to what could be catastrophic effects, maybe even the loss of the entire company.

When a disaster strikes, a business needs to be 100% sure that they can recover their systems and servers both quickly and efficiently.

[1] http://searchcio-midmarket.techtarget.com/magazineContent/Roadmap-to-Recovery?pageNo=1

[2] http://www.sungardas.com/Documents/FiveReasonsWhyDisasterRecoveryPlansFail_EBO-008.pdf

[3] http://www.journalofaccountancy.com/News/20126135

[4] http://na.sage.com/sage-na/newsroom/~/media/site/sagena/documents/surveys/sage%20survey%202012%20backup%20report

Disaster Recovery: RTO & RPO

10 Feb

“Disaster recovery is the process by which you resume business after a disruptive event. The event might be something huge - like an earthquake or the terrorist attacks on the World Trade Centre - or something small, like malfunctioning software caused by a computer virus.” [1] Essentially, as already touched on by most of the other bloggers here, disaster recovery is completely focused on the IT systems that help to support a business’ core functions.

Two of the most important aspects of Disaster Recovery are Recovery Time Objective (RTO) and Recovery Point Objective (RPO). Take for example a company that uses only tape as its backup and does a backup every night. If this company were to lose mass amounts of data, it would take a certain amount of time to go and actually get the tape, bring it back, restore its server and subsequently restore the data. The amount of time it takes to complete these tasks is known as the RTO, i.e. the amount of time it takes to bring a server back to where it was before the disaster struck.

For the same company, if they backed up their data religiously at midnight every night and the disaster happened at 4 p.m., then the recovery point would be the previous night. There are, however, other ways of backing up so that firms can have a much shorter recovery point, e.g. every 20 minutes. This is known as the RPO.

It is however worth noting that the shorter both the RTO and the RPO, the more expensive it is to a business to implement that type of solution.

How can a firm know what type of plan is most appropriate for them? Typically, the more transactions a firm carries out, then the shorter the recovery time they will need. Most organisations tend to be willing to spend more on these solutions due to the huge amounts of money they stand to lose should their down-time be long.

What is the difference between the two? Dejan Kosutic [2] says that “The difference is in the purpose – RTO has a broader purpose because it sets the boundaries for your whole business continuity management, while RPO is focused solely on the issue of backup frequency. They are not directly related – you could have RTO of 24 hours and RPO of 1 hour, or RTO of 2 hours and RPO of 12 hours.” But both are absolutely crucial for Business Continuity management – if they are not predetermined, then firms will just be guessing what to do when disaster strikes and “guessing is the best way to ensure you never recover from a disaster.” [2]
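The tape scenario above, worked through as an added example (not part of the original post): the script measures the data-loss window and the recovery time from a backup log and restore-drill timings, then compares them with an RPO and an RTO. All timestamps, step durations and function names are constructed for the illustration.

```python
from datetime import datetime, timedelta

# Constructed sample data: completion times of successful nightly (midnight)
# backups, with the 13 Feb run missing, and the moment the disaster struck.
BACKUPS = [datetime(2013, 2, day) for day in (10, 11, 12, 14)]
DISASTER = datetime(2013, 2, 14, 16, 0)  # 4 p.m.

# Constructed timings from a restore drill for the tape scenario.
RESTORE_STEPS = {
    "fetch tape from off-site storage": timedelta(hours=3),
    "restore the server": timedelta(hours=4),
    "restore the data": timedelta(hours=6),
}


def data_loss_window(backups, disaster):
    """Work lost in this incident: time since the last backup before it."""
    usable = [b for b in backups if b <= disaster]
    if not usable:
        raise ValueError("no backup predates the disaster")
    return disaster - max(usable)


def worst_case_exposure(backups):
    """Largest gap between consecutive backups, i.e. the most data that
    could have been lost had the disaster struck at the worst moment."""
    ordered = sorted(backups)
    if len(ordered) < 2:
        raise ValueError("need at least two backups to measure a gap")
    return max(later - earlier for earlier, later in zip(ordered, ordered[1:]))


def recovery_time(steps):
    """Total time to bring the service back: the sum of the restore steps."""
    return sum(steps.values(), timedelta())


def audit(backups, disaster, steps, rpo, rto):
    """Compare the measured figures with the agreed objectives."""
    loss = data_loss_window(backups, disaster)
    exposure = worst_case_exposure(backups)
    downtime = recovery_time(steps)
    return {
        "data_loss": loss, "worst_case_exposure": exposure, "downtime": downtime,
        "rpo_met_this_incident": loss <= rpo,
        "rpo_met_worst_case": exposure <= rpo,
        "rto_met": downtime <= rto,
    }


if __name__ == "__main__":
    day = timedelta(hours=24)
    for key, value in audit(BACKUPS, DISASTER, RESTORE_STEPS, day, day).items():
        print(f"{key}: {value}")
```

With a 24-hour RPO this incident passes, since 16 hours of data are lost, but the missed 13 Feb backup left a 48-hour gap, so the objective was not being met on every day of the week.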

[1] http://www.csoonline.com/article/204450/business-continuity-and-disaster-recovery-planning-the-basics

[2] http://blog.iso27001standard.com/2012/01/30/what-is-the-difference-between-recovery-time-objective-rto-and-recovery-point-objective-rpo/

What is Business Continuity?

10 Feb

Business Continuity is essential to ensure that businesses will always have the capabilities to supply vital business functions to “customers, suppliers, regulators and other entities” [1] that need to have access to these functions. The term Business Continuity describes a mentality or methodology of conducting day-to-day business [1], as opposed to Business Continuity planning, which is essentially the way by which a firm can conduct and implement such appropriate measures.

Business Continuity is not just an important thing for firms to consider, it is absolutely crucial if a firm wants to survive and indeed thrive in the future. Many businesses suffer severe damage as a result of events that they simply hadn’t planned for. Such events can range from IT virus infections or broken supply chains to accidents, illness and crime, as well as natural disasters. These can result in simple unplanned events occurring, like late deliveries or poor customer service, to name but a few. Or, at the other end of the spectrum, a firm’s service might break down altogether, which, without relevant planning, may lead to the firm struggling to recover, allowing competitors to gain a significant advantage. A tiny hit to a customer’s confidence in a business or service can take huge amounts of time and effort to recover from, and in some cases the effects can be irreversible.

This leads us on to the idea of Business Continuity planning (BCP): in other words, if something were to happen that affects a business’ normal operating procedures, do they have a plan in place? The plan is essentially a group of documents with instructions for employees on what they need to do before, during and after any disaster. Business Continuity planning needs to be in line with a firm’s mission statement. “Creating and maintaining a BCP helps ensure that your business has the resources and information needed to deal with an emergency” [2]. Other benefits include:

  • Enhance your business image with employees, shareholders and customers by demonstrating a proactive attitude.
  • Improve efficiency in the overall organization.
  • Identify the relationship of assets both human and financial resources with respect to critical services and deliverables.

Here are a few points which could be considered as a template when creating such a plan [3]:

  • Cooperation of Organization & a Team
  • Review Business functions
  • Conduct business impact analysis
  • Policies, Procedures & Protocols
  • Create a Written Plan
  • Test & Modify

Here is a link to a sample Business Continuity plan template: http://www.inc.com/tools/business-continuity-plan-template.html

[1] http://en.wikipedia.org/wiki/Business_continuity

[2] http://www.bdc.ca/en/advice_centre/tools/business_continuity/business_continuity/Pages/default.aspx#.URT_gqUvF1Y

[3] http://www.youtube.com/watch?v=v8-bR1DUwII

Business Continuity: Your Reputation Is Everything

10 Feb

What is a business without a good reputation? And for that matter, what does reputation have to do with Business Continuity?

Well the answer to the first is simple; a business is nothing without a good reputation. The second question; while the answer is a little more long winded, it is basically just as simple.

A good reputation is vital for a business and is usually achieved by hard work, diligence, attention to detail and top-of-the-range customer service, amongst other things. So where does Business Continuity come into play? A good Business Continuity Plan (hereafter BCP) can be the difference between two companies with similar reputations maintaining this good reputation. A good reputation is enforced daily in a business. But what if there is a disruption to the daily functioning of a business? The company with the better BCP in place will rise above the other in times of adversity and not only maintain its good reputation but reinforce it, illustrating to customers, stakeholders and prospective customers that disruption to the normal functioning of the business does not have an adverse effect on the service provided.

There have been numerous points made in previous blogs about important points to consider when implementing a BCP. One that I would like to highlight is the absolute need for the threats to a company to be explored at the very outset of developing a BCP. I spoke in my last blog about the need to focus only on what is important; identifying the threats to a company, be they internal or external, should be looked at as just as important a step in increasing the effectiveness of a BCP.

The difference between internal and external threats:

An internal threat is something that can go wrong from within the company. These threats will differ depending on the nature of the business but some examples would include interruption to supply chain, security breaches, and data loss (RIM has been looked at by sully1210 in a previous post).

On the other hand, external threats are those that come from outside of the company, something the company cannot control. For example, natural disaster and terrorism (sully1210 looks at the effect of the latter on Air New Zealand).

By identifying the internal and external threats a company can put an effective BCP in place and it will actually serve to increase the company’s resilience by being prepared for all eventualities. Once again I will use the ‘no one size fits all’ expression to emphasise the flexibility that needs to exist within the BCP. The same action would not be taken for supply chain interruption as would be for the occurrence of an earthquake.

So how can a company ensure this ‘flexible’ BCP will actually work when called upon? Two important points must be remembered:

  1. The BCP should be embedded in the organisation’s culture
  2. All staff must be absolutely certain of their role should the BCP need to be implemented

These two points go hand in hand in that one leads to the other. By the importance of the BCP being recognised from the top down, the plan should become a crucial part of the business that is integrated into the everyday functioning of the company. If this ‘embedding’ of the plan into the company’s culture is successful, then each member of staff will be aware of the importance their role has in its success and pay due diligence to that role.
