Tag Archives: Business Continuity

Business Continuity Framework

22 Feb


As per Assignment 2 and as part of our module IS6118, we have developed a Business Continuity framework based on our previous blogs regarding Business Continuity. We have used different components discussed in our blogs regarding the topic to produce a framework for building organizational resilience with the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities [1][3]. We have researched different components of the framework and also background to business continuity to get a better understanding of the topic. We have also looked how technologies can be used to help with business continuity and also how a framework has been used in real life case studies. We have decided on 7 main components of a business continuity framework:

1)      Policy/Planning

2)      Management

3)      Communication

4)      Reporting

5)      Identify Critical Business Functions

6)      Analysis

7)      Implementation

Business Framework

Business Continuity Framework


1) Policy/Planning

Business continuity planning is an essential future plan for a business in order to provide a service without any factors affecting its performance. A business can never foresee future events such as a crime, natural disaster, IT failure, power failure, fire, etc. [1]. When it comes to policy and planning service level agreements are fundamental to achieving business continuity. Downtime whether it is planned or not can be hugely damaging to an organisation and it is for this reason why SLA’s are incorporated. They effectively ensure the minimum levels of availability from suppliers and then lay out a plan to define what actions will take place in the event of disruption. The challenge comes when trying to link business continuity and SLA’s together as there are certain services which most definitely require service-level-agreements to be put in place. There are internal and external services which will require necessary SLA’s and they vary from RTO’s, RPO’s, review of BIA, risk assessment, network recovery, time required to recover and restart from failover etc. Such companies as IBM have developed a solution to organisations which enables them to improve business continuity much more efficiently and effectively to data protection strategy and storage infrastructure by applying service level concepts [2] [3].

Business continuity plan is devised to lessen down the distraction that could be caused by the disaster and keep the business competitive. The Business Continuity plan should include the occurrence of several events including equipment failure; disturbance in power supply or telecommunication; application failure or database corruption; human fault, disruption or strike; malicious Software (i.e. viruses, trojan horses or worms) attack; hacking; other Internet attacks; social disturbances or terrorist attacks, fire, theft and natural disasters like flood, hurricane, earthquake etc. [5].

2) Management

Managing the Business Continuity Policy or plan is essential to its success. Assessing the risk(s) that threaten(s) the company is an essential prerequisite to crafting a BCP. Conducting a risk assessment to develop response strategies is vital to a successful BCP. Another management priority is to frequently Rehearse, Maintain and Review the BCP [4]. Management from the top is crucial to the framework as there will be a clear outline of procedures and processes and the risks which need to be eliminated. The strategy of the organisation needs to be clearly defined in order to ensure the BCP is utilised appropriately and the management should also aim to create a culture of business continuity in the organisation and drive home the significance the BCP and this in turn will contribute to the success of it. If this isn’t driven home by the management then the business could be in jeopardy as the costs associated with business continuity could spiral. The Business Continuity Program should be aligned with the enterprise business objectives and that is the responsibility of the management [2].

3) Communication

Communication involves producing plans for training staff that would be involved in the business continuity process and also plans for testing the systems that are involved in the recovery. Identify key staff and potential backup staff in the event of a disaster. Hold staff meetings. Every employee should be made aware of the BCP and should be reminded of it on a regular basis. Test the BCP and put it into action sop that if the day arrives that it needs to be implemented then at least you have practice runs completed [1][5][3]. The idea of communication as part of the business continuity framework is a hugely important aspect as it allows for the framework to be tested before implementation. There is a huge gap here in the framework to utilise the medium of social networks and it is time that businesses start thinking about incorporating social media into their business continuity. One of the main reasons social media will be used during a business continuity plan is for communication during a crisis, disaster or planned and unplanned downtime. Through analysing the opportunities available to businesses through the use of social media to support the business continuity, tools such as ‘Yammer’ can support the HR team in terms of being able to communicate with employees and provide better care in the midst of an incident of downtime. Social media allows the employees a greater influence over an organisation than ever before whether they like to admit it or not. Other social media outlets include, Facebook, Twitter, LinkedIn, Google+, YouTube etc. By using in-house social media tools will aid in improving business processes and procedures due to feedback generated by employees whether it be good or bad and as a result this will help provide more information on areas for improvement which then in turn leads to better BCM. Also in order for a business continuity plan to work the professionals need to be in direct contact with the powers that be in a company in order to understand the company they are working with to ensure that the right risks are mitigated with effective approaches and methods [2].

4) Reporting

A document should be prepared outlining all the remedies in the event of a BCP been implemented and should be easily accessible in an identified location. Duplicate copies should be distributed to employees and also digitally and in an off-site location [3]. In reference to an off-site location this is where the cloud comes into the equation when an organisation is in partnership with a trusted cloud service. These reports, data and information can be stored in the cloud and that is one of the major advantages of utilising the cloud. In the event of planned or unplanned downtime the organisation can rely on the trusted cloud service to have the data readily available and easily accessible. However there may be certain issues when it comes to storing information depending on the jurisdiction and territory but this only applies to regulated organisations. Data integrity will also need to be addressed for the Business Continuity Plan [2].

5) Identify Critical Business Functions

If a business has a plan in place to deal with such events, then the essential functions of a business are fail safe and a business can provide an uninterrupted service. Identify critical external contacts which includes essential information about the contact and the contact list should also include solicitors, IT consultants, landlord etc. information. Identify essential equipment. Make sure there is a back-up system in place such as RAID in the event of a disaster or emergency. Also back up generators and hardware should be ready to use in the event there is a computer failure or power failure [3]. Identify Essential Documents. Documents regarding employee information, premises lease, tax papers, legal issues etc. should be duplicated and stored off site in the event of a fire or natural disaster. The business should be able to set up again [1]. The cloud can aid with the running of business critical functions in the event of downtime as when organisations are in partnership with a trusted cloud service they will have access to a secure and exclusive network with an extremely high availability and this will allow this critical business functions to operate [2].

6) Analysis

Analyse what roles and responsibilities are given to employees during disaster recovery, along with full contact details and capability profiles. Identify Essential Documents. Documents regarding employee information, premises lease, tax papers, legal issues etc. should be duplicated and stored off site in the event of a fire or natural disaster. The business should be able to set up again [1]. The purpose of the risk analysis is to identify procedures that could possibly prevent or reduce the effect of a disaster. These procedures include educating personnel about issues such as security, Vandalism, workplace violence and so on. Risk Analysis involves the analysis of the organisational environment to identify threats that could lead to a disastrous situation.

Areas to be reviewed for such threats are the actual physical location of the organisation, access security, the organisation’s policies, practices and the construction of any of the organisation’s facilities. The objective of this analysis is to identify the vulnerabilities that could cause the most damage to the organisation and to select the appropriate controls for providing effective protection.

The Business Impact Analysis (BIA) can be divided into 3 steps:

1)      Performing the BIA

2)      Determining the minimum processing requirements

3)      Analysing the risk.

Analysing the risk differ from the traditional risk analysis because it actually refers to the prioritisation of resources as well as the identification of possible loss situations for resources [5].

7) Implementation

Implementation involves providing details of services and equipment available to be utilized during recovery. Also, outlining details of all the steps in the recovery process, both to get an initial basic operation up and running, and for full restoration of business. Create a list of responsibilities for implementation of a BCP. This should identify which employee does what and how. Such as person who should phone the fire brigade, this person could be appointed as the Fire Safety Officer [1]. When the development of the strategies recovery is done or completed, then it is now time to implement these strategies. While waiting to implement or to develop these strategies much preparation is needed. For example set up procedures for backup, contracts and agreements. This would also involve assigning personnel to various tasks in case disaster strikes. These tasks are called emergency response practice and should be performed by a team [5].


Based on our above framework and from our previous blogs we feel that for business to continue during a disaster the organisation should follow the guidelines mapped out in our framework. By using the components discussed we feel that a business will be fully prepared in the event of planned or unplanned downtime which affects the performance of the business and thus in turn will lead to loss in revenue. Management needs to be involved from the outset in order to clarify the needs of the organisation and insure that critical business functions will be made a priority and aligned with the enterprise business objectives.


Source [1] https://sopinion8ed.wordpress.com/author/billynomates2012/

Source [2] https://sopinion8ed.wordpress.com/author/ericlynch1/

Source [3] https://sopinion8ed.wordpress.com/author/gashe2k12/

Source [4] https://sopinion8ed.wordpress.com/author/jamesdaly1990/

Source [5] https://sopinion8ed.wordpress.com/author/mirra2/


Group 5
Greg Ashe
Shane Counihan
James Stephen Daly
Ruth Kapinga
Eric Edward Lynch


How to Fail at Business Continuity

10 Feb

There are many factors that can contribute to a “less-than-perfect” business continuity program – or a program that truly fails to meet management expectations. What are those fatal mistakes that should be avoided and how can an organization prevent them from occurring? [1]

Not Understanding the Organisation;

One of the main jobs of business continuity professionals is to understand the organisation he or she is working with and that means being aware of how they work, their processes and key products. But here is where the problem lies as they often tend to enhance their program by overloading it in layers and software applications. And this in turn is a huge waste in resources and capital.

When talking about business continuity you are referring to a process which is put in place to alleviate risk within core areas of an organisation. And these risks have to predetermined and decided upon by the powers that be, the management. It all boils down to the top dogs in identifying the type of risk the organisation wants to alleviate, because realistically it is impossible to eliminate all risks. In order to be certain that you are mitigating the high priority risks the business continuity professionals need to have a concrete understanding of the organisation’s strategy, critical products and services and what the long-term goals are. It is from the very top that this information must come from in order to be sure of which risks to eliminate with effective approaches and methods. Without this there is a risk that the plan may be focusing on the wrong aspects of the organisation and not the core functions, services and processes.

Executing Methodology Instead of Managing a Program;

Businesses are always continually trying to improve how they create their business continuity programs and practices, and this is achieved through the use of business continuity methodologies and strategies. A strategic goal linking the activities together is crucial when building a program; otherwise the business continuity program will not provide the intended value. The majority of these methodologies recommend performing analysis activities and these types of analysis help aid the management in focusing on planning for the continuity of the organisations core functions and activities and identify the most appropriate risk mitigation, response and recovery strategies.

Unnecessarily Using Business Continuity Jargon;

When trying to communicate with business and technology stakeholders or the heads of organisations business continuity jargon can be very confusing to people not in the loop when it comes to the subject. Terms which include acronyms such as EOC, RTO, RPO, BIA etc. only help to cause more confusion to the situation. Using these terms in the end generally causes confusion and a lot of frustration. When using these terms it requires non-business continuity professionals to have to adapt to the terminology and learn it on the go which leads to a substantial amount of extra training in order to enable these employees to be able to participate in the business continuity planning. The vast majority of employees and personnel in an organisation will greatly appreciate when the business continuity professional avoids the jargon and speaks in a language they can understand which will result in less confusion and more productivity.

Unrealistic Recovery Objectives;

A lot of organisations out there, during the process of the analysis phase of business continuity planning, request that every business process and unit be defined by their OWN recovery objectives. The problem with this however, is that managers will often struggle to define the appropriate recovery timeframe.

Failing to Create a Culture of Business Continuity;

If a business continuity program does not have the support of the business and the business fails to think of risk mitigation and recoverability when making day-to-day decisions then it is destined to fail regardless if the organisation has the best systems, employees, analysis, strategies and plans. It is important to drive home the significance of a business continuity program into the culture of the business in order for it to be successful in the event of a disaster occurring. This logic also applies to the managers if they fail to take into consideration business continuity when making a decision as they could well be putting the business in jeopardy and the costs associated to business continuity could escalate.


  1. http://www.disaster-resource.com/index.php?option=com_content&view=article&id=820:the-top-five-ways-to-fail-at-business-continuity&catid=3:planning-and-management

Without a BCP Your DRP = NOTHING!!!

8 Feb

Throughout the last number of weeks as the topic of business continuity management, disaster recovery, the stages through which the continuity and recovery plans are made, the business continuity’s connection to risk management and even lessons learned from real life natural disasters such as Hurricane Katrina. Why they all have valid points and interesting ideas the purpose for this entry is to establish that without a BCP, (business continuity plan) then an organisations’ DRP (disaster recovery plan) will be useless and not worthwhile.

The issue here is that a lot of companies and IT organisations are under the illusion that once a DRP is in place then everything is covered and they assume that it is the same as the BCP. But this is where the huge error occurs because the BCP is a lot more fundamental than they believe. A business needs to plan and make changes for such an event. A DRP will only cover the processes in bringing up the system but what it fails to cover is a vital cog, and that is the human element in the equation. This is where the crucial BCP will come into play but it is often ignored.

Take for example a company’s system which is totally redundant and automated and is fully prepared in the event of failover where to occur. And then when it does, whether it be an earthquake, hurricane, a storm, massive blackouts etc. and the business system is up and running on some cloud based service due to the DR product that was chosen and the company’s DRP worked perfectly. Or so you thought?

But there’s one big problem and that is that there is no staff there to work on the system due to the disaster that is after occurring and with access to the office restricted, no electricity or internet connection and the phone networks are down. The business is up and running but essentially with nobody to run it. This is where the BCP will come into play as part of the DRP.

In reality a lot of enterprises out there when designing a DRP use tools advertised, and they do exactly what they say on the tin. From the IT side of the DRP, the cloud has made it significantly easier with services such as EC2 and Azure but by making the IT side easier to manage doesn’t address the entire issue. It is highly likely that the management of an organisation has not realistically thought of an event extreme enough where all staff are going to be unavailable due to a disaster as there are more important issues to deal in the wake of such an event. In other words business continuity is a company-wide problem and management needs to be made aware of such issues or else when the system ‘fails’ because no staff was available to work it the system will be to blame.

There are several questions which need to be addressed in case of such an event occurring and this is where the BCP will come into play in the overall DRP. Questions such as;

  • Who will run the system if the building or even worse the city is off limits?
  • Who will respond to queries on the website and run payroll?
  • Do the employees have somewhere to work?
  • Where can the PC’s go to keep up and running?

Some solutions to these problems can be to consider having an office at a separate location maybe with a mirrored data-centre and when the primary staff are unable to work then additional staff can continue the work from the separate location so business is not a standstill due to the disaster. Although the costs may be initially high, if an organisation needs to keep running and generating revenue, like most businesses, this should not be a big issue. A lot of organisations are ignorant to the business continuity as they believe that the ‘disaster’ or ‘major event’ will never affect their company or organisation, and as a result they fail to plan for it, or may only plan to the bare minimum while also ignoring the human factor.

IT is now a critical business function in nearly all businesses now and it would be extremely foolish to even consider recovery without thorough planning.

As the saying goes “Fail to prepare, prepare to FAIL”.


  1. http://www.ibmbusinesscontinuityindex.com/
  2. http://thenextweb.com/insider/2012/10/25/dr-needs-bc/
  3. http://en.wikipedia.org/wiki/Business_continuity_planning

Business Continuity and SLA’s

8 Feb

In today’s demanding business world, organisations have to be able to support global operations, meet demanding compliance requirements and manage the ever-growing data volumes. This means that companies of all sizes in order to remain competitive now have to be capable of ensuring rapid recovery from downtime and while also providing high data availability. Unforeseen downtime or disruptions to an organisation can be disastrous and lead to severe consequences, such as:

  • Damage to brand and reputation.
  • Loss of revenue due to interruption of business processes.
  • Loss of critical data and customer loyalty.
  • Reduced productivity of employees and critical resources.
  • Compliance failures and other legal consequences. [1]

In order to provide business continuity, then service level agreements (SLAs) are fundamental to achieving this. To simplify it SLAs help define your minimum levels of availability from key suppliers, and often determine what actions will be taken in the event of a serious disruption. [2]

SLAs are essential tools to ensure that the services the organisation obtains are acceptable. They apply to both the vendors and the internal departments. For those of you unaware of what SLAs are, then they specify that 1) a service to be provided; 2) expected performance with regard to what’s being delivered; 3) metrics against which performance will be judged; and 4) and remedies in case the agreed-upon deliverables aren’t satisfactorily provided.[3]

When linking the area of business continuity and SLAs together, there are certain services which should definitely have service-level-agreements in place. From an internal point of view a business continuity plan might require the following:

  • Satisfaction of agreed-upon recovery time objectives (rtos) in the event of a disruption, e.g., certain systems are restored within eight hours of the disruption
  • Satisfaction of agreed-upon recovery point objectives (rpos) in the event of a disruption, e.g., data being used can be recovered to within 0.25 hours of the disruption
  • Completion of one risk assessment for each business unit per year
  • Completion of one tabletop exercise for each bc/dr plan annually
  • Review and updating of business impact analysis (bia) data annually[3]

Furthermore, for services which are provided externally there are SLAs which are particularly necessary;

  • Recovery of network connectivity to the Internet following disruption of local access facilities
  • Time required to fail over from primary to backup servers, such as one hour
  • Time required to recover and restart downed systems via a cloud-based recovery service, such as one hour[3]

In addition to this IBM has developed a solution that addresses the needs for data and storage protection. This solution enables organisations to achieve a much higher rate of data and storage availability whilst also providing rapid recovery after an unplanned event or disruption. Simply called, “IBM’s business continuity service level protection solution” offers companies and global organisations the chance to help align storage management technologies and processes to business requirements.

IBM’s Business Continuity Service Level Protection solution can help you:

  • Improve your business continuity posture by applying service level management concepts to your data protection needs.
  • Align storage management technologies and processes more closely to business requirements, enabling prioritized recovery responses and better use of resources.
  • Enable your company to achieve higher levels of data and storage availability, and to recover more quickly after a disruptive event.
  • Combine industry-leading business continuity technologies and implementation services to provide a solution that meets your organization’s business needs.
  • Build a foundation for continuous improvement, where performance can be accurately measured against established recovery objectives.[4]

By using ‘IBM’s business continuity service level protection solution an organisation has the ability to improve their business continuity posture by being able to apply service level concepts much more effectively and efficiently to their data protection strategy and storage infrastructure by analysing significant concerns during the course of the process.





1)      http://www-01.ibm.com/software/tivoli/solutions/business-continuity/index.html

2)      http://www.disasterrecoveryworld.com/

3)      http://searchdisasterrecovery.techtarget.com/Free-service-level-agreement-template-for-disaster-recovery-programs

4)      http://www-01.ibm.com/software/tivoli/solutions/business-continuity/index.html

Business Continuity and Social Media

8 Feb

Ever since the introduction of the internet, web 2.0 and social media technology has been evolving and year on year. With this in mind and with the mass number of the global population out there now using social media is it time to start thinking about business continuity and the role that social media can play. This is the area I am going to cover in next entry and again it is a topic that has yet to be covered. Social media can have a dual effect on business continuity management as it is an important issue and an enabler.

By the year 2015 around three-quarters of organisations in order to aid their business continuity management strategy will use the medium of social media. One of the main reasons for this will be communication during a crisis or disaster.

Business continuity management (BCM) teams are already being given the task of analysing the opportunities available to businesses through the use of social media to support business continuity, according to Gartner.

With the advances in technology this has helped create new challenges for business continuity and social media is one the main contributing factors to these new challenges. They provide individuals and groups to exercise a far greater influence over an organisation and its employees than ever before. Some of the media being used are facebook, twitter, linkedin, google+, youtube etc.

Social Media

The main social media channels used within business continuity management systems


Social media can help support activities across multiple business functions and this could mean using social media monitoring tools, tools such as ‘Yammer’ and it could also support the HR team.  The monitoring tool could be used within the PR team for scanning activity and if required flagging issues which would be relevant to a certain department. To create clarity in terms of process, responsibilities and roles of teams and individuals, a tailored workflow can be created through the use of the social media monitoring tool and the tool would also lead to more informed decisions being made by an organisation by being able to identify problems being discussed and which are the biggest issues, through the empowerment gained by nature of social media.

The use of social media could also aid the HR team in terms of being able to communicate with employees and provide better care in the midst of an incident or a disaster by allowing them to be able to contact the employee from a remote location if a face-to-face meeting is not possible to discuss the issue at hand.

The use of a tool such as ‘Yammer’ is totally revolutionising the way organisations communicate and share experiences on a global scale. This in house social media tool helps improve business processes and procedures due to the in-depth feedback and insight generated from the employees whether it is good or bad. This allows an organisation to pinpoint the areas which need to be improved which in turn will affect the BCM.

One of the primary role of an organisations BCM nowadays is to create awareness to the importance of social media across the organisation and more importantly that this is recognised and addressed in their business continuity strategies and plans.

Enterprises simply cannot afford to ignore social media as a crisis communications tool,”  “In many cases, social media may represent the only available means of locating and contacting personnel; providing stakeholders with the information and assistance they need; informing citizens, customers and partners of product/service availability; and taking other business-critical actions following a disruptive event.” – Andrew Walls, research vice president at Gartner.



  1. http://www.dir.texas.gov
  2. http://www.sungard.co.uk
  3. http://www.computerweekly.com/news/2240118591/Social-media-to-support-business-continuity
  4. http://www.businesscontinuityblog.com
  5. http://www.continuitycentral.com
  6. http://www.computerweekly.com
  7. http://safeharborconsulting.biz


Surviving Disaster

7 Feb

Management may wonder what are the essential resources that the business needs to continue operations?

Five main types of resources necessary for the continuity of operations are identified by Duncan, Yeager, Rucks & Ginter 2011: facilities, communication, records and databases, supplies, and human resources.

Continuity of facilities:

As discussed in my second blog a second location for the conducting of business should be identified or else firms will feel the consequences of not being prepared as was the case with Caterpillar. When a tornado struck Oxford, Mississippi in 2008 and destroyed much of the Caterpillar operations there, it placed major hardships on the company and its employees. Caterpillar essentially put all its ‘eggs in one basket’ by locating the manufacturing facilities for all its high-pressure couplings–—used in bulldozers, dump trucks, and excavators–—in a single facility, which was rendered inoperable by the storm (‘‘Caterpillar and Disaster Preparedness,’’ 2008).

Continuity of Communication:

Communication is vital for a business to enable it to respond to, and recover from a crisis. Electronic, verbal, and written/paper are three components of essential communication. Electronic communication is likely to be the first to go with verbal communication also can decline in a crisis and so it is the written/paper communication channel that is the most reliable. Experts suggest experts suggest that all employees have a personal copy of the continuity of operations plan and the specific standard operating procedures for the positions they back up (Duncan, Yeager, Rucks & Ginter 2011).


Continuity of records and databases or (RIM):

“All records, information systems, and data management software required to support individuals accountable for accomplishing mission-critical functions must be identified, backed up, and safeguarded.” An example of safeguarding data is the First National Bank of Omaha when they decided to build its new operations facility partly below ground with reinforced walls designed to withstand winds of 260 miles per hour. In addition, the bank’s back office operations were powered completely by in-house, hydrogen-based fuel cell technology. As one bank spokesperson noted, ‘‘[even] if the whole city of Omaha loses power, [First National] won’t lose it’’ (Fest, 2009, p. 16).

Continuity of Suppliers:

Again a big issue as discussed in my third blog, when external services are required and materials are purchased, it is important to regularly review vendor and contractor agreements to ensure these firms also have continuity of operations plans in case of a disaster (Altman, 2006).

Continuity of Human Resources:

People have to be accounted for, and someone must be responsible for counting and reporting. Rally points need to be established, in the event that employees are separated or work at satellite locations. (Duncan, Yeager, Rucks & Ginter 2011)

These 5 resources would be identified in step 3 in my first blog in a business impact analysis.

Big Risks in 2013

6 Feb

Business interruption, natural catastrophes and fire represent the top three risks for companies in 2013, says a new global survey by Allianz.

Top 10 business risks for 2013

Business interruption and supply chain risk ranked as the top risk, with almost half (46%) of the responses ranking it as one of the three most important risks for their clients. With many businesses choosing to run lean supply chains to reduce costs, business interruption at a key supplier can cause a ripple effect felt across an entire industry. For example the flooding in Thailand in late 2011, caused a shortage of hard-drives impacting PC manufacturers globally, triggering contingent business interruption claims far outside the flood zone itself. “The flexibility that provides a modern supply chain with its cost advantages has also created its inherent vulnerability,” says Paul Carter, Global Head of Risk Consulting at AGCS. Today, companies are increasingly re-examining the trade-off between efficiency and operational redundancy (Allianz Risk Pulse 2013).

“To improve supply chain resilience many companies consider adding back some redundancy into lean supply chains, even if this reversal of widely used single-supplier sourcing incurs additional costs” (Paul Carter).

Checking a supplier’s own business continuity planning should also be embedded in the supplier selection process and ideally include even the suppliers of the primary suppliers. This would be good practice for business to incorporate this into their Business Continuity Management programmes. Not only should firms have a business continuity plan in place they should check the business continuity plans of those who they do essential business with.

The Article also revealed the breakdown of risks by large and small enterprises, by regions and by industry.

ICT risk

Another revealing issue of the survey was the underestimated business risks for 2013. One of which was Cyber Crime an area where the ICT industry does not underestimate as seen above. Another area of underestimated risk is power blackouts “Reliability of power supply will decrease in the future due to aging infrastructure and the lack of substantial investments,” (Michael Bruch, Head of R&D Risk at AGCS). A solution to this states Michael is to expand and to link decentralized sources of power generation, especially renewable energies, and to enable cross-border trading of power and grid services.

The BCM of a firm is now changing from merely planning a continuity plan for emergencies but it also has to be adaptable during a crisis if things don’t go to plan as discussed in my second blog and now to totally protect against disaster firms need to also check out the BCP’s of their suppliers.

Business Continuity in Action

5 Feb

Essential to the success of BCM is a thorough understanding of the wide range of threats (external and internal) and recognition that an effective response will be determined by employees’ behaviour during the business recovery process.

Morgan Stanley’s response to the September 11th attacks is an example of the benefits and limitations of business continuity planning.

Continuous training following the 1993 world trade centre bombing meant that most the company’s 3,700 employees survived the evacuation in 2001. The company then proceeded to re-establish contact with its dispersed employees using house calls, public broadcasts and one of its own call centres in Arizona. Simultaneously Morgan and Stanley set out to recover its operations at alternative facilities (but not those that were originally designated as they were in the inaccessible lower Manhattan area). A temporary recovery site was established in Brooklyn until the first recovery centre could be accessed.

Other firms such as Lehman Brothers, who also were affected by the denial of access to their recovery centre, drew on emerging processes in creative ways. Over half of Lehman Brothers staff worked from home in the immediate aftermath as a result of an extensive remote access programme. This shows that “crisis adaptability is the key to continuity” (Herbane, Elliot and Swartz (2004)). The actions that Morgan and Stanley had taken demonstrated both on-going organisational learning and adaptation before and during the crisis.

The Senior Vice president of the Federal Reserve Bank of New York commented that existing models of contingency planning in which single-site technical crises are considered should no longer exist. Instead priority should be the loss or lack of access to staff because without them nothing can be recovered, restored or retrieved. Business Continuity processes are more vital now than ever , the above organisations have showed that creative and flexible use of resources are required during a crisis and that can supersede the value gained from mimicking emergency plans. Such an approach requires on-going commitment and leadership, the foundations of which are provided by adopting a business continuity management approach as discussed in my last blog here.

Firms that recover quickly and thoroughly from crises will sustain little damage to their competitive position. However if a firm is unable to recover quickly, the effects on its reputation may outlast direct effects of the crisis.

The above blog and examples is based the paper: Herbane, Elliot and Swartz (2004) Business Continuity Management: time for a strategic role?

Business Continuity and the Cloud

4 Feb

For the last number of weeks there have been many blogs posted about what Business Continuity is, how it is defined and so on from members of my team.  In previous blogs from ‘billynomates2012 and ‘mirra2 they have given in introduction to the topic while progressing onto the planning behind business continuity, the creation of a plan for a SME, also touching on the topic of putting the plan into action after a disaster such as Hurricane Katrina and a then giving details on a disaster recovery plan (DRP). For this blog I will look to discuss something different from a business continuity side and also this area has not been looked upon yet. And that is business continuity and the cloud.

From the previous blogs that have been posted my understanding of business continuity is that in the event that a disaster occurs how can an organisation stay in business? The disaster can range from a localised incident to loss of power or an incident on a much bigger scale such as natural disaster like hurricane Katrina which billynomates2012 covered already. In having a business continuity plan in place in the wake of a disaster the organisation will be covered for the core functions, the data and the system.

With more and more organisations now outsourcing some of their key business elements to the cloud the executive needs to be a lot more involved with the Business Continuity Professional in identifying some of the crucial areas that need to be addressed when choosing the correct Cloud Service Provider.

When people talk about the cloud they mention high availability, scalability, on demand services (PaaS, IaaS, SaaS), redundancy and diversity. But the purpose of this blog is to determine how the cloud can help aid in the BCP. There are three areas which I am going to look at and they are information, technology and people and location.


The cloud has many benefits when it comes to storing information and data and this is one advantage for a business. In the event of a disaster having your data stored confidentially with a trusted Cloud based service can allow your data to be readily available and easily accessed. There are some issues though when it comes to storing an organisations data in certain jurisdictions and territory. This will only apply to regulated organisations and this will help determine their service provider. Also the matter of data integrity needs to be addressed for the BCP and DRP.


“Infrastructure as a Service (IaaS) is a provision model in which an organization outsources the equipment used to support operations, including storage, hardware, servers and networking components. The service provider owns the equipment and is responsible for housing, running and maintaining it. The client typically pays on a per-use basis.” [1]

When a BCP has to be provided for data centre(s) IaaS (definition above) provides a very strong case for being implemented. VoIP services could be used as a business continuity planning measure to provide adequate telephony cover,

People & Location

For many business and organisations the internet and broadband has changed the way in which business is conducted. Staff are located all over the world and communicate with each other instantly. When companies utilise the cloud based services and have a distributed workforce the issue of people and location are less of a concern. With regards to a business continuity scenario, in the wake of a disaster, the tangible option would be to inform to staff to work from home as they would be able to access the systems which are running in the cloud. For example, when organisations are in partnership with trusted cloud services they have access to a high availability network and exclusive connection to the network and it is because of this that critical business functions may still be performed in the event that internet is not available due to the trusted network connection.


  1. http://searchcloudcomputing.techtarget.com
  2. http://wordpress.com
  3. http://www.eweek.com/c/a/Cloud-Computing/How-to-Ensure-Business-Continuity-with-Cloud-Computing/
  4. http://www.businesscontinuityblog.com/

Recovering IT in a Disaster: Lessons from Hurricane Katrina

2 Feb

Key points in the article

  • Hurricane Katrina destroyed a datacentre and much of the communications infrastructure as well as a second datacentre of Northrop Grumman Corporation.
  • The scale of the disaster far exceeded the assumptions of most firms’ business continuity plans.
  • They did a fly over and took photographs to assess the damage – know scale of disaster so you can adapt recovery plan accordingly.
  • They provided good support to their employees after the disaster which was repaid in increased loyalty and performance.
  • In the days following the disaster rapid decision making became essential and managers were given license to make decisions with far less analysis and oversight than was customary.
  • In uncertain times good information is more important than management position in shaping direction.
  • The best form of crisis management is preparation , but a question that companies need to ask themselves is  – can you plan for a disaster of the magnitude of Katrina?
  • An alternative approach to disaster recovery planning is to consider a broader spectrum of disaster types such as the generic disaster categories of economic, information, physical, human resource, reputation, and natural disasters. While it’s impossible to prepare for every conceivable disaster in each category, it is possible to prepare for one in each, thus establishing a “disaster preparedness portfolio”. Disasters in the same category share common characteristics. Preparing for at least one in each category decreases an organisations overall vulnerability on an infinite disaster spectrum. Plan for generic disaster types e.g. modular plan and adjust usage based on the type of disaster that occurs.

Northrop Grumman had 2 sites 100 miles apart and both were hit. In the end they only lost a few hours of data and were back working within two weeks.

They had a plan and implemented it straight away.

10 lessons to be learned:

  • Keep data and data centres out of harm’s way
  • Don’t assume public infrastructure will be available (They used walkie- talkies)
  • Communication will be essential
  • Plan for civil unrest
  • Assume some people will not be available
  • Leverage your suppliers as critical team members e.g. secondment of staff
  • Expect the unexpected
  • Be prepared
  • Establish a strong leadership position
  • Empower decision makers
  • Exploit fresh start opportunities



The elements of survival guide:

  • Gives scope & capability
  • Outlines key roles and responsibilities
  • Summarises critical services required

But “the best laid plan lasts only until the first arrow leaves the bow”. If an element of a business continuity plan (BCP) is unavailable the plan can be undermined and collapse. To avoid this, organisations should use a modular approach to recovery planning which depends on the type of disaster that occurs and what areas are affected.

Organisations are now looking at loosely coupled modules that make up a plan and depending on the type of disaster they’ll use the required modules they need of the plan.

A company of the size of Northrop should be planning for a wipe-out not only on a regional basis (from a data perspective). Paidi said their plan should have different levels e.g. local, regional & national etc. and the appropriate responses required. They should also plan for the human element of a disaster (their staff).

The transport of data now is cheap and instantaneous so it’s as cheap to have a datacentre a thousand miles away as 100 miles away (could refer to virtualisation and cloud computing here).


Source 1: http://www.cio.com/article/11931/Lessons_from_Hurricane_Katrina_It_Pays_to_Have_a_Disaster_Recovery_Plan_in_Place

Source 2: http://www.ffiec.gov/katrina_lessons.htm

%d bloggers like this: