Since the horrific events of September 11, the federal government has been catalyzed into moving forward expeditiously in formation of business continuity plans (BCP) and associated risk management. What exactly is BCP and its associated risk management and what benefit does it have for the company, business partners, and employees?
All businesses, regardless of the industry they are in, should understand the value and necessity of sustaining the continuity of the business and/or sustaining or recovering functions and processes that provide assured reliability and availability of assets (i.e., asset management).
What Is Business Continuity Planning?
BCP/contingency management is a process that reduces the likelihood of a service interruption and provides documentation for the recovery of services that support critical customer business functions. The primary objective of any business resumption plan is to enable an organization to survive a disaster and to reestablish normal business operations.
Business continuity — emphasis on "continuity" — is the ability of a business to continue operations in the face of a disaster condition. This means a business with a viable business continuity plan will be better able to continue doing what it did before a disaster event while assets damaged by the disaster event are recovered — until "business as usual" is resumed.
- A risk analysis involves identifying the most probable threats to an organization and analyzing the related vulnerabilities of the organization to these threats.
- A risk assessment involves evaluating existing physical and environmental security and controls and assessing their adequacy relative to the potential threats to the organization.
- A business impact analysis involves identifying the critical business functions within the organization and determining the impact of not performing the business function beyond the maximum acceptable outage. Types of criteria that can be used to evaluate the impact include customer service, internal operations, legal/statutory, and financial.
- Business continuity means:
- Identifying critical business functions
- Identifying risks to critical functions
- Identifying ways to avoid or mitigate the risks
- Having a plan to continue business in the event of a disaster condition
- Having a plan to quickly restore operations to "business as usual"
Disaster recovery is an integral part of business continuity. Business continuity does not replace insurance. It is a form of insurance, and should include insurance for life, health, facilities, product, and business interruption.
Normally, personnel are assigned to recovery teams that are responsible for accomplishing defined objectives and actions. While the BCP provides a roadmap for recovery from significant service interruptions, occurrences of a less severe nature are controlled at appropriate management levels as part of normal operating procedures. Regardless of the type of threat, the goals of business continuity planning are to ensure the safety of customers and employees during and following a disaster.
Types of Contingency Plans
Contingency planning represents a broad scope of activities designed to sustain and recover critical business processes following an emergency. IT contingency planning fits into this much broader emergency preparedness environment that includes organizational and business process continuity and recovery planning. Ultimately, an organization would use a suite of plans to properly prepare response, recovery, and continuity activities for disruptions affecting the organization's business processes, systems, and facilities. The BCP serves as the umbrella under which all other contingency plans are couched. Because there is an inherent relationship between a system and the business process it supports, there should be coordination between or among the various plans during development and updates to ensure that recovery strategies and supporting resources neither negate each other nor duplicate efforts.
In general, universally accepted definitions for contingency planning and these related planning areas do not exist. Occasionally, this has led to confusion regarding the actual scope and purpose of various types of plans. To provide a common basis of understanding regarding contingency planning, this section identifies several types of plans and describes their purpose and scope relative to the umbrella BCP. Because of the lack of standard definitions for these types of plans, in some cases, the scope of actual plans developed by organizations may vary from the descriptions below.
Business Continuity Plan (BCP). The BCP serves as the umbrella plan and focuses on sustaining an organization's business functions and business processes during and after a disruption. An example of a business function may be an organization's payroll process or consumer information process. A BCP may be written for a specific business process or may address all essential business processes. The various systems are considered in the BCP only in terms of their support to the larger business processes. In some cases, the BCP may not address long-term recovery of processes and return to normal operations, solely covering interim business continuity requirements.
Business Recovery Plan (BRP — also called Business Resumption Plan). The BRP addresses the restoration of business processes after an emergency. The BRP is couched in the BCP, but unlike that plan, the BRP typically lacks procedures to ensure continuity of critical processes throughout an emergency or disruption.
Continuity of Operations Plan (COOP). The COOP focuses on restoring an organization's (most often a headquarter's element) essential functions at an alternate site and performing those functions for up to 30 days before returning to normal operations. Standard elements of a COOP include delegation of authority statements, orders of succession, and vital records and databases. Because the COOP emphasizes the recovery of an organization's operational capability at an alternate site, the plan does not necessarily include IT operations. In addition, minor disruptions that do not require relocation to an alternate site are typically not addressed. FEMA is the proponent agency governing COOP activities.
Continuity of Support Plan. This requires the development and maintenance of continuity of support plans for major applications or general support systems and contingency plans for major applications.
Disaster Recovery Plan (DRP). As suggested by its name, the DRP applies to major, usually catastrophic, events that deny access to the normal facility for an extended period. Frequently, DRP refers to an IT-focused plan designed to restore operability of the target system, application, or computer facility at an alternate site after an emergency. The DRP scope may overlap that of an IT contingency plan; however, the DRP is narrower in scope and does not address minor disruptions that do not require relocation.
Incident Response Plan (IRP). The IRP establishes procedures to address cyber attacks against an organization's IT system(s). These procedures are designed to enable security personnel to identify, mitigate, and recover from malicious computer incidents, such as unauthorized access to a system or data, denial of service, or unauthorized changes to system hardware or software (e.g., malicious logic such as a virus, worm, or Trojan horse).
Occupant Emergency Plan (OEP). The OEP provides the response procedures for occupants of a facility in the event of a situation posing a potential threat to the health and safety of personnel, the environment, or property. Such events would include a fire, hurricane, criminal attack, or a medical emergency. OEPs are developed at each facility level, specific to the geographic location and structural design of the building. (General Services Administration [GSA] owned facilities maintain plans based on the GSA OEP template.)
Bringing it All Together
The paramount priority for any business is the safety of people first and then the thorough analysis of business functions and the potential and probable threats (or impacts). The organization must develop mitigation strategies to sustain critical business functions and to effectively and efficiently recover impacted "critical" business functions. Organizations, both in the public and private sector, must also recognize business process automation. Information technology enablers have been developed to "automate" previously manual processes.
When looking at company operations, the critical business processes should be the initial focus. After identifying the critical business processes, the next step would be to identify how automation supports those processes. For those functions that have been automated (business process automation), it will be critical to involve the IT department in addition to the functional departments within the company, not only in supporting the identification analysis of risks, threats, and impacts, but also in potential restoration methods and procedures.
The initial step in a risk analysis is conducting a business impact analysis (BIA). The product of a comprehensive BIA will be the identification of critical functions, risks/threats, potential impacts associated with the risk, probability of occurrence, and then mitigation strategies for any residual risk that may exist. The development of any type of continuance or recovery plans takes time, comprehensive involvement, leadership, and motivation. In the end, your company, channel partners/business partners, and company employees will benefit by having developed a comprehensive program.
One last item: organizations must invest in training core personnel who will lead and manage your continuity efforts. These people must be supported by the executives and should be charged with educating your company and business partners.