Business Continuity Planning - Overview

As businesses become increasingly dependent on IT services, the impact of losing those services has grown many-fold. BCP ensures that the required IT infrastructure and IT services can be restored within specified time limits after a disaster that could not be avoided, thus ensuring continuity of the business's most critical processes.
The need today for business continuity planning is to overcome the loss incurred due to disasters such as fire, lightning, water damage, burglary, vandalism and violence, large-scale power outages, hardware failure, terrorist attacks, Internet DDoS attacks, etc. Once the risk to the business, rather than just the risk to the IT services, has been identified, preventive investments can be made and measures such as recovery plans for dealing with disasters put into place. A few reasons for any company to think about and plan for BCP include (but are not limited to) the following:
- The main business process is impacted
- Rapid service recovery
- Surviving the competition
- Maintaining market share
- Maintaining profitability
- Protecting the reputation perceived by customers
- Statutory/service level requirements
In a nutshell, this process involves:
- identifying and prioritizing business processes and assets based on their importance to the business;
- assessing the impact of the disruption of IT services following a disaster;
- identifying services critical to the business that require additional measures;
- defining the periods within which services have to be restored;
- taking measures to prevent, detect, prepare for and mitigate the effects of disasters, or to reduce their impact;
- defining the approach to be used to restore the services;
- developing, testing and maintaining a recovery plan with sufficient detail to survive a disaster and to restore normal services after a defined period.
Approach

Defining the scope of BCP:
Similar to any project taken up in an organization that is expected to have repercussions at all levels, management intent and direction are very important for the success of BCP. Designing and communicating the Business Continuity Policy provides management intent, and defining a scope provides direction to the project. While defining the scope, the insurance requirements, compliance with security management standards, the methodology to be adopted for risk assessment and business impact analysis, and the management structure and process structure for coping with disasters should be examined in detail. Subsequently, resources for this project should be identified and their roles and responsibilities defined and communicated. This enables the organization to kick-start the BCP project.
Risk Assessment and Business Impact Analysis:
After defining the scope of the project, Risk Assessment is taken up. This involves analysis of historical disaster statistics, selection of the Risk Assessment methodology, Asset Identification and Enumeration, identification of the threats to each identified asset, Likelihood Analysis, identification of the vulnerabilities of the identified assets, and finally Risk Determination. Subsequently, an analysis of the impact on the business of the IT services/processes/assets enumerated in this phase is performed. This results in the identification of the services/processes/assets that are essential and non-essential to the business. The identification of the dependencies between services and IT resources, together with inputs from Capacity Management, Availability Management and Service Level Agreements, is used while performing the Business Impact Analysis.
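The risk determination and dependency-driven impact analysis described above, as an added worked example that is not part of the original article: the services, IT resources, threat likelihoods, impact ratings and the 24-hour "essential" threshold are constructed assumptions, and the likelihood-times-impact scoring is one common convention, not the article's prescribed method.

```python
from math import inf

# Constructed sample data (not from the article): business services, the
# maximum period within which each must be restored (hours), and the IT
# resources each depends on.
SERVICES = {
    "order-processing": {"max_outage_h": 4, "depends_on": ["erp-db", "web-tier"]},
    "payroll": {"max_outage_h": 72, "depends_on": ["erp-db", "file-server"]},
    "intranet-wiki": {"max_outage_h": 168, "depends_on": ["web-tier", "file-server"]},
}

# Constructed sample data: per-asset threats with an assumed annual likelihood
# (0-1) and an impact rating (1-5) from the Likelihood Analysis step.
THREATS = {
    "erp-db": [("hardware failure", 0.30, 5), ("water damage", 0.05, 4)],
    "web-tier": [("DDoS attack", 0.40, 3), ("hardware failure", 0.20, 3)],
    "file-server": [("power outage", 0.50, 2)],
}


def risk_scores(threats=THREATS):
    """Risk Determination: per asset, sum of likelihood * impact over its threats."""
    return {asset: round(sum(p * i for _, p, i in tl), 2) for asset, tl in threats.items()}


def required_restoration(services=SERVICES):
    """Propagate restoration windows down the dependency graph: an IT resource
    must be back within the shortest window of any service that needs it."""
    window = {}
    for svc in services.values():
        for res in svc["depends_on"]:
            window[res] = min(window.get(res, inf), svc["max_outage_h"])
    return window


def classify_services(services=SERVICES, essential_threshold_h=24):
    """Essential vs non-essential: assumed rule that a service which must be
    restored within 24 hours is essential to the business."""
    return {name: "essential" if s["max_outage_h"] <= essential_threshold_h else "non-essential"
            for name, s in services.items()}


def prioritized_assets(services=SERVICES, threats=THREATS):
    """Rank IT resources by tightest restoration window, then by highest risk."""
    window, risk = required_restoration(services), risk_scores(threats)
    return sorted(window, key=lambda a: (window[a], -risk.get(a, 0.0)))
```

Note that the shared file-server inherits payroll's 72-hour window even though the wiki that also uses it could tolerate a week, which is the kind of dependency the text says feeds the impact analysis.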
Continuity Strategy:
Subsequent to the risk assessment and business impact analysis, the primary task in the Continuity Strategy is to prevent as many risks as possible. The Continuity Strategy should be defined with respect to computing, facilities, people, supplies and equipment. Risks that have not been eliminated by preventive measures should be addressed in the Recovery Options, which include: accepting the risk, returning to manual paper-based systems, reciprocal agreements, cold standby, warm standby, hot standby, or a combination of these options.
Organization & Implementation:
Once the Continuity Strategy has been defined and approved by management, the next logical step is to implement it. A very important aspect of the successful implementation of the project is appropriate and ongoing training and awareness of the employees.

To implement the Continuity Strategy, the plans for IT facilities have to be developed in detail. This involves the identification/creation of the Crisis Manager, Salvage Team, Recovery Team, Normal Operations Resume Team and Other Recovery Issues Team. The overall plan should address the following: Emergency Response Plan, Damage Assessment Plan, Recovery Plan, Vital Records Plan (what to do with paper-based documents, data, etc.) and Crisis Management. The next level of detail involves an Accommodation and Service Plan, Computer System and Network Plan, Telecommunications Plan (accessibility and links), Security Plan (integrity of data and networks), Personnel Plan, and Financial and Administrative Plans.
Once management has approved the plans, they should be tested for their viability at periodic intervals through a structured mechanism.

Periodic Review:
To ensure that the plans remain live and continue to address the business requirements, they should be reviewed at periodic intervals.
Advantages:
A few of the advantages of planning and implementing BCP are:
- Helps minimize the interruption of business activities
- Reduced potential exposure to disaster
- Orderly, systematic and timely recovery
- Minimized insurance premiums
- Reduced reliance on key individuals
- Higher asset protection and ensured safety of people
- Compliance with legal, statutory and regulatory requirements (if any)

Author: Ms. Montu C Mantha