By Allan Graham (Part 2 in a 5-part series)
In part 1 of this series, we explored the drivers behind business continuity planning (BCP) and the necessity of taking a holistic approach in developing your plan. To be successful, a BCP plan must also be comprehensive and include:
- Risk Assessment: Plan for the Effect, Not the Threat – A key BCP lesson that has emerged after more than a decade of experience is that while it’s very important to understand the potential risks inherent in your location and business, trying to tailor your BC plan to address the specifics of every possible scenario can lead you into a bottomless pit of planning. Yes, you do need to make a risk assessment.
What are the potential threats to your location?
Are you in an area targeted by protestors or terrorists?
Are you in a flood or earthquake zone?
Is your area subject to hurricanes or heavy snow storms?
Is your particular building located near other businesses that could pose a threat, such as hazardous chemicals?
But since you can’t anticipate all threats, your goal is to understand how any of the various scenarios will impact your building and area. That is, you should focus on the effect: How will your organization respond to an unanticipated inability to access your production facility and connectivity services as a result of a local or regional event of a certain expected duration? How will your BCP be triggered and how will the immediate and longer-term impacts be assessed and handled? Staying focused on these questions will simplify your thinking about BC and help you target practical solutions related to your particular operation. The ultimate goal is for you and your entire management team to understand how your plan is triggered — no matter what the crisis may be — and how the immediate and longer-term impacts will be assessed and responded to.
- Business Impact Analysis – It is important to compare the cost to the business of downtime with the cost of implementing the BCP. By doing so, you can demonstrate the need for additional investment or devise a less costly plan. As a part of the BIA, determine which people and organizations are most important to revenue flow and customer satisfaction. Can you continue operations if you have data access but not phones? If some applications work but not others?The recovery time objective (RTO) is the minimum time required for getting the critical production capabilities back online — e.g, 24 hours, 12 hours, or immediate. The recovery point objective (RPO) is the measure of how current the data must be in order to resume business operations. By establishing these metrics, you can measure the potential costs of recovery against the business impacts. You should also consider “tiering” your recovery. By bringing people, infrastructure, and applications back online in stages, you can be assured of bringing the most important business elements back first. For example, consider the 80-20 rule in financial services. If five trading desks out of 20 account for 80 percent of revenue, you can put those five desks into tier 1 and leave the other 15 in a lower tier to be brought back at a later time.
- Business Continuity Plan – In addition to being holistic and comprehensive, the BCP should be clear and auditable by all relevant organizations, including appropriate regulators (very important for financial organizations), IT, human resources, risk management, the executive team, the board of directors, etc. And it must be thoroughly tested using a variety of planned and surprise scenarios, with the results properly recorded and available for review.
- Disaster Recovery Planning – The disaster recovery plan is a critical subset of the BCP. This plan includes the specific procedures and requirements for the recovery of IT systems and bringing an alternate production site online.
- Crisis/Incident Management – This program focuses on people and communication. What are the roles and responsibilities in the event the BCP is set in motion? Who has responsibility for triggering the plan? Who has backup responsibility if any individuals with primary responsibility are unavailable? How will people be informed that the plan has been set in motion? What if various communication platforms are not available?
- Education, Training, Testing, and Reassessment – No BCP can be successful if people don’t know about it, if they aren’t trained to handle both their primary and backup responsibilities, if the plan hasn’t been tested against a variety of scenarios, and if the plan isn’t continually updated to account for changing business conditions and potential threats.
In the next post of this series, we’ll begin exploring work area recovery, examining the challenges and strategies related to creating a backup trading room facility.