Every business faces minor downtimes, and major unknowns; hence
it is important to have plans in place which guarantee business
contingency. Before the September 2001 attack on America quite
a few business people said that they saw BCP as an inefficient
use of resources, i.e. an expenditure which does not bring any
return on investments. But statistics tell a different story, and
events like 9-11 serve as drastic reminders that it is vital for
every company to have plans in place to ensure business continuity,
and the continuity of our suppliers and logistics - especially
as globalization and our interdependence continue to grow. Business
Continuity Plans cost relatively little in comparison to what the
company could potentially lose in a major incident. Therefore it
seems highly prudent that organizations of all sizes seriously
research and develop a plausible and efficient BCP.
Planning - A safety net for businesses
by Wanja Eric
The events of September 11, 2001 were a drastic reminder to all
companies that Business Contingency Planning (BCP) should not be
disregarded. According to the Info Security News Magazine (2000),
an effective BCP and disaster recovery plan can reduce losses by
90% in the event of an incident. According to another study 81%
of CEOs indicated their company plans would not be able to cope
with a catastrophic event like the 9-11 attacks.
There are numerous examples of companies suffering
due to poor Business Contingency Planning. In the 1993 World
Trade Center bombing,
150 companies went out of business (out of 350 affected) - scarcely
an encouraging statistic. But an incident does not need to be a
dramatic terrorist attack to have a massive impact on an organisation.
For instance, in the case of fires, 44% of businesses fail to reopen
and 33% of these fail to survive beyond 3 years. The examples
could be continued endlessly. The bottom line is that businesses need
to have plans in place to cope with incidents (whether they be
major terrorist attacks or a minor hardware problem) and thereby
avoid major business interruptions.
The Business Continuity Management Process
Before even starting to create a Business Continuity
Plan it is of vital importance to get the full support of the
governance of your organization. Without it, it will be very difficult
to push BCP plans through the entire company. Furthermore, directors
should be involved in the strategic design of the BCP as it will
help to create a realistic plan which will be focused on the business
interests of the company.
After that one should start to man the team which will be responsible
for designing the BCP and to initiate the business continuity management
process. This is important as the team will serve as the central focal
point during the entire Business Continuity Management Process.
It is also important to set a time scale for the BCP delivery and
create a budget for the process.
Next the BCP team has to identify threats and conduct a risk assessment,
which will help to define the areas on which the plan should focus,
as it is impossible to avoid or mitigate all risk. Hence, the team
will have to prioritise depending on the likelihood of the risk and
its business impact. It is very important to analyse all risks and
threats whether they be technical, economic, internal, external,
human or natural.
Once the risk assessment has been done, one has to manage the
risks. Preventive, detective and reactive means have to be put
in place in order to protect the company. For example, it might
be possible to mitigate risks by using insurance, contracting out
some services, implementing safeguards and controls and so on. High
impact, but low probability risks which cannot be mitigated are
prime candidates for Business Continuity Planning.
Business Impact Analysis
A business impact analysis will help to define critical business
processes. This is useful since once a major incident happens all
efforts must be invested to return the primary business functions
to a predetermined level during the critical business resumption
phase and to establish the time span to achieve these objectives.
Both of these objectives must be determined by management beforehand
for the process to proceed as smoothly as possible. One has to
collect data in order to decide which are the primary business
processes and which are the secondary. As a company has limited
resources it is critical to understand where it needs to focus
on in order to recover in case of an incident.
Once that has been done the team can design the
Business Continuity Plan(s). It is important to make the plan
simple enough so that
it can be executed without any problems during a crisis and it
needs to be based on steps previously described. Also one has to
define the threshold for every incident so that appropriate measures
can be taken depending on the incident. Once the BCP plans have
been designed and approved they need to be tested under realistic
conditions as untested BCPs historically fail. David Spinks, Director
of Information Assurance EDS, stresses that, "we see far too many
Business Continuity Plans and or Disaster Recovery Plans that whilst
they have been tested were done so in unrealistic ideal conditions
and thus we do not truly recognise what really happens in a crisis."
It is important to always tie aims during the Business Continuity
Management Process to the business needs. For example, it is not
the function of an Information Security team to protect all information.
They just need to protect the information which the business needs
to have protected. The same needs to be done with Business Continuity.
Once the plan has been tested and designed, it is important to
re-evaluate the plan and retest it, as business processes change
periodically and the requirements of companies change from time to time.
For example, a company may buy new equipment on which it is heavily
dependent. Thus a BCP should be revised after purchases, upgrades
of equipment and so on. It is therefore important to realize that
the Business Continuity Plan is a living document, which needs
to be changed and adjusted if business requirements change.
Finally, it is equally important to educate everyone
in the company about the BCP. Since it will be the employees who
are there to react
to (or in some cases prevent) an incident, a BCP's success or failure
depends largely on the way it is implemented by the employees.
If they are not properly trained regarding the BCP, its likelihood of
success is seriously diminished.
One aspect of BCP which deserves special attention
is media management. Business Continuity not only deals with
putting all the company's
effort into recovering the critical business processes. It is of
as much importance to have good media management during this process,
whether you do it yourself in a small company, or have professional
help in a larger company. This is because a company which recovered
after an incident, but did not communicate with its customers,
suppliers, stakeholders, shareholders, employees, or affected public
will have lost the trust of these groups. This will have an adverse
impact on the company's public perception, lead to a deterioration
of faith in the company, and in the end it will translate itself
into revenue losses. So BCP should also focus on what the military
like to call "hearts and minds" operations where the company tries
to maintain its public standing. Businesses should prepare public
statements beforehand, as it would be very bad to have no comment
during a crisis: it will not prevent journalists from writing
about the event and will turn the event into a PR nightmare.
Manufacturers are highly dependent on their suppliers; hence it
is important to work together with the important ones (at least
the ones that support the primary business functions) and make
sure that they have good BCP plans in place as it is of little
use to have effective BCP plans in place whilst the main suppliers
In conclusion, businesses should have BCP in place
in order to resume functionality, and procedures in place in
case of an incident
which affects the company and which will enable them to recover
far quicker and with fewer losses than a company which disregards
such plans, thinking 'it would never happen to us.' Business Continuity
needs to be seen as a safety net for businesses. Even though there
are costs involved, it is well worth having such plans as it will
save the business during an incident and help it react in an ordered
and timely manner. Good BCP plans, which are implemented successfully
during a crisis, will give the company a good return on investment
and hence BCP can be seen as a business enabler.
30 December, 2007
by Wanja Eric Naef
IWS Copyright © 2000 - 2008