Infocon Magazine Issue One, October 2003
Business Continuity Planning - A safety net for businesses
Wanja Eric Naef
Every business faces minor downtimes and major unknowns; hence it is important to have plans in place which guarantee business contingency. Before the September 2001 attack on America, quite a few business people said that they saw BCP as an inefficient use of resources, i.e. an expenditure which does not bring any return on investment. But statistics tell a different story, and events like 9-11 serve as drastic reminders that it is vital for every company to have plans in place to ensure business continuity, and the continuity of its suppliers and logistics, especially as globalization and our interdependence continue to grow. Business Continuity Plans cost relatively little in comparison to what the company could potentially lose in a major incident. Therefore it seems highly prudent that organizations of all sizes seriously research and develop a plausible and efficient BCP.
The events of September 11, 2001 were a drastic reminder to all companies that Business Contingency Planning (BCP) should not be disregarded. According to the Info Security News Magazine (2000), an effective BCP and disaster recovery plan can reduce losses by 90% in the event of an incident. According to another study, 81% of CEOs indicated their company plans would not be able to cope with a catastrophic event like the 9-11 attacks.
There are numerous examples of companies suffering due to poor Business Contingency Planning. In the 1993 World Trade Center bombing, 150 companies went out of business (out of 350 affected), scarcely an encouraging statistic. But an incident does not need to be a dramatic terrorist attack to have a massive impact on an organisation. For instance, in the case of fires, 44% of businesses fail to reopen and 33% of these failed to survive beyond 3 years. The examples could be continued endlessly. The bottom line is that businesses need to have plans in place to cope with incidents (whether they be major terrorist attacks or a minor hardware problem) and thereby avoid major business interruptions.
Before even starting to create a Business Continuity Plan, it is of vital importance to get the full support of the management and governance of your organization. Without it, it will be very difficult to push BCP plans through the entire company. Furthermore, directors should be involved in the strategic design of the BCP, as this will help to create a realistic plan which is focused on the business interests of the company.
After that, one should start to staff the team which will be responsible for designing the BCP and to initiate the business continuity management process. This is important as the team will serve as the central focal point during the entire Business Continuity Management Process. It is also important to set a time scale for the BCP delivery and create a budget for the process.
Next, the BCP team has to identify threats and conduct a risk assessment, which will help to define the areas on which the plan should focus, as it is impossible to avoid or mitigate all risk. Hence, the team will have to prioritise depending on the likelihood of the risk and its business impact. It is very important to analyse all risks and threats, whether they be technical, economic, internal, external, human or natural.
Once the risk assessment has been done, one has to manage the risks. Preventive, detective and reactive means have to be put in place in order to protect the company. For example, it might be possible to mitigate risks by using insurance, contracting out some services, implementing safeguards and controls, and so on. High impact, but low probability risks which cannot be mitigated are prime candidates for Business Continuity Planning.
A business impact analysis will help to define critical business processes. This is useful since, once a major incident happens, all efforts must be invested to return the primary business functions to a predetermined level during the critical business resumption phase and to establish the time span to achieve these objectives. Both of these objectives must be determined by management beforehand for the process to proceed as smoothly as possible. One has to collect data in order to decide which are the primary business processes and which are the secondary. As a company has limited resources, it is critical to understand where it needs to focus in order to recover in case of an incident.
Once that has been done, the team can design the Business Continuity Plan(s). It is important to make the plan simple enough that it can be executed without any problems during a crisis, and it needs to be based on the steps previously described. One also has to define the threshold for every incident so that appropriate measures can be taken depending on the incident. Once the BCP has been designed and approved, it needs to be tested under realistic conditions, as untested BCPs historically fail. David Spinks, Director of Information Assurance EDS, stresses that, “we see far too many Business Continuity Plans and/or Disaster Recovery Plans that whilst they have been tested were done so in unrealistic ideal conditions and thus we do not truly recognise what really happens in a crisis.”
It is important to always tie aims during the Business Continuity Management Process to the business needs. For example, it is not the function of Information Security to protect all information. It just needs to protect the information which the business needs to have protected. The same needs to be done with Business Continuity Planning.
Once the plan has been designed and tested, it is important to re-evaluate and retest it periodically, as business processes and the requirements of companies change from time to time. For example, a company buys new equipment on which it is heavily dependent. Thus a BCP should be revised after purchases, upgrades of equipment and so on. It is therefore important to realize that the Business Continuity Plan is a living document, which needs to be changed and adjusted if business requirements change.
Finally, it is equally important to educate everyone in the company about the BCP. Since it will be the employees who are there to react to (or in some cases prevent) an incident, a BCP’s success or failure depends largely on the way it is implemented by the employees. If employees are not properly trained regarding the BCP, its likelihood of success is seriously diminished.
One aspect of BCP which deserves special attention is media management. Business Continuity does not only deal with putting all the company’s effort into recovering the critical business processes. It is just as important to have good media management during this process, whether you do it yourself in a small company or have professional help in a larger company. This is because a company which recovered after an incident, but did not communicate with its customers, suppliers, stakeholders, shareholders, employees, or the affected public will have lost the trust of these groups. This will have an adverse impact on the company’s public perception, lead to a deterioration of faith in the company, and in the end translate into revenue losses. So BCP should also focus on what the military like to call “hearts and minds” operations, where the company tries to maintain its public standing. Businesses should prepare public statements beforehand, as it would be very bad to have no comment during a crisis: this will not prevent journalists from writing about the event and may turn the event into a PR nightmare.
Manufacturers are highly dependent on their suppliers; hence it is important to work together with the important ones (at least the ones that support the primary business functions) and make sure that they have good BCP plans in place as it is of little use to have effective BCP plans in place whilst the main suppliers have none.
In conclusion, businesses should have a BCP in place in order to resume functionality, and procedures in place in case of an incident which affects the company. These will enable them to recover far quicker and with fewer losses than a company that disregards such plans, thinking ‘it would never happen to us.’ Business Continuity needs to be seen as a safety net for businesses. Even though there are costs involved, it is well worth having such plans, as they will save the business during an incident and help it react in an ordered and timely manner. Good BCP plans, which are implemented successfully during a crisis, will give the company a good return on investment, and hence BCP can be seen as a business enabler.
Last modified: 30 December, 2007 by Wanja Eric Naef