Introduction
In recent times, there has been an increased pressure on organizations across all industries to have a well-documented recovery plan in place in the event of a disaster. Although there are many that have taken the necessary steps to ensure Business Continuity, there are several others that have pushed this issue onto the back-burner. Maybe it is time for these organizations to recognize the importance of the issue on hand and take the necessary steps to not only comply with regulations, but also to secure their business over the long run.
Some Interesting Facts…
Here are a few points that highlight the importance of Business Continuity Planning:
• 93% of the companies that suffer significant data loss are out of business within five years (U.S. Bureau of Labor).
• 43% of the companies experiencing disasters never reopen, and 29% close within 2 years (McGladrey and Pullen).
• A company that experiences a computer outage lasting more than 10 days will never fully recover financially; 50% will be out of business within 5 years (Disaster Recovery Planning: Managing Risk and Catastrophe in Information Systems by Jon Toigo).
• The average hourly downtime cost for many businesses is $18,000 (Contingency Planning Research).
What is Business Continuity Planning?
According to the FFIEC, Business Continuity Planning is “the process whereby organizations ensure the maintenance or recovery of operations, including services to customers, when confronted with adverse events such as natural disasters, technological failures, human error, or terrorism.” The FFIEC agencies encourage the following phases to be included in a Business Continuity Planning process:
• Risk Assessment
• Business Impact Analysis
• Risk Management
• Risk Monitoring
The Business Continuity Framework provided by the FFIEC is very robust and can be used across all industries.
Role of Board and Senior Management
Senior Management and the board of directors are “responsible for identifying, assessing, prioritizing, managing and controlling risks.” As a preliminary step in initiating a Business Continuity Plan, it is essential to outline the objectives and scope of the plan. The various departments that need to be addressed as part of the BCP need to be identified along with any necessary assumptions. The core assumption of a BCP is that the IT department is partially or completely destroyed or physical access has been obstructed. It is also assumed that the key personnel necessary for implementing the BCP (or their backups) are available to perform the critical functions identified in the BCP.
It is imperative that Senior Management is committed towards the BCP. This helps ensure that each and every individual within the organization is committed towards the success of the BCP. Senior Management should also receive periodic status updates and address any issues and concerns that might crop up during the course of the project.
Risk Assessment (RA) and Business Impact Analysis (BIA)
Developing a BCP is by no means an easy task and requires the support and co-operation of a number of people from different departments. As part of a BCP initiative, it is important to gather as much relevant information as possible from all concerned departments in order to get a clear understanding of the various functions and activities of each department. The information gathered is crucial for the subsequent Risk Assessment and Business Impact Analysis.
The Risk Assessment involves the identification and documentation of all potential threats, the probability of their occurrence and their impact. It also involves the documentation of all the critical applications and functions of each department and the activities that comprise each of these functions. For each of these activities, a level of criticality is established along with the time period for which the organization can operate without it. Based on this assessment, it is possible to identify the areas in which the entity is most exposed.
The Risk Assessment leads to a Business Impact Analysis. The Business Impact Analysis helps analyze the organization’s critical functions and processes and determine the impact that would be felt if these functions and processes were interrupted. This ensures that appropriate Business Continuity Planning can be performed.
Risk Management
a. Continuity Strategy Selection and Drafting of Emergency Procedures
Upon completion of the Risk Assessment and Business Impact Analysis, the next step is to identify strategies for the recovery of systems and business operations. Selecting the right strategy usually involves a tradeoff between cost and effectiveness: the more effective a strategy is, the more it costs. It is therefore important to select recovery strategies with the size and complexity of the organization in mind. However, cost should not be the only criterion in strategy selection.
One method that could be used for strategy selection is to apply two metrics to each possible strategy: Weight and Satisfaction. For each strategy, a number of criteria are identified, and each criterion is ranked by its importance (Weight) and by how well the strategy is projected to meet it (Satisfaction). A score is arrived at for each possible strategy, and the one with the highest score represents the most effective strategy.
Next, emergency procedures are drafted for all critical functions and applications based on the strategy selected. Keep in mind that, wherever possible, manual procedures need to be incorporated to work around the applications and systems in the event that the systems are not available immediately. Information technology is given the highest priority in planning for Business Continuity; however, it is always wise to have backup procedures that keep operations running in the absence of network and system availability.
b. Formation of BCP Teams
This phase involves the identification of all key personnel who will play a crucial role in the recovery of the different departments. One individual is designated as the Bank-Wide BCP Coordinator, who will coordinate all recovery efforts. Additionally, one person is designated as the BCP Communications Coordinator to handle media and customer enquiries. An individual within each department is assigned to lead a team of recovery members within that department. Thus, the overall hierarchy and chain of command are clearly identified to ensure that the plan can be executed smoothly when activated.
Risk Monitoring
Upon formulation of the BCP, the plan needs to be tested to ensure its effectiveness. It is important to test all manual and automated procedures, calling trees, backup and recovery configurations and contact lists. Testing should be conducted at least annually, and parts of the plan that fail need to be revamped and retested as soon as possible.
It is also important to ensure that all employees are made familiar with the plan. Copies of the plan need to be distributed to all concerned individuals. The BCP Coordinator for each department is responsible for training all the recovery members and making them aware of their roles and responsibilities. Keep in mind that this phase, in all probability, will make the difference between the success and failure of the BCP. It is one thing to have all procedures in place, but it is another to actually test them and provide the awareness and training that validate and support the plan.
Conclusion
As we have seen, Business Continuity Planning is not an easy task; it requires commitment and cooperation amongst a number of people across the organization. However, taking the initiative to create and maintain a well-documented BCP, along with periodic training and testing, could ensure that your organization survives an unforeseen disaster. As the old adage goes, it is better to be safe than sorry!