Business Continuity Planning


 
– published in the SICASA Newsletter of Mangalore ICAI in the month of August 2013

 

Businesses and enterprises of today depend heavily on information and communication technology (ICT) to conduct business. ICT plays a central role in the operation of business activities. For example, the stock market is virtually paperless. Banks and financial institutions have moved online, and customers rarely need to set foot in the branch premises. This dependence on the systems means that all enterprises should have contingency plans for resuming operations after a disruption.

This disruption of business operations can be due to an unforeseen man-made or natural disaster that may result in revenue loss, productivity loss and loss of market share, among many other impacts. Thus enterprises have to take the necessary steps to ensure continuity of operations in the event of disruptions.

Business continuity is the activity performed by an organization to ensure that critical business functions will be available to customers, suppliers, regulators, and other entities that must have access to those functions. These activities include many daily chores such as project management, system backups, change control, and help desk. Business continuity is not something implemented at the time of a disaster; it refers to those activities performed daily to maintain service, consistency, and recoverability.

The objective of a Business Continuity Plan (BCP) is to enable an organization to continue to operate through an extended loss of any of its business premises or functions. The fundamental aim of BCP is to:

· Manage the risks which could lead to disastrous events.

· Reduce the time taken to recover when an incident occurs, and

· Minimize the risks involved in the recovery process.

The foundation of business continuity is the set of standards, program development, and supporting policies, guidelines, and procedures needed to ensure that a firm continues without stoppage, irrespective of adverse circumstances or events. All system design, implementation, support, and maintenance must be based on this foundation in order to have any hope of achieving business continuity, disaster recovery, or in some cases, system support. Business continuity is sometimes confused with disaster recovery, but they are separate entities. Disaster recovery is a small subset of business continuity. It is also sometimes confused with Work Area Recovery (due to loss of the physical building within which the business is conducted), which is but a part of business continuity.

Steps in constructing an effective BCP:

1. Document internal key personnel and backups. These are people who fill positions without which a business absolutely cannot function – make this list as large as necessary but as small as possible.

· Consider which job functions are critically necessary, every day. Think about who fills those positions when the primary job-holder is on vacation.

· Create a list of all those individuals with all contact information including business phone, home phone, cell phone, business email, personal email, and any other possible way of contacting them in an emergency situation where normal communications might be unavailable.

2. Identify who can telecommute. Some people in an organization might be perfectly capable of conducting business from a home office. Find out who can and who cannot work from home.

3. Document external contacts. If an organization has critical vendors or contractors, then build a special contact list that includes a description of the organization and any other absolutely critical information about them including key personnel contact information.

· Include in the list people like attorneys, bankers, IT consultants, etc.: anyone that you might need to call to assist with various operational issues.

· Don’t forget utility companies, municipal and community offices (police, fire, water, hospitals) and the post office.

4. Document critical equipment. Personal computers often contain critical information.

· Some businesses cannot function even for a few hours without a fax machine. Does the company rely heavily on the copy machine? Does the company have special printers that it absolutely must have?

· Don’t forget software – that would often be considered critical equipment especially if it is specialized software or if it cannot be replaced.

5. Identify critical documents. Articles of incorporation and other legal papers, utility bills, banking information, critical HR documents, building lease papers, tax returns. You need to have everything available that would be necessary to start your business over again. Critical documents would include loan payment schedules, email services bill payments, etc.

6. Identify contingency equipment options. If your company uses trucks, and it is possible the trucks might be damaged in a building fire, where would you rent trucks? Where would you rent computers? Can you use a business service outlet for copies, fax, printing, and other critical functions?

7. Identify your contingency location. This is the place where the company would conduct business while the primary offices are unavailable.

· It could be a hotel – many of them have very well-equipped business facilities you can use. It might be one of the company’s contractors’ offices, or its attorney’s office.

· Telecommuting for everyone is a viable option.

· If you do have an identified temporary location, include a map in your BCP. Wherever it is, make sure you have all the appropriate contact information (including people’s names).

8. Make a “How-to”. It should include step-by-step instructions on what to do, who should do it, and how.

9. List each responsibility and write down the name of the person assigned to it. Also, do the reverse: For each person, list the responsibilities. That way, if you want to know who is supposed to call the insurance company, you can look up “Insurance

10. Put the information together! A BCP is useless if all the information is scattered about in different places. A BCP is a reference document – it should all be kept together in something like a 3-ring binder.

· Make plenty of copies and give one to each of your key personnel.

· Keep several extra copies at an off-site location, at home and/or in a safety-deposit box.

11. Communicate. Make sure everyone in the company knows the BCP. Hold mandatory training classes for each and every employee whether they are on the critical list or not. You do not want your non-critical staff driving through an ice storm to get to a building that has been damaged by fire then wondering what to do next.

12. Test the plan! You’ve put really good ideas down, accumulated all your information, identified contingency locations, listed your personnel, contacts and service companies, but can you pull it off?

· Pick a day and let everyone know what’s going to happen (including your customers, contractors and vendors); then on that morning, act as though your office building has been destroyed. Make the calls – go to the contingency site.

· One thing you will definitely learn in the test is that you haven’t gotten it all just exactly right. Don’t wait until disaster strikes to figure out what you should do differently next time. Run the test.

· If you make any major changes, run it again a few months later. Even after you have a solid plan, you should test it annually.

13. Plan to change the plan. No matter how good your plan is, and no matter how smoothly your test runs, it is likely there will be events outside your plan. The hotel you plan to use for your contingency site is hosting a huge convention. You can’t get into the bank because the disaster happened on a banking holiday. The power is out in your house. The copy machine at the business services company is broken. Your IT consultant is on vacation.

· Every time something changes, update all copies of your BCP.

· Never let it get out of date. An out-of-date plan can be worse than useless: it can make you feel safe when you are definitely not safe.

About bharathraob

Greetings. I am Bharath Rao from Mangaluru. I am a CA Final Student, a Certified Information Systems Auditor, an Ethical Hacker and a Digital Forensic Investigator. I have my interests in IT Security, Business Process, Compliance Management, IT Governance Implementation and Audit, Hacking and Digital Forensics. Besides professional interests, I enjoy being in the outdoors by playing Basketball, Football, Badminton, Trekking, Cycling and Non-DSLR Photography. I am a Chelsea FC fan when it comes to football. My music interests vary from the Indian traditional Classical to the Western Metal genres. In my free time I pursue public speaking and write points of view on various business issues. To know more about me and my interests visit my personal website www.bharathraob.com. Please feel free to mail me at mailme@bharathraob.com

Posted on August 26, 2013.