
Business Continuity Planning: Are You Prepared?

By Jonathan Nobis & Dennis Bagley

Security Assurance
Universal Advisor, 2004 Issue No. 1 


It’s been an interesting year. 2003 brought an unprecedented number of tornadoes wreaking havoc on businesses throughout the Midwest. July was marked by powerful thunderstorms, which caused many businesses to lose computer network access and power — in some cases, for days. And then there was the blackout that caught many of us in the dark. How did your organization fare during these events? Was it business as usual, or was your organization adversely impacted for minutes, hours, or even days? More importantly, was your organization prepared to deal with the operational changes required in the event critical information systems were not available?


Even if your organization wasn’t directly affected by these recent threats, it could be in the future. This is why it’s so critical to create and maintain a business continuity plan to protect your organization in the event of possible future threats.


Disaster Recovery vs. Business Continuity

Most disaster recovery plans include procedures for recovering data and the computing environment but fail to focus on the needs of the organization. A business continuity plan, which includes the disaster recovery plan, addresses the manual procedures and alternative processing for critical business functions; it keeps key operations operating while systems are recovered.


Today’s organizations are inextricably bound to technology, and that dependence will only continue to increase as organizations continue to invest in, and rely on, information technology (IT). Consequently, if your IT systems go down, the likelihood that day-to-day operations can continue is slim. This not only has an effect on productivity but, more importantly, on customer service, your customers’ perceptions of your organization, and profit opportunities that will affect the bottom line. To avoid these problems, it’s necessary to update and test your business continuity plan at least annually.


Business Continuity Planning

A complete business continuity plan includes a commitment to continued business operations, an assessment of risk and probability, a method for prioritizing systems, determining personnel responsibilities, a list of resource requirements, and an analysis of recovery strategies. The phases of business continuity planning are risk analysis, business impact analysis, recovery resource requirements and strategies, and business continuity plan development.


Risk Analysis

Risk analysis is an evaluation of the exposures present in your organization’s external and internal environment. The first step is to determine the probability that a particular threat will occur. The August 2003 blackout was the first of its kind since 1977, but lightning strikes are much more common — and can cause all kinds of localized power outages. Your systems may also be disabled due to a security incident or a virus. Generally, businesses should consider a one-to-five-year period for threat analysis.


Business Impact Analysis

The second step of business continuity planning is determining impact — the dollar amount of damage an organization will absorb when the threat occurs. Lowest impact events, like losing a workstation, need not be a concern; they’re everyday events, almost business as usual. However, higher impact events, like the loss of a disk drive, total loss of power, or a security incident, must be mitigated, as the financial impact to the business can be much greater. The business impact assessment will assist in justifying the cost of the business continuity program based on potential losses.


Recovery Resource Requirements & Strategies

The next step is to determine the recovery strategy resource requirements that support the organization’s mission and mitigate risks to an acceptable level. As illustrated in the chart below, organizations in the react mode have the lowest investment and the longest recovery time. Organizations in the transform mode rely on business continuity planning to differentiate themselves in the market; their recovery time is usually hours, sometimes minutes. These organizations have invested heavily in dual-processing, high-availability environments. Overall, customer expectations have pushed most organizations from the react mode to the control and availability mode, which, in many cases, provides reasonable recovery times.


A business continuity plan will facilitate the restoration of business operations within a timeframe and level of function acceptable to management. Requirements used to support each business function include people, business records, software applications, work inflows and outflows, computers, communications, and office facilities. Critical recovery resource requirements and recovery time objectives (RTOs) should be set and will serve as a basis for analyzing alternative recovery strategies.


Business Continuity Plan Development

Once the RTOs and recovery resource requirements are determined, consider different strategies that will facilitate recovery, and develop the optimal plan. The business continuity plan should include:

• Core business functions to be recovered.

• Business continuity team members and responsibilities.

• People, equipment, processes, and supplies necessary for recovery of the core business functions.

• A business impact analysis for setting recovery priorities.

• Shared computers and communications required for the recovery.

• Backup listing and restoration procedures.

• Personnel required to respond to the crisis, make the transition to alternate facilities, and perform business functions and support services.

• Checklists of specific steps required to recover business processes in alternate facilities.

• Employee contact information.

• Service provider contact information (including insurance provider).

• A media relations plan.

• A plan for periodically testing and exercising the business continuity plan.


What To Do About Third Parties

Even if a disruption doesn’t affect you directly, it may affect any number of third parties or service providers that you rely on. This creates all kinds of other issues such as: Who owns the data? Are the third parties properly backing the data up? How will loss of their operations impact your business? It’s important to not only have your own business continuity plan but also to be vigilant about ensuring the organizations on which you have a significant reliance also have theirs. Therefore, it’s crucial to identify business functions that rely on third parties and review those providers’ plans to ensure RTOs can be met.
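The risk analysis, business impact analysis, and third-party RTO review described above can be made concrete with a small model. The following is an added example, not code from the article or its authors: it holds constructed threat probabilities, dollar impacts, RTOs and provider RTOs for two hypothetical business functions, drops negligible everyday events, computes expected loss over the one-to-five-year horizon to justify the program cost, and flags providers whose own RTO is longer than ours. All names, figures and the negligibility threshold are invented.

```python
from dataclasses import dataclass, field
from typing import Dict, List

@dataclass
class Threat:
    name: str
    annual_probability: float  # chance it occurs in a given year (risk analysis)
    impact_usd: float          # dollar damage if it occurs (business impact analysis)

@dataclass
class BusinessFunction:
    name: str
    rto_hours: float                                  # recovery time objective
    threats: List[Threat] = field(default_factory=list)
    provider_rtos: Dict[str, float] = field(default_factory=dict)  # third party -> its RTO

NEGLIGIBLE_IMPACT_USD = 2_000.0  # constructed threshold: "everyday" events below this are not planned for

def material_threats(func: BusinessFunction) -> List[Threat]:
    """Drop lowest-impact events (e.g. a lost workstation) that are business as usual."""
    return [t for t in func.threats if t.impact_usd >= NEGLIGIBLE_IMPACT_USD]

def expected_loss(func: BusinessFunction, horizon_years: int = 5) -> float:
    """Expected dollar loss from material threats over the planning horizon (1-5 years)."""
    return sum(t.annual_probability * t.impact_usd * horizon_years for t in material_threats(func))

def program_justified(func: BusinessFunction, program_cost_usd: float, horizon_years: int = 5) -> bool:
    """The BIA justifies the continuity program when expected loss exceeds its cost."""
    return expected_loss(func, horizon_years) > program_cost_usd

def provider_rto_gaps(func: BusinessFunction) -> Dict[str, float]:
    """Third parties whose own RTO is longer than this function's RTO, so ours cannot be met."""
    return {p: rto for p, rto in func.provider_rtos.items() if rto > func.rto_hours}

def recovery_priority(functions: List[BusinessFunction]) -> List[str]:
    """Recover shortest-RTO functions first; break ties by larger expected loss."""
    return [f.name for f in sorted(functions, key=lambda f: (f.rto_hours, -expected_loss(f)))]

# Constructed sample data for a hypothetical order-processing shop
ORDER_ENTRY = BusinessFunction(
    "order entry", rto_hours=4,
    threats=[Threat("workstation loss", 2.0, 800.0),
             Threat("regional power outage", 0.5, 25_000.0),
             Threat("virus outbreak", 0.3, 60_000.0)],
    provider_rtos={"payment gateway": 2.0, "hosted e-mail": 24.0},
)
PAYROLL = BusinessFunction(
    "payroll", rto_hours=48,
    threats=[Threat("disk drive failure", 0.2, 40_000.0)],
    provider_rtos={"payroll bureau": 72.0},
)
```

With these figures, order entry's expected five-year loss comfortably exceeds a $100,000 program cost while payroll's does not, and the hosted e-mail and payroll bureau providers both have RTOs that would prevent ours from being met.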


Protect Your Organization

Given recent events and organizations’ increasing dependence upon technology, it’s important to make business continuity planning a priority and carry it through. Do the analysis, make the logistical arrangements, and continually test and refine the plan — don’t let your organization get caught in the dark.