Business continuity planning: Are you prepared?
Even if your organization hasn’t yet been directly affected by a disruption such as a regional blackout, a localized power outage, a security incident or a virus, it could be in the future. This is why it’s so critical to create and maintain a business continuity plan that protects your organization when such threats materialize.
Disaster recovery versus business continuity
Most disaster recovery plans include procedures for recovering data and systems, but fail to address what the business needs while that recovery is under way. A business continuity plan, which includes a disaster recovery plan and also covers the manual procedures and alternative processing for critical business functions, keeps key operations running while systems are recovered.
Today’s organizations are inextricably linked to technology, and that dependence will continue to increase as organizations rely more on information technology (IT) and raise their yearly IT expenditures. Consequently, if an enterprise’s IT systems shut down, day-to-day operations are unlikely to continue. This affects not only productivity but, more importantly, customer service, your customers’ perceptions of your organization, and the profit opportunities those customers represent. To avoid these problems, update and test your business continuity plan at least annually.
Business continuity planning
A complete business continuity plan includes:
- Commitment to continued business operations
- Risk and probability assessment
- Method for prioritizing systems
- Determination of personnel responsibilities
- List of resource requirements
- Recovery strategy analyses
Business continuity planning is broken down into identifiable phases:
- Risk analysis
- Business impact analysis
- Resource recovery requirements and strategies
- Business continuity plan development
Risk analysis
The first phase evaluates the exposures present in your organization’s external and internal environment, beginning with an estimate of the probability that each threat will occur. The August 2003 blackout was the first of its magnitude since 1977, but lightning strikes are far more common and cause all kinds of localized power outages. Your systems may also be disabled by a security incident or a virus. Generally, businesses should consider a one- to five-year horizon when estimating threat probabilities.
Business impact analysis
The second step of business continuity planning is determining impact: the dollar amount of damage the organization will absorb when a threat occurs. The lowest-impact events, such as losing a single workstation, need not be a concern; they are everyday events, almost business as usual. Higher-impact events, such as the loss of a disk drive, a total loss of power or a security incident, must be mitigated because the financial impact on the business can be much greater. Combined with the probabilities from the risk analysis, these impact figures give the expected loss each threat represents, and the business impact assessment uses those potential losses to justify the cost of the business continuity program.
Resource recovery requirements & strategies
The next step is to determine the resource recovery strategy requirements that support the organization’s mission of reducing risk to an acceptable level. As illustrated in the chart, organizations in the reactive mode have the lowest investment and the longest recovery time. Organizations in the transformative mode use business continuity planning to differentiate themselves in the market; their recovery time is usually hours, sometimes minutes, because they have invested heavily in dual-processing, high-availability environments. Customer expectations have pushed most organizations from the reactive mode to the control and availability modes, which in many cases provide reasonable recovery times.
A business continuity plan facilitates the restoration of business operations within a timeframe, and at a level of function, acceptable to management. The resources that support each business function include people, business records, software applications, work inflows and outflows, computers, communications and office facilities. Critical recovery resource requirements and recovery time objectives (RTOs) should be set for each function; they serve as the basis for analyzing alternative recovery strategies.
Business continuity plan development
Once the RTOs and recovery resource requirements are determined, consider different strategies that will facilitate recovery and develop the optimal plan. The business continuity plan should include:
- Core business functions to be recovered
- Business continuity team members and responsibilities
- People, equipment, processes and supplies necessary for recovery of the core business functions
- A business impact analysis for setting recovery priorities
- Shared computers and communications required for the recovery
- Backup listing and restoration procedures
- Personnel required to respond to the crisis, make the transition to alternate facilities, and perform business functions and support services
- Checklists of specific steps required to recover business processes in alternate facilities
- Employee contact information
- Service provider contact information, including insurance provider
- A media relations plan
- A plan for periodically testing and exercising the business continuity plan
The role of third parties
Even if a disruption doesn’t affect you directly, it may affect any number of the third parties or service providers you rely on. This raises further questions, such as:
- Who owns the data?
- Are the third parties properly backing the data up?
- How will the loss of their operations impact your business?
It is important not only to have your own business continuity plan but also to ensure that the organizations on which you rely have one. Identify the business functions that depend on third parties and review those providers’ plans to confirm that your RTOs can still be met when a provider is down; a function cannot recover faster than the slowest resource it depends on.
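The following is an added example, not code from the original article or its authors, that turns the business impact analysis and the third-party review above into a small check. It ranks threats by annualized expected loss (probability per year times impact per occurrence, against the annual cost of the control), then walks each business function’s dependency chain, internal systems and third-party providers alike, to find where a stated RTO cannot be met. Every threat, figure, system and provider name below is constructed for illustration; the class and function names are the example’s own.

```python
"""Added example: business-impact ranking and RTO dependency check.

All risks, dollar figures, systems and providers are constructed sample data."""

from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Risk:
    name: str
    annual_rate: float          # expected occurrences per year (0.2 = about once in five years)
    impact_usd: float           # loss per occurrence, as estimated in the BIA
    control_cost_usd: float     # annual cost of the mitigation strategy

    def annualized_loss(self) -> float:
        """Expected loss per year: occurrence rate times impact per occurrence."""
        return self.annual_rate * self.impact_usd

    def control_justified(self) -> bool:
        """The BIA justifies a control when the expected loss exceeds the control's cost."""
        return self.annualized_loss() > self.control_cost_usd


@dataclass
class Resource:
    """A business function, internal system or third-party service with its own RTO."""
    name: str
    rto_hours: float
    depends_on: List[str] = field(default_factory=list)
    third_party: bool = False


def rank_risks(risks: List[Risk]) -> List[Tuple[str, float, bool]]:
    """Highest expected annual loss first; the bool says whether the control pays for itself."""
    ranked = sorted(risks, key=lambda r: r.annualized_loss(), reverse=True)
    return [(r.name, round(r.annualized_loss(), 2), r.control_justified()) for r in ranked]


def effective_rto(name: str, resources: Dict[str, Resource], _path: tuple = ()) -> Tuple[float, str]:
    """Hours until `name` is usable again: the larger of its own RTO and the slowest
    resource it depends on, transitively. Returns (hours, name of the bottleneck)."""
    if name in _path:
        raise ValueError("dependency cycle: " + " -> ".join(_path + (name,)))
    res = resources[name]
    worst_hours, bottleneck = res.rto_hours, name
    for dep in res.depends_on:
        hours, who = effective_rto(dep, resources, _path + (name,))
        if hours > worst_hours:
            worst_hours, bottleneck = hours, who
    return worst_hours, bottleneck


def rto_gaps(functions: List[str], resources: Dict[str, Resource]) -> List[dict]:
    """Functions whose stated RTO cannot be met because something they need recovers more slowly."""
    gaps = []
    for fn in functions:
        achievable, bottleneck = effective_rto(fn, resources)
        target = resources[fn].rto_hours
        if achievable > target:
            gaps.append({
                "function": fn,
                "target_rto_hours": target,
                "achievable_rto_hours": achievable,
                "bottleneck": bottleneck,
                "bottleneck_is_third_party": resources[bottleneck].third_party,
            })
    return gaps


# Constructed sample data (illustrative only). The blackout rate reflects the
# article's "first of its magnitude since 1977" remark: roughly once in 26 years.
SAMPLE_RISKS = [
    Risk("Virus or security incident", annual_rate=0.5, impact_usd=80_000, control_cost_usd=20_000),
    Risk("Lightning-caused local outage", annual_rate=2.0, impact_usd=5_000, control_cost_usd=3_000),
    Risk("Regional blackout (2003-scale)", annual_rate=1 / 26, impact_usd=250_000, control_cost_usd=15_000),
    Risk("Single workstation failure", annual_rate=6.0, impact_usd=400, control_cost_usd=5_000),
]

SAMPLE_RESOURCES = {r.name: r for r in [
    Resource("Order entry", rto_hours=4, depends_on=["ERP", "Payment gateway"]),
    Resource("Payroll", rto_hours=48, depends_on=["Payroll provider"]),
    Resource("ERP", rto_hours=8, depends_on=["Data center power"]),
    Resource("Data center power", rto_hours=1),
    Resource("Payment gateway", rto_hours=2, third_party=True),
    Resource("Payroll provider", rto_hours=72, third_party=True),
]}


if __name__ == "__main__":
    for name, ale, justified in rank_risks(SAMPLE_RISKS):
        print(f"{name:32} expected annual loss ${ale:>10,.2f}  control justified: {justified}")
    for gap in rto_gaps(["Order entry", "Payroll"], SAMPLE_RESOURCES):
        print(gap)
```

On the sample data the single-workstation failure ranks last and its control is not justified, matching the article’s point that such events are business as usual, while the two RTO gaps show the two cases the third-party section warns about: one bottleneck is an internal system (ERP) and one is a provider whose own plan promises a slower recovery than your function can tolerate.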
Protect your organization
Given recent events and organizations’ increasing dependence on technology, it’s important to make business continuity planning a priority and to effectively implement it. Do the analysis; make the logistical arrangements; and continually test and refine the plan. Do not let your organization get caught in the dark before you decide to make a plan.
About the authors
Raj Patel is a member of the MACPA and a manager in the Technology Consulting & Solutions practice at Plante & Moran, PLLC, in Southfield, Mich. He has more than ten years of information technology and financial audit experience, including IT strategic planning, IT risk assessments, global/local network security projects, system integration controls, business continuity management, IT audit and e-business security. Raj can be reached at email@example.com
Jon Nobis is a member of the MACPA and a consultant in the Technology Consulting & Solutions practice at Plante & Moran, PLLC, in Southfield, Mich. He has six years of experience with information systems auditing and information technology consulting. Jon can be reached at firstname.lastname@example.org