Business Continuity Planning – A Perspective
“ALL IS WELL”This quote has become widely famous and is most talked about whenever we confront a difficult situation; but sadly in a business we cannot have such assumptions. Businesses across the world have grown largely in both quantum and size. Hence to manage business and more over to keep it running is the challenge every business-man faces.
Business continuity is vital to business success as well as growth. In today's
World , where not only competitiveness but also maintenance of business reputation majorly influence and impact business. Today, virtually every aspect of a company's operation is vulnerable to disruption. They say, risk cannot be eliminated but definitely can be managed and minimized. Apart from a few known, we cannot manage every risk there may be a few other which may not be known to us. Of those some risks could take your business offline for days, and in a competitive environment, even two-three hours of downtime could prove fatal.
Every Business is has both internal and external forces which are controllable and uncontrollable. Elements inside the organization like management, personnel, organizational structure, etc…act as drivers of the organization. Sometimes they work in congruence of each other and sometimes otherwise. Similarly, there are external elements like competitors, Market forces, Clients, government etc…which also affect the organization to a great extent. In such a scenario interruptions in business are bound to occur. A few most evident instances like 9/11 terror attack, 2005 Mumbai flood, Twin tower tragedy, Strikes etc….clearly state that such situation cannot be easily tackled. As a result some businesses shut down, some others sustain, some face severity of losses.
So how do you determine the resiliency and recovery requirements of your business? How do you identify and integrate critical business? Which ones is a priority? How do you work within limits? Where do you start?
Every business needs Business Continuity Plan-BCP. Here’ an example; Say you are running a call center. Now there is lot of data that keeps on running in and out during the business hours. Let’s say that there is a power cut for four hours and your clientele business is at a progressive stage. How to handle this situation? Do you have an arrangement of UPS system? Do you have a back-up software? Whether you can re-coup the data lost and also in how much time? When a situation like this occurs you need some kind of preparedness.
There comes the concept of BUSINESS CONTINUITY PLANNING –BCP.
Business continuity planning refers to the process of developing advance arrangements and procedures that enable an organization to respond to an interruption in such a manner that critical business functions continue with planned levels of interruption or essential change .In simpler terms, BCP is the act of proactively strategizing a method to prevent, if possible, and manage the consequences of a disaster, limiting the consequences to the extent that a business can absorb the impact. . It is usually associated with the technological interruption but it includes inter-alia business, human and regulatory aspects. A BCP is a comprehensive statement of consistent actions to be taken before, during and after a disaster. Ideally, BCP enables a business to continue operations in the event of a disruption and survive a disastrous interruption to critical information systems. Not all of the operations can be a part of BCP but those critical to business.
Let me outline a successful BCP which got I got to know in a seminar. It was a flood situation at around 2 am during winters at UK. There was a power-failure and the streets were clogged-up. The hotel Staff had to manage around 600 to 700 people. They had information that until next few hours the situation cannot be improved. They collected people at one place, made them aware of the situation, provided them with food, blankets etc.. They had properties at other places in the city where they made arrangements for the safety of the people .They also had arrangements with bus service providers so that the people can be safely taken at other places .Thus having a BCP was very helpful for the hoteliers to manage the situation of panic and also create faith in people’s mind .As it suggests that a particular organization can not only stand strong but can also sustain and manage out the worst come situation.
Steps to plan a BCP?
Your organizational structure is a very important aspect when you need to design a BCP.Here are few steps which may be considered to plan a BCP:
1. Document internal key personnel s and related backups
Internal Key personnel are those without which your business absolutely cannot function. Consider which job functions are critically necessary. Identifythe person who fills the position in absence of the primary job-holder. List all those individuals with all contact information
2 Check on communication lines
If some people in your company work from home you can involve such people in emergency team .You might consider teaming these with the ones identified in step 1.
3. Document external contacts
If you have critical vendors or contractors, build a special contact list that includes them. Also, include in your list people like attorneys, bankers, IT consultants anyone that you might need to call to assist with various operational issues. You may even tie up with the utility companies, municipal and police, fire, water, hospitals.
4. Document critical equipment
Personal computers often contain vital information. Don’t forget software – that would often be considered critical equipment especially if it is specialized software or if it cannot be replaced.
5. Identify critical documents
Articles of incorporation and other legal papers, utility bills, banking information, critical HR documents, building lease papers, tax returns are important documents which you need to have available if it would be necessary to start your business over again. It may happen that you might be dealing with a total facility loss.
6. Identify contingency equipment options
What if you own the machinery and it gets severely damaged; So does your company has an arrangement with vendor for replacement of the equipment or with another company using similar equipment and can rent you until the down time? Can you use a business service outlet for copies, fax, printing, and other critical functions?
7. Identify your contingency location
Say you are providing banking services and there is fire. Make sure that you account for the people because the safety is the first priority. Now, the question arises is there a nearby branch where you can ask your customers to move i.e. an alternative location? Whether you have an arrangement with the branch in case of such a disaster? Whether you have extra staff available to cater the additional work load? If you do have an identified temporary location, include a map in your BCP.
8. Make a Chart
A chart gives a pictorial view and makes it easy to understand. It should include step-by-step instructions on what to do, who should do it, and how .Assign responsibility and write down the name of the person for the same.
9. Put the information together
Within a plan there can be various plans .A BCP is useless if all the information is scattered about in different places .A BCP is a reference document. Make plenty of copies and give one to each of your key personnel .Keep several extra copies at an off-site location.
Make sure everyone in your company knows the BCP. You may hold training sessions. You do not want your non-critical staff driving through an ice storm to get to a building that has been damaged by fire then wondering what to do next.
11. Test the plan
Testing the plan is essential .As it will suggest you how the plan really works. Don’t wait until disaster strikes to figure out what you should do differently next time. If you make any major changes, run it again a few months later. Even after you call your plan a fool-proof, you should test it annually.
12. Plan to change the plan
No matter how good your plan is, and no matter how smoothly your test runs, it is likely there will be events outside your plan .Business changes with time and so should the plan.
13. Review and revise
Every time something changes, update all copies of your BCP. Never let it get out of date. An out-of-date plan can be worse than useless: it can make you feel safe when you are definitely not safe.
We often consider ourselves relieved once we are done with the planning. But this is not the end .After BCP follows the BIA -Business Impact Analysis.
What would it cost your business to be shut down for 1 hour? 1 day? 1 week?
BIA involves the identification of critical business functions and workflow that most affect your revenue, your assets and your clients to help you prioritize the recovery strategies that might be needed during an extended business disruption, determines the qualitative and quantitative impact of a disruption, and priorities recovery time objectives (RTO’s).
Recovery time objectives in simpler words mean in how much time an organization can come back to normal functioning or regain to its normalcy. Like say the system was down due to technical reasons so how quick can this interruption are compensated? Now this is what is called the recovery time objective. The faster the time to recover the higher will be the cost. Hence there is a need to set the RTO in such a way that the work gets into the flow, the back-log is cleared and the cost involved is acceptable. It is this acceptability that counts much to decide the RTO.And not just the RTO but also the RPO i. e .Recovery point objective.
Recovery Point objectives( RPO) is up to what time in history do you want the data back updated; one hour, a week , a month , or a year…How much data can you restore in your system ?And this goes parallel with the RTO.
BIA also includes the risk that the business carries .Understanding the potential impacts of security threats is almost a pre-requisite to determine the most appropriate corrective and protective actions to take. The BIA phase can thus be considered to be the initial driver to sound security management. BIA is not just about the financials but also the non-financials like customer trust, security, market confidence, creditors etc…
How do we start?
Comprehensive evaluation of your business environment
Identify the areas of your business which fall in highly critical zone and that which fall in low critical zone .And also the level of protection required at each of these zones.
We need to ensure that during the happening of an event which interrupts the business workflow all the levels are checked and resources are rotated in required areas. Thus, identification of highly critical areas is necessary for a BIA
Develop a crisis management team
This team will get activated and will be functioning at the core of the organization .The team may have functions as follows:
1. Making decisions as to how to proceed with the action required
2. Declaring the emergency
3. Taking inputs from the Senior management, emergency back up team, communication channel
4. Making follow up with the situation and informing the senior management of the situation from time to time.
5. Assessing the planned processes are functioning or is there a need to make a way out of the plan
6. Directing the operational / functional personnel as to how and when to act
The Crisis Management team shall include senior managers, Functional heads, Few Executives, internal auditors’ .Internal auditors although not a part of management but have a very important role to play in such a scenario. Internal auditors know an organization very well. They can supplement the management with vital or key areas to look after. Moreover, they can also act as eyes and ears to senior management and make suggestions on how to improve the plan in future.
BIA suggests a few commandments which are as follows:
Protect – Organization should be able to protect its resources viz .Poeple, Assets, etc..
Respond -- Organization should be able to respond to an interruption on time and in a particular manner.
Sustain -- Organization should be able to absorb the impact of the situation and uphold itself and its people.
Recover -- Organization should make improvisations in the situation so that it can become operational and come back to its day-in day out functions.
Resume -- Organization should re-build and integrate its functions and become functional.
We always make plans and it’s never a bad idea to have one .There are organizations which provide with BCP and cater to organizational needs ,Today’s economic situation relatively demands preparedness of almost all business ,big -small .As goes the adage “ Prevention is better than cure”.