Business Continuity Plan amidst COVID-19 outbreak

The whole world is gasping to control the pandemic COVID-19 which is spreading across the countries. Organizations are largely affected in terms of loss of human resources.  In this crunch time, we should realize now, how vital it is, the implementation of healthy BUSINESS CONTINUITY PLAN (BCP)  and DISASTER RECOVERY PLAN(DRP).

When I was doing my post qualification course in ISA (Information System Audit), I had a gloomy outlook that how this is going to help in our profession other than getting few bank audit empanelment preferences.  But this view has been changed since we witnessed several disasters like Flood, earth quacks, fire and now the pandemic COVID-19.

Considering the various situations we are facing for the last few months, this article summarize the necessity of BCP/DRP implementation in business organizations.

INTRODUCTION

Nowadays, organizations are running business based on information using information technology and communication. Organizations worldwide are more and more dependent on computers, in assisting and carrying out the decision making processes and in recording business transactions. Information becomes critical and loss of which will affect the whole organization. There are businesses which work on real time basis. Whole system can fail if any disruption happens. It may be because of man-made or natural made. Disasters lead to loss of productivity there by loss of revenue and market share. Hence, organizations have to take necessary steps to ensure that the impact from such disasters is minimized and build resilience which ensures continuity of critical operation in the event of disruptions.

WHAT IS BUSINESS CONTINUITY PLAN:

Business Continuity Plan is a plan that contains the steps that would be taken by an entity to resume its business functions during its period of disruption. These plans are executed in parallel with the disaster recovery plans depending on the impact of the disaster. The primary objective of a BCP  is to enable an organization to continue to operate through an extended loss of any of its business premises or functions.

NEED OF BUSINESS CONTINUITY PLAN

Business Continuity is applicable to organizations of all sizes and types of business. Business Continuity is most crucial to organizations that use IT Resources for their critical business functions. BCP gives organization’s assurance to various stakeholders that how the business processes are recovered and functioned when disruption happens. The ultimate objective of a BCP is to recover from a crisis as fast as possible and at the lowest possible cost.

Having a business continuity plan will help to-

1. Managing the risk which could lead to disastrous events.
2. Reduce the time taken to recover when any incidents happens.
3. Minimize the risk involved in the recovery process.
4. Reduce the cost in reviving the business.

Thus BCP is all about planning in advance to meet future unforeseen events which may impact or disrupt business operations. It is a documented collection of procedures and information that is developed, compiled and maintained in readiness for use in an incident to enable an organization to continue to deliver its critical products and services.

WHAT IS DISASTER RECOVERY PLAN

Before knowing this, we should know what is a disaster. Disasters are the major source of disruptions. A disaster can be defined as an unplanned interruption of normal business process. It can be said as a disruption of business operations that stops an organization from providing critical services caused by the absence of critical resources.

A disaster can be natural or man-made hazard resulting in an event of substantial extent causing significant physical damage or destruction, loss of life, or drastic change to the environment. A disaster can be defined as any tragic event stemming from events such as earthquakes, floods, catastrophic accidents, fires, or explosions. It can cause damage to life and property and destroy the economic, social and cultural life of people.

Natural disasters are caused by natural events and include fire, earthquake, tsunami, typhoon, floods, tornado, lightning, blizzards, freezing temperatures, heavy snowfall, pandemic, severe hailstorms, volcano etc.

Man-made disasters are artificial disasters arising due to human beings Include Terrorist Attack, Bomb Threat, Chemical Spills, Civil Disturbance, Electrical Failure, Fire, etc.

HOW DISASTERS IMPACT IN BUSINESS.

Disasters could result in-

1. Total destruction of the premises.(Earth quack, Terrorist attacks, etc)
2. Partial damage (in the case of flood.)
3. No physical damage but restricted access to the premises.(In case of evacuation)

Impact of disaster further results in:

Loss of human life: - Protection of human life is of utmost importance and, the overriding principle behind continuity plans

Loss of productivity:- When a system failure occurs, employees may be handicapped in performing their functions. This could result in productivity loss for the organization.

Loss of revenue:- For many organizations like banks, airlines, railways, stock brokers, effect of even a relatively short breakdown may lead to huge revenue losses.

Loss of market share:- In a competitive market, inability to provide services in time may cause loss of market share. For example, a prolonged non-availability of services from services providers, such as Telecom Company or Internet Service Providers, will cause customers to change to different service providers.

Loss of goodwill:- In case of a prolonged or frequent service disruption, customers may lose confidence resulting in loss of faith and goodwill.

Litigation:- Laws, regulations, contractual obligation in form of service level agreement govern the business operations. Failure in such compliance may lead the company to legal litigations and lawsuits.

DISASTER RECOVERY PLAN(DRP)

Disaster Recovery Plan is the set of plans which are to be executed initially at the moment of crisis. These plans include measures to control the disaster, mitigate them and to initiate the recovery of the resources that is needed for the continuity of business. These are the first plans that would be executed at the time of disaster.

NEED FOR DISASTER RECOVERY PLAN

To reduce disaster losses, it is crucial to have a comprehensive Disaster Recovery Plan for every business subsystem and operation within an organization.

Disaster recovery plan is implemented by using three basic strategies viz;

1. Preventive measures
2. Detective measured; and
3. Corrective measures

Preventive measures will try to prevent a disaster from occurring. These measures seek to identify and reduce risks. It helps in prevent an event from turning into a disaster.

When preventive measures fail, Detective measures are taken to discover the presence of any unwanted events within the IT infrastructure. They may detect or uncover unwanted events.

When both the preventive and detective measures fail, corrective measures taken place. These are aimed to restore a system after a disaster or otherwise unwanted event takes place.

Thus the overall objectives of this plan are to protect organization’s computing resources and employees, to safeguard the vital records of which Information Technology Systems and to guarantee the continued availability of essential Information Technology services.

One may often feel the difference in BCP and DRP. The primary objective of Business Continuity Plan is to ensure that mission critical functions and operations are recovered and made operational in an acceptable time frame. A BCP aims to sustain critical business process during an unplanned interruption period.

A disaster recovery plan (DRP) is a documented process or set of procedures to recover and protect a business IT infrastructure in the event of a disaster. DRP is to re-establish the primary site into operation with respect to all business processes of the organization facing the disaster.

ROLE OF CAs 

Business Continuity and Disaster Recovery Planning is not just an IT issue, it is a business problem or it is a necessity and that’s where the planning needs to begin. CAs are multi talented who possess expertise in this field. Many organizations are already implemented BCP and DRP especially in real time businesses like banks, airlines, etc . No matter how big or how small, every organization should have a well thought out BC/DR Plan.

The IS auditor is expected to evaluate the processes of developing and maintaining documented, communicated, and tested plans for continuity of business operations and IS processing in the event of a disruption. IS Auditor is expected to identify risks which are not identified and provide recommendations to mitigate them.

Having a strong BCP/DRP not only protects the IT infrastructure, but the organization as whole. Audit in this field provides the management an evaluation of the organization’s preparedness in the event of a major business disruption.

Reference source: ISA publications by ICAI.