Business continuity planning is the process where senior management and security professionals develop a plan to ensure the continuous operation of the business before, during, and after an unplanned disruption in service. The primary goal of a Business Continuity Plan (BCP) is to focus on the core business functions and ensure that these services are continued in the event of a disaster. The most important element to a BCP is to first understand the most common internal and external threats that are directly relevant to the core functions of the business and also consider any associated vulnerabilities. In this article, we will discuss the 5 steps that make up the Business Continuity Planning process.
The Business Continuity Planning process has the following five steps:
- Develop the contingency planning policy statement
- Conduct the business impact analysis (BIA)
- Identify preventive controls
- Develop recovery strategies
- Develop an IT contingency plan
- Plan testing, training, and exercises
- Plan maintenance.
The 7 steps to Business Continuity Planning
Step 1 : Develop the contingency planning policy statement
In this first component of the BCP, the contingency planning policy statement is a plan that covers all possible emergency situations that are relevant to the organisation. With the driving goals of the project at the forefront, all factors from financial resources, technical resources and human resources are considered. This policy statement outlines everything that the planners need to work out and includes all available options in order to achieve the organisational goals. Here are the key points that the policy statement should address:
- What kind of disasters does the organisation intend to cover?
- How much time would it take in order to restore operations?
- What are the responsibilities of management and planners?
- What systems should be covered and the prioritisation of the systems?
Step 2 : Conduct the business impact analysis (BIA)
The Business Impact Analysis is the second step of the Business Continuity Planning process and it is the most important step as it looks at the threats that are posed to the critical business functions and what are the potential costs incurred outage caused by one of these threats.
IT systems can be very complex, with numerous components, interfaces, and processes. A system often has multiple missions resulting in different perspectives on the importance of system services or capabilities. The BIA step evaluates the IT system to determine the critical functions performed by the system and to identify the specific system resources required to perform them.
The main objectives of the BIA process are as follows:
- Estimate on what is the maximum tolerable downtime (MTD) the organization can survive without that function or service?
- Identify and estimate the amount of personnel required for the recovery operations.
- Estimate the recovery time required to have systems and operations back to normal.
- What will this outage cost? Will there be a loss of revenue or operational capital, or will we be held personally liable? Cost can be immediate or delayed. Other potential costs include any losses incurred because of failure in meeting the SLA requirements of customers.
- Regulatory requirements What violations of law or regulations could this cause? Is there a legal penalty?
- Organizational reputation Will this affect our competitive advantage, market share, or reputation?
The BIA builds the groundwork for determining how resources should be appropriated for recovery-planning efforts.
Step 3 : Identify preventive controls
Upon completion of the BIA, in most cases, the outage impacts that are identified can be mitigated by implementing preventative measures that deter, detect, and/or reduce impacts to the system. Measures taken to reduce the effects of system disruptions can increase system availability and reduce contingency life cycle costs. Where feasible and cost-effective, preventive methods are preferable to actions that may be necessary to recover the system after a disruption. One great example of this would be implementing the use of a UPS (Uninterruptible Power Supply or a diesel-powered generator to provide short-term backup power to all system components (including environmental and safety controls);
Step 4 : Develop recovery strategies
Recovery strategies provide an organisation with some method to restore IT operations quickly and effectively following a service disruption. The importance of the BIA in earlier steps will be evident here as the information such as the threats that are outlined, the disruption impacts and allowable outage times will help shape the recovery strategy. The selected recovery strategy should address the potential impacts identified in the BIA and should be integrated into the system architecture during the design and implementation phases of the system life cycle. The strategy should include a combination of methods that complement one another to provide recovery capabilities over the full spectrum of incidents. Specific recovery methods should be considered and may include commercial contracts with cold, warm, or hot site vendors, mobile sites, mirrored sites, reciprocal agreements with internal or external organizations, and service level agreements (SLAs) with the equipment vendors. In addition, technologies such as Redundant Arrays of Independent Disks (RAID), automatic fail-over, uninterruptible power supply (UPS), and mirrored systems should be considered when developing a system recovery strategy. The main purpose of this stage is to select the types of recovery solutions that you will use to determine the scales of costs involved.
Step 5: Develop an IT contingency plan
Now that you have selected the most suitable recovery strategy, the contingency plan should detail guidance and procedures for restoring a damaged system. A contingency plan is a proactive strategy that describes the course of actions or steps the management and staff of an organization need to take in response to an event that could happen in the future. It plays a significant role in business continuity, risk management and disaster recovery.
It helps you stay prepared for unforeseen events and minimize their impact. It also outlines a plan for carrying out the normal business operations after the event has occurred.
Step 6 : Plan testing, training, and exercises
If you work in I.T, you will know that you work in a very fast-moving ecosystem with systems often changing regularly. Systems are constantly being updated, reconfigured or decommissioned. The Testing and training step is a critical element of a Business Continuity Plan contingency program. All of these constant changes to the systems play an important part in the performance of the Business Continuity Plan. The continuous testing of the plan enables you to identify the deficiencies that need to be addressed by validating one or more of the system components and the operability of the plan. Each information system component should be tested to confirm the accuracy of individual recovery procedures. Training for personnel who have contingency plan responsibilities should focus on familiarizing them with any changes in the systems and ensure all roles and responsibilities are assigned, especially any newly created responsibilities brought upon by new systems. Training prepares recovery personnel for plan activation and helps improve plan effectiveness and overall agency preparedness.
Step 7 : Plan maintenance
As mentioned in step 6, the IT systems undergo frequent changes because of shifting business needs, technology upgrades, or new internal or external policies. This ever-changing ecosystem will dramatically change the Business Continuity Plan and to be effective, the plan must be maintained in a ready state that accurately reflects system requirements, procedures, organizational structure, and policies. It is essential that the contingency plan be reviewed and updated regularly, as part of the organization’s change management process, to ensure new information is documented and contingency measures are revised if required. As a general rule, the plan should be reviewed for accuracy and completeness at least annually or whenever significant changes occur to any element of the plan.