Business Continuity > Develop your Business Continuity Plan Now

Do’s and Don’ts for Developing an Actionable Plan on a Budget

By: Gaston Boisson, CBCP, MBCI

Director, Business Resilience Services at BDA Global (www.bdaglobal.com)

The last decade produced multiple mass casualty events, from 9-11 to the Tsunamis in the South Pacific region, to the recent earthquake in Haiti. These events, while tragic, have served as painful evidence that investments in governmental, organizational, and community preparedness are important and necessary.

The Scenario

To survive a disaster, organizations must be concerned with responding to impacts to personnel, facilities, and technology. Forward thinking organizations also consider Corporate Social Responsibility and incorporate strategies for post-event Community Vulnerability Reduction. These organizations recognize that it is the right thing to do, and quite frankly, also realize that the chance of business failure increases exponentially when the local community is in chaos.

Figure 1 – Business Resources that Plans Must Address

Organizations must develop integrated Business Continuity Plans (BCPs) that incorporate strategies for addressing potential points of failure within business units and for the organization as a whole. BCPs must be designed to mitigate the risk of critical, cascading failures that may result from one or more single points of failure.
The Basic Approach

There are four main planning phases for developing business continuity plans –

(1) Pre-planning and data gathering,
(2) data analysis,
(3) planning, and
(4) exercising and deployment.

Each phase is equally important and hence it is critical that planners take a systematic approach to completing them. The following diagram highlights the key steps related to each planning phase:

Pre-Planning and Data Gathering	Data Analysis	Planning	Exercising and Deployment
1. Perform a Risk Assessment and develop strategies to mitigate Manageable Risks.	4. Perform critical path analysis and determine interdependency-related potential single points of failure.	7. Form BCP teams including Emergency Management Team and Emergency Operations Teams.	10. Train Teams and Develop Program to perform regular exercises and plan maintenance activities.
2. Perform Business Impact Analysis, prioritizing all functions and resources	5. Perform personnel, records, vendors, and resources analyses, using business case analysis tools to make good planning decisions.	8. Develop overarching plans, including escalation procedures for plan activation, crisis management, communications, succession, delegations of authority, and plans for managing operational reconstitution.	11. Integrate technologies to more effectively manage the immediate disaster aftermath, such as notification systems, and redundant vital records systems.
3. Report findings to Executive Management and facilitate subsequent analyses	6. Design specifications based on planning parameters for facilities, personnel, and technology.	9. Develop business unit plans that include specific instructions for time-sensitive functions in some form of alternate capacity.	12. Utilize creative workplace strategies in your business continuity plans, including remote access to work servers, teleworking strategies to maximize offsite productivity, and alternate site strategies to accommodate staff who must be onsite during and after a disruptive event.

Pre-Planning and Data Gathering

Data Analysis

Planning

Exercising and Deployment

1. Perform a Risk Assessment and develop strategies to mitigate Manageable Risks.

4. Perform critical path analysis and determine interdependency-related potential single points of failure.

7. Form BCP teams including Emergency Management Team and Emergency Operations Teams.

10. Train Teams and Develop Program to perform regular exercises and plan maintenance activities.

2. Perform Business Impact Analysis, prioritizing all functions and resources

5. Perform personnel, records, vendors, and resources analyses, using business case analysis tools to make good planning decisions.

8. Develop overarching plans, including escalation procedures for plan activation, crisis management, communications, succession, delegations of authority, and plans for managing operational reconstitution.

11. Integrate technologies to more effectively manage the immediate disaster aftermath, such as notification systems, and redundant vital records systems.

3. Report findings to Executive Management and facilitate subsequent analyses

6. Design specifications based on planning parameters for facilities, personnel, and technology.

9. Develop business unit plans that include specific instructions for time-sensitive functions in some form of alternate capacity.

12. Utilize creative workplace strategies in your business continuity plans, including remote access to work servers, teleworking strategies to maximize offsite productivity, and alternate site strategies to accommodate staff who must be onsite during and after a disruptive event.

Plan Deployment Solutions – Do’s and Don’ts for [Cost] Effective Planning

There are several do’s and don’ts I would recommend for your organization to ensure that planning efforts result in an actionable Business Continuity Plan, without blowing the budget or making it impossible to justify expenditures. This article intentionally does not promote any one solution, but instead highlights areas of concern. The following table highlights some considerations that might help guide your organization’s business continuity planning staff:

Do’s	Don’ts
If available and cost justified, use Risk Management Software to help track and manage risks. From a cost benefit perspective, most organizations will opt to not mitigate all risks after the risk assessment. Risk management tools can be helpful to maintaining a structured approach to mitigating vulnerabilities.	Do not pay tens of thousands of dollars annually for Risk Management Software Solutions. There are facility and risk tracking tools available for hundreds per month.
Use a web based Business Impact Analysis (BIA) tool. A good BIA tool should result in cost savings by expediting the data gathering and initial analysis, and by facilitating automated updates in future years.	Do not use a “BIA Application” that primarily includes questionnaires that could easily be generated in MS Word. Ensure that your tool has the analytic capability you need. There are solutions that are available for hundreds per month.
Deploy a web based business continuity planning tool, if your cost benefit analysis supports that it would be beneficial for plan management.	Do not use a “Business Continuity Planning Tool” that primarily does basic plan storage, even if it has a notification capability built in. BCP tools should allow you to build strategies, tie in with BIA data, and help process owners prioritize actions. There are many options available at over $20,000 per year that can do none of these. Interestingly, there are several better options for $10,000 or less. I would generally recommend a tool that has both the BIA and BCP capability integrated. The fact is, if you are really cost conscious, your BCP can just as easily be developed with any word processing software, though it becomes more time consuming to maintain.
Use Affordable Notification Technologies. This is an area of great potential savings for most companies. For a few dollars a month you can now have a basic voice-to-text and text-to-text notification capability, compatible with most smart devices.	Do not pay thousands per month for an emergency notification capability, without considering lower cost options. There are multiple leading companies in this field that sell very sophisticated notification tools at pricey annual subscriptions. Several of these are great tools which are appropriate for complex environments. Most companies do not need them. There are alternatives for a few dollars a month that will provide most of us with all we need to quickly corral and manage our teams after a disruption.
Implement effective backup and recovery strategies. Cron jobs can be used to schedule automated recovery tasks; commercial vendors can be a good backup option, depending on security architecture and needs. Additionally, there are now Network Attached Storage (NAS) systems that have become an affordable, faster, and less cumbersome alternative to tape backup.	Do not pay a vendor tens of thousands for backup and recovery services. Use backup and recovery vendors for disk or tape backup if you need it. Consider providing separate virtual backup, possibly using a remote data center vendor to improve the chances of data survival in a major event at your primary data center.
Implement Teleworking Strategies – VPN technologies are inexpensive today and cloud computing makes it safe and reliable to store large quantities of data. Additionally, ensure that personnel who are authorized to telework have the equipment and passwords they need, and are trained on how to work remotely.	Do not rely on a VPN strategy without testing. Ensure that you have enough bandwidth to allow everyone authorized to telework with simultaneous remote access servers. &nbs

Do’s

Don’ts

If available and cost justified, use Risk Management Software to help track and manage risks. From a cost benefit perspective, most organizations will opt to not mitigate all risks after the risk assessment. Risk management tools can be helpful to maintaining a structured approach to mitigating vulnerabilities.

Do not pay tens of thousands of dollars annually for Risk Management Software Solutions. There are facility and risk tracking tools available for hundreds per month.

Use a web based Business Impact Analysis (BIA) tool. A good BIA tool should result in cost savings by expediting the data gathering and initial analysis, and by facilitating automated updates in future years.

Do not use a “BIA Application” that primarily includes questionnaires that could easily be generated in MS Word. Ensure that your tool has the analytic capability you need. There are solutions that are available for hundreds per month.

Deploy a web based business continuity planning tool, if your cost benefit analysis supports that it would be beneficial for plan management.

Do not use a “Business Continuity Planning Tool” that primarily does basic plan storage, even if it has a notification capability built in. BCP tools should allow you to build strategies, tie in with BIA data, and help process owners prioritize actions. There are many options available at over $20,000 per year that can do none of these. Interestingly, there are several better options for $10,000 or less. I would generally recommend a tool that has both the BIA and BCP capability integrated. The fact is, if you are really cost conscious, your BCP can just as easily be developed with any word processing software, though it becomes more time consuming to maintain.

Use Affordable Notification Technologies. This is an area of great potential savings for most companies. For a few dollars a month you can now have a basic voice-to-text and text-to-text notification capability, compatible with most smart devices.

Do not pay thousands per month for an emergency notification capability, without considering lower cost options. There are multiple leading companies in this field that sell very sophisticated notification tools at pricey annual subscriptions. Several of these are great tools which are appropriate for complex environments. Most companies do not need them. There are alternatives for a few dollars a month that will provide most of us with all we need to quickly corral and manage our teams after a disruption.

Implement effective backup and recovery strategies. Cron jobs can be used to schedule automated recovery tasks; commercial vendors can be a good backup option, depending on security architecture and needs. Additionally, there are now Network Attached Storage (NAS) systems that have become an affordable, faster, and less cumbersome alternative to tape backup.

Do not pay a vendor tens of thousands for backup and recovery services. Use backup and recovery vendors for disk or tape backup if you need it. Consider providing separate virtual backup, possibly using a remote data center vendor to improve the chances of data survival in a major event at your primary data center.

Implement Teleworking Strategies – VPN technologies are inexpensive today and cloud computing makes it safe and reliable to store large quantities of data. Additionally, ensure that personnel who are authorized to telework have the equipment and passwords they need, and are trained on how to work remotely.

Do not rely on a VPN strategy without testing. Ensure that you have enough bandwidth to allow everyone authorized to telework with simultaneous remote access servers.

&nbs

Posted by orchid test on Apr 12, 2010 at 10:05 am

Login to comment! Register for a login.

Blogs

Business Continuity > Develop your Business Continuity Plan Now