Business Continuity Planning (BCP) is a methodology used to create a plan for how Department Council will resume critical function after a disaster.
BCP reduces risk with information controls and the practice of risk management.
Three very goods reasons for a BCP :
- 80% of businesses affected by a major incident close within 18 months,
- 90% of businesses that lose data from a disaster are forced to shut within 2 years
- 58% of organisations were disrupted by September 11th. One in eight was seriously affected.
A BCP cycle results in a manual available during disruptions. The disaster will represent natural disaster, man-made disaster, and disruptions. The regulations base on the formalized standards defined under ISO/IEC 17799 or BS 7799.
BCP methodology is for an organization of any size and complexity.
The methodology has roots in industries in United States. Any type of organization may create a BCP to ensure the organization's longevity. The firms do not invest enough time and resources into BCP preparations are evident in disaster survival statistics. Fires permanently close 44% of the business affected.
A BCP manual for Department Council may be a printed manual. It is store safely away from the main location.
It contains the names, addresses, and phone numbers of:
- Crisis management staff,
- General staff members,
- The location of the offsite data backup storage media,
- Copies of contracts,
- Others materials necessary for organization.
The development of a BCP manual has five main phases:
- Solution design,
- Organization acceptance
- Testing and maintenance.
Threat analysis, and impact scenarios with the resulting BCP plan requirement documentations.
An impact analysis results in the differentiation between critical and non-critical functions of Department Council. A function may be considered critical, if the implications of damage to the Department Council are unacceptable. Perceptions may be modified by the cost recovery solutions. A function may also be considered critical if dictated by law. Next, the impact analysis results in the recovery requirements for each critical function.
Recovery requirements consist of the following information:
- The time in which the critical function must be resumed after the disaster
- The business requirements for recovery of the critical function,
- The technical requirements for recovery of the critical function.
Some common threats include the following:
- Cyber attack
- Utility outage
For IT, the plan may cover the following elements:
- The applications and data require for critical business functions
- The manual workaround solutions
- The maximum outage allowed for the applications
- The peripheral requirements like printers, copier, etc.
The goal of the solution design phase is to identify the most cost effective solution. That meets two main requirements from the impact analysis stage. For IT applications, this is commonly express as:
- The minimum application and application data requirements: RPO (Recovery Point Objective)
- The time frame in which the minimum application and application data must be available: Recovery Time Objective (RTO)
- The crisis management command structure
- The location of a secondary work site
- Telecommunication architecture between primary and secondary work sites
- Data replication methodology between primary and secondary work sites
- The application and software required at the secondary work site,
- The type of physical data requirements at the secondary work site.
The purpose of solutions is achieving organizational acceptance. The business continuity solution must satisfy the organization's requirements.
Plans may fail to meet expectations due to insufficient or inaccurate recovery requirements or solution implementation errors.
- Crisis team call
- Technical primary and secondary work locations
- Application tests
- Business process
Problems identified in the initial testing phase may be rolled up into the maintenance phase and retested during the next test cycle.
The implementation phase is the execution of the elements identified in the solution design phase. Work testing may take place during the implementation of the solution. But it does not take the place of organizational testing.
Testing and maintenance
Maintenance and testing of a BCP manual is important. At minimum, testing is generally conducted on a biannual or annual schedule. The first activity is the confirmation of information in the manual. The second activity is the testing and verification of technical solutions. The last activity is the testing and verification of documented organization recovery procedures.
All organizations change over time, a BCP manual must change to stay relevant to the organization. Normally a test is conducted to evaluate the plan's efficiency. Some types of changes that should be identified and updated in the manual include:
- Staffing changes
- Changes to important clients and their contact details
- Changes to important vendors/suppliers and their contact details
- Departmental changes like new, closed or fundamentally changed departments.
- Are all work processes for critical functions documented?
- Have the systems used in the execution of critical functions changed?
- Are the documented work checklists meaningful for staff?