Friday, January 11, 2013

Business Continuity Planning

Business continuity can be defined as the

"strategic and tactical capability of the organisation to plan for and respond to incidents and business disruptions in order to continue business operations at an acceptable predefined level*"

Business continuity planning is the main answer to the risk of an unexpected business interruption. The objectives of a BCP are:

1. Survival
2. Protection of corporate assets
3. Control of risks and exposures
4. Preventative measures against business interruption - see physical protection and logical access.
5. Management of business interruption

It should provide a balance between the acceptable potential losses resulting from a disaster and the acceptable one-off and recurring costs of business continuity management. Other benefits include:

- providing customer confidence/satisfaction
- protecting reputation

BS 25999-1:2006 (code of practice) and BS 25999-2:2007 (specification) are the standards related to business continuity.

Features of an effective plan per BS 25999:

1. BC management policy
2. Managing the BCM programme
3. Understanding the organisation and its requirements (incl. sufficiently robust and wide-ranging business risk identification (e.g. scenario planning, stress testing, what-if planning), MTPD and RTO setting, available resources etc.)
4. Determining the BC strategy (timescales, sequence of recovery)
5. Developing the plan (linked to the actions taken to respond to specific threats; incident management teams)
6. Exercising and maintaining the BCP - i.e. test its ongoing effectiveness and adjust it for business changes
7. Embedding it into the business culture. Ensure all stakeholders understand their responsibilities within the overall plan (incident management team).

The overall plan needs to be realistic and achievable or it will be useless when called into action.

Recovery options:

- In-house vs outsourced
- Recovery sequence (usually customer-facing systems first)
- Partnership with a similar firm?
- Readiness of facilities - hot, warm, cold, mobile

*What is an acceptable predefined level? The business would describe it as the MTPD = maximum tolerable period of disruption, meaning the time that a business process can remain functioning in a limited way. IT would target the RTO = recovery time objective, meaning the time beyond which the non-availability of a service or function would be unacceptable.