Critical. Authoritative. Strategic.


CBR is proudly produced & published
by Technews
Issue Date: October 2006

Making continuity work

October 2006
Ray Stride, managing director Global Continuity

Preparing and implementing business continuity plans is not an easy task, but it need not be overly complex.

Preparing and implementing business continuity plans is not an easy task, but it need not be overly complex.
Many of us, when faced with the task of developing business continuity or disaster recovery plans, do not have a clear idea of where to start and how to proceed. There is a good selection of guidelines available from authoritative sources that are all in approximate agreement as to what constitutes good practice.
These sources include CoBIT, ITIL, The UK Business Continuity Institute (BCI) and the British Standards Institute (BSI). All of these and many others have sound advice, which is available at little or no cost. The problem is that it requires a lot of time to decrypt, learn, analyse and organise into a form which is readily usable. Fortunately, the development of plans is not a complex exercise provided a few commonsense rules are observed:
Firstly, keep the plans simple. There are no prizes for having large plans. The bigger the plan the more difficult it is to use. The plan will be put to use when the organisation (and its people) is under extreme stress. Staff will thank you for simplicity. Remember that the plans are being developed to help you survive a disaster and not an audit.
Secondly, make the plans flexible. Since you have no real idea what the nature of the disaster is likely to be, it is impossible to predict exactly what you should do. You can never write a plan that covers all likely disaster scenarios, without shattering rule one above.
Thirdly, aim the plan at reminding personnel what tasks they need to perform, not how to perform the tasks. How to do the job should already be second nature to them. Under stress, they may forget to execute critical tasks, or may lose control of certain functions.
Understanding the terminology
There is a lot said about the subject and a lot of popular misconception. The most common misconception is that the terms business continuity plan (BCP) and disaster recovery plan (DRP) are synonymous and interchangeable. DRPs are commonly associated with the IT-related recovery in the event of a disaster, while BCPs are related with the recovery of end-user business functions after a disaster event. While this is true it may not be precise. It would be more appropriate to say that BCPs should include DRPs. The two disciplines are very closely related and are co-dependent. DRPs are therefore part of BCPs and generally used to recover failed IT functions in support of the recovery of failed business processes.
How should the plan be structured?
A simple but sound BCP could be constructed along the following lines:
* Define an invocation drill. Build the rules which show under what circumstances a disaster is declared. Define who is authorised to declare a disaster. Define who is to assemble, how quickly and where? (Provide an alternative venue as the boardroom may well be part of the disaster.) A flow chart is useful. This process should be aligned with your current evacuation and fire drills.
* Define a crisis management team structure with roles and responsibilities for all persons involved in managing the company through the disaster event. Note that job descriptions and normal objectives will probably be suspended and re-defined. Place someone in charge, disasters can get worse very quickly without decisive and focused leadership. Ensure that any and all crisis management team roles have alternates - sadly disasters can include the loss of key individuals.
* Include forms to record all events.

* A checklist of important company resources to assist with damage assessment.
Do not proceed with the disaster invocation until you have carried out a damage assessment as this will define your recovery and continuity actions.
* Include forms to record all decisions and delegation of tasks during a disaster or the recovery.

* Include a set of preprepared statements for press and public communications.
This is a critical subject and needs to be dealt with carefully. It is fair to say that your public response in the event of a disaster can have a major effect on your company's reputation. Poorly handled press statements will have negative effects. Consult with experts in this field if you are in any doubt.
* Include a target recovery time line for each business unit. This should be simple and based on the amount of downtime that can be afforded by each business unit. This is usually determined during a risk and/or impact analysis. If you have not carried out such an exercise, I suggest that you give the matter some thought.
* Include additional plans that are aimed at returning your company to normal operation after resumption of business activities. This can be a very difficult exercise. Consider it as you would an office move, which is sprung upon you at short notice, while you are ill equipped to deal with it. This can be very painful. Many companies can survive a disaster, but may fail during the return to normal operation.
* Provide a container (sometimes called a battle-box), which contains as much information as possible. Include at least the following:
- Telephone and address lists of staff, suppliers, clients, emergency services and any other persons you are likely to need.
- Copies of important company documents.
- Articles of incorporation, bank mandates, company registration documents, proxies etc.
- The company insurance policies (failure to include this could be a show-stopper).
- Copies of software, licences, and enabling keys.
- Operational procedures.
- Roll call lists.
- Copies of the BCP.
- Documentation that enables you to return to normal operation. This could include site building plans, technical plans, or the plans which you painstakingly developed for your last office move.
* Keep the contents up to date by reviewing regularly.

* Store the battle-box or a duplicate somewhere away from the premises to ensure that you have it when the office is inaccessible or destroyed.
What should be in the plan?
The plans must include checklists for all business units that explain which tasks need to be executed, by when and by whom. Keep such lists up to date and ensure that they make mention of critical dates (eg, Pay VAT on 25th of every odd numbered month).
Information technology should be viewed as a business unit with its own recovery objectives and checklists. During recovery the crisis management team should attempt to synchronise IT efforts with business needs. Therefore the IT checklist should be sequenced in such a fashion that it matches the business needs to recover. This is difficult to achieve since technical issues can often interfere.
How much detail should be in the plan?
At all costs avoid putting too much detail into any plan. Details should be included in operational procedures and these operational procedures should be placed in the battle-box. Just ensure that all essential tasks are covered. It is very easy to forget to do something while under stress.
There is no single definitive way to construct plans. The biggest benefit comes from the process of planning for a disaster rather than being in possession of plans. If you are in doubt as to how to proceed, consult with professionals or read up on the subject.
The development of a BCP is not a one-time exercise. Business needs change rapidly and frequently. BCPs should be reviewed regularly and updated to reflect current requirements.

Others who read this also read these articles

Search Site

Search Directory

  • Search for:


Previous Issues