Business Continuity Planning

https://store.theartofservice.com/the-business-continuity-planning-toolkit.html

Business continuity planning

Business continuity planning (BCP) "identifies an organization's exposure to internal and external threats and synthesizes hard and soft assets to provide effective prevention and recovery for the organization, while maintaining competitive advantage and value system integrity".

Any event that could impact operations is included, such as supply chain interruption, loss of or damage to critical infrastructure (major machinery or computing/network resource). As such, risk management must be incorporated as part of BCP.

In December 2006, the British Standards Institution (BSI) released an independent standard for BCP: BS 25999-1.

Business continuity management is standardised across the UK by British Standards (BS) through BS 25999-2:2007 and BS 25999-1:2006.

This document was superseded in November 2012 by the British standard BS ISO22301:2012. (British Standards Institution, 2012)

In 2004, following crises in the preceding years, the UK government passed the Civil Contingencies Act 2004 (The Act). This provides the legislation for civil protection in the UK.

The Act was separated into two distinct parts: Part 1 focuses on local arrangements for civil protection, establishing a statutory framework of roles and responsibilities for local responders. Part 2 focuses on emergency powers, establishing a modern framework for the use of special legislative measures that might be necessary to deal with the effects of the most serious emergencies.

The Act is telling responders and planners that businesses need to have continuity planning measures in place in order to survive and continue to thrive whilst working towards keeping the incident as minimal as possible. (Cabinet Office, 2004)

Business continuity planning - Business impact analysis (BIA)

A business impact analysis (BIA) differentiates critical (urgent) and non-critical (non-urgent) organization functions/activities. Critical functions are those whose disruption is regarded as unacceptable. Perceptions of acceptability are affected by the cost of recovery solutions. A function may also be considered critical if dictated by law. For each critical (in scope) function, two values are then assigned:

• Recovery Time Objective (RTO) – the acceptable amount of time to restore the function

The recovery point objective must ensure that the maximum tolerable data loss for each activity is not exceeded. The Recovery Time Objective must ensure that the Maximum Tolerable Period of Disruption (MTPoD) for each activity is not exceeded.

Next, the impact analysis results in the recovery requirements for each critical function. Recovery requirements consist of the following information:

• The business requirements for recovery of the critical function, and/or
• The technical requirements for recovery of the critical function

Business continuity planning - Threat and risk analysis (TRA)

After defining recovery requirements, each potential threat may require unique recovery steps. Common threats include:

The impact of an epidemic can be regarded as purely human, and may be alleviated with technical and business solutions. However, if people behind these plans are affected by the disease, then the process can stumble.

During the 2002–2003 SARS outbreak, some organizations grouped staff into separate teams, and rotated the teams between primary and secondary work sites, with a rotation frequency equal to the incubation period of the disease. The organizations also banned face-to-face intergroup contact during business and non-business hours. The split increased resiliency against the threat of quarantine measures if one person in a team was exposed to the disease.

Business continuity planning - Impact scenarios

After defining threats, impact scenarios form the basis of the business recovery plan. In general, planning for the most wide-reaching impact is preferable. A typical impact scenario such as "building loss" encompasses most critical business functions. A BCP may document scenarios for each building. More localized impact scenarios – for example loss of a specific floor in a building – may also be documented.

Business continuity planning - Recovery requirement

After the analysis phase, business and technical recovery requirements precede the solutions phase. Asset inventories allow for quick identification of deployable resources. For an office-based, IT-intensive business, the plan requirements may cover desks, human resources, applications, data, manual workarounds, computers and peripherals.

Other business environments, such as production, distribution, warehousing etc., will need to cover these elements, but likely have additional issues.

Business continuity planning - Solution design

The solution design phase identifies the most cost-effective disaster recovery solution that meets two main requirements from the impact analysis stage. For IT purposes, this is commonly expressed as the minimum application and data requirements and the time in which the minimum application and application data must be available.

Outside the IT domain, preservation of hard copy information, such as contracts, skilled staff or restoration of embedded technology in a process plant, must be considered. This phase overlaps with disaster recovery planning methodology. The solution phase determines:

• crisis management command structure
• telecommunication architecture between primary and secondary work sites
• applications and data required at the secondary work site, and
• physical data requirements at the secondary work site.

Business continuity planning - Implementation

The implementation phase involves policy changes, material acquisitions, staffing and testing.

Business continuity planning - Testing and organizational acceptance

The purpose of testing is to achieve organizational acceptance that the solution satisfies the recovery requirements. Plans may fail to meet expectations due to insufficient or inaccurate recovery requirements, solution design flaws or solution implementation errors. Testing may include:

• Crisis command team call-out testing

At minimum, testing is conducted on a biannual schedule.

The 2008 book Exercising for Excellence, published by The British Standards Institution, identified three types of exercises that can be employed when testing business continuity plans.

Business continuity planning - Tabletop exercises

Tabletop exercises typically involve a small number of people and concentrate on a specific aspect of a BCP. They can easily accommodate complete teams from a specific area of a business.

Another form involves a single representative from each of several teams. Typically, participants work through a simple scenario and then discuss specific aspects of the plan. For example, a fire is discovered out of working hours.

The exercise consumes only a few hours and is often split into two or three sessions, each concentrating on a different theme.

Business continuity planning - Medium exercises

A medium exercise is conducted within a "Virtual World" and brings together several departments, teams or disciplines.

A medium exercise typically lasts a few hours, though it can extend over several days. It typically involves a "Scenario Cell" that adds pre-scripted "surprises" throughout the exercise.

Business continuity planning - Complex exercises

A complex exercise aims to have as few boundaries as possible. It incorporates all the aspects of a medium exercise. The exercise remains within a virtual world, but maximum realism is essential. This might include no-notice activation, actual evacuation and actual invocation of a disaster recovery site.

While start and stop times are pre-agreed, the actual duration might be unknown if events are allowed to run their course.

Business continuity planning - Maintenance

The biannual or annual maintenance cycle of a BCP manual is broken down into three periodic activities:

• Confirmation of information in the manual, roll out to staff for awareness and specific training for critical individuals.
• Testing and verification of technical solutions established for recovery operations.
• Testing and verification of organization recovery procedures.

Issues found during the testing phase often must be reintroduced to the analysis phase.

Business continuity planning - Information/targets

The BCP manual must evolve with the organization. Activating the call tree verifies the notification plan's efficiency as well as contact data accuracy. Types of changes that should be identified and updated in the manual include:

• Organization structure changes
• Communication and transportation infrastructure such as roads and bridges

Business continuity planning - Technical

Specialized technical resources must be maintained. Checks include:

• Application security and service patch distribution

Business continuity planning - Testing and verification of recovery procedures

As work processes change, previous recovery procedures may no longer be suitable. Checks include:

• Are all work processes for critical functions documented?
• Have the systems used for critical functions changed?
• Are the documented work checklists meaningful and accurate?
• Do the documented work process recovery tasks and supporting disaster recovery infrastructure allow staff to recover within the predetermined recovery time objective?

Business continuity planning - Notes

• Elliot, D.; Swartz, E.; Herbane, B. (1999). Just waiting for the next big bang: business continuity planning in the UK finance sector. Journal of Applied Management Studies, Vol. 8, No, pp. 43–60. Here: p. 48.
• Intrieri, Charles (10 September 2013). "Business Continuity Planning". Flevy. Retrieved 29 September 2013.
• British Standards Institution (2006). Business continuity management – Part 1: Code of practice. London.
• British Standards Institution (2012). Societal security – Business continuity management systems – Requirements. London.
• Cabinet Office (2004). Overview of the Act. In: Civil Contingencies Secretariat, Civil Contingencies Act 2004: a short. London: Civil Contingencies Secretariat.

Business continuity planning - Bibliography

• Business Continuity Planning, FEMA. Retrieved June 16, 2012.
• Continuity of Operations Planning (no date). U.S. Department of Homeland Security. Retrieved July 26, 2006.
• Purpose of Standard Checklist Criteria For Business Recovery (no date). Federal Emergency Management Agency. Retrieved July 26, 2006.
• NFPA 1600 Standard on Disaster/Emergency Management and Business Continuity Programs, PDF (2010). National Fire Protection Association.
• United States General Accounting Office Y2k BCP Guide (August 1998). United States Government Accountability Office.

Business continuity planning - International Organization for Standardization

• ISO/IEC 27001:2005 (formerly BS 7799-2:2002) Information Security Management System
• ISO/IEC 27002:2005 (renumbered ISO17999:2005) Information Security Management – Code of Practice
• ISO/IEC 27031:2011 Information technology - Security techniques - Guidelines for information and communication technology readiness for business continuity
• ISO/PAS 22399:2007 Guideline for incident preparedness and operational continuity management
• ISO/IEC 24762:2008 Guidelines for information and communications technology disaster recovery services
• ISO 22301:2012 Societal security - Business continuity management systems - Requirements
• ISO 22313:2012 Societal security - Business continuity management systems - Guidance

Business continuity planning - British Standards Institution

• BS 25999-1:2006 Business Continuity Management Part 1: Code of practice

Business continuity planning - Others

• "A Guide to Business Continuity Planning" by James C. Barnes
• "Business Continuity Planning", A Step-by-Step Guide with Planning Forms on CDROM by Kenneth L Fulmer
• "Business Continuity Plan Design, 8 Steps for Getting Started Designing a Plan" by Richard Kepenach
• "Disaster Survival Planning: A Practical Guide for Businesses" by Judy Bell
• Harney, J. (2004). Business continuity and disaster recovery: Back up or shut down.
• Dimattia, S. (November 15, 2001). Planning for Continuity. Library Journal, 32–34.
• Exercising for Excellence (Delivering successful business continuity management exercises) by Crisis Solutions

Crisis management - Business continuity planning

When a crisis will undoubtedly cause a significant disruption to an organisation, a business continuity plan can help minimize the disruption.

Each critical function and/or process must have its own contingency plan in the event that one of the functions/processes ceases or fails; the business/organisation is then more resilient, which in itself provides a mechanism to lessen the possibility of having to invoke recovery plans (Osborne, 2007).

A note of caution when planning training scenarios: all too often simulations can lack ingenuity and an appropriate level of realism, and as a consequence potentially lose their training value.

Following a simulation exercise, a thorough and systematic debriefing must be conducted as a key component of any crisis simulation. The purpose of this is to create a link and draw lessons from the reality of the simulated representation and the reality of the real world. (Borodzicz, 2005).

The whole process relating to business continuity planning should be periodically reviewed to identify any number of changes that may invalidate the current plan. (Osborne, 2007).

Facility management - Business continuity planning

All organisations should have in place a continuity plan so that in the event of a fire or major failure the business can recover quickly. In large organisations it may be that the staff move to another site that has been set up to model the existing operation. The facilities management department would be one of the key players should it be necessary to move the business to a recovery site.

Emergency procedure - Business Continuity Planning

Business continuity planning may also feed off the emergency procedures, enabling an organization to identify points of vulnerability and minimise the risk to the business by preparing backup plans and improving resilience. The act of producing the procedures may also highlight failings in current arrangements that, if corrected, could reduce the risk levels.

For More Information, Visit:

• https://store.theartofservice.com/the-business-continuity-planning-toolkit.html

The Art of Service https://store.theartofservice.com