Friday, January 4, 2008

Business Continuity Planning

Natural disasters like Katrina and the recent fires in Southern California have underscored the need for business continuity planning. According to U.S. government agencies, up to 40% of businesses fail to reopen following a disaster.

Management has a responsibility to recover from such incidents in the minimum amount of time and the least amount of disruption to the business as possible.

Business continuity plans (BCP) are required to ensure that key business functions continue operating in the event of an emergency - not just IT systems. It is the responsibility of each division manager (HR, Customer Service, Manufacturing, etc.) to own and maintain the BCP as it applies to personnel, processes, and business operations within their areas of responsibility.

Business continuity planning has 5 major elements:

Business Impact Analysis and Risk Assessment
Recovery Solution Planning
Implementation
BCP Testing
Maintaining the plan

An essential element of BCP is the business impact analysis and risk assessment. If this first step is not completed properly the rest of the plan is likely flawed. Business impact analysis and risk assessment involves the process of identifying the critical functions necessary for the organization to continue business operations, assessing potential risks to the organization, defining and measuring controls in place to reduce exposure, and evaluating the cost of such controls.

Recovery solution planning takes into account attributes including the number of locations, distribution of personnel, nature of business, interdependency of processes, disaster scenarios planned for, and requirements for alternative sites. Minimally, your recovery plan should cover personnel, payroll, Accounts Payable and Receivable, and shipping.

Step three is implementation. It includes training the response team, preparing the documentation, collecting and storing supplies, creating emergency authorization procedures, and preparing the alternate work site. Basically, you’ll be doing everything in preparation for executing the next step - testing the plan.

Testing the BCP is often viewed as too much of a disruption to business to be valuable. If you think testing is too much of a disruption to your business, imagine the chaos, impact on customers, shareholder and public opinion, and impact on revenue when you encounter an event that you aren’t prepared for. Testing your plan ensures that your solution assumptions are correct, that the plan doesn’t have operational gaps, and that you have practice at managing through an event.

Businesses aren’t static and neither should be your plan. As your business evolves through mergers and acquisitions, new products, and new suppliers, your BCP should also evolve. Maintenance of your BCP is critical to how well your organization is prepared to handle the inevitable.

Additional resources:
http://www.drj.com/
http://www.ready.gov/business/plan/planning.html
http://www.dsw.net/

About the author
Rocky Vienna, CISA, is President and Founder of the Vienna Technology Group, LLC. Vienna Technology Group is an IT management and business consulting firm focused on IT Governance, Strategic Planning, IT Compliance, IT Outsourcing, and Business Continuity Planning.

No comments: