“A train rams into the second-floor conference room just before a meeting in the morning. It is just plain luck no-one is injured. The whole office building is evacuated due to risk of collapse.
During evacuation employees are instructed to also evacuate their laptops and personal belongings, if the situation allows and no immediate risk to human life is present. The company has ensured remote access capabilities in case the office becomes unavailable or employees are unable to come to the office. By following a tested and trained procedure the company is able to maintain the ability to continue business even if the office building is unavailable.”
Unfortunately, business continuity planning quite often gets the attention it needs only after a failure in incident management and recovery.
What is business continuity?
What is the difference between Business Continuity and Disaster Recovery planning? While Disaster Recovery documents the necessary actions to restore full or limited service during or after an incident, Business Continuity concentrates on describing the countermeasures against risks. A good example is a resilient network connection. If the main connection goes down, a backup connection is used to restore the full or limited service. The countermeasures must be evaluated against risks and measured against benefits and costs.
The Business Continuity plan is a set of documentation that states what the countermeasures are in different scenarios and how they are deployed. It must also contain all the procedures and instructions for end users on how the countermeasures are used. Quite often end users do not even notice that a countermeasure has been deployed, because it enables full service despite the fact that normal operations are interrupted. This is called full resilience.
Limited continuity is justified in some cases. If the main service is down, the limited service is often enough. Limited service is better than no service. Not all services require full continuity countermeasures.
Business continuity from the technology perspective
Normally ICT already takes continuity into account when building the infrastructure. Duplicated power supplies, hot-swap disks and RAIDs, resilient network connectivity, elimination of single points of failure etc. are normal and common practices when building the company infrastructure. The risks are mitigated with proper use of technology.
Unfortunately, even if continuity is considered while building the infrastructure, quite often the documentation is overlooked. Documents do not exist or are not updated accordingly. In addition, the management of the technical entities and the dependencies between them are not recognized.
Supply chains bring their own challenges into BCP. Usually it is not enough to look at the 3rd party, as the chain goes deeper, to 4th and even 5th parties. The constant lack of resources also brings its own difficulties into BCP. These are obvious challenges, bearing in mind that BCP is not a light process either.
A good practice is to consider the continuity element for each service in the service catalogue and ensure that the continuity is documented and reviewed frequently. Furthermore, the system chart can also include the continuity elements required.
Business continuity from the business process perspective
Even if technology allows quite substantial business continuity solutions, it is not enough in most cases. A continuity element must also be built into business processes.
The basic principle and an absolute prerequisite for BCP is that it is done in close co-operation with the business and is based on business requirements. Business processes must be evaluated and categorized based on their criticality. Therefore the process descriptions must also cover continuity, especially in cases where the process is dependent on service delivery.
The evaluation can be done through Risk Assessment. Countermeasures must be business justified and aligned on the basis of cost versus risk.
Risk assessment considerations
How to ensure proper continuity?
While it is vital to involve the business and find the proper correspondent to support the process, the planning can also be started at a low level by making sure that the existing documentation supports business continuity and that continuity elements are considered for all services.