12810612 business continuity planning

Upload: abgpug

Post on 07-Apr-2018


  • 8/6/2019 12810612 Business Continuity Planning

    1/87

    _______________________________________________________________

    Symbiosis Institute of Telecom Management, Pune 1

    TABLE OF CONTENTS

    1.0 INTRODUCTION

    2.0 BUSINESS CONTINUITY PLANNING
        2.1 Real Time Enterprise & BCP
        2.2 BC Components
        2.3 Evolution of BCP
        2.4 Creating Business Continuity Plans
        2.5 The Business Continuity Organisation & Policy

    3.0 PHASES OF BUSINESS CONTINUITY PLANNING
        3.1 Stages of BCP
        3.2 BC Models
        3.3 BCM & Strategic Planning
        3.4 Business Continuity Management & Organisational Culture
        3.5 Key Drivers for BCM Cultural Change
        3.6 BC Maintenance Process
        3.7 BC Audit Process
        3.8 Exercising BCM
        3.9 Maintenance of BCM
        3.10 Audit of BCM
        3.11 Deliverables

    4.0 DISASTER RECOVERY PLANNING
        4.1 Organising and Executing DR projects
        4.2 Business Impact Analysis & Goals
        4.3 Disaster Recovery Team
        4.4 Standardized sections of DR Plan
        4.5 Implementing Recovery Processes and Technologies
        4.6 Disaster Recovery Components
        4.7 Ensuring Continued Effectiveness of DR Plan

    5.0 BUSINESS CONTINUITY MANAGEMENT
        5.1 The BCP Process
        5.2 Crisis Classifications
        5.3 Crisis management Teams
        5.3 Availability of Specialist Support
        5.6 Conclusions

    6.0 LIVE PROJECT FOR LAWRENCE & ASSOCIATES
        6.1 Company Profile
        6.2 Objective
        6.3 Methodology
        6.4 Findings
        6.5 Recommendations

    7.0 Future Trends

    Annexure 1 Sample Questionnaire
    Annexure 2 Glossary


    CHAPTER 1

    INTRODUCTION

    According to some experts, Disaster Recovery and Business Continuity are two terms for advanced versions of the old data backup and recovery tricks practised by IT managers for many years. However, the solutions built around modern data storage technologies have transformed these basic data storage products into high-end, sophisticated systems.

    According to a recent survey done by KPMG to gauge the preparedness of Indian industry on business continuity management, the majority of Indian companies, including those in the information and telecommunication sector, do not have any BCM plan in place.

    Industry experts feel that the recent scare of war in the subcontinent, the recent Gulf War and the war against terrorism have renewed the security concerns of overseas companies, particularly after the September 11 episode. The companies that are already outsourcing to India, or are planning to outsource in the future, are now quite sensitive about security-related issues. Indian software and services companies are facing immense pressure from overseas clients to invest in business continuity and disaster recovery plans.

    Sanjay Dhawan, Executive Director, Information Risk Management, KPMG, confirmed, "The companies will be under pressure to comfort their clients. In fact, BCP has become a critical part of the delivery model and you cannot do business without it."

    According to the KPMG survey, 79% of the companies did not have a documented and tested BCM plan, and 64% of the companies that are highly dependent on IT do not have any plans in place to address business disruption risks. The survey also revealed that 64% of the organisations that responded have not envisaged any kind of alternate facility to ensure continuity of business in case of a major disaster, and 21% of the organisations were storing their entire backup data at on-site locations only.

    Ernst & Young Director of Information Systems Assurance and Advisory Services Sunil Chandiramani also agrees in this regard. "Companies will have to take up security concerns more seriously to reassure their clients," he said.


    This report analyses various issues related to Business Continuity Planning and Disaster Recovery Systems. Chapter 2 deals in detail with Business Continuity Planning. It also covers the BCP lifecycle, SLA management, and Business Continuity components, along with various issues in implementation. Asia Pacific market trends are also included. BCP phases are covered in detail in Chapter 3.

    Chapter 4 deals with Disaster Recovery Planning, including the Disaster Recovery architecture, Business Impact Analysis, risk assessment, DR strategies and the various phases in DR.

    Chapter 5 deals with Business Continuity Management. Chapter 6 includes a live business case implemented for a software services company based in Chennai by our research team. Findings and recommendations of the case are presented.

    Chapter 7 includes the conclusion and the future trends of the BCP solutions market in India and the Asia Pacific region.

    The Annexure includes the pre-assessment form for the case included in Chapter 6 and the Glossary.


    CHAPTER 2

    BUSINESS CONTINUITY PLANNING

    Business Continuity Planning means ensuring the continuity or uninterrupted provision of operations and services. Business Continuity Management is an on-going process with several different but complementary elements. Planning for business continuity is a comprehensive process that includes disaster recovery, business recovery, business resumption, and contingency planning.

    Business Continuity Planning, therefore, is a comprehensive process to ensure the continuation and improvement of business in the face of whatever challenges a firm may face. Continuity planning requires that these many processes be used together to create a complete continuity plan. The plan must be maintained and updated as business processes change.

    2.1 Real Time Enterprise and BCP

    Real time enterprises cannot afford to accept the risks associated with business continuity vulnerabilities because the consequences can be fatal. Business is moving faster than ever before, with real time enterprises concentrating on business process integration. There has been a significant reliance on partners in the value chain, with faster flows and immediate responses. Yet, less than 25% of the Global 2000 enterprises have invested in Business Continuity Planning and only 50% have fully tested disaster recovery plans. (Source: Gartner Symposium IT Expo 2002).

    In this tough environment, it is tempting to cut resources in business continuity planning. Many enterprises mistakenly view BCP as an insurance policy they will never need. Yet thousands of enterprises have invoked their recovery plans with SunGard and IBM BCRS over the past 10 years.

    Historically, BC was focussed on protection against unlikely but large events: fire, flood, and natural disasters. With real time enterprises, however, even the smallest interruption in service from a critical supplier or outside provider, or a potential business impact caused by the economy, can have serious business consequences. Those enterprises which have BCP are confident in their ability to adapt and survive, whatever the incident or situation facing them.


    2.2 BC Components

    The five components of Business Continuity Planning are disaster recovery, business recovery, business redemption, contingency planning and crisis management. The crisis management component addresses the management of the event, the plans to protect the employees, and the maintenance of confidence in the business regardless of the type of business interruption.

    The real time enterprise does not change the five components of BCP. However, it places more emphasis on the enterprise's contingency and crisis management plans because of the public nature of outages and the increasing reliance on external service providers for processing. It also shortens recovery point and time objectives towards real-time, 24 x 7 continuous availability.

    2.3 Evolution of BCP

    Business Continuity Planning has evolved significantly during the past 20 years. In the early 90s, BCP was IT disaster recovery, which provided protection from natural disasters and critical component failure by enabling recovery in another data center in about 72 hours. In the mid 90s, enterprises added business process protection, and recovery plans were developed. In the late 90s, as enterprises re-engineered their business processes from the year 2000 remediation perspective, it became apparent that traditional recovery plans with 72 hour recovery periods were not good enough. Thus, enterprises significantly increased their spending to gain recovery times of between 4 and 24 hours.

    The evolution toward e-commerce resulted in yet another discontinuity affecting BCP. For many real time enterprises, a 4 to 24 hour site outage would cause irreparable damage to the enterprise. Consequently, many enterprises are incorporating BCP into their business process, application and technology architecture designs and building in continuous 24 x 7 availability. Business continuity plans must now address new scenarios, and BC processes must integrate with a greater number of enterprise processes. One of the most important lessons learned is that people issues need to take center stage in planning: safety, communication and resiliency in workspace and process issues. As a result, crisis management plans and call trees are being created or updated, as are contingency plans regarding availability of outside service providers and partners.

    Disaster Recovery
        Objective: Mission critical operations
        Focus: Site or component outage (external)
        Deliverable: Disaster Recovery Plan
        Sample events: Critical server failure
        Sample solutions: Recovery site in different location

    Business Recovery
        Objective: Mission critical business process
        Focus: Site outage (external)
        Deliverable: Business Recovery Plan
        Sample events: Electrical outage in a building
        Sample solutions: Recovery site in a different power grid

    Business Redemption
        Objective: Business process workarounds
        Focus: Application outage (internal)
        Deliverable: Alternative Processing Plan
        Sample events: Credit authorization system down
        Sample solutions: Manual procedures

    Contingency Planning
        Objective: External event
        Focus: External behavior forcing change to internal
        Deliverable: Business Contingency Plan
        Sample events: Main supplier cannot ship due to its own problem
        Sample solutions: 25% backup of vital products; backup supplier

    Crisis management

    2.4 Creating Business Continuity Plans

    [Figure: BCP process. Labels: Change Management, Education, Testing, Review; Group plans and procedures; Risk reduction, Implement standby facilities; Create planning organisation, Recovery strategy; Risk Analysis, Business Impact Analysis. Source: Gartner]

    The foundation of BCP success is senior management sponsorship and participation. Another critical success factor is building BC into enterprise culture by weaving BC processes into the life cycle of every project and change management process. In the requirements phase, the Business Impact Analysis (BIA) identifies what the enterprise has at risk and which business processes are most critical, thereby prioritising risk management and recovery investments.

    The direct/indirect impact of business interruptions is assessed over time, resulting in requirements for recovery time and point objectives. Risk analysis identifies the enterprise's vulnerability to risks so that they can be mitigated in the project design phase. In the architecture and design phase, recovery strategies and processes are developed. When the cost of recovery is outside the project budget, enterprises most often go back to the business requirements to re-justify the investment or change the requirements. During construction, detailed plans and procedures are created by those responsible for daily operation of the processes. The recovery process must be tested prior to implementation to ensure that requirements can be met. A process is then established to keep the plan current by initiating a review of every change to business processes or systems.

    [Figure: Business Continuity Planning Initiation. Labels: Policy, Organisation, Resources, Scope]


    2.6 The BC Organisation and Policy

    BCP is an important cross-enterprise process, yet many enterprises do it poorly or inconsistently. Although it is clearly in the interests of enterprises to apply best practices to BCP processes, most struggle to marshal resources, support and focus.

    From a pragmatic perspective, there needs to be a formal organisation, ideally reporting to the head of risk management or the Chief Operating Officer.

    The BC organisation is responsible for setting policy and structure, compliance monitoring and status reporting. The BC manager, however, does not develop detailed recovery plans.

    All processes are dependent on each other, so there must be a coordination process and resources to make sure dependencies are dealt with, but also to share knowledge, best practice and resources. Most organisations organising business continuity management within IT fail to develop effective enterprise wide BC plans because of lack of credibility, funding or governance.

    [Figure: BC Organisation. Labels: Executive Sponsor; BC Steering Council; BC Manager; BC Team; Crisis Management; Damage Assess; IT DR Team; Bus. Process Team; Audit]

    BCP Policy

    Objective

    Ensure that critical business activities are maintained or restored as quickly as possible following a major disaster/failure affecting essential services/facilities.

    Maintain confidence in the business, internally and externally, following a disaster.

    Scope

    All work processes, computing systems, information and third party business partners, regardless of location.

    Responsibilities

    Information owners must ensure that:

        Critical processes are identified and prioritized.
        The potential impact of various types of disasters is regularly assessed.
        Responsibilities and emergency arrangements are defined.
        All procedures and responsibilities are documented.
        The BC Plan is communicated to all necessary individuals.
        The business continuity plan is regularly tested.
        The business continuity plan is correct, complete and up to date.

    Compliance

    Internal audit and the BCM will regularly monitor for compliance, including publication of test results.


    CHAPTER 3

    PHASES OF BUSINESS CONTINUITY PLANNING

    3.1 Stages of BCP

    Stage 1: Business Continuity Management Strategies

    Strategy is a broad and all-encompassing term. It usually refers to the formation of a vision and direction for an organization: setting mission statements and identifying markets and objectives so that the raison d'être of the organization can be achieved. In the context of BCM, it concerns the determination and selection of alternative operating strategies to be used to maintain the organisation's mission critical activities. Experience and good practice clearly identify that the early provision of an organizational (corporate) BCM strategy will ensure BCM activities are aligned with and support the organisation's overall business strategy.

    3.2 BC Models

    There are three basic Business Continuity Management models:

    Active/Backup model: This traditional BCM model is based on an active operating site with a corresponding backup site. This includes both data processing and operations. The model relies on relocating the staff from the active to the backup site and maintaining backup copies of technology and data.

    Active/Active (Split Operations) model: This emerging BCM model relies upon two or more widely separated (geographically) active operational sites for mission critical activities that inherently back up one another.

    Alternate site model: This BCM model provides a variation of the Active/Backup and Active/Active models where a backup site periodically functions as a primary site for a period of time.

    3.3 BCM & Strategic Planning

    When developing an organisation's (corporate) BCM strategy there are three levels of strategic planning that need to be considered:

        Organisation (corporate) BCM strategy
        Process level BCM strategy
        Resource recovery BCM strategy

    The current business trend of developing a virtual organization raises a number of specific issues that concern the intra-organisation sourcing and outsourcing of mission critical activities; in particular, the dependencies and single points of failure, and also the ability to provide alternative sources in the event of a catastrophic failure of the sourcing mission critical activity(ies) provider. This trend reinforces the need for three levels of strategic planning for Business Continuity Management.

    Organisation Business Continuity Management Strategy:

    It defines the highest level within which the BCM activities are aligned. Experience identifies that it is usually developed as an afterthought by most organizations, when a number of BCM approaches are already in existence and need to be incorporated in a cohesive and integrated BCM framework. The parameters regarding work area recovery must also be defined and agreed at this level of strategy. If the very future of an organization depends on timely provision of shared or subscription office accommodation, then these risks must be understood and agreed at the highest level.


    Process Level Business Continuity Management Strategy:

    Most organizations have adopted the concept of defining their mission critical activities in the context of products and services. This applies equally to mission critical activities of industrial or commercial industries, e.g. the financial sector. As a result, mission critical activities are not only products/services in their own right but also represent key systematic processes; in that sense they perform a dual role. This differentiation is not only important to BCM but also provides a clear statement of significance to other areas and also to an industrial or commercial industry on a global basis.

    Due to their nature, these mission critical activities are so important that they justify their own BCM strategy and planning. An example of a need for a process level BCM strategy is the Clearing House Automated Payment System (CHAPS), which provides for same-day, high-value financial payments processing within the financial services sector. In consequence of the complexity and settlement coupling of CHAPS, there is a specific detailed BCM strategy for the payments clearing system alone. A generic BCM system is simply not strong enough for a process where failure would cause severe liquidity problems and shake consumer confidence in the financial services industry.

    Resource Recovery Business Continuity Management Strategy:

    It defines the strategy to be employed for deploying appropriate resources as a part of the Business Continuity Plan (BCP). This type of strategy provides the practical link between Business Impact Analysis (BIA) and the development of Business Continuity Plans.

    When developing any level of BCM strategy, there are a number of strategic options that must be considered. These include:

    Do nothing: A low risk criticality and a do nothing BCM strategy may be acceptable within an organization's risk appetite.


    Processing transfer: The diversion of mission critical activity to another organization or an alternative part of the host organization, e.g. the high value/priority Bank Automatic Clearing Service (BACS) payments via CHAPS. Reciprocal agreements can work in some selected services, but due diligence must be taken while establishing this type of arrangement. Such arrangements must be enforceable and subject to testing via Service Level Agreements (SLAs) or formal contracts.

    Changing or ending the service, product function or process: Deciding to change or end a service, product function or process must be considered a part of the process strategy within the BCM process. This approach is most likely to be seen where a product has a limited life span.

    Insurance: Provides financial recompense/support in the event of a loss of reputation, market share and/or shareholder value and/or damage to the brand image. The organisation's brand image or reputation are generally recognized and frequently quoted as being of considerably higher value than all of the other organization/business assets, but are often overlooked in favor of short-term financial loss. Most organisations will have an increased cost of working policy that will usually cover invocation costs of BCM solutions. In addition, business interruption insurance can be provided, but this requires a detailed Business Impact Analysis to be performed in order to evaluate correctly the level of insurance cover purchased.

    Loss mitigation: The provision of risk control management (threats, impact and vulnerability) and action plans.

    Business continuity management: The improvement of an organization's business resilience to loss, disruption or interruption of its mission critical activities, their dependencies and single points of failure by providing for their continuation at an acceptable minimum level within the recovery time and recovery point objectives. This approaches the three continuity strategies to enable an effective and fit-for-purpose BCM acceptability.

    Organisation (Corporate) Business Continuity Management Strategy

    Introduction

    An organizational (corporate) BCM strategy is key to positioning and advancing business continuity. Most organisations require BCM to be designed and implemented within the organization's design and structure, i.e. a top-down framework where BCM policy and strategy provide vision and direction.

    An organizational (corporate) BCM strategy is a living document that encompasses and unifies other BCM related activities.

    In developing the process level and resource recovery BCM strategies, reference should be made to the organizational (corporate) BCM strategy, as there are clear dependencies and a direct transition between invocation of one progression to the other(s).

    Purpose

    The purpose of an organizational (corporate) Business Continuity Management strategy is to provide a clearly defined and documented policy, framework and operational direction to ensure the resilience and continuance of an organization's mission critical activities, their dependencies and single points of failure.


    Process Level Business Continuity Management Strategy:

    Introduction

    Every organization should, as a matter of good business practice, have defined and identified its mission critical activities via a Business Impact Analysis. This maxim applies equally to systematic mission critical activities of industrial or commercial industries, e.g. financial markets. Consequently, mission critical activities are not only products/services in their own right but can also represent key systematic processes of an industry that are critical to customer service and the stability of a particular industry itself. In this sense, they perform a dual role. The global nature of modern businesses, their (automated) processes and high reliance on technology, together with their coupling and complexity, illustrates the catastrophic potential and scale of the business impact consequent upon the failure of systematic mission critical activities.

    This differentiation is not only important to business continuity management but also provides a clear statement of significance to other areas of an organization, e.g. audit, operations, risk and information technology security, and also to an industrial or commercial sector, e.g. regulators and federal banks.

    Examples of mission critical activities at an organization level (services/products) and/or of a systematic nature at both a national and international level include:

        Financial payments processing and clearing
        Just in time (JIT) supply chain
        Data centers
        Call centers


    Due to the very nature and significance of these mission critical activities (processes), each must have its own recovery strategy. This provides a clear statement of how the organization/industry will provide protection and BCM that reflects both types of mission critical activity.

    In determining the process level BCM strategies, reference must be made to the organisation (corporate) BCM strategy as they have a direct relationship.

    Resource Recovery Business Continuity Management Strategy

    The resource recovery business continuity management strategy will of necessity have a major influence on the business continuity plan for each mission critical activity, its dependencies and single points of failure. It is directly linked to the Business Impact Analysis (BIA), e.g. if work area recovery is necessary, then the strategy must evaluate and document specific parameters for:

        Dedicated work area: scale, location and nature (in-house to third party)
        Syndicated or subscription work area: scale, subscription ratio, exclusion zone, etc.
        Business response/cold work area: scale, subscription ratio, exclusion zone, etc.
        Mobile recovery solutions: build time, scale, subscription ratio, exclusion zone, etc.


    In determining the resource recovery BCM strategy, reference must be made to both the process level BCM strategy(ies) and the organisation (corporate) BCM strategies.

    Purpose

    The purpose of a resource recovery Business Continuity Management strategy is to provide a predetermined level of resources within a Business Continuity Plan (BCP) to enable the implementation of the organization (corporate) BCM strategy and process level BCM strategy.

    Stage 2: Develop and Implement a Business Continuity Management Response

    Introduction

    Crises and Business Continuity Management (BCM) events have historically centered upon physical threats to geographic sites, buildings, people, mission critical activities and their dependencies, regardless of size or location. However, as organizations, business and communications dynamics change, so do the types of threats facing organizations. Whilst still exposed to physical threats, an organization is even more exposed to reputation threats: attacks on its brand image. Consequently, an organization's reputation, image and brand are judged by media, market, stakeholders and regulators upon its ability to effectively manage a crisis or business continuity event and continue to provide business-as-usual services and products. The inability to fulfill these aims, or a badly positioned or wrongly perceived media response, can result in a negative image and an increased negative media profile. These in turn may lead to regulatory, stakeholder or market pressures through concerns over the effectiveness of the organisation's crisis and/or BCM competence and capability.

    As far as is reasonably possible, the different types of BCM and crisis management plan(s) predefine the actions that are necessary and the resources needed to achieve the objectives of the plan. The steps outlined in the plan are not intended to provide an exhaustive list or cover every eventuality, as by their nature all events and crises are different. Consequently, the predefined procedures are not to be interpreted as the only course of action, as it is recognized there may be an exceptional case where they may need to be modified to meet the needs of a specific business continuity or crisis event.

    There are primarily three types of Business Continuity Management plan that may

    also be divided into a number of sub plans, e.g., Communications.

    Business Continuity Plan

    Business Continuity Resource Recovery and Solutions Plan

    Crisis Management Plan.

    The content and level of detail within each type of plan is dependent upon the nature,

    scale and complexity of the organization and based upon its risk profile, appetite and

    the environment in which it operates.

    A Business Continuity Management and Crisis Management Plan include a number

    of key constructs that include:

    Databases

    Documents

  • 8/6/2019 12810612 Business Continuity Planning

    19/87

    Symbiosis Institute of Telecom Management, Pune 19

    Solutions

    Time based Objectives

    Tasks and activities required to achieve time-based objectives.

    Procedures/Processes. Information

    Structure

    Teams

    There are two main components to delivering an effective and fit-for-purpose

    Business Continuity plan and Crisis Management Plan and their supporting

    capability:

    The formulation of business continuity/crisis solutions, logistics and structure

    that support the plan.

    The development and documentation of the plan itself.

    A further critical factor in development of all different types of BCM plans is their

    exercising, rehearsal and testing. In particular, no plan should be considered

    complete until it has been exercised, rehearsed, tested and signed-off as effective

    and fit-for-purpose by the plan owner and the organisations executive/senior

    management. This latter aspect further highlights the critical element of competency

    of human resources that enables the effective capability of the whole process.

    Business Continuity Plan: addresses business disruption, interruption and loss from

    the initial response to the point at which normal business operations are

    resumed. They are based on the agreed business continuity strategies and provide

    procedures and processes for both business continuity and resource recovery

    teams. In particular, the plans allocate the roles and their accountability,

    responsibility and authority. The plans must also detail the interfaces and principles

    for dealing with a number of key issues e.g. internal/external communications, key

    suppliers, external bodies, emergency services and the media.


    Business Continuity Recovery Solutions and Plan: concerns a number of BCM

    resources, solutions and approaches available to the BCM practitioner e.g. technical

    IT recovery (Server, WAN, LAN, etc.), work area recovery, offsite storage.

    Crisis Management Plan: is usually developed by large corporate organizations. It

    defines how the strategic issues of a crisis affecting the organization would be

    addressed and managed. This component is vital in large and corporate

    organizations to ensure there is a robust and cohesive response to any crisis. This

    same crisis management response process and structure can be applied to any type

    of crisis and is not restricted to natural crisis situations, e.g. earthquake, tornado, fire

    or flood, but extends to man-made business and industrial crises, e.g. hostile take-over, credit

    risk, reputation risk, environmental pollution, criminal activity and health.

    Stage 3: Building and Embedding E-Business Continuity Management Culture

    Introduction

    The successful embedding of a Business Continuity Management (BCM) culture

    within an organization is primarily dependent upon it becoming an integral part of the

    strategic and day to day management ethos in contrast to its traditional organisation

    (corporate) culture concerns the deep seated and embedded beliefs and values held

    by members of an organisation and its strength should not be overlooked or

    dismissed lightly. Organisational culture promotes shared values, operating norms,

    styles and regularly pursued patterns of behavior and is frequently described as the

    "way to do things around here" or "what we have to do to get on".

    3.4 Business Continuity Management & Organisational Culture

    Achieving cultural change is a difficult and lengthy process. It needs to be fully

    understood and can encounter a level of resistance that should not be underestimated. The use of education, awareness training and participation have all been used to

    effect cultural change.

    The documentation of a BCM strategy(ies) and plan(s) represents a narrow and

    limited method of developing a BCM culture. The overall success depends upon

    a number of approaches.

    A key element in developing a sustainable BCM culture within an organisation is the

    preparation and delivery of a programme to create corporate awareness and

    enhance the skills, knowledge and experience required to implement, maintain,

    manage and execute Business Continuity Management.


    Equally important in establishing a BCM culture and operating environment is the

    vision statement and visible proactive support of the organization's executive, senior

    and middle management. Whilst commitment from the top is an essential condition

    for developing a BCM culture, it is not sufficient. The key requirement is to win over the middle managers and operational staff who have to implement Business

    Continuity Management.

    A further key consideration is that BCM should not be presented as solely a facilities

    or IT specialist concern; otherwise ownership is actually and culturally seen as being within

    these areas in contrast to the various parts of the organization where the operational

    risk originates and should continue to reside.

    It is also essential to commit to periodically maintaining and reviewing the

    organisation's BCM policy, strategies, plans, framework and solutions or the

    investment made in its preparations will have been wasted. Similarly, training and

    awareness must be undertaken to ensure that the entire organisation is confident,

    competent and capable. All individuals must appreciate and recognize the

    importance of BCM in an organisation and

    their role within it.

    This awareness should extend to those shareholders and third parties (sourced

    service providers) upon which the organisation depends in normal and crisis

    situations. In adopting this change management approach, all those associated with

    the organisation can have confidence in its ability to manage a crisis, and the

    embedding of a successful culture will begin.

    Purpose

    The purpose of building and embedding a sustainable Business Continuity

    Management culture within an organisation is to ensure that BCM becomes an

    integral part of strategic and day-to-day business as usual operational

    management.


    Outcomes

    The outcomes from a training, awareness and cultural development programme

    include:

    The acceptance and implementation of BCM as a professional management

    discipline.

    An organizational culture that ensures BCM activities and considerations are

    integral to the business as usual activities throughout the organisation at all

    levels.

    The proactive hands-on promotion of BCM by the organisation's executive,

    senior and middle management.

    An organizational, managerial and staff BCM competence to execute the

    organisation's BCM strategy.

    An awareness and understanding by the organisation's management and staff

    of the importance of BCM and their roles, accountabilities and authorities

    within it.

    An ongoing BCM education and awareness programme.

    A performance management and appraisal system that explicitly recognizes

    and reinforces the importance of BCM.

    Job descriptions and associated skills that include BCM at all levels within the

    organisation.

    A rewards and recognition system that explicitly recognizes and reinforces the

    importance of Business Continuity Management.

    An ongoing programme of BCM training for those directly involved in the

    implementation, maintenance and execution of the organisation's BCM capability.

    A clearly defined and documented management information system to monitor

    and evaluate the BCM awareness and competency of the organisation's staff

    and managers.


    3.5 Key Drivers for BCM Cultural Change

    The key components in developing and embedding a Business Continuity

    Management culture include:

    A clearly defined and documented BCM vision and policy statement agreed

    and signed off by the organisation's executive/senior management.

    A clearly defined, documented and published BCM vision implementation

    (change management) project plan agreed and signed off by the organisation's

    executive/senior management.

    Financial and other resources to implement the BCM vision project plan.

    Financial and other resources to enable professional BCM training and

    associated education.

    A clearly defined and documented BCM education and awareness

    programme agreed and signed off by the organisation's executive/senior

    management. This should facilitate and enable the organisation-wide

    understanding of the organisation's BCM strategy, in particular awareness of

    why BCM is important and their individual roles, accountability, responsibility

    and authority within the BCM process. The awareness programme should

    include all organizational staff and key external stakeholders e.g. key

    customers and suppliers.

    Rewards and recognition is one of the methods that can exert influence upon

    what is seen as important and how it is done. In particular, it makes explicit

    to individuals and groups what the organization sees as important.

    Performance management and appraisal systems are a further process that

    can exert influence on what is seen as important by the organization. The way

    that individual and group performance is measured is of particular importance.

    When performance measurement is linked to performance appraisal, it

    acquires a systematic and hierarchical perspective. When performance and its

    measurements are aligned to rewards and recognition, it provides a strong

    incentive. This process ensures the active involvement of managers and staff


    at all levels of the organization, especially the operational middle management

    who have to implement and maintain Business Continuity Management.

    A clearly defined and documented BCM awareness programme agreed and

    signed-off by the organization's executive/senior management.

    A clearly defined and documented internal and external awareness and

    education communication and public relations programme agreed and

    signed-off by the organisation's executive/senior management.

    A clearly defined and documented BCM exercising programme agreed and

    signed-off by the organization's executive/senior management.

    A clearly defined and documented BCM maintenance programme agreed and

    signed-off by the organization's executive/senior management.

    A clearly defined and documented BCM audit programme agreed and

    signed-off by the organization's executive/senior management.

    Professional BCM trainers.

    Professional change management facilitators/team.

    Frequency And Triggers

    An organization's Business Continuity Management awareness, training and

    cultural development programme is an ongoing process. However, there are

    specific events that should determine its frequency or trigger its review. These

    include:

    The performance and appraisal process.

    The BCM maintenance and review process.

    The BCM audit process.

    Formal induction process for all new staff and managers.

    The exercising, rehearsal or testing of the BCM competence and

    capability.

    Live invocation of the BCM process.


    Where the pace of business change is particularly aggressive.

    Deliverables

    The deliverables of Business Continuity Management training, awareness and

    cultural development process include:

    A clearly defined and documented BCM vision and policy statement

    agreed and signed-off by the organisation's senior/executive management.

    Business Continuity Management awareness aide-memoires.

    A clearly defined and documented management information report

    concerning the monitoring and evaluation of the BCM awareness of

    the organisation's staff and managers.

    Stage 4: Exercising, Maintenance And Audit.

    Exercising

    An effective fit-for-purpose Business continuity Management (BCM) competence and

    capability cannot be considered reliable until it has been exercised and proven as

    workable, especially since false confidence may be placed in its integrity.

    Consequently, exercising the Business continuity Plan assumes considerable

    importance in establishing the BCM competence and capability of an organization.

    Exercising can take various forms, from a technical test of the communication

    system or a desktop walkthrough to a full live exercise. No matter how well designed

    and thought-out a BCM strategy or Business Continuity Plan, a series of robust and

    realistic exercises will identify issues that require attention. In addition to suggesting

    a perfect plan, flawless exercising also suggests that the adequacy and realism of the

    exercising needs to be challenged and reviewed.

    Time and resources spent in exercising BCM strategies and Business Continuity Plans are crucial parts of BCM as they enable competence, instill confidence and

    knowledge that lead to fit-for-purpose BCM capability that is essential at times of

    crisis and uncertainty.

    Highly automated systems require high reliability and should be designed to be tested

    routinely in the course of normal operations. These tests may be invisible to

    customers and operations staff alike. Testing such systems may entail switching off

    items of equipment to monitor any service effects or transferring service to another

    location without any or very limited service impact. There should be no sense of

    crisis or diverting of resources to testing. It should all be catered for in the design of

    business as usual.

    3.6 BC Maintenance Process

    Most organizations exist in a dynamic environment and are subject to change in

    people, process, market, risk environment, geography, and business strategy.

    In essence, to retain its effectiveness, BCM must be vigorously maintained. In particular, maintenance

    ensures the continuity of competent and capable key people who clearly understand

    their BCM roles and responsibilities to implement the BCM strategies and Business

    Continuity Plan in the event of an incident occurring.

    A clearly defined and documented BCM Maintenance programme and process must

    be established. Further, effective documented change control procedures must be

    implemented to ensure relevant stakeholders have the current and relevant parts of

    the Business Continuity Plan. Business Continuity Management maintenance

    activities should be agreed and proactively supported by senior management, and

    undertaken at all levels at which it is managed within an organization.


    3.7 BC Audit Process

    The BCM audit process also plays a key role in ensuring that an organization has

    robust, effective and fit-for-purpose BCM competence and capability. It has five key

    functions:

    1. To independently verify and validate compliance with the organisation's BCM

    and Crisis Management policy, strategies, framework and good practice

    guidelines and/or standards adopted by the organization.

    2. To independently review the organisation's BCM solutions.

    3. To independently verify and validate the organisation's BCM and crisis

    management.

    4. To independently verify and validate that the key exercising and maintenance

    activities are taking place, in line with the relevant programs, processes and

    the organisation's BCM and crisis management framework and good practice

    guidelines and/or standards adopted by the organization.

    5. To highlight key material deficiencies and issues and ensure their resolution.

    3.8 Exercising BCM

    The development of BCM competency and capability is achieved through a

    structured and consistently applied exercising programme. To be successful, an

    exercising programme must begin simply and escalate gradually. It is also important

    that only the resources that are planned to be available during the actual business

    continuity event are available during the exercise. The adoption and application of

    a structured and systematic approach to the

    development and implementation of an exercising programme will promote a greater

    understanding of the functioning of the BCM processes by all individuals associated

    with it.

    Exercise

    An act of employing or putting into use.

    Training

    Rehearsal

    A practice or drill

    Test

    A means of examination, a trial or proof.

    A pass or fail situation. Failure in the testing context must not be seen as a

    negative result. It is designed to ensure learning and continuous improvement.

    As a result, failure is considered a positive or beneficial outcome.

    3.9 Maintenance of BCM

    In contrast to many narrow plan based Business Continuity management models, the

    BCM maintenance process is about maintaining the whole of an organisation's BCM

    competence and capability and not just the Business Continuity plan. This critical

    distinction is frequently overlooked by the organizations that consider BCM to be a

    Business Continuity Plan.


    The Business Continuity management Maintenance programme is concerned with a

    complex BCM process and requires interaction with a wide range of managerial and

    operational roles from both a business and technical perspective.

    3.10 Audit of BCM

    A key focus and maxim in the auditing of an organisation's Business Continuity

    Management capability is the audit of the BCM process and consequently the BCM

    competence and capability. This approach recognizes and assumes that if the

    process is correct and properly applied, then the outcome should provide an effective

    and fit-for-purpose BCM competence and capability.

    The business continuity management audit, like BCM planning, implementation and maintenance, is concerned with a complex process and requires interaction with a

    wide range of managerial and operational roles from both a business and technical

    perspective.

    A key issue is the role and perspective of the auditor and audit function; it is one of

    impartial review against defined standards. Whilst the audit(or) may be fully

    aware of and/or identify the reason for BCM shortcomings and organizational difficulties,

    an audit has no option but to clearly identify the BCM competence and capability

    gaps; this is an integral part of the objective of auditing and non-compliance is

    unacceptable. An integral part of the audit is to provide remedial recommendations.


    A further key consideration is that each stage of BCM life cycle may require a

    different audit approach. This audit approach is solely dependent on the maturity of

    each stage of the BCM life cycle i.e. none, novice, intermediate, advanced and

    mature.

    Consequently the traditional proactive audit process should be seen as an enabling

    process to achieve a particular management objective(s).

    Purpose

    The purpose of BCM audit is to scrutinize an organisation's existing BCM

    competence and capability; verify them against predefined standards and criteria and

    deliver a structured audit opinion report.

    Stage 5: Business Continuity Management: Programme Management

    To be truly effective, business continuity management must be a business as usual

    management process driven from the top of the organisation. It has to be clearly set

    out in an organisation's vision statement that is fully endorsed and actively promoted

    by the Board or the Executive committee.

    A member of the board or the executive should be given overall accountability for the

    effectiveness of the BCM competence and capability. This ensures that a BCM

    programme is given the correct level of importance within the organisation and a greater

    chance of effective implementation. The Financial Services Authority (FSA)

    considers that BCM is a cost of doing business and needs to be funded properly.


    Dependent upon the size of the organisation, a number of professional BCM

    practitioners and staff from other management disciplines and departments may be

    required to support and manage the program albeit this may use a virtual

    management structure. A further consideration is the recognition and need to manage the BCM programme at both operational and organisational levels.

    It is also critical at the genesis of the organization's BCM programme to design and

    fully integrate the management process and structure to assure the various elements

    identified and described within the BCM lifecycle and Business Continuity Institute

    Good Practice Guidelines.

    A key to successful management of a BCM programme is the early appointment of

    clearly defined and documented roles, accountabilities, responsibilities and

    authorities within an organisation and is done because it adds value not just because

    it is required by regulation or legislation.

    3.4 Purpose

    The purpose of management process is to provide effective and efficient ongoing

    (virtual) management and assurance (performance management) of the

    organisation's BCM (including crisis management) programme.

    3.5 Outcomes

    The outcomes of BCM (including crisis management) programme management

    include:

    The assurance of provision and maintenance of an effective, up-to-date and fit-

    for-purpose BCM competence and capability.


    The overall management of organisation's BCM programme is effective, efficient

    and fit-for-purpose.

    A management process that is an integral part of the organisation's BCM

    programme and life-cycle.

    Business managers within the organisation are fully aware that BCM is a part of

    their business as usual management; accountability for BCM remains firmly within

    a business line, i.e. it cannot be outsourced.

    The robust and ongoing challenge and review of organisation's risk profile and

    appetite.

    The provision of annual BCM budget bid/audit.

    Assurance that BCM is undertaken and based on value based management

    principles.

    A management information system that provides details of the current state of the

    organisation's BCM programme.

    The focus of BCM upon organisation's mission critical activities, their

    dependencies and single points of failure at a product and service level.

    The BCM is based on end to end (E2E) approach in the context of product and

    service delivery.

    The optimizing of BCM companies efficiencies e.g. common infrastructures,

    industry collaboration and standard work area recovery solutions.

    The optimizing of business process, product and service resilience availability.

    Assurance that organisation's BCM policy, strategies and operational framework

    are up-to-date and fit-for-purpose.

    Assurance that the suppliers of the organisation's mission critical activities

    and/or their dependencies have an effective, up-to-date and fit-for-purpose BCM

    capability.

    Assurance that all new projects are not signed-off without a business impact

    analysis and BCM strategy being in place.

    3.11 Deliverables


    The deliverables of the management of the organisation's business continuity

    management programme include:

    A clearly defined and documented management programme in respect of the

    organisation's BCP programme that is agreed and signed-off by the organisation's executive/senior management.

    Business continuity management assurance reports at a predetermined

    frequency that are agreed and/or signed-off by organisation's executive/senior

    management.

    The BCM programme annual budget bid and audit reports that are agreed and

    signed-off by organisation's executive/senior management.


    CHAPTER 4

    DISASTER RECOVERY PLANNING

    [Figure: disaster recovery project process. Labels: Change Management, Education, Testing, Review; Backup/Recovery Processes, Documentation, Standby Facilities; Downtime Impact, Critical Applications, Recovery Times; Recovery Strategy/Technology; Implementation; Test; Maintain; Ongoing Process]

    [Figure: planning phases and the question each one answers]

    Risk Assessment: Is our Business Continuity Program sound?

    Business Impact Analysis (BIA): What is essential to the survival of the business?

    IT Recovery Strategy Development: Does the IT recovery strategy support what's essential?

    IT Disaster Recovery Plan (DRP): Is the IT disaster recovery plan complete & executable?

    Business Continuity Plan (BCP): How do we continue to deliver products & services after disruption?

    Plan Maintenance: How do we keep our plans up-to-date and executable?

    4.1 Organising and Executing Disaster Recovery Projects

    Establish baseline by determining "as-is" position

    Identify business recovery time objectives

    Identify strengths and weaknesses

    Conduct gap analysis for risk mitigation

    Identify process improvement alternatives

    Develop short-term and long-term risk-mitigation strategies

    Develop "to-be" position

    Develop implementation plans

    The first steps of a disaster recovery project are executed as part of a broader business continuity effort. The business continuity planning initiation phase defines the project scope and goals, defines initial organizational responsibilities and assigns the resources required to undertake a business impact analysis. The BIA quantifies the risks and costs of various types of outages and provides the information needed for subsequent project steps. The BIA identifies critical applications, recovery time objectives and recovery point objectives. Once these are known, the project work to determine a recovery strategy and the appropriate technology can be completed.

    The implementation phase focuses on the deployment of the backup processes needed to support the recovery strategy and building and documenting the administrative processes that will support business continuity. The next stage is iterative testing and improvement. This is followed by a maintenance phase that requires good change management processes, process integration with the application development cycle and periodic testing.

    4.2 Business Impact Analysis Goals

    There are three major goals for the business impact analysis phase: 1) identification of the processes that are critical to the profitability and continued viability of the business, 2) quantification of the financial and operational impact of an outage over time and 3) a determination of the recovery priority, recovery time and recovery point for each application that supports a critical business process. The business impact analysis is extremely important because it establishes a business context for disaster recovery. An effective BIA can move disaster recovery from a back office IT expense to a strategic project required to ensure the long-term viability of an enterprise. All too often, the IS organization is given a disaster recovery budget and is left to make most of the decisions. The BIA puts funding and priority decisions in the right place with the business process owners. It can also generate the project support and funding needed to implement and maintain an effective disaster recovery program.

    A comprehensive BIA examines all implications of an outage. The cost of an outage will vary depending on the processes involved, the competitive environment and the length of the outage. Costs can be incurred from lost sales productivity and cancelled orders. Regulatory, legal, insurance and contractual exposures also need to be considered.

    Many industries are facing an increased burden of regulatory requirements in this area. The Gramm-Leach-Bliley Act, the Expedited Funds Act and SAS70 audits all require effective business continuity plans for the financial services and banking industries.

    Enterprises seeking business disruption insurance must submit to the evaluations and audits of the insurance industry. A BIA can highlight a downward spiral of lost revenue, shrinking cash flow, increased expenses and a loss of shareholder confidence that could threaten the viability of the business.

    Once the impacts of a business disruption are modeled, the next steps are to: 1) identify the applications that support critical business processes, 2) determine a recovery time objective for each critical application and 3) determine the recovery point objective. Once this information is organized, applications can be assigned to recovery tiers that bracket recovery time requirements. This exercise is important because it enables an enterprise to focus spending and effort on the most critical business processes. Enterprises that do not develop recovery tiers may find that the disaster recovery program is either too expensive or does not deliver the required level of service to some applications or business areas.

    It is very important to express the business impact assessment simply, in summary form, and in terms that are meaningful to business areas. This is a sample of a high level summary by application that expresses financial impact, service impact, legal/contractual impact and the resulting recovery priority. It is useful to define three or four recovery priorities. For example, priority 1 applications must be recovered in the first 24 hours, priority 2 applications within four days and priority 3 applications within 10 days.

    The key to effective risk-mitigation strategy development is knowing where we are today, knowing what our exposures are, understanding what the business impact is, knowing what the business requirements are from a recovery point and time position, knowing that the recovery strategies that have been developed truly support these business requirements, understanding where our gaps are and what needs to be done in order to position our company to being able to effectively recover all mission critical processes and functions required for business resumption. Effective recovery strategy development can be accomplished utilizing numerous technical strategies to achieve recovery time objectives (RTOs) and recovery point objectives (RPOs) that can be implemented in a cost effective manner. Many companies that do not perform this function well end up spending more money than they should and more than likely still have gaps in their processes.
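The tiering and gap analysis described above can be sketched in code. This is an added example, not part of the original document: it assigns each application a recovery priority using the 24-hour, four-day and 10-day limits from the text, then flags where the current backup interval, the last exercised restore time or a dependency cannot support the stated RTO/RPO. The application names, field names and sample figures are constructed, and the dependency check goes one step beyond the text.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Recovery priorities as given in the text: priority 1 within 24 hours,
# priority 2 within four days, priority 3 within 10 days.
PRIORITY_LIMITS_HOURS = [(1, 24), (2, 4 * 24), (3, 10 * 24)]


@dataclass
class Application:
    name: str
    rto_hours: float              # recovery time objective agreed with the business owner
    rpo_hours: float              # recovery point objective (tolerable data loss)
    backup_interval_hours: float  # time between recoverable copies today
    tested_restore_hours: Optional[float] = None  # last exercise result; None = never exercised
    depends_on: List[str] = field(default_factory=list)


def assign_priority(rto_hours: float) -> Optional[int]:
    """Map an RTO onto the recovery priorities; None if it exceeds 10 days."""
    for priority, limit in PRIORITY_LIMITS_HOURS:
        if rto_hours <= limit:
            return priority
    return None


def find_gaps(app: Application, catalogue: Dict[str, Application]) -> List[Tuple[str, str]]:
    """Return (code, explanation) pairs where the as-is position misses the objectives."""
    gaps = []
    # Worst-case data loss equals the time since the last recoverable copy.
    if app.backup_interval_hours > app.rpo_hours:
        gaps.append(("RPO", f"copies every {app.backup_interval_hours}h, RPO is {app.rpo_hours}h"))
    # A recovery time that has never been exercised is unproven, not met.
    if app.tested_restore_hours is None:
        gaps.append(("UNTESTED", "recovery has never been exercised"))
    elif app.tested_restore_hours > app.rto_hours:
        gaps.append(("RTO", f"restore took {app.tested_restore_hours}h, RTO is {app.rto_hours}h"))
    # An application cannot be back before the services it depends on.
    for dep_name in app.depends_on:
        dep = catalogue.get(dep_name)
        if dep is None:
            gaps.append(("DEPENDENCY", f"{dep_name} is not covered by the BIA"))
        elif dep.rto_hours > app.rto_hours:
            gaps.append(("DEPENDENCY", f"{dep_name} has RTO {dep.rto_hours}h, longer than {app.rto_hours}h"))
    return gaps


def build_summary(apps: List[Application]) -> List[dict]:
    """Per-application summary, most urgent first."""
    catalogue = {a.name: a for a in apps}
    rows = [
        {
            "name": a.name,
            "priority": assign_priority(a.rto_hours),
            "rto_hours": a.rto_hours,
            "gaps": find_gaps(a, catalogue),
        }
        for a in apps
    ]
    rows.sort(key=lambda r: (r["priority"] if r["priority"] is not None else 99, r["rto_hours"]))
    return rows


# Constructed sample BIA output (illustrative values only).
SAMPLE_BIA = [
    Application("intranet-wiki", rto_hours=240, rpo_hours=48,
                backup_interval_hours=24, tested_restore_hours=100),
    Application("payroll", rto_hours=96, rpo_hours=24, backup_interval_hours=24),
    Application("customer-db", rto_hours=72, rpo_hours=4,
                backup_interval_hours=24, tested_restore_hours=30),
    Application("order-entry", rto_hours=8, rpo_hours=1, backup_interval_hours=0.25,
                tested_restore_hours=6, depends_on=["customer-db"]),
]

if __name__ == "__main__":
    for row in build_summary(SAMPLE_BIA):
        codes = ", ".join(code for code, _ in row["gaps"]) or "none"
        print(f"P{row['priority']}  {row['name']:<14} RTO {row['rto_hours']:>5}h  gaps: {codes}")
```

In the sample, the priority 1 application passes its own backup and restore checks but still fails, because the database it depends on carries a 72-hour RTO.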


    4.3 Disaster Recovery Team

    A broad team is needed to develop and implement a disaster recovery plan. The application users and business process owners need to be involved and informed, because they are the major stakeholders and because they have the risks that need to be mitigated. The customer team needs to be involved in disaster recovery planning and testing, since the end user is the ultimate judge of application function and data integrity. Application development and support areas need to help with high-availability architectures and the development of application recovery strategies. The system software group is responsible for developing backup and recovery processes for operating systems.

    [Figure: disaster recovery team organization chart. Disaster Recovery Director; Customer Team, IT Team, Management Team; Security, Application Development, IT Operations, Systems Software, System Administration, Telecom, Hardware, Facilities]


    Systems administration ensures that systems can be customized for specific use and that the requisite user definitions are recoverable. IT operations plays a major role in both the development and ongoing execution of the system and application backup and recovery strategy. Network, hardware and facilities engineering groups are also needed to ensure the recovery of necessary IT infrastructure components. We also think that it is a good idea to make the disaster recovery position a 12 to 18 month assignment. The advantage is a build-up of trained disaster recovery managers within the organization over time.

    It is imperative that the plan development be generated utilizing a software tool designed for disaster recovery and business continuity plan generation in order to simplify the plan maintenance and updating. There are numerous software packages in the industry today that perform this task quite well and offer relational database technologies for porting and exporting of information via automation techniques. The most important element of a successful plan is that the recovery steps are documented in such detail that technical knowledge and special expertise are not required during execution of the documented steps. A common problem area that exists today in many companies is that they simply create a plan to satisfy an audit item and never truly validate or test the plan to see if it is executable. A lesson learnt from September 11th is that it is not wise to learn that our plans don't support the business recovery efforts during or following a disaster event. Test and validate our plans as part of our recovery strategies.

    4.4 Standardized sections of DR Plan

    Policy

    Overview

    Recovery Actions

    Team Procedures

    Command Post Guidelines

    Organization

    Notification List

    Recovery Strategy

    Offsite Data


    Hardware Configuration

    Software Configuration

    Network Configuration

    Damage Assessment

    Vendors / Phones

    Although the goal of DRP is to recover critical applications, the scope of the project must encompass every IT infrastructure element on which the application depends. Recovery facilities are needed at an appropriate distance from the primary site. The facility needs to be independent of the risks that are being mitigated, and the appropriate distance will vary based on a number of factors. Arrangements must be made to provide required common systems services such as directories, Domain Name System (DNS), messaging and middleware. Network connectivity must be provided with the recovery site and the location of end users that have not been affected by the disaster, as well as those that may be relocated to user recovery areas.

    4.5 Implementing Recovery Processes and Technologies

    An application-by-application approach to disaster recovery projects provides the most flexibility and supports a tiered recovery strategy. An effective strategy requires understanding and documentation of all dependencies. Dependencies exist at the network, hardware, operating system, application software, data, user administration and process levels. There may also be cross-application dependencies: one application might create data that is required by another application. This creates a requirement for synchronized backup and recovery of both applications.

    In many cases, application recovery is really the recovery of related sets of applications. The best method for data synchronization is inserting sync-point transactions enabling application/data consistency. It is also important to test various application recovery scenarios, including out of order transactions, application server and integration broker recovery and user impacts.
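    The tiering and dependency rules described in sections 4.2 and 4.5, as an added example that is not part of the original report: it maps each application's RTO to the 24-hour / four-day / 10-day priorities and then tightens the tier of anything a higher-priority application depends on. The application names, RTO values and the treatment of a shared service without its own RTO are constructed assumptions.

```python
"""Recovery tiers with cross-application dependencies (constructed sample data)."""
from graphlib import TopologicalSorter

# Recovery windows quoted in section 4.2: priority 1 within 24 hours,
# priority 2 within four days, priority 3 within 10 days.
TIER_LIMIT_HOURS = {1: 24, 2: 4 * 24, 3: 10 * 24}
LOWEST_TIER = max(TIER_LIMIT_HOURS)


def tier_for_rto(rto_hours):
    """Return the tier whose recovery window brackets a stated RTO."""
    for tier in sorted(TIER_LIMIT_HOURS):
        if rto_hours <= TIER_LIMIT_HOURS[tier]:
            return tier
    raise ValueError(f"RTO of {rto_hours}h is slower than the last tier")


def plan_recovery(rto_hours, depends_on):
    """Return [(component, stated_tier, effective_tier)] in recovery order.

    rto_hours:  component -> RTO in hours from the business impact analysis
    depends_on: component -> components that must be recovered before it
    A circular dependency raises graphlib.CycleError (a ValueError).
    """
    graph = {name: set() for name in rto_hours}
    for name, deps in depends_on.items():
        graph.setdefault(name, set()).update(deps)
    order = list(TopologicalSorter(graph).static_order())  # dependencies first

    # Shared services with no RTO of their own (assumption: e.g. a directory)
    # start at the lowest tier and are pulled up by whatever relies on them.
    stated = {n: tier_for_rto(rto_hours[n]) if n in rto_hours else None
              for n in order}
    effective = {n: stated[n] or LOWEST_TIER for n in order}

    # Walk dependents before their dependencies so that a tight tier is
    # pushed down the whole dependency chain in a single pass.
    for name in reversed(order):
        for dep in graph.get(name, ()):
            effective[dep] = min(effective[dep], effective[name])

    # Stable sort: tier first, dependency order preserved inside each tier.
    ranked = sorted(order, key=lambda n: effective[n])
    return [(n, stated[n], effective[n]) for n in ranked]


def tier_gaps(plan):
    """Components recovered sooner than their own RTO implies, or with no RTO."""
    return [(n, s, e) for n, s, e in plan if s is None or e < s]


# Constructed sample input: hypothetical applications, RTOs in hours.
SAMPLE_RTO_HOURS = {
    "order-entry": 8,
    "billing": 72,
    "customer-db": 96,
    "reporting": 200,
    "hr-portal": 240,
}
SAMPLE_DEPENDS_ON = {
    "order-entry": {"customer-db", "directory"},
    "billing": {"customer-db"},
    "reporting": {"billing"},
    "hr-portal": {"directory"},
}

if __name__ == "__main__":
    plan = plan_recovery(SAMPLE_RTO_HOURS, SAMPLE_DEPENDS_ON)
    for name, stated, effective in plan:
        print(f"priority {effective}  {name:<12} (stated: {stated})")
    print("tier gaps:", tier_gaps(plan))
```

    The gap list is the useful output for the plan owner: a component that the business rated priority 2, or never rated at all, still has to be funded and tested at priority 1 when a priority 1 application cannot start without it.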


    4.6 Disaster Recovery Components

    As UNIX and NT systems proliferate, many IS organizations are finding that the speed of disaster recovery is constrained by the ability to recover the underlying system infrastructure. System level recovery has become increasingly difficult as critical applications are deployed on less-scalable systems, because of the sheer number of system images involved. The recovery of a system is really the recovery of four distinct data types: 1) standard system image (the base OS), 2) system software, 3) administrative data, including user definitions and security information, and 4) hardware configuration data (parameters and configuration data that establish a unique OS and program product software). It is possible to use products that automate the system creation process and to organise system information and automate system level recovery in the context of disaster recovery.

    Off-site tape provides cost effective disaster recovery for applications that do not require near real time recovery. The general approach to tape based disaster recovery is to duplicate local backup tapes and send them to an offsite vault. Enterprises should include tape duplication and off site media management capabilities in the backup product selection criteria. Enterprises should review tape creation and vaulting processes to ensure that off-site tape storage meets recovery time and recovery point objectives.

    Although recovery times are typically measured in days, it is possible to achieve faster recoveries when parallelism is designed into the backup and recovery processes. The general approach is to organize the data onto the backup tapes such that a maximum number of tape devices can be employed simultaneously for recovery. This usually requires a backup process that generates the same number of data streams that will be used for the recovery. It may also require wasting tape media capacity or reorganizing off-site tape contents to organize tape data for fast recovery.

    [Figure: disaster recovery components. Systems; Common Services (1. Directories, 2. Messaging, 3. DNS, 4. Middleware); Facilities; Application Data; Applications]

    Disk remote copy uses back-end connections between a local and a remote disk subsystem to replicate every local write to the remote disk subsystem. The secondary copy is not directly accessible as long as replication is active. To date, most implementations have been synchronous. Enterprises should expect their DBMSs to restart in the event of a disaster and should provide normal recovery at the disaster site, including database rollback to the last committed transaction.

    Journaling and shadowing products enable replication of databases by reading the re-do logs, shipping the transactions to a target/secondary system and applying the transactions to a replica database. The replicas can be used for horizontal application scaling by moving query and reporting activity off the production system. The requirement to employ a different replication method for each database type and for non database information can result in higher operational complexity than what is seen when a generic hardware solution is employed across all systems.

    Examples

    Platform              Product
    OS/390 IMS and DB2    ENET RRDF
    Oracle Database       Oracle Standby Database
    Oracle Table space    Quest Software SharePlex
    Windows SQL Server    SQL Server EE - Log Shipping
    DB2/400               DataMirror High Availability Suite

    Host software replication products install functions that intercept write activity on the primary system, ship the write over a network session to the secondary system and apply the write to a remote copy of the file system or logical volume. The primary advantage of this approach is lower cost when compared to hardware-based replication with specific high-availability clustering production.

    4.7 Ensuring the Continued Effectiveness of a Disaster Recovery Plan

    For disaster recovery plans to remain viable, configurations and capacities need to change at about the same rate as the primary environment. A static DRP will no longer provide meaningful protection to an enterprise. Therefore, it is imperative that processes are developed to maintain the plan. There are two primary areas that need to be addressed: the deployment of new applications, and changes to existing applications. Disaster recovery requirements should be discussed when operations and IT service requirements are initially determined. This approach will most likely result in the funding of disaster recovery capabilities out of the application project budget. The DR impact of changes should be evaluated as part of a general change management program. The change management program should also evaluate the disaster recovery implications of changes to storage, server and network resources. In addition to discovering changes that affect the DR plan, enterprises need to develop processes that drive changes to the recovery site and provide timely updates to recovery processes and documentation. Periodic testing is needed to uncover and address the changes that inevitably creep up undetected.

    A disaster recovery plan must be documented at a detailed level to eliminate dependency on people from the primary site. A disaster recovery plan must be indexed by a database and should be readily accessible to all who need to update or reference it. A strong disaster recovery planning effort requires strong management support and the active participation of many business and IT areas throughout a corporation. The effort begins with an assessment of business risks and a quantification of the cost of downtime by application. The risk assessment is used to set application recovery time and recovery point objectives. These recovery point objectives in combination with the cost of downtime can be used to determine the appropriate recovery or high-availability technology. A DRP needs to be documented at a level of detail that enables execution by non-experts. The plan needs to be tested on a regular basis. Disaster recovery needs to become ingrained in the corporate culture and embedded in an enterprise's change control and application development processes.


    CHAPTER 5

    BUSINESS CONTINUITY MANAGEMENT

    There is an increasing awareness that any company wishing to remain competitive and successful must be protected, through the ability of the organization itself, to continue profitably in the event of any serious business interruption.

    This is where Business Continuity Management (BCM) can be effective in taking reasonable steps in response to unreasonable risks. This in turn leads to an ability to prevent chaos in a crisis where some or all of the following phases unfold:-

    Often, when a disaster recovery plan does exist, it has never been tested: these tend to be paper plans only and their thickness and the 'confidential' stamp do not ensure they are relevant.

    A Business Continuity Plan (BCP) should be an operational tool, not just a reference whose purpose is to reassure everyone when things are calm.

    It should be the result of a continuous process, of which the document marked 'plan' is only the written presentation of management competence to be adhered to in the event of a likely crisis.

    Organizations sometimes fail when faced with the 'abrupt audit' of a crisis when they could have actually prospered. This may have been a consequence of any of the following:-

    Key business functions and managers being unconnected within a disaster recovery or BCP.

    Early signals that things were going wrong, or were about to go wrong, were not interpreted correctly.

    The interdependency of key business functions was not fully appreciated. Crisis in one area can have an immediate knock-on effect.

    No recovery plan had been prepared and tested to respond to a sudden loss of IT systems and databases.

    No training & awareness of the need for effective media handling in a crisis existed. Consequently organisations have been poorly portrayed and reputations suffered unnecessarily.

    No one had been prepared to form a crisis team, to look at the total situation, and consequently time was lost. Crises induce chaos, resulting in disasters, even though the cause might not have been considered serious to start with.

    Following a disaster, organisations have sometimes been unrealistic about the value of an insurance policy, or have concentrated solely on IT recovery. Whilst insurance is especially important, the fact remains that uninsured costs (fines, loss of experience, adverse publicity, re-training etc.) frequently exceed insured costs after a crisis.

    This is one reason why risk awareness should be integrated into the overall management process so that it gets the proper amount of attention in relation to all the other business demands.

    Similarly, being able to recover IT systems and databases is crucial for most companies, but this should not risk ignoring the continuance of other key business functions in a catastrophe. In particular, the ability of a Crisis Management Team to act swiftly, with confidence and according to a tested plan can, on its own, determine failure or success.

    That is not to say that insurance cover is in any way unnecessary. It is very important indeed, but it should be seen, similar to IT recovery strategies, only as part of the solution within effective Risk Management and, with a view to crisis management, BCM.


    When a crisis happens, management is placed in the spotlight. This can, on occasions, lead to a comparative increase in share value - where management, often acting as a Crisis Team, has demonstrably been efficient.

    BCM is an ongoing process designed to link some special tasks all aimed at keeping the business afloat should crisis strike.

    BCM is a comparatively new approach to looking at our business risks and considering where the business is exposed to the effects of disasters. It involves making judgments about what is critical and planning to maintain the business beyond the event, should a catastrophe happen. Major international companies now do this as a matter of course.

    Small and medium companies can use the lessons these companies have learned as well, to ensure that the business will continue during and after the crisis.

    In an age where the unthinkable has become possible and the unlikely commonplace, perhaps the question is not whether a business can afford to implement BCM strategies but whether it can afford not to?

    5.1 The BCM process

    There are several variations in building up a BCM process. An alternative to starting with BCM is first writing an actual Business Continuity Plan (BCP - see below) and then developing a BCM structure to ensure the BCP is ready for action at all times. Wherever BCM starts it must have this as a key responsibility.


    The diagram above shows typical BCM stages underpinning a BCP

    1. Top level Commitment Secured
    2. Initiate the Management Process
    3. Identify the Threats and Risks
    4. Manage the Risks as part of Risk Management
    5. Business Impact Analysis (BIA)
    6. Develop Strategies
    7. Developing and implementing the Plan
    8. Test, exercise & maintain the plan

    When connected they form a sequential process where the plan becomes a written guide to be followed in the event of potential catastrophe.

    1. Top level Commitment Secured

    Board level commitment is important. Without top down direction, support and ownership, success in both the BCM process and activating BCP will be difficult, if not impossible.

    2. Initiate the Management Process

    The next step is to initiate or develop the management process. This will be more effective with top level support. It is a good idea to identify the team who will see this through as a continuing process, rather than a one-off event. It will be useful to agree some, or all, of the following:-

    Time scale for key deliverables.

    Budget.

    Regulatory / Statutory / Contractual obligations.

    Where specialist help will be needed (see section 'Where to go for help').

    Who will form a Crisis Management Team.

    Drawing up a 'belt and braces' BCP now, should catastrophe strike before the desired one has been fully prepared.

    3. Identify the Threats and Risks

    Routine and effective Risk Management, relating to all types of risk, is very important to understanding this guide. BCM is more concerned with those threats and risks that can cause corporate catastrophes.

    One way to record where basic risks or threats may arise is to first plot them on a framework ranging from People / Organisational to Technical / Economic, against Internal or External. The following diagram is an example showing just some of the crisis types:-

    4. Manage the Risks as part of Risk Management

    If risks can be described sufficiently accurately for a calculation to be made of the probability of them happening, on the basis of past records, these are normally called insurable risks. If the risk is met so infrequently that no accurate way of calculating the probability exists, no underwriter will insure against it and it becomes an uninsurable risk. Either risk, poorly handled, can result in disaster, if only through catastrophic damage to reputation.

    Once threats and risks have been identified they can be plotted under the headings of Severity and Frequency:-


    BCM, although firmly linked to Risk Management, does not distinguish between the two, although it can be especially effective in cases of high severity / low frequency incidents.

    A simple way to assess the more physical risks, in this case to premises, is the ABC method.

    A. Area B. Building C. Contents

    A - Area. The risk to our premises may result from something outside the actual building. Perhaps another company, close by, may be thought of as controversial and may attract protestors, extremist groups or even terrorists. Also, within the immediate area, there could be a compound storing, for example, toxic / hazardous chemicals, or an adjacent river that is likely to swell in heavy rain. Neighbouring premises could have a history of suspicious fires. It is necessary to think in terms of 360 degrees.

    B - Building. The structure we work in may be vulnerable to fire, sabotage, air conditioning failure (which could jeopardise IT systems) or may otherwise be insecure. We might also share it with other occupiers about whom we know nothing. The power supply may be through one entrance point. Shared water pipes could be susceptible to rupture etc. Telephone and/or ISDN lines may also be exposed to damage.

    C - Contents. What items or assets under our control might cause a problem? This could be as a result of theft, sabotage, overheating, contamination, pollution, flooding, equipment failure etc.


    5. Business Impact Analysis (BIA)

    The BIA is intended to identify the impacts resulting from disruptions to both primary and secondary business functions. Primary means those tasks critical to the company (e.g. revenue generation) and may include supporting functions to ensure primary tasks are completed. Secondary tasks are otherwise very important but not so vital to recover as an extremely urgent need (e.g. personnel dept.). Tasks that fall into neither category may form a third group that is valuable to the organisation in routine operations, but can be suspended for several days in a crisis.

    Collecting accurate data on all business functions is very important. This is normally done by questionnaires and interviews and often requires specialist help (see section 'Where to go for help'). This is the cornerstone of the BIA process. It is important to predict the likely sequence of business units 'collapsing' if one or more primary functions cannot operate. That is why the BIA stage is crucial to BCM and will underpin the effectiveness of the subsequent BCP.

    The BIA helps to predict the disastrous impacts and to define the single points of dependency that could initiate these impacts.

    6. Develop Strategies

    This stage has several facets. At this point in the process, various recovery ideas or strategies can be looked at, including how to communicate with:-

    Staff

    Suppliers

    Shareholders

    The media

    Customers

    Regulators

    It will also be necessary to calculate:-

    Off-site recovery requirements (recommended).

    The viability of internal or external solutions (e.g. 3rd party IT recovery sites).

    Which business units / functions should prepare individual recovery plans (i.e. Primary & Secondary) as a sub-set of the BCP.

    The most effective representatives (managers) from the various business functions tasked with preparing local plans.

    The most effective way to deal with inevitable media interest in a crisis. Avoid a reactive or 'grudge' style. Perception is influential - it is possible to make a virtue of our situation and gain rather than lose. This cannot be overstated.

    Training, testing and exercising schedules. Testing determines the effectiveness of the plan, to include all 3rd party crisis support. Exercising rehearses staff in their crisis roles.

    Where to locate an Emergency Control Centre. This should be near enough to the crisis site to allow the Incident Control Team (see below) to use, yet not risk being enveloped in the incident. Get the views of the Police in advance. It should have:-

    1. A location in a secure area under local control.
    2. Good communications. Dedicated telephone lines in and out (confidential), fax/email.
    3. Adequate stationery, including purchase order forms, maps of the premises, white boards, local routes etc.
    4. Workstations for all team members with, ideally, network access.
    5. 24 hour access & parking.
    6. Refreshment & toilet facilities.
    7. At least one meeting room.
    8. A quiet room or area with a telephone.

    It will be a good idea to select alternative business recovery operating ideas for recovering business and, most importantly, IT systems and databases. These should be withi