Here's what you can do to make your
business continuity plan effective. by Avinash W. Kadam
security stands on three pillars: Confidentiality, Integrity
and Availability. Business Continuity Management (BCM)
depends on availability of information. Disasters and
security failures have become a way of life for us.
Despite all the uncertainties, we have to ensure that
critical business processes are protected, so that business
goes on with minimum interruption. Only adequate planning,
good design and documentation of business continuity
processes can achieve this. Regular training and testing
of business continuity plans ensures that everyone involved
in responding to a crisis will always be prepared to
cope with sudden failures.
Management is defined
as planning, organizing, directing and controlling the
business processes to achieve the business objectives.
The BCM process is no different.
Planning: The organization
depends on smooth functioning of a number of business
processes. Many of these processes are also dependent
on IT processes. An interruption of IT processes will
adversely impact the business processes, thus affecting
the business objectives. Plan an appropriate strategy
for ensuring business continuity in the face of business
interruptions, even disasters.
the strategy. Identify the impact of an interruption.
Decide in advance on the business priorities for recovery.
Make detail plans to implement the strategy. Indicate
who will be responsible for what portion of the plan.
regular testing of the plan. Make sure that there is
clear understanding about each person's roles and responsibilities
in the face of a crisis. The normal organization structure
may not be functioning, still the business must continue
a forum that leads the business continuity process.
This forum should be empowered to take necessary decisions,
including transferring the risk by taking insurance.
There are two important
activities that need to be performed meticulously. The
cost benefit of most subsequent actions will depend
on attention to detail given during this phase. These
- Risk assessment
- Business impact analysis
involves a lot of hard-nosed analysis of related, real-life
facts, and a little bit of gazing into the crystal ball,
and predicting the future. Nobody can say with certainty,
what could cause an interruption, and what will be the
cause of a disaster. And we read so many 'horror' stories
about disasters. Prudent risk assessment requires a
balanced view. Don't be an alarmist who expects the
worst to occur; do not be an optimist either, who believes
nothing could go wrong. Based on past experience, statistical
data, published incidences, which have affected similar
industries in similar environments, compile a list of
all threats. Assign a value of 'high,' 'medium,' or
'low' to the probability of such a threat turning into
a risk for you. Predict the worst possible scenarios
for each incident, preferably in actual rupee terms;
classify these as high, medium or low.
may not always be quantifiable, and may be something
intangible like damage to reputation. Take the opinion
of others in the organization. At the end of this exercise,
you should have a reasonable list of risks that you
and your colleagues believe to be realistic. You should
have identified a good balance of natural risks like
floods and rains; non-random risks like fires, explosions,
and virus attacks; human risks like insider threats,
hackers, industrial espionage etc. Prioritize the risks
based on the product of probability and consequences.
The high combination of threat and consequences has
to be tackled immediately. Remember, this exercise is
to be done with business priorities in mind, hence it
is not limited to IT resources. You have to consider
all the business processes, and take the opinion of
business process owners.
Next, you should
determine the business impact of each risk. Business
impact will consist of overall loss to the business,
as well as the time to recover to normalcy.
analysis helps in prioritizing the recovery sequence.
Sometimes a seemingly normal and routine activity may
require the highest priority to minimize the business
impact. For example, if a bank faces disaster due to
fire or a major fraud, there is an immediate run on
its ATMs as well as branches for cash withdrawal. Restoring
customer confidence is the topmost priority. Making
available a large amount of cash becomes the most important
Writing and implementing
"Write your plan
and then do what you write" is a time-tested maxim.
After an interruption or disaster, the business has
to recover as quickly as possible. You will not have
much time to think. This provides sufficient reason
to write all the emergency procedures and also to define
responsibilities. There will also be a number of services
that need to be restored within a given time. Some of
these will be external services. Document how to recover
each of these in the plan. Since time is a critical
element, the recovery procedure should take into account
the estimated time required for restore. Also identify
the dependencies. It may be critical to restore some
functions before others. For example, you may need to
restore the email communication before telephone communication
as this will help in reaching the entire world in shortest
possible time. Telephone communication may be overwhelmed
with too many calls in an emergency.
plan should ensure that someone, referring to this plan,
would be able to prioritize various actions to meet
the business objectives of restoring various customer
services in an acceptable timeframe.
Implement the plan
through appropriate delegation of responsibilities.
Provide appropriate staffing. Create backup arrangements.
The business continuity
plan may swell as more procedures are added, each written
to meet a specific condition. For large organizations
there may be departmental plans, unit-wise plans, location-wise
plans and region-wise plans in addition to corporate
plans. It is necessary to have a common and consistent
framework so that all these plans work in a coordinated
planning framework could be achieved by defining a few
- Each plan should have an
owner and individuals responsible for various components
of the plan. This will ensure that each plan is updated
regularly, and executed as the need arises. Also,
the plan owner should ensure availability of all resources
for execution of the plan. He should also be responsible
for all the backup arrangements, alternate arrangements
and resumption of business. This will ensure that
each plan gets appropriate attention from the owners
of business resources whose revival will depend on
proper execution of the plan.
Each plan should
have at least the following procedures:
- Condition for activating
the plans: How do you distinguish a temporary interruption
from a disaster? By defining the conditions you may
suppress yourself from crying wolf for every alarm.
The definition should be clear and concise so that
there is no delay in taking the decision.
- Emergency procedures that
describe the immediate actions to be taken. These
should define the priorities; human life should be
the first priority in every situation. Restoring business
operations, contacting government authorities, communicating
to stakeholders and the public, communicating to the
press should be covered in these procedures.
- Fallback procedures that
can restore essential business functions in a given
- Resumption procedures that
restore the business to complete normalcy.
- Maintenance schedule giving
a timetable of testing the plan and updating it.
- Awareness and education
activities, that prepare all the persons to act in
an appropriate manner, and not panic in a crisis.
- Responsibility allotments
to individuals so that each person knows what is expected
planning is based on a number of assumptions about risks,
the circumstances and availability of correct information.
Each of these gets refined while testing the plan. However,
it is not prudent to test the entire plan in the first
attempt. Systematic testing involves testing individual
components of the plan in such a way that the testing
does not interrupt routine business operations.
The various types
of tests recommended are:
- Basic: Single component testing
- Identify individual elements like availability and
currency of Business Continuity Plan, retrieval of
vital offsite records, contact list of staff, suppliers
and other contact persons, lead time of critical equipment,
readiness of the disaster recovery site etc.
- Walkthrough - or tabletop
testing of various scenarios: Go through the procedure
with the team and confirm the adequacy of plan.
- Integrated test: Involve
integrating a number of components in the order in
which they would occur during actual recovery procedure.
- Incident simulation: Write
a test scenario for a disaster event and simulate
the incidence. Document the observations.
- Technical recovery testing:
Test the restoration of information system based on
various backups as
well as the arrangements at
- Testing the supplier facilities
and services: Testing the preparedness of contractors
- Partial simulation: Involve
several business units.
- Full simulation: also called
full interruption or mock disaster test. This is an
ultimate business continuity plan test that activates
the complete business continuity plan.
As you will notice,
each of these tests requires various resources, and
causes different amount of disruption. Full simulation
is of course the fullest testing that will cause maximum
disruption. An annual calendar should be made to execute
each of the tests at a definite interval.
The outcome of
each test should be to re-assess the plan and improve
it. The plan owner should be responsible for maintaining
and improving the plan. Apart from the inputs received
from testing, the plans should also be updated whenever
there are changes in the systems, environment or business
requirements. By regularly reviewing the plans and keeping
them up-to-date, you will be sure that your Business
Continuity Plan serves you well.
Avinash Kadam is Director, Miel
e-Security, Pvt. Ltd. He can be reached at firstname.lastname@example.org