Training scope and objectives – Specific training modules must be designed for emergency response, crisis management, damage assessment, disaster recovery teams and so on.
Business Continuity Life Cycle - Part 2
Establish BCP Training & Awareness Program
- Basic training covers standard response procedures such as using a fire extinguisher, evacuating premises, controlling building flooding and so on.
- Specialized training ensures that response teams have the know-how to execute specialized plans for specific areas such as emergency response, first aid and CPR. Staff members are also constantly kept up to date on the latest threats and their respective mitigation strategies.
BCDR Training Highlights
Gap analysis – Training programs must be designed based on gaps between existing skill sets and desired levels of proficiency. You must also plan for contingencies such as attrition, new recruitments, role changes within the company and so on.
Training requirements – Lack of a budget can often hamper training initiatives. Your organization can work around this constraint by incorporating micro training modules into everyday tasks that familiarize employees with what is expected of them during a disruption. You can also facilitate additional guidance through readily available reference material in multiple formats.
Scheduling and timelines – Shorter training schedules are more effective: employee engagement is higher and visible improvements can be seen in implementation. Your organization must also ensure that training schedules don’t clash with the timely execution of mainstream business operations.
Evaluation – You must carefully choose the parameters against which training outcomes are evaluated. Skills acquisition must be segregated into categories such as physical, logical, technical and then gauged accordingly.
Training options include:
- Tabletop exercises
- Functional exercises
- Field drills
- Full-fledged disruption testing
Coordinate BCP with Pertinent Laws, Regulations & Industry Standards
In many industries, a BCDR capability is mandated by law. These standards and regulations are modified over time, which could imply marginal, significant or extensive changes to your existing solution to meet the new requirements.
Plan Development Project
Project Organization
BCDR projects need to be structured in such a manner that plan development can be commenced as soon as approval is obtained on the project’s scope, budget, schedule and other aspects.
Business Continuity Planning
The prime focus is to sustain business operations, especially those that generate income and address the company’s corporate obligations such as remuneration and insurance. BCDR teams have the choice of developing plans for single, multiple or all the business processes. If your organization’s scale of operations is huge, then you can develop individual plans for each business process which can then be collated to leverage a consolidated BCDR capability.
Continuity of Operations
BCDR teams work towards failing over mission critical operations to a backup facility. These backup facilities have the infrastructural capabilities to support operations during extended periods of time while operability at the main facility is being restored. Continuity of operations includes business continuity and disaster recovery plans as subcomponents.
Disaster Recovery Planning
This component of your BCDR project is deployed immediately after a major crisis. All DR plans include an IT segment that addresses the company’s crisis time technological needs and the restoration of business applications, servers, network infrastructure, equipment and so on.
Crisis Communication
Crisis communication plans can be developed in parallel with BCDR plans. The ability of a company to get through business disruptions often depends on the effectiveness of its communication strategies and the relevance of its information sharing protocols in different scenarios. An already dire crisis situation can worsen if misinformed employees share inaccurate information with the press and media, further jeopardizing the organization’s position. Strategies must be developed for both internal entities such as staff, teams and departments, as well as external entities such as suppliers, customers, stakeholders and investors.
Cyber Incident Response
Your organization’s IT department should ideally take responsibility for this component of the BCDR project. IT systems and infrastructure are an integral part of businesses today and a cyber security breach can severely compromise an organization’s commercial interests. These could include incidents such as:
- Unauthorized access
- Denial of service
- Data Loss
- Data manipulation
Cyber incident responses are developed as part of disaster recovery plans and their scope includes addressing cyber attacks, evaluating the damage done, mitigating the impact on systems, recovery and resuming operations.
Evacuation Procedures
Your organization’s facilities team designs evacuation procedures that can be implemented during fires, floods, earthquakes and similar catastrophes. These plans include:
- Where to assemble outside the premises or within the premises if a shelter-in-place is recommended
- Procedures for contacting official agencies such as fire, police and medical assistance
- Fire drills and other simulation exercises that can be practiced regularly to increase disaster preparedness
Risk Assessment
Your business is at risk when there is a possibility of a threat exposing one or more of your organization’s operational vulnerabilities. The first step involves creating an exhaustive list of all possible threats to your business. Data gathering techniques include questionnaires, interviews, document reviews and investigations. This is followed by assessing each threat across a range of relevant qualitative and quantitative parameters. The same procedure is then followed for the vulnerability assessment exercise. Finally, data is collated and a consolidated risk assessment report is generated.
Business Impact Analysis
This stage involves mapping your organization’s assets, resources, systems and infrastructure to the processes and operations they serve. Now your BCDR team assesses the impact on business when the availability of each of these components is disrupted. The impact on business can be further segregated into categories such as finance, operations, IT systems, legal and so on.
The main focus areas of the business impact analysis are:
- Outlining the enterprise’s mission critical objectives in a sequential order based on a combination of priority and time required for restoration
- Defining the maximum tolerable outage (MTO) for every business process
- Gathering information that can be used for developing contextually relevant recovery strategies
- Identifying internal and external dependencies for achieving crucial objectives
Business Continuity Strategy Development
ISO 22301:2012 mandates the development of a business continuity strategy (BCS) after the business impact analysis (BIA) and risk assessment have been completed. Business continuity strategies include options for recovering and resuming mission critical processes at the least acceptable level within a specified time frame.
Business continuity strategies meet the requirements identified during the BIA exercise and consist of four broadly outlined categories:
- Processes and procedures
  - Example: Crisis management teams and employees moving operations to a backup location
- IT systems and infrastructure
  - Example: Recovering IT systems and damaged IT components from an alternate facility
- Manufacturing and production
  - Example: Recovering equipment that has been damaged
- Data and crucial documents
  - Example: Reviving lost and damaged data
You can develop your business continuity strategy in phases.
- Outlining the prerequisites for recovery – These requirements are mainly obtained from the BIA exercise and detail the
  - Mission critical tasks and activities in sequential order based on priority
  - Timeframes – MTPD, WRT, RTO, RPO
- Selecting the options for recovery – Now you have to look at all possible options for all the recovery areas based on the prerequisites defined in the previous phase. Recovery options can be:
  - Pre-planned – systems are sourced, installed and kept on standby at the location and utilized when a disruption occurs
  - Outsourced – an external vendor provides the required systems within a certain timeframe after a disruption occurs
- Assessing the options’ turnaround time – Your recovery option must restore operations within the stipulated timeframes. This can be gauged based on the expected availability time (EAT) for each business component. This can be broken down into three steps:
  - Calculate the expected availability time (EAT) for each business component
  - Compare the EAT with the MTPD, RTO and WRT time frames
  - Choose the best possible recovery options
- Striking a balance between cost and capability
  - Defining the required capabilities – Parameters can include:
    - Effort
    - Quality
    - Safety
    - Control
    - Security
  - Evaluating the cost for each recovery option – Costs for different options can be classified as low, medium, high and so on.
  - Choosing the most feasible options – The most suitable option should take into consideration all the above factors, namely Effort, Quality, Safety, Control, Security and Cost. You can prioritize these factors based on your specific resiliency needs. For instance, if budget is not an issue you can opt for costlier recovery measures. On the other hand, if staffing is a constraint, then options that involve a lot of effort might not be suitable.
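The turnaround check and the cost/capability trade-off from the phases above, as an added Python example that is not part of the original page. It assumes an option is acceptable when its EAT is within the RTO and EAT plus WRT is within the MTPD, that capabilities are scored 1 to 5, and that the low/medium/high cost classes map to the numbers shown; the options, targets and weights are constructed sample data.

```python
from dataclasses import dataclass

# Capability parameters listed on the page, scored 1 (worst) to 5 (best).
# For "effort", 5 means the option needs the least staff effort.
CAPABILITIES = ("effort", "quality", "safety", "control", "security")
COST_SCORE = {"low": 5, "medium": 3, "high": 1}  # assumed mapping of cost classes


@dataclass
class Targets:
    rto: float   # recovery time objective, hours
    wrt: float   # work recovery time, hours
    mtpd: float  # maximum tolerable period of disruption, hours


@dataclass
class Option:
    name: str
    kind: str     # "pre-planned" or "outsourced"
    eat: float    # expected availability time, hours
    cost: str     # "low", "medium" or "high"
    scores: dict  # capability name -> 1..5


def meets_timeframes(opt, t):
    """Assumed rule: available within the RTO, and EAT + WRT within the MTPD."""
    return opt.eat <= t.rto and opt.eat + t.wrt <= t.mtpd


def weighted_score(opt, weights):
    """Weighted average of capability and cost scores (higher is better)."""
    missing = [c for c in CAPABILITIES if c not in opt.scores]
    if missing or opt.cost not in COST_SCORE:
        raise ValueError(f"{opt.name}: incomplete scoring {missing or opt.cost}")
    total = sum(weights[c] * opt.scores[c] for c in CAPABILITIES)
    total += weights["cost"] * COST_SCORE[opt.cost]
    return total / sum(weights.values())


def choose_option(options, targets, weights):
    """Return (feasible options ranked best first, names rejected on time)."""
    if targets.rto + targets.wrt > targets.mtpd:
        raise ValueError("targets inconsistent: RTO + WRT exceeds MTPD")
    feasible = [o for o in options if meets_timeframes(o, targets)]
    rejected = [o.name for o in options if not meets_timeframes(o, targets)]
    ranked = sorted(feasible, key=lambda o: weighted_score(o, weights), reverse=True)
    return ranked, rejected


# Constructed sample: one business component with three candidate options.
TARGETS = Targets(rto=4, wrt=2, mtpd=8)
OPTIONS = [
    Option("hot standby", "pre-planned", 1, "high",
           dict(effort=4, quality=5, safety=4, control=5, security=4)),
    Option("warm site", "pre-planned", 3.5, "medium",
           dict(effort=3, quality=4, safety=4, control=4, security=4)),
    Option("vendor ship-in", "outsourced", 24, "low",
           dict(effort=2, quality=3, safety=3, control=2, security=3)),
]
BUDGET_TIGHT = dict(effort=1, quality=1, safety=1, control=1, security=1, cost=3)
BUDGET_FREE = dict(effort=1, quality=1, safety=1, control=1, security=1, cost=0)

if __name__ == "__main__":
    for label, w in (("tight budget", BUDGET_TIGHT), ("budget no issue", BUDGET_FREE)):
        ranked, rejected = choose_option(OPTIONS, TARGETS, w)
        print(label, [(o.name, round(weighted_score(o, w), 2)) for o in ranked],
              "rejected:", rejected)
```

An empty ranked list means no candidate meets the timeframes, so either the recovery options or the targets from the BIA need to be revisited.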
BCP Development
Business continuity planning is essentially the identification of the internal and external business risks to your organization and developing a business recovery capability accordingly.
By developing a business continuity plan, you are assuring your customers, investors, stakeholders and other interest groups of a minimum service level during a business disruption.
Recommended Assumptions for BCP Development
- Business disruption can occur when operations are most vulnerable
- The disruption can have the worst possible impact on business or at least cause significant damage through a loss of assets, network/power outages or interrupted access to the facility
- Key personnel from your staff might not be available immediately after the incident
- Your organization must guarantee the availability of a backup location for mission critical operations within 4 hours of the incident
- Given the 4 hour fail over window, the backup location should be relatively close by
- A formal business continuity team structure should be adopted which includes a business continuity coordinator, a corporate crisis management team (CCMT) along with additional support
- The business continuity coordinator and the corporate crisis management team can give the go ahead to deploy the plan
BCP Testing
Testing Objectives
- Assess the ability of staff to execute plans in different scenarios
Checklist
- Does the BCDR plan have a modular framework?
- Have any processes or procedures been overlooked?
- Have interdependencies been identified?
- Does the BCDR plan prioritize mission critical operations?
- Are participants familiar with the sequential order of the plan?
- Have the plans been tested in all possible scenarios through simulated exercises?
- Are there suitable workarounds if primary response options are unavailable?
- Can manual procedures take over if automated systems are disrupted?
- Can manual systems function in tandem with automated systems?
- What are the controls in place for manual systems and procedures?
- Have subject matter experts validated these tasks that are collectively executed by multiple teams? Validation parameters include but are not limited to:
- Sequential order of procedures
- Right balance between dependencies and autonomous functioning
- Accurate estimation of resource requirements
- Are procedures robust enough to withstand the complexities of collaborative efforts?
- Can issues while deploying these procedures be resolved quickly to avoid delays?
- Scrutinize all the tasks and activities at a granular level for every stage of the business continuity plan
- Are tasks listed out in the correct sequential order?
- Have errors, bugs and flaws been detected and fixed?
- Evaluate the contextual relevance of resources to be used
- Are the right resources such as personnel, equipment and provisions being used for each task and activity, and in the right quantity?
- Are employees familiar with how to use the assets, equipment and other material assigned to them for the execution of the tasks?
- Has it been ensured that employees with multiple tasks don’t have overlapping schedules?
- Have vendors been contacted to ensure the timely supply of equipment and provisions for these tasks?
- Ensure that training and awareness programs equip BCDR team members with the necessary skills and expertise
- What are the communication channels available for sharing information?
- What are the communication protocols in place for sharing information through these channels?
- Has the flow of information through these channels been tested for effectiveness and efficiency? Improvements in this stage can be incorporated into the organization’s daily activities
- Have the information sharing requirements for mission critical processes, ERT and CMT groups been defined?
- Have issues and concerns regarding information flow through IT systems been addressed?
- Detect loopholes and insufficiencies in the BCDR plan
- Have the plans been tested through checklists, paper walkthroughs and simulation exercises?
- Have gaps and weaknesses been identified and fixed?
- Have all key personnel along with their contact info been listed out?
- Who is responsible for attending to injured employees and providing replacement staff?
- Where is important information, such as license details, stored?
- Are backup procedures compatible with existing IT components such as servers and CPUs?
- Have issues with the highest probability of occurrence been tested?
- Determine suitability based on cost and available budget
- What are the available testing strategies for precisely forecasting BCDR plan expenses?
- How accurate are the estimates for BCDR plan implementation, management and maintenance?
- Have these estimates been taken into consideration while adapting the BCDR plan to your organization’s budgetary constraints?
- What is the minimum budget required for protecting mission critical operations?
Criteria for Assessment
A crucial aspect of planning testing schedules is to establish the criteria for assessing the results. For this, you need to look at your existing BCDR plan and identify suitable evaluation parameters.
- How quickly is the primary team able to activate the plan?
- How many staff members are required for activation? Can the number be brought down?
- How quickly can these personnel be notified when a crisis occurs?
- Is all contact info accurate and up to date?
- Are employees more accessible on their primary or secondary numbers?
- How many employees were not notified while activating the plan?
- How many employees were erroneously notified?
- What are the different available options for notifying employees?
Maintaining Disaster Readiness
Time is of the essence during disasters and apart from having a fully fledged BCDR capability in place, it is equally important to be able to deploy plans quickly. This requires monitoring mechanisms that constantly keep BCDR teams updated on the status of various impending threats.
- What are the strategies for monitoring all business threats?
- Are BCDR teams notified when potential threats cross their critical thresholds?
- How quickly can response measures be deployed when a threat becomes imminent?
- Can the staffing requirements for different plans be addressed at short notice?
- What are the areas in BCDR preparedness that can be improved?
- Are there gaps in the skills of staff that can delay response times?
- What are the training requirements to bridge these gaps?
- Do existing plans need to be modified to reduce response times?
- Do delays in deploying BCDR solutions impact mission critical operations? If yes, how can these issues be resolved?
BCP Maintenance & Regular Testing
Plan Maintenance
- Implement a version control system so that BCDR team members can verify whether the plan they are using has been updated with all the most recent changes
- Keep contact databases of employees, suppliers, business associates, customers, backup locations, facilities and other operational entities up to date
- Strategize the distribution of BCDR plans amongst employees based on their access permissions, including personnel in backup locations and remote sites
- Ensure the most recently updated BCDR plan version is always available at the alternate site
- Ensure that there are a sufficient number of hard copies of the most recent BCDR plan in case IT infrastructure is disrupted
- Regularly purge or archive obsolete versions of the BCDR plan
- Ensure that there are no version discrepancies and that all employees are using the same plan version
- Wherever possible, incorporate BCDR practices into the organization’s mainstream business activity to bring down maintenance efforts and expenditure
- Delegate the responsibility of monitoring and tracking plan changes to individuals who are part of the BCDR team
- Implement a clearly defined process for maintaining the plan and steering the project clear of additional risks
- Create a framework such that changes in the BCDR plan that affect people, processes and technology are immediately updated in the existing training modules
- Factor in the financial implications of BCDR plan maintenance and testing activities
Business Disruption
Business disruptions can impact your organization through a variety of factors. Some of them have been discussed below:
Cash Flow
Business disruptions heavily dent an organization’s cash flows through expenses such as payroll, health & business insurance, rent, utility services, travel expenditure, provisions and so on.
Revenue
An organization’s ability to generate revenue during a crisis is severely hampered. This is especially true in the case of activities such as accepting new orders, order fulfillment and shipment.
Sales
One of the most critical aspects of any business disruption is that your organization can’t sell its merchandise. For instance, if your customers purchase your products through a website that has been compromised, then sales will suffer. Similarly, customers won’t be able to get in touch with sales representatives and place orders if the company’s purchasing facility has been damaged.
Order Fulfillment
Receiving orders from customers during business disruptions can create backlogs in order fulfillments. If your storage facility has suffered an impact, then your products might be unavailable due to damage. Also, orders might take longer than usual to process due to procedural delays, which in extreme cases can lead to order cancellations and loss of customers to competitors.
Order Shipment
Even if your organization is able to take new orders and products at storage facilities haven’t suffered severe damage, you might still not be able to deliver due to logistical hassles and operational constraints such as damaged roads or unavailability of transport.
Accounts Receivable
Many organizations allow their customers a considerable leeway for making payments on orders. Following up on customer payment, ensuring error free shipments and preventing invoicing inaccuracies are some of the challenges that can arise due to business disruptions.
Increased Expenditure
While incoming revenue slows down during a business disruption, organizations also have to bear additional costs such as
- Moving operations to an alternate facility
- Putting aside cash for emergency activities such as
- Processing payrolls
- Contracting temporary staff
- Procuring backup supplies and equipment
These additional costs tend to be higher in the case of organizations that don’t have a BCDR plan in place.
Impact on Cash Flow
The ability of an organization to survive a business disruption depends on factors such as
- Cash reserves & Available credit – An organization would need more cash reserves and available credit if its revenue is limited and operational expenses are high.
- Type of disaster – Large scale catastrophes tend to disrupt infrastructure such as electricity and roads which take longer to restore.
- Extent of impact – Your organization’s recovery largely depends on whether your business has been fully, partially, directly or indirectly impacted.
- Recovery time needed – Businesses suffer a greater impact on cash flow if operations need to be restored very quickly. The longer the downtime, the greater the impact on revenue.
- Other factors include –
- Type of employees on the company’s payroll –
- Permanent
- Temporary or
- Contractual
- The organization’s financial obligations
Valuation and the Ability to Raise Capital
Cash flow and valuation largely influence an organization’s ability to raise capital. Both these factors get severely affected during a disaster or business disruption.
Decreases in revenue have a direct impact on the organization’s market value. Obtaining loans from banks immediately after a disaster might be difficult, even in the case of businesses with a proven track record, since their ability to generate revenue in the immediate future is impaired. Banks might grant a loan, but at a considerably higher interest rate.
Executing Business Continuity Plans
Business continuity plan execution can be broadly broken down into the following three stages:
Situation Analysis
BCDR teams begin by responding first to the most severely affected operational segments of business.
BCP execution begins by carefully assessing the disaster at hand, the severity of the crisis and the feasibility of continuing operations. Influencing factors can include employee health & safety, property and infrastructural damage.
Stick to the Plan
It is equally important that BCDR members strictly follow the roles that have been outlined for them without deviating from the original plan.
This becomes possible when you have a comprehensive BCDR plan that has taken into consideration all possible business disruptions. BCDR plans should be universally accepted by all teams and departments in an organization leaving no room for conflict of opinions.
Restoring Normalcy
Your organization needs to restore key business processes within predefined timeframes. This is a crucial activity that involves both internal as well as external business entities.
Recovery
In this stage, BCDR teams are confronted with the immediate consequences of a business disruption such as a server malfunction, security violation or system failure. Infrastructure and operations are restored through precise procedures. Nevertheless, since crisis situations are erratic and unpredictable, these procedures are often improvised to address the specific disruption at hand.
Mitigating the impact of a disaster is a crucial objective during the recovery stage. This might even include temporarily stalling operations to detect the problem. Many of the activities in the recovery stage overlap with those of continuity of operations.
Analysis
Assessing business continuity plans provides valuable insights into how gaps in the existing BCDR capability can be bridged to render an improved performance during future incidents.
Assessments must span across all aspects of a BCDR solution such as:
- People
- Processes
- Infrastructure
- Technology
One of the main purposes of evaluating a BCDR plan is to compare and contrast its performance with the organization’s resiliency goals & objectives to identify areas for improvement such as:
- Upgrading employee skills and expertise
- Processes
- Streamlining operations; reducing interdependencies through a more modular structure
- Introducing new technologies that could increase efficiencies