Business continuity planning involves assessing the variety of risks to organizational processes and creating the policies, plans and procedures that minimize the impact those risks would have on the organization if they were to occur. Your organization needs to develop a BCP to ensure the continued provision of the critical/core services or products that must be delivered to ensure survival, avoid causing injury, and meet legal or other obligations. Business continuity planning is a proactive planning process that ensures critical services and products are delivered even during a disruption. Your organization's Business Continuity Plan will include:
a) Plans, measures and arrangements to ensure the continuous delivery of critical services and products, which permits the organization to recover its infrastructure, facility, data and assets.
b) Identification of necessary resources to support business continuity, including personnel, information, equipment, financial allocations, legal counsel, infrastructure protection and accommodations.
Every organization is at risk from potential disasters that include:
a) Natural disasters such as floods and earthquakes.
b) Man-made disasters such as accidents, sabotage, power and energy disruptions, communications breakdown, transportation failures, cyber attacks and hacker activity, and failures in the safety and service sectors.
c) Environmental disasters such as pollution and hazardous materials spill.
Creating and maintaining a BCP will help to ensure that your organization has the resources and information needed to deal with these emergencies.
2. Rationale
Having a BCP will enhance the image of your organization with employees, shareholders and customers by demonstrating a proactive attitude.
Your organization's BCP will lead to improved overall organizational efficiency and will make explicit how assets, human resources and financial resources relate to critical services and deliverables.
3. Creating the Business continuity Plan
Creating a Business Continuity Plan will follow a formalized methodology comprising four main steps:
1. Project scope and planning
2. Business impact analysis
3. Continuity planning
4. Approval and Implementation
3.1 Project scope and planning
This step in the BCP process will involve analysis of the organization's business, BCP team selection, identification of resource requirements, and analysis of the legal and regulatory requirements.
3.1.1 Business organization analysis
This task will involve identification of all departments/units and individuals who have a stake in the BCP process. Some of the areas to be considered include the following:
i. Operational units that are responsible for the core services that your organization provides to its clientele.
ii. Critical support services such as ICT, transportation unit and other units that are responsible for the upkeep of systems that support the operational departments.
iii. Senior management and other key individuals essential to the ongoing viability of your organization.
This identification process is critical because it provides the groundwork for identification of potential members of the BCP team and it provides the foundation for the other stages of the BCP process.
3.1.2 Team Selection
Your organization's BCP team will be representative of all core operational units/departments. The BCP team will include the following individuals:
i. Representatives from each of the departments responsible for the core services performed by the organization.
ii. Representatives from the key support departments identified by the organizational analysis.
iii. ICT representatives with technical expertise in the areas covered by the BCP.
iv. Security representatives with knowledge of the BCP process.
v. Legal representatives familiar with the law, regulatory and contractual responsibilities.
vi. Representatives from senior management.
3.1.3 Resource Mobilization
After the business organization analysis, the BCP team will determine the resources required to perform the remaining steps of BCP development, testing, training and maintenance.
3.1.4 Legal and Regulatory Requirements
The BCP development will take into consideration the existing legal and regulatory requirements of the organization in executing its mandate and also in responding to disastrous situations.
3.2 Business Impact Analysis (BIA)
The BIA will identify the resources critical to the organization's ongoing viability and the possible threats posed to those resources. It will also assess the likelihood that each threat will actually occur and the impact those occurrences would have on the organization and its operations. The results of the BIA will provide your organization with the quantitative measures that help prioritize the commitment of business continuity resources to the various risks your organization faces. Two types of analysis will be used in the BIA to support decisions: quantitative analysis, which uses numbers and formulas to reach a decision (for example, asset value expressed in monetary terms), and qualitative analysis, which weighs non-numeric factors such as investor/government/development partner confidence and workforce confidence.
3.2.1 Identification of Priorities
The BCP will identify the core day-to-day operations of your organization and rank them in order of importance. The BCP team will make a comprehensive list of the organizational assets, determine their respective asset values, and determine the maximum tolerable downtime (MTD) for each operational function of the organization.
3.2.2 Risk Identification
The BCP team will identify possible risks, both natural and man-made. It should be noted that some risks/disasters are unlikely to occur in your environment and can be excluded from detailed analysis (with the reason recorded), while those that are more likely to occur MUST be considered.
3.2.3 Likelihood assessment
This task involves determining the likelihood that a given risk will occur. The assessment will be expressed as an Annualized Rate of Occurrence (ARO), the number of times per year your organization expects to experience a given disaster (an ARO of 0.05 means once in twenty years; an ARO of 2.0 means twice a year). The data used in this task can be based on the professional experience of the BCP team members, historical records, and advice from experts such as meteorologists, fire prevention professionals and other consultants as deemed necessary by the BCP development team.
3.2.4 Impact assessment
This task will involve analyzing the information generated by the risk identification and likelihood assessment and determining what impact each risk would have upon the business if it were to occur. The following metrics will be examined:
The Exposure Factor (EF) – the amount of damage a risk poses to a given asset, expressed as a percentage of the asset value (AV). For example, if a fire expert determines that a fire could cause 80% damage to a building, then the exposure factor of the building to fire is 80%.
The Single Loss Expectancy (SLE) – the monetary loss expected each time a given risk materializes. It is computed as the product of the asset value and the exposure factor: SLE = AV × EF. For the building above, with AV of 2,000,000 and EF of 80%, SLE = 1,600,000.
The Annualized Loss Expectancy (ALE) – the monetary loss the business expects to incur as a result of the risk harming the asset over the course of a year. It is computed as the product of the single loss expectancy and the annualized rate of occurrence: ALE = SLE × ARO (equivalently, AV × EF × ARO). Note that ALE is not ARO × AV; leaving out the exposure factor overstates the loss for every risk that does not destroy the asset completely. With an ARO of 0.05 (one fire in twenty years), the building's ALE is 1,600,000 × 0.05 = 80,000 per year.
3.3 Resource Prioritization
The final step of the BIA is to prioritize the allocation of business continuity resources to the various risks identified and assessed in the preceding tasks of the BIA, in descending order of ALE. The qualitative factors noted above (confidence of partners, staff safety, legal obligations) are then used to adjust the purely monetary ranking where necessary.
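The following is an added worked example, not part of the original plan text, that carries the BIA arithmetic of sections 3.2.3 to 3.3 through for a small set of constructed asset/threat pairs and ranks them by ALE. It also evaluates a single "reduce" safeguard in the way section 3.4 asks the BCP team to decide how much to commit to each mitigation, by comparing the ALE before and after the safeguard with its annual cost. All asset values, exposure factors, AROs and the sprinkler figures are invented for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Exposure:
    """One (asset, threat) pair recorded during the BIA.

    asset_value:      AV, in currency units.
    exposure_factor:  EF as a fraction of AV lost per occurrence (0.8 means 80%).
    aro:              Annualized Rate of Occurrence (expected events per year).
    """
    asset: str
    threat: str
    asset_value: float
    exposure_factor: float
    aro: float

    def __post_init__(self):
        # A common spreadsheet mistake is entering EF as 80 instead of 0.80;
        # refuse anything outside [0, 1] so ALE cannot be silently inflated 100x.
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("EF must be a fraction in [0, 1]; store 80% as 0.8")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError("AV and ARO must be non-negative")

    @property
    def sle(self) -> float:
        """Single Loss Expectancy: SLE = AV x EF (loss per occurrence)."""
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:
        """Annualized Loss Expectancy: ALE = SLE x ARO (expected loss per year)."""
        return self.sle * self.aro


def rank_by_ale(exposures):
    """Order BIA exposures for resource prioritization, highest ALE first."""
    return sorted(exposures, key=lambda e: e.ale, reverse=True)


def safeguard_net_benefit(before: Exposure, after: Exposure, annual_cost: float) -> float:
    """Annual value of a 'reduce' response.

    Positive means the safeguard pays for itself: it removes more expected
    annual loss than it costs. 'after' is the same exposure re-assessed with
    the safeguard in place (usually a lower EF, sometimes a lower ARO).
    """
    return before.ale - after.ale - annual_cost


# Constructed sample figures (illustrative only, not from the original document).
BIA_SAMPLE = [
    Exposure("headquarters building", "fire", asset_value=2_000_000, exposure_factor=0.80, aro=0.05),
    Exposure("server room", "flood", asset_value=500_000, exposure_factor=0.50, aro=0.10),
    Exposure("data centre", "power outage", asset_value=300_000, exposure_factor=0.20, aro=2.0),
]

if __name__ == "__main__":
    for e in rank_by_ale(BIA_SAMPLE):
        print(f"{e.asset:22s} {e.threat:13s} SLE={e.sle:>12,.0f}  ALE={e.ale:>10,.0f}")
    # Hypothetical safeguard: sprinklers cut fire EF from 80% to 30% for 20,000/year.
    fire = BIA_SAMPLE[0]
    with_sprinklers = Exposure(fire.asset, fire.threat, fire.asset_value,
                               exposure_factor=0.30, aro=fire.aro)
    print("sprinkler net annual benefit:",
          safeguard_net_benefit(fire, with_sprinklers, annual_cost=20_000))
```

With these figures the frequent, low-impact power outage (ALE 120,000) ranks above the rare but severe fire (ALE 80,000), which is exactly the kind of result the ALE ordering is meant to surface before the team's intuition about "big" disasters takes over. The sprinkler safeguard lowers the fire ALE from 80,000 to 30,000 at a cost of 20,000 per year, a net benefit of 30,000, so the "reduce" response is justified on the numbers alone.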
3.4 Continuity Planning
Continuity planning will focus on developing a continuity strategy to minimize the impact that realized risks might have on valuable and protected assets. The BCP team will take the prioritized list of risks and the maximum tolerable downtime (MTD) of each function and determine which risks are acceptable and which must be addressed by the BCP provisions.
There are four responses to a risk: reduce, assign, accept and reject. Once the BCP team has determined which risks require mitigation and the level of resources to commit to each mitigation task, it is ready to move on to the provisions and processes phase of continuity planning.
3.4.1. Provisions and Processes
In this task the BCP team will describe the specific procedures and mechanisms that will mitigate the risks deemed unacceptable during the strategy development stage. Three kinds of assets must be protected by the BCP provisions and processes: people, buildings/facilities and infrastructure.
3.4.1.1 People
People, not anything else, are the most valuable asset of any organization. The safety of people must come before the organization's business goals. People must be provided with all of the resources they need to complete their assigned tasks, regardless of whether conditions require them to work longer hours than usual or outside their normal working conditions, such as off-station assignments.
3.4.1.2 Buildings/organizational facilities
Information collected during the BIA provides the basis for determining which parts of the building play a critical role in the organization's viability. To protect the building/organizational facilities, the team might consider recommending:
i. Hardening Provisions – these may include simple steps like patching up a leaking roof or as complex as installing reinforced fireproof walls.
ii. Alternate sites – where it is impossible to harden the existing facility, the BCP team should identify alternate sites where business can continue immediately, or at least within a time shorter than the maximum tolerable downtime (MTD) of every affected critical business function.
3.4.1.3 Infrastructure
Every organization has core infrastructure on which it depends. This infrastructure must be protected jealously, and the following provisions and processes can be considered:
i. Hardening systems – introducing proactive measures such as uninterruptible power supplies for servers and computers and power stabilizers for electrical equipment.
ii. Alternate systems – business functions can also be protected through redundancy: redundant components, systems or communication links that rely on different facilities, so that a single failure does not take the function down.
These principles apply to whatever infrastructure is critical to your organization, including transportation systems, electrical power grids and water supplies, among others.
4. Plan Approval and Implementation
On completion of the design phase of the BCP documentation, the BCP team will seek top-level management approval for the BCP.
Once the BCP team has received approval from top management, it is ready to implement the plan. The BCP team will develop an implementation schedule that uses the resources dedicated to the program. After all resources have been deployed, the BCP team should supervise the development of a maintenance program to ensure that the plan remains responsive to evolving business needs.
5. Training and Education
This is a very important part of BCP implementation. All individuals involved in the plan, directly or indirectly, should receive training on the overall BCP and on their responsibilities in executing it. The BCP team will develop a training schedule and provide an overview of the plan to every employee in the organization, giving employees confidence that senior management has considered the mitigation of possible risks to the organization.