How did Business Continuity come about?

In its earliest stages of existence, continuity of communications and the effective and continual trade in data was the concern primarily of the Military. Lives depended on it and success demanded it (a ridged adherence to fundamental principles defined via trial and error over time).

These principles migrated to businesses as military personnel migrated there on release from Service. However, it became increasingly apparent that simply protecting data during a catastrophic event causing a business disruption was no guarantee that the business would survive.

The 1960’s saw the first Disaster Recovery Planning attempts. These attempts became more effective through the 1970’s, however considerable impetus was occasioned in the early 1980’s by the Telecommunication’s Fire in the Hinsdale (a suburb of Chicago) Central Office (Switching Station), leading to a clear focus on prevention as well as restoration.

First Responders (Fire & Police) were continuing to develop very effective Emergency Response Processes on their own, and with increasing incidents of overlap, it became appropriate to migrate some of the Emergency Preparedness Planning concepts into Business Preparedness Planning with identifiable benefits being realized.

The veritable explosion of Technology (PC’s), and the discovery of the Net, moving the large ‘main-frames’ out onto the work-place floor and spread throughout the enterprise, even taking some of the enterprise to the employee’s home, has exacerbated the problem of maintaining continuity procedures and processes. However with this Technology came increasing flexibility and redundancy opportunities. Planning Software became possible and an ever growing and more focused number of professionals developed, expanding to Global levels. Training and Certification has evolved standardizing the Planning Process.

More Executives are realizing that Disaster Recovery is not adequate on its own. Business Continuity is a required approach, increasingly being demanded by the current more sophisticated Customer. It is absolutely critical to doing business in the highly competitive Global Market Place. It is imperative that Businesses today, address: Business Continuity / Disaster Recovery / Emergency Management, as part of their Risk Management Program.

How do I get Senior Management Committed to the Business Continuity Plan (BCP)?

Senior Management’s involvement / sponsorship is critical for the development and maintenance of a Business Continuity Plan (BCP) .It is the first step and probably the most important step in the process if one is to co-ordinate a successful project.

• Increased business / profits
• Reduced cost of operations
• Recognition for performance

• Sustainability for business / profits
• Reputation risk protection
• Operation(s) risk protection (people, process & technology risks)

It needs two things:

• 1.Executive commitment:
  Champion / Sponsor
  Funding
  2.Staff dedication

Present to "business line" managers before you present to the “business line” executive.
They are the key to your success if you get the approvals you are looking for.
Determine if they want to be in attendance when you go to present to their executive.

• Partnership

• Don’t start at the top
• Build buy-in at senior levels
• Make initial presentations quick and informative, preferably face-to-face
• Tailor each presentation to the audience to answer the question,
  "What does it mean to me?"

• Chief Information Officer / Technology Director
• Internal Auditors
• Chief Financial Officer / Controller
• Head of Risk Management

• Make them aware of the BCP concept and how it can benefit the company.
• Even if they won’t personally take sponsorship, they will know what it is all about.

• Research attendees
• Obtain advance draft agenda
• Acquire “sample” presentation format
• Find out if there is advance distribution of presentations
• Satisfy yourself that you are slotted appropriately into the agenda
• Find out the presentation protocol

The Presentation Document:

• Define BCP (generic)
• Briefly state purpose (rationale) of presentation
• Outline existing conditions / history
• Detail request - be specific:
  Mandate
  Funding

  Completion target date, schedule, phasing

  Benefit / Risk commentary

  Propose next update

  Request approval

Presenting the Document:

• Tailor your presentation based on advance pre-reading
• Practice your presentation to finish early
• Assume responsibility
• Remember: You are presenting a solution!
• Don’t ….
  Suggest you are still developing a strategy, collecting info
  Clutter request with how it will be done
  Use words like "I think", "We hope", "If you agree"

Answering the Questions:

• "Why?" is the most frequently asked question…
• Why should we?
• Why should we?”
  To maintain existing customer relationships
  To be positioned for growth
  To protect our staff
  To maintain our reputation
  To avoid liability
  To maintain competitive edge
  
  

  Why now?

  Internal changes will always be taking place

  Recent world events

  The process will take time, however, we will provide ongoing progress reports

  Customers expect service
  
  

  Why does it cost so much?

  The numbers are based on preliminary estimates, however, we intend to improve on them where we can

  We are looking at recovery based on…

  Best practice in our industry suggests an investment of approximately…

Share the News…

• Ensure all your initial contacts are aware of the approval
• Set up schedule for BCP process milestones
• Arrange for quarterly / semi-annual reports to the board
• Take the message to others

Establish Partnerships…

• Partners for Success:
  Real Estate
  Human Resources
  Public Relations
  Technology
  Security
  Audit
  Risk Management
  
  

  Partnership(s) mean:

  Communication

  Emergency procedures

  Alternate locations

  Access to systems

  Prioritization of business processes

Communication

• Key Requirements:
  Set up a diary for scheduled contacts - health checks
  Obtain executive level BCP strategy commitments at least annually
  Provide quarterly / semi-annual status reports
  Be available for presentations
  Be enthusiastic!

Inform the Staff

• Benefits of BCP Process for Staff:
  Understand what to do when an incident occurs
  Be aware of where to meet, alternate work locations
  Know who to contact / who contacts them
  Be familiar with what tasks need to be performed
  Keep the company in business!
  
  

  Recognize the Contributors:

  Send notes of appreciation

  Tell their peers

  Advise their bosses
  
  

  Bring the Contributors Together:

  Information sessions

  Newsletter with highlights on individual successes, ideas

  BCP website

What are the key elements of Business Continuity Planning?

The Disaster Recovery Institute International (DRII) has standards of professional practice for business continuity professionals. These areas are critical for an effective Business Continuity Plan and they are listed as follows:

1. Project initiation and management.
   Obtain management support for a business continuity plan by demonstrating the need for a correctly developed and managed BCP.
   Organize the project team and manage the project to a successful conclusion.
   
   

   Risk evaluation and control.

   Conduct a comprehensive environmental risk analysis process. Establish the controls needed to mitigate or prevent any potential loss.
   
   

   Business impact analysis.

   Conduct an analysis to identify the effects of disruptions and disaster scenarios on the organisation. Identify the key functions and their inter-dependencies with other operations so that you can prioritise the recovery process.
   
   

   Developing business continuity strategies.

   Determine the choice of business recovery strategy by ensuring that the critical functions can be recovered within the set time, while maintaining the organisation's best operating performance (acceptable level of service).
   
   

   Emergency response and operations.

   Develop and implement procedures for response and stabilizing the situation following an incident or event, including establishing and managing an emergency operations centre to be used as a command centre during the emergency.
   
   

   Developing and implementing business continuity plans.

   Design, develop, and implement the business continuity plan to provide recovery within the recovery time objective.
   
   

   Awareness and training plans.

   Prepare a programme to create corporate awareness and enhance the skills required to develop, implement, maintain, and execute the business continuity plan.
   
   

   Maintaining and exercising business continuity plans.

   Pre-plan and coordinate plan exercises, and evaluate and document plan exercise results. Develop processes to maintain the currency of continuity capabilities and the plan document in accordance with the organisation's strategic direction. Verify that the plan will prove effective by comparison with a suitable standard, and report results in a clear and concise manner.
   
   

   Public relations and crisis coordination.

   Develop, coordinate, evaluate, and exercise plans to handle media during crisis situations. Develop, coordinate, evaluate, and exercise plans to communicate with and, as appropriate, provide trauma counselling for employees and their families, key customers, critical suppliers, owners/stockholders, and corporate management during crisis. Ensure all stakeholders are kept informed on an as-needed basis.
   
   

   Coordination with public authorities.

   Establish applicable procedures and policies for coordinating response, continuity, and restoration activities with local authorities while ensuring compliance with applicable statutes or regulations.

What is the difference between Disaster Recovery and Business Continuity?

Disaster Recovery is the activity that takes place during and after a catastrophic event to minimise business interruption and return the organisation as quickly as possible to a state of normalcy that existed prior to the event.

Business Continuity is the process of planning to ensure that an organisation can survive, by providing an acceptable level of service throughout, an event that causes interruption to normal business processes.