Posts Tagged ‘business continuity plan’

A Quick Guide to Business Continuity Planning

December 31st, 2011

What is Business Continuity Planning?

In simple terms, Business Continuity is the process of planning and validating how to survive a disaster or incident that disrupts normal business. It describes how to prepare for, prevent, respond to, recover from and restore critical functions, and defines how a company will stay in business regardless of the source or scale of disruption – computer virus or crash, employee death or resignation, strike action, fire, flood, severe weather, terrorism, vandalism, robbery, pandemic illness, new legislation, random acts of God…

Why every company needs a Business Continuity Plan

There is evidence that companies without a business continuity plan are far more likely to collapse following an incident than those with a plan in place. This ability to demonstrate forward-thinking can also be very good for your company’s reputation, helping you secure funding or new business. Increasingly, business continuity planning is a factor when customers are procuring or commissioning work from new suppliers. Insurance providers are also beginning to ask businesses about plans before agreeing to insure.

Investing in an effective approach to Business Continuity can be very attractive to senior or executive management as it brings numerous benefits to the business:

  • Reduced exposure of the business
  • Risk management process in place
  • More operational resilience as a result of identifying and reducing risks
  • Reduced downtime due to the identification of alternative processes and workarounds
  • Compliance issues can be identified and better managed
  • Compliance with Health & Safety legislation
  • Reduced exposure to liability actions
  • Improved security
  • Better protection of assets
  • Improved operational effectiveness as a result of process re-engineering
  • Ownership of key processes identified
  • Defined and documented recovery processes
  • Better record keeping
  • Share value protected
  • Supply chain resilience
  • Reduced insurance premiums
  • Competitive edge

The Business Continuity Planning Process

For Business Continuity Planning to be a success, the Senior Management Team must buy in to the process; this means supporting it with funding, resources, effective communication and, if needed, training. A small team with wide experience from across the company should be appointed to take responsibility, and the team’s coordinator should ideally have project management skills.

Phase 1 – Analysis & Development

The first step is to carry out a Business Impact Analysis and identify the most important aspects of the company’s operations and the likely weak points. It’s well worth doing some research on previous incidents that have happened in similar industries as well as the local area.

Resilience audits should be carried out to check systems and processes for dealing with disruption. These audits will highlight areas for improvement and the action needed.

All key personnel should be identified at this stage and succession plans created for them. Key personnel are not necessarily senior managers; they can be anyone with unique skills or knowledge.

What Is the Difference Between Hot, Warm and Cold Disaster Recovery?

December 17th, 2011

When it comes to implementing your business continuity plan, what strategy do you adopt for the disaster recovery element? (For a description of the difference between Disaster Recovery and Business Continuity, please see my article “Disaster Recovery or Business Continuity?”.)

You may have heard the terms hot, cold and warm recovery, but what do they mean, and what are the advantages and disadvantages of each service?

  • Hot Standby

Hot standby is normally available to the users within minutes of a disaster situation. This level of service is achieved by total duplication of the computer systems covered (hardware, software and data). There will also be a requirement for a resilient network connection into the Hot Site.

Benefits – Available immediately; dedicated to one customer.

Disadvantages – Cost; complexity; management.

  • Warm Standby

Warm standby is normally available to the users within hours of a disaster situation. This is by far the most common type of service utilised for I.T. disaster recovery, and typical recovery times range from 8 hours to 24 hours (dependent on complexity, location and data volumes).

The service can be delivered from a remote recovery centre, or alternatively, delivered to site in the event of a disaster. Depending on the equipment involved the configuration may be installed within an existing facility or a mobile recovery unit.

It should be noted that whilst the Hot standby option is normally dedicated to one customer, Warm standby is delivered on a subscription basis. Industry standards are between ten and twenty-five subscribers per configuration. Availability is therefore not guaranteed in the event of a disaster. Testing is also normally limited to a predefined number of days per annum.

Benefits – Lower cost; reasonable availability.

Disadvantages – Availability; recovery timescales are longer; limited testing available; only available for a limited period following a disaster.

  • Cold Standby

Cold standby is the provision of computer and people facilities that are made available to the client within a few hours of the incident. Unless the service is backed up by a contract to supply the necessary computer equipment, the recovery period is likely to be several days. It is not unusual for Warm and Cold standby services to be combined, giving a very flexible approach to recovery.

Fully serviced office space is also available on a subscription basis. These are usually equipped with PCs, servers, printing facility and a network infrastructure. These would be described as Business Recovery Centres, and could also incorporate Cold space for central systems.

Benefits – Lower cost; large amount of available space (can accommodate large systems). Business Recovery Centres can accommodate several hundred people.

Disadvantages – Availability; recovery timescales are longer; limited testing available; only available for a limited period following a disaster; additional recovery services needed.

Disaster Recovery Invocation Procedures

December 16th, 2011

The following procedure illustrates, at a high level, the first 24 hours following disaster invocation. This procedure is based on a “warm” recovery service.

Following a disaster, clearly defined steps/actions need to be taken to enable business continuity. During the first 24 hours these steps will fall into the following categories.

Initial Assessment

Timescales – Immediately (T + 0)

Following a disaster situation, the first step that must be taken is to assess the current situation. This will be carried out by the Disaster Co-ordinator, who will decide if the Disaster Management Team needs to be assembled. The team will need access to a Disaster Command Facility if the primary location is not accessible for any reason. The Disaster Management Team and Command Centre should be detailed, along with relevant phone/mobile numbers and directions, in the Business Continuity Plan.

The relevant emergency services should have already been notified of the situation. The Disaster Management Team would act as the main focal point for the emergency services.

It may be necessary to make a pre-invocation call to put the Disaster Recovery service on standby, thereby reducing the response time should the service be formally invoked.

Disaster Management Meeting

Timescales – within 1 hour (T + 1 hour)

If it is necessary to call a formal Disaster meeting, this should happen within 1 hour of the event. It may not be possible to get all members of the team together in these timescales; therefore all essential members should be agreed upon and documented in the plan.

The Disaster Management Team’s main role would be to:

  • Define the problem
  • Define the extent of the disruption
  • Determine the likely impact on your business
  • Estimate outage length (where possible)
  • Invoke Disaster Recovery service if applicable
  • Formally set up Disaster Command centre
  • Agree team’s objectives for next three hours
  • Agree formal verbal report for senior management
  • Agree on staffing levels needed at the present time
  • Send non-essential staff home (if during office hours)
  • Contact non-essential staff at home (if out of hours)
  • Call in additional staff (if out of hours)
  • Set up next meeting for T + 4 hours

Disaster Review Meeting

Timescales – within 2 hours (T + 2 hours)

At this stage you should have a much more detailed understanding of the situation. This will enable a full written report to be produced for senior management.

The Disaster Management Team will have by this time:

  • Invoked the Disaster Recovery service (if applicable)
  • Set up a temporary Disaster Command centre
  • Mobilised essential staff members

If applicable, the warm standby (Disaster Recovery) services should be available by this time to start configuration of the standby systems.

Configuration of Standby Equipment

Timescales – within 2 hours of invocation (T + 4 hours)

Warm Disaster Recovery configurations are normally scheduled to be available within 2 hours of invocation. By this time the site should be ready to receive the equipment. Power and Communications should be enabled and facilities for the essential staff should be available. Additional equipment needing to be purchased may arrive some time after this. The backup media will also have arrived onsite.

Restoration of Data and Testing

Timescales – within 20 hours of invocation (T + 22 hours)

Up to 8 hours may be required to restore and test the system. Comprehensive user acceptance test (UAT) procedures should be documented in your Disaster Recovery Plan to ensure the systems are fully operational before they are announced to be live to the end user.

Systems available to end users

Timescales – within 22 hours of invocation (T + 24 hours)

At this stage you should be able to resume some (or all) of your business activities (depending on the scope of the disaster). It is critical at this stage to plan for full business restoral. These steps should include:

  • Interim requirements such as larger temporary accommodation
  • Refurbishment of damaged offices (if applicable)
  • Identification of new premises (if applicable)
  • Replacement of damaged equipment

A full Business Resumption plan should also be produced, detailing the transition from the standby facility to permanent offices.