Posts Tagged ‘Continuity’

A Quick Guide to Business Continuity Planning

December 31st, 2011

What is Business Continuity Planning?

In simple terms, Business Continuity is the process of planning and validating how to survive a disaster or incident that disrupts normal business. It describes how to prepare for, prevent, respond to, recover and restore critical functions and defines how a company will stay in business regardless of the source or scale of disruption – computer virus or crash, employee death or resignation, strike action, fire, flood, severe weather, terrorism, vandalism, robbery, pandemic illness, new legislation, random acts of God…

Why every company needs a Business Continuity Plan

There is evidence that companies without a business continuity plan are far more likely to collapse following an incident than those with a plan in place. This ability to demonstrate forward-thinking can also be very good for your company’s reputation, helping you secure funding or new business. Increasingly, business continuity planning is a factor when customers are procuring or commissioning work from new suppliers. Insurance providers are also beginning to ask businesses about plans before agreeing to insure.

Investing in an effective approach to Business Continuity can be very attractive to senior or executive management as it brings numerous benefits to the business:

  • Reduced exposure of the business
  • Risk management process in place
  • More operational resilience as a result of identifying and reducing risks
  • Reduced downtime due to the identification of alternative processes and workarounds
  • Compliance issues can be identified and better managed
  • Compliance with Health & Safety legislation
  • Reduced exposure to liability actions
  • Improved security
  • Better protection of assets
  • Improved operational effectiveness as a result of process re-engineering
  • Ownership of key processes identified
  • Defined and documented recovery processes
  • Better record keeping
  • Share value protected
  • Supply chain resilience
  • Reduced insurance premiums
  • Competitive edge

The Business Continuity Planning Process

For Business Continuity Planning to be a success, the Senior Management Team must buy in to the process. This means supporting it with funding, resources, effective communication and, if needed, training. A small team with wide experience from across the company should be appointed to take responsibility, and the team’s coordinator should ideally have project management skills.

Phase 1 – Analysis & Development

The first step is to carry out a Business Impact Analysis and identify the most important aspects of the company’s operations and the likely weak points. It’s well worth doing some research on previous incidents that have happened in similar industries as well as the local area.

Resilience audits should be carried out to check systems and processes for dealing with disruption. These audits will highlight areas for improvement and the action needed.

All key personnel should be identified at this stage and succession plans created for them. Key personnel are not necessarily senior managers; they can be anyone with unique skills or knowledge.

Business Continuity Testing Starts with the Risks

July 28th, 2011

All business continuity analysis should be risk-based and risk-prioritised, so that the important business risks are dealt with first. This means that any risks to your business need to be identified, examined and dealt with.

There are 4 options for dealing with each risk:

1. Reduce the risk. Reducing the risk falls into 2 categories – reducing the likelihood of the problem occurring and reducing the impact of the problem if it does happen. A simple example is that by having a fire alarm you are reducing the likelihood of a fire spreading unseen and by installing a sprinkler system you are reducing the impact of fire.

Reducing the risk is often referred to as mitigation. For example, data backups are a form of mitigation. They reduce the impact if a problem occurs which affects the primary data source. Any mitigating actions require testing to provide assurance they work when required.

2. Transfer the risk. This is an interesting option which may be seen as a get-out, but which is a perfectly valid thing to do. By transferring a risk it becomes someone else’s problem and you therefore have the risk covered. We are not talking about blaming someone else, or even transferring the risk to someone else in the company.

For example, there could be a risk that office space will not be available in the case of a disaster in the main location. Therefore the risk can be transferred to a third party company which organises office space for disaster recovery and keeps offices available for companies who need such a recovery service.

3. Accept the risk. By accepting the risk of a potential problem you are at least aware of its existence and can plan for it happening. If it is a risk that would have no impact for an acceptable period of time it should still be noted but you may decide to take no action until it occurs.

Almost by definition, accepting a risk is also reducing the impact of the risk as you are aware of the potential problem and can write it into your business continuity plan.

4. Ignore the risk. This option should never be selected. There is never a reason for ignoring a risk once it has been identified. A risk can be accepted (acknowledged) but must never be ignored.

Once the actions for each risk have been identified, anything put in place to help cope with a risk needs testing. However, many companies either test nothing at all or try testing every facet of a business continuity plan. Both methods are doomed to failure. The answer is to adopt a risk-based testing approach from two perspectives: that the business continuity plan is fit for purpose, and that it will work when invoked.

A health check (testing the plan is fit for purpose) needs to be performed by someone other than the authors of the business continuity plan. Ideally it’s performed by an independent third party that specialises in testing business continuity plans, but it could be a disinterested party from another part of the company. Independence is essential here for an objective assessment.