No announcement yet.

Business Recovery Planning - Continuity Planning

  • Filter
  • Time
  • Show
Clear All
new posts

  • Business Recovery Planning - Continuity Planning

    This is something I've been involved with over the last few years and thought I would share some of what I've learned. At a certain stage in a company's growth it becomes really important to look at ways of mitigating risk. In this area there were two things we learned from the attacks on September 11, 2001, that have changed the overall approach to recovery planning. In fact, many companies today don't talk about recovery planning first, instead we start with continuity planning which includes recovery as a later step.The first thing we learned was that high impact, low probability events, can, and do happen. The second is that recovery from these events is possible.

    There are a number of large steps to take in formulating a BCP (business continuity plan):
    1. Business Impact Analysis
    2. Plans for Business Continuity
    3. Readiness Procedures
    4. Quality Assurance Techniques
    5. Continuation
    In this post I'm going to talk a little bit about #2, and, if there is any interest, can later elaborate on the others.

    Plans for Business Continuity
    The best approach is to break this down into several steps:

    Mitigating Threats and Risk
    After completing an impact analysis a company should be aware of what its main vulnerabilities are, and can then take steps to manage risks. Unlike many other parts of a BCP, mitigating risks should be an ongoing process. One example is installing redundant systems, and any good hospital can show us this in practice. They are particularly vulnerable to power failures which can result in fatalities, sot hey will install backup generators to cover critical areas. Another example in some companies I work with prohibit senior management members from traveling on the same flight, as they wish to avoid the risk of the company leaders being wiped out.

    Create continuity plans
    Now we turn to strategies to implement in response to a disruption. After identifying critical areas each one must be addressed with a continuity plan. A business that relies of computerized systems might have temporary paper based backups available to continue operations, or in extreme cases will build multiple geographically separated data centers so no one disaster can shut everything down.

    Response Preparation
    This is the human side of things. Almost every strategy will require people to put it into action. These people need to know what those strategies are, and exactly what is expected of them in an emergency. Typically there will be two kinds of team put together. Command and control teams for general oversight, and task oriented teams responsible for enacting specific elements of each continuity plan.

    IT based companies, including many finance companies, will sometimes take the extra step of setting up alternate facilities. Depending on their available resources these might be one of several kinds:
    • Cold Sites - basically bare, unfurnished facilities, that require full installations before they become operational
    • Warm Sites - usually fully furnished and partially electronically prepared, requiring minimal effort to get ready
    • Hot Sites - fully equipped and ready facilities that can be immediately activated in the case of an emergency, the more expensive option
    There is also what is called a hardened site. These are highly secured facilities with back-up generators, and high levels of physical security. Something I have yet to have any experience with.

    While many business look at these ideas and immediately balk at the costs involved, I do believe this kind of risk preparation is extremely valuable, although hopefully never needed.
    fcphdJim likes this.

  • #2
    Missing from most BCPs and similar recovery are the "unsaid" things. Any plan, for any part of this process, that is over 6-8 pages will never be completed. You will be lucky to get to the bottom of the first page - plan accordingly.

    Same with a plan that eschews a "command and control" panel, usually separate from the "task" teams, is doomed to fail, as there will be NO communication paths available to tie the two together and the "task" team will not move, until told to do so. Better to train for a small team of authorized "doers" who will act and ask forgiveness after the event. Plan accordingly.

    Secondly, ANYONE deemed critical or essential to the process, needs to be single - as NO ONE will be responding to a business crisis, unless they are 100% sure that their family is safe. And that can not be assessed or managed, while the employee is "at work". That critical employee is not going to do either entity any good. Plan accordingly.

    Thirdly, any business needs to understand that no matter how important they feel they are, there are always other companies with more money, leverage, power and access that will absorb any hardened/hot sites, leaving your company without a home. Plan accordingly.

    Lastly, what is the cost of "doing nothing"? No matter what the risk may be, the cost to mitigate or recover may be higher than the value of the company. Know when to say, throw in the towel and focus on the things that really matter. People are people, and few value the company as greatly as the owner or board of directors do.

    In decades of doing this, I have yet to see a "C" level manager at any test, trial, scenario, training. They are vocal at post mortems, but no where to be found during the test. Plan accordingly.


    • #3
      Sounds like you've had a really negative experience with these things in the past. Care to share?

      There's a range of possible disaster scenarios from minor disruptions to extinction level events and no one thinks they can plan for all of them. Of the companies I've worked with so far we put continuity plans in action in response to flooding, riots, and one forest fire. In all those cases, the preparations we went through allowed us to keep critical operations from being disrupted. This was particularly important when dealing with some international customers who had no idea, or sympathy for, what going on.

      The key in my experience has been getting buy-in from all levels of staff. Asia might be a bit easier in one sense as management is little more top-down, so people tend to do what they are told, but in any case getting participation from C level managers has not been a big issue.