Business continuity planning (BCP) is the creation and validation of a practiced logistical plan for how an organization will recover and restore partially or completely interrupted critical (urgent) functions within a predetermined time after a disaster or extended disruption. The logistical plan is called a business continuity plan.

In plain language, BCP is working out how to stay in business in the event of disaster. Incidents include local incidents like building fires, regional incidents like earthquakes, or national incidents like pandemic illnesses.

BCP may be a part of an organizational learning effort that helps reduce operational risk associated with lax information management controls. This process may be integrated with improving information security and corporate reputation risk management practices.

In December 2006, the British Standards Institution (BSI) released a new independent standard for BCP: BS 25999-1. Prior to the introduction of BS 25999, BCP professionals relied on BSI information security standard BS 7799, which only peripherally addressed BCP to improve an organization's information security compliance. BS 25999 applies to organizations of all types, sizes, missions, and industry sectors, whether governmental or private, profit or non-profit, large or small.

In 2007, the BSI published the second part, BS 25999-2 "Specification for Business Continuity Management", that specifies requirements for implementing, operating and improving a documented Business Continuity Management System (BCMS).

In 2004, the United Kingdom enacted the Civil Contingencies Act 2004, a statute that instructs all emergency services and local authorities to actively prepare and plan for emergencies. Local authorities also have a legal obligation under this act to actively lead the promotion of business continuity practices within their geographical areas.

Introduction

A completed BCP cycle results in a formal printed manual available for reference before, during, and after disruptions have occurred. Its purpose is to reduce adverse stakeholder impacts, which are determined by both the disruption's scope (who and what it affects) and duration (how bad it is, e.g. whether the implications last for hours or months). Measurable business impact analysis (BIA) "zones" (areas in which hazards and threats reside) include civil, economic, natural, technical, secondary and subsequent.

For the purposes of this article, the term disaster will be used to represent natural disaster, human-made disaster, and disruptions.

Before January 1, 2000, governments anticipated computer failures, called the Y2K problem, in important public utility infrastructures like banking, power, telecommunication, health and financial industries. Since 1983, regulatory agencies like the American Bankers Association and Banking Administration Institute (BAI) required their supporting members to exercise operational continuity practices (later supported by more formal BCP manuals) that protect the public interest. Newer regulations were often based on formalized standards defined under ISO/IEC 17799 or BS 7799.

Both regulatory and global business focus on BCP arguably waned after the problem-free Y2K rollover. Some believe this lax attitude ended on September 11, 2001, when simultaneous terrorist attacks devastated downtown New York City and changed the 'worst case scenario' paradigm for business continuity planning.

BCP methodology is scalable for an organization of any size and complexity. Even though the methodology has roots in regulated industries, any type of organization may create a BCP manual, and arguably every organization should have one in order to ensure the organization's longevity. Evidence that firms do not invest enough time and resources into BCP preparations appears in disaster survival statistics. Fires permanently close 44% of the businesses affected. In the 1993 World Trade Center bombing, 150 businesses out of 350 affected failed to survive the event. Conversely, the firms affected by the September 11 attacks with well-developed and tested BCP manuals were back in business within days.

A BCP manual for a small organization may be simply a printed manual stored safely away from the primary work location, containing the names, addresses, and phone numbers for crisis management staff, general staff members, clients, and vendors along with the location of the offsite data backup storage media, copies of insurance contracts, and other critical materials necessary for organizational survival. At its most complex, a BCP manual may outline a secondary work site, technical requirements and readiness, regulatory reporting requirements, work recovery measures, the means to reestablish physical records, the means to establish a new supply chain, or the means to establish new production centers. Firms should ensure that their BCP manual is realistic and easy to use during a crisis. As such, BCP sits alongside crisis management and disaster recovery planning and is a part of an organization's overall risk management.

The development of a BCP manual can have five main phases:

  1. Analysis
  2. Solution design
  3. Implementation
  4. Testing and organization acceptance
  5. Maintenance.

The above list is not exhaustive. There are a number of other considerations that could be included in your own plan or manual:

  • Risk Identification Matrix
  • Roles and Responsibilities (ensuring names are left out but titles are included, e.g. HR Manager)
  • Identification of top risks and mitigating strategies
  • Considerations for resource reallocation, e.g. a skills matrix for larger organizations

Much of the BCP material on the Internet is sponsored by consultancies that offer fee-based services for BCP solution development. However, basic tutorials are freely available on the Internet for properly motivated organizations.

Analysis

The analysis phase in the development of a BCP manual consists of an impact analysis, threat analysis, and impact scenarios with the resulting BCP plan requirement documentation.

Impact analysis (Business Impact Analysis, BIA)

An impact analysis results in the differentiation between critical (urgent) and non-critical (non-urgent) organization functions and activities. A function may be considered critical if the implications for stakeholders of the resulting damage to the organization are regarded as unacceptable. Perceptions of the acceptability of disruption may be modified by the cost of establishing and maintaining appropriate business or technical recovery solutions. A function may also be considered critical if dictated by law. For each critical (in scope) function, two values are then assigned:

  • Recovery Point Objective (RPO) - the acceptable latency of data that will be recovered
  • Recovery Time Objective (RTO) - the acceptable amount of time to restore the function

The Recovery Point Objective must ensure that the Maximum Tolerable Data Loss for each activity is not exceeded. The Recovery Time Objective must ensure that the Maximum Tolerable Period of Disruption (MTPD) for each activity is not exceeded.
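
The two constraints above can be checked against operational evidence. The following is an added example, not part of the original article: it validates a BIA register and compares each objective with what backups and restore exercises actually achieved. The function names, all values, the backup log, the restore durations and the `mtdl` key name are constructed assumptions.

```python
from datetime import datetime

# Constructed BIA register, all values in hours (hypothetical functions).
# mtdl = Maximum Tolerable Data Loss, mtpd = Maximum Tolerable Period of Disruption.
BIA = {
    "payments": {"rpo": 1, "mtdl": 2, "rto": 4, "mtpd": 8},
    "payroll": {"rpo": 24, "mtdl": 12, "rto": 48, "mtpd": 72},
}

# Constructed backup job log: (function, completion time, job succeeded).
BACKUPS = [
    ("payments", "2024-03-01T00:00", True),
    ("payments", "2024-03-01T01:00", True),
    ("payments", "2024-03-01T02:00", False),  # failed job widens the gap
    ("payments", "2024-03-01T03:00", True),
    ("payroll", "2024-03-01T00:00", True),
    ("payroll", "2024-03-02T00:00", True),
]

# Constructed restore-exercise durations in hours.
RESTORE_TESTS = {"payments": [3.5, 3.0], "payroll": [30.0]}


def worst_gap_hours(function):
    """Longest interval between consecutive successful backups."""
    times = sorted(datetime.fromisoformat(t) for f, t, ok in BACKUPS if f == function and ok)
    if len(times) < 2:
        return float("inf")  # no measurable interval: treat as unbounded
    return max((b - a).total_seconds() / 3600 for a, b in zip(times, times[1:]))


def review():
    """Return (function, finding) pairs for every objective that is not met."""
    findings = []
    for name, v in sorted(BIA.items()):
        if v["rpo"] > v["mtdl"]:
            findings.append((name, "rpo_exceeds_mtdl"))
        if v["rto"] > v["mtpd"]:
            findings.append((name, "rto_exceeds_mtpd"))
        if worst_gap_hours(name) > v["rpo"]:
            findings.append((name, "backup_gap_exceeds_rpo"))
        tests = RESTORE_TESTS.get(name, [])
        if not tests or max(tests) > v["rto"]:
            findings.append((name, "restore_untested_or_exceeds_rto"))
    return findings


if __name__ == "__main__":
    for item in review():
        print(item)
```

A single failed hourly job is enough to push the achieved recovery point past a one-hour RPO, which is why the check uses the gap between successful backups rather than the schedule.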

Next, the impact analysis results in the recovery requirements for each critical function. Recovery requirements consist of the following information:

  • The business requirements for recovery of the critical function, and/or
  • The technical requirements for recovery of the critical function

Threat analysis

After defining recovery requirements, documenting potential threats is recommended to detail a specific disaster’s unique recovery steps. Some common threats include the following:

  • Disease
  • Earthquake
  • Fire
  • Flood
  • Cyber attack
  • Sabotage
  • Hurricane
  • Utility outage
  • Terrorism

All threats in the examples above share a common impact: the potential of damage to organizational infrastructure - except one (disease). The impact of diseases can be regarded as purely human, and may be alleviated with technical and business solutions. However, if the humans behind these recovery plans are also affected by the disease, then the process can fall down. During the 2002-2003 SARS outbreak, some organizations grouped staff into separate teams, and rotated the teams between the primary and secondary work sites, with a rotation frequency equal to the incubation period of the disease. The organizations also banned face-to-face contact between opposing team members during business and non-business hours. With such a split, organizations increased their resiliency against the threat of government-ordered quarantine measures if one person in a team contracted or was exposed to the disease. Damage from flooding also has a unique characteristic. If an office environment is flooded with non-salinated and contamination-free water (e.g., in the event of a pipe burst), equipment can be thoroughly dried and may still be functional.

Definition of impact scenarios

After defining potential threats, documenting the impact scenarios that form the basis of the business recovery plan is recommended. In general, planning for the most wide-reaching disaster or disturbance is preferable to planning for a smaller scale problem, as almost all smaller scale problems are partial elements o
