Business Continuity Planning Now Moves to Center Stage

By Scott McConnell, Kentucky

Since September 11 the need to be prepared for an event that would disrupt the continuity of your business operations should be more significant now than ever before. If there is some indecision within your organization about the need to be prepared for such an event, just ask some of your counterparts at the New York State Insurance Fund about their experiences.

Yes, it is true that the chances of another event similar to that September 11 affecting your business may be unlikely, but the causes of business interruptions are varied and they ultimately all have a negative effect on your organization.

The purpose of this article is to provide an overview and some common sense advice concerning the development and maintenance of a business continuity plan (BCP), some critical plan elements, and some common plan failures. My experience and role in the BCP process has been that of an auditor who has participated in or reviewed each phase of the BCP from development to testing.

Plan Components & Development

For any BCP to be successfully implemented there must be a commitment to the development and maintenance of the plan by management. Support for the plan must be unequivocal and understood throughout the organization. Resources must be dedicated in terms of capital and personnel.

To initiate the project, at least one person should be assigned the responsibility of plan development. This individual must establish a framework within which the plan will be developed that includes project timelines and budgets. Plan development assistance can be solicited from one of several vendors that specialize in BCP development. Assistance provided can range from simple consultation on how to initiate the project to assuming responsibility for the project. Software can also be purchased from vendors that assist in the development of the BCP.

One of the primary exercises that must be conducted during the BCP development process is to perform a business impact analysis. This analysis really provides the infrastructure of the BCP and in essence is an exercise in understanding your business. There are several goals associated with the analysis including identifying and quantifying organizational risks for business continuity, identifying critical business processes, determining maximum allowable downtimes for critical business processes, identifying the resources necessary to recover from an interruption, and quantifying the impact of an interruption to an organization.

Because business interruptions can range from something as minimal as a brief power outage to the complete destruction of a facility, this infrastructure must be detailed and it must be applicable to all interruption scenarios. It is during this phase of the BCP development that cooperation and support from staff is critical. The owners of the business processes must participate with enthusiasm knowing that management supports the BCP development effort.

After the infrastructure of the plan has been developed, an effort must be made to understand and document what business recovery strategies will be utilized for various types of interruptions. The primary factors that determine what recovery strategy will be employed is the length of time an interruption is expected to continue, whether or not the business premises and infrastructure can still be utilized, and the length of time an interruption can continue before risks to the organization in terms of financial loss, image degradation, or statutory non-compliance become unacceptable. Matching the correct recovery strategy to the business interruption is important for the recovery to be effective and efficient.

To this point, exercises in performing a business impact analysis, quantifying risk associated with the impact analysis, and defining appropriate recovery strategies have been performed. The BCP now needs to be implemented and personalized to the organization. Responsibility for recovery processes need to be understood and assigned on a role and personnel basis. Vendors that interact with your organization need to be identified and contact information documented. The plan needs to be disseminated to personnel in the organization so that responses to crisis situations will be uniform and understood.

After the development and implementation of the plan is complete, plan testing needs to be performed. Testing does not have to be an all-or-nothing proposition. On the contrary, to limit the disruptive effects of a BCP test, the test scope can be limited to a particular segment of the BCP. If testing is performed on a piecemeal basis, a rolling test schedule needs to be established to assure that all aspects of the plan are periodically tested. Regardless of scope, testing strategies and objectives should consider both the technical and administrative components of the plan and recovery strategy.

After the BCP has been established, it must be maintained. Just like plan development, the responsibility for plan maintenance must be assigned to an individual within the organization. Maintenance efforts must be consistent, follow an established schedule, and encompass both the technical and administrative components of the plan.

Critical Plan Elements

There are several plan elements that are absolutely critical to the success of a BCP.

• A data backup and management program must be established and maintained without failure;
• A variety of insurance coverages should be maintained in the appropriate amounts to provide financial support in the event of an interruption;
• Appropriate recovery facilities with the necessary infrastructure need to be available and contracted with for use;
• Complete and updated information with respect to the organization’s staff must be maintained; and
• Back-up procedures and infrastructure to facilitate communication with staff and customers must be established and transparent to both.

Maintaining the BCP in a current state of readiness is probably one of the most common plan failures encountered. Plan maintenance requires constant effort with respect to both the administrative and technical components of the plan. Another common problem is maintaining an appropriate level of plan awareness and preparedness with management and staff given the turnover ratios that are generally experienced. Inappropriate or inadequate plan testing is also a principle cause for plan failure.

Conclusion

The information presented in this article is limited and just begins to provide some of the details necessary to make informed business decisions with respect to the BCP development process. Much of what I have detailed is a direct result of my efforts to improve the business continuity plans of the organizations for which I have been employed.

With the advent of technology that is improved, more robust and more affordable, organizations now have options with respect to BCP recovery strategies that they have not had before. For example, some organizations are now opting to purchase redundant equipment and lease dedicated recovery facilities versus contracting for the right to share the use of a BCP vendor’s equipment and space.

Business continuity planning can be viewed as a necessary evil, but there is no doubt it is necessary. It is an insurance policy that we cannot afford to be without.

Download complete newsletter in PDF format

Home | About Us | Directory | News & Events | Library | Contact Us | Member Sign-in

Copyright © 2001-2002 American Association of State Compensation Insurance Funds.
All rights reserved.