The first few steps towards a business continuity management approach
can seem a very daunting task. Ian Dunlop provides some useful advice.

Picture the situation: you have just been landed
the job of ensuring your organisation has ‘business continuity’.
However, you don’t know the first place to start – what
to do, who to ask, and most importantly, how to go about it.

While it is tempting to bury your head in the
sand, it is important not to, as every organisation, no matter what
its size, needs to have some form of a business continuity
plan in place – especially with the increasing requirements
by direct or indirect regulation. It may well form part of the company’s
overall risk management approach, or a realisation that having an
IT-focussed disaster recovery plan only covers one aspect of business
continuity. One thing is for sure, taking the first few steps towards
a business continuity management approach can seem a very daunting

Some organisations manage to formulate ‘own
grown’ approaches, ranging from gleaning information from
the Internet to asking what friends in other organisations have
done. However, with limited resources, and more importantly, limited
time to create what seems like the impossible, using external experienced
consultants is a way to help you to put together plans and processes
in a realistic timescale and to a satisfactory level.

No matter what business continuity approach
you decide on, there are certain steps you can take to help to kick
start the process, and make sure that it becomes part of an organisation’s
culture. The following list is intended to give a high-level guided
approach that will at least start to build the solid foundation
for an effective business continuity management (BCM) process:
* It is essential to ensure that there is senior
management support and sponsorship before starting a business continuity
plan and it is important to get it on the board's agenda –
and to keep it there. In order to ensure the process does not stall,
the full support of the most senior committee of an organisation
is needed. One committee member needs to be the overall sponsor,
along with a clearly identified position for the initial project
management, as well as the ongoing drive and day-to-day management.
In addition, to keep dialogue about the issues at the forefront,
it is important to ensure that there is an agenda item relating
to business continuity at all meetings and also as part of the overall
risk management’s quarterly reports. It is also important to agree
and publish the organisational structure that will apply when an
incident occurs, and this should clearly indicate the command and
communication structure. It is worth remembering that, in an abnormal
situation, normal democracy does not always apply.
* The motives for business continuity management
within the organisation need to be clearly defined. These can vary
from industry regulation to pressure from suppliers or more importantly,
good risk management as required by corporate governance codes.
Consider the risks of not having a formalised business continuity
plan, e.g. fines from regulators, customers withdrawing orders and
so on. As with all processes, a balance needs to be achieved between
what is acceptable and cost effective and the overall organisational
overheads associated with any new or additional processes, especially
from an ongoing perspective.
* Ownership must be from the business perspective,
not only IT – and it must remain there. In many organisations,
business continuity management is seen purely as an extension of
the IT department’s disaster recovery process, and in many
people’s eyes it still is an IT process. However, business
continuity management, as the name suggests, is a management process
for the business, of which IT disaster recovery is one part.
It must therefore be owned by the business and, although
the actual work and management can be delegated, the authority and
* Business continuity management is not just
about creating a plan - progression and ownership should continue
after the initial planning stage. Equally, business continuity management
should not be seen as just ticking boxes, instead it must form part
of the whole culture of an organisation. The perception of business
continuity management is often ‘all I have to do is create
a plan’ with lots of information and what appear to be reasonably
valid action points, with little thought as to how it can be seen
through should disaster occur. But therein lies the
problem; how do you obtain the information, how valid is it, would
the action points really work, and so on. The correct approaches
must be followed, e.g. board ownership and sponsorship, business
impact analysis, risk assessment, agreed strategy and so on. The
result will be a living and breathing process, with regular reviews
and effective change and version control.
* It is important to identify:
- what are the critical processes you need to recover,
- within what minimum timeframes will recovery be required,
- what resources will be needed to implement business continuity
The business impact analysis mentioned above
will give the ability to identify the resources (equipment, staff,
systems etc.), and this needs constant reviewing and confirmation.
One review is not sufficient - the information received needs to
be continually challenged, and once agreement is reached, it is important
to ensure the process owners (business department heads or whoever)
sign the document off.
* You must identify how long you can survive
before the organisation needs to be back to normal operations -
this is largely from a financial perspective. The board (or equivalent)
will need to review and ratify what is acceptable to the organisation
as a whole once all the information is made available – and
only they can make those decisions.
* Look at what you may have already in respect
of alternative arrangements, e.g.:
- Dual site IT;
- Maintenance contracts;
- Other 3rd party arrangements;
- Manual workarounds;
- Other alternative working arrangements.
Sometimes it becomes apparent that existing
arrangements are not reviewed as part of the business continuity
management process. As an example, with a dual
IT site, some changes of equipment, software configurations
and locations can deliver a business continuity answer as well as
better resilience. When reviewing maintenance contracts, also
consider how long the organisation can wait for the repair before
it needs to invoke business continuity or disaster recovery arrangements
– and whether that ties in with the business expectations of when
services will be available again.
* Don't re-invent documentation - if it already
exists, reference it, store it in a common place (both electronically
and physically) and ensure change management/version control procedures
exist. It is all too easy to cut and paste from existing documents
into business continuity plans – but that immediately creates
the problem of two versions of the same words – and how do
you maintain them? Any document should have version control –
from simple (different numbers in filename; different date in footer)
to using file management systems. Having documents stored in common
directories (with controlled access) that are regularly copied offsite
physically (or burnt to CD or mirrored to another server) still
means that when disaster strikes, the relevant up-to-date documents
that are needed to assist in the recovery will always be available.
* Perceptions and assumptions need to be challenged,
managed and documented. While there is nothing wrong with perceptions
and assumptions, you need to be aware of them and how they will
be handled. As part of the business continuity management process,
perceptions need to be addressed by understanding what the real
issues are and assumptions need to be answered and dealt with wherever
possible and, if they cannot be, documented within the business continuity
management process (probably in the plans). At
all stages, there needs to be management understanding and awareness.
* KEEP IT AS SIMPLE AS POSSIBLE - if a business
continuity management approach varies too much from standard day-to-day
procedures, then when it comes down to that 2am call, it won't work.
This especially applies when writing plans and a common error is
to include tasks for a recovery process that are not actually part
of that process, or department’s normal working approach.
Identify who would deal with that particular item in normal working,
and ensure that it is part of their plan. There can still be a reference
to that item in the recovery plan, not as a specific action,
but as a confirmation that the action is being, or has been, taken.
* Document, exercise, review, amend and keep
at it! Business continuity management is a living, ongoing process
that will only be as good as the last time it was reviewed and exercised.
At least once a year the plans should be tested, but this depends
on the size and geographical locations of an organisation. A single
site may warrant a test once a year but, as an example, one
client with several sites around the UK is exercising one site’s
business continuity plans along with IT disaster recovery every
month – but they have built up to this over a number of years!
Start simple with desktop walkthroughs, telephone cascade checks
and build up to combined exercises, and if you feel brave enough,
unannounced full recoveries!
These pointers are to give you a guide on how
to start business continuity and an indication of what is involved.
The fact that you are looking at this article means that you are
investigating a recognised source of information, so keep on the
right track and we may well meet up!
Ian Dunlop is senior business continuity consultant
2nd September 2004 • Region: UK/World • Type: Article • Topic: BC