Monthly newsletter Weekly news roundup Breaking news notification    

How to prioritise the BCP effort with recovery timeframe objectives

Get free weekly news by e-mailDoug Kavanagh

An English proverb states, “A good beginning makes a good end.” It’s obvious and simple advice, but is sometimes forgotten in the business world, in particular in professions such as business continuity planning. BCP is often an under-funded afterthought that lacks a “good beginning.” Unfortunately, poor advanced planning can lead to a business continuity plan that provides a patchwork of false security.

To begin the planning process, a business impact analysis (BIA) should always be conducted. The BIA will identify processes or computing systems that may need continuity plans - in large, complex organisations, it may identify thousands of these processes and systems. If that is not intimidating enough, the people needed to document these plans may already be over-committed. This type of problem can occur in both small and large organisations and the public and private sectors. Organisations that have this type of problem are in the majority.

The BIA should provide recovery timeframe objectives (RTOs) for each process and the critical application systems needed to support the processes. The RTOs shouldn’t just be viewed as goals for recovery. In fact, RTOs can and should be used to prioritise the entire planning process.

First things first
In a perfect world, each department would assign a full-time business continuity planner that is responsible for assuring that plans are developed and tested to support the critical processes and supporting systems. However, our world is typically less than perfect! Therefore the planner must ask, “Who do I help first?” The answer should be, “The people with responsibility for creating plans for the most critical processes or systems.” In other words, the coordinator must identify the most critical plans needed, who will be developing those plans, and how severe the impact to the company would be if no plan existed when disaster strikes.

With an established RTO for each critical process and system, the planner can determine what efforts will provide the most benefit for the organisation. It is important to note that some key items will support the entire organisation including the development of risk mitigation strategies, the creation of an overall crisis management plan, the documentation and exercising of building evacuation plans, and the establishment of business continuity policy. For each of these the planner will work with departments such as property management, safety, security, human resources, and other business unit managers and these enterprise-wide plans should always be the first priority when writing continuity plans.

Crisis management plans for each business unit and a global plan for the entire organisation will support primary notification of management and identification of each critical process (as identified in the BIA). At the time of a disaster, these crisis management plans will support the adjustment of priorities for all processes and systems based on the current business conditions. These plans will be used to support management decision-making related to recovery resources that will be shared by departments when a disaster occurs. Building-centric continuity plans will contain evacuation procedures and provide for the safety of all employees. Most organisations already have these procedures in place because building owners and property management companies have responsibility for the safety of all building occupants.

The 30-day rule
Once the plans that support the entire organisation have been established, the planner must then concentrate on individual plans and procedures that support each department’s critical processes and required systems. With a small BCP organisation, attention should be focused on the plans that will provide the most benefit. Planners should follow the 30-day rule.

Recovery plans for departmental processes or supporting systems should be developed if:
* The process or system has an established RTO of less than 30 days, or
* The process or system is dependent on another process or system with an RTO of less than 30 days.

An organisation may have a vast number of processes within each business unit or department and should use an approach that will enable the development of detailed plans for the most critical processes first. This approach will support development of detailed plans for any process that must be restored in less than 30 days. (One potential issue with this described method of prioritising processes for plan development is that some interdependencies may not be discovered between processes until actual recovery requirements and procedures are developed.)

In order to determine which plans should be written and in what order, the following prioritisation steps should be followed:

1. Determine the critical processes for each business unit (from the BIA).
2. Input these processes (complete with RTOs and priorities) to BCP software.
3. Associate each process with the appropriate business unit crisis management plan.
4. Align critical processes within each RTO tier (zero days, 1-3 days, 4-7 days, 8-14 days, 14-29 days).

5. Within each tier assign a criticality rating (1-10); one should be reserved for processes or systems that are needed to support at least 25 percent of the revenue or critical services (e.g., life safety).
6. Identify known dependencies between processes and add those dependencies to the BCP software.
7. Identify owners of processes or systems in the shortest timeframe (zero days), and owners of processes and systems upon which these processes depend.
8. Identify what plan developer resources are available to support plan development for the zero day and dependent processes.
9. Coordinate and support the development of plans while using resources available.
10. If insufficient resources are available to support creation of multiple plans at once (e.g., one person needs to create procedures to support the recovery of 10 processes) then prioritise plan development by its criticality rating.
11. If some departments or business units do not have any plans that need to be developed supporting the zero day timeframe, identify the shortest RTO processes for those business units.
12. Support the development of plans for those processes, provided resources are available.
13. Continue to develop plans for processes where RTOs are the shortest until all critical processes and systems have procedures for recovery.

Filling in the gaps
In addition to prioritising the planning process, RTOs can also be used to determine the level of content required for a plan. For example, all RTOs of 15 to 29 days should have a plan that handles relevant employee protection mechanisms such as call trees, health and welfare issues, and their allocation to a pre-determined alternate site or stand-by mode.

Plans supporting RTOs of zero to 14 days should have requirements for pre-defined strategies (communication, locations, etc.), explicit teams and positions, task lists, recovery procedures, vendor management procedures (if required), and plan testing procedures. These plans may also require pre-positioned contingencies (e.g., stand-by equipment, work areas, and routable networks) to support the strategies.

Processes with an RTO of 30 days or more may not require a documented plan, but should at a minimum be subject to appropriate records management standards to assure the processes can be re-established within appropriate timeframes.

The BCP department, acting as the plan administrator and as the plan development support group, must clearly document the prioritisation approach at the business unit level. This documentation (typically in the form of a policy) should include the risks of pursuing a less than comprehensive approach. The overall policy will likely be the basis for audits of the business continuity program and auditors will scrutinise prioritisation of plan development as a measure of good governance.

While no plan can ever be considered foolproof, some are certainly better than others. The best involve advanced planning and a well-thought out process. Because, after all, with a good beginning, planners can help ensure a good end.

About the author
Doug Kavanagh has 23 years of experience in business continuity planning and is currently employed as a senior consultant with Strohl Systems, a global leader in BCP software and services. Kavanagh has helped organisations of all sizes in all industries build plans to help them survive disasters. He can be reached at DKavanagh@strohlsystems.com

DOWNLOAD PDF VERSION OF THIS ARTICLE

Date: 21st May 2004 •Region: N.America/World •Type: Article •Topic: BC plan d'ment
Rate this article or make a comment - click here



Copyright 2005 Portal Publishing LtdPrivacy policyContact usSite mapNavigation help