An English proverb states, “A good beginning
makes a good end.” It’s obvious and simple advice, but
is sometimes forgotten in the business world, in particular in professions
such as business continuity planning. BCP is often an under-funded
afterthought that lacks a “good beginning.” Unfortunately,
poor advanced planning can lead to a business continuity plan that
provides a patchwork of false security.
To begin the planning process, a business impact
analysis (BIA) should always be conducted. The BIA will identify
processes or computing systems that may need continuity plans -
in large, complex organisations, it may identify thousands of these
processes and systems. If that is not intimidating enough, the people
needed to document these plans may already be over-committed. This
type of problem can occur in both small and large organisations
and the public and private sectors. Organisations that have this
type of problem are in the majority.
The BIA should provide recovery timeframe objectives
(RTOs) for each process and the critical application systems needed
to support the processes. The RTOs shouldn’t just be viewed
as goals for recovery. In fact, RTOs can and should be used to prioritise
the entire planning process.
First things first
In a perfect world, each department would assign a full-time business
continuity planner that is responsible for assuring that plans are
developed and tested to support the critical processes and supporting
systems. However, our world is typically less than perfect! Therefore
the planner must ask, “Who do I help first?” The answer
should be, “The people with responsibility for creating plans
for the most critical processes or systems.” In other words,
the coordinator must identify the most critical plans needed, who
will be developing those plans, and how severe the impact to the
company would be if no plan existed when disaster strikes.
With an established RTO for each critical process
and system, the planner can determine what efforts will provide
the most benefit for the organisation. It is important to note that
some key items will support the entire organisation including the
development of risk mitigation strategies, the creation of an overall
crisis management plan, the documentation and exercising of building
evacuation plans, and the establishment of business continuity policy.
For each of these the planner will work with departments such as
property management, safety, security, human resources, and other
business unit managers and these enterprise-wide plans should always
be the first priority when writing continuity plans.
Crisis management plans for each business unit
and a global plan for the entire organisation will support primary
notification of management and identification of each critical process
(as identified in the BIA). At the time of a disaster, these crisis
management plans will support the adjustment of priorities for all
processes and systems based on the current business conditions.
These plans will be used to support management decision-making related
to recovery resources that will be shared by departments when a
disaster occurs. Building-centric continuity plans will contain
evacuation procedures and provide for the safety of all employees.
Most organisations already have these procedures in place because
building owners and property management companies have responsibility
for the safety of all building occupants.
The 30-day rule
Once the plans that support the entire organisation have been established,
the planner must then concentrate on individual plans and procedures
that support each department’s critical processes and required
systems. With a small BCP organisation, attention should be focused
on the plans that will provide the most benefit. Planners should
follow the 30-day rule.
Recovery plans for departmental processes or
supporting systems should be developed if:
* The process or system has an established RTO of less than 30 days,
* The process or system is dependent on another process or system
with an RTO of less than 30 days.
An organisation may have a vast number of processes
within each business unit or department and should use an approach
that will enable the development of detailed plans for the most
critical processes first. This approach will support development
of detailed plans for any process that must be restored in less
than 30 days. (One potential issue with this described method of
prioritising processes for plan development is that some interdependencies
may not be discovered between processes until actual recovery requirements
and procedures are developed.)
In order to determine which plans should be
written and in what order, the following prioritisation steps should
1. Determine the critical processes for each
business unit (from the BIA).
2. Input these processes (complete with RTOs and priorities) to
3. Associate each process with the appropriate business unit crisis
4. Align critical processes within each RTO tier (zero days, 1-3
days, 4-7 days, 8-14 days, 14-29 days).
5. Within each tier assign a criticality rating
(1-10); one should be reserved for processes or systems that are
needed to support at least 25 percent of the revenue or critical
services (e.g., life safety).
6. Identify known dependencies between processes and add those dependencies
to the BCP software.
7. Identify owners of processes or systems in the shortest timeframe
(zero days), and owners of processes and systems upon which these
8. Identify what plan developer resources are available to support
plan development for the zero day and dependent processes.
9. Coordinate and support the development of plans while using resources
10. If insufficient resources are available to support creation
of multiple plans at once (e.g., one person needs to create procedures
to support the recovery of 10 processes) then prioritise plan development
by its criticality rating.
11. If some departments or business units do not have any plans
that need to be developed supporting the zero day timeframe, identify
the shortest RTO processes for those business units.
12. Support the development of plans for those processes, provided
resources are available.
13. Continue to develop plans for processes where RTOs are the shortest
until all critical processes and systems have procedures for recovery.
Filling in the gaps
In addition to prioritising the planning process, RTOs can also
be used to determine the level of content required for a plan. For
example, all RTOs of 15 to 29 days should have a plan that handles
relevant employee protection mechanisms such as call trees, health
and welfare issues, and their allocation to a pre-determined alternate
site or stand-by mode.
Plans supporting RTOs of zero to 14 days should
have requirements for pre-defined strategies (communication, locations,
etc.), explicit teams and positions, task lists, recovery procedures,
vendor management procedures (if required), and plan testing procedures.
These plans may also require pre-positioned contingencies (e.g.,
stand-by equipment, work areas, and routable networks) to support
Processes with an RTO of 30 days or more may
not require a documented plan, but should at a minimum be subject
to appropriate records management standards to assure the processes
can be re-established within appropriate timeframes.
The BCP department, acting as the plan administrator
and as the plan development support group, must clearly document
the prioritisation approach at the business unit level. This documentation
(typically in the form of a policy) should include the risks of
pursuing a less than comprehensive approach. The overall policy
will likely be the basis for audits of the business continuity program
and auditors will scrutinise prioritisation of plan development
as a measure of good governance.
While no plan can ever be considered foolproof,
some are certainly better than others. The best involve advanced
planning and a well-thought out process. Because, after all, with
a good beginning, planners can help ensure a good end.
About the author
Doug Kavanagh has 23 years of experience in business continuity
planning and is currently employed as a senior consultant with Strohl
Systems, a global leader in BCP software and services. Kavanagh
has helped organisations of all sizes in all industries build plans
to help them survive disasters. He can be reached at DKavanagh@strohlsystems.com
PDF VERSION OF THIS ARTICLE
21st May 2004 •Region: N.America/World •Type:
Article •Topic: BC
Rate this article or
make a comment - click