RIM FUNDAMENTALS




How to Avoid Disaster: RIM's Crucial Role in Business Continuity Planning

Virginia A. Jones, CRM, FAI

Information Management, November/December 2011

The world has experienced a great deal of natural and man-made upheaval and destruction in the past few years, including tornadoes, hurricanes, earthquakes, tsunamis, floods, fires, uprisings, terrorist attacks, deliberate and accidental data breaches, and cyber attacks. Any organization that believes it is safe from loss due to a natural or man-made disaster is denying reality.

With the large number of high-profile disasters of the past decade, it is not surprising that the 2010 AT&T Business Continuity Study of 530 organizations found that 83% of the business executives who responded said their organization had a business continuity plan (BCP). However, 12% said they did not have a plan, and 5% were not sure. While most organizations are aware that a BCP is necessary to keep their business operational during and immediately following a disruptive event, not all agree on what the plan is or what it should include.

Understanding the BCP

Business continuity planning is part of a business continuity management (BCM) process that identifies potential risks and vulnerabilities and their impacts on an organization. It provides processes and procedures for mitigating risks and for responding effectively to a disruptive event in a way that safeguards the interests of the organization's key stakeholders, its reputation, brand, and value-creating activities. To be successful, BCM must be fully integrated across the entire organization as a required management process. BCM includes business continuity planning, which focuses mainly on incident response and, depending on the organization, can also include records and information security and risk management processes.

According to the Contingency Planning Guide for Information Technology Systems from the National Institute of Standards and Technology (NIST), a BCP is the documentation of a predetermined set of instructions or procedures that describes how an organization's business functions will be sustained during and after a significant disruption. It functions as a roadmap that can be followed when a disruptive event occurs.

BCP Goals

The goal of business continuity planning, as identified by the U.S. Federal Emergency Management Agency (FEMA), is to reduce the consequences of any disruptive event to a manageable level. The specific objectives of a particular organization's continuity plan may vary, depending on its mission and functions, its capabilities, and its overall continuity strategy. In general, according to FEMA, continuity plans are designed to:

- Minimize loss of life, injury, and property damage
- Mitigate the duration, severity, or pervasiveness of disruptions that do occur
- Achieve the timely and orderly resumption of essential functions and the return to normal operations
- Protect essential facilities, equipment, records, and assets
- Be executable with or without warning
- Meet the operational requirements of the respective organization. Continuity plans may need to be operational within minutes of activation, depending on the essential function or service, but certainly should be operational no later than 12 hours after activation.
- Meet the sustainment needs of the respective organization. An organization may need to plan for sustained continuity operations for 30 days or longer, depending on resources, support relationships, and the respective continuity strategy adopted.
- Ensure the continuous performance of essential functions and operations during an emergency, such as pandemic influenza, that requires additional considerations beyond traditional continuity planning
- Provide an integrated and coordinated continuity framework that takes into consideration other relevant organizational, governmental, and private sector continuity plans and procedures

A BCP concentrates on the core business functions: manufacturing processes, customer relations, client or patient interactions, research facilities, information technology infrastructure, and so on. Records and information management (RIM) is rarely included as a separate entity. Often, the RIM procedures that should be considered, such as information technology incident response, recovery procedures, and vital records protection, are not included in the overall plan and may need to be part of subsidiary plans. However, RIM has an important role in all aspects of risk mitigation, disaster response, and disaster recovery.

RIM's Role in the BCP

RIM contributes to an effective BCP in several ways:

- Records and information are a critical resource throughout the organization, not only as part of ongoing business processes, but also as a resource during a disruptive event.
- A current records and information inventory, including information systems and electronically stored information, is essential to implementing and maintaining a successful plan to identify and protect records.
- A documented records classification and retrieval system, with organized and well-indexed records, is critical to the timely and efficient resumption of operations following a disruptive event.
- A documented and established vital records program is essential for the protection and recovery of mission-critical records and for identifying those records required during a disruptive event.
- A manual that includes all RIM policies and procedures, including those for records retention and disposition, is an important reference for use throughout the organization.

Preparing to Write a BCP

Some preparation and data compilation must take place before a plan can be written and implemented. BCM relies on critical business process identification and risk management results to determine the various priorities, tasks, and procedures to include in the plan. Preliminary preparation for business continuity planning includes:

- Conducting a business impact analysis (BIA)
- Developing and implementing a risk mitigation plan
- Developing and implementing a vital records program (to identify and safeguard vital records, which are "fundamental to the functioning of an organization and necessary to continue operation without delay under abnormal circumstances," according to the Glossary of Records and Information Management Terms, 3rd Ed.)
- Determining the recovery time objective for records and information
- Identifying and analyzing business processes to best determine those that are mission-critical

Business Impact Analysis

The BIA looks at critical processes and considers the operational, financial, and other impacts and exposures for each part of the organization if a serious disruption to those processes occurs. It identifies those processes that must be resumed urgently and those that may be resumed later. It can determine the potential loss to the organization if a BCP is not in place and present recommendations to reduce or mitigate these losses, so it is an important step in the risk mitigation process. The BIA should also identify the minimum financial, human, and information resources needed to support the elements of the proposed plan. The ranking of the business processes also determines which records and information are necessary for those processes, and so plays an important role in the vital records identification process.

Risk Mitigation

BCM focuses on mitigating risks (defined by Dictionary.com as "the exposure to the chance of injury or loss") that the organization cannot absorb. Since it is a very expensive and resource-draining process to protect and recover everything, the organization must decide what cannot be fully protected, duplicated, or saved following an event. The cost of mitigating the risk of records and information loss must be weighed against the value of the information to the organization. This is done by determining the vulnerabilities of the records and by comparing the costs associated with the loss of the records and information against the cost of protecting or reconstructing them.

Some organizations may want to expend only the minimum resources to mitigate risk to one or more critical processes and accept the risk to the rest of the business. Other organizations may want to reduce as much risk as possible, no matter the cost. To achieve a cost and resource balance in risk mitigation, the organization must set its risk tolerance level, which is "the maximum exposure to risk (for a given type of risk or across all exposures) that is acceptable based on the benefits and costs involved," according to Managing Risk for Records and Information by Victoria L. Lemieux, Ph.D. The organization should link its risk tolerance and risk objectives to its business goals and objectives.

Vital Records Program

A records and information disaster results in the loss of records and information essential to the organization's continued operation. Consequently, a business continuity plan for records and information must include clearly identified vital records to best allocate resources for their protection and recovery. Accurate identification of vital information is critical because this information "establishes the legal status of the organization as a business entity, documents the assets and liabilities of the organization from a financial perspective, and documents the operations of the organization, which enable production processes or other work to be accomplished," according to Information and Records Management, by Mary F. Robek, Gerald F. Brown, and David O. Stephens.

In "Snap, Crackle & Pop," a 1985 Records Management Quarterly article, Richard E. Wolff wrote, "An effective vital records management program includes descriptions of all vital records necessary to protect assets and ensure continuity of business operations, documentation of procedures and practices followed to protect and restore these records, and adequate operating instructions to permit the effective use of selected records in an emergency." The vital records program should be incorporated as part of the overall BCP.

Types of Plans

One other preparation for developing a BCP is determining the type(s) of plan(s) to be implemented. Some organizations include all the policies, processes, and procedures in one general plan. Others prepare a general policy and plan that references subsidiary plans for specific types of incidents or for specific core functions, such as information technology. Specific plans more fully address response and recovery for different types of incidents, such as radiation leaks, earthquakes, floods, fires, server crashes, power outages, data breaches, or hurricanes. Sometimes recovery procedures are considered separate from the general BCP and also have their own referenced plans.
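The BIA, risk mitigation, and vital records sections above together describe one decision rule: protect a record set when the loss it avoids justifies the cost of protecting it, always protect vital records, and keep the total accepted exposure inside the organization's risk tolerance level, then resume records in recovery time objective order. The Python script below is an added worked example of that rule; it is not code from the article or from ARMA International. The record sets, probabilities, costs, and the risk tolerance figure are constructed for illustration, and the expected-loss formula (annual probability times outage cost plus reconstruction cost) is an assumption chosen for the example, not a formula the article gives.

```python
"""Added example: BIA-style protect/accept decision for a records inventory.

All record sets, figures and the expected-loss formula are constructed for
illustration; they are not from the article.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RecordSet:
    name: str
    vital_reasons: tuple      # why the set is vital (legal, financial, operational); empty = not vital
    rto_hours: float          # recovery time objective if protected (restore from copy/replica)
    rebuild_hours: float      # time to reconstruct from other sources if not protected
    loss_per_hour: float      # business impact per hour the records are unavailable
    annual_probability: float # estimated yearly chance of a destructive event (assumption)
    protect_cost: float       # annual cost of protection (offsite copies, replication, vaulting)
    rebuild_cost: float       # one-off cost of reconstruction

    @property
    def is_vital(self) -> bool:
        return len(self.vital_reasons) > 0

    def unprotected_loss(self) -> float:
        """Expected annual loss if the set is left unprotected (assumed formula)."""
        return self.annual_probability * (self.loss_per_hour * self.rebuild_hours + self.rebuild_cost)

    def residual_loss(self) -> float:
        """Expected annual loss that remains once protected: outage is limited to the RTO."""
        return self.annual_probability * self.loss_per_hour * self.rto_hours

    def mitigation_benefit(self) -> float:
        return self.unprotected_loss() - self.residual_loss()


def plan_protection(records, risk_tolerance):
    """Decide which record sets to protect and which risks to accept.

    Vital records are always protected; other sets are protected when the loss avoided
    exceeds the protection cost. If the accepted exposure still exceeds the risk
    tolerance, accepted sets are protected in order of largest benefit until it fits
    (or none remain). Returns (protected_names, accepted_names, total_exposure).
    """
    protected, accepted = [], []
    for r in records:
        if r.is_vital or r.mitigation_benefit() > r.protect_cost:
            protected.append(r)
        else:
            accepted.append(r)

    def exposure():
        return (sum(r.residual_loss() for r in protected)
                + sum(r.unprotected_loss() for r in accepted))

    accepted.sort(key=lambda r: r.mitigation_benefit(), reverse=True)
    while exposure() > risk_tolerance and accepted:
        protected.append(accepted.pop(0))

    return [r.name for r in protected], [r.name for r in accepted], exposure()


def recovery_order(records, protected_names):
    """Resumption order for protected sets: shortest RTO first, vital sets first on ties."""
    chosen = [r for r in records if r.name in protected_names]
    return [r.name for r in sorted(chosen, key=lambda r: (r.rto_hours, not r.is_vital))]


# Constructed inventory; every figure is illustrative only.
INVENTORY = [
    RecordSet("articles of incorporation", ("legal",), 4, 720, 50, 0.02, 1_200, 20_000),
    RecordSet("general ledger", ("financial",), 8, 240, 400, 0.05, 6_000, 80_000),
    RecordSet("customer order database", ("operational",), 2, 120, 1_500, 0.05, 15_000, 200_000),
    RecordSet("employee expense receipts", (), 48, 96, 20, 0.05, 3_000, 5_000),
    RecordSet("marketing drafts", (), 72, 40, 5, 0.05, 2_500, 1_000),
]

if __name__ == "__main__":
    protect, accept, total = plan_protection(INVENTORY, risk_tolerance=500)
    print("protect:", protect)
    print("accept risk:", accept)
    print("expected annual exposure:", round(total))
    print("recovery order:", recovery_order(INVENTORY, protect))
```

Run as written, the three vital sets are protected outright, the two non-vital sets are first accepted on cost grounds (their protection costs more than the loss it avoids), and the expense receipts are then pulled back into the protected set because the accepted exposure of 720 per year exceeds the tolerance of 500; the resumption order follows the recovery time objectives, shortest first. Changing the tolerance to 10,000 leaves both non-vital sets as accepted risk, which is the "minimum resources" posture the article describes.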

National and International Standards Provide a Foundation for Protection

International Organization for Standardization
- ISO 15489-1:2001 Information and documentation - Records management - Part 1: General
- ISO/TR 15489-2:2001 Information and documentation - Records management - Part 2: Guidelines
- ISO/IEC 27002:2005 Information technology - Security techniques - Code of practice for information security management

National Fire Protection Association
- NFPA 232: Standard for the Protection of Records, current edition 2012
- NFPA 75: Standard for the Protection of Information Technology Equipment, current edition 2009
- NFPA 909: Code for the Protection of Cultural Resource Properties - Museums, Libraries, and Places of Worship, current edition 2010
- NFPA 1600: Standard on Disaster/Emergency Management and Business Continuity Programs, current edition 2010

ARMA International
- ANSI/ARMA 5-2010 Vital Records Programs: Identifying, Managing, and Recovering Business-Critical Records

Creating a BCP

Once the preparations are completed, developing the plan can begin. The process of developing a BCP varies for each organization depending on its business functions, risk tolerance level, the types of plan or subsidiary plans it is developing, and the amount of resources it is willing to assign to the process.

Steps to Follow

In general, the development of a BCP should include the following steps:

1. Establish a planning team. This includes appointing an owner for the plan and for each subsidiary plan, and includes representation for all departments or core functions.
2. Conduct a BIA.
3. Decide on the structure, format, components, and content of the plan, and determine the circumstances that are beyond the scope of the BCP.
4. Identify preventive controls.
5. Create contingency strategies. Determine the strategies the plan will document and what will be documented in other plans.
6. Determine the response strategy.
7. Determine the recovery strategy.
8. Establish the vital records plan and an information systems plan.
9. Gather information to populate the plan.
10. Draft the plan.
11. Circulate the draft of the plan for consultation and review.
12. Gather feedback from the consultation process.
13. Amend the plan as appropriate.
14. Review and update the plan.
15. Approve the plan and train personnel.
16. Test the plan.
17. Schedule ongoing exercises to ensure that the plan is maintained and remains current.

Contents to Include

Each BCP and any subsidiary plans should include, at a minimum, the following elements:

- A policy statement
- Roles and responsibilities: who is responsible for doing each task or group of tasks, what the chain of command and composition of the crisis team are during an event, and who is ultimately responsible for initiating the response and/or recovery processes
- Continuity or succession of authority: a clear statement of alternates for when key responsible persons are unavailable
- Financial or funding information, including personnel expenses, operational expenses, material and supply expenses, ongoing costs, and contingency funding
- Task organization: what tasks must be done and in what order
- Information distribution procedures
- Results of the BIA and appropriate elements from the vital records program and the information systems plan
- Response procedures
- Recovery procedures (if relevant to the BCP)
- Training programs
- Testing procedures (used to review and update procedures)
- Communications directory
- Damage assessment procedures

Testing the BCP

No BCP is successful without testing. The time to find out that some BCP concepts do not work is not while a disruptive event is occurring. There are several methods of testing plans, including two that are recommended by FEMA:

Discussion-based exercises include seminars, workshops, tabletop exercises, and games. They highlight existing plans, policies, mutual aid agreements, and procedures, and they are tools to familiarize organizations and personnel with an entity's current or expected capabilities. Discussion-based exercises typically focus on strategic, policy-oriented issues. Conducting these exercises does not create a large-scale disruption of daily routine and productivity.

Operations-based exercises include drills, functional exercises, and full-scale exercises. They are characterized by actual response, mobilization of apparatus and resources, and commitment of personnel, and are usually held over an extended period of time. Operations-based exercises can be used to validate plans, policies, agreements, and procedures.

Each test should include an evaluation of the test results and identification of weaknesses and lessons learned. These, in turn, are used to revise the plan. Once the organization is comfortable with all revisions, it can then approve and implement the plan.

Maintaining the Plan

A BCP is not a static document. Changes in core business functions, business locations, technology infrastructure, and other circumstances will require additional considerations and revisions of the plan. The BCP should be reviewed and tested at least yearly, and attention should be paid to any business elements that have been added since the last review.

An organization's annual testing of the program, according to FEMA, should include:

- Alert, notification, and activation procedures, with recommended quarterly testing of such procedures for continuity personnel
- Recovery of vital records (classified and unclassified), critical information systems, services, and data
- Primary and back-up infrastructure systems and services (e.g., power, water, and fuel), tested at continuity facilities
- Required physical security capabilities
- Equipment to ensure the internal and external interoperability and viability of communications systems, through quarterly testing of the continuity communications capabilities (e.g., secure and non-secure voice and data communications)
- Capabilities required to perform an organization's essential functions
- Formal documentation of tests and reporting of their results
- Internal and external interdependencies identified in the organization's continuity plan, with respect to performance of the organization's and other organizations' essential functions

Arriving at the Best Solution

Each organization's business continuity solution must rely on its unique impact and risk analyses. The best solution for business continuity planning and management will consist of the right mix of internal controls and tools with outsourced services that will meet the organization's requirements for managing the physical, technological, legal, regulatory, and human resource aspects of business continuity.

Virginia A. Jones, CRM, FAI, can be contacted at vjones@nngov.com. See her bio on page 47.