FORMULATING YOUR BUSINESS CONTINUITY PLAN

Similar documents
Why Should Companies Take a Closer Look at Business Continuity Planning?

Clinic Business Continuity Plan Guidelines

Mastering Disaster A DATA CENTER CHECKLIST

Federal Financial Institutions Examination Council FFIEC. Business Continuity Planning BCP MARCH 2003 MARCH 2008 IT EXAMINATION

Clinic Business Continuity Plan Guidelines

BUSINESS CONTINUITY PLAN

Business Continuity and Disaster Recovery Planning

Federal Financial Institutions Examination Council FFIEC BCP. Business Continuity Planning FEBRUARY 2015 IT EXAMINATION H ANDBOOK

11 Common Disaster Planning Mistakes

Disaster Recovery Plan

PAPER-6 PART-3 OF 5 CA A.RAFEQ, FCA

What You Should Know About Cloud- Based Data Backup

PPSADOPTED: OCT BACKGROUND POLICY STATEMENT PHYSICAL FACILITIES. PROFESSIONAL PRACTICE STATEMENT Developing a Business Continuity Plan

Business Continuity and Disaster Recovery Planning

Interactive-Network Disaster Recovery

Preparing for the Worst: Disaster Recovery and Business Continuity Planning for Investment Firms An Eze Castle Integration ebook

TO AN EFFECTIVE BUSINESS CONTINUITY PLAN

Business continuity plan

EMERGENCY PREPAREDNESS PLAN Business Continuity Plan

Table of Contents... 1

How to Prepare for an Emergency: A Disaster and Business Recovery Plan

Business Continuity Planning in IT

Disaster Recovery Planning

White Paper AN INTRODUCTION TO BUSINESS CONTINUITY PLANNING AND SOLUTIONS FOR IT AND TELECOM DECISION MAKERS. Executive Summary

Managing business risk

Business Continuity Planning (800)

Andres Llana, Jr. INSIDE. Upper Management s Role; Delegating Responsibilities; Minimum Plan Outline; Business Impact Analysis

Continuity of Operations Planning. A step by step guide for business

Business Continuity and Disaster Survival Strategies for the Small and Mid Size Business.

Oracle Maps Cloud Service Enterprise Hosting and Delivery Policies Effective Date: October 1, 2015 Version 1.0

DISASTER RECOVERY Steps You Need to Take (Before It s Too Late)

Disaster Recovery and Business Continuity Plan

Interagency Statement on Pandemic Planning

NEEDS BASED PLANNING FOR IT DISASTER RECOVERY

Testimony of. Edward L. Yingling. On Behalf of the AMERICAN BANKERS ASSOCIATION. Before the. Subcommittee on Oversight and Investigations.

Ohio Supercomputer Center

Creating a Business Continuity Plan for your Health Center

Running head: COMPONENTS OF A DISASTER RECOVERY PLAN 1

Business Continuity Glossary

Information Security Management: Business Continuity Planning. Presentation by Stanislav Nurilov March 9th, 2005 CS 996: Info. Sec. Mgmt.

DISASTER RECOVERY PLANNING GUIDE

Guideline on Business Continuity Management

Unit Guide to Business Continuity/Resumption Planning

Cisco Disaster Recovery: Best Practices White Paper

Disaster Recovery 81 Success Secrets. Copyright by Michelle Stein

Disaster Recovery Plan (DRP) / Business Continuity Plan (BCP)

Business Continuity and Disaster Recovery Planning from an Information Technology Perspective

Disaster Recovery and Business Continuity What Every Executive Needs to Know

Disaster Recovery. 1.1 Introduction. 1.2 Reasons for Disaster Recovery. EKAM Solutions Ltd Disaster Recovery

THE CXO S GUIDE TO MANAGING EXPANSION... WHILE CONTROLLING COSTS & COMPLIANCE CONSIDERATIONS

Matthias Machowinski, Directing Analyst for Enterprise Networks and Video, Infonetics Research, 20152

BUSINESS CONTINUITY PLAN OVERVIEW

Success or Failure? Your Keys to Business Continuity Planning. An Ingenuity Whitepaper

Workforce Solutions Business Continuity Plan May 2014

CONTINUITY OF OPERATIONS PLAN TEMPLATE

Temple university. Auditing a business continuity management BCM. November, 2015

Planning and Implementing Disaster Recovery for DICOM Medical Images

Building and Maintaining a Business Continuity Program

How to write a DISASTER RECOVERY PLAN. To print to A4, print at 75%.

HA / DR Jargon Buster High Availability / Disaster Recovery

IT Disaster Recovery and Business Resumption Planning Standards

Intel Business Continuity Practices

How To Manage A Business Continuity Strategy

GUIDELINES FOR BUSINESS CONTINUITY IN WHOLESALE MARKETS AND SUPPORT SYSTEMS MARKET SUPERVISION OFFICE. October 2004

Assessment of natural hazards, man made hazards, technical and societal related risks and associated impact.

The University of Iowa. Enterprise Information Technology Disaster Plan. Version 3.1

Disaster Recovery Strategies

Mass Casualty Incident Management. Whitepaper By

5 Essential Benefits of Hybrid Cloud Backup

SUPERVISORY AND REGULATORY GUIDELINES: PU BUSINESS CONTINUITY GUIDELINES

Boston Financial Data Services Business Continuity Executive Summary. November 2009

Building a strong business continuity plan

Colocation Hosting Primer Making the Business and IT Case for Colocation

a Disaster Recovery Plan

Business Continuity Planning (BCP) / Disaster Recovery (DR)

Disaster Preparedness Plan. "[Click Here and type your Company Name]" Prepared By: Date:

Risk Management Guidelines

NCUA LETTER TO CREDIT UNIONS

CISM Certified Information Security Manager

BACKUP ESSENTIALS FOR PROTECTING YOUR DATA AND YOUR BUSINESS. Disasters happen. Don t wait until it s too late.

Financial Services Need More than Just Backup... But they don t need to spend more! axcient.com

Transcription:

WHITE PAPER Page 0 Planning for the Worst Case Scenario: FORMULATING YOUR BUSINESS CONTINUITY PLAN 9 Wing Drive Cedar Knolls, NJ 07927 www.nac.net

Page 1 Table of Contents Overview... 2 What is Disaster Recovery?... 2 What Is Business Continuity?... 2 What is Business Continuity Planning?... 3 Business Continuity Planning Vs Disaster Recovery Planning... 3 The Planning Process... 4 Identifying Potential Disasters... 4 Employee Availability... 5 Workplace Accessibility... 5 IT Infrastructure Availability... 6 Data Accessibility... 7 Communication... 7 Communicating the Plan... 8 Evaluating the Plan... 8 Maintaining the Plan... 9 Conclusion... 9

Page 2 Overview Disasters are an unavoidable fact of everyday business. They come in all sizes, and usually without notice. Disasters can be caused by natural means, such as an earthquake or hurricane, they might be caused by accident, such as a fire or flood, and they may also be man-made, such as acts of war or terrorism. And in the business operations world, disaster has an expanded meaning, including events such as equipment failures, security breaches, and even labor strikes, as we have seen from telecommunications and energy providers in recent years. But in any case, a disaster is an unplanned event which has the potential to critically disrupt business operations, no matter the business size. When a disaster strikes, decisions concerning business operations must often be made at a moment s notice. And if the wrong choices are made, the consequences could be severe. There is no single best practice approach to disaster preparedness, and since technologies and capabilities are always evolving, thee plans cannot remain static. This paper offers an overview of the business continuity planning process and outlines some general issues that should be considered by any business preparing for unexpected disruptive events. What is Disaster Recovery? The notion of disaster recovery is all about the strategy used to minimize the effect of disruptions and restore mission-critical business functions after a disaster event. The event might be something huge-like an earthquake or the terrorist attacks on the World Trade Center-or something small, like malfunctioning software caused by a computer virus. Disaster recovery generally involves discussions of recovery point objectives (RPOs) and recovery time objectives (RTOs) along with the hardware, software and practices needed to achieve those objectives. Disaster recovery best practices dictate that plans are created to backup and restore technology assets, but the rest of your business should have a backup plan too. What Is Business Continuity? Business Continuity is the capability of a business to continue delivery of products or services at acceptable levels following a disruptive event. It includes proactively devising plans and

Page 3 strategies regarding the company s people, process and systems that can be quickly implemented to ensure that critical business functions will either continue to operate, or will be recovered to an operational state within a reasonably short period. What is Business Continuity Planning? In the event of a disaster, having a business continuity plan in place can mean the difference in survival. The term Business Continuity Planning refers to forward-thinking businesses putting procedures in place to ensure that they can resume operations as smoothly and quickly as possible during and after a disaster event, and to putting contingency plans in place to reduce the impact of damage and mitigate losses. It gives businesses a solid framework to lean on in times of crisis and provides stability and security. Business Continuity Planning starts with a company identifying its key products and services, and the most critical activities and employees that underpin them. This is a comprehensive, long term approach involving not just data and IT infrastructure contingencies, but also planning for disruptions to physical company facilities and equipment. This includes items like protecting all internal and external data and records, protecting physical items like inventory, and how and where the business will operate if it is forced to move to a temporary location. It identifies the long-term, crucial strategies that are needed to ensure that the business maintains stability and generates profits. These plans also contain a human element, addressing potential personnel disruptions including illness or departure of key staffers, supply chain partner problems or larger items like labor slowdowns or walkouts by employees or key business partners. Business Continuity Planning Vs Disaster Recovery Planning Disaster Recovery Planning is oriented towards business recovery following a disaster, and mitigating the negative consequences of a disaster. In contrast, Business Continuity Planning is more proactive, focusing on creating a plan of action that would prevent the negative consequences of a disaster from occurring at all. As such, Business Continuity Planning is more holistic than Disaster Recovery Planning, because it looks not just at a specific event and its immediate aftermath, but at the implications of a wide range of potential scenarios from catastrophic disasters to critical malware infections. Business Continuity Planning is the set of activities required to ensure the continuation of critical business processes when a disaster occurs. Disaster Recovery Planning is the set of activities concerned with the assessment, salvage, repair, and restoration of damaged facilities and assets that support critical business processes.

Page 4 The Planning Process At its heart, Business Continuity Planning is about constant communication, and coordination is key. Developing a plan requires coordination across multiple organizations within a company for both planning and execution. It requires a commitment of time and energy from senior management over three different phases, initial planning, maintenance of the plan, and review of the plan s effectiveness. And budget also plays a vital role in the process, because organizations will likely need to allocate monthly or annual funds for support. Three key areas that every Business Continuity Plan must address: Resiliency Ensure that critical business functions and the supporting infrastructure are designed and engineered in such a way that they are unaffected by most disruptions. Recovery - The plan must articulate the steps that should be taken to recover or restore critical and less critical business functions that fail for some reason. Contingency- a last-resort response if resilience and recovery arrangements should prove inadequate. This includes alternative plans for infrastructure, equipment, facilities (including office space) and even employees. All plans need to encompass how employees will communicate, where they will go and how they will keep doing their jobs. The details can vary greatly, depending on the size and scope of a company and the way it does business. For some businesses, issues such as supply chain logistics are most crucial and are the focus on the plan. For others, information technology may play a more pivotal role, and the plan may have more of a focus on systems recovery. A critical point is that the physical, IT and human resources plans cannot be developed in isolation from each other. Business, security and IT leaders need to work together to determine what type of plan is necessary and which systems and business units are most crucial to the company. Together, they should decide which people are responsible for declaring a disruptive event and mitigating its effects. Most importantly, the plan should establish a process for locating and communicating with employees after such an event. In a catastrophic event, the plan will also need to take into account that many of those employees will have more pressing concerns than getting back to work. Identifying Potential Disasters Rather than focus specifically on the wide range of possible disaster types, Business Continuity Planners should look more towards outcome the means by which a disaster affects a business. The vast majority or disasters damage a business ability to function by affecting one or more of:

Page 5 Employee Availability Workspace Accessibility IT infrastructure Availability Data Accessibility Communications Employee Availability Employees are the lifeblood of any company, but what if they cannot physically make it to the office? There are a number of factors that affect employees ability to report to work. Road flooding, transit strikes, union labor walkouts, severe weather conditions and even disease outbreak are all examples. These issues are unique in that they may only affect certain segments of a business rather than the whole. Most successful businesses have a well-defined organization chart hierarchy of communication and responsibility, so when key employees are out of the office that chain of command can break down and the organization can grind to a halt. Initial Business Continuity Planning Goals: 1. Identify, as accurately and comprehensively as possible, disasters that might occur, and the likelihood of encountering them. 2. Determine how, and to what degree, each of those disasters will impact the business. 3. Formulate a plan of action for each disaster to get the business up and running again as quickly as possible. In addition to clearly defining roles and responsibilities under normal operating conditions, many businesses also designate secondary or even tertiary responsibilities so that if a key employee is unavailable, another is able to seamlessly step in. For this line of succession to be effective, employees must know who to turn to when the main employee is unavailable. It s also important to keep in mind that employees who are expected to fill in for other positions will need to receive training in those positions. Workplace Accessibility Disasters that affect workplace accessibility are often caused by events that are generally thought of as disasters fire, floods, earthquakes, or other less severe events like blackouts, gas leaks or construction accidents. What happens if one or all of a company s office locations become inaccessible? Or if travel to an office location is compromised? These disasters affect a business in a fairly straightforward manner employees cannot work without a place to do so. Are key employees equipped to work at home at a moment s notice? Relocating people and operations is crucial to getting all business back up and running as soon as possible, but the people aspect is unfortunately minimized in most plans.

Page 6 There are a number of actions businesses can take to minimize the effects of losing office space in a disaster. Moving data and communications infrastructure to an off-site data center is one of the most effective. By moving key servers, systems and databases into the cloud employees can have secure access to mission-critical applications and data from remote locations. Likewise, for phone intensive business, utilizing a virtual hosted IP telephony system allows businesses to re-establish communications quickly after a disaster. Taking that idea to a logical extreme, by utilizing mobile solutions wherever possible laptops rather than desktop computers, mobile or IP phones rather than traditional land lines, and cloud-based services if a business office were to become completely inaccessible, employees could continue working from elsewhere. If working at home is not an option for a company, third party business continuity centers offer a great solution. They provide move-in ready office space at secure location with backup power and redundant network connectivity. This gives companies a place for their employees to work, even during a disaster which disrupts the power grid and network communications. These facilities often have reasonable long- and short-term lease options, and offer dedicated and shared (first-come, first-served) options. Researching and evaluating those office spaces in advance, and having a just in case agreement in place, can make an enormous difference in the amount of time it takes a business to resume operations after a disaster. IT Infrastructure Availability Equipment failure - from servers to printers to physical plant machines - could occur as the result of a natural disaster, but also could be caused by things like irregularities in the electrical supply and age. Losing this equipment can cause a great deal of grief in terms of data loss. However, a more direct effect lies in equipment replacement cost. A business that maintains its own equipment should document which equipment is essential versus unessential. Essential equipment should have a specific person (as opposed to a department) assigned to maintain the equipment and be responsible for it. That person should be aware of the equipment's location at all times and its cost of replacement. A more proactive solution is to maintain as little equipment as possible on the premises. Most essential business equipment is related to data processing, data storage, data retrieval, and communications. These functions can be accomplished with great efficiency, and often more cost-effectively, via outsourcing. Third party data center providers operate facilities are specifically built to house IT infrastructure, with redundant power supplies, cooling and network connectivity. Companies can rent space in these centers to co-locate their equipment, and have the option to maintain it themselves, or utilize the data center s support team to manage it.

Page 7 Virtualization is another option, where a business outsources their entire infrastructure, and its management, to a cloud provider. Cloud computing also moves financial expenditures from CAPEX to OPEX, and ensures that all equipment is state-of-the-art. Either way, equipment and key infrastructure, loss of equipment becomes one less continuity challenge to worry about. Data Accessibility Best practices for dataintensive business include: Back all data up on a regular basis Utilize onsite backup and offsite backup Include redundancy in your backup solution Prioritize your data back up some more frequently than others Paper documents should be digitized and stored electronically For many businesses, the loss of data means the loss of business. Transactional data, such as past and pending orders, customer information, billing records and accounting data, are critical parts of a business s ability to function. Administrative data, such as payroll and human resources information, are vital to the internal operations of a business. For many companies, this data would be nearly impossible to recreate. If the data became irretrievable, the business would be devastated. The two biggest causes of data loss are equipment failure and loss of workspace. A backup solution with built-in redundancy helps reduce the likelihood of a general equipment failure causing significant data loss. Storing all data remotely off-site (secondary office, third-party data center or remote storage specialist) reduces the likelihood that a disaster that destroys the workplace will also destroy business data. Off-site storage via the cloud also enables data to be accessed from anywhere so that if a business is forced to relocate suddenly, data access can be resumed with little delay or expense. Communication For any business, communications is an absolute necessity, and any disruption has significant effects. Communication can be impacted by disasters to workplace accessibility, or equipment operation. Business communications can be broadly divided into two categories: internal and external. Internal communications are necessary for coordination of projects between departments or geographically spread out organizations, and between regional offices. Of the two types of communication, the latter is the easiest to address should problems arise. External communications encompass all communications between the company and the outside world. This would include, for example, communications with customers, clients, suppliers, distribution partners, and outsourced contractors. It could be a website, email, or the customer

Page 8 service 1-800 phone number. Losing the ability to communicate externally makes it impossible to do business in any meaningful way. Re-establishing internal communications can be accomplished with relative ease, as most people maintain several personal means of communication. Maintaining a list of secondary contact methods for employees, such as personal cell phones, e-mail addresses or even social media accounts, is a simple exercise, but could prove vital during an emergency. External communications are more difficult to re-establish under adverse conditions. While using personal accounts and phones for communication between employees is acceptable, using personal phones to interact with customers or suppliers is generally considered inappropriate. Dire situations may force a business to relocate to a new office space and/or change phone numbers. In this case, the only real option is to preemptively contact clients, suppliers, and others who communicate regularly with the business to inform them of the changes in contact information. A preemptive solution is to utilize communications infrastructure that is more robust, and resistant to interruption. For instance, utilizing a mobile internet protocol or cloudbased communications platform makes relocating or rerouting the communications network without interrupting operations simple. Whether employees are working from home, a temporary office space, or a new permanent office, their telephone numbers and contact methods remain the same. Communicating the Plan Any plan is only as good as the people that implement it. Only when employees know their role and are confident in their ability to perform can business continuity plans be considered effective. This, once all potential disaster scenarios have been identified, and procedures have been documented, it is important that all employees are notified and trained. Effective employee training should address the following: Reasons the plan was put in place Circumstances under which the plan should be followed Each employee s specific role within the plan Anticipated issues under certain circumstances, and how plan intends to solve those problems Evaluating the Plan Business continuity plans are designed to accomplish one goal allowing a business to resume operations as quickly as possible after a disaster. Given the number of possible disasters to plan

Page 9 for, and the various ways they can be addressed, evaluating a business continuity plan can seem a complex undertaking. Evaluation of the Business Continuity Plan effectiveness is only necessary, and only possible, after the plan has been put into effect. After an identified disaster has occurred, and after the plan has been used to address the disaster. It is important to review the plan in order to determine its effectiveness in returning business operations back to normal. In actuality, the evaluation is simple. How quickly was the business able to resume normal operations, and is there a way to improve that outcome? Answering those two questions is often the only evaluation necessary. The review should generally be approached from the perspective of seeking the positive aspects of the plan, rather than extensive focus on where the plan failed. Maintaining the Plan Maintenance of the Business Continuity Plan consists of employee training in various aspects of the plan and regular review of the plan to ensure it reflects the current structure and operations of the business. Over time, a business can change drastically. People, processes and systems change on a regular basis, and a plan that was effective two years ago can be obsolete today. Although the types of disasters that can disrupt a business are unlikely to change drastically, the way those disasters might affect the business and the manner in which the business should respond could change drastically. At a minimum, the Business Continuity team should meet at least once a year to review the plan, but team members should be empowered to propose modifications to the plan as warranted. Conclusion It s always beneficial to plan for the worst case scenario. In life and in business there are things you can control, and some things that you can t. Disasters in the business sense can take many forms, and by definition are generally unexpected. Proactively planning ahead to address potential disasters is an absolute necessity. Formulating a Business Continuity Plan helps a business account for many specific situations, but allows them to remain flexible enough to deal with unanticipated situations. Successful business continuity planning requires an investment of time and other resources in the initial development stage, but also during maintenance and revision of the plan. One of the most effective ways for a business to disaster proof itself is to virtualize its IT infrastructure by utilizing resources like third party data centers, cloud providers and business continuity workspace facilities. These resources all separate critical functionality from the

Page 10 physical location of the business. The separation makes it easier to reestablish functionality after a serious disaster. In more general terms, the key to developing an effective business continuity plan is to assess the potential effects of various disasters, then formulate effective methods for minimizing those effects. Developing a business continuity plan requires time, effort and other resources. Compared to the cost of halted business operations due to a disaster, business continuity planning is well worth the effort. Again, it s always beneficial to plan for the worst case scenario. For enterprises and organizations who depend on the 24x7x365 availability of their vital IT infrastructure, Net Access provides a single source for the highest quality, most innovative and reliable technology services and solutions.

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information