SlideShare a Scribd company logo

Business Continuation The Basics

G
guest13df88e8

Business Continuation The Basics

BusinessTechnology
1 of 8
Download to read offline
Business Continuation – The Basics Terminology The terms Disaster Recovery and Business Continuation / Business Continuity are sometimes used inter- changeably. However, the terms have two very different contexts. In the early days of data processing the mainframe computer was usually housed in a large room with very large windows so everyone could see the computer. This led to the term “Glass House”. The term “Disaster Recovery” originally was associated with restoring the “Glass House” environment. Now the term “Disaster Recovery” is commonly related to the restoration of the IT infrastructure and its many technical components. In today’s complex business work environment we not only have to take the “Glass House” into consideration, but also the client / server computer networks (which are spread all over the place). In today’s complex business environment there is also a particular focus on restoring a business unit’s processes and that is commonly referred to as “Business Continuation” or “Business Continuity”. Business Continuation also involves work-area space and needed facilities (i.e., desks, chairs, telephones, office supplies, etc.). Another very important aspect of Business Continuation, which is sometimes overlooked, is the human factor – the business unit staff who will actually perform the recovery of the business unit’s processes. What is a disaster? When asked about disasters most people normally think of fires, floods, tornadoes, earthquakes, and airplane crashes. These are certainly disasters. However, there are other types of events that many people don’t normally think of, but they can certainly be deemed a disaster too: A building is evacuated because of a gas leak. The building and all its contents are undamaged, but the building and all its contents are placed off-limits. A disgruntle employee sabotages essential computer hardware / software / data. A database becomes hopelessly corrupted. A person digging a ditch with a backhoe cuts a fiber optic cable. Network communications are disrupted. An employee downloads a file from the internet. The file just happens to be infected with a computer virus. The virus is unintentionally introduced into the company’s network and causes a multitude of significant problems. Major portions of the IT infrastructure has to be taken off- line during the cleanup process. So, with all this variety taken into consideration, the classic definition of a disaster is: an event, of significant proportion, that disrupts normal business activities for an extended period of time. Disasters occur everyday in varying degrees of magnitude. Sometimes there is little or no warning. Sometimes there is little, if anything, that you can do to prevent them. However, you and your company do have control over how you can prepare for a disaster. Page 1 of 8 Copyright 2009 All Rights Reserved. Business As Usual, Inc.
Why do we need Business Continuation? It should be fair to say that most operating companies would like to remain just that – operational. However, statistics have proven that a company experiencing a disaster without a Business Continuation Plan (Plan) usually ceases operating in a relatively short period of time. A prime reason for going out of business is lost computer data. Without critical computer data (i.e., Accounts Receivable, Order Entry, etc.) a company quickly loses its business focus. At least with a Plan a company can cripple along with its few critical processes. This buys time to determine the extent of the damage and to estimate the length of the outage. If you can’t take care of your customers while experiencing a disaster, your competition most certainly will. Once a customer is lost, it is extremely difficult to get them back. For publicly owned companies, the fiduciary duty to protect the business and corporate assets continues to gain legal standing. Senior management may be vulnerable to stockholder’s litigation if reasonable and prudent steps have not been taken to address risks that may threaten the company’s continued operation. In some industries, primarily financial institutions, the Federal Government has mandated that Business Continuation Programs be established and maintained. How is a Business Continuation Strategy developed? A Business Continuation Strategy can be described as a program (a continuous activity) as compared to a project (a one-time activity with a specific start and a specific end). A Business Continuation Strategy has a lifecycle: Business Impact Analysis (B.I.A.) Solutions Planning Testing Maintenance Each of these lifecycle components will be discussed in more detail below. Business Impact Analysis The classic first step in developing a Plan is conducting a B.I.A. survey. The B.I.A. is a consistent and objective way to gather data regarding a business unit and its processes. Elements of risk are also identified. The survey asks a wide variety of questions. To list only a very few questions: Questions regarding the Business Unit’s mission critical processes: What are these processes? What resources are needed to perform these processes? Who provides inputs to these process? Who receives the output from these processes? What are the process’s deadlines? Page 2 of 8 Copyright 2009 All Rights Reserved. Business As Usual, Inc.
How much (in terms of dollars) adverse financial impact would result from this business unit’s downtime? What is the bare minimum number of persons that would be needed to re-establish the business unit’s critical processes at the recovery site? Specifically, who will perform these critical processes? Specifically, who are their trained back ups? What computer applications are absolutely critical to the business unit’s processes? Who are the business unit’s customers and/or contacts (both internal and external to the company) that would be most affected by its downtime? Do you have their contact information stored off-site? Where is the original application software install media stored? Who are your critical vendors? Do you have their contact information and is this contact information stored off-site? What is the maximum amount of downtime that can be tolerated? Any vital documents, reports, or microfiche? If so, what are they and where are they stored? Are there fines or breach of contract conditions that can result from this business unit’s downtime? Are there highly modified or one-of-a-kind devices currently in production that are critical to the business unit’s operation? If so, do they have back ups? Are the business unit’s servers and/or PC hard drives backed up on a regular basis? If so, is the backup media taken to a secure off-site location in a timely manner? Another reason to perform a B.I.A. is to determine the relative degree of criticality of the company’s business units. If you asked all the company’s managers about their business unit’s degree of “criticality”, they would all say their business unit’s processes are very important to the company’s survival. No one wants to refer to their business unit as non-critical. However, in reality, there will be only a few business units that are truly mission critical, there will be many that are fairly important, and several business units that are non-critical. The reason for realistically classifying the business units to their degree of “criticality” is that you want to recover only the most critical business processes first. Business processes considered less critical can be recovered later in a phased manner. In many cases it is appropriate to tell non-critical business unit’s staff to stay home until instructed to return to work or commandeer the staff to assist mission critical business units. It is unwise, and probably impossible, to attempt restoring everyone at the same time. The B.I.A. process assists senior management in objectively making this criticality evaluation by providing facts and information that can be compared across the wide variety of business units. When is the frequency for conducting B.I.A.s?: It is common Business Continuation practice to conduct company wide B.I.A.s annually. It is recommended that a B.I.A. be reviewed anytime there is a major change in a business unit’s business processes, major changes in computer hardware/software, or when there has been a major business unit organizational change (i.e., merger or divestiture, etc.). Any significant changes identified should also be reflected in the business unit’s Plan in a timely manner. Page 3 of 8 Copyright 2009 All Rights Reserved. Business As Usual, Inc.
Another set of questions normally answered at the preliminary stage is a Risk Assessment. A Risk Assessment asks questions regarding events (i.e., Hurricane, ice/snow, riots, computer hardware failure, flood, etc.) that a particular company location may encounter, an estimate of the probability of an event occurring, and an estimate to the possible level of impact if this event occurs. Solutions Once a determination is made regarding which business units need a Plan, and many low criticality business units may not need a Plan, it is determined just what would be the most appropriate response / method(s) for recovering this business unit’s processes. These “Solutions” will be the foundation for the subsequent step – the actual writing of the Plan. Several factors are taken into consideration. For example: Based on the B.I.A., how quickly does the business unit really need to recover its critical business processes? The term for the recovery time aspect is Recovery Time Objective (R.T.O.). R.T.O. is the maximum length of time, in hours or days, that can elapse before the loss of a business process becomes unacceptable. How much money has been budgeted for the business units’ recovery efforts and/or recovery resources? Do mission critical business units depend on the output of this business unit for their continued processing? Is management willing, based on a cost justification analysis, to assume the risk / consequences of a business unit’s processes not being performed in the usual manner? Examples of common response solutions: Call Center – Re-route incoming calls to a sister site that handles similar calls. Out-source work to an external vendor. Go to a formal recovery site (i.e., internal/external to the company, or business unit staff work from home, etc.) for recovery efforts. “Hold Until Restored” – identify, hold, and manage incoming work until the computer system’s functionality is restored. Work is subsequently processed on a First In / First Out or on a prioritized basis. Planning The classic approach to prepare for a disaster is to create a detailed written Plan for each business unit as deemed appropriate via the B.I.A. Plans can be developed in a variety of ways: There are many commercial proprietary software packages (i.e., LDRPS, Paragon, etc.) that accommodate data input, plan generation, and reporting. Many organization (both large and small) use Microsoft WORD and internally developed templates. There are pro’s / con’s to each of the development methods (i.e., cost, flexibility, maintainability, etc.). Page 4 of 8 Copyright 2009 All Rights Reserved. Business As Usual, Inc.
Regardless of how the Plan is written, at a minimum, it should answer the following basic recovery questions: 1. Where do we go? There are several generic options: Recovery Sites can have a variety of preparedness: Hot-Site – with minimal preparation; walk in, sit down, and begin processing. Minimal delays are expected before a business unit can begin its recovery steps. Warm Site – some recovery resources are in place, but some degree of preparation is still needed (i.e., hardware may need to be reconfigured from a test environment to a production environment, etc.). Some delays can be expected before a business unit can begin its recovery steps. Cold Site – The bare basics are in place (i.e., raised floor, HVAC, etc.), but an extensive amount of preparation / build out is still needed in order to become fully functional for a recovery effort. Considerable delays are to be expected before a business unit can begin its recovery steps. The degree of preparedness depends on how quickly the business unit needs to be back in operation and what kind of budget has been allocated. The cost to recover increases exponentially as the recovery time objective shortens. There are several recovery location options available: An external commercial recovery resource provider. For a subscription fee, these companies will provide various resources (i.e., hardware, telecomm connectivity, work-area recovery space, system software, mobile recovery units, etc.) needed for a recovery. The recovery resources to be provided are specified in a contract. Recovering companies are responsible for supplying their respective application software, data, and personnel. Reciprocal recovery agreement between two companies or business units within a company. The agreement basically says that if one party experiences a disaster it can use the other party’s computer / facility / resources. This alternative is particularly suited to large companies that have large data centers located around the country that can serve as backups for each other. The creation of a Memorandum of Understanding document is common practice to formalize this recovery relationship. The relationship may be bilateral or unilateral. Commandeer internal work-area / resources – It is common for non-critical business unit staff’s work-area / resources to be taken over by mission critical business units during a recovery effort. With high speed networks and many computer applications being offered via the internet, recovering business units’ processes at employees’ homes may be an option. Page 5 of 8 Copyright 2009 All Rights Reserved. Business As Usual, Inc.
2. What should we do when we get there? When a business unit manager receives a phone call in the middle of the night informing them that their building is on fire is probably not the best time for them to start thinking about what needs to be done. It is really hard to think clearly, objectively, and rationally in this kind of situation. A better approach is to develop a portion of the Plan that is called the “Day 1 List”. This portion of the Plan summarizes the critical few (no more than 10 – 15) items that MUST be performed in the first twelve hours of a disaster. This way the business unit manager and/or their key personnel can go bing-bing right down the list and not overlook something important. If you can act in an efficient / organized manner in the first twelve hours of a disaster, you’re a long way down the road to survival, and hopefully, to recovery. A major aspect of the “Day 1 List” is contacting a wide variety of persons (internal and external to the business unit) and/or organizations and informing them that you are experiencing a problem. This portion of the Plan should detail their contact information (i.e., name, address, telephone number, FAX number, after hours telephone number, email address (office and home), pager number, and cell phone number, etc.). If the person to be contacted is a VIP, who within the organization should make the call? People normally can be very understanding and helpful if they know up front that you are experiencing a problem. However, what they don’t like are surprises. 3. What resources are needed at the recovery site? Some needed items (i.e., desk/chairs, PCs, general office supplies, copy of the Plan, etc.) can be pre-staged at the recovery site. However, there are some items (i.e., backup data from off-site storage, special pre-printed forms from your vendor’s warehouse, etc.) that the business unit will need to obtain once staff arrives at the recovery site. These items need to be detailed in the Plan along with the vendor’s contact information and the time frame in which the items are needed (i.e., immediate, 1 – 2 days, etc.). Another important aspect of the Plan is to have it stored at several secure off-site locations (i.e., key employees’ homes) so the Plan can be quickly and easily accessed. The Plan should be marked and treated as a confidential document. It is recommended that, on an annual basis, the individual Plans be presented to senior management for their review / approval. Testing The initial writing of the Plan is important, but even more important is subsequent testing of the Plan. A very lengthy, eloquently worded Plan can be written and place it in a fancy binder, but is this Plan really capable of doing its intended job (i.e., facilitating the recovery of the respective business unit’s critical business processes)? There is only one way to find out. Test It! As a Plan is tested there will be items identified that will necessitate additions and/or corrections to the Plan. A testing program should be established with a crawl, walk, run philosophy in mind. Begin with basic test goals and steadily increase the scope and complexity of the tests over time. This builds confidence of the test participants and ferrets out the most basic “Gaps In Excellence” first. Page 6 of 8 Copyright 2009 All Rights Reserved. Business As Usual, Inc.
There are a variety of ways that a Plan can be tested: A table-top exercise is conducted. Normally the exercise is set in the context of a specific scenario (i.e., building is inaccessible due to storm damage). Business unit staff discuss their response participation based on the steps outlined in the Plan. A formal scheduled test with limited and specific test objectives conducted with a limited number of business unit staff. Conducted in a test environment. A formal scheduled test of all the business unit’s mission critical recovery activities conducted by the business unit’s key staff. Conducted in a test environment. An unscheduled test of all the business units’ mission critical recovery activities conducted by the business unit’s key staff. Conducted in a production environment. This is the ultimate recovery test challenge. How frequently the Plan is to be tested depends on the business unit’s degree of criticality. Minimally, the Plan should be tested once a year. For Business Units that are deemed “mission critical” more frequently is recommended. It just depends on the business unit’s situation and criticality. Components of a good test: Specific test goals set prior to the test. Adequate preparation by testing participants. During the test the participants record specific issues that occur, recorded on an Issue Form, in a timely manner. A formal test Post-mortem should be conducted by the test participants to determine: What went well. What didn’t go so well and make specific recommendations to address the situation. Did the actual time for the recovery meet the business unit’s stated R.T.O. The goal of the Post-mortem is not to assign blame or point the finger. The Post-mortem’s goal is to determine how the response / recovery processes can be improved. The outcome of the Post-mortem should be a detailed list of action items needed to address the “Gaps In Excellence”. Each topic should be assigned a responsible person and a deadline for completion. The action items should be completed, at the latest, before the next test. It is recommended that the test results, Post-mortem documentation, and the improvement action items be presented to senior management for their review / approval. Some Business Continuation professionals grade the test’s outcome as pass / fail. In a recovery event either the business process is recovered or it isn’t. Not much middle ground. This may sound a little harsh, but Mother Nature/God won’t cut you any slack when you attempt a recovery. Even if you are successful with a test or a real recovery, the recovery event will be a learning experience. There will always be portions of the recovery event that can be improved in some fashion or form. Always look at a recovery event as a learning experience with the goal of improving the response / recovery process. Page 7 of 8 Copyright 2009 All Rights Reserved. Business As Usual, Inc.
Maintenance Have you ever seen a business unit that didn’t have personnel turnover and/or changes in its business processes? Probably not many. The Plan must be kept current and reflect an accurate picture of the business unit, its processes, supporting information, and its recovery / response strategies. Maintenance of the Plan should be periodically performed, minimally once a year, or when there is a significant change in: business unit staff computer hardware / software business processes significant business unit organizational change (i.e., merger or divestiture, etc.) Lifecycle Conclusion This lifecycle is iterative. Once we finish the sequence, we start all over again. So, we’re never really finished. Summary This article is obviously highly summarized and an over simplification of the Business Continuation Planning process. However, it at least illustrates some of the data gathering, data analysis, and thought processes that goes into developing a Business Continuation Strategy. Also, this article is meant to be thought provoking: If your senior management asked business unit managers some of the sample B.I.A. questions, what kind of answers do you think they’d get? Is your company / business units adequately prepared to address the three basic Business Continuation questions?: Where do we go? What should we do when we get there? What resources are needed at the recovery site? Today’s business environments are very complicated and the recovery window is ever shrinking. This places great challenges on management to be ready for whatever may come their company’s way. Being prepared for a disaster may mean the difference of the company staying in business or not. If there are any questions, please call: John Small, C.B.C.P. Business As Usual, Inc. 3532 Pinehurst Drive, Suite 350 Plano, Texas 75075 Office 972-743-2631 john-small@business-as-usual.com http://www.business-as-usual.com Page 8 of 8 Copyright 2009 All Rights Reserved. Business As Usual, Inc.

Recommended

Business Continuation - The basics according to John Small 2014-02-21
Business Continuation - The basics according to John Small 2014-02-21Business Continuation - The basics according to John Small 2014-02-21
Business Continuation - The basics according to John Small 2014-02-21
Business As Usual, Inc.
 
CloudSource-white paper
CloudSource-white paperCloudSource-white paper
CloudSource-white paper
Michelle Kelleher
 
Business Continuity Getting Started
Business Continuity Getting StartedBusiness Continuity Getting Started
Business Continuity Getting Started
mxp5714
 
Mtw03008 usen
Mtw03008 usenMtw03008 usen
Mtw03008 usen
rjstevens
 
Example business continuity plan
Example business continuity planExample business continuity plan
Example business continuity plan
Micheal Axelsen
 
Executive Primer on Business Continuity Planning
Executive Primer on Business Continuity PlanningExecutive Primer on Business Continuity Planning
Executive Primer on Business Continuity Planning
RickMark
 
2009_NYC_OpRiskUSA_Conf
2009_NYC_OpRiskUSA_Conf2009_NYC_OpRiskUSA_Conf
2009_NYC_OpRiskUSA_Conf
Peter Poulos
 
Fm computer roomcleaningguide
Fm computer roomcleaningguideFm computer roomcleaningguide
Fm computer roomcleaningguide
server computer room cleaning
 

Recommended

Business Continuation - The basics according to John Small 2014-02-21
Business Continuation - The basics according to John Small 2014-02-21Business Continuation - The basics according to John Small 2014-02-21
Business Continuation - The basics according to John Small 2014-02-21
Business As Usual, Inc.
 
CloudSource-white paper
CloudSource-white paperCloudSource-white paper
CloudSource-white paper
Michelle Kelleher
 
Business Continuity Getting Started
Business Continuity Getting StartedBusiness Continuity Getting Started
Business Continuity Getting Started
mxp5714
 
Mtw03008 usen
Mtw03008 usenMtw03008 usen
Mtw03008 usen
rjstevens
 
Example business continuity plan
Example business continuity planExample business continuity plan
Example business continuity plan
Micheal Axelsen
 
Executive Primer on Business Continuity Planning
Executive Primer on Business Continuity PlanningExecutive Primer on Business Continuity Planning
Executive Primer on Business Continuity Planning
RickMark
 
2009_NYC_OpRiskUSA_Conf
2009_NYC_OpRiskUSA_Conf2009_NYC_OpRiskUSA_Conf
2009_NYC_OpRiskUSA_Conf
Peter Poulos
 
Fm computer roomcleaningguide
Fm computer roomcleaningguideFm computer roomcleaningguide
Fm computer roomcleaningguide
server computer room cleaning
 
Mastering disaster e book Telehouse
Mastering disaster e book TelehouseMastering disaster e book Telehouse
Mastering disaster e book Telehouse
Telehouse
 
Dit yvol5iss10
Dit yvol5iss10Dit yvol5iss10
Dit yvol5iss10
Rick Lemieux
 
Mastering disaster a data center checklist
Mastering disaster a data center checklistMastering disaster a data center checklist
Mastering disaster a data center checklist
Chris Wick
 
Business Emergency Management PowerPoint Presentation Slides
Business Emergency Management PowerPoint Presentation Slides Business Emergency Management PowerPoint Presentation Slides
Business Emergency Management PowerPoint Presentation Slides
SlideTeam
 
Nucleus Research Study - Leave Management Cutting Labour Costs
Nucleus Research Study - Leave Management Cutting Labour CostsNucleus Research Study - Leave Management Cutting Labour Costs
Nucleus Research Study - Leave Management Cutting Labour Costs
Patrick Ryan
 
IS Failures - state of the art ?
IS Failures - state of the art ? IS Failures - state of the art ?
IS Failures - state of the art ?
Ghent University
 
Forrester: How Organizations Are Improving Business Resiliency with Continuou...
Forrester: How Organizations Are Improving Business Resiliency with Continuou...Forrester: How Organizations Are Improving Business Resiliency with Continuou...
Forrester: How Organizations Are Improving Business Resiliency with Continuou...
EMC
 
Brighttalk converged infrastructure and it operations management - final
Brighttalk converged infrastructure and it operations management - finalBrighttalk converged infrastructure and it operations management - final
Brighttalk converged infrastructure and it operations management - final
Andrew White
 
V mware quick start guide to disaster recovery
V mware quick start guide to disaster recoveryV mware quick start guide to disaster recovery
V mware quick start guide to disaster recovery
VMware_EMEA
 
IT Failure and Waste
IT Failure and WasteIT Failure and Waste
IT Failure and Waste
Michael Krigsman
 
Dit yvol3iss41
Dit yvol3iss41Dit yvol3iss41
Dit yvol3iss41
Rick Lemieux
 
Sea spin5 2013-notes
Sea spin5 2013-notesSea spin5 2013-notes
Sea spin5 2013-notes
Jeff Smith
 
Enterprise_Architecture_and_Disaster_Recovery_Planning
Enterprise_Architecture_and_Disaster_Recovery_PlanningEnterprise_Architecture_and_Disaster_Recovery_Planning
Enterprise_Architecture_and_Disaster_Recovery_Planning
David Rudawitz
 
Veritas Business Continuity White Paper
Veritas Business Continuity White PaperVeritas Business Continuity White Paper
Veritas Business Continuity White Paper
Ideba
 
Scenario based recovery metrics
Scenario based recovery metricsScenario based recovery metrics
Scenario based recovery metrics
Rod Davis
 
IT_Crisis_Problem_Management_Whitepaper
IT_Crisis_Problem_Management_WhitepaperIT_Crisis_Problem_Management_Whitepaper
IT_Crisis_Problem_Management_Whitepaper
Chuck Boutcher
 
The Five Myths of Cloud-Based Disaster Recovery
The Five Myths of Cloud-Based Disaster Recovery The Five Myths of Cloud-Based Disaster Recovery
The Five Myths of Cloud-Based Disaster Recovery
Axcient
 
Netreo whitepaper 5 ways to avoid it management becoming shelfware
Netreo whitepaper 5 ways to avoid it management becoming shelfwareNetreo whitepaper 5 ways to avoid it management becoming shelfware
Netreo whitepaper 5 ways to avoid it management becoming shelfware
Peter Reynolds
 
Home health software selection guide 2010
Home health software selection guide 2010Home health software selection guide 2010
Home health software selection guide 2010
carolrn2
 
Bill.com Survey Results
Bill.com Survey ResultsBill.com Survey Results
Bill.com Survey Results
Gandhi Legacy Tour
 
Files
FilesFiles
Files
Nancy MOede
 
Welcome To Inside Our Closet Presentation
Welcome To Inside Our Closet PresentationWelcome To Inside Our Closet Presentation
Welcome To Inside Our Closet Presentation
donnellascloset
 

More Related Content

What's hot

Business Emergency Management PowerPoint Presentation Slides
Business Emergency Management PowerPoint Presentation Slides Business Emergency Management PowerPoint Presentation Slides
Business Emergency Management PowerPoint Presentation Slides
SlideTeam
 
Nucleus Research Study - Leave Management Cutting Labour Costs
Nucleus Research Study - Leave Management Cutting Labour CostsNucleus Research Study - Leave Management Cutting Labour Costs
Nucleus Research Study - Leave Management Cutting Labour Costs
Patrick Ryan
 
Brighttalk converged infrastructure and it operations management - final
Brighttalk converged infrastructure and it operations management - finalBrighttalk converged infrastructure and it operations management - final
Brighttalk converged infrastructure and it operations management - final
Andrew White
 
V mware quick start guide to disaster recovery
V mware quick start guide to disaster recoveryV mware quick start guide to disaster recovery
V mware quick start guide to disaster recovery
VMware_EMEA
 
Enterprise_Architecture_and_Disaster_Recovery_Planning
Enterprise_Architecture_and_Disaster_Recovery_PlanningEnterprise_Architecture_and_Disaster_Recovery_Planning
Enterprise_Architecture_and_Disaster_Recovery_Planning
David Rudawitz
 
Scenario based recovery metrics
Scenario based recovery metricsScenario based recovery metrics
Scenario based recovery metrics
Rod Davis
 
IT_Crisis_Problem_Management_Whitepaper
IT_Crisis_Problem_Management_WhitepaperIT_Crisis_Problem_Management_Whitepaper
IT_Crisis_Problem_Management_Whitepaper
Chuck Boutcher
 
Netreo whitepaper 5 ways to avoid it management becoming shelfware
Netreo whitepaper 5 ways to avoid it management becoming shelfwareNetreo whitepaper 5 ways to avoid it management becoming shelfware
Netreo whitepaper 5 ways to avoid it management becoming shelfware
Peter Reynolds
 
Home health software selection guide 2010
Home health software selection guide 2010Home health software selection guide 2010
Home health software selection guide 2010
carolrn2
 

What's hot (20)

Mastering disaster e book Telehouse
Mastering disaster e book TelehouseMastering disaster e book Telehouse
Mastering disaster e book Telehouse
 
Dit yvol5iss10
Dit yvol5iss10Dit yvol5iss10
Dit yvol5iss10
 
Mastering disaster a data center checklist
Mastering disaster a data center checklistMastering disaster a data center checklist
Mastering disaster a data center checklist
 
Business Emergency Management PowerPoint Presentation Slides
Business Emergency Management PowerPoint Presentation Slides Business Emergency Management PowerPoint Presentation Slides
Business Emergency Management PowerPoint Presentation Slides
 
Nucleus Research Study - Leave Management Cutting Labour Costs
Nucleus Research Study - Leave Management Cutting Labour CostsNucleus Research Study - Leave Management Cutting Labour Costs
Nucleus Research Study - Leave Management Cutting Labour Costs
 
IS Failures - state of the art ?
IS Failures - state of the art ? IS Failures - state of the art ?
IS Failures - state of the art ?
 
Forrester: How Organizations Are Improving Business Resiliency with Continuou...
Forrester: How Organizations Are Improving Business Resiliency with Continuou...Forrester: How Organizations Are Improving Business Resiliency with Continuou...
Forrester: How Organizations Are Improving Business Resiliency with Continuou...
 
Brighttalk converged infrastructure and it operations management - final
Brighttalk converged infrastructure and it operations management - finalBrighttalk converged infrastructure and it operations management - final
Brighttalk converged infrastructure and it operations management - final
 
V mware quick start guide to disaster recovery
V mware quick start guide to disaster recoveryV mware quick start guide to disaster recovery
V mware quick start guide to disaster recovery
 
IT Failure and Waste
IT Failure and WasteIT Failure and Waste
IT Failure and Waste
 
Dit yvol3iss41
Dit yvol3iss41Dit yvol3iss41
Dit yvol3iss41
 
Sea spin5 2013-notes
Sea spin5 2013-notesSea spin5 2013-notes
Sea spin5 2013-notes
 
Enterprise_Architecture_and_Disaster_Recovery_Planning
Enterprise_Architecture_and_Disaster_Recovery_PlanningEnterprise_Architecture_and_Disaster_Recovery_Planning
Enterprise_Architecture_and_Disaster_Recovery_Planning
 
Veritas Business Continuity White Paper
Veritas Business Continuity White PaperVeritas Business Continuity White Paper
Veritas Business Continuity White Paper
 
Scenario based recovery metrics
Scenario based recovery metricsScenario based recovery metrics
Scenario based recovery metrics
 
IT_Crisis_Problem_Management_Whitepaper
IT_Crisis_Problem_Management_WhitepaperIT_Crisis_Problem_Management_Whitepaper
IT_Crisis_Problem_Management_Whitepaper
 
The Five Myths of Cloud-Based Disaster Recovery
The Five Myths of Cloud-Based Disaster Recovery The Five Myths of Cloud-Based Disaster Recovery
The Five Myths of Cloud-Based Disaster Recovery
 
Netreo whitepaper 5 ways to avoid it management becoming shelfware
Netreo whitepaper 5 ways to avoid it management becoming shelfwareNetreo whitepaper 5 ways to avoid it management becoming shelfware
Netreo whitepaper 5 ways to avoid it management becoming shelfware
 
Home health software selection guide 2010
Home health software selection guide 2010Home health software selection guide 2010
Home health software selection guide 2010
 
Bill.com Survey Results
Bill.com Survey ResultsBill.com Survey Results
Bill.com Survey Results
 

Viewers also liked

Eskema Blog InformáTica Ruby
Eskema Blog InformáTica RubyEskema Blog InformáTica Ruby
Eskema Blog InformáTica Ruby
guest2ee5e1
 

Viewers also liked (6)

Files
FilesFiles
Files
 
Welcome To Inside Our Closet Presentation
Welcome To Inside Our Closet PresentationWelcome To Inside Our Closet Presentation
Welcome To Inside Our Closet Presentation
 
Mouse over
Mouse overMouse over
Mouse over
 
Eskema Blog InformáTica Ruby
Eskema Blog InformáTica RubyEskema Blog InformáTica Ruby
Eskema Blog InformáTica Ruby
 
DBxtra Quick Tour
DBxtra Quick TourDBxtra Quick Tour
DBxtra Quick Tour
 
Getting Started with LinkedIn 0714
Getting Started with LinkedIn 0714Getting Started with LinkedIn 0714
Getting Started with LinkedIn 0714
 

Similar to Business Continuation The Basics

RUNNING HEADER Disaster Recovery Plan Information and Documentat.docx
RUNNING HEADER Disaster Recovery Plan Information and Documentat.docxRUNNING HEADER Disaster Recovery Plan Information and Documentat.docx
RUNNING HEADER Disaster Recovery Plan Information and Documentat.docx
anhlodge
 
Business Continuity and Disaster Recover Week3Part4-ISr.docx
Business Continuity and Disaster Recover Week3Part4-ISr.docxBusiness Continuity and Disaster Recover Week3Part4-ISr.docx
Business Continuity and Disaster Recover Week3Part4-ISr.docx
humphrieskalyn
 
Contingency Plan WAK BANKS ATM
Contingency Plan WAK BANKS ATMContingency Plan WAK BANKS ATM
Contingency Plan WAK BANKS ATM
Wajahat Ali Khan
 
Business continuity & disaster recovery
Business continuity & disaster recoveryBusiness continuity & disaster recovery
Business continuity & disaster recovery
George Coutsoumbidis
 
A to Z of Business Continuity Managment
A to Z of Business Continuity ManagmentA to Z of Business Continuity Managment
A to Z of Business Continuity Managment
Mark Conway
 
1. After a cyber attack, the organizational decision making and re.docx
1. After a cyber attack, the organizational decision making and re.docx1. After a cyber attack, the organizational decision making and re.docx
1. After a cyber attack, the organizational decision making and re.docx
jackiewalcutt
 
Business Continuity for Mission Critical Applications
Business Continuity for Mission Critical ApplicationsBusiness Continuity for Mission Critical Applications
Business Continuity for Mission Critical Applications
DataCore Software
 
Disaster Recovery Deep Dive
Disaster Recovery Deep DiveDisaster Recovery Deep Dive
Disaster Recovery Deep Dive
Liberteks
 

Similar to Business Continuation The Basics (20)

BUSINESS-CONTINUITY-AND-DISASTER-RECOVERY.pptx
BUSINESS-CONTINUITY-AND-DISASTER-RECOVERY.pptxBUSINESS-CONTINUITY-AND-DISASTER-RECOVERY.pptx
BUSINESS-CONTINUITY-AND-DISASTER-RECOVERY.pptx
 
Disaster Recovery: Develop Efficient Critique for an Emergency
Disaster Recovery: Develop Efficient Critique for an EmergencyDisaster Recovery: Develop Efficient Critique for an Emergency
Disaster Recovery: Develop Efficient Critique for an Emergency
 
Top 5 Steps to Disaster Preparedness for Businesses
Top 5 Steps to Disaster Preparedness for BusinessesTop 5 Steps to Disaster Preparedness for Businesses
Top 5 Steps to Disaster Preparedness for Businesses
 
Business Continuity Workshop Final
Business Continuity Workshop FinalBusiness Continuity Workshop Final
Business Continuity Workshop Final
 
RUNNING HEADER Disaster Recovery Plan Information and Documentat.docx
RUNNING HEADER Disaster Recovery Plan Information and Documentat.docxRUNNING HEADER Disaster Recovery Plan Information and Documentat.docx
RUNNING HEADER Disaster Recovery Plan Information and Documentat.docx
 
Business Continuity and Disaster Recover Week3Part4-ISr.docx
Business Continuity and Disaster Recover Week3Part4-ISr.docxBusiness Continuity and Disaster Recover Week3Part4-ISr.docx
Business Continuity and Disaster Recover Week3Part4-ISr.docx
 
Building a Business Continuity Capability
Building a Business Continuity CapabilityBuilding a Business Continuity Capability
Building a Business Continuity Capability
 
Disaster recovery white_paper
Disaster recovery white_paperDisaster recovery white_paper
Disaster recovery white_paper
 
Contingency Plan WAK BANKS ATM
Contingency Plan WAK BANKS ATMContingency Plan WAK BANKS ATM
Contingency Plan WAK BANKS ATM
 
Business continuity & disaster recovery
Business continuity & disaster recoveryBusiness continuity & disaster recovery
Business continuity & disaster recovery
 
The Ultimate Guide To Business Continuity
The Ultimate Guide To Business ContinuityThe Ultimate Guide To Business Continuity
The Ultimate Guide To Business Continuity
 
A to Z of Business Continuity Managment
A to Z of Business Continuity ManagmentA to Z of Business Continuity Managment
A to Z of Business Continuity Managment
 
A Top Down Business Impact Analyses Method V5
A Top Down Business Impact Analyses Method V5A Top Down Business Impact Analyses Method V5
A Top Down Business Impact Analyses Method V5
 
The cost of downtime
The cost of downtimeThe cost of downtime
The cost of downtime
 
1. After a cyber attack, the organizational decision making and re.docx
1. After a cyber attack, the organizational decision making and re.docx1. After a cyber attack, the organizational decision making and re.docx
1. After a cyber attack, the organizational decision making and re.docx
 
Dit yvol3iss20
Dit yvol3iss20Dit yvol3iss20
Dit yvol3iss20
 
Business Continuity for Mission Critical Applications
Business Continuity for Mission Critical ApplicationsBusiness Continuity for Mission Critical Applications
Business Continuity for Mission Critical Applications
 
Dit yvol5iss37
Dit yvol5iss37Dit yvol5iss37
Dit yvol5iss37
 
Disaster Recovery Deep Dive
Disaster Recovery Deep DiveDisaster Recovery Deep Dive
Disaster Recovery Deep Dive
 
Disaster Recovery vs. Business Continuity
Disaster Recovery vs. Business ContinuityDisaster Recovery vs. Business Continuity
Disaster Recovery vs. Business Continuity
 

Recently uploaded

Jual Obat Aborsi ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan Cytotec
Jual Obat Aborsi ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan CytotecJual Obat Aborsi ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan Cytotec
Jual Obat Aborsi ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan Cytotec
ZurliaSoop
 
obat aborsi bandung wa 081336238223 jual obat aborsi cytotec asli di bandung9...
obat aborsi bandung wa 081336238223 jual obat aborsi cytotec asli di bandung9...obat aborsi bandung wa 081336238223 jual obat aborsi cytotec asli di bandung9...
obat aborsi bandung wa 081336238223 jual obat aborsi cytotec asli di bandung9...
yulianti213969
 
KALYANI 💋 Call Girl 9827461493 Call Girls in Escort service book now
KALYANI 💋 Call Girl 9827461493 Call Girls in Escort service book nowKALYANI 💋 Call Girl 9827461493 Call Girls in Escort service book now
KALYANI 💋 Call Girl 9827461493 Call Girls in Escort service book now
kapoorjyoti4444
 
Chennai Call Gril 80022//12248 Only For Sex And High Profile Best Gril Sex Av...
Chennai Call Gril 80022//12248 Only For Sex And High Profile Best Gril Sex Av...Chennai Call Gril 80022//12248 Only For Sex And High Profile Best Gril Sex Av...
Chennai Call Gril 80022//12248 Only For Sex And High Profile Best Gril Sex Av...
pujan9679
 
Al Mizhar Dubai Escorts +971561403006 Escorts Service In Al Mizhar
Al Mizhar Dubai Escorts +971561403006 Escorts Service In Al MizharAl Mizhar Dubai Escorts +971561403006 Escorts Service In Al Mizhar
Al Mizhar Dubai Escorts +971561403006 Escorts Service In Al Mizhar
allensay1
 
Pre Engineered Building Manufacturers Hyderabad.pptx
Pre Engineered Building Manufacturers Hyderabad.pptxPre Engineered Building Manufacturers Hyderabad.pptx
Pre Engineered Building Manufacturers Hyderabad.pptx
Roofing Contractor
 
KOTA 💋 Call Girl 9827461493 Call Girls in Escort service book now
KOTA 💋 Call Girl 9827461493 Call Girls in Escort service book nowKOTA 💋 Call Girl 9827461493 Call Girls in Escort service book now
KOTA 💋 Call Girl 9827461493 Call Girls in Escort service book now
kapoorjyoti4444
 
PARK STREET 💋 Call Girl 9827461493 Call Girls in Escort service book now
PARK STREET 💋 Call Girl 9827461493 Call Girls in Escort service book nowPARK STREET 💋 Call Girl 9827461493 Call Girls in Escort service book now
PARK STREET 💋 Call Girl 9827461493 Call Girls in Escort service book now
kapoorjyoti4444
 

Recently uploaded (20)

Lucknow Housewife Escorts by Sexy Bhabhi Service 8250092165
Lucknow Housewife Escorts by Sexy Bhabhi Service 8250092165Lucknow Housewife Escorts by Sexy Bhabhi Service 8250092165
Lucknow Housewife Escorts by Sexy Bhabhi Service 8250092165
 
Jual Obat Aborsi ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan Cytotec
Jual Obat Aborsi ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan CytotecJual Obat Aborsi ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan Cytotec
Jual Obat Aborsi ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan Cytotec
 
obat aborsi bandung wa 081336238223 jual obat aborsi cytotec asli di bandung9...
obat aborsi bandung wa 081336238223 jual obat aborsi cytotec asli di bandung9...obat aborsi bandung wa 081336238223 jual obat aborsi cytotec asli di bandung9...
obat aborsi bandung wa 081336238223 jual obat aborsi cytotec asli di bandung9...
 
Escorts in Nungambakkam Phone 8250092165 Enjoy 24/7 Escort Service Enjoy Your...
Escorts in Nungambakkam Phone 8250092165 Enjoy 24/7 Escort Service Enjoy Your...Escorts in Nungambakkam Phone 8250092165 Enjoy 24/7 Escort Service Enjoy Your...
Escorts in Nungambakkam Phone 8250092165 Enjoy 24/7 Escort Service Enjoy Your...
 
Horngren’s Cost Accounting A Managerial Emphasis, Canadian 9th edition soluti...
Horngren’s Cost Accounting A Managerial Emphasis, Canadian 9th edition soluti...Horngren’s Cost Accounting A Managerial Emphasis, Canadian 9th edition soluti...
Horngren’s Cost Accounting A Managerial Emphasis, Canadian 9th edition soluti...
 
KALYANI 💋 Call Girl 9827461493 Call Girls in Escort service book now
KALYANI 💋 Call Girl 9827461493 Call Girls in Escort service book nowKALYANI 💋 Call Girl 9827461493 Call Girls in Escort service book now
KALYANI 💋 Call Girl 9827461493 Call Girls in Escort service book now
 
WheelTug Short Pitch Deck 2024 | Byond Insights
WheelTug Short Pitch Deck 2024 | Byond InsightsWheelTug Short Pitch Deck 2024 | Byond Insights
WheelTug Short Pitch Deck 2024 | Byond Insights
 
Chennai Call Gril 80022//12248 Only For Sex And High Profile Best Gril Sex Av...
Chennai Call Gril 80022//12248 Only For Sex And High Profile Best Gril Sex Av...Chennai Call Gril 80022//12248 Only For Sex And High Profile Best Gril Sex Av...
Chennai Call Gril 80022//12248 Only For Sex And High Profile Best Gril Sex Av...
 
HomeRoots Pitch Deck | Investor Insights | April 2024
HomeRoots Pitch Deck | Investor Insights | April 2024HomeRoots Pitch Deck | Investor Insights | April 2024
HomeRoots Pitch Deck | Investor Insights | April 2024
 
Phases of Negotiation .pptx
Phases of Negotiation .pptx Phases of Negotiation .pptx
Phases of Negotiation .pptx
 
Al Mizhar Dubai Escorts +971561403006 Escorts Service In Al Mizhar
Al Mizhar Dubai Escorts +971561403006 Escorts Service In Al MizharAl Mizhar Dubai Escorts +971561403006 Escorts Service In Al Mizhar
Al Mizhar Dubai Escorts +971561403006 Escorts Service In Al Mizhar
 
Buy gmail accounts.pdf buy Old Gmail Accounts
Buy gmail accounts.pdf buy Old Gmail AccountsBuy gmail accounts.pdf buy Old Gmail Accounts
Buy gmail accounts.pdf buy Old Gmail Accounts
 
Pre Engineered Building Manufacturers Hyderabad.pptx
Pre Engineered Building Manufacturers Hyderabad.pptxPre Engineered Building Manufacturers Hyderabad.pptx
Pre Engineered Building Manufacturers Hyderabad.pptx
 
KOTA 💋 Call Girl 9827461493 Call Girls in Escort service book now
KOTA 💋 Call Girl 9827461493 Call Girls in Escort service book nowKOTA 💋 Call Girl 9827461493 Call Girls in Escort service book now
KOTA 💋 Call Girl 9827461493 Call Girls in Escort service book now
 
PARK STREET 💋 Call Girl 9827461493 Call Girls in Escort service book now
PARK STREET 💋 Call Girl 9827461493 Call Girls in Escort service book nowPARK STREET 💋 Call Girl 9827461493 Call Girls in Escort service book now
PARK STREET 💋 Call Girl 9827461493 Call Girls in Escort service book now
 
Cannabis Legalization World Map: 2024 Updated
Cannabis Legalization World Map: 2024 UpdatedCannabis Legalization World Map: 2024 Updated
Cannabis Legalization World Map: 2024 Updated
 
JAJPUR CALL GIRL ❤ 82729*64427❤ CALL GIRLS IN JAJPUR ESCORTS
JAJPUR CALL GIRL ❤ 82729*64427❤ CALL GIRLS IN JAJPUR ESCORTSJAJPUR CALL GIRL ❤ 82729*64427❤ CALL GIRLS IN JAJPUR ESCORTS
JAJPUR CALL GIRL ❤ 82729*64427❤ CALL GIRLS IN JAJPUR ESCORTS
 
Falcon Invoice Discounting: Empowering Your Business Growth
Falcon Invoice Discounting: Empowering Your Business GrowthFalcon Invoice Discounting: Empowering Your Business Growth
Falcon Invoice Discounting: Empowering Your Business Growth
 
Marel Q1 2024 Investor Presentation from May 8, 2024
Marel Q1 2024 Investor Presentation from May 8, 2024Marel Q1 2024 Investor Presentation from May 8, 2024
Marel Q1 2024 Investor Presentation from May 8, 2024
 
Berhampur 70918*19311 CALL GIRLS IN ESCORT SERVICE WE ARE PROVIDING
Berhampur 70918*19311 CALL GIRLS IN ESCORT SERVICE WE ARE PROVIDINGBerhampur 70918*19311 CALL GIRLS IN ESCORT SERVICE WE ARE PROVIDING
Berhampur 70918*19311 CALL GIRLS IN ESCORT SERVICE WE ARE PROVIDING
 

Business Continuation The Basics

  • 1. Business Continuation – The Basics Terminology The terms Disaster Recovery and Business Continuation / Business Continuity are sometimes used inter- changeably. However, the terms have two very different contexts. In the early days of data processing the mainframe computer was usually housed in a large room with very large windows so everyone could see the computer. This led to the term “Glass House”. The term “Disaster Recovery” originally was associated with restoring the “Glass House” environment. Now the term “Disaster Recovery” is commonly related to the restoration of the IT infrastructure and its many technical components. In today’s complex business work environment we not only have to take the “Glass House” into consideration, but also the client / server computer networks (which are spread all over the place). In today’s complex business environment there is also a particular focus on restoring a business unit’s processes and that is commonly referred to as “Business Continuation” or “Business Continuity”. Business Continuation also involves work-area space and needed facilities (i.e., desks, chairs, telephones, office supplies, etc.). Another very important aspect of Business Continuation, which is sometimes overlooked, is the human factor – the business unit staff who will actually perform the recovery of the business unit’s processes. What is a disaster? When asked about disasters most people normally think of fires, floods, tornadoes, earthquakes, and airplane crashes. These are certainly disasters. However, there are other types of events that many people don’t normally think of, but they can certainly be deemed a disaster too: A building is evacuated because of a gas leak. The building and all its contents are undamaged, but the building and all its contents are placed off-limits. A disgruntle employee sabotages essential computer hardware / software / data. A database becomes hopelessly corrupted. A person digging a ditch with a backhoe cuts a fiber optic cable. Network communications are disrupted. An employee downloads a file from the internet. The file just happens to be infected with a computer virus. The virus is unintentionally introduced into the company’s network and causes a multitude of significant problems. Major portions of the IT infrastructure has to be taken off- line during the cleanup process. So, with all this variety taken into consideration, the classic definition of a disaster is: an event, of significant proportion, that disrupts normal business activities for an extended period of time. Disasters occur everyday in varying degrees of magnitude. Sometimes there is little or no warning. Sometimes there is little, if anything, that you can do to prevent them. However, you and your company do have control over how you can prepare for a disaster. Page 1 of 8 Copyright 2009 All Rights Reserved. Business As Usual, Inc.
  • 2. Why do we need Business Continuation? It should be fair to say that most operating companies would like to remain just that – operational. However, statistics have proven that a company experiencing a disaster without a Business Continuation Plan (Plan) usually ceases operating in a relatively short period of time. A prime reason for going out of business is lost computer data. Without critical computer data (i.e., Accounts Receivable, Order Entry, etc.) a company quickly loses its business focus. At least with a Plan a company can cripple along with its few critical processes. This buys time to determine the extent of the damage and to estimate the length of the outage. If you can’t take care of your customers while experiencing a disaster, your competition most certainly will. Once a customer is lost, it is extremely difficult to get them back. For publicly owned companies, the fiduciary duty to protect the business and corporate assets continues to gain legal standing. Senior management may be vulnerable to stockholder’s litigation if reasonable and prudent steps have not been taken to address risks that may threaten the company’s continued operation. In some industries, primarily financial institutions, the Federal Government has mandated that Business Continuation Programs be established and maintained. How is a Business Continuation Strategy developed? A Business Continuation Strategy can be described as a program (a continuous activity) as compared to a project (a one-time activity with a specific start and a specific end). A Business Continuation Strategy has a lifecycle: Business Impact Analysis (B.I.A.) Solutions Planning Testing Maintenance Each of these lifecycle components will be discussed in more detail below. Business Impact Analysis The classic first step in developing a Plan is conducting a B.I.A. survey. The B.I.A. is a consistent and objective way to gather data regarding a business unit and its processes. Elements of risk are also identified. The survey asks a wide variety of questions. To list only a very few questions: Questions regarding the Business Unit’s mission critical processes: What are these processes? What resources are needed to perform these processes? Who provides inputs to these process? Who receives the output from these processes? What are the process’s deadlines? Page 2 of 8 Copyright 2009 All Rights Reserved. Business As Usual, Inc.
  • 3. How much (in terms of dollars) adverse financial impact would result from this business unit’s downtime? What is the bare minimum number of persons that would be needed to re-establish the business unit’s critical processes at the recovery site? Specifically, who will perform these critical processes? Specifically, who are their trained back ups? What computer applications are absolutely critical to the business unit’s processes? Who are the business unit’s customers and/or contacts (both internal and external to the company) that would be most affected by its downtime? Do you have their contact information stored off-site? Where is the original application software install media stored? Who are your critical vendors? Do you have their contact information and is this contact information stored off-site? What is the maximum amount of downtime that can be tolerated? Any vital documents, reports, or microfiche? If so, what are they and where are they stored? Are there fines or breach of contract conditions that can result from this business unit’s downtime? Are there highly modified or one-of-a-kind devices currently in production that are critical to the business unit’s operation? If so, do they have back ups? Are the business unit’s servers and/or PC hard drives backed up on a regular basis? If so, is the backup media taken to a secure off-site location in a timely manner? Another reason to perform a B.I.A. is to determine the relative degree of criticality of the company’s business units. If you asked all the company’s managers about their business unit’s degree of “criticality”, they would all say their business unit’s processes are very important to the company’s survival. No one wants to refer to their business unit as non-critical. However, in reality, there will be only a few business units that are truly mission critical, there will be many that are fairly important, and several business units that are non-critical. The reason for realistically classifying the business units to their degree of “criticality” is that you want to recover only the most critical business processes first. Business processes considered less critical can be recovered later in a phased manner. In many cases it is appropriate to tell non-critical business unit’s staff to stay home until instructed to return to work or commandeer the staff to assist mission critical business units. It is unwise, and probably impossible, to attempt restoring everyone at the same time. The B.I.A. process assists senior management in objectively making this criticality evaluation by providing facts and information that can be compared across the wide variety of business units. When is the frequency for conducting B.I.A.s?: It is common Business Continuation practice to conduct company wide B.I.A.s annually. It is recommended that a B.I.A. be reviewed anytime there is a major change in a business unit’s business processes, major changes in computer hardware/software, or when there has been a major business unit organizational change (i.e., merger or divestiture, etc.). Any significant changes identified should also be reflected in the business unit’s Plan in a timely manner. Page 3 of 8 Copyright 2009 All Rights Reserved. Business As Usual, Inc.
  • 4. Another set of questions normally answered at the preliminary stage is a Risk Assessment. A Risk Assessment asks questions regarding events (i.e., Hurricane, ice/snow, riots, computer hardware failure, flood, etc.) that a particular company location may encounter, an estimate of the probability of an event occurring, and an estimate to the possible level of impact if this event occurs. Solutions Once a determination is made regarding which business units need a Plan, and many low criticality business units may not need a Plan, it is determined just what would be the most appropriate response / method(s) for recovering this business unit’s processes. These “Solutions” will be the foundation for the subsequent step – the actual writing of the Plan. Several factors are taken into consideration. For example: Based on the B.I.A., how quickly does the business unit really need to recover its critical business processes? The term for the recovery time aspect is Recovery Time Objective (R.T.O.). R.T.O. is the maximum length of time, in hours or days, that can elapse before the loss of a business process becomes unacceptable. How much money has been budgeted for the business units’ recovery efforts and/or recovery resources? Do mission critical business units depend on the output of this business unit for their continued processing? Is management willing, based on a cost justification analysis, to assume the risk / consequences of a business unit’s processes not being performed in the usual manner? Examples of common response solutions: Call Center – Re-route incoming calls to a sister site that handles similar calls. Out-source work to an external vendor. Go to a formal recovery site (i.e., internal/external to the company, or business unit staff work from home, etc.) for recovery efforts. “Hold Until Restored” – identify, hold, and manage incoming work until the computer system’s functionality is restored. Work is subsequently processed on a First In / First Out or on a prioritized basis. Planning The classic approach to prepare for a disaster is to create a detailed written Plan for each business unit as deemed appropriate via the B.I.A. Plans can be developed in a variety of ways: There are many commercial proprietary software packages (i.e., LDRPS, Paragon, etc.) that accommodate data input, plan generation, and reporting. Many organization (both large and small) use Microsoft WORD and internally developed templates. There are pro’s / con’s to each of the development methods (i.e., cost, flexibility, maintainability, etc.). Page 4 of 8 Copyright 2009 All Rights Reserved. Business As Usual, Inc.
  • 5. Regardless of how the Plan is written, at a minimum, it should answer the following basic recovery questions: 1. Where do we go? There are several generic options: Recovery Sites can have a variety of preparedness: Hot-Site – with minimal preparation; walk in, sit down, and begin processing. Minimal delays are expected before a business unit can begin its recovery steps. Warm Site – some recovery resources are in place, but some degree of preparation is still needed (i.e., hardware may need to be reconfigured from a test environment to a production environment, etc.). Some delays can be expected before a business unit can begin its recovery steps. Cold Site – The bare basics are in place (i.e., raised floor, HVAC, etc.), but an extensive amount of preparation / build out is still needed in order to become fully functional for a recovery effort. Considerable delays are to be expected before a business unit can begin its recovery steps. The degree of preparedness depends on how quickly the business unit needs to be back in operation and what kind of budget has been allocated. The cost to recover increases exponentially as the recovery time objective shortens. There are several recovery location options available: An external commercial recovery resource provider. For a subscription fee, these companies will provide various resources (i.e., hardware, telecomm connectivity, work-area recovery space, system software, mobile recovery units, etc.) needed for a recovery. The recovery resources to be provided are specified in a contract. Recovering companies are responsible for supplying their respective application software, data, and personnel. Reciprocal recovery agreement between two companies or business units within a company. The agreement basically says that if one party experiences a disaster it can use the other party’s computer / facility / resources. This alternative is particularly suited to large companies that have large data centers located around the country that can serve as backups for each other. The creation of a Memorandum of Understanding document is common practice to formalize this recovery relationship. The relationship may be bilateral or unilateral. Commandeer internal work-area / resources – It is common for non-critical business unit staff’s work-area / resources to be taken over by mission critical business units during a recovery effort. With high speed networks and many computer applications being offered via the internet, recovering business units’ processes at employees’ homes may be an option. Page 5 of 8 Copyright 2009 All Rights Reserved. Business As Usual, Inc.
  • 6. 2. What should we do when we get there? When a business unit manager receives a phone call in the middle of the night informing them that their building is on fire is probably not the best time for them to start thinking about what needs to be done. It is really hard to think clearly, objectively, and rationally in this kind of situation. A better approach is to develop a portion of the Plan that is called the “Day 1 List”. This portion of the Plan summarizes the critical few (no more than 10 – 15) items that MUST be performed in the first twelve hours of a disaster. This way the business unit manager and/or their key personnel can go bing-bing right down the list and not overlook something important. If you can act in an efficient / organized manner in the first twelve hours of a disaster, you’re a long way down the road to survival, and hopefully, to recovery. A major aspect of the “Day 1 List” is contacting a wide variety of persons (internal and external to the business unit) and/or organizations and informing them that you are experiencing a problem. This portion of the Plan should detail their contact information (i.e., name, address, telephone number, FAX number, after hours telephone number, email address (office and home), pager number, and cell phone number, etc.). If the person to be contacted is a VIP, who within the organization should make the call? People normally can be very understanding and helpful if they know up front that you are experiencing a problem. However, what they don’t like are surprises. 3. What resources are needed at the recovery site? Some needed items (i.e., desk/chairs, PCs, general office supplies, copy of the Plan, etc.) can be pre-staged at the recovery site. However, there are some items (i.e., backup data from off-site storage, special pre-printed forms from your vendor’s warehouse, etc.) that the business unit will need to obtain once staff arrives at the recovery site. These items need to be detailed in the Plan along with the vendor’s contact information and the time frame in which the items are needed (i.e., immediate, 1 – 2 days, etc.). Another important aspect of the Plan is to have it stored at several secure off-site locations (i.e., key employees’ homes) so the Plan can be quickly and easily accessed. The Plan should be marked and treated as a confidential document. It is recommended that, on an annual basis, the individual Plans be presented to senior management for their review / approval. Testing The initial writing of the Plan is important, but even more important is subsequent testing of the Plan. A very lengthy, eloquently worded Plan can be written and place it in a fancy binder, but is this Plan really capable of doing its intended job (i.e., facilitating the recovery of the respective business unit’s critical business processes)? There is only one way to find out. Test It! As a Plan is tested there will be items identified that will necessitate additions and/or corrections to the Plan. A testing program should be established with a crawl, walk, run philosophy in mind. Begin with basic test goals and steadily increase the scope and complexity of the tests over time. This builds confidence of the test participants and ferrets out the most basic “Gaps In Excellence” first. Page 6 of 8 Copyright 2009 All Rights Reserved. Business As Usual, Inc.
  • 7. There are a variety of ways that a Plan can be tested: A table-top exercise is conducted. Normally the exercise is set in the context of a specific scenario (i.e., building is inaccessible due to storm damage). Business unit staff discuss their response participation based on the steps outlined in the Plan. A formal scheduled test with limited and specific test objectives conducted with a limited number of business unit staff. Conducted in a test environment. A formal scheduled test of all the business unit’s mission critical recovery activities conducted by the business unit’s key staff. Conducted in a test environment. An unscheduled test of all the business units’ mission critical recovery activities conducted by the business unit’s key staff. Conducted in a production environment. This is the ultimate recovery test challenge. How frequently the Plan is to be tested depends on the business unit’s degree of criticality. Minimally, the Plan should be tested once a year. For Business Units that are deemed “mission critical” more frequently is recommended. It just depends on the business unit’s situation and criticality. Components of a good test: Specific test goals set prior to the test. Adequate preparation by testing participants. During the test the participants record specific issues that occur, recorded on an Issue Form, in a timely manner. A formal test Post-mortem should be conducted by the test participants to determine: What went well. What didn’t go so well and make specific recommendations to address the situation. Did the actual time for the recovery meet the business unit’s stated R.T.O. The goal of the Post-mortem is not to assign blame or point the finger. The Post-mortem’s goal is to determine how the response / recovery processes can be improved. The outcome of the Post-mortem should be a detailed list of action items needed to address the “Gaps In Excellence”. Each topic should be assigned a responsible person and a deadline for completion. The action items should be completed, at the latest, before the next test. It is recommended that the test results, Post-mortem documentation, and the improvement action items be presented to senior management for their review / approval. Some Business Continuation professionals grade the test’s outcome as pass / fail. In a recovery event either the business process is recovered or it isn’t. Not much middle ground. This may sound a little harsh, but Mother Nature/God won’t cut you any slack when you attempt a recovery. Even if you are successful with a test or a real recovery, the recovery event will be a learning experience. There will always be portions of the recovery event that can be improved in some fashion or form. Always look at a recovery event as a learning experience with the goal of improving the response / recovery process. Page 7 of 8 Copyright 2009 All Rights Reserved. Business As Usual, Inc.
  • 8. Maintenance Have you ever seen a business unit that didn’t have personnel turnover and/or changes in its business processes? Probably not many. The Plan must be kept current and reflect an accurate picture of the business unit, its processes, supporting information, and its recovery / response strategies. Maintenance of the Plan should be periodically performed, minimally once a year, or when there is a significant change in: business unit staff computer hardware / software business processes significant business unit organizational change (i.e., merger or divestiture, etc.) Lifecycle Conclusion This lifecycle is iterative. Once we finish the sequence, we start all over again. So, we’re never really finished. Summary This article is obviously highly summarized and an over simplification of the Business Continuation Planning process. However, it at least illustrates some of the data gathering, data analysis, and thought processes that goes into developing a Business Continuation Strategy. Also, this article is meant to be thought provoking: If your senior management asked business unit managers some of the sample B.I.A. questions, what kind of answers do you think they’d get? Is your company / business units adequately prepared to address the three basic Business Continuation questions?: Where do we go? What should we do when we get there? What resources are needed at the recovery site? Today’s business environments are very complicated and the recovery window is ever shrinking. This places great challenges on management to be ready for whatever may come their company’s way. Being prepared for a disaster may mean the difference of the company staying in business or not. If there are any questions, please call: John Small, C.B.C.P. Business As Usual, Inc. 3532 Pinehurst Drive, Suite 350 Plano, Texas 75075 Office 972-743-2631 john-small@business-as-usual.com http://www.business-as-usual.com Page 8 of 8 Copyright 2009 All Rights Reserved. Business As Usual, Inc.