The purpose of Business Continuity Planning (BCP) is to ensure the uninterrupted delivery of product and services to your customers. In essence, its goal is to help you perform your daily operations in order to stay in business by preventing:
- Loss of business to competitors
- Supply chain interruptions
- Injury to customers or employees
- Loss of reputation
Another way to look at BCP is as a path to business continuity assurance: assurance that unplanned service interruptions caused by probable events are identified and planned for. A key phrase in this definition is "probable events." As we'll see as we move through the BCP steps, it isn't necessary to plan for every event your team can imagine. Probability of occurrence must be considered. For example, a business in Wisconsin would not plan for a hurricane while an organization in Florida might place hurricane planning near the top of its list.
Many people think of BCP as synonymous with Disaster Recovery Planning (DRP). Although DRP is important, it’s only one piece of effective BCP. The probability that your business will suffer a catastrophic event is much less than the probability of experiencing a failed server or router. BCP should be integrated into all business processes, a standard part of any technology project or implementation plan. So how does an organization achieve a reasonable and appropriate level of business continuity assurance? The rest of this series is focused on answering that question.
There are five steps to achieving business continuity assurance. They are shown in Figure 1.
The purpose of the first step is business analysis. This goes far beyond a simple analysis of your network infrastructure. It also includes the following:
- An understanding of all processes that make your business function, including how those processes work together to produce business outcomes.
- The identification of vendors and other business partners whose contributions to your operation are critical for product and service delivery. Include why and in what manner you interact with each entity. It’s also important to record contact information as well as the existence of agreements that contain clauses dealing with interruption of deliveries, service, support, payments, etc.
- A thorough understanding of your information processing infrastructure. It isn’t enough to understand your internal network. You must also understand how your network interfaces with those of your customers, banks, and suppliers. Your infrastructure assessment must include all required workstations, servers, storage devices, backup/restore systems, and communication services.
- An understanding of which people are critical to your business. These individuals are often not on your management team. Rather, they are the people who work in the trenches every day. Their understanding of how to get work done is a key element in maintaining business continuity. Additional information about them, and the tasks they perform, includes:
  - The existence of cross-training to ensure more than one person can adequately perform business critical tasks.
  - An assessment of how to maintain business continuity if key people are unable or unwilling to participate in recovery operations.
- The identification of vendors who will assist with your recovery. They might include:
  - Computer hardware and software vendors
  - Recovery site vendors
  - Communication vendors
- The creation of a contact list including all key employees. Contact information should include:
  - Home address
  - Home phone
  - Cell phone
- An assessment of all key support services, including:
  - Email
  - Voice communication
  - Fax services
  - Mail
  - Shipping and receiving
Upon completion of the analysis step, you should have a clear view into the people, processes, and technologies necessary to continue delivering product and services. As we move to the next BCP step, we begin assessing the risk associated with the full or partial loss of one or more of them.
In Part 2, I'll discuss Steps 2 and 3.