With the advent of
globalization and the world becoming flat, companies are
forming partnerships and ventures in different geographies and
increasing their footprint to tap the best talent and
infrastructure to meet their business objectives. This change
in business environment increases the need to analyze business
risks which could arise due to disaster or operational
interruption. Disasters happen in all modes of business, but
what matters is how large a penalty for such interruptions
a business can afford to pay.
A Business Continuity
Plan (BCP) is a proactively worked-out way to prevent,
if possible, and manage the consequences of a disaster,
limiting them to the extent that a business can afford. It
provides a blueprint for continuity of operations in a
situation where an enterprise experiences unanticipated
interruption -- whether from floods, hackers, power outages or
any other risk. A BCP would include parameters such as
backup power, redundant systems and alternative sites for
employees.
Need for BCP
Businesses today
are exposed to various kinds of threats and vulnerabilities.
These could be catastrophic events such as floods, earthquakes
or acts of terrorism, accidents or outages due to an
application error, hardware or network failures. Though most
of them never happen, some of them come without warning. The key to
having a BCP is being prepared to respond to the
event when it does happen, so that the organization survives, its
losses are minimized, it remains viable and it can be
“business as usual”, even before the customers feel the
effects of the downtime. Here are a few key issues for a
successful BCP.
A thorough risk
analysis will help an organization identify and analyze the
potential vulnerabilities and threats. These may vary
according to geography, industry and other factors, but
generally fall into one of the four distinct categories:
financial loss, damage to reputation, regulatory penalties
or operational disruption. The organization should prepare a
risk-benefit analysis statement highlighting detailed
threats and the estimated exposure together with contingency
and mitigation actions required, and also the benefits
arising out of covering the risk.
Business impact analysis (BIA) is
essentially the process of identifying the critical business
functions and the losses and effects if these functions are
not available. It involves going through and analyzing every
department to understand which ones are critical, what
risks are associated with each department, the estimated
costs of any downtime and how quickly you would need to
recover.
Once the analysis
is done, the organization should determine what kind of
technology or infrastructure will enable its systems or
network to remain in operation, or at least resume
operations quickly, in the event of outages. Moreover, it may
also need to make plans for the affected employees to
relocate or travel to an identified alternate site, bringing
about additional travel and other costs. All data center
infrastructure needs and their impact must also be identified.
Once this analysis is done, the organization can decide what
capital needs to be invested to mitigate that risk. It's
really important to understand the business needs, because
that's what drives cost on the technology
side.
This
enables an organization to identify its risk profile based
on the likelihood of an incident happening. It is difficult
to plan for 100 different scenarios, but one must come up
with the most likely scenarios that cover just about any type of
event that could occur. Scenarios can be a telecom network
outage or power blackout, fire, flood, riots,
anything.
Business
continuity requires active participation and signoff by
executive management, middle management and perhaps even the
lower levels of the organization. Equally important is a
dedicated BCP team or management executives who can lead the
BCP’s development, mark its progress and roll it out throughout
the organization. The BCP should be available to
employees within the organization, and they should be
educated on it.
Testing and
maintenance of the BCP is an often-ignored activity.
Ignoring this exercise would mean that the plan gets tested
only when disaster actually strikes. This is certainly not a
risk that any business can afford to take. Preparing and
testing the plan gives an assurance that there is a means of
restoring normal operations when disaster
strikes.
Testing the plan
at least once a year, involving the stakeholders from
different business departments, will throw up inconsistencies
and points where the actual and expected results differ.
Simulating various scenarios, and seeing how people respond
to them, provides a "non-threatening way" to conduct training
and amend the plan. The BCP team can then brainstorm on the
gaps found and amend the plan
accordingly.
Even though
Business Continuity Planning appears to primarily deal with
technology, it is equally associated with the business. It is
true that the operational aspect involves technology, but
knowledge of technology alone is not sufficient for this
exercise. It includes activities in risk management, crisis
management, identification of business processes, impact
analysis, cost benefit analysis, storage management, network
management, continuity planning, recovery planning, training,
communication and coordination. The team involved in business
continuity planning should ideally be a cross-functional team
with adequate domain knowledge, expertise in system and
recovery management and skills in planning.
Planning
for business continuity is all about being safe — safe from
the consequences of events that one hopes will never happen;
and the truth is — it is always better to be safe than
sorry.
Bhavesh Patel. The author is Director - IT at Motif, Inc., a knowledge-based services provider where human judgment is essential to the workflow, providing services in customer support services, back office transaction processing and research and analytics. (www.motifinc.com)