BCP is more proactive. It focuses on avoiding or mitigating risks and maintaining minimal services while restoring an organization to 'business as usual.' BCP is best implemented on an enterprise level, instead of being a set or subset of equipment or service. Some organizations require a business continuity plan to meet fiduciary demands, while others need it for regulatory and compliance purposes. However, all organizations must have a viable business continuity plan if they expect the organization to survive a disaster and recover in the shortest possible time.
There are five stages, through which planning of BCP takes place.
• Business impact analysis
• Strategy selection
• Detailed plan
• Plan testing
• Plan maintenance
Under the business impact analysis stage of planning BCP, you have to take care of:
• Data collection and fact finding
• Critical functions and recovery timescales
• Resource identification for critical functions
• Threat assessment and risk reduction measures
• Disaster scenarios
Under strategy selection phase of planning BCP, you have to see to:
• Minimum recovery resources
• Recovery locations
• Vital records identification
• Backup strategies
• Recovery strategies with costs
Under the detailed plan part of planning BCP, you have to take care of:
• Plan development
• Identification of a command center
• Business recovery team organization
• Assignment of team personnel
• Team procedures
• Preparation & documentation of the plan
Under the plan testing stage of planning BCP, you have to see to the:
• Selection of testing methodology, whether active or passive
• Briefing of your own personnel or third parties, and then execution of a test
When it comes to planning BCP under the plan maintenance stage, you need to see to the:
• Nomination of a BCP officer
• Monitoring of business and IT strategy
• Periodical review of operational risks
• Updation of all documentation and changes
• Review of third-party contracts
• Review of the adequacy of insurance cover
• Distribution of copies to all concerned
• Conduct of regular drills
• Documentation of all that failed in the drills, and initiation of corrective action
There are certain standards formulated for planning BCP. These include:
• BS 25999-1, which is a code of practice for guidance and recommendations. It establishes the processes, principles and terminology of BCP, as well as provides a basis for understanding, developing and implementing business continuity.
• BS 25999-2, which specifies the process for achieving the certification.
Now, is there a simple mantra to keep in mind while planning BCP? Yes, the mantra is that BCP should be achievable, comprehensive, current and readily available.
About the author: Ashish Dandekar is the CIO of Power Exchange India. He is a certified Business Continuity professional and a Lead Auditor (ISO25999). He is also an ISMS implementer (ISO27001) and has a Quality Management Certification (ISO9001).
(As told to Jasmine Desai)
This was first published in June 2010