Business Continuity Planning Overview
Defining the Project Every organization is unique in its structure, culture, processes, products and services, and physical facilities. To build an effective disaster recovery plan, each organization needs to create documents that will fit their own unique requirements and train key personnel for the kinds of disasters that they anticipate. Copying other organizations' plans, or producing plans from "cookie-cutter" formulas does not work. Unique vulnerabilities of the organization cannot be identified or addressed using either of the above techniques. Consequently, every disaster recovery project (commonly referred to as a business continuity plan) should begin with an initial assessment to determine what the right steps will be. Once the assessment is completed, an organization can proceed with the documentation, implementation, and testing required to ensure the plan will be effective. The key to successful recovery is taking the proper steps before an event occurs. Creating effective plans and reducing or mitigating hazards and risks that exist in the environment are the two major activities that every organization should perform before disaster strikes. The plans that are created should address how the organization will manage through the two stages that occur after disaster strikes - emergency response and business recovery. Approaching the Project in Three Phases The best way to organize a disaster recovery project is to approach it in three phases. Phase 1 - Assessment and Business Impact Analysis (BIA) This phase determines the scope and design of the project, as well as identifies all activities required to document, implement, and test the plan. It should include an assessment of what the most critical functions are that the business needs to continue following an event, current system and communications recovery capabilities, and a risk analysis of both internal and external hazards. Business vulnerabilities should be identified and quantified to determine which should be minimized or eliminated during planning. Phase 2 - Documentation and Implementation During this stage of the project, all documents and plans are prepared, any additional equipment and supplies are identified and obtained that are needed to reduce the risks identified in the assessment, and all personnel are trained on their respective roles and responsibilities. Phase 3 - Testing Once documents have been prepared and people have been trained, drills and exercises should be conducted to ensure the plans will work and provide a continual means to update the information to adjust for organizational changes. Ongoing Maintenance of Plans Once the initial project is completed, every organization should at least annually perform drills and exercises, identify necessary changes, and update their plans. A way to effectively maintain this ongoing process should be built into the documents that are created to make sure the information will be reviewed and updated in a timely manner Creating the Project Every organization needs to know what activities it must engage in to create an effective plan. That is the purpose of the Assessment Phase. An initial assessment (business impact analysis) typically consists of the following steps. If you are the project coordinator, these are the steps you will want to take.
After completing the interviews, you will have a clear understanding of what functions are vital that will need to continue, either manually, or by having the systems restored that support these functions.
This information should provide the organization with the ability to clearly see the scope of the project and anticipated resources that will need to be involved. It should also be used as the tool to make critical decisions on the proper pace of the project. The detail included in this assessment should equip the organization with the ability to make strategic decisions on the magnitude of funding that will be required, the number of personnel that will be involved, and the timing of critical milestones that need to occur. A typical business continuity project will take 9 months to 2 years to fully implement. The Organization's Actions Following the Assessment: Once the coordinator has presented the material, the key decision-makers will need to decide how quickly they want to proceed. Key Items to Consider: 1. The coordinator should always be used as the facilitator during Phases 2 and 3. They should not be the one to "write the plan". A plan created solely by the coordinator will have little to no ability to be used when a real disaster strikes. Instead, the coordinator should be used to guide the project, work with the different organizations within the company, and provide expertise in all elements of the planning effort to minimize the time spent by others. 2. Pick the right person to be the project coordinator. Whoever is chosen should be relieved of other duties as much as possible for the duration of the project. They should possess a high amount of knowledge about the organization and wield enough clout to be able to talk with key decision-makers when necessary. They should also have strong Why the Assessment is Important - It Saves You Dollars! Business continuity plans cannot be created in a vacuum. Even though there are fundamental steps that every organization should take, each step can vary greatly in magnitude and financial impact. Therefore, the assessment phase provides the organization with a clear picture of exactly what they should do. Asking a coordinator to begin the project without performing an assessment leads to disaster for all. The coordinator needs to know all of the information gathered during the initial assessment to know what this project will really entail. Using A Consultant If your company is large enough to hire a consultant, they can be invaluable during the Assessment phase. A qualified consultant should be able to conduct an initial assessment and present you with information you can use to make decisions regarding the scope and extent of the effort your organization needs to engage in. This assessment should typically take no more than 30 to 60 days, depending on the size of your organization. The cost of an initial assessment can vary greatly, depending on whether your organization needs to address both emergency response elements and business recovery aspects. Assessment can range anywhere from $20,000 to over $100,000, with most costing $25,000 to $45,000 plus travel expenses. The Initial Assessment should be a stand-alone contract so that you are able to evaluate their skills without committing to using the consulting firm for the entire project. What to look for in a Consultant This is a relatively new industry. In late 1995 several industry organizations formed the Alliance of Continuity Managers International (ACMI) to combine what exists - terminology, core competencies, education and minimum qualification requirements (certification) for emergency management and organization continuity professionals. They are striving to create standards and certification requirements throughout the industry. Today, there are standard questions that your organization should ask: 1. Are the principals of the firm certified, and by whom?
2. What other clients has this consulting firm prepared disaster plans for? The consultant should be willing to show you examples of their work. Due to the confidential information contained in plans, the consultant should not be asked to provide you a copy. However, at your initial meeting, the consultant should bring example copies with them to show. The consultant should provide you with a list of past clients and contact information for all of them. If they don't provide you with a list of all their clients they have provided services for within the last two years, ask them to provide you that list. Call all of their past clients to get a good understanding of the consultant's strengths and weaknesses. Ask about timeliness and completeness of material produced, as well as the consultant's ability to provide proper recommendations. 3. What practical experience did the consultant have in disasters? Test to find out if they have textbook knowledge, or practical experience. Were they in the private sector or the public sector, and what were their exact duties? Look for experience broad enough for them to be comfortable in working with your top executives as well as your safety committee, emergency response teams, and department managers. 4. How long has the consulting organization been in business? What kind of personnel turnover do they have? Determine whether a consulting firm has trouble holding clients, or farms out a lot of its work to other consultants. If there are other consultants that will be used, what are their qualifications, and how does the principal consultant guarantee their work? 5. What is the consultant's reputation with other members of the disaster recovery industry? There are several organizations throughout the state that consultants in this field belong to. These associations consist of representatives from local governments and the private sector as well as consultants, emergency supplies providers, and other vendors who service this industry. Call members of your local association or attend one or two of their meetings to find out who has a good reputation and who does not. Those in the industry know whom the good And bad ones are, but as consultants, they cannot divulge this without appearing to be "bad-mouthing" their competition. It is wise to ask - some can present very professional credentials, yet their reputations and feedback from past clients is negative. Also, be aware that some consultants volunteer to become very active in these associations because it provides them high visibility. That may not have anything to do with their qualifications. Find out first hand from those who know them. Some of the major active associations in California are:
What to Ask For in an Assessment Proposal To make sure proposals you receive are comparable, ask the consultants to provide you a proposal that contains the following elements: Contract Objectives
Some Last Words of Advice There is a lot more to preparing successful business continuity plans than picking a "hot site" or training employees on First Aid and CPR. Time and again, staggering percentages of companies have not recovered from disasters. (Industry statistics continue to indicate 60% who experience major disasters are not in business two years later.) More and more organizations are beginning to realize that preparing an effective business continuity plan is no longer a discretionary budget item. Don't be penny wise, and dollar foolish. Find out up front what it will take to put a complete program in-place. My own experience has shown that most projects die of their own volition for one or more of the following reasons:
Make sure your efforts will count! Get the right help you need at the start. Plan Today...Survive Tomorrow!™ About The Author |