Archive for January, 2010

7 Habits of Highly Effective Business Continuity

Friday, January 29th, 2010

1. The Senior Executive actively supports Business Continuity

A CEO/Director/General Manager who believes in, and wants, a functional Business Continuity program in place is a critical success factor.

Having the senior Executive who sets the priorities and vision for the organisation stand behind BCP, and communicate that support to the staff, is a powerful motivator for change.

2. A Whole of Business Approach

A business continuity program that prioritises the organisation from the Executive’s bird’s-eye perspective, and analyses business impacts across all business functions in a consistent manner, will lead to a better-informed business continuity strategy being proposed. It allows the Executive to see the requirements of the business in a single snapshot and make a cost-benefit-justified decision on the level of continuity required.

3. A Single Point of Business Continuity Management

Someone needs to be responsible for BCP at an organisational level. It needs to be in their job description and a priority for them; otherwise it runs the risk of falling between the cracks. With one person accountable for co-ordinating, aggregating and monitoring the overall Business Continuity program and reporting to the Executive, the program is more likely to stay visible and maintain momentum.

4. Testing, Testing, Testing

Business Continuity should be viewed as an ongoing continuous improvement program, and as such testing is vital. It highlights flaws and validates assumptions in your business continuity plans, giving you the opportunity to improve them. Testing builds confidence and competence within the business continuity team, as it brings home how the strategy would actually work in a variety of scenarios and how the roles interrelate. An untested Business Continuity Plan cannot be considered viable.

5. Embedding BCP into job descriptions and procedures

The various BCP roles such as BCP Manager, Command Team Leader, Business Unit Leader, etc. should be written into position descriptions so that it is very clear that the role is part of the staff member’s responsibilities. Procedures for new projects, business changes and IT changes should include provision for ensuring the change has its BCP/IT Disaster Recovery aspects taken into account. All changes should have an impact analysis conducted that includes the impact on BCP/IT Disaster Recovery procedures.

6. Starting on the right foot

An induction training package that briefs new employees on the Business Continuity and Emergency Management strategies and plans in place is a great way to start them off on the right foot, highlighting the importance of this to the organisation.

7. Maintenance

The person responsible as BCP Manager should be tasked with ensuring maintenance of the documentation occurs on a regular basis. Outputs from changes and testing sessions all need to be fed into the plans. Periodically the BIA should be revisited and the organisation’s prioritisations and maximum tolerable outages reviewed.

Business Continuity and Disaster Recovery Events Calendar

Monday, January 25th, 2010

OpsCentre have compiled the following list of Au/NZ Business Continuity and IT Disaster Recovery related exhibitions, expos, conferences and other events.

Hope to see you there at one or more of the events.

Date | Location | Organiser | Event
23/02/2010 | Sydney | Continuity Forum | CF Experienced User Special Interest Group
24/02/2010 | Wellington | Conferenz | 5th Annual Business Continuity Conference
22/03/2010 & 23/03/2010 | Sydney | CEBIT | CEBIT – Future Proofing your data centre conference
23/03/2010 | Sydney | Continuity Forum | Business Continuity Awareness Week Kick-off event
24/03/2010 & 25/03/2010 | Sydney | BCI | Australasian Business Continuity Summit 2010
24/03/2010 & 25/03/2010 | Sydney | Gartner | Gartner Infrastructure, Operation and Data Centre Summit
5/05/2010 | NZ | Continuity Forum | New Zealand Conference
19/05/2010 & 20/05/2010 | Canberra | IQPC | Enterprise Risk Management for Government 2010
24/05/2010 to 26/05/2010 | Sydney | CEBIT | CEBIT 2010
8/09/2010 | Sydney | Continuity Forum | Continuity Forum Conference and Expo
10/11/2010 | Sydney | Continuity Forum | BC in Government Conference

Further details can be found on the websites of the respective companies organising the events.

Making Sense of Business Continuity Frameworks, Standards & Guidelines

Monday, January 18th, 2010

There are about 50 or more Standards, Codes of Practice and Practice Guidelines for business continuity, risk management and IT disaster recovery around the world. Some are internationally applicable and some are country-specific.

Below is some information about the various frameworks and standards that may relate to Australian organisations. This is not a complete list of all standards, rather a sampling of those most commonly referred to in Australia.

APRA (Australian Prudential Regulation Authority)
The overall objective of the APRA standard on Business Continuity Management (Prudential Standard APS 232) is to ensure that all authorised deposit-taking institutions, general insurers and life insurance companies implement a whole-of-business approach to business continuity.

Australian National Audit Office – Business Continuity Management
In June 2009 ANAO released an updated version of their guide, titled Business Continuity Management. This guide is focused on building resilience in public sector entities. It is freely available to download from the ANAO website.

Australian Standards Handbooks
AS HB 292, A practitioner’s guide to business continuity management, provides an overview of the best practice Business Continuity Management (BCM) used in Australia, the USA and the UK. It can help in implementing and analysing your continuity plans. It also covers what BCM is, establishing and managing a BCM program, assessing risks and developing scenarios, developing BCM strategies, assessing and collating resources, writing the plan, and activation and deployment. It also includes useful checklists, templates and tables. This is a non-auditable standard.

AS HB 293, Executive guide to business continuity management, provides senior management with an overview of the key concepts and processes needed to implement and maintain an integrated, robust BCM program. It provides navigation to the comprehensive information in HB 292. This is a non-auditable standard.

British Standards: BS 25999 Code of Practice for Business Continuity Management
BS 25999 is a voluntary standard suitable for any organisation, large or small, from any sector. This is an auditable standard.

Part 1, the Code of Practice, provides BCM best practice recommendations.
Part 2, the Specification, provides the requirements for a Business Continuity Management System (BCMS) based on BCM best practice.

ISO/IEC 27001 Information Security
ISO/IEC 27001 is the only auditable international standard which defines the requirements for an Information Security Management System (ISMS). The requirement for business continuity planning is an aspect of this system. State Government departments in Australia are required to have certification to this standard.

Business Continuity Institute Good Practice Guidelines: BCI GPG (2007)
The Guide to Implementing Global Good Practice in BCM is compiled by the peak industry body. It is a best practice guide intended for organisations of all sizes, and is developed and updated in the context of the internationally auditable standards as they develop, i.e. BS 25999.

The list can go on. There is Sarbanes-Oxley (SOX), COBIT, ITIL and many more. They all vary, but typically share some fundamental aspects. Whatever your Standard, we can help you to develop and maintain business continuity that will comply.

If you’re starting from scratch and don’t know if or which standard or guideline to follow, talk to us. OpsCentre can help to simplify it.

OpsCentre’s Business Continuity Blog is available on Feedburner

Sunday, January 17th, 2010

If you prefer to use Feedburner to subscribe to OpsCentre’s Business Continuity Blog, go here:

http://feeds.feedburner.com/OpscentresBusinessContinuityBlog

Feedburner allows you to subscribe using a choice of newsreader programs.

What type of Business Continuity Recovery Site do you need?

Monday, January 11th, 2010

The Recovery Site is sometimes also referred to as the Alternate Site, Standby Site or Fallback Site.

Recovery sites can function purely as a standby data centre for your IT systems or they can be for business recovery as well, with desks, phones, desktop computers, meeting rooms and other facilities.

The data centre equipment, and also the business recovery seats, can be dedicated (totally reserved for your use only) or shared (first come, first served in the event of a disaster). This is why the provider’s ratio of clients to equipment is important, as is their formula for how many clients from a given geographical area they subscribe to their ‘shared’ facility: a regional disaster can bring several of those clients to the same shared seats at once.

One key decision when determining the most effective Business Continuity Strategy for an organization is the maximum readiness level of the recovery site (cold, warm, hot) that is required.

A cold recovery site is a facility that already has in place the environmental infrastructure required to recover critical business functions or information systems, but does not have any pre-installed computer hardware, telecommunications equipment, communication lines, etc. This scenario has the longest lead time to restoring live services, because the equipment must be provisioned and set up after the event.

A warm recovery site is equipped with some hardware, communications interfaces, electrical and environmental conditioning, but is only capable of going live after additional provisioning, software installation or customisation is performed and a database backup is restored into the environment.

A hot recovery site is a facility that already has in place the computer, telecommunications and environmental infrastructure required to recover critical business functions or information systems. Typically the organisation’s data is synchronised to the hot site so that it can be switched across into live operation in a very short time, almost instantaneously in some instances. Because the data is mirrored to the hot site instantaneously or very frequently, the level of data loss in this scenario is usually minimal.

How do you determine which type of recovery site is right for you?

Arising from your Business Impact Analysis, the Maximum Tolerable Outage for your business functions tells you by when the systems need to be up and running. The Recovery Point Objective, or the amount of acceptable data loss, helps to inform these requirements as well. The right balance needs to be struck between the cost of the recovery solution and the cost of the data loss, delays and downtime you would incur if you had to wait days or weeks to recover the systems.

This is why a holistic, comprehensive Business Impact Analysis, involving the right business stakeholders and sponsored by Executive management, is essential in order to determine the business continuity recovery strategy for your organisation.

Are your service providers the weak link in your business continuity strategy?

Wednesday, January 6th, 2010

Business functions, systems or processes to be outsourced, locally or internationally, should comply with the organisation’s Business Continuity Management Policy and Outsourcing Policy. It is the responsibility of business owners, in conjunction with the sourcing department, to conduct adequate due diligence on the business recovery capability of the outsourced partner. The relevant Business Continuity Managers, however, need to ensure that all operational aspects of the outsourced functions are captured and reflected in the contractual documents.

Are your outsourced service providers and other third-party providers considered in your business impact analysis and business continuity strategy?

SunGard AS is 2009 Business Continuity Service Provider of the Year

Tuesday, January 5th, 2010

For a record 6th time, SunGard Availability Solutions is Business Continuity Service Provider of the Year (2009). Added to their previous 10 short-lists, 11 nominations and the 10 year award in 2008, this continues to demonstrate their commitment to service.

OpsCentre is proud to be the master distributor in Australia and New Zealand for the market leader in business continuity software.

Business Continuity Software Solutions

Business Continuity Terminology – What’s the difference between MTO, RTO and RPO?

Sunday, January 3rd, 2010

A common query that we come across in business continuity consulting is, ‘what is the difference between MTO, RTO and RPO?’

MTO is the Maximum Tolerable Outage
The Maximum Tolerable Outage for a critical business process represents the maximum amount of time that an organization can survive without the business process in any form (manual or automated). Defining the MTO for a process gives you the deadline for when this process must be up and running in some form or another. 

The BCI describes MTO as ‘At what point in time do you need to either recover your business process, or invoke contingency procedures to prevent you from meeting your business objectives/targets.’

RTO is Recovery Time Objective
Recovery Time Objective is essentially the timeframe requirement for how long it should take to recover, measured from the time of declaring the disaster (not the time of the actual incident) to when the critical process or system is available to users.

RPO is the Recovery Point Objective
The Recovery Point Objective describes the maximum age of the data you want to restore in the event of a disaster. For example, if your RPO is 6 hours, you want to restore systems to the state they were in no longer than 6 hours ago. This dictates your backup requirements: in this example you must be making data backups at least every 6 hours. Any data created after the last backup, up to the 6 hour RPO, will be lost and will need to be recreated during your recovery process (if possible).
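The three terms above, and the earlier point that MTO and RPO from the BIA drive the choice of recovery site, are easiest to keep straight when they are checked mechanically. The following Python is an added example written for this page, not code from OpsCentre or from any standard; the targets, backup timestamps and incident times are constructed sample values. It makes three checks a BCP Manager would want before and after a test: that the expected detection-and-declaration lag plus the RTO still fits inside the MTO (because RTO runs from declaration while MTO runs from the incident), that a backup schedule’s longest gap does not exceed the RPO, and that an actual incident or exercise met all three targets.

```python
"""Checks of MTO, RTO and RPO against a backup schedule and an incident timeline.
Added illustration for the blog post's terminology; every value below is a
constructed sample, not a figure from the post or from any standard."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class ContinuityTargets:
    mto: timedelta  # Maximum Tolerable Outage: measured from the incident itself
    rto: timedelta  # Recovery Time Objective: measured from disaster declaration
    rpo: timedelta  # Recovery Point Objective: acceptable age of restored data


@dataclass(frozen=True)
class IncidentTimeline:
    incident: datetime  # when the process or system actually failed
    declared: datetime  # when the disaster was formally declared
    restored: datetime  # when the process or system was available to users again


def plan_is_consistent(targets: ContinuityTargets, declaration_lag: timedelta) -> bool:
    """RTO starts at declaration and MTO at the incident, so the time you expect
    to spend detecting the problem and declaring plus the RTO must fit in the MTO."""
    return declaration_lag + targets.rto <= targets.mto


def backup_schedule_meets_rpo(backups: list[datetime], rpo: timedelta) -> tuple[bool, timedelta]:
    """Worst-case data loss is the longest gap between consecutive backups: a failure
    just before a backup loses everything since the previous one. Returns (ok, worst_gap)."""
    ordered = sorted(backups)
    if len(ordered) < 2:
        raise ValueError("need at least two backups to measure the interval")
    worst_gap = max(later - earlier for earlier, later in zip(ordered, ordered[1:]))
    return worst_gap <= rpo, worst_gap


def evaluate_incident(targets: ContinuityTargets, backups: list[datetime],
                      timeline: IncidentTimeline) -> dict:
    """Compare what actually happened in an incident (or a test) against the targets."""
    usable = [b for b in backups if b <= timeline.incident]
    if not usable:
        raise ValueError("no backup was taken before the incident")
    data_loss = timeline.incident - max(usable)        # age of the restore point
    recovery_time = timeline.restored - timeline.declared  # what RTO measures
    outage = timeline.restored - timeline.incident         # what MTO measures
    return {
        "data_loss": data_loss, "rpo_met": data_loss <= targets.rpo,
        "recovery_time": recovery_time, "rto_met": recovery_time <= targets.rto,
        "outage": outage, "mto_met": outage <= targets.mto,
    }


# Constructed sample: 24 h MTO, 8 h RTO, 6 h RPO, six-hourly backups with one missed run.
SAMPLE_TARGETS = ContinuityTargets(mto=timedelta(hours=24), rto=timedelta(hours=8),
                                   rpo=timedelta(hours=6))
SAMPLE_BACKUPS = [
    datetime(2010, 1, 3, 0, 0), datetime(2010, 1, 3, 6, 0), datetime(2010, 1, 3, 12, 0),
    # the 18:00 run on 3 Jan was missed, leaving a 12 h gap
    datetime(2010, 1, 4, 0, 0), datetime(2010, 1, 4, 6, 0),
]
SAMPLE_TIMELINE = IncidentTimeline(incident=datetime(2010, 1, 4, 10, 30),
                                   declared=datetime(2010, 1, 4, 12, 0),
                                   restored=datetime(2010, 1, 4, 19, 0))


def sample_schedule_check() -> tuple[bool, timedelta]:
    return backup_schedule_meets_rpo(SAMPLE_BACKUPS, SAMPLE_TARGETS.rpo)


def sample_incident_report() -> dict:
    return evaluate_incident(SAMPLE_TARGETS, SAMPLE_BACKUPS, SAMPLE_TIMELINE)


if __name__ == "__main__":
    print("plan consistent with 2 h declaration lag:",
          plan_is_consistent(SAMPLE_TARGETS, timedelta(hours=2)))
    print("schedule meets RPO (ok, worst gap):", sample_schedule_check())
    for key, value in sample_incident_report().items():
        print(f"{key}: {value}")
```

In the sample data the incident itself met all three targets (4.5 h of data lost, 7 h recovery after declaration, 8.5 h total outage), yet the schedule check fails because the missed run left a 12 hour gap that a less lucky incident would have exposed; that is the kind of finding the testing and maintenance habits above are meant to feed back into the plan.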