What makes small businesses different to bigger ones when it comes to business continuity? Common risks for small businesses are linked to their operations being confined to one specific sector and one geographical location. They don’t have the possibilities of mitigation available to larger, more diverse, distributed companies. Disaster can strike all of their resources at once. Accordingly, larger customers often scrutinise their small company suppliers to see whether they have an effective business continuity strategy in place.
Archive for the ‘Business Impact Analysis’ Category
Research study finds SunGard’s BIA Professional and LDRPS is the most widely used Business Continuity Software
Thursday, February 3rd, 2011
Results released from BC Management Inc’s 9th Annual BCM Study of over 2,644 study participants find that SunGard’s BIA Professional and LDRPS is the most widely used Business Continuity Software.
For more information read on here.
OpsCentre is the Master Distributor for Australia/New Zealand for the SunGard business continuity software suite.
It is not enough to look only at the resilience strategies within your organization; the entire supply chain needs to be considered for your critical business functions.
Are you reliant on a single supplier for any key products or services?
If you have alternate suppliers, are they geographically separate or in other ways diverse from your primary supplier? If your primary supplier was affected by a problem, how likely is it this backup supplier would be too?
Can you build the requirement for these suppliers to have robust and verified business continuity in place for themselves into your supply agreements?
What are your workarounds and strategies if the supply of these products or services was cut off?
All of these questions should be examined as part of a robust business impact analysis of your critical business functions. Having a BCP is more than just a tick in the box for your audit report. It is about having confidence in your organization’s resilience. What a great selling feature for your clients, if you can confidently state you’ve got a mature and resilient organization that will stay in operation when others may fail!
1. The Senior Executive actively supports Business Continuity
A CEO/Director/General Manager who believes in and wants a functional Business Continuity program in place is a critical success factor.
Having the senior Executive who is responsible for setting the organisation’s priorities and vision stand behind BCP and communicate this to the staff is a powerful change motivator.
2. A Whole of Business Approach
A business continuity program that prioritises the organisation from the Executive’s birdseye perspective as well as analysing business impacts across all business functions in a consistent manner will lead to a better informed business continuity strategy being proposed. It allows the Executive to see the requirements of the business in a single snapshot and make a cost benefit justified decision on the level of continuity required.
3. A Single Point of Business Continuity Management
Someone needs to be responsible for BCP at an organisational level. It needs to be in their job description and a priority for them, otherwise it runs the risk of falling between the cracks. With one person accountable for co-ordinating, aggregating, monitoring the overall Business Continuity program and reporting to the Executive, the program is more likely to stay visible and maintain momentum.
4. Testing, Testing, Testing
Business Continuity should be viewed as an ongoing continuous improvement program. And as such testing is vital. It highlights flaws and validates assumptions in your business continuity plans, giving opportunity to improve them. Testing builds confidence and competence within the business continuity team as it brings home how the strategy would actually work in a variety of scenarios and how the roles will interrelate. An untested Business Continuity Plan cannot be considered viable.
5. Embedding BCP into job descriptions and procedures
The various BCP roles such as BCP Manager, Command Team Leader, Business Unit Leader, etc. should be written into position descriptions so that it is very clear that this is part of the responsibilities of the staff members. Procedures for new projects, business changes and IT changes should include provision for ensuring the change has BCP/IT Disaster Recovery aspects taken into account. All changes should have an impact analysis conducted that includes impact on BCP/IT Disaster Recovery procedures.
6. Starting on the right foot
An induction training package that briefs new employees on the Business Continuity and Emergency Management strategies and plans in place is a great way to start them off on the right foot, highlighting the importance of this to the organisation.
The person responsible as BCP Manager should be tasked with ensuring maintenance of the documentation occurs on a regular basis. Outputs from changes and testing sessions all need to be fed into the plans. Periodically the BIA should be revisited and the organisation’s prioritisations and maximum tolerable outages reviewed.
The Recovery site is sometimes also referred to as the Alternate Site, Standby Site or Fallback Site.
Recovery sites can function purely as a standby data centre for your IT systems or they can be for business recovery as well, with desks, phones, desktop computers, meeting rooms and other facilities.
The data centre equipment and the business recovery seats can be dedicated, meaning totally reserved for your use only, or shared, meaning first come, first served in the event of a disaster. This is why the ratio of clients to equipment is important, as is the formula the provider uses for how many clients from a given geographical area it subscribes to its ‘shared’ facility.
One key decision when determining the most effective Business Continuity Strategy for an organization is the maximum readiness level of the recovery site (cold, warm, hot) that is required.
A cold recovery site is a facility that already has in place the environmental infrastructure required to recover critical business functions or information systems, but does not have any pre-installed computer hardware, telecommunications equipment, communication lines, etc. This scenario has the longest lead time to restoring live services because the equipment must be provisioned and setup after the event.
A warm recovery site is equipped with some hardware, communications interfaces, and electrical and environmental conditioning, but is only capable of going live after additional provisioning, software or customization is performed and a database backup is restored into the environment.
A hot recovery site is a facility that already has in place the computer, telecommunications, and environmental infrastructure required to recover critical business functions or information systems. Typically the organization’s data is synchronized to the hot site so that it can be switched across into live operation in a very short time, almost instantaneously in some instances. Because the data is mirrored at the data centre instantaneously or very frequently, the level of data loss in this scenario is usually minimal.
How to determine which type of recovery site is right for you?
Arising from your Business Impact Analysis, the Maximum Tolerable Outage for your business functions will tell you by when the systems need to be up and running. The Recovery Point Objective, or the amount of acceptable data loss, will help to inform these requirements as well. The right balance needs to be struck between the cost of the recovery solution and the cost of data loss, delays and downtime if you had to wait days or weeks to recover the systems.
This is why a holistic, comprehensive Business Impact Analysis, involving the right business stakeholders and sponsored by Executive management, is essential in order to determine the business continuity recovery strategy for your organization.
Business functions, systems or processes to be outsourced locally or internationally should comply with the organisation’s Business Continuity Management Policy and Outsourcing Policy. It is the responsibility of business owners, in conjunction with the sourcing department, to conduct adequate due diligence on the business recovery capability of the outsourced partner; however, the relevant Business Continuity Managers need to ensure that all operational aspects of the functions outsourced are captured and reflected in the contractual documents.
Are your outsourced service and other third party providers considered in your business impact analysis and business continuity strategy?
Persons new to recovery planning often find it difficult to differentiate between Business Continuity and Disaster Recovery. In its simplest form, Business Continuity differs from Disaster Recovery in that its focus is on people and the continuation of business processes and objectives rather than the availability of IT systems and infrastructure.
Business Continuity Planning deals with taking pro-active measures to ensure continuity of business as well as plans to manage the response and recovery from a business interruption. The Business Continuity Plan would include a plan for the Command Team who will co-ordinate and oversee the response as well as sub-plans for the business units.
The IT Disaster Recovery Plan supports the recovery effort by detailing the IT system recovery priorities and time constraints, plans and strategies for recovery as well as detailed restoration procedures. The priorities and time constraints need to be driven from the business continuity requirements identified in the business impact analysis.
Of vital importance is getting Business Continuity Plans and IT Disaster Recovery Plans to dovetail in and work together to support one another in a recovery effort.
Need help integrating the pieces of the puzzle? Disaster Recovery and Business Continuity Consulting
Many organisations utilise software to create, support, maintain, distribute and test their Business Continuity Plans and ensure business survival in any emergency. Regardless of size, most companies can benefit greatly from the use of Business Continuity software and many options exist for its implementation and plan maintenance strategies. Some of the direct benefits that Business Continuity software can provide an organisation are as follows:
• Conducting and automating the business impact analysis (BIA) process
• Applying relational database architectures to manage plan updates quickly and efficiently, keep documentation “alive” and synchronize it with interfacing applications (e.g. automatically updating plan emergency contact lists with employees’ latest contact information when the corporate employee database changes).
• Distributing Business Continuity Plans to each business unit for training, testing and other implementation events
• Providing document-format questionnaires to ensure thorough analysis and response planning.
• Prompt notification to employees of emergency actions to take, according to corporate protocol.
Business continuity software can provide for risk and business impact assessment tools, plan-building tools, databases and collaborative planning tools, emergency notification and incident management tools. A number of vendors offer integrated modules from which to choose. A company’s BCP project may require only one or all types, depending on its current level of BC maturity and the features and scope of its proposed plan. By using such tools, even first-timers can take advantage of the planning methodologies of experienced business continuity planners.
A Business Impact Analysis (BIA) allows an organisation to identify the criticality of processes, interdependencies with other business units and third party suppliers, critical system requirements (e.g. systems and applications), vital files, network drives and hardware, describe manual work arounds and prioritise business functions during a recovery situation. The BIA forms the basis for the Business Continuity Plans.
A business impact analysis should take into account tangible financial impacts (opportunity cost, increased cost of working expenses, revenue reduction, uninsured asset replacement, capital value and financial viability) as well as intangible, non-financial impacts (reputation, brand and presence, legal and contractual liabilities, quality of product and services, stakeholder confidence and support, staff morale and well being, operational and management control and environmental damage).
A clear understanding of these impacts will help form the justification for the level of business continuity/IT disaster recovery investment required.
A workaround is an alternative process used to replace the normal ‘business-as-usual’ process or IT system which may be unavailable during business disruption. When determining the Maximum Tolerable Outage (MTO) for a business function, whether or not there are manual, paper-based workarounds is a factor that can help work out how long you can afford to be offline from your IT systems and possibly allow you to implement a lower cost ‘warm’ or ‘cold’ solution instead of a ‘hot’ one.
These workaround procedures define the interim tasks to keep the process going whilst the IT systems or other resources are being recovered.
When considering how long a process can operate manually one area to beware of is the backlog effect. At time of incident, if the volume of work remains constant but the rate of processing is slower because it is manual, an increase in workload eventuates which will result in backlog. This backlog may increase exponentially for as long as you are not processing at full capacity. For each process there comes a time when no matter how much overtime you throw at it, it is very costly or impossible to catch up.
It is important to consider what this threshold may be for your process and what the absolute maximum period of time is that the process can operate manually and still feasibly recover. It is wise to allow some contingency between the MTO you select (when the process needs to be recovered by) and your absolute maximum time operating manually to ensure that you have some breathing space in case something goes wrong with the recovery efforts.
As a result, how long your area will be able to function using manual workaround procedures should be revisited during your area’s BIA updates and tested as part of your business continuity exercise program.
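The backlog reasoning above can be worked through numerically. The following is an added example, not part of the original post: it assumes constant daily arrival and processing rates, and the class, function names and sample figures are constructed for illustration.

```python
import math
from dataclasses import dataclass

@dataclass
class Process:
    arrivals_per_day: float  # work arriving each day (assumed constant)
    manual_per_day: float    # items cleared per day on the manual workaround
    surge_per_day: float     # items cleared per day after recovery, overtime included

def backlog_after(p: Process, manual_days: float) -> float:
    """Items queued after operating manually for manual_days."""
    return max(0.0, (p.arrivals_per_day - p.manual_per_day) * manual_days)

def catch_up_days(p: Process, manual_days: float) -> float:
    """Days of surge processing needed to clear the backlog (inf if never)."""
    backlog = backlog_after(p, manual_days)
    if backlog == 0:
        return 0.0
    spare = p.surge_per_day - p.arrivals_per_day  # capacity left after new work
    return math.inf if spare <= 0 else backlog / spare

def max_manual_days(p: Process, max_catch_up: float) -> float:
    """Absolute maximum time on manual that can still be recovered
    within max_catch_up days of surge processing."""
    growth = p.arrivals_per_day - p.manual_per_day
    if growth <= 0:
        return math.inf          # manual process keeps pace, no backlog builds
    spare = p.surge_per_day - p.arrivals_per_day
    if spare <= 0:
        return 0.0               # no overtime can ever clear a backlog
    return spare * max_catch_up / growth

def recommended_mto(p: Process, max_catch_up: float, contingency: float = 0.25) -> float:
    """MTO set below the absolute maximum to leave breathing space."""
    return max_manual_days(p, max_catch_up) * (1 - contingency)

# Constructed sample: 400 items/day arrive, 150/day are cleared manually,
# 500/day can be cleared with overtime once systems are restored.
SAMPLE = Process(arrivals_per_day=400, manual_per_day=150, surge_per_day=500)

if __name__ == "__main__":
    for days in (1, 2, 4, 8):
        print(days, backlog_after(SAMPLE, days), catch_up_days(SAMPLE, days))
    print("absolute maximum on manual:", max_manual_days(SAMPLE, 10))
    print("MTO with 25% contingency:", recommended_mto(SAMPLE, 10))
```

Substitute rates measured in your own BIA; if surge capacity does not exceed the arrival rate, any backlog is unrecoverable and the workaround cannot be used to justify a longer MTO.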