William Comtois is managing director of Varicom Inc., and an authority on disaster preparedness and business continuity planning.
Tom Abruzzo is president of TAMP Systems, and a consultant for disaster recovery and business continuity.
Business continuity plans have long been a staple of corporate America and the public sector. Simply stated, they enable an organization to recover from the adverse impacts of a disaster as quickly as practical. Without a sound business continuity plan, or BCP, chances are far greater that the business will suffer unnecessarily or possibly see its demise when a disaster occurs. In effect, the BCP is an instrument for increasing the chances of the business surviving and prospering over its natural life cycle.
Over the past few years we've been starkly reminded of the importance of BCPs by the wave of major disasters and the unprecedented damage to businesses they've caused. Accompanying this wake-up call is the powerful lesson that it's not sufficient to merely have a business continuity plan - rather, it's essential and compelling to have one that is well crafted, up to date, and fully embraced by the entire organization.
In this first of a series of articles we'll cover the basics of developing a business continuity plan. Whether your organization already has a BCP that's in need of some updating or if you are starting out on your first BCP, the steps and pointers below will be of interest. In a future article we'll cover some finer points by sharing lessons learned and best practices.
Building the Plan Foundation
As a first step, the planner must clearly define the objectives of the BCP. This entails two primary considerations: (1) the manner in which the organization wishes to recover from a disaster and (2) the types of disasters that the BCP will apply to. In regard to the former, you should set objectives in operative terms. For instance, the Recovery Timeframe Objective (RTO) defines the target timeframe to recover mission critical operations after a disaster.
Choosing and setting the BCP objectives should be guided by potential business impacts and tolerable limits thereof. Quantifying the business impacts can be relatively straightforward, e.g., "Shutdown of a regional distribution center for four hours will cause a backlog of shipments worth $50,000 in revenue." Answering the question "Is a $50,000 backlog tolerable?" may not be as straightforward. To find a reasonable set of limits the planner will inevitably need to blend cost-benefit and sound management judgment.
The RTO and other targets may vary with the type and severity of the disaster. For example, "... in the event of a category-3 hurricane, the corporate headquarters facility should be fully operational within two days after the storm; whereas, the facility should remain fully operational throughout category 1 and 2 storms." It may also be appropriate to set the targets according to a timeline. "Return to 50% operating capacity within 12 hours after resumption of power following a major power outage, 75% within 18 hours and 95% within 36 hours" is an example of such a time-indexed scale.
Designating what types of events will be considered "disasters" is an important part of defining objectives. It's here that you'll need to put on your "imagination" cap and look not just to history but anticipate what could happen in the future. The obvious types of events that can cause a disaster may immediately come to mind: fires, hurricanes, terrorist attacks and other events having man-made and natural origins. Less obvious or smaller-scale events should not be overlooked: server crashes, denial of service attacks, security breaches, power outages, loss of telecom land-line service, and many others may fall within the BCP's scope. Generally stated, as the planner, you should design the BCP to take into account any event that could cause inaccessibility, inoperability or impairment of the business's facilities, technology, functions or processes for an unacceptable duration.
The BCP's scope should address the organization and its geography when applicable. Does your BCP apply to the entire company / enterprise, or just your building? Are you focusing on a particular location, e.g., a single distribution center, or multiple facilities in a metro area or other territory?
Once objectives and scope are buttoned up, you'll want to build out your strategy, or the approach by which the BCP's objectives will be met. Foremost considerations in developing your strategy are the type of disaster and the applicable recovery objectives. Since there are many possible events that can cause a disaster, the most probable events should be examined carefully in terms of their potential business impact together with the applicable BCP objectives. The strategy should be devised for each disaster type deemed to be within the BCP's scope. Depending on the types of disasters on the list, a distinct strategy may be needed for each. For instance, a pandemic may call for a "work from home" strategy while a dirty bomb attack may warrant a "lock down/shelter-in" strategy.
Assembling the Plan
With the foundational pieces in order, three activities remain: (1) define and document procedures that would be executed before and during a disaster event, (2) assemble a repository of information that would be utilized during and while recovering from the disaster event, and (3) deploy the plan throughout the organization.
Viewing scope, objectives and strategy as the "foundation" of the plan, procedures may be thought of as the "machinery" that runs during a disaster. When the term "procedures" is used in this context, it is inclusive of not just tasks but also decisions, protocols for communicating, company policies and perhaps even regulations dictated by governmental bodies. This collection should entail the following essential procedures:
Incident Response - When an incident occurs, the appropriate individuals must respond according to a pre-defined sequence of steps. This will include "declaring" the disaster and classifying it according to severity, scope and other characteristics. In addition to defining the incident response steps, the persons involved and their responsibilities should be clearly called out in the BCP.
Notification Procedures - Once a disaster is declared by management, notification of the various participants must begin immediately. The participants and their responsibilities should be clearly called out in the plan.
Recovery Teams Responsibilities, Staffing and Procedures - As soon as the BCP participants have been notified, they will become part of one or more recovery teams. Therefore, recovery roles and responsibilities should be documented in this section.
Emergency Procedures and Information - External regulators require this section in plans. At a minimum, it should contain emergency contact information, alarm system response procedures and evacuation procedures.
Mission Critical Operating Specifications - Everything you will need to quickly establish your mission critical operations should be documented in this section, e.g., command center locations, service level agreements from your vendors, etc.
Rebuilding/Restoring Specifications and Inventories - At the same time that you are establishing your mission critical operations, attention should be given to restoring and rebuilding. The actual rebuilding/restoring should begin in earnest as soon as practical.
Testing & Maintenance Procedures - To ensure satisfactory execution, the plan should be tested and updated as a matter of routine procedure. Particulars as to the nature and frequency of tests as well as the "measures of performance" should be defined here. Identifying the elements of the plan that need maintenance, how often the maintenance should be performed and by whom should all be spelled out in the plan.
The next element, Information Resources, should be referenced or otherwise included within the plan. In either case, these resources should be made readily accessible by those persons who may have a need for their use during a disaster. While there is no hard and fast list, at a minimum the following should be included:
Equipment - An inventory of the equipment you had before the disaster as well as what equipment you will need for recovery.
Facilities - A description of the facilities, including contact information and directions, which would assist you in your recovery activities. These may include your offsite storage facility, hot site, command centers, alternate offices, etc.
Forms & Stationery - A description of any special forms or stationery items that would be necessary to achieve your RTO. For example, blank company checks, etc.
Personnel - Detailed contact information on all your personnel will be essential for recovery.
Recovery Tasks - A description of the tasks that need to be accomplished for recovery.
Software - An inventory of the software you had before the disaster as well as the software you will need for recovery, including any temporary software license keys.
Supplies - A description of any special supply items that would be necessary to achieve your RTO -- for example, signature plates, etc.
Vendors & Customers - A description of vendors and customers, including their contact information and agreements.
Vital Records - An inventory and description of the vital records you will need for recovery. The best recovery plan will not work without your vital records.
Glossary of Terms - Any terms deemed relevant to the plan, its execution or its maintenance should be defined in an appendix or a similarly appropriate section of the plan.
The third element, Deployment, brings us to perhaps the most commonly neglected aspect of a BCP. No matter how well thought out and meticulously documented a BCP may be, its efficacy will ultimately be judged by how well its people embrace and execute the plan during a disaster.
It is therefore advisable to take special care in making sure that the plan is formally endorsed by the company's senior management. In addition, deliberate steps need to be taken to ensure that all persons expected to act on or maintain the plan are fully trained on the plan. To this end, training programs, exercises and various other methods of disseminating the plan and its requirements should be thoughtfully developed. Such steps should be utilized in the initial deployment as well as whenever updates are made.
Business continuity planning is hardly a task to be taken lightly. While forethought and attention to detail are necessary requirements of the business continuity planner, deployment and acceptance by the organization are of critical importance to the overall success of the plan.
When viewed in the light of "benefit to the business", business continuity plans provide the opportunity to reduce risk to the business - risks that may not only damage profits or break budgets, but also lower the company's chances of survival. Not having a sound BCP and an organization that is ready to execute and maintain it will only allow an otherwise controllable element of risk to go uncontrolled.
About the Authors:
Tom Abruzzo is president of TAMP Systems (www.drsbytamp.com), maker of the Disaster Recovery System (DRS), a web-based software solution for building and maintaining disaster recovery and business continuity plans. Additionally, TAMP offers consultative services for disaster recovery and business continuity planning. Tom may be reached by email at email@example.com.
William Comtois is managing director of Varicom, Inc. (www.varicominc.com), a provider of leading solutions for crisis management and exercise management. He may be reached by email at firstname.lastname@example.org.