Business Continuity – Getting Started
The purpose of a Business Continuity Plan (BCP) is to enable the sustained execution of mission-critical processes and information technology systems for your business, or your clients' business, in the event of an extraordinary event that causes these systems to fall below minimum production requirements. Your BCP should prepare you and your team to respond to the event so that you can efficiently regain operation of the systems the event has made inoperable.
Create Your Team
Who needs to be at the table to ensure you have thought through various scenarios and gotchas?
- Operations – What specific team functionalities do you need to consider?
- Management – Who needs to be informed? Are there contractual impacts related to client or partner Service Level Agreements (SLAs) that you need to work into your plan?
- IT Support – What technology and systems do you rely on? Are backups and redundancy in place?
- Executive Sponsor – Do you need help getting your plan executed? What other influences do you need to consider?
Identify Possible Scenarios
Start with the end in mind! What possibilities and probabilities do you need to consider for your geography, type of operation, and customers? Complete a Threat Risk Analysis.
The Purpose of a Risk Analysis
The purpose of the Threat Risk Analysis (TRA) is to identify which threats your organization should be prepared to respond to. The impact of a disruption can be severe enough to threaten the very survival of an organization. Such disruptions cannot always be predicted or prevented, but effective planning can dramatically reduce the damage they cause.
Threats range from those with a high probability of occurrence and low impact on the organization, such as brief power interruptions, to those with a low probability of occurrence and high impact on the organization, such as hurricanes or terrorist attacks. The most difficult threats to address are those with a high impact on the organization but a low probability of occurrence.
Examples of the potential impact of various threats include the following:
- Critical personnel are unavailable and they cannot be contacted;
- Critical buildings, facilities, or geographic regions are not accessible;
- Equipment (hardware) has malfunctioned or is destroyed;
- Software and data are not accessible or are corrupted;
- Third-party services are not available;
- Utilities are not available (power, telecommunications, etc.);
- Liquidity needs cannot be met; and
- Vital records are not available.
The Threat Risk Analysis itself consists of the following steps:
- Identify possible threats with the potential to cause harm to the organization, and the likelihood of each threat occurring.
- Identify existing vulnerabilities that a potential threat could exploit.
- Identify and analyze the controls that minimize threats or mitigate vulnerabilities. Controls include protection devices, safeguards, and procedures that are in place to reduce the effects of threats and vulnerabilities.
- Determine an acceptable level of risk. Risk cannot always be avoided; therefore, organizations should determine the level of acceptable risk for each threat.
Threats can be categorized into three sets:
- Natural Threats – Naturally occurring events, usually caused by weather.
- Human Threats – Acts, deliberate or accidental, that people commit against other people or the organization.
- Technical Threats – Equipment and system failures.
The Threat Risk Analysis Tool is used to gather information about each potential threat, including its applicability, level of impact, the likelihood of the threat occurring, and the amount of forewarning.
Review the other items in this series:
- Part 1: Getting Started with Business Continuity
- Part 2: Business Continuity – You Have an Event!
- Part 3: Business Continuity – Maintaining Your Plan