From the April/May 2010 Issue
You’ve been tasked with either overseeing your own company’s initiative, or advising a client’s initiative, to implement a Business Continuity Plan (BCP). Although there are scores of books, whitepapers and other resource materials on this topic, which also encompasses the related concepts of “Disaster Recovery Planning” and “Business Resumption Planning,” the reality is that you need to start somewhere. It is best to think of this as a process, with distinct phases that each produce a measurable outcome.
Rome was not built in a day. Elephants are eaten one bite at a time, and, similarly, BCPs take time and planning in their own right before they can achieve the desired outcome.
This article provides a high-level overview of the phases of the BCP process, along with questions worth answering before commencing the effort. The BCP process and its outcome, the Plan, vary for every business. Some businesses are satisfied with just doing a data backup and are not concerned about the other ramifications of an unplanned disaster, which is, of course, an irresponsible approach. Most businesses, however, spend their BCP effort on what matters most to them: planning for, and addressing, how they would manage significant yet “realistic” disasters. Either way, you’ll want to consider the questions below and how they shape the way you go about the BCP exercise:
- How long can we be “down” before our business is affected in such a way that we may not be able to recover (and what does “down” mean to us)?
- How much does it cost us to be down?
- How long of an outage can our customers/clients accept before they go elsewhere?
- How much business can we conduct if our computers are down, if our paper files are water-soaked from a pipe that burst in the wall, if access to our building is denied for safety reasons, or if our operations manager or IT leader goes missing for an extended period for any reason?
- Are there any regulatory requirements from local or federal government that require us to have a plan like this, and how do we know if we are staying within those requirements?
SO HOW DO WE START?
The next sections summarize the major phases of an effective BCP strategy and effort, which you can adapt to your own company’s specific needs and requirements. The first place to start, before Phase 1 is even explored, is to define the team within your organization that will be charged with managing this effort. This is an ‘all in’ process — any key processes or personnel left out can lead to an incomplete and ineffective plan, if and when the time comes to enact it.
PHASE 1: WHAT CONSTITUTES A DISASTER FOR US?
In this phase, business leaders in your organization discuss the many realistic causes that could impede or stop the flow of business. This brainstorming session will yield causes that include earthquakes and other Acts of God; intentional or accidental fire; theft; internal and/or external malicious intent; and even those as simple as coffee spilled on a keyboard or laptop, traffic incidents that delay deliveries of product or supplies, and a host of other instances. From our experience, we urge you not to underestimate the impact a disgruntled employee or a competitor can have on a business’s ability to continue as a going concern. You should also always plan for intellectual property theft and Internet-borne attacks on your systems.
PHASE 2: BUSINESS IMPACT ASSESSMENT
In this phase, you will analyze the impact of the realistic disaster causes identified in Phase 1 on business processes and departments. Correlating causes with their effects on business processes is fundamental to restoring those processes after a disaster. During this phase, the team will gain a deeper understanding of what will need to be planned for, in each scenario, for each business unit/department. The result: a comprehensive matrix illustrating the impact of each disaster scenario on each significant business process, including how long each process can be down before the business is harmed.
PHASE 3: CREATE RESUMPTION SCENARIOS
During this phase, you will define and prioritize the activities that would allow business processes to resume for each disaster/outage item. Specifically, the team needs to spell out the activities that would restore operations to an acceptable level. These activities include operational and IT infrastructure matters, IT and operational controls and processes, personnel matters, vendor and customer communications and notifications, and so on. The result: a matrix of resumption solutions, each accompanied by a time and cost estimate to implement.
PHASE 4: DRAFT THE FIRST REVISION OF THE PLAN
Begin to template the plan with sections, or separate notebooks, for each scenario and its resumption processes from Phase 3. During this phase you will be able to see where your documentation or planned efforts are missing a step or a critical resumption procedure. Always ask two questions: whether enough has been provided for to satisfactorily mitigate the impact of the disasters defined in Phase 1, and whether the level of resumed operations the business needs is actually likely to be reached by implementing the resumption strategies defined in Phase 3.
PHASE 5: IMPLEMENT SOLUTIONS AND TEST THE PLAN
In this phase, you will implement the resumption solutions that ensure your business is ready for the disaster scenarios it has planned for. This often focuses on implementing contingency strategies for IT, operations, HR and other areas. This phase also includes the very important testing activities needed to put your BCP to a reasonable and practicable test of its effectiveness. Many companies perform mock disaster drills in which they artificially enact one or several disaster scenarios from Phase 1 and determine how well the plan actually works.
For example, an IT department can simulate the loss of connectivity that a power or carrier outage would cause for remote access and external services by temporarily disconnecting Internet access, on a scheduled and announced basis with a way to reconnect, to see whether the backup arrangement really works. Similarly, an operations department can lock the facility as though there were no access to the corporate offices, and then determine whether the BCP can in fact keep the business running without anyone being physically able to reach the premises. In either drill, record how long recovery actually took and compare it with the outage the business said it could tolerate in Phase 2; a drill that “works” but takes twice as long as the business can survive has found a gap in the plan.
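A scripted restore drill of the kind this phase calls for, as an added example that is not part of the original article or of the authors’ practice. It assumes the business backs up a directory tree into a .tar.gz archive and records a SHA-256 manifest at backup time; the drill restores the archive into scratch space, checks every file against the manifest, times the restore against the maximum outage the business can tolerate (its recovery time objective, RTO), and checks the backup’s age against the most data it can afford to lose (its recovery point objective, RPO, a tolerance the article does not name but that the same impact analysis normally yields). All file names, tolerances and timestamps are constructed sample data, and the "damaged" case simulates a backup that was cut off mid-write.

```python
"""Restore drill: restore a backup to scratch space, verify it, judge RTO/RPO.

Added example (not from the article). The archive format, the manifest and
every path, tolerance and timestamp below are assumptions / constructed data.
"""
import hashlib
import os
import tarfile
import tempfile
import time
from dataclasses import dataclass


@dataclass
class Tolerance:
    process: str
    rto_seconds: float  # longest outage the business can absorb ("how long can we be down?")
    rpo_seconds: float  # oldest backup the business can accept (most data it can afford to lose)


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(src_dir):
    """Relative path -> SHA-256 of every file, recorded at backup time."""
    manifest = {}
    for root, _dirs, files in os.walk(src_dir):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, src_dir).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def make_backup(src_dir, archive_path, manifest):
    with tarfile.open(archive_path, "w:gz") as tar:
        for rel in manifest:
            tar.add(os.path.join(src_dir, rel), arcname=rel)


def restore_drill(archive_path, manifest, tolerance, backup_taken_at, now):
    """Restore into a scratch directory, verify every file, and judge RTO/RPO."""
    result = {"process": tolerance.process, "missing": [], "corrupt": [], "error": None}
    started = time.monotonic()
    with tempfile.TemporaryDirectory() as dest:
        try:
            with tarfile.open(archive_path, "r:gz") as tar:
                # Python 3.12+ (and patched 3.8+) can refuse members whose paths
                # escape the destination directory; use that filter where present.
                if hasattr(tarfile, "data_filter"):
                    tar.extractall(dest, filter="data")
                else:
                    tar.extractall(dest)
        except Exception as exc:  # a damaged archive is a drill result, not a crash
            result["error"] = f"{type(exc).__name__}: {exc}"
        else:
            for rel, digest in manifest.items():
                restored = os.path.join(dest, rel)
                if not os.path.isfile(restored):
                    result["missing"].append(rel)
                elif sha256_file(restored) != digest:
                    result["corrupt"].append(rel)
    result["restore_seconds"] = time.monotonic() - started
    result["verified"] = result["error"] is None and not result["missing"] and not result["corrupt"]
    result["rto_met"] = result["restore_seconds"] <= tolerance.rto_seconds
    result["data_age_seconds"] = now - backup_taken_at
    result["rpo_met"] = result["data_age_seconds"] <= tolerance.rpo_seconds
    result["passed"] = result["verified"] and result["rto_met"] and result["rpo_met"]
    return result


def run_example():
    """Constructed scenario: a healthy drill, a stale backup, and a damaged archive."""
    tolerance = Tolerance(process="accounts receivable", rto_seconds=30, rpo_seconds=24 * 3600)
    now = 1_700_000_000.0  # fixed epoch timestamp so the results are reproducible
    outcomes = {}
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "live")
        os.makedirs(os.path.join(src, "ledger"))
        with open(os.path.join(src, "ledger", "2010-04.csv"), "w") as f:
            f.write("invoice,amount\n1001,250.00\n1002,90.50\n")  # constructed sample data
        with open(os.path.join(src, "contracts.txt"), "w") as f:
            f.write("sample contract text\n")
        manifest = build_manifest(src)
        archive = os.path.join(work, "backup.tar.gz")
        make_backup(src, archive, manifest)

        outcomes["healthy"] = restore_drill(archive, manifest, tolerance, now - 3600, now)
        outcomes["stale"] = restore_drill(archive, manifest, tolerance, now - 3 * 24 * 3600, now)

        damaged = os.path.join(work, "damaged.tar.gz")
        with open(archive, "rb") as f:
            data = f.read()
        with open(damaged, "wb") as f:
            f.write(data[:32])  # simulate a backup job that was cut off mid-write
        outcomes["damaged"] = restore_drill(damaged, manifest, tolerance, now - 3600, now)
    return outcomes


if __name__ == "__main__":
    for name, r in run_example().items():
        print(name, "PASS" if r["passed"] else "FAIL", r["error"] or "", r["missing"], r["corrupt"])
```

The drill deliberately separates three different findings: an archive that cannot be read at all, files that are missing or altered in an archive that does read, and a backup that is intact but too old or too slow to restore for the process it protects. Each points at a different fix, and a drill that reports only “backup OK” or “backup failed” hides which one you have.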
PHASE 6: FINALIZE THE PLAN
In this phase, you will finalize the plan, involve all members of the company in building awareness of it and of their responsibilities under it, and establish the procedures by which the plan is activated if and when needed. Update the plan as changes in the business dictate, and test it again after each update is written and provided for. The plan is a living document, and it can be the lifeblood of the business if and when a failure occurs, for almost any reason.
To obtain a successful BCP, each of these phases must be addressed. The entire firm must take part, and any missing component is likely to lead to a disastrous outcome. Feel free to use these steps as the basis of your contingency plan, but allow the process to grow to fit the needs of your practice and your clients.
- - - - - - - - - - - - - - - -
Robert (Bob) Green, CPA.CITP/Partner and Rick Mark/Senior Manager are Information Management professionals in the Enterprise Risk Management Services group at Singer-Lewak, LLP, one of the western United States’ largest CPA and Consulting firms with six offices in California. This group provides CIO and CTO advisory services, as well as Governance, Risk and Compliance advisory/audit services to privately-held and SEC registrant enterprises. Bob presently serves on the AICPA’s Certified Information Technology Professional (CITP) credential committee. They can be reached at BGreen@SingerLewak.com and RMark@SingerLewak.com.