Business Continuity Planning

From the April/May 2010 Issue

You’ve been tasked with either overseeing your own company’s initiative, or advising a client’s initiative, to implement a Business Continuity Plan (BCP). Although there are scores of books, whitepapers and other resource materials on this topic, which also includes the concepts of

“Disaster Recovery Planning” and “Business Resumption Planning,” the reality is that you need to start somewhere. And it is best if you think of this as a process, with distinct phases that provide measureable outcomes.

Rome was not built in a day. Elephants need to be eaten one bite at a time, and, similarly, BCP’s take time and planning in their own right, before they can achieve the desired outcome.

This article will provide you with a high-level overview of the phases of the BCP process, as well as provide insightful questions to address before commencing the effort. The BCP process and its outcome — the Plan — varies for every business. Some businesses are satisfied with just doing a data backup and are not concerned about other ramifications of an unplanned disaster, which, of course, is an irresponsible approach. Most businesses, however, spend their BCP efforts on what matters most to them — planning and addressing how they would manage significant, yet more “realistic” disasters. Either way, you’ll want to consider the questions below and how they influence how you go about doing the BCP exercise:

• How long can we be “down” before our business is affected in such a way that we may not be able to recover (and what does “down” mean to us)?
  
• How much does it cost us to be down?
  
• How long of an outage can our customers/clients accept before they go elsewhere for services?
  
• How much business can we conduct if our computers are down, if our paper files are water soaked from a pipe that exploded in the wall, if access to our building is being denied for safety reasons, or if our operations manager or IT leader goes missing for an extended period of time for any reason?
  
• Are there any regulatory requirements from local or federal government that require us to have a plan like this, and how do we know if we are staying within those requirements?

SO HOW DO WE START?
The next sections summarize the major phases of an effective BCP strategy and effort, which you can adapt to your own company’s specific needs and requirements. The first place to start, before Phase 1 is even explored, is to define the team within your organization that will be charged with managing this effort. This is an ‘all in’ process — any key processes or personnel left out can lead to an incomplete and ineffective plan, if and when the time comes to enact it.