From the April/May 2010 Issue
You’ve been tasked with either overseeing your own company’s initiative,
or advising a client’s initiative, to implement a Business Continuity
Plan (BCP). Although there are scores of books, whitepapers and other resource
materials on this topic, which also includes the concepts of
“Disaster Recovery Planning” and “Business Resumption Planning,”
the reality is that you need to start somewhere. And it is best if you think
of this as a process, with distinct phases that provide measurable outcomes.
Rome was not built in a day. Elephants need to be eaten one bite at a time,
and, similarly, BCPs take time and planning in their own right before
they can achieve the desired outcome.
This article will provide you with a high-level overview of the phases of
the BCP process, as well as provide insightful questions to address before commencing
the effort. The BCP process and its outcome — the Plan — vary
for every business. Some businesses are satisfied with just doing a data backup
and are not concerned about other ramifications of an unplanned disaster, which,
of course, is an irresponsible approach. Most businesses, however, spend their
BCP efforts on what matters most to them — planning and addressing how
they would manage significant, yet more “realistic” disasters. Either
way, you’ll want to consider the questions below and how they influence
how you go about doing the BCP exercise:
- How long can we be “down” before our business is affected in
such a way that we may not be able to recover (and what does “down”
mean to us)?
- How much does it cost us to be down?
- How long of an outage can our customers/clients accept before they go elsewhere?
- How much business can we conduct if our computers are down, if our paper
files are water soaked from a pipe that exploded in the wall, if access to
our building is being denied for safety reasons, or if our operations manager
or IT leader goes missing for an extended period of time for any reason?
- Are there any regulatory requirements from local or federal government
that require us to have a plan like this, and how do we know if we are staying
within those requirements?
SO HOW DO WE START?
The next sections summarize the major phases of an effective BCP strategy and
effort, which you can adapt to your own company’s specific needs and requirements.
The first place to start, before Phase 1 is even explored, is to define the
team within your organization that will be charged with managing this effort.
This is an ‘all in’ process — any key processes or personnel
left out can lead to an incomplete and ineffective plan, if and when the time
comes to enact it.
PHASE 1: WHAT CONSTITUTES A DISASTER FOR US?
In this phase, business leaders in your organization discuss the many realistic
causes that could impede or stop the flow of business. This brainstorming session
will yield causes that include earthquakes or other Acts of God; intentional
or accidental fire; theft; internal and/or external malicious intent; and even
those as simple as spilled coffee on a keyboard or laptop, traffic incidents
that delay deliveries of product or supplies, as well as a host of other instances.
From our experience, we urge you, as a going concern, not to underestimate the
impact that a disgruntled employee or competitor can have on a business’s
ability to continue. You should also always plan for intellectual property theft
and Internet-borne hacking.
PHASE 2: BUSINESS IMPACT ASSESSMENT
In this phase, you will analyze the impact of the realistic disaster causes
identified in Phase 1 on business processes and departments. The correlation
of causes and effects on business processes is fundamental in the re-generation
of the business process after a disaster scenario. During this phase, the team
will gain a deeper understanding of what will need to be planned for, in each
scenario, for each business unit/department. The result: a comprehensive matrix
illustrating the impact of each disaster scenario on each significant business
PHASE 3: CREATE RESUMPTION SCENARIOS
During this phase, you will define and prioritize activities that would allow
for resumption of business processes for each disaster/outage item. Specifically,
the team needs to spell out activities that would allow for resumption of operations
at an acceptable level. These activities include operational and IT infrastructure
matters, IT and operational controls and processes, personnel matters, vendor
and customer communications and notifications, etc. The result: a matrix outlining
resumption solutions accompanied by time and cost estimates to implement.
PHASE 4: DRAFT THE FIRST REVISION OF THE PLAN
Begin to template the plan with sections or separate notebooks applicable to
each scenario and resumption processes from Phase 3. During this phase, you
will be able to see where your documentation or planned efforts may be missing
a step or a critical resumption procedure. Always consider whether enough has
been done to satisfactorily mitigate the impact of the disasters defined
in Phase 1, and whether the level of resumed operations is likely to be achieved after
implementing the resumption strategies defined in Phase 3.
PHASE 5: IMPLEMENT SOLUTIONS AND TEST THE PLAN
In this phase, you will implement resumption solutions that ensure your
business is ready for the planned disaster scenarios. This often focuses on implementing
contingency strategies for IT, operations, HR and other areas. This phase also
includes the very important testing activities necessary to put your BCP to
a reasonable and practicable test of its effectiveness. Many companies perform
mock disaster drills where they artificially enact one or several disaster scenarios
from Phase 1 and determine how well the plan actually works.
For example, IT departments can simulate power outages for remote access and
external services by disconnecting Internet access temporarily to see if the
backup scenario works. Similarly, operations departments can lock the facility
as though there is no access to the corporate offices of the business, and subsequently
determine whether the BCP in fact can help resurrect the business without being
physically able to access the business.
PHASE 6: FINALIZE THE PLAN
In this phase, you will finalize the plan, involve all members of the company
in building awareness and responsibilities, and establish procedures that allow
for the plan to be activated if and when needed. You will want to update the
plan as changes in the business dictate and test the plan after updates are
authored and provided for. The plan is a living document and can represent the
lifeblood of the business if and when failure occurs, for almost any reason.
In order to obtain a successful BCP, each of these phases must be addressed.
Your entire firm must adhere to it, and any missing components will likely lead to
disastrous outcomes. Feel free to utilize these steps as a basis for your contingency
plan, but also allow for growth within the process to fit the needs of your
practice and your clients.
– – – – – – – – – – – – – – – –
Robert (Bob) Green, CPA.CITP/Partner and Rick Mark/Senior Manager
are Information Management professionals in the Enterprise Risk Management Services
group at Singer-Lewak,
LLP, one of the western United States’ largest CPA and Consulting
firms with six offices in California. This group provides CIO and CTO advisory
services, as well as Governance, Risk and Compliance advisory/audit services
to privately-held and SEC registrant enterprises. Bob presently serves on the
AICPA’s Certified Information Technology Professional (CITP) credential
committee. They can be reached at BGreen@SingerLewak.com