BUSINESS CONTINUITY PLAN METHODOLOGY

Business Continuity Planning Methodology

Izzati Binti Mohd Ideris (uitm.izzati@gmail.com)

Faculty of Information Management

University Technology MARA, Campus Puncak Perdana

UiTM Puncak Perdana

Abstract

This paper’s main purpose is to discuss the main methods that involved in Business Continuity Planning. Besides that, this paper explained step taken to conduct a Business Continuity Planning. This paper also presented a multi-use business continuity planning methodology. It includes business continuity planning on the organizational and departmental levels. This study is a conceptual paper from the literature review. It is hoped, this article could give some contribution to organizations in their Business Continuity plan.

Keywords : Business continuity, Business Continuity planning methodology, Business Continuity Strategy

Introduction

Business Continuity Planning (BCP) indicates how well an organization prepares itself to survive in unexpected disasters, disruptions or changes, assuring that the critical business processes will continue to function in the most adverse circumstances with acceptable limitations (Manik Dey, 2011). The business continuity plan is part of the strategic steering instrument for senior management (Lindstrom and Hagerfors, 2009), but often not cared for properly (Kajava et al., 2006; Smith, 2004). The BCP is composed of a set of recovery options to be utilized as alternatives in the event that existing critical resources become unavailable.( Alberto G. Alexander, 2016). The purpose of a BCP is to allow critical critical business activities to continue when an unexpected situation such as large-scale disaster occurs. A BCP is an action plan for achieving the goals of business continuity (recovery time objectives for critical business activities) determined based on the analysis of the management environment, business structure and risk environment (Takeshi Ito, 2006). Every Business needs a BCP to face all possible disruptions and keep its operation running with acceptable downtime. The objectives are to protect human lives, minimize financial and reputational losses, continue serving the customers, and remain in compliance with the statutory laws and regulations (Manik Dey, 2011).

2. Business Continuity Planning Methodology

The methodology described using an example of an organization comprising senior management and departments reporting directly to senior management. An organization organized into functions or divisions can easily adapt the way the departments are described to prepare. The methodology description is intended to be used in organizations for explaining business continuity planning methodology to senior managements (and middle management). (John Lindström, Sören Samuelsson, Ann Hägerfors, 2010)

Source :  BCM Institute

This methodology is applicable to the crisis management, crisis communication and IT disaster recovery planning process. The adoption of a common methodology will allow the different plans to be aligned so as to integrate the common elements. For example, the threats and crisis scenarios can be aggregated to be part of the enterprise risk management's risk assessment process.( Goh Moh Heng, 2015)

1.       Project Management

The first step in implementing the BCM planning methodology in any organization is to set up the needed Executive Management structure, to support the BCM planning process.( Goh Moh Heng, 2015)

2.       Risk Analysis and Review

Risk Analysis and Review or RAR is a phase within the BCM Planning Process or Methodology. It is to identify existing risks and threats that the business organization is exposed to, particularly with respect to its geographic location, processes and procedures. (Goh Moh Heng, 2015) A risk assessment enables an organization to understand the threats to and vulnerabilities of its most critical activities and supporting resources, as well as the impact that would arise if an identified threat leads to a disruptive incident. (Avalution Consulting, 2017)

3.       Business Impact Analysis

The Business Impact Analysis (BIA) phase refers to the process of identifying an organization’s Critical Business Functions and analyzing the potential disruptive impact to the business. The Business Impact Analysis phase is to: (Goh Moh Heng, 2015) .Business impact analysis (BIA) is a systematic process to determine and evaluate the potential effects of an interruption to critical business operations as a result of a disaster, accident or emergency. A BIA is an essential component of an organization's business continuance plan; it includes an exploratory component to reveal any vulnerabilities and a planning component to develop strategies for minimizing risk. The result is a business impact analysis report, which describes the potential risks specific to the organization studied. (Margaret Rouse, 2015)

4.       Business Continuity Strategy

The development of the BC Strategy is the process to determine and select operating strategy to maintain or continue the critical business functions or product and services during a disaster (Goh Moh Heng, 2015) Establishing business continuity strategy starts with considering organization’s objectives, legal and regulatory requirements, personnel, and products or services, along with customers and clients. Before jumping in to identify and develop strategy and plans for business continuity, there are some preparations that can perform to help successfully implement a functional program. (Richard Long, 2017)

5.       Plan Development

5.In the plan development phase, it needs to identify all the procedures and resources necessary to initiate the BC documentation. The BC plan will contain all the pertinent details from the Business Impact Analysis and BC Strategy Phases. The completed plan is an important document, as all staff in the business units will rely on it for instruction and guidance in the event of a disaster. It is, therefore, necessary for the BC plan to be well structured and developed in a series of logical steps. As the team proceeds, please keep in mind that the BC procedures should be entirely self-contained and simple to use. The BC plan will be based on all the procedures and priorities agreed upon by the executive management so that the need to refer or make decisions in a disaster will be kept to an absolute minimum. ( Goh Moh Heng, 2015)

6.       Testing and Exercising

Testing & Exercising is needed to ensure the business continuity (BC) plan works. The BC plan must be tested to prove its validity. Testing is intended to find errors and omissions in the BC plan procedures. These corrected omissions or errors can be reported to all concerned parties and subsequently. (Goh Moh Heng, 2015). The best plans in the world though are of limited use until they have been thoroughly tested. Most Business Continuity professionals tend to refer to the testing process as exercising so as to emphasize that failure is not a negative result but a step towards a better outcome. Analysing the results of exercising identifies what parts of the plan work and where further work is required. Most organisations have historically exercised by, once a year, simulating the loss of a building on a weekend, relocating staff to their recovery site and resurrecting their systems from backup stored offsite. It would usually be considered a success if the key systems were restored within a few hours and users, firstly turned up and secondly, could log in. The outcome would invariably be a list of issues for IT to address and a few embarrassments for users who couldn’t remember their password.  (Tony Blunden, 2005)

7.       Program Management

Once the BCM planning project completes, the next challenge is to keep the BCM program effort alive. It is essential to emphasize continuously that, in the event of a disaster, BCM is the key to ensuring the safety of all people in the organization as well as the survivability of the organization. The objective of the Program Management phase is to establish an on-going system to ensure the validity of critical business functions, BC Strategy and documented recovery procedures. The ultimate goal is the recoverability of the business processes in the organization.

(Goh Moh Heng, 2015)

Conclusion

Business continuity Planning (BCP) is certainly ‘a must’ and every organization should initiate an appropriate BC plan, if not done already. It makes the business more resilient to adopt changes, prepare for uncertainties and remain in operation at adverse situations thus adding value to the business. This planning methodology covers the “Plan”, “Do”, “Check” and “Act” components of the Plan-Do-Check-Act.

REFERENCES

Alexanderser, S. (2016, May 4). A methodology for developing a business continuity strategy. Retrieved

from http://www.continuitycentral.com/index.php/news/business-continuity-news/1073-a-methodology-for-developing-a-business-continuity-strategy

Blunden, T. (2005). Business Continuity Management (5): Testing & Exercising. Retrieved 2017,

from http://www.chasecooper.com/press-release/published/96-business-continuity-management-5-testing-a-exercising.html

Consulting, A. (n.d.). Risk Assessment. Retrieved from http://www.avalution.com/risk-assessment

Dey, M. (2011, April). Business Continuity Planning (BCP) methodology — Essential for every business.

                Retrieved from http://ieeexplore.ieee.org/document/5752503/versions?part=1

Ito, T., Orikasa, H., & Yoshida, T. (2007, April). Fujitsu's Business Continuity Plan Development

Methodology. Retrieved from https://www.fujitsu.com/global/documents/about/resources/publications/fstj/archives/vol43-2/paper12.pdf

John Lindström, Sören Samuelsson, Ann Hägerfors, (2010) "Business continuity planning methodology",

Disaster Prevention and Management: An International Journal, Vol. 19 Issue: 2, pp.243-255, https://doi.org/10.1108/09653561011038039

Kajava, J., Varonen, R., Anttila, J., Savola, R. and Roning, J. (2006), “Senior executives’ commitment to

information security – from motivation to responsibility”, Proceedings of the International Conference on Computational Intelligence and Security, IEEE.

Lindstrom, J. and Hagerfors, A. (2009), “A model for explaining strategic IT- and information

security to senior management”, International Journal of Public Information Systems,

Vol. 2009 No. 1

M. H. Goh, Editor, Managing Your Business Continuity Planning Project (2nd ed., p. 166), GMH Pte

Ltd, Singapore. (2008). Retrieved from http://www.bcmpedia.org/wiki/BCM_Planning_Process_or_Methodology

M. H. Goh, “Developing a suitable business continuity planning methodology”, Information

Management & Computer Security, vol. 4, no. 2, (1996), pp. 11-13. Retrieved from http://www.bcmpedia.org/wiki/BCM_Planning_Process_or_Methodology

Rouse, M. (n.d.). What is business impact analysis (BIA)? - Definition from WhatIs.com. Retrieved from

                http://searchstorage.techtarget.com/definition/business-impact-analysis