Primer for CEO - How Business Continuity Management Works?

Primer for CEO - How Business Continuity Management Works?

Listed below are key steps for a comprehensive business continuity program.

 

1. Identification of mission critical activities that needs a continuity plan. In order to assess the requirement for BCP, one needs to understand enterprise context. We divide an organisation unit into mission critical teams/services such as revenue generating services (RGS) for profit making businesses, customer facing services for non-profit, essential infrastructure services (EIS) such as power, utilities, IT and security, and delayed start services (DSS) – services that can wait during emergency. This assessment helps you prioritise recovery. EIS – first to recover, RGS – second to recover and DSS – last to recover.

2. Maximum tolerable period of disruption (MTPOD) is a business term that determines the number of hours you are willing to be out of business. Different organisation/services have different degree of tolerance. For a bank it can be negligible for a service sector there can be little more . (Indicative not prescriptive). This term is important to agree as it determines the speed of recovery strategies.

3. Recovery time objective (RTO) – a measure of continuity planning. It answers question such as how fast ‘WE plan’ to recover’? This is generally set at 75% of the MTPOD value.

4. Minimum service levels (MSL) – determine is the minimum service target post disaster. For organisations whose service delivery is customer facing, the question can be ‘what minimum services are to be guaranteed as per SLA agreed’?. As an organisation you may have 2 or more layers of recovery starting with minimum recovery – immediately and then scale up recovery

5. Continuity Planning – Don’t plan for events (e.g. Fire) – plan for outages (building not available). Chances are that you already have event wise plans. Those plans are designed to prevent. Business continuity is planning for outages. They can be broadly 4. Site outage, people/skill outage, vendor outage and technology outages. (They can be more – but you got the point). You need plan for each. Assumption for planning is ‘all preventive controls have failed – now how do we restore?”

6. Continuity Strategies – For each outage there are 2-3 options to choose from. People outage includes skill transfer, suitable vendor, or increasing manpower. Vendor outage planning include skill insourcing, alternative vendor and/or increase capacity from the same vendor. Location outage includes work from home, work from alternate location, work from reciprocal location. Technology outage includes warm, cold or hot site. Risk and budget drives your choice of options.

7. Testing Strategies and Tests – Your testing is dependent on your continuity strategy. From table top/documents review to full-blown main power switch off – all options exist. Your test result should ensure recovery within RTO. Your BCP is as good (or bad as) as your testing success.

8. Monitoring – Create a dashboard for monitoring. Dashboard items should include dynamic and static events. Dynamic events include acquisition of a new customer that may challenge all your existing business continuity metrics. Static events include testing results and whether they match designed RTO. Spend 30 minutes every month on the BCM dashboard and you have a great continuity plan in place.

Hope this helps! Please share your feedback.