Building an Enterprise-wide Business Continuity Program


Most people I know in this industry started their careers as Business Continuity Planners by accident. They found themselves in a position at a company where their boss said to them “oh, by the way, in addition to all the other things you have on your plate, I want you to do the business continuity for the organization.” If they are lucky, the company then ships them off to an industry conference to “learn something about it.” Sometimes that helps and sometimes it just overwhelms them even more.

If you are one of those people new to this field, here is some help. First, let me tell you something. It is not about the technology. It’s about the business. Technology recovery may be complex at times but it is easy. It is very black and white. It either works or it doesn’t. How well it works and how quickly you recover your technology is entirely dependent on two things. How much money you want to spend and how often you test your recovery.

Business recovery is hard because it involves people and people are not black and white. They have families and houses and lots of other issues that in a disaster are more important to them than recovering the business. It is your people who make your business successful or not successful. Technology is an enabler but without the people, nothing happens.

Unfortunately, selling the need to recover the technology environment is much easier than selling the need for an enterprise-wide plan. So how do you sell it and who do you sell it to? You sell it to the business people. The business makes the money and they are the ones who decide how the money that they have available to spend is spent. The technology people generally already understand the need for a recovery plan but they do not know how to sell it either and to be honest, they would much rather spend the money on new toys in their production environment rather than improving the recoverability of the business.

You have to ask them if they are serious about being recoverable or whether they just want to meet an audit requirement. If they are not really serious, then you are not going to get them to give you what you will need to build a program. If they are serious, then the first thing you need them to do is provide you with one person from each functional area of the organization to work with you to build a plan. This group becomes your planning team.

Your planning team will then be given a series of tasks to complete. The first is identifying the people they will need to be part of the recovery efforts for their area and building an Emergency Notification List (ENL). The theory is that if you can at least get a hold of your people, even without a plan, then you have some hope of recovery.

The second task is to identify the “stuff” also known as Vital Records. Continuing the same theory, if you have your people and your stuff, even without a plan, you have even more hope of recovery. Most organizations are good about traditional vital records like server backups and legal documents but you must also consider things that would be unavailable in an emergency that people use on their desk every day. Things like procedural manuals, company letterhead and forms.

The next step is the Business Impact Analysis (BIA). You need your planning team to define what the impact would be to their area of the company in the event of an outage. Start with just these two events: loss of site and everything in it, and loss of technology. The impact needs to be both quantitative, for example how much money we will lose, and qualitative, such as how our reputation may be damaged. In addition, you need to define how quickly that impact will be felt. For example, if you have only one call center and the building the call center is located in has to be evacuated during business hours, the impact to your customers who are calling you is immediate. If you only get 10 calls an hour, the size of the impact may be different than if you get 10,000 calls an hour but it really depends on what those calls are about.

The results of the BIA are going to tell you what functions you need to recover and how much time you have to execute the recovery from the time of the disaster to the time that function is operating again at the minimum acceptable level. Once you understand that, you can move to the next process, which is defining the resources you need to recover. Resources include physical space, network, phones, printers, fax machines, scanners, applications, hardware, software etc. Everything you need to rebuild that function.

Once you understand what you need to recover and what resources need to be available at the recovery site, you then need to go through the process of selecting a recovery strategy for each function. These may include a variety of options depending on the amount of time you have to recover. The quicker a function needs to be back operational, the fewer options you have for recovery. The more time you have, the more your options increase.

After selecting and implementing your recovery strategies, you then need to test. Test as often as you can. Test your communication plans, your alternate sites, your technology recovery, your business recovery. The key to being ready is testing.

Once you have implemented your plans, you need to transition from a project into an on-going program of plan reviews, testing, updating, training new planners and communicating the plans to all employees. You can also start to expand your plans to include other event types such as workforce impairment events like Pandemics or employee labor strikes or transportation strikes which are events where your building is fine, your technology is fine but your people are unwilling or unable to come to work.

Your program is a success when every single employee can answer the question, “where do I go if I cannot get back in my building?” If you were evacuated from your space right now and standing outside the building with your fellow employees and you can tell, either because of the smoke billowing from the windows or the National Guard blocking the entrance that you were not getting back into that space today, do you know what to do next? Does your staff? Does every single person who works for your company? If you can answer yes, that’s a plan.

=======================

This article is by Kelley Okolita, MBCP, author of the new book Building an Enterprise-wide Business Continuity Program, available from Rothstein Associates.
