|
Great business continuity
management goes beyond the writing of a business continuity plan or
disaster recovery plan. It is the proactive approach whereby an
organisation provides the critical resources to ensure that the
critical business objectives continue to be met irrespective of the
type, or severity of a disruption to normal operations.
The key
benefits of strong business continuity management and a disaster
recovery program include:
-
Detailed understanding of what your business absolutely must
achieve (the critical objectives).
-
An understanding of what interruptions may be faced in
trying to achieve these critical objectives.
-
Able to predict the probable outcome of controls and other
mitigation strategies.
-
Procedures the business can follow to achieve the critical
objectives should interruptions take place.
-
Understanding the criteria or triggers for implementing
crisis and disaster recovery procedures.
-
All staff are aware of their roles and responsibilities when
a major disruption occurs.
-
A clear understanding throughout the organisation of what
accountabilities and responsibilities are in place when business
continuity and disaster recovery response are in effect.
-
Consensus and commitment to the requirements, implementation
and deployment of disaster recovery measures.
Commencement
When you first get started with your business continuity project,
the key questions that you need to ask yourself are:
Determine the need:
To be successful you must start well! You'll need to clearly
state your scope, objectives and desired outcomes of your project.
Suggested activities:
-
Utilize the critical business objectives identified in
business strategies, business plans, and performance
management tools
-
Consider geographical locations, functional units, client
groups, essential plant/assets that may require continuity
coverage.
-
Agree on a budget! Also consider any time constraints and
deadlines.
-
Consider if you'll develop your continuity plan in-house,
use an expensive expert consultant, or use a cost effective template (See
Disaster Recovery
and
Business Continuity Plan Template)
Business Impact Analysis
A good business impact analysis will allow you to determine
what the maximum amount of time can elapse without critical
resources.
The questions that you'll be asking yourself and the key
stakeholders will include:
-
What are our critical business resources?
-
What continuity procedures are in place at the moment?
-
What are the 'likely' scenarios that would effect our
business ability to operate?
Above you'll notice that likely is listed in quotes. This
is to highlight the importance of keeping it real. Risk level
is subjective by nature, however by keeping your continuity planning
efforts focused on scenarios that are feasible will strengthen your
project.
Impacts from a disruption can be categorised as either quantitative
or qualitative. Quantitative impacts are losses that are identified
in quantities, percentages, or factors of standard that can be
described in monetary terms.
Qualitative impact instances are
intangible losses that can impact operationally, but cannot easily
be quantified in monetary terms. Some examples of potential impacts
in the event of a disaster are as follows:
|
QUANTITATIVE IMPACTS |
QUALITATIVE IMPACTS |
|
-Opportunity cost
-Loss of clients
-Penalties & fines
-Increased operating costs
-Reduced capital value
-Loss due to physical damage
-Loss due to injuries
-Revenue and income
-Increase in expenses during recovery efforts
-Market Share |
-Reduced operational
efficiency
-Reputation
-Staff morale and well being
-Loss of management control
-Inter-departmental relationships
-Legal, contractual or regulatory liabilities
-Intellectual property, knowledge and data
-Comment and regulatory attention
-External relationships
-Client satisfaction |
The table below is an example of the impact to a
businesses operations over varying durations. The table allows
for normal times, when operations are at stable levels, and also
critical times when business activities may be increased - this may
be due to a number of factors however a good generic example is end
of financial month/year processing.
The legend is located below the table.
Illustrating the impact in this manner helps stakeholders agree on
an appropriate recovery time objective.
|
Outage Time |
Normal Times |
Critical Times |
|
1 hour |
0 |
0 |
|
½ day |
1 |
2 |
|
1 day |
2 |
3 |
|
2 days |
3 |
4 |
|
3 – 4 days |
4 |
5 |
|
5 – 8 days |
5 |
5 |
|
9 -14 days |
5 |
5 |
|
15 – 30 days |
5 |
5 |
|
0 – 60 days |
5 |
5 |
|
Over 60 days |
5 |
5 |
0
= No Interruption
1
= Minor Interruption – problem easily handled
2
= Moderate Interruption – business activity continues
3
= Major Interruption – business activity continues but with
some difficulty
4
= Severe Interruption – continuation of business activity
extremely difficult
5
= Complete Interruption – business activity ceases.
In the
example above, it is safe to assume that a 2 to 3 day recovery time
objective would be appropriate.
Next Process -
Risk Analysis
|
dark.jpg)