What is Business Continuity?
Dr. Akhtar Syed, Phd, CBRM, MABR, CISSP.
Disasters can strike quickly and without warning. Webster’s dictionary defines disaster as:
“A calamitous event, especially one occurring suddenly and causing great loss of life, damage, or hardship, as a flood, airplane crash, or business failure”.
Floods, earthquakes, tornadoes, and hurricanes are examples of major calamitous events.
Businesses are vulnerable to the impact of not only major calamities but also minor business disruptions. Factors such as increased dependency on technology and “speed to market” pressures have made businesses sensitive to even minor disruptions. Some examples of minor disruptive events are power outages, information technology (IT) system failures, manufacturing equipment failures, hazardous material contamination, voice and data communication failure, and computer viruses.
Over the past decade, the risks of natural disasters, technical and accidental failures, and malicious activities have increased the possibility of business disruptions. In spite of increased risks, studies show that many businesses have remained complacent. According to Gartner, “… many enterprises that experience a disaster never recover. Gartner estimates that two out of five enterprises that experience a disaster go out of business within five years”. These findings reflect the failure of businesses to invest in adequate disaster planning and preparations.
Serious consequences of business disruptions can be avoided through business continuity planning (BCP). BCP is a discipline that prepares an organization to maintain continuity of business during a disaster through an implementation of a business continuity plan. A business continuity plan is a document that contains procedures and guidelines to help recover and restore disrupted processes and resources to normal operational status within an acceptable time frame.
A business continuity plan cannot function effectively without the collective efforts of the people assigned to various roles and responsibilities defined in the plan. Continuity of business cannot be maintained without the continuous support of critical business processes—tasks and operations performed by business units or functions—and various resources required by these processes.
The figure below depicts the typical resources involved in a business continuity plan, namely, IT infrastructure, data centers, manufacturing and production facilities, critical machinery and equipment, critical records, office work areas, critical data, voice and data communication infrastructure, and off‑site storage facilities.
Conceptually, BCP can be divided into two areas:
Business continuity planning management (BCP management)
Business continuity planning process (BCP process)
The typical activities of BCP management and BCP process are shown in the figure below on a time line relative to a business disruption.
BCP management focuses on management and organizational components of BCP. Some of the key activities of BCP management are:
Issue an organization wide business continuity policy that directs management and staff of each business unit to take responsibility for maintaining continuity of critical business functions and processes in the event of a business disruption.
Establish a steering committee with members from senior management to define the BCP scope, provide ongoing BCP support and direction, monitor BCP status and progress, and allocate BCP funding.
Initiate a formal project for developing a business continuity plan that covers the entire organization.
Ensure that personnel involved in the development and implementation of the business continuity plan are adequately trained. Develop and implement a BCP awareness and training program for the entire organization.
Ensure that BCP is in compliance with pertinent government laws and regulations, and industry standards.
Coordinate BCP activities with relevant disaster recovery and business continuity agencies and local authorities.
Ensure that the business continuity plan remains in a state of readiness at all times.
Execute the business continuity plan at the time of disaster.
Together, BCP management and BCP process enable an organization to develop a business continuity plan, maintain it in a constant ready-state, and execute in the event of a business disruption.
The BCP process defines a life cycle for developing and maintaining a business continuity plan. The BCP process life cycle model consists of the following stages:
Stage 1—Risk Management
Stage 1, risk management, assesses the threats of disaster, existing vulnerabilities, potential disaster impacts, and identifies and implements controls needed to prevent or reduce the risks of disaster.
Stage 2—Business Impact Analysis (BIA)
Stage 2, business impact analysis, identifies mission-critical processes, and analyzes impacts to business if these processes are interrupted as a result of a disaster.
Stage 3—Business Continuity Strategy Development
Stage 3, business continuity strategy development, assesses the requirements and identifies the options for recovery of critical processes and resources in the event they are disrupted by a disaster.
Stage 4—Business Continuity Plan Development
Stage 4, business continuity plan development, develops a plan for maintaining business continuity based on the results of previous stages, specifically, risk management, BIA, and business continuity strategy development.
Stage 5—Business Continuity Plan Testing
Stage 5, business continuity plan testing, tests the business continuity plan document to ensure its currency, viability, and completeness.
Stage 6—Business Continuity Plan Maintenance
Stage 6, business continuity plan maintenance, maintains the business continuity plan in a constant ready state for execution.
Stages 1 through 5 are part of the “Plan Development Project” activities of BCP management. Stage 6 is part of “Maintain Disaster Readiness” activity of BCP management.
At the time of a disaster, business continuity plan becomes the most critical document to guide the organization towards timely and effective disaster recovery. Adequate and proper training of business continuity team is crucial in developing, maintaining and executing a comprehensive, effective and reliable business continuity plan.
For a comprehensive training and certification in business continuity planning, Audit and IT disaster recovery planning, contact BRCCI (www.brcci.org, 1-800-869-8460):
3-day CBRM (Certified Business Resilience Manager) is a comprehensive, all-in-one, 3-day Business Continuity Planning and Management Training and Certification course which is designed to teach practical methods to develop, test, and maintain a business continuity plan and establish a business continuity program.
3-day CBRITP (Certified Business Resilience IT Professional) his is a comprehensive training on how to assess, develop, test, and maintain an information technology (IT) Disaster Recovery Plan for recovering IT and telecommunications systems and infrastructure in the event of a disaster or business disruption. The training provides a step-by-step methodology to ensure a reliable and effective IT disaster recovery and continuity plan consistent with the industry's standards and best practices.
2-day CBRA (Certified Business Resilience Auditor) It provides 2 days of intensive, Business Continuity Audit training to enable students to determine the effectiveness, adequacy, quality and reliability of an organization’s Business Continuity Program. Students will learn an audit methodology to evaluate compliance of Business Continuity and IT Disaster Recovery Programs with the current industry's best practices and standards including:
ISO 22301: Business Continuity Management Systems – Requirements
NFPA 1600: Standard on Disaster/Emergency Management and Business Continuity Programs
ITIL v3: Information Technology Infrastructure Library