BCP / BIA – debunking the myths
Whilst many organisations have developed Business Continuity Plans, the basis for documenting business continuity requirements is often not clear. In many cases there is uncertainty as to what a Business Continuity Plan is, what it should facilitate and what it should contain, with the lines between emergency management and business continuity often blurred.
It is important that there is a clear understanding of the different disciplines and required plans:
- A Business Continuity Plan (BCP) is a documented collection of procedures and information that is developed, compiled, and maintained in readiness for use, to enable an organisation to continue to deliver its critical products and services at an acceptable predefined level in the event of some type of business disruption.
- A Disaster Recovery Plan (DRP) is a documented process or set of procedures to recover and protect an organisation’s IT infrastructure in the event of a disaster. Such a plan, ordinarily documented in written form, specifies procedures an organisation is to follow in the event of a disaster.
- The primary aim of an Emergency Management Plan is to establish an organisational structure and procedures for response to major emergencies, with the primary aim of safeguarding people.
- A Local Disaster Management Plan provides an outline for prevention, preparedness, response and recovery arrangements for a local government community in the event of a community-wide disaster. It provides direction and authority for a Local Disaster Management Group to coordinate disaster management functions.
In order for a BCP to be of any use, it must contain information relating directly to the continuity of the organisation’s critical functions during a disruption event. Often BCPs contain too much information about all activities undertaken by the organisation, not only critical ones. It is not uncommon to come across BCPs that are in excess of 100 pages. During a disruption event, it is vital for the most critical functions to be recovered first, and therefore the information contained in the BCP needs to focus directly on these critical functions in a succinct manner.
In order to identify these critical functions and prioritise them, a Business Impact Analysis, or BIA should be undertaken. A BIA is the process of analysing business activities and the effect that a business disruption might have upon them. This is an essential part of successful business continuity management as it identifies the most important functions in a methodical and objective manner. A BIA is best done in a workshop environment with stakeholders representing the range of departments or functions of the organisation.
The steps of undertaking a meaningful BIA include:
Step 1: Identifying Business Functions
Stakeholders are asked to list all tasks for which they responsible for in order to map out the extent of the BIA.
Step 2: Determine Critical functions
In line with agreed impact criteria, the risks to the organisation are identified and assessed relating to the loss of each of the identified functions, to determine functions that are critical. Functions which would have a catastrophic or major impact on the organisation if lost are considered to be critical functions.
Step 3: Resource and Workaround Identification
Once the critical functions have been identified, the resources required and any existing workarounds are then identified.
On completion of these steps, the requirements for the development of a BCP should be evident. That is, the BCP should contain the procedures and information to enable the organisation to continue to deliver its critical products and services at an acceptable predefined level.
Please contact QRMC for assistance to develop or review your business continuity management processes.