|
Business Continuity Plans (BCP) and Disaster Recovery Plans (DRP) |
 My aim in this brief introduction to Business Continuity is to give you an insight into creating an effective BC plan using a 5 step process (based around the British standards BS 25999) we use as standard When creating BCP and DRP’s for our clients.
Let me start with a brief introduction to Prosyn Ltd and what relevance we can bring to today’s events.
- We have been trading in the City of London for the past 5 years with very demanding trading companies.
- Our marketing focus is on companies of sizes 5-150 users
- Our core business is the creation and maintenance of IT systems and as a direct result of that we now specialise in the creation of working BCP’s.
- We have a range of products and solutions designed to keep firms up and running.
The reality of creating a BCP is that it is cost overhead that does not directly generate any money. This normally results in it being the last item on the board agenda and by the time it is discussed the board members are looking forward to a drink in the pub.
So where do you start?
- Define why BCP is required and the cost per hour/day/week of not being able to complete your business functions.
- Ensure buy-in from all of the key department heads (without this you are fighting a losing battle!).
- Assign a project manager and then give them the power to run the project. It is important to understand the time it will take to create a working plan. For a 25 users organisation we allow 6 full consulting days to create the first phase of a plan (excluding testing).
- Define a realistic budget both in time and money.
Prosyn’s 5 step plan to effective BC Planning.
Now the project is agreed and underway let’s look at the steps required:
1. Analyse your business
2. Assess the risks
3. Create a BCP timeline
4. Develop your plan
5. Test and Mange your plan
Let’s looks at each of these in more detail:
1. Analyse your business
1)Work with all department heads to create a list of functions that will be needed in a DR event.
2)Work out the IT systems needed to continue trading and supporting your clients.
3)Work out the amount of time you can afford to be down before this will have a negative effect on the operation.
4)Work out who needs to be informed when an event occurs. This list should include Staff, Customers, Suppliers and partners.
5)Ensure your insurance policy covers you for DR events.
2. Assess the Risks
By planning for the worst case scenario lesser incidents are easy to deal with. Prosyn Ltd defines a number of effects rather than detailing individual event types (Fire, Flood, Terror attack etc).
1)Event type 1 - Loss, System failure, Phone system failure, Internet failure
2)Event type 2 - Loss of Location but systems OK
3)Event type 3 - Loss of systems but location OK
4)Event type 4 - Full loss of site and systems
5)Event type 5 - Loss of staff – Wholesale headhunting, Lotto syndicate, Bird flu etc.
3. Create a timeline
1)Under each event how long should the event be in progress before the planned BCP response is implemented?
2)What are the initial actions, communication with IT suppliers, staff, customers, suppliers and the media should be the first action.
3)Understand how long it will be before an operational business will be in play. This is only possible if proper BCP testing is carried out.
4. Develop your plan
The BCP plan should be used to increase the resilience of your network and systems. By addressing areas of weakness within an organisation productivity is often increased.
1)Address any risk areas identified in the business analysis by implementing changes or systems to minimise their impact.
2)Plan for a regularly updated offsite contact list to include staff (home and mobile), customers, suppliers, insurance companies, emergency services and any other relevant contacts.
3)Plan to have copies of letterheads, bank documents (cheque books and paying in slips) and any other items identified in the analysis required to carry out the daily tasks.
4)Ensure your data is offsite. The current online backup solutions are the best way to ensure this. Tape solutions require the correct management and testing.
5)Instruct your IT team to create a step by step recovery process for each of the critical services in your company (DR Plan).
6)For Event type 5 the options for fully replacing a large team of staff are limited. Engaging a recruitment consultancy can better prepare you for this.
5. Test and manage your plan.
Without thorough testing your BC Plan is not complete and is likely to fail. During the test at least one of each of the functions created in your initial analysis needs to be tested. Tests should be controlled but still a surprise – there is little point in scheduling a test weeks in advance. The current recommendation is to carry out two tests per year and a test after every major system change.
1)This proves the staff know what their individual actions are
2)This highlights any flaws in the offsite paperwork requirements
3)This highlights the length of time it will take to get the systems up and running
4)This ensure all the relevant data, system information and resources have been provided for.
5)Following a successful test it is important to keep you plan up to date. It should be reviewed every quarter to ensure changes in the organisation are accounted for.
Some facts to consider
80% of organizations with a tried and tested business continuity plan are likely to survive a major business discontinuity; only 20% of those without a business continuity plan are likely to survive.
Over 90% of organizations that suffer a significant data loss are not in business two years later.
The Business Continuity Institute's 2005 survey indicates that 30% of businesses still don't have a business continuity plan.
The data indicates that many of the existing plans are not comprehensive and that maintenance (testing and updating) is generally inadequate.
'Backup' is not the same as a business continuity plan, and terrorism should be specifically addressed.
Trackback(0)
 |
News 
TrackBack URI for this entry
Subscribe to this comment's feed
