Business continuity planning


Business continuity may be defined as "the capability of an organization to continue the delivery of products or services at pre-defined acceptable levels following a disruptive incident", and business continuity planning is the process of creating systems of prevention and recovery to deal with potential threats to a company. In addition to prevention, the goal is to enable ongoing operations before and during execution of disaster recovery. Business continuity is the intended outcome of proper execution of both business continuity planning and disaster recovery.
Several business continuity standards have been published by various standards bodies to assist in checklisting ongoing planning tasks.
Business continuity requires a top-down approach to identify an organisation's minimum requirements to ensure its viability as an entity. An organization's resistance to failure is "the ability... to withstand changes in its environment and still function". Often called resilience, resistance to failure is a capability that enables organizations to either endure environmental changes without having to permanently adapt, or the organization is forced to adapt a new way of working that better suits the new environmental conditions.

Overview

Any event that could negatively impact operations should be included in the plan, such as supply chain interruption, loss of or damage to critical infrastructure. As such, BCP is a subset of risk management. In the U.S., government entities refer to the process as continuity of operations planning. A business continuity plan outlines a range of disaster scenarios and the steps the business will take in any particular scenario to return to regular trade. BCP's are written ahead of time and can also include precautions to be put in place. Usually created with the input of key staff as well as stakeholders, a BCP is a set of contingencies to minimize potential harm to businesses during adverse scenarios.

Resilience

A 2005 analysis of how disruptions can adversely affect the operations of corporations and how investments in resilience can give a competitive advantage over entities not prepared for various contingencies extended then-common business continuity planning practices. Business organizations such as the Council on Competitiveness embraced this resilience goal.
Adapting to change in an apparently slower, more evolutionary manner - sometimes over many years or decades - has been described as being more resilient, and the term "strategic resilience" is now used to go beyond resisting a one-time crisis, but rather continuously anticipating and adjusting, "before the case for change becomes desperately obvious".
This approach is sometimes summarized as: preparedness, protection, response and recovery.
Resilience Theory can be related to the field of Public Relations. Resilience is a communicative process that is constructed by citizens, families, media system, organizations and governments through everyday talk and mediated conversation.
The theory is based on the work of Patrice M. Buzzanell, a professor at the Brian Lamb School of Communication at Purdue University. In her 2010 article, "Resilience: Talking, Resisting, and Imagining New Normalcies Into Being" Buzzanell discussed the ability for organizations to thrive after having a crisis through building resistance. Buzzanell notes that there are five different processes that individuals use when trying to maintain resilience- crafting normalcy, affirming identity anchors, maintaining and using communication networks, putting alternative logics to work and downplaying negative feelings while foregrounding positive emotions.
While resilience theory and crisis communication theory share similarities, they are not the same. The crisis communication theory is based on the reputation of the company, but the resilience theory is based on the process of recovery of the company. There are five main components of resilience: crafting normalcy, affirming identity anchors, maintaining and using communication networks, putting alternative logics to work, and downplaying negative feelings while foregrounding negative emotions. Each of these processes can be applicable to businesses in crisis times, making resilience an important factor for companies to focus on while training.
There are three main groups that are affected by a crisis. They are micro, meso and macro. There are also two main types of resilience, which are proactive and post resilience. Proactive resilience is preparing for a crisis and creating a solid foundation for the company. Post resilience includes continuing to maintain communication and check in with employees. Proactive resilience is dealing with issues at hand before they cause a possible shift in the work environment and post resilience maintaining communication and accepting changes after an incident has happened. Resilience can be applied to any organization.
In New Zealand, the Canterbury University Resilient Organisations programme developed an assessment tool for benchmarking the Resilience of Organisations. It covers 11 categories, each having 5 to 7 questions. A Resilience Ratio summarizes this evaluation.

Continuity

Plans and procedures are used in business continuity planning to ensure that the critical organizational operations required to keep an organization running continue to operate during events when key dependencies of operations are disrupted. Continuity does not need to apply to every activity which the organization undertakes. For example, under ISO 22301:2019, organizations are required to define their business continuity objectives, the minimum levels of product and service operations which will be considered acceptable and the maximum tolerable period of disruption which can be allowed.
A major cost in planning for this is the preparation of audit compliance management documents; automation tools are available to reduce the time and cost associated with manually producing this information.

Inventory

Planners must have information about:
  • Equipment
  • People
  • Suppliers and Partners
  • Technology
  • Locations, including other offices and backup/work area recovery sites
  • Documents and documentation, including which have off-site backup copies:
  • * Business documents
  • * Procedure documentation

    Analysis

The analysis phase consists of:
Quantifying of loss ratios must also include "dollars to defend a lawsuit." It has been estimated that a dollar spent in loss prevention can prevent "seven dollars of disaster-related economic loss."

Business impact analysis (BIA)

A Business Impact Analysis is a process used to identify and evaluate the effects of disruptions on an organization's operations, and to determine recovery priorities and strategies appropriate to the organizational needs.
The main objectives of a BIA are to:
1. Identify critical activities and dependencies.
2. Assess the impact of disruptions on these activities.
3. Determine recovery time objectives and recovery point objectives.
4. Support the development of business continuity strategies and plans.
5. Inform risk assessment and mitigation efforts within the BCMS framework.
For each function, two values are assigned:
  • Recovery point objective – the acceptable latency of data that will not be recovered. For example, is it acceptable for the company to lose 2 days of data? The recovery point objective must ensure that the maximum tolerable data loss for each activity is not exceeded.
  • Recovery time objective – the acceptable amount of time to restore the function

    Maximum RTO

Maximum time constraints for how long an enterprise's key products or services can be unavailable or undeliverable before stakeholders perceive unacceptable consequences have been named as:
  • Maximum tolerable downtime
  • Maximum tolerable outage
  • Maximum acceptable outage
According to ISO 22301 the terms maximum acceptable outage and maximum tolerable period of disruption mean the same thing and are defined using exactly the same words. Some standards use the term maximum downtime limit.

Consistency

When more than one system crashes, recovery plans must balance the need for data consistency with other objectives, such as RTO and RPO.
Recovery Consistency Objective is the name of this goal. It applies data consistency objectives, to define a measurement for the consistency of distributed business data within interlinked systems after a disaster incident. Similar terms used in this context are "Recovery Consistency Characteristics" and "Recovery Object Granularity".
While RTO and RPO are absolute per-system values, RCO is expressed as a percentage that measures the deviation between actual and targeted state of business data across systems for process groups or individual business processes.
The following formula calculates RCO with "n" representing the number of business processes and "entities" representing an abstract value for business data:
100% RCO means that post recovery, no business data deviation occurs.

Risk Assessment(RA)

The purpose of the Risk Assessment phase is to identify risks that could lead to disruptions and to assess their likelihood and potential impact.
The main action of the Risk Assessment include:
1. Identify internal and external threats.
2. Analyze vulnerabilities and potential consequences.
3. Assessing each risk by determining the likelihood of occurrence and the severity of its impact.
4. Prioritizing risks for treatment and mitigation.
Common threats include:
The above areas can cascade: Responders can stumble. Supplies may become depleted. During the 2002–2003 SARS outbreak, some organizations compartmentalized and rotated teams to match the incubation period of the disease. They also banned in-person contact during both business and non-business hours. This increased resiliency against the threat.