info@iarminfo.com

BCP Simplified! Easy to understand BCP


Post the outbreak of the coronavirus, the buzzword in the industry is ‘do we have a BCP to handle global pandemic outbreaks?’

This is our simple guide for Business Continuity Management Services and how to create an effective business continuity plan.

So, What is a Business Continuity Plan (BCP)?

A Business continuity plan (BCP) is a plan of action aimed at ensuring that business will continue during and after a disaster.

  1. A (detailed) Business Continuity Plan (BCP) is not an ad-hoc, short-term solution.
  2. It is an important aspect of “planning and operations” that requires significant time, resources (money, people, knowledge, tools, etc.), and ‘contribution through collaboration’ from employees across the organization.
  3. A BCP is not a checklist-based task, where we tick a box and proceed.
  4. Business Continuity Planning is a real-time, ongoing activity that warns of and protects you from all the elements throughout the year.

Historical reference ‘on calamities’: Chanakya’s Arthashastra, 300 BC

According to Kautilya, a variety of calamities can afflict the population of a state as most people lived in the countryside outside the fortified town.

The sufferings of the people could be due to acts of god or men.

Calamities due to acts of god are fire, floods, diseases and epidemics, and famine. Other calamities could include those of ‘divine origin’ like rats, wild animals, snakes and evil spirits. Calamities caused by men are many: for example, destruction by armies, internal fighting, etc.

Chanakya opines that it is the duty of the King to protect his subjects from all forms of calamities.

Reference

The ARTHASHASTRA: Calamities of the Population (book)

Why do we need Business Continuity Planning Services?

Starting point: Understanding the Business and underlying risks

A Business Organization (delivering products and/or services) has several stakeholders — Owners / Promoters, Management, Employees, Suppliers, Customers, Partners, Service Providers, Regulators, etc.

A ‘well run’ organization enjoys the patronage of customers, its own employees and enjoys an excellent reputation in the eyes of the general public.

However, on the flip side, it is the stark reality that every organization is at risk of facing potential disruptions or disasters. (These are not to be confused with ‘common operation-impacting events’.)

So, it is imperative that the Leadership Team

  1. Has a thorough understanding of the Business
  2. Understands the vulnerabilities that exist in the system
  3. Has a realistic understanding of the threats that can manifest (because of the existing vulnerabilities)
  4. Predicts which risks can impact the business in a big way
  5. Prioritizes the risks that have the highest probability of occurring and those that would cause the biggest impact
  6. Conceptualizes and deploys preventative and impact-minimization procedures (as appropriate)

In short, one of the biggest challenges for the ‘business’ is ensuring that the business keeps operating, even during adverse times.

Therefore, the Leadership Team has to recognize that “Risks to Business” can come in any form and are bound to happen, whatever may be the ‘Line of Business’.

So, apart from growing the organization and ensuring smooth operations, it’s the job of the Leadership Team to protect their own organizations from danger and harm.

Business Continuity Planning Solutions lists out the necessary steps and relevant processes that need to be put in use to identify and protect business processes required to maintain an acceptable level of operations during a crisis.

Steps to Developing an Effective Business Continuity Plan

Few of the key steps are listed below:

  • A clear understanding of the Business and scope of operations (including geographical spread)
  • Where is the organization ‘positioned’ in the “Business Chain?”
    • Am I a Service Provider / Supplier / Customer / Goods Producer etc.?
    • Understand the significance (i.e. the importance or seriousness)
  • Assign — Roles and Responsibilities of BC Team (to name a few)
    • Overall BC structure
    • Incident Response Team
    • Damage Assessment Team
    • Operations Recovery Team
    • Recovery Support Team
    • Partners, Vendors Support
    • People identified to perform BIA, RA, etc
  • Perform Business Impact Analysis (BIA) on key business processes (a BIA is done to identify the potential financial and non-financial impacts of a disruption to an activity/process and to arrive at recovery time frames)
    • Identify key business processes
      • If a process has a significant impact on (any one of the below attributes), then the process is taken up for BIA
      • Business Objectives / Financial loss in case of disruption / Regulatory issues / Impact on Customers / Vendor Relation / Employee Morale
    • Impact of the incident/disaster
      • customer deliverables / brand, reputation / organization assets / compromise on intellectual property / staff, associates / Legal or regulatory impact
  • Risk Analysis (RA)
    • On enablers (or drivers), stepwise of each of the key business processes
    • On General threats like (Flood, Fire, Civil unrest, etc)
    • On specific threats as identified in the organization’s context (i.e the environment in which the organization operates)
  • Decide on Recovery Strategy (based on the BIA and RA above)
  • Arrive at resources needed to execute BCP (manpower, IT infra, Physical infra, Vendor support, monetary support, etc)
  • BCP (Business Continuity Plan) Document captures a sequence of actions that counteracts the risk that has materialized covering 6 Rs
    • Reduce the impact of the incident
    • Response (immediate) — containment along with other actions
    • Recover critical processes or services at the defined recovery site
    • Resume critical services from the recovery site
    • Restore primary site (if possible and feasible cost-wise also)
    • Else continue and establish operations at the recovery site permanently.
    • Return to the primary site and start conducting business as usual
  • Communication Plan to
    • Employees including their emergency contacts
    • Customers, Suppliers, Vendors and Service Providers
    • Shareholders, Board
    • Regulatory authorities
    • General public
    • Media (Print Media, TV, etc)
  • Training and Awareness on BCP to staff, associates, vendors
  • BCP exercising and Testing
    • Call Tree
    • Table Top
    • Full systematic walk-through
    • Partial simulation
    • Full simulation
    • Learning and Improving

When to invoke BCP

  1. The occurrence of an event (say civil unrest)
  2. Monitor the situation (the event is beginning to have a minor impact on the organization’s business)
  3. Event is unpredictable — either it can fall flat or blow up large scale
  4. Staff monitoring the situation pass on developments to the BCMS team.
  5. Upon reaching a threshold, based on ground reality, the BCP is invoked to prevent large-scale disruption.

Here you need to find the best End-to-End Business Continuity Testing Service

Why is Business Continuity Important?

From the above, it is clear that every organization will have its own unique BCP and will not match with any other organization. ‘One size fits all’ does not work out here, and it can have tremendous backlash if implemented.

One cannot predict when an event will become an incident, eventually leading to an emergency (or a disaster situation).

So, it is imperative that an organization has a structured “backup plan” to counteract disaster situations.

The BCP developed meticulously (exercised, tested and refined based on learnings) will ensure that the organization can continue to operate and deliver products or services, at an acceptable level (MBCO), even when a disaster strikes.

A few advantages include:

  1. Continued Service Delivery:
    • Successful execution of a BCP ensures that the organization delivers services or products at an acceptable level (MBCO), which helps in retaining customers even in adverse situations.
    • It can give an edge over competitors (in case they don’t have a BCP).
  2. Safety of Personnel:
    • The first and foremost consideration in any planning exercise.
  3. Minimizing downtime:
    • Organizations without a BCP will be clueless as to what to do next when a disaster strikes. Time lost = money lost.
    • Execution of a BCP will hasten the restoration of services, and hence of the business too.
  4. Remote working:
    • People can contribute ‘during the restoration phase’ and ‘post-restoration phase’ by working from remote locations.

Why Bother? Consequences of Not Having a Business Continuity Plan

A few of the consequences of not having a BCP:

  1. Reputation Loss:
    • Stakeholders expect adherence to contractual clauses. Clients running their ‘mission critical’ projects on an organization’s products/services expect quick recovery timeframes (in the event of an unexpected disaster), which is possible only through a BCP.
    • Inability to address disruptions damages the reputation of the organization, both from the existing customers’ standpoint and that of potential future customers.
  2. Unmanageable Financial Loss:
    • Following from point 1: penalties due to regulatory non-compliance, contractual breaches and lack of insurance backup can cause an irrecoverable collapse of the organization.
  3. Leading to shut down: based on points 1 and 2, slowly but surely.

Popular Terms in BCP

Recovery Time Objective (RTO):

The recovery time objective (RTO) is the targeted duration of time, and a service level, within which a business process must be restored after a disaster (or disruption) in order to avoid unacceptable consequences associated with a break in business continuity (measured in hours or days).

Maximum Acceptable Outage (MAO):

The Maximum Acceptable Outage (MAO) is the maximum amount of time a system/service/process can be unavailable before its loss will compromise the organization’s objectives or survival (also known as MTPoD, Maximum Tolerable Period of disruption).

Minimum Business Continuity Objective (MBCO):

Minimum Business Continuity Objective (MBCO) is the minimum level of services and/or products that is acceptable to the organization to achieve its business objectives during an incident, emergency or disaster.

Recovery Point Objective (RPO):

The amount of data an organization can afford to lose in the event of a disaster; or, put differently, the data which an organization needs to have in order to resume operations after a disaster scenario. It is commonly taken as the latest backup taken just before the disaster (as decided by the Business).
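As an added illustration (not part of the original post), the following Python worksheet applies the prioritization rule described earlier (probability × impact) to a small set of processes and checks the BIA targets just defined against each other: RTO must not exceed MAO, and the interval between restorable backups must not exceed RPO. The process names, figures, 5-point scales and the backup-interval field are constructed assumptions, not values from the post.

```python
from dataclasses import dataclass

# Constructed BIA/RA worksheet entry; figures and scales are illustrative assumptions.
@dataclass(frozen=True)
class Process:
    name: str
    rto_hours: float              # Recovery Time Objective
    mao_hours: float              # Maximum Acceptable Outage (MTPoD)
    rpo_hours: float              # Recovery Point Objective
    backup_interval_hours: float  # how often a restorable copy is taken (assumed input)
    likelihood: int               # 1 (rare) .. 5 (almost certain), assumed scale
    impact: int                   # 1 (negligible) .. 5 (survival-threatening), assumed scale

def risk_score(p: Process) -> int:
    """Probability x impact: the prioritization rule the post describes."""
    return p.likelihood * p.impact

def validate(p: Process) -> list[str]:
    """Consistency checks between the targets a BIA produces for one process."""
    issues = []
    if p.rto_hours > p.mao_hours:
        issues.append(f"{p.name}: RTO {p.rto_hours}h exceeds MAO {p.mao_hours}h; "
                      "recovery would complete after the outage becomes intolerable")
    if p.backup_interval_hours > p.rpo_hours:
        issues.append(f"{p.name}: backups every {p.backup_interval_hours}h cannot meet "
                      f"RPO {p.rpo_hours}h; worst-case data loss exceeds the objective")
    return issues

def prioritise(processes: list[Process]) -> list[str]:
    """Recovery order: highest risk score first, then the shortest MAO."""
    ranked = sorted(processes, key=lambda p: (-risk_score(p), p.mao_hours, p.name))
    return [p.name for p in ranked]

# Constructed sample worksheet (illustrative figures only)
SAMPLE = [
    Process("Payments",  rto_hours=4,  mao_hours=8,  rpo_hours=1,  backup_interval_hours=0.5, likelihood=4, impact=5),
    Process("Email",     rto_hours=24, mao_hours=12, rpo_hours=4,  backup_interval_hours=24,  likelihood=3, impact=3),
    Process("HR portal", rto_hours=48, mao_hours=72, rpo_hours=24, backup_interval_hours=24,  likelihood=2, impact=2),
]

if __name__ == "__main__":
    print("Recovery priority:", ", ".join(prioritise(SAMPLE)))
    for p in SAMPLE:
        for issue in validate(p):
            print("ISSUE:", issue)
```

Running it ranks Payments first and flags Email on both checks, which is the kind of contradiction a BIA review should catch before the recovery strategy is decided.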

Also refer to: BCP for Pandemics Guideline

About the author

IARM, End to End Information Security Services and Solutions
