Frequently asked questions
Why is business continuity planning important?
Bad things happen. The problem is that we don't know who will suffer them, how bad they will be and when they will occur. Developing a BCP is just like taking out insurance. Having insurance does not mean bad things won't happen, it will just mean your costs will be paid by your insurance company. With a well developed BCP, your organisation will suffer less from the disaster and recover more quickly (and the experience will be less stressful!).
Your organisation has spent great effort and money in getting to where it is - it would be a shame to lose it all if a disaster strikes.
Your organisation needs a Plan B. You should find a way by which your organisation can continue to do business - even if it is the victim of a really bad event.
Is the BCP only a Plan?
Having a well written document will be of no value if there is no underlying infrastructure that facilitates a smooth recovery from a disaster. The BCP must have the infrastructure required to recover within your Recovery Time Objectives and you need to test it at least annually. Having a well written plan, with no capability to implement a recovery is meaningless.
Why is regular testing important?
Nobody would think it reasonable to stage a new musical - without having rehearsed it thoroughly before opening night. You should exercise your BCP at least annually to ensure that it is fit for purpose and that your organisation can comfortably achieve the recovery targets the business has set.
The two most valuable aspects of testing is that it uncovers weaknesses in your plan and it is a great way of demonstrating to other staff that it would be difficult for them to do their jobs if they don't have access to their usual place of work.
Good risk management or Government regulation?
Developing a BCP is prudent risk management and a good practice in almost all circumstances. Not having a "Plan B" puts your organisation's welfare at risk and this exposure can be avoided with an appropriate BCP. Would you drive your car without having a spare tyre in the boot?
Some organisations have to develop a BCP because of Government regulations. A good example is the financial services industry which is regulated by APRA. APRA has very specific requirements that mandate how you carry out BCP and document the results.
How much effort is involved?
This varies by size of organisation. Like many of these initiatives, it is unwise to do too much or too little.
Having a BCP that is 1,000 pages long and reads like "War and Peace" will mean that it will never be used. Similarly, a two page document is unlikely to be helpful. For a small to medium sized organisation, an experienced practitioner should be able to develop a workable BCP in 30-40 person days.
Note that perfection is not the goal. Better is the goal - it's more important to get started and learn and improve through exercising the plan.
Who should do it?
As the primary purpose of a BCP is to keep the business going after a disaster - a business manager should have overall responsibility for the project.
Note that although information technology is an important component of a BCP, it is probably unwise to have an IT person head up the BCP initiative, as many of the key decisions require intimate knowledge of the business.
A critical factor to the success of the project is to ensure you have the energetic and strong support from a senior business executive - preferably the CEO.
You will find it very difficult to obtain the assistance you will need, without strong executive sponsorship. It is often very helpful to have a project steering committee to help you through the process and gain the support you will require.
How much time should be spent on the project?
If you are starting from scratch, you will probably need to allow at least three elapsed months as a minimum. Scheduling interviews with senior managers requires advanced planning and getting colleagues to review documentation often takes longer than anticipated.
A BCP for a large organisation can easily take twelve months to complete.
How much money should the business spend on BC and DR infrastructure?
The most critical stage of a BCP is the Business Impact Analysis, as it identifies what's important to the organisation. The main output of a BIA is a ranking of the most important business processes in the organisation - in terms of value ($ profit or sales per day) and the amount of time your organisation could survive without these being available - before it suffers irreparable harm.
Having identified the top ten to twelve critical business processes and their value will give you a good idea of the scale of investment you will need to protect the organisation. For example, if your most critical business process is worth $1M/day - you would not spend $10,000 on infrastructure to protect it. The value of the critical processes and the risk appetite of your organisation will provide you with a good guide on how much you should spend on its protection.
How do I get the appropriate support from my managers?
Ensure the project has a strong executive sponsor and establish a project Steering Committee that has representatives from key parts of the business. Report your progress regularly and avoid surprises. Leave key decisions to the Steering Committee.
What steps do I need to take to develop a BCP?
The key steps of a business continuity plan are:
Initiation: Establish the project, set scope and budget, obtain executive sponsorship, secure staff resources, develop a budget and schedule a kick off meeting.
Business impact analysis: Identification of the top 10-15 business processes, estimating their value on a per day basis and how long the organisation can survive without them - before suffering irreparable damage.
Risk assessment: Identification of key threats to your organisation, their likelihood and their potential impacts. Recommend mitigation strategies.
Strategy: Developing alternative strategies to enable the organisation achieve the recovery targets established in the BIA. A key result of this stage is a decision by the executives of the organisation on the preferred strategy.
Plan: Implementation and construction of the infrastructure chosen in the strategy stage. The BCP should contain details of the procedures the organisation will need to take to enable the recovery.
Training, exercising and maintenance: Training of key staff involved in the recovery, regular exercising of the BCP and ensuring that the plan is regularly maintained.