
Executive Commitment
Before any project can commence and have a reasonable chance of success, a commitment must be secured from the highest levels of the organization. A ‘Management Committee’ (or ‘Steering Committee’) with significant senior management level participation needs to be assembled. Within the Management Committee an executive level individual needs to be placed in charge of the entire project. A management level individual needs to be designated as the ‘Project Manager’ to develop the actual documentation. Sufficient authority and resources will have to be allocated to the entire project for it to be successful.
Projects
In order to develop and maintain a comprehensive Business Continuity Management Program, Disaster Management, Inc. suggests a multi-project approach that parallels industry best practices as follows:
Project 1 – After a commitment from management has been made, this first step involves the Collection of Information needed to complete the necessary projects.
Project 2 – The development of a Business Impact Analysis (BIA). The BIA will include an assessment of the natural and man-made risks that face the business. The BIA will also analyze the recovery priorities and set objectives for the BCP and the need for other support plans.
Project 3 – The development of a central or overarching plan or Business Continuity Plan (BCP) for the business.
Project 4 – The development of a Crisis / Risk Management Plan is needed to define emergency actions to respond to actual specific emergency situations.
Project 5 – The development or update of the Information Technology Plan needed to maintain the systems and communication capabilities of the business.
Project 6 – The development or update of the plans in place for the operational groups and support departments or the Business Unit Plans needed to maintain critical operational activities.
Project 7 – Involves the Implementation of the entire program.
Project 8 – Involves the Exercising, Training and Ongoing Requirements of the entire program.
Additional detail regarding these projects follows.
1. Project 1 – Collection of Information
In order to assemble the information necessary to complete the planning process, the following action steps should be taken:
1. Develop and confirm the details and projected timetable for the entire project.
2. Conduct a site inspection and gather information about the overall business.
o Identify risks & exposures
o Review safety & security issues
o Identify the level of planning in the technology area
3. Meet with representatives from each major ‘business unit’ (the support departments, operational groups and other defined entities that comprise the business) and assess the current level of planning.
2. Project 2 – Business Impact Analysis (BIA)
It is important to note that the Business Impact Analysis (BIA) is not a planning component; rather the BIA establishes the guidelines (or ‘road map’) for the development of the BCP and related plans. The BIA is a report subject to executive management review and approval.
An important component of the BIA is an evaluation of the natural and manmade risks that threaten the organization. This is referred to as a Risk and Vulnerability Analysis and this analysis is included as part of the BIA.
All critical areas of the business that must remain operational or rapidly recover for normal activities to continue need to be identified. It is widely acknowledged that it is not practical for most organizations to rapidly restore all normal operations following a disaster. Therefore, a key component of the BIA is to establish and prioritize critical operations. For most businesses, critical operations are either revenue-generating operations or activities that directly support revenue-generating operations. Critical operations are also time sensitive – the loss of these capabilities will have an adverse financial impact in the very short term. For each critical operation a Recovery Time Objective (RTO) is established.
Once critical operations, process flows and interdependencies are identified, strategies can be developed to ensure their ongoing function or rapid restoration. The BIA develops strategic solutions to respond to potential disasters. Solution strategies focus on the maintenance and restoration of critical services and/or products and do not necessarily attempt to replicate existing procedures.
The BIA also reviews the level of existing planning both in the Information Technology department and throughout the other business units. Recommendations regarding additional planning or improvements to existing procedures are identified.
3. Project 3 – Business Continuity Plan (BCP)
The Business Continuity Plan (BCP) will develop the details of the response to a disaster situation by the business. This is the overarching plan for the business and defines the overall actions of the organization during an emergency. The central focus of a good BCP is to identify and develop solutions to maintain or rapidly restore critical operations. Other objectives of the BCP are to prevent manmade disasters, minimize the disruption of business operations, mitigate damages, minimize legal exposures, comply with industry best practices and assure the safety of employees and other individuals.
The Business Continuity Plan (BCP) is intended to establish policies, procedures and organizational structure for response to emergencies that are of sufficient magnitude to cause a significant disruption of the functioning of all or portions of the business. The BCP is the official plan of the business and describes the roles and responsibilities of support departments, operational groups and personnel during emergency situations.
4. Project 4 – Crisis / Risk Management Plan (CRMP)
Crisis response planning addresses the action steps to be taken to respond to specific disaster events. The central focus of crisis response planning is first life safety and second asset protection.
Planning should address all specific disasters of significance as identified in the BIA. Planning includes steps to prepare for foreseen events (generally weather-related events), actions to be taken during the event (almost entirely life-safety steps) and recovery after the event. Recovery planning includes a time-phased process for the period after a major disaster, when there is significant damage and the general environment is also likely to be dangerous.
5. Project 5 – Information Technology Plans
The Information Technology Plan (‘Disaster Recovery Plan’) includes the need for planning in the following areas:
· Project 5A – Critical Data Management. This is a formal plan to secure, classify and retrieve electronic information and critical applications.
· Project 5B – Data Center Recovery. This is a formal plan to reconstruct systems & communication centers.
· Project 5C – Alternate Site Plan. Management determines the type of Alternate Site Plan that is needed based on the established recovery time objectives, levels of service degradation and the response that is cost justified.
· Project 5D – Information Security Plan. The need for additional Information Security Planning is based upon management's objectives, audit requirements, costs, and the effectiveness of existing controls.
6. Project 6 – Business Unit Plans
The operational effectiveness of the entire Business Continuity Management Program will be dependent on the proper actions being taken by all organizational business units (the business’s operational groups and support departments). The Business Continuity Management Program will define the goals and objectives of each business unit. Templates for Business Unit Plans are provided for critical support departments.
7. Project 7 – Implementation
Implementation includes the dissemination of information to the management team and to all employees. Implementation also includes the actual assembly of all materials, contracts, subcontractors, etc. (as specified in the plan) that are necessary to be in place and ready in an emergency situation.
8. Project 8 – Exercising, Training and Ongoing Requirements
Although the entire Business Continuity Management Program is completed, it is never finalized. Periodic testing (or ‘exercising’), training and updates are required to maintain the effectiveness of the plan. Meetings of the key teams should take place several times a year. The BCP documentation defines maintenance and update procedures.