By Arnie Mascali with expert answers by Paul Kirvan
According to a recent analysis by FM Global, every $1 a business spends on hurricane preparedness can save an average of $105 in loss exposures. Combined with a well-organized business continuity (BC) or disaster recovery (DR) plan, that preparedness lets organizations significantly reduce business interruption or disruption, or worse. Procor Solutions is dedicated to helping policyholders and property owners plan for these interruptions and to creating action plans that keep our clients in business when disaster strikes. Our experienced team, including Paul Kirvan, has worked with many large and small businesses over the last 20 years to prepare for, respond to and recover from every catastrophe imaginable. Below, Paul Kirvan provides answers to some of the most common questions we are asked by clients.
WHAT IS A BC AND DR PLAN?
Business continuity (BC) and disaster recovery (DR) plans perform essentially the same function: they provide a framework and process structure for responding to unplanned events that could potentially disrupt or destroy business operations. The DR function has been around since the 1970s, when it was developed to protect large mainframe computers and their associated data centers from unplanned interruptions or system outages. BC as a viable activity first appeared in the early 1980s and addressed the challenge of how to protect an overall organization from a disaster. This includes protecting the people, operational processes, supporting technologies, and physical facilities needed to run the business. For many years the two terms were largely interchangeable, but today they address different activities.
WHY DO YOU NEED A BC AND DR PLAN?
As part of an organization’s commitment to success, it is also important to ensure that the business will continue running, especially when faced with a potentially disruptive event. While many small- to medium-sized businesses may not feel they need a BC/DR plan, a growing majority of larger businesses recognize the value of BC/DR plans and have full-time activities in those disciplines in place. An unplanned disruption to a business that does not have BC/DR plans could seriously damage the organization’s ability to provide products and services to its customers and stakeholders, with far-reaching implications such as loss of business, damaged competitive position and reputational damage.
WHAT ARE THE DIFFERENCES BETWEEN A BC AND DR PLAN?
DR plans today address the information technology (IT) and networking infrastructures that support business activities. They identify processes and procedures to follow if servers are damaged, ancillary devices are non-functioning, systems are down, networks are compromised and inaccessible, and access to business data and systems has been disrupted. DR plans typically link to BC plans as the BC plans focus on identifying the critical business processes, the technology that makes those processes work, the people who perform the key processes, the data and vital records needed to run the business and many other business-focused factors. Ideally a BC plan will reference one or more associated DR plans that ensure continued operation of the critical systems and networks that support business operations.
WHO NEEDS TO BE INVOLVED IN CREATING A BC AND DR PLAN?
Before any BC/DR activities can be initiated, senior management in the company must buy in to the idea and value to the company and provide their leadership support and budgetary resources. Without those two factors, no BC/DR activity will ever occur. Once management understands the value of BC/DR plans and the risks of not having them, project funding must be considered, the program scope must be defined (e.g., the entire company or just the headquarters offices), and a project team must be assembled. Availability of qualified BC/DR professionals is improving, and many independent consultants are available to provide assistance. A key when considering BC/DR programs is the qualifications of the people who will lead and manage the project. Several credentialing organizations are available to address this. Two in particular are the Business Continuity Institute (BCI, www.thebci.org), based in the U.K. and DRI International (DRII, www.drii.org), headquartered in New York City. Credentials from these organizations are recognized globally as evidence of an individual’s experience.
WHAT ARE THE STANDARDS/BEST PRACTICES FOR A BC AND DR PLAN?
BC and DR plans come in many different sizes, shapes and flavors. A good way to learn how to structure plans is to refer to standards, good practice documents, reference books and guides, and even software designed for plan development, documentation and testing. Standards include International Organization for Standardization (ISO) Standard 22301:2012 (global business continuity standard), National Fire Protection Association (NFPA) Standard 1600 (emergency response and disaster recovery), and the National Institute of Standards and Technology (NIST) SP 800-34 (IT contingency planning). Good practice documents include the BCI’s Good Practice Guidelines and the DRII’s Professional Practices. An excellent source of reference materials is the Rothstein Catalog of Business Continuity at www.rothstein.com. Typical plans include emergency response procedures, contact data for first responders and employees assigned to emergency teams, contact data for employees, succession plans for key employees, lists of vendors and suppliers, lists of critical documents and records, potential incidents and events to be addressed by the plans, and step-by-step procedures for responding to the identified events, whether recovering specific business functions (BC plan) or recovering the systems used to support those functions (DR plan).
HOW DO YOU DEVELOP A BC AND DR PLAN?
Once approval and funding have been obtained, an overall project plan must be developed. The project team must be identified and chartered to perform the work. Next is a set of research and analysis activities that provide important information for developing the BC/DR plans. First of these is a business impact analysis (BIA), which carefully examines all critical business functions and processes in the organization, identifies the systems and technology that support the functions, identifies the people who manage the functions, identifies the data and databases needed to run the functions, identifies the key people who will be responding in an emergency, identifies other important resources (e.g., first responders, insurance carriers, legal firms, damage cleanup and other vendors), and identifies the time frames in which the critical functions need to be brought back into service so that the organization can continue. Next is the risk analysis (RA), which identifies the internal and external threats and vulnerabilities that could disrupt the critical functions and systems identified in the BIA. Finally, with data from the BIA and RA in place, the business recovery strategy needs to be developed. This includes identifying how the organization will respond to the events identified in the RA. These strategies can include backing up critical system profiles and data to cloud-based repositories, launching rapid backups of data so that available data will be as current as possible, and identifying alternate work areas so that the business can recover at an alternate site if needed. Once these activities have been completed, development of the BC/DR plans can commence.
HOW SHOULD EMPLOYEES BE TRAINED ON THE BC AND DR PLANS?
Employees should be trained on plans at least annually, so they will know what to do, where to go, and who to contact when an emergency occurs. If certain employees are members of emergency teams, they must also be trained in activities they must be prepared to perform relevant to their duties during an emergency. Emergency team members should have refresher training at least twice per year. This is in addition to any other training, such as evacuation drills, that may be required by building management or other entities, for all employees. It is also important to establish awareness activities, such as posters on bulletin boards, periodic emails reminding of the importance of the BC/DR program, an internal web site dedicated to BC/DR activities, and periodic employee briefings (e.g., in company cafeterias or conference rooms) to reinforce the value of and management’s support for BC/DR activities.
Special Thanks To: Paul Kirvan FBCI, CISA