A business continuity plan enables critical services or products to be delivered to clients without interruption. Instead of focusing on resuming business after a disaster, a business continuity plan endeavors to ensure that the critical operations for delivery of products and services remain available throughout. So there has been a shift from Business Resumption Planning to Business Continuity Planning.
Meaning and Scope of BCP
BCP includes the strategies, actions and procedures to prevent disasters proactively as far as possible or else to manage the consequences of a disaster. So it has two distinct phases:
1. Preventive phase: the phase in which all measures to eliminate the manageable risks are put in place.
2. Recovery phase: the phase in which, if a risk manifests due to systemic failure or on the occurrence of a disruptive event beyond the control of the organization, the laid-down systems and procedures are activated to bring the business functions back to normalcy with the least delay and cost.
The BCP focuses on workability and enforceability rather than an idealistic approach. In a crisis situation, all the functions cannot be resumed simultaneously. The preference and priority attached by customers and clients is the guiding factor for the resumption of functions. Sometimes disruption in the delivery of certain goods and services creates tremendous reputation risk, which needs to be guarded against. Business Continuity Planning is a proactive planning process that ensures critical services or products are delivered during a disruption. Critical services or products are those that must be delivered to ensure survival, avoid causing injury, and meet the legal or other obligations of an organization.
A Business Continuity Plan covers the following areas:
• A robust plan which includes measurement of damage and all round arrangements to ensure the continuous delivery of critical products and services.
• Identification of the necessary resources and their location to support business continuity, including personnel, information, equipment, financial allocations, legal counsel, infrastructure protection and accommodations.
• A well-planned BCP enhances an organization's image with employees, shareholders and customers by demonstrating a proactive attitude.
Every organization is at risk from potential disasters that include:
• Natural disasters such as tornadoes, floods, blizzards, earthquakes and fire
• Accidents
• Sabotage
• Power and energy disruptions
• Communications, transportation, safety and service sector failure
• Environmental disasters such as pollution and hazardous materials spills
• Cyber attacks and hacker activity.
BCP Methodology: Plan-Do-Check-Act Principle
The organization shall establish its BCP policy on the basis of the PLAN-DO-CHECK-ACT principle. The methodology aims at developing standards for, implementing, maintaining and improving its business continuity management system (BCMS).
PLAN:
1. The organization shall develop its BCP policy, clearly defining the scope and objectives of the policy, resource allocation with appropriate competency, and accountability for implementation and maintenance of the policy.
2. Training and competency management for those involved in the BCP shall be taken care of.
3. BCP shall become a central part of the management outlook, and an ongoing BCP education and information program shall be in place.
4. The BCP shall contain the documentation formats and record management procedures.
DO:
1. The organization shall carry out a Business Impact Analysis (BIA) in a structured and documented manner and record the results.
2. The organization shall analyze the threats it faces and its vulnerabilities to those threats, and measure each risk against its critical activities and resources. From this, all departments of the corporate office shall develop a structured response strategy for each particular risk.
3. These response strategies shall be tested on an ongoing basis.
CHECK:
1. BCP policy shall be monitored and reviewed by independent agencies as well as management on an annual basis. The objective of this is to check whether the BCP is meeting the organizational needs at that point.
ACT:
1. The organization shall keep its BCP policy as a “living document” by continuously updating the policy with the changes in the business activities. They shall take both preventive as well as corrective actions for continuous improvement in the general effectiveness of the BCP strategies.
BCP typically includes five sections:
A. BCP Governance
B. Business Impact Analysis (BIA)
C. Plans, measures, and arrangements for business continuity
D. Readiness procedures
E. Quality assurance (exercises, maintenance and auditing) and management control
A. BCP Governance
The ultimate responsibility and oversight of the BCP activity of the organization rests with the Board of Directors. They approve the policy on the Business Continuity Plan of the organization. Senior Management is responsible for overseeing the BCP process, which includes the following responsibilities:
• Determining how the organization will manage and control identified risks
• Allocating knowledgeable personnel and financial resources to implement the BCP
• Prioritizing critical business functions
• Designating a BCP committee, who will be responsible for the Business Continuity Management.
• The senior management will annually review the adequacy of the institution’s business recovery, contingency plans and the test results and put up the same to the Board
• The senior management will consider evaluating the adequacy of contingency planning and their periodic testing by service providers whenever critical operations are outsourced
• Ensuring that the BCP is independently reviewed and approved at least annually
• Ensuring employees are trained and aware of their roles in implementation of the BCP
• Reviewing the BCP testing program and test results on a regular basis
• Ensuring the BCP is continually updated to reflect the current operating environment
Roles and responsibilities of BCP Committee or Crisis Management Team
• To exercise, maintain and to invoke business continuity plan as needed
• Communicate and promote awareness about the BCP
• Ensure that the Business Continuity Plan fits with other plans and requirement of concerned authorities.
• Budgetary issues
• Coordinating the activities of other recovery, continuity and response teams, and handling key decision making
• To determine the activation of BCP
• Coordinates and oversees the BIA (Business Impact Analysis) process
• Other functions entail handling legal matters evolving from the disaster, and handling public relations and media inquiries
The BCP committee should meet within 30 minutes of a critical disruption with the available members; the concerned functional heads whose business segment is affected shall convene the meeting. The Security Officer works with the coordinator to ensure that all aspects of the BCP meet the security requirements of the organization. The Chief Information Officer (CIO) cooperates closely with the BCP coordinator and IT specialists to plan for effective and harmonized continuity. Business unit representatives provide input, and assist in performing and analyzing the results of the business impact analysis. The BCP committee is commonly co-chaired by the executive sponsor and the coordinator.
B. Business Impact Analysis (BIA)
1) The organization shall conduct the exercise of identifying and analyzing potential vulnerabilities and threats. This exercise of analyzing the sources of risk shall be an ongoing activity. Each of the sources identified shall be evaluated in view of the magnitude of the risk and the probability of its occurrence, to judge the extent of risk exposure.
2) Planning shall be done for both prevention and control. Accidents and sabotage shall be prevented using physical security measures and better HR practices. Vulnerability assessment and review of existing security measures shall be part of internal control. This shall be subject to continuous periodic validation by the Audit and Inspection department and official feedback from field level.
3) The organization shall initiate steps for a Business Impact Analysis, which is essentially the process of identifying the critical business functions and ascertaining the losses and effects if those functions are not carried out.
4) The Business Impact Analysis shall also cover the effect of any disaster on critical information, apart from the analysis of cessation of activities and services.
Objectives of Business Impact analysis
I. Impact:
• Identify the critical operations, which need to restart as soon as possible after disaster has occurred.
• Identify the minimum resources needed for the essential operations to restart.
• Establish the time window in which recovery must take place.
II. Evaluation of the impact:
• Impact on the customers and relationships
• Financial and nonfinancial impact
• Regulatory and legal impact or any violation of service level agreements, Regulatory requirements, any contractual liabilities, penalty, and/or possible legal issues.
Business impact Analysis and Risk assessment shall be done to arrive at gaps in the system and prepare an active plan for resuming or recouping normal business operation.
III. Business Impact Rating
Business Impact Analysis shall be carried out taking into account the major factors which could impact stakeholders' value. Based on the analysis, a Business Impact Rating shall be given, taking into account the impact on factors such as direct loss, reputation risk, staff dissatisfaction, and regulatory and customer concerns.
The following business impact ratings may be considered, according to the amount of monetary loss:
• Insignificant: direct loss up to Rs 1.00 lakh. No impact on reputation, customer service or regulatory risk.
• Minor: direct loss up to Rs 25.00 lakh. The impact is negligible.
• Moderate: direct loss up to Rs 250.00 lakh. Significant staff losses; a regulatory investigation is launched; customers become aware of the problems and encounter inconveniences.
• Major: direct loss up to Rs 10.00 crs. Some areas of the organization suffer frequent/prolonged failure, penalties or fines are levied, and regulatory investigations are launched.
• Massive: direct loss in excess of Rs 10.00 crs. Loss of public confidence, share price crash, and customers/clients suffer frequent/prolonged service failure.
IV. Additional expenses if any
Sometimes extra outside personnel have to be hired to rehabilitate the functions. The period and the amount paid for such hiring can be taken into consideration. Unavailability of services may affect the organization in many ways. Due to unavailability of services there may be breaches of legal obligations, agreements or governmental regulations which attract penalties. The quantum of such penalties may be taken into consideration.
V. Intangible loss to the organization
Many losses are of an intangible nature. Though initially they have no monetary value, in future they have tremendous business impacts. Such losses include customers' and investors' confidence, reputation, competitiveness, market share, and violation of laws and regulations. Such losses are analyzed very scrupulously and assigned a proper value.
VI. Insurance
The need for insurance coverage and the level of coverage must be carefully analyzed. Both over- and under-insurance are harmful to the organization. All possible eventualities are considered while purchasing insurance. As the burden of proof while making a claim rests with the policy holder, accurate documentation must be maintained to avoid claim denial.
VII. Ranking
After determining and compiling all relevant information, critical services and products are ranked. The ranking is primarily based on potential revenue loss, recovery time and severity of impact on disruption of goods and services delivery.
VIII. Identify dependencies
In the time of disruption, internal and external dependencies play a very crucial role in reviving normal function.
Internal dependencies include skilled employee availability, equipment, computer applications, data, tools, vehicles, financial budget, human resources, security services and information technology support services.
External dependencies include supplies, any external equipment, computer applications, data, tools, vehicles, utilities, communications, transportation, financial institutions, insurance services, government services, legal services, and health and safety services.
C. Plans, measures, and arrangements for business continuity
These are step-by-step lines of action, or recovery plans, for ensuring critical business continuity. These plans and preparations are the road maps to ensure that critical products and services are delivered at minimum service levels within tolerable downtimes. Continuity plans should be made for each critical product and service.
1) Mitigating threats and risks
Business threats and risks are identified through the Business Impact Analysis. Risk moderation is an ongoing process. Suppose an organization requires electricity for its production process; to mitigate a temporary power cut, installation of a standby generator is proposed.
2) Effectiveness of current recovery capabilities
Current recovery capabilities are thoroughly analyzed. Those that remain relevant may be incorporated in the BCP.
3) Create continuity plans
Plans are to be made for reducing the severity of impact from a disruption. Suppose the office building is situated in a flood-prone area: sandbags may be arranged as the first response. If the water level rises to the first floor of the building, work could be moved to another company building or to a higher floor of the same building. If the flood situation is severe, critical departments of the business are relocated to another area until the flood situation has fully normalized.
The risks and rewards of each possible option for the plan should be analyzed, keeping cost, flexibility and the probable disruption situation in mind. The most realistic and effective option must be planned for each critical service or product when creating the overall plan.
4) Alternate arrangements
If an organization depends on assets such as Information Technology, networks, software applications and hardware systems, there should be an alternate arrangement within the organization. Alternate arrangements are of three types.
Cold site: an alternate arrangement that is not fully equipped for operation. For full operation, other equipment needs to be installed, which takes substantial time and effort. Cold sites are set up at the least expense.
Warm site: an alternate arrangement that is almost completely equipped and furnished for operation. It can be fully operational within a few hours. Warm sites are comparatively more expensive than cold sites.
Hot site: an alternate site which is fully equipped, furnished, and fully staffed. Hot sites can be operational within minutes or seconds. Hot sites are the most expensive option.
BC Strategies in case of disasters due to natural calamities like earthquake, flood and cyclone
Earthquake
Disaster Preparedness
• Offices located in earthquake zone IV/V should be checked by a qualified engineer and retrofitted if needed.
• Close liaison should be maintained with the local Disaster Management Cell, Defence Unit or other related units.
• Important telephone numbers should be kept handy.
• Proper planning, formation of various teams and delegation of responsibilities.
• Heavy furniture and fixtures should be anchored. Nothing should be kept on top of almirahs or cabinets.
• Insurance cover must be taken.
• A first aid box and an emergency kit with torch light and cells, candles, matchbox, crowbar, picks, shovels, ropes, etc. should be handy.
• All staff members should be trained in rescue and first aid operations.
• Fire fighting appliances should be periodically serviced and checked.
• Important documents should be duplicated and kept at an off-site location.
• A suitable alternate office site must be identified.
Flood and Cyclone
Disaster Preparedness
• Ensure that the premises are in a good state of repair and maintenance.
• Windows and doors should be properly closed and latched at the time of closing the premises.
• No file should be kept on the floor.
• Electronic equipment like computers, adding machines, etc. should be kept at high levels.
• Backup documents are to be kept at safer premises in consultation with the higher office.
• Torch light and spare batteries should be kept handy.
• The survival first aid unit is to be checked and kept ready before the monsoon season.
• Keep track of weather warnings and maintain close liaison with the flood control/disaster management cell.
• An alternate office location for emergency operation of activities.
Tentative work flow chart for an event-related disaster (the chart itself is not reproduced here)
(CSA: Chief Security Advisor, DMC: Disaster Management Committee, RMC: Risk Management Cell)
Some event-related disruptions compel the organization to shut down operations and evacuate the employees, such as earthquakes, cyclones and floods, tsunami, widespread release of noxious gas or industrial effluents, fire, bombing/terrorist attack, storm/hurricane, war/enemy aggression, civil riots, sabotage, pandemic, or any such act of God.
D. Readiness procedures
1) Staff Training
Business continuity plans can be effectively implemented if all staff know their roles and responsibilities. They must be briefed on the contents of the BCP and on their involvement in tackling a disaster effectively. Employees with direct responsibilities must be trained for the tasks they are required to perform, and be aware of other teams' functions.
2) Exercises
After completion of the training, appropriate exercises should be developed and institutionalized in order to achieve and maintain competence and preparedness. During an exercise, validation of methods should be kept in mind so that the resources utilized for the mock test are optimally used. Each exercise must have a specific goal and objectives. A brief narration and background information should be given to the participants, with appropriate circumstances in which to act. It is important to include factors such as time, location, method of discovery and sequence of events. Appropriate results can be achieved by giving all participants access to the emergency contact personnel who are part of the exercise.
3) Testing and Post-Exercise Evaluation
The exercise should be monitored impartially to determine whether the objectives were achieved. The performance of participants, including attitude, decisiveness, command, coordination, communication and control, should be assessed. Participants' feedback should also be incorporated in the exercise evaluation. The complexity level of the exercise can also be raised from time to time.
E. Quality assurance techniques
1) Internal review
It is always recommended that organizations review their BCP on a regular basis:
• On a scheduled basis (annually or bi-annually)
• On a change in the threat environment
• On substantive changes to the organization
• After an exercise where changes are incorporated
2) External audit
When auditing the BCP, the auditors are to verify:
• Procedures used to determine critical services and processes
• Methodology, accuracy, and comprehensiveness of continuity plans
• What to do when a disruption occurs
3) Incident management in BCP
Incident management includes the following measures:
• Notifying management, employees, and other stakeholders;
• Assuming control of the situation;
• Identifying the range and scope of damage;
• Implementing plans;
• Identifying infrastructure outages; and
• Coordinating support from internal and external sources.
4) Communications management
Communications management is essential to control rumors and to maintain contact with the media, emergency services and vendors. It also reassures employees, the public and other affected stakeholders. Communications management involves creating a communications plan that adequately addresses all requirements.
5) Operations management
An Emergency Operations Center (EOC) can be used to manage operations in the event of a disruption. Having a centralized EOC where information and resources can be coordinated, managed and documented helps ensure effective and efficient response.
6) Continuation, recovery and restoration
Ensure that all time-sensitive critical services or products are continuously delivered, or are not disrupted for longer than is permissible. The goal of recovery and restoration operations is to recover the facility or operation and maintain critical service or product delivery on a continuous basis. This includes:
• Re-deploying manpower
• Deciding whether to repair, relocate or establish a new facility
• Procuring additional resources if necessary
• Re-assuring normal operations
• Resuming operations at pre-disruption status
Conclusion
A Business Continuity Plan is necessary for any organization to ensure undisrupted delivery of goods and services of a critical nature to its customers or clients. Otherwise the organization faces severe consequences, sometimes even threatening its very existence. Organizational preparedness to face disaster challenges can save the reputation and goodwill of the organization. This goodwill and reputation are normally the result of the good work of many employees in the past, gathered through many years of good service.
Author
Dibakar Lenka, M.SC (Ag), CAIIB, 28 years of banking experience. Centre In-charge, Union Bank of India, Staff Training Centre, Bhubaneswar,
E-Mail: [email protected]