Business continuity planning

Figure: Business continuity planning life cycle

Business continuity may be defined as "the capability of an organization to continue the delivery of products or services at pre-defined acceptable levels following a disruptive incident", [1] and business continuity planning [2] [3] (or business continuity and resiliency planning) is the process of creating systems of prevention and recovery to deal with potential threats to a company. [4] In addition to prevention, the goal is to enable ongoing operations before and during execution of disaster recovery. [5] Business continuity is the intended outcome of proper execution of both business continuity planning and disaster recovery.


Several business continuity standards have been published by various standards bodies to assist in checklisting ongoing planning tasks. [6]

Business continuity requires a top-down approach to identify an organisation's minimum requirements to ensure its viability as an entity. An organization's resistance to failure is "the ability ... to withstand changes in its environment and still function". [7] Often called resilience, it is a capability that enables an organization either to endure environmental changes without having to permanently adapt, or to adopt a new way of working that better suits the new environmental conditions. [7]

Overview

Any event that could negatively impact operations should be included in the plan, such as supply chain interruption or loss of or damage to critical infrastructure (major machinery or computing/network resources). As such, BCP is a subset of risk management. [8] In the U.S., government entities refer to the process as continuity of operations planning (COOP). [9] A business continuity plan [10] outlines a range of disaster scenarios and the steps the business will take in any particular scenario to return to regular trade. BCPs are written ahead of time and can also include precautions to be put in place. Usually created with the input of key staff as well as stakeholders, a BCP is a set of contingencies to minimize potential harm to businesses during adverse scenarios. [11]

Resilience

A 2005 analysis of how disruptions can adversely affect the operations of corporations and how investments in resilience can give a competitive advantage over entities not prepared for various contingencies [12] extended then-common business continuity planning practices. Business organizations such as the Council on Competitiveness embraced this resilience goal. [13]

Adapting to change in an apparently slower, more evolutionary manner - sometimes over many years or decades - has been described as being more resilient, [14] and the term "strategic resilience" is now used to mean not merely resisting a one-time crisis but continuously anticipating and adjusting, "before the case for change becomes desperately obvious".

This approach is sometimes summarized as: preparedness, [15] protection, response and recovery. [16]

Resilience Theory can be related to the field of Public Relations. Resilience is a communicative process that is constructed by citizens, families, media system, organizations and governments through everyday talk and mediated conversation. [17]

The theory is based on the work of Patrice M. Buzzanell, a professor at the Brian Lamb School of Communication at Purdue University. In her 2010 article, "Resilience: Talking, Resisting, and Imagining New Normalcies Into Being", [18] Buzzanell discussed the ability of organizations to thrive after a crisis through building resistance. Buzzanell notes that there are five different processes that individuals use when trying to maintain resilience: crafting normalcy, affirming identity anchors, maintaining and using communication networks, putting alternative logics to work, and downplaying negative feelings while foregrounding positive emotions.

Resilience theory is similar to, but not the same as, crisis communication theory. Crisis communication theory is based on the reputation of the company, whereas resilience theory is based on the company's process of recovery. There are five main components of resilience: crafting normalcy, affirming identity anchors, maintaining and using communication networks, putting alternative logics to work, and downplaying negative feelings while foregrounding positive emotions. [19] Each of these processes can be applied to businesses in times of crisis, making resilience an important factor for companies to focus on in training.

There are three main groups that are affected by a crisis: micro (individual), meso (group or organization) and macro (national or interorganizational). There are also two main types of resilience, proactive and post resilience. Proactive resilience is preparing for a crisis and creating a solid foundation for the company; post resilience includes continuing to maintain communication and checking in with employees. [20] Proactive resilience deals with issues at hand before they cause a possible shift in the work environment, and post resilience maintains communication and accepts changes after an incident has happened. Resilience can be applied to any organization. In New Zealand, the Canterbury University Resilient Organisations programme developed an assessment tool for benchmarking the resilience of organisations. [21] It covers 11 categories, each having 5 to 7 questions. A Resilience Ratio summarizes this evaluation. [22]

Continuity

Plans and procedures are used in business continuity planning to ensure that the critical organizational operations required to keep an organization running continue to operate during events when key dependencies of operations are disrupted. Continuity does not need to apply to every activity which the organization undertakes. For example, under ISO 22301:2019, organizations are required to define their business continuity objectives, the minimum levels of product and service operations which will be considered acceptable and the maximum tolerable period of disruption (MTPD) which can be allowed. [23]

A major cost in planning for this is the preparation of audit compliance management documents; automation tools are available to reduce the time and cost associated with manually producing this information.

Inventory

Planners must have information about:

Analysis

The analysis phase consists of:

Quantifying of loss ratios must also include "dollars to defend a lawsuit." [24] It has been estimated that a dollar spent in loss prevention can prevent "seven dollars of disaster-related economic loss." [25]

Business impact analysis (BIA)

A business impact analysis (BIA) differentiates critical (urgent) and non-critical (non-urgent) organization functions/activities. A function may be considered critical if dictated by law.

Each function/activity typically relies on a combination of constituent components in order to operate:

For each function, two values are assigned:

Maximum RTO

Maximum time constraints for how long an enterprise's key products or services can be unavailable or undeliverable before stakeholders perceive unacceptable consequences have been named as:

  • Maximum tolerable period of disruption (MTPoD)
  • Maximum tolerable downtime (MTD)
  • Maximum tolerable outage (MTO)
  • Maximum acceptable outage (MAO) [27] [28]

According to ISO 22301 the terms maximum acceptable outage and maximum tolerable period of disruption mean the same thing and are defined using exactly the same words. [29] Some standards use the term maximum downtime limit. [30]
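As an added example (not part of the article or of any standard), the Python check below tests whether a BIA's per-function values are mutually consistent: each function's RTO must fit inside its MTPD (which ISO 22301 equates with MAO), the interval at which data is captured must not exceed the RPO, and a function dictated by law must be marked critical. The record fields `backup_interval_hours` and `required_by_law`, the rule wording, the `recovery_order` helper and the sample functions are all assumptions constructed for illustration.

```python
# Added example, not from the article: a consistency check over
# business impact analysis (BIA) values. The record fields, rules and
# sample functions are constructed for illustration.
from dataclasses import dataclass


@dataclass
class BusinessFunction:
    name: str
    critical: bool                 # urgent function per the BIA
    mtpd_hours: float              # maximum tolerable period of disruption (MTPD / MAO)
    rto_hours: float               # recovery time objective
    rpo_hours: float               # recovery point objective
    backup_interval_hours: float   # assumed attribute: how often data is captured
    required_by_law: bool = False  # assumed attribute: criticality dictated by law


def check_function(f: BusinessFunction) -> list[str]:
    """Return the list of planning inconsistencies found for one function."""
    issues = []
    # The RTO must fit inside the MTPD; otherwise recovery completes only
    # after stakeholders already perceive unacceptable consequences.
    if f.rto_hours > f.mtpd_hours:
        issues.append(f"{f.name}: RTO {f.rto_hours}h exceeds MTPD {f.mtpd_hours}h")
    # Data captured less often than the RPO allows cannot satisfy the RPO.
    if f.backup_interval_hours > f.rpo_hours:
        issues.append(
            f"{f.name}: backup interval {f.backup_interval_hours}h exceeds RPO {f.rpo_hours}h"
        )
    # A function dictated by law is critical regardless of the BIA ranking.
    if f.required_by_law and not f.critical:
        issues.append(f"{f.name}: required by law but not marked critical")
    return issues


def check_bia(functions: list[BusinessFunction]) -> dict[str, list[str]]:
    """Map each function name to its list of issues (empty list = consistent)."""
    return {f.name: check_function(f) for f in functions}


def recovery_order(functions: list[BusinessFunction]) -> list[str]:
    """Suggested restoration order: critical functions first, then shortest MTPD first."""
    return [f.name for f in sorted(functions, key=lambda f: (not f.critical, f.mtpd_hours))]


# Constructed sample data; not taken from any real organisation.
SAMPLE_FUNCTIONS = [
    BusinessFunction("payroll", critical=True, mtpd_hours=72, rto_hours=24,
                     rpo_hours=24, backup_interval_hours=24, required_by_law=True),
    BusinessFunction("order-intake", critical=True, mtpd_hours=8, rto_hours=12,
                     rpo_hours=1, backup_interval_hours=1),
    BusinessFunction("marketing-site", critical=False, mtpd_hours=168, rto_hours=48,
                     rpo_hours=24, backup_interval_hours=48),
    BusinessFunction("regulatory-reporting", critical=False, mtpd_hours=120, rto_hours=48,
                     rpo_hours=24, backup_interval_hours=24, required_by_law=True),
]

if __name__ == "__main__":
    for name, issues in check_bia(SAMPLE_FUNCTIONS).items():
        print(name, "OK" if not issues else issues)
    print("recovery order:", recovery_order(SAMPLE_FUNCTIONS))
```

Run as a script, the check flags order-intake (RTO longer than MTPD), marketing-site (backups less frequent than the RPO) and regulatory-reporting (required by law but not critical), and leaves payroll clean; the same checks are what an auditor would apply to a BIA spreadsheet before the plan is approved.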

Consistency

When more than one system crashes, recovery plans must balance the need for data consistency with other objectives, such as RTO and RPO. [31] Recovery Consistency Objective (RCO) is the name of this goal. It applies data consistency objectives to define a measurement for the consistency of distributed business data within interlinked systems after a disaster incident. Similar terms used in this context are "Recovery Consistency Characteristics" (RCC) and "Recovery Object Granularity" (ROG). [32]

While RTO and RPO are absolute per-system values, RCO is expressed as a percentage that measures the deviation between actual and targeted state of business data across systems for process groups or individual business processes.

The following formula calculates RCO with "n" representing the number of business processes and "entities" representing an abstract value for business data:

100% RCO means that post recovery, no business data deviation occurs. [33]
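As an added example (not from the article), the Python below scores post-recovery consistency across interlinked systems in the way the text describes: an entity counts as consistent only when every system holds the targeted value, and the score is the consistent share of all entities across the n processes, so 100% means no deviation. That aggregation rule, the data layout and the sample processes are assumptions made for this example; the article's own formula is not reproduced here.

```python
# Added example, not from the article: scoring a recovery consistency
# objective (RCO). The definition used (share of entities whose state after
# recovery matches the target in every interlinked system, aggregated over
# n business processes) is an assumption for this example. Data is constructed.


def process_rco(target: dict, recovered: dict) -> tuple[int, int]:
    """Return (consistent_entities, total_entities) for one business process.

    target:    entity id -> value the entity should have after recovery
    recovered: system name -> {entity id -> value actually present}
    """
    consistent = 0
    for entity, expected in target.items():
        # Consistent only if every interlinked system agrees with the target.
        if all(state.get(entity) == expected for state in recovered.values()):
            consistent += 1
    return consistent, len(target)


def rco_percent(processes: dict) -> float:
    """Aggregate RCO over n processes as a percentage, weighted by entity count."""
    consistent = total = 0
    for target, recovered in processes.values():
        c, t = process_rco(target, recovered)
        consistent += c
        total += t
    return 100.0 * consistent / total if total else 100.0


def deviations(processes: dict) -> list[str]:
    """List every (process, entity, system) triple that deviates from the target."""
    out = []
    for name, (target, recovered) in processes.items():
        for entity, expected in target.items():
            for system, state in recovered.items():
                if state.get(entity) != expected:
                    out.append(f"{name}/{entity}: {system} has {state.get(entity)!r}, target {expected!r}")
    return out


# Constructed sample: two processes, each spanning two interlinked systems.
SAMPLE_PROCESSES = {
    "order-to-cash": (
        {"order-1001": "shipped", "order-1002": "paid", "order-1003": "paid", "order-1004": "open"},
        {
            "erp":     {"order-1001": "shipped", "order-1002": "paid", "order-1003": "paid", "order-1004": "open"},
            # billing was restored from an older backup and lost the payment on order-1003
            "billing": {"order-1001": "shipped", "order-1002": "paid", "order-1003": "open", "order-1004": "open"},
        },
    ),
    "inventory": (
        {"sku-7": 120, "sku-9": 40},
        {"erp": {"sku-7": 120, "sku-9": 40}, "warehouse": {"sku-7": 120, "sku-9": 40}},
    ),
}

if __name__ == "__main__":
    print(f"RCO = {rco_percent(SAMPLE_PROCESSES):.2f}%")
    for line in deviations(SAMPLE_PROCESSES):
        print("deviation:", line)
```

With the sample data, order-to-cash scores 3 of 4 entities and inventory 2 of 2, giving an aggregate RCO of about 83.33%; the single deviation listed is the one a reconciliation step after recovery would have to repair before the process is declared consistent.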

Threat and risk analysis (TRA)

After defining recovery requirements, each potential threat may require unique recovery steps (contingency plans or playbooks). Common threats include:

  • Epidemic/pandemic
  • Earthquake
  • Fire
  • Flood
  • Cyber attack
  • Sabotage (insider or external threat)
  • Hurricane or other major storm
  • Power outage
  • Water outage (supply interruption, contamination)
  • Telecomms outage
  • IT outage
  • Terrorism/Piracy
  • War/civil disorder
  • Theft (insider or external threat, vital information or material)
  • Random failure of mission-critical systems
  • Single point dependency
  • Supplier failure
  • Data corruption
  • Misconfiguration
  • Network outage

The above threats can cascade: responders can stumble and supplies may become depleted. During the 2002–2003 SARS outbreak, some organizations compartmentalized and rotated teams to match the incubation period of the disease. They also banned in-person contact during both business and non-business hours. This increased resiliency against the threat.

Impact scenarios

Impact scenarios are identified and documented:

These should reflect the widest possible damage.

Tiers of preparedness

SHARE's seven tiers of disaster recovery, [38] released in 1992, were updated in 2012 by IBM as an eight-tier model: [39]

Solution design

Two main requirements from the impact analysis stage are:

This phase overlaps with disaster recovery planning.

The solution phase determines:

Standards

ISO Standards

There are many standards that are available to support business continuity planning and management. [40] [41] The International Organization for Standardization (ISO) has for example developed a whole series of standards on Business continuity management systems [42] under responsibility of technical committee ISO/TC 292:

British standards

The British Standards Institution (BSI Group) released a series of standards which have since been withdrawn and replaced by the ISO standards above.

Within the UK, BS 25999-2:2007 and BS 25999-1:2006 were being used for business continuity management across all organizations, industries and sectors. These documents give a practical plan to deal with most eventualities—from extreme weather conditions to terrorism, IT system failure, and staff sickness. [62]

In 2004, following crises in the preceding years, the UK government passed the Civil Contingencies Act of 2004: businesses must have continuity planning measures to survive and continue to thrive whilst working towards keeping the incident as minimal as possible. The Act was separated into two parts: [63]

  • Part 1: civil protection, covering roles and responsibilities for local responders
  • Part 2: emergency powers

In the United Kingdom, resilience is implemented locally by the Local Resilience Forum. [64]

Australian standards

United States

Implementation and testing

The implementation phase involves policy changes, material acquisitions, staffing and testing.

Testing and organizational acceptance

The 2008 book Exercising for Excellence, published by The British Standards Institution, identified three types of exercises that can be employed when testing business continuity plans.

While start and stop times are pre-agreed, the actual duration might be unknown if events are allowed to run their course.

Maintenance

The biannual or annual maintenance cycle of a BCP manual [76] is broken down into three periodic activities.

Issues found during the testing phase often must be reintroduced to the analysis phase.

Information and targets

The BCP manual must evolve with the organization, and maintain information about who has to know what:

Technical

Specialized technical resources must be maintained. Checks include:

Testing and verification of recovery procedures

Software and work process changes must be documented and validated, including verification that documented work process recovery tasks and supporting disaster recovery infrastructure allow staff to recover within the predetermined recovery time objective. [79]
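As an added example (not from the article), the Python below checks the timings recorded during a recovery exercise against the predetermined RTO: it parses a constructed drill log, measures how long each documented recovery task took, and reports whether service was restored within the RTO. The log format, the event names `DECLARED`, `START`, `END` and `RESTORED`, and the records themselves are assumptions constructed for illustration.

```python
# Added example, not from the article: verifying a recovery exercise against
# the RTO. The log format, event names and records are constructed.
from datetime import datetime

# Constructed exercise log: "<ISO timestamp> <EVENT> <name>"
DRILL_LOG = """\
2024-03-02T08:00:00 DECLARED incident
2024-03-02T08:05:00 START restore-database
2024-03-02T09:20:00 END restore-database
2024-03-02T09:20:00 START redeploy-app
2024-03-02T10:10:00 END redeploy-app
2024-03-02T10:10:00 START verify-transactions
2024-03-02T10:40:00 END verify-transactions
2024-03-02T10:40:00 RESTORED service
"""


def parse_log(text: str) -> list[tuple[datetime, str, str]]:
    """Turn the log text into (timestamp, event, name) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, name = line.split(maxsplit=2)
        events.append((datetime.fromisoformat(ts), event, name))
    return events


def task_durations(events) -> dict[str, float]:
    """Minutes spent in each documented recovery task, paired by START/END."""
    starts, durations = {}, {}
    for ts, event, name in events:
        if event == "START":
            starts[name] = ts
        elif event == "END":
            durations[name] = (ts - starts.pop(name)).total_seconds() / 60
    # A task that never reached END is an incomplete drill, not a pass.
    if starts:
        raise ValueError(f"tasks never finished: {sorted(starts)}")
    return durations


def evaluate_drill(text: str, rto_hours: float) -> dict:
    """Compare declared-to-restored elapsed time with the RTO."""
    events = parse_log(text)
    declared = next(ts for ts, e, _ in events if e == "DECLARED")
    restored = next(ts for ts, e, _ in events if e == "RESTORED")
    actual_hours = (restored - declared).total_seconds() / 3600
    return {
        "actual_hours": actual_hours,
        "rto_hours": rto_hours,
        "within_rto": actual_hours <= rto_hours,
        "task_minutes": task_durations(events),
    }


if __name__ == "__main__":
    report = evaluate_drill(DRILL_LOG, rto_hours=4)
    for task, minutes in report["task_minutes"].items():
        print(f"{task:22s} {minutes:6.1f} min")
    print(f"restored in {report['actual_hours']:.2f}h, RTO {report['rto_hours']}h:",
          "PASS" if report["within_rto"] else "FAIL")
```

The per-task breakdown is what feeds back into the analysis phase when a drill fails: a task whose measured time dominates the total is the one whose documented procedure or supporting infrastructure needs rework before the next cycle.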


Related Research Articles

IT disaster recovery (also, simply disaster recovery (DR)) is the process of maintaining or reestablishing vital infrastructure and systems following a natural or human-induced disaster, such as a storm or battle. DR employs policies, tools, and procedures with a focus on IT systems supporting critical business functions. This involves keeping all essential aspects of a business functioning despite significant disruptive events; it can therefore be considered a subset of business continuity (BC). DR assumes that the primary site is not immediately recoverable and restores data and services to a secondary site.

Given organizations' increasing dependency on information technology (IT) to run their operations, business continuity planning covers the entire organization, while disaster recovery focuses on IT.

Information security standards are techniques generally outlined in published materials that attempt to protect a user's or organization's cyber environment. This environment includes users themselves, networks, devices, all software, processes, information in storage or transit, applications, services, and systems that can be connected directly or indirectly to networks.

A backup site is a location where an organization can relocate following a disaster, such as fire, flood, terrorist threat, or other disruptive event. This is an integral part of the disaster recovery plan and wider business continuity planning of an organization.

Security controls are safeguards or countermeasures to avoid, detect, counteract, or minimize security risks to physical property, information, computer systems, or other assets. In the field of information security, such controls protect the confidentiality, integrity and availability of information.

BSI Group: British standards development organization

The British Standards Institution (BSI) is the national standards body of the United Kingdom. BSI produces technical standards on a wide range of products and services and also supplies certification and standards-related services to businesses.

The ISO/IEC 27000 family comprises information security standards published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).

ISO/TC 223 Societal security was a technical committee of the International Organization for Standardization formed in 2001 to develop standards in the area of societal security: i.e. protection of society from and response to incidents, emergencies, and disasters caused by intentional and unintentional human acts, natural hazards, and technical failures.

Information technology risk, IT risk, IT-related risk, or cyber risk is any risk relating to information technology. While information has long been appreciated as a valuable and important asset, the rise of the knowledge economy and the Digital Revolution has led to organizations becoming increasingly dependent on information, information processing and especially IT. Various events or incidents that compromise IT in some way can therefore cause adverse impacts on the organization's business processes or mission, ranging from inconsequential to catastrophic in scale.

ISO/IEC 27040 is part of a growing family of International Standards published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) in the area of security techniques; the standard is being developed by Subcommittee 27 (SC27) - IT Security techniques of ISO/IEC Joint Technical Committee 1 (JTC 1). A major element of SC27's program of work includes International Standards for information security management systems (ISMS), often referred to as the 'ISO/IEC 27000-series'.

Storage security is a specialty area of security that is concerned with securing data storage systems and ecosystems and the data that resides on these systems.

ISO/TC 292

ISO/TC 292 Security and resilience is a technical committee of the International Organization for Standardization formed in 2015 to develop standards in the area of security and resilience.

ISO 22313:2020, Security and resilience - Business continuity management systems – Guidance to the use of ISO 22301, is an international standard developed by technical committee ISO/TC 292 Security and resilience. This document provides guidance for applying the requirements for a business continuity management system (BCMS) in accordance with the requirements set out in ISO 22301:2019.

The Annex SL is a section of the ISO/IEC Directives part 1 that prescribes how ISO Management System Standard (MSS) standards should be written. The aim of Annex SL is to enhance the consistency and alignment of MSS by providing a unifying and agreed-upon high level structure, identical core text and common terms and core definitions. The aim being that all ISO Type A MSS are aligned and the compatibility of these standards is enhanced.

The NIST Cybersecurity Framework (CSF) is a set of voluntary guidelines designed to help organizations assess and improve their ability to prevent, detect, and respond to cybersecurity risks. Developed by the U.S. National Institute of Standards and Technology (NIST), the framework was initially published in 2014 for critical infrastructure sectors but has since been widely adopted across various industries, including government and private enterprises globally. The framework integrates existing standards, guidelines, and best practices to provide a structured approach to cybersecurity risk management.

ISO 22301:2019, Security and resilience – Business continuity management systems – Requirements, is a management system standard published by International Organization for Standardization that specifies requirements to plan, establish, implement, operate, monitor, review, maintain and continually improve a documented management system to protect against, reduce the likelihood of occurrence, prepare for, respond to, and recover from disruptive incidents when they arise. It is intended to be applicable to all organizations, or parts thereof, regardless of type, size and nature of the organization.

ISO 22300:2021, Security and resilience – Vocabulary, is an international standard developed by ISO/TC 292 Security and resilience. This document defines terms used in security and resilience standards and includes 360 terms and definitions. This edition was published in the beginning of 2021 and replaces the second edition from 2018.

References

  1. BCI Good Practice Guidelines 2013, quoted in Mid Sussex District Council, Business Continuity Policy Statement, published April 2018, accessed 19 February 2021
  2. "How to Build an Effective and Organized Business Continuity Plan". Forbes . June 26, 2015.
  3. "Surviving a Disaster" (PDF). American Bar.org (American Bar Association). 2011. Archived (PDF) from the original on 2022-10-09.
  4. Elliot, D.; Swartz, E.; Herbane, B. (1999) Just waiting for the next big bang: business continuity planning in the UK finance sector. Journal of Applied Management Studies, Vol. 8, No, pp. 43–60. Here: p. 48.
  5. Alan Berman (March 9, 2015). "Constructing a Successful Business Continuity Plan". Business Insurance Magazine.
  6. "Business Continuity Plan". United States Department of Homeland Security. Archived from the original on 7 December 2018. Retrieved 4 October 2018.
  7. Ian McCarthy; Mark Collard; Michael Johnson (2017). "Adaptive organizational resilience: an evolutionary perspective". Current Opinion in Environmental Sustainability. 28: 33–40. Bibcode:2017COES...28...33M. doi:10.1016/j.cosust.2017.07.005.
  8. Intrieri, Charles (10 September 2013). "Business Continuity Planning". Flevy. Retrieved 29 September 2013.
  9. "Continuity Resources and Technical Assistance | FEMA.gov". www.fema.gov.
  10. "A Guide to the preparation of a Business Continuity Plan" (PDF). Archived from the original (PDF) on 2019-02-09. Retrieved 2019-02-08.
  11. "Business Continuity Planning (BCP) for Businesses of all Sizes". 19 April 2017. Archived from the original on 24 April 2017. Retrieved 28 April 2017.
  12. Yossi Sheffi (October 2005). The Resilient Enterprise: Overcoming Vulnerability for Competitive Enterprise. MIT Press.
  13. "Transform. The Resilient Economy". Archived from the original on 2013-10-22. Retrieved 2019-02-04.
  14. "Newsday | Long Island's & NYC's News Source | Newsday".
  15. Tiffany Braun; Benjamin Martz (2007). "Business Continuity Preparedness and the Mindfulness State of Mind". AMCIS 2007 Proceedings. S2CID 7698286. "An estimated 80 percent of companies without a well-conceived and tested business continuity plan, go out of business within two years of a major disaster" (Santangelo 2004)
  16. "Annex A.17: Information Security Aspects of Business Continuity Management". ISMS.online. November 2021.
  17. "Communication and resilience: concluding thoughts and key issues for future research". www.researchgate.net.
  18. Buzzanell, Patrice M. (2010). "Resilience: Talking, Resisting, and Imagining New Normalcies Into Being". Journal of Communication. 60 (1): 1–14. doi:10.1111/j.1460-2466.2009.01469.x. ISSN 1460-2466.
  19. Buzzanell, Patrice M. (March 2010). "Resilience: Talking, Resisting, and Imagining New Normalcies Into Being". Journal of Communication. 60 (1): 1–14. doi:10.1111/j.1460-2466.2009.01469.x. ISSN 0021-9916.
  20. Buzzanell, Patrice M. (2018-01-02). "Organizing resilience as adaptive-transformational tensions". Journal of Applied Communication Research. 46 (1): 14–18. doi:10.1080/00909882.2018.1426711. ISSN 0090-9882. S2CID 149004681.
  21. "Resilient Organisations". March 22, 2011.
  22. "Resilience Diagnostic". November 28, 2017.
  23. ISO, ISO 22301 Business Continuity Management: Your implementation guide, published, accessed 20 February 2021
  24. "Emergency Planning" (PDF). Archived (PDF) from the original on 2022-10-09.
  25. Helen Clark (August 15, 2012). "Can your Organization survive a natural disaster?" (PDF). RI.gov. Archived (PDF) from the original on 2022-10-09.
  26. May, Richard. "Finding RPO and RTO". Archived from the original on 2016-03-03.
  27. "Maximum Acceptable Outage (Definition)". riskythinking.com. Albion Research Ltd. Retrieved 4 October 2018.
  28. "BIA Instructions, BUSINESS CONTINUITY MANAGEMENT - WORKSHOP" (PDF). driecentral.org. Disaster Recovery Information Exchange (DRIE) Central. Archived (PDF) from the original on 2022-10-09. Retrieved 4 October 2018.
  29. "Plain English ISO 22301 2012 Business Continuity Definitions". praxiom.com. Praxiom Research Group LTD. Retrieved 4 October 2018.
  30. "Baseline Cyber Security Controls" (PDF). Ministry of Interior - National Cyber Security Center. 2022. p. 12.
  31. "The Rise and Rise of the Recovery Consistency Objective". 2016-03-22. Archived from the original on 2020-09-26. Retrieved September 9, 2019.
  32. "How to evaluate a recovery management solution." West World Productions, 2006
  33. Josh Krischer; Donna Scott; Roberta J. Witty. "Six Myths About Business Continuity Management and Disaster Recovery" (PDF). Gartner Research. Archived (PDF) from the original on 2022-10-09.
  34. "Medical supply location and distribution in disasters". doi:10.1016/j.ijpe.2009.10.004.
  35. "transportation planning in disaster recovery". SCHOLAR.google.com. Archived from the original on 2022-10-09.
  36. "PLANNING SCENARIOS Executive Summaries" (PDF). Archived (PDF) from the original on 2022-10-09.
  37. Chloe Demrovsky (December 22, 2017). "Holding It All Together". Manufacturing Business Technology.
  38. developed by SHARE's Technical Steering Committee, working with IBM
  39. Ellis Holman (March 13, 2012). "A Business Continuity Solution Selection Methodology" (PDF). IBM Corp. Archived (PDF) from the original on 2022-10-09.
  40. Tierney, Kathleen (21 November 2012). "Disaster Governance: Social, Political, and Economic Dimensions". Annual Review of Environment and Resources. 37 (1): 341–363. doi:10.1146/annurev-environ-020911-095618. ISSN 1543-5938. S2CID 154422711.
  41. Partridge, Kevin G.; Young, Lisa R. (2011). CERT® Resilience Management Model (RMM) v1.1: Code of Practice Crosswalk Commercial Version 1.1 (PDF). Pittsburgh, PA: Carnegie Mellon University. Retrieved 5 January 2023.
  42. "ISO - ISO/TC 292 - Security and resilience". International Organization for Standardization.
  43. "ISO 22300:2018". ISO. 12 July 2019.
  44. "ISO 22301:2019". ISO. 5 June 2023.
  45. "ISO 22313:2020". ISO.
  46. "ISO/TS 22317:2021".
  47. "ISO/TS 22318:2021".
  48. "ISO/TS 22330:2018". ISO. 12 July 2019.
  49. "ISO/TS 22331:2018". ISO.
  50. "ISO/TS 22332:2021".
  51. "ISO/IEC TS 17021-6:2014". ISO.
  52. "ISO/IEC 24762:2008". ISO. 6 March 2008. Retrieved 5 January 2023.
  53. "ISO/IEC 27001:2022". ISO. Retrieved 5 January 2023.
  54. "ISO/IEC 27002:2022". ISO. Retrieved 5 January 2023.
  55. "ISO/IEC 27031:2011". ISO. 5 September 2016. Retrieved 5 January 2023.
  56. "ISO/PAS 22399:2007". ISO. 18 June 2012. Retrieved 5 January 2023.
  57. "IWA 5:2006". ISO. Retrieved 5 January 2023.
  58. "BS 7799-1:1995 Information security management - Code of practice for information security management systems". BSI Group. Retrieved 5 January 2023.
  59. "BS 25999-1:2006 Business continuity management - Code of practice". BSI Group. Retrieved 5 January 2023.
  60. "BS 25999-2:2007 (USA Edition) Business continuity management - Specification". BSI Group. Retrieved 5 January 2023.
  61. "BS 25777:2008 (Paperback) Information and communications technology continuity management. Code of practice". BSI Group. Retrieved 5 January 2023.
  62. British Standards Institution (2006). Business continuity management - Part 1: Code of practice. London.
  63. Cabinet Office. (2004). overview of the Act. In: Civil Contingencies Secretariat Civil Contingencies Act 2004: a short. London: Civil Contingencies Secretariat
  64. "July 2013 (V2) The role of Local Resilience Forums: A reference document" (PDF). Cabinet Office. Retrieved 5 January 2023.
  65. "HB 292—2006 Executive Guide to Business Continuity Management" (PDF). Standards Australia. Retrieved 5 January 2023.
  66. "HB 293—2006 Executive Guide to Business Continuity Management" (PDF). Standards Australia. Retrieved 5 January 2023.
  67. NFPA 1600, Standard on Disaster/Emergency Management and Business Continuity Programs (PDF) (2010 ed.). Quincy, MA: National Fire Protection Association. 2010. ISBN 978-161665005-6.
  68. "A Comprehensive Overview of the NFPA 1600 Standard". AlertMedia. 29 January 2019. Retrieved 4 January 2023.
  69. "Business Continuity Plan | Ready.gov". www.ready.gov. Retrieved 5 January 2023.
  70. "NATIONAL CONTINUITY POLICY IMPLEMENTATION PLAN Homeland Security Council August 2007" (PDF). FEMA. Retrieved 5 January 2023.
  71. "Continuity Resources and Technical Assistance | FEMA.gov". FEMA. Retrieved 5 January 2023.
  72. "Continuity of operations: An overview" (PDF). FEMA. Retrieved 5 January 2023.
  73. "Business | Ready.gov". www.ready.gov. Retrieved 5 January 2023.
  74. "Business Continuity Planning Suite | Ready.gov". www.ready.gov. Retrieved 5 January 2023.
  75. ASIS SPC.1-2009 Organizational Resilience: Security, Preparedness, and Continuity Management Systems - Requirements with Guidance for Use (PDF). American National Standards Institute. 2009. ISBN 978-1-887056-92-2.
  76. "Business Continuity Plan Template".
  77. "Glossary | DRI International". drii.org.
  78. "Disaster Recovery Plan Checklist" (PDF). CMS.gov. Archived (PDF) from the original on 2022-10-09.
  79. Othman. "Validation of a Disaster Management Metamodel (DMM)". SCHOLAR.google.com.
