Business Continuity Plan

This involves the development of a Business Continuity Plan (BCP) designed to ensure the recovery of critical business activities from natural or man-made failures or disasters to an acceptable level within a predefined time frame, thereby minimising the impact of losses to the organisation. Implementing a BCP is essential for every business.

Business continuity planning involves the following five major processes:

Major Processes of Business Continuity Planning

Critical Business Activities Identification

It is crucial to understand where a company needs to focus on in order to recover in case of an incident. The first step in business continuity planning is to identify the most critical business activities to your company's survival. You need to have a good understanding of your business, including its objective, products, services, resources, facilities, suppliers, customers, and their interdependencies.

Critical business activities are those that must be present to sustain the continuity of business, where failing to performing them would lead to:

Major revenue losses;

Failure to meet regulatory or contractual requirements;

of operational efficiency, or

Loss of customer / damage of reputation.

Once the critical activities are identified, you should perform analysis on each of them to determine the priority and objective on the recovery of critical business activities based on their importance to the company's achievement of strategic goals. Typical questions to be considered include:

What are the operational, financial and other competitive impacts to the company if the activities are not functioned?

How quickly do the activities need to be back in production for your company to survive?

How much data and financial losses can you afford?

For each of the critical business activity identified, it is also necessary to find out all the supporting resources needed to perform the activity and the effect on the business of the unavailability of the resources. Listed below are the areas of resources you should consider:

People;

Information technology (service, application, network, data);

Data and voice communication;

Paper-based documents and records;

Physical infrastructure, key equipment and facilities; and

External services / products dependencies.

Business Continuity Risk Assessment

A disaster could happen to any company – no matter the business size. Risk assessment on critical business activities should be conducted, identifying possible risks and assessing the likelihood and impact of disruptive events. It is vital that you understand the disruptions that would be disastrous to the running of your business. Different disaster scenarios should be considered, some common threats include:

Natural disaster, such as earthquake, fire, typhoon, flood;

Loss of key equipment / information system / facility;

Disruption of external telecommunications services;

Utility outage, such as failure of power supply;

Loss of life, disease, health & safety issues; and

Terrorism & cyber attack.

Risk assessment against different threats may result in different outcomes. Some may require no action, while some require continuity planning to be developed and supported with additional resources. This will help a company to explore the possible effects of disaster incidents. After that, risks can be prioritised against objectives relevant to the organisation, including critical resources, impacts of disruptions, allowable outage times, and recovery priorities.

Business Continuity Plan Development

Business Continuity Plan (BCP) allows you to prepare for the worst situation that would keep your business from being operational and to minimise service disruption as well as financial loss. The plan only needs to include the business activities that are most critical to keep your company up and running.

Based on the results from the analysis made on critical business activities and possible risks, you can start developing business continuity and recovery strategies. The selection of strategy may depend upon the criticality of business activities, cost, time for recovery and security.

Listed below are the typical items included in a BCP:

Individual roles and responsibilities;

Conditions for its activation;

Processes to be followed;

Escalation plan;

Emergency procedure to handle incident;

Temporary operational procedure;

Resumption procedure;

Fallback procedure; and

Maintenance schedule and process for testing the plan.

For a small company, a BCP may be simply a printed manual stored safely away from main working location, with emergency contact information, location of offsite data backup storage media, copies of insurance contracts, and other critical material necessary for survival of the business.

The purchase of suitable insurance may be considered as part of the overall business continuity process to recoup losses from risks that cannot be completely prevented or controlled. The decision to obtain insurance should be based on the likelihood and degree of loss identified. Please note that insurance should not be treated as a substitute for an effective BCP since it does not deal with the recovery of business.

Before the plan is put into practice, testing should be conducted to ensure it is effective. Testing may include simulations, business process test, technical recovery and resumption testing, recovery processes testing at alternate site, supplier facilities and services testing etc.

Plan Approval and Implementation

Once a Business Continuity Plan (BCP) is developed, it is important that endorsement should be sought for approval and support.

Points to note during the implementation of BCP:

BCP should be documented and disseminated to all staff to follow before, during and after disruptive event occurred.

Awareness training and education for staff should be conducted to help them understanding the business continuity processes and their individual responsibilities and actions to be taken when the plan is invoked. This is to ensure the processes would be carried out effectively.

Copies of BCP should be stored at remote location and kept updated with the same level of security protection as at the main site.

Other material necessary to execute the BCP and for organisational survival should also be stored at the remote location, such as offsite data backup storage media and copies of insurance contracts.

A company may also need to have pre-arrangement with external parties to ensure timely resumption of operations, such as facilities access and telecommunication systems.

Regular Review and Ongoing Maintenance

In order to validate the business continuity arrangements, testing, review and ongoing maintenance should be conducted regularly to ensure they are up-to-date and effective.

Points to note during the implementation of BCP:

Regular review, testing & verification of documented Business Continuity Plan (BCP) and the technical solutions should be conducted regularly, say annually.

When any new or major change in business requirements / environment are identified, the existing procedures should be updated as appropriate.

Procedures should be included within the organisation's change management programme to ensure that business continuity matters are always addressed appropriately.

BCP and the test results should also be subject to independent audit and review.