INDUSTRY
What Is Business Continuity Planning?
How Does It Differ From Disaster Recovery Planning?
By JOHN GLENN
There are many articles
addressing how to create a business continuity plan, but few actually
describe the purpose of business continuity planning. This, then, is my
biased attempt to explain what business continuity is and what it is
intended to accomplish; it is not intended to describe a business continuity
plan or how to create a business continuity plan.
Business Continuity Defined
Business continuity (emphasis on "continuity")
is the ability of a business to continue operations in the face of a
disaster condition.
This means a business with a viable business continuity plan will be
better able to continue doing what it did before a disaster event while
assets damaged by the disaster event are recovered, until "business
as usual" is resumed.
Business continuity means:
identifying critical business functions
identifying risks to critical functions
identifying ways to avoid or mitigate the risks
having a plan to continue business in the event of a disaster condition
having a plan to quickly restore operations to "business as usual."
Disaster recovery is an integral part of business continuity. Business
continuity does not replace insurance. It is a form of insurance, and
should include insurance for life, health, facilities, product and business
interruption.
Disasters vs. Disaster Conditions
A disaster, according to this planner, is any event that results in
death or serious injury, or a business going out of business as a result
of an event.
A disaster condition is an inconvenience from which everyone and everything
can be recovered, not necessarily exactly as before the event,
but restored to an equal or better footing.
"Inconvenience" may be too mild a term for some who experienced
a disaster condition, but consider this scenario:
A tornado roars through and flattens the business. If the business has
a continuity plan that includes an alternate site, plans to rapidly
transfer operations to the site, and includes support services to relieve
its employees of worry about their families and possessions, the business
can be doing business within an acceptable time, meeting its customers'
needs and fending off competitors while restoring the operation to "business
as usual" condition.
There is an interruption. There most certainly is an inconvenience.
There usually is added cost (overtime, rental facilities, expedited
ordering and shipping, additional services such as catered meals)
but, and this is the critical issue, business continues, income continues,
perhaps at a slightly reduced level, but it continues nonetheless.
Competitors won't succeed in stealing the business's customers
due to missed commitments.
Was the event (regardless of type: fire, flood, wind, etc.)
a disaster? No.
Was it a disaster condition? Yes.
Critical Business Functions
Critical business functions are functions a business must perform in
order to stay in business. That means different things to different
organizations.
If the business's primary function (the one that generates
income) is to produce valves, then a disruption to valve production
puts the business at risk. There may be IT concerns such as CAD/CAM,
customer lists, accounts receivable and accounts payable, but the primary
function of the business is to make valves. If the production line is
down, if raw material cannot be accepted and finished goods cannot be
shipped, the company shuts down.
For the valve company, the production line is the critical business
and any risks associated with production, no matter how far removed
from the actual production line, are legitimate concerns for the
planner.
Non-profits and governments need business continuity to assure that
they can perform their mandated functions. When an assistance payment
fails to arrive, there is a ripple effect: the person can't
buy necessities, the business selling the necessities either loses business
(and product stays in stock) or sells on credit, the wholesaler loses
sales to the retailer (or sells on credit), the manufacturer loses an
order from the wholesaler, and on and on.
Avoid, Mitigate, Absorb
Once critical functions and risks to those functions are identified,
planners have three options:
Avoid a risk, typically through redundancy.
Mitigate a risk by implementation of work-arounds.
Absorb the risk.
The decision to avoid, mitigate, or absorb is a management decision.
The planner makes recommendations based on cost vs. effectiveness and
efficiency.
Is it really necessary to have a very expensive hot site for a valve
manufacturing production line? Probably not.
Is it really necessary to have a very expensive hot site for a 24-hour-a-day,
data-intensive operation (such as Web-based securities sales)? Most
assuredly.
In some cases, the decision to avoid, mitigate, or absorb is made for
the planner and management by regulatory bodies which demand certain
performance levels.
In all cases, "fiduciary responsibility" plays a major role
in management's decision. Management is liable if it fails to take
reasonable and prudent measures to protect investors and employees.
Avoiding a risk is a fairly obvious option. It usually is the most expensive
and requires the most readiness.
Mitigation options may be fairly obvious; if the business is located
in a flood plain, move all critical operations to floors above the 100-year
flood level.
Absorbing a risk is another matter. Letting an event take its toll seems
counter to business continuity's purpose, but consider a company
with obsolete equipment, from "AT" class computers to
inefficient furnaces. If the obsolete equipment is insured, replacing
it with modern equipment might improve the bottom line. Since insurance,
an integral part of a business continuity plan, is footing at least
part of the replacement cost, the business can buy replacement gear
at a discount.
Business Continuity For The Small Business
Everyone (small business, big business, non-profits, government,
even the individual family) needs a business continuity plan,
a way to continue their business or personal lives in the face of a disaster
condition.
Business continuity is as much (perhaps more) for the small
business as it is for the giant corporation.
Unlike giant corporations, smaller enterprises typically are less able
to survive a disaster (condition); they lack the financial clout and
personnel resources of a Fortune 100. The small business does have some
special financial assistance available from federal and state sources.
These sources normally look more favorably on an enterprise with a business
plan that includes a business continuity plan. Some insurance companies
may offer discounts to businesses which implemented planner recommendations.
Business Continuity For The Community
The Federal Emergency Management Agency (FEMA) under former director
James Watt made a strategic change following Hurricane Andrew. FEMA
went from a "disaster recovery" agency to a "disaster
avoidance and mitigation" agency; in other words, FEMA got
into business continuity.
FEMA created Project IMPACT to help municipalities expand
their federally-mandated emergency preparedness operations to include
protection of the commercial and residential tax base through what effectively
amounts to business continuity planning.
Project IMPACT makes a number of resources available to both the small
business and to the community's residents to identify risks (will
a facility withstand high winds?) and to implement preventive measures.
The Differences In Business Continuity, Disaster Recovery & Contingency Planning
A person builds a house on an ocean beach. A storm washes away the beach.
The house collapses.
Business continuity would suggest building a barrier reef or moving
the house farther inland.
Disaster recovery rebuilds the house in time for the next storm.
Contingency planning takes the same scenario and says: "A storm
will come ashore and damage the house; make sure there is someplace
to live while the house is rebuilt."
What To Expect In A Business Continuity Plan
Business Continuity planning typically is a multi-stage (deliverable)
process.
Phase 1: BIA
The minimum expectation from a business continuity plan is a business
impact analysis, a BIA. The BIA:
identifies business functions critical to the business's survival
identifies risks to those functions
rates (prioritizes) risks by probability of occurrence and impact on the business
identifies ways to avoid or mitigate identified risks
prioritizes recommended avoidance and mitigation options.
The plan may include suggested vendors, available financial resources,
and other resources which may prove beneficial to implementation of
avoidance and mitigation measures. The availability of this supplemental
information is determined before planning commences and is in large
measure dependent on how much time the planner has for research. (Resources
constantly change and a planner should not be held to what was known
yesterday.)
The business continuity process normally is suspended for a brief period
while management reviews its options. The shorter the break the better
since, as with most planning operations, momentum is a valuable asset.
Phase 2: Disaster Recovery Plan
The disaster recovery plan includes:
reporting hierarchy, including executive management
identifying primary and alternate disaster recovery team members; these are the people responsible to sustain the business operations and to restore or replace physical assets
detailed description of each team member's responsibilities during a disaster condition
a list of internal and external vendors and contact information
a list of regulatory agencies and contact information
a list of public service agencies and contact information
appendix of control forms (report forms, expenses, etc.)
minimum resources required to sustain the business operation while physical assets are restored or replaced.
Phase 3: Disaster Recovery Team Training & Testing
This phase includes:
development of a test methodology and scenarios
training disaster recovery team personnel to respond to a disaster condition with confidence
revision of Business Continuity Plan as deficiencies are discovered during plan testing.
No plan is perfect the first time out; if it is, there is something
wrong with the test.
Phase 4: Plan Maintenance
Plan maintenance is in two parts:
develop a maintenance policy and procedure
maintain the plan.
Plan maintenance is by both calendar and by trigger events.
Calendar events are regularly scheduled reviews to assure all minor
changes to the business are incorporated into the revised plan. Review
frequency depends upon the business dynamics.
Trigger events are events which trigger plan maintenance.
Such events include equipment, personnel, policy, procedural, product,
and vendor changes.
A Few Quick Words About Vendors
All businesses depend on vendors.
If a critical business function depends directly or indirectly on a
vendor, make certain the vendor has a tested and maintained business
continuity plan. The plan for your business is defective if the:
vendor lacks a plan
vendor's plan has never been tested
vendor's plan was updated more than a year ago.
The vendor's client is responsible to assure the vendor has a viable
(tested and maintained) plan.
John Glenn is a certified business continuity/disaster recovery planner.
He has been involved with business continuity planning since 1994. You
may contact him at JGlennCRP@yahoo.com.
To comment on this article, go
to 1501-15 at www.drj.com/feedback.