What you do have is a need (and presumably a desire) to develop a Business Continuity Plan (BCP) for the company! So, how do you make that happen with a limited staff and budget?
First of all, face the facts...and the facts are, if you really want to develop good business continuity plans, you really do have to address all of the planning issues that the big companies do....you are just going to have to do it with fewer people and less money.
And what are those issues? Well, the definition of the major components required in a contingency planning project may vary according to whose book you read.
A. Defining the scope, objectives, and assumptions associated with your planning project doesn't have to be a time consuming and costly process. However, since this lays the groundwork for the entire project, it does deserve consideration. Get a decision making group together and make some decisions. You don't have to have a formal Steering Committee, or any other committee for that matter. You do have to have management support, define reasonable goals, define your assumptions, establish reasonable time frames for completion, and allocate a reasonable amount of resources to the project. If your company is small, then the decision making group can be small as well. Just be sure that you have the support you need right from the "get go." If you can't get that support up front, you should seriously consider whether continuing the project is a good idea.
B. How about information gathering? Does the thought of conducting a Risk and Business Impact Analysis conjure up images of vast armies of interviewers working their way through the company interviewing every employee in sight? Well ... RAs and BIAs aren't quite that bad, but almost. The truth is that the best method of gathering information is to sit down face to face and interview the company's employees....and the more you interview, the better your data. Fortunately, if your company is small, the number of personnel will probably also be small. In any event, gathering information, if done properly, will be one of the most time consuming and expensive phases of your project. Still, this process doesn't have to break the bank'.and we are talking about how to get the job done with limited resources. Here are some thoughts:
- Combine the information gathering effort for the RA and the BIA. This will definitely save you time and money....but it isn't going to be easy. Identifying "risks" and identifying "impacts" are two different things. It is difficult even for the most experienced planner to gather information for both during the same interview'.not to mention the fact that asking questions about "risks" and "impacts" at the same time will quite often confuse the person being interviewed. Still, with a good questionnaire and the concepts clearly separated in your mind, it can be done and it will definitely save time and money.
- How about sending out questionnaires (on paper, website, or e-mail) that have to be completed and returned. This CAN help, but it's not the total answer. The problem is that the people answering the questionnaires are not contingency planners, and they're not oriented to the project and what type of information you need. The result is that questions go unanswered or are answered incorrectly because of being improperly framed.
For example: An accountant might respond that he could operate for a week without access to the network because he works with PC applications like spreadsheets and all he/she needs is a PC with a spreadsheet program installed. What she/he may not realize is that the data files are probably stored on a network server.
Distributing questionnaires certainly can reduce the amount of time spent in the interviewing process, but they can't replace it. If you send them out, follow up with an interview.
- So, you can't get away from doing interviews, but you can, and should, economize on the number of interviews that you do. Just don't confuse economizing with skimping. If you can interview with one person per department, instead of two, then you have reduced your interviewing effort by half. Not bad. If you can't get the information from a single person in a department, can you interview two or three people together? And for that matter, how about group Facilitative Sessions? What's a Facilitative Session? Next paragraph please.
To conduct a Facilitative Session, get a group of people together representing a logical group of business units or departments in the company, then conduct an information gathering session with the whole group at one time. A powerful concept and a great idea that can work. The results will never be as good as one-on-one discussions, but depending on the size of the company, this can be a viable means of reducing the amount of time and money spent during the RA and BIA phase. It's something to consider when laying out your planning project.
- How about an Executive Committee that simply meets and agrees on what the "risks" are and what the "impacts" would be, if an interruption does occur. This happens all the time and it does work. It works because decisions have been made that can be acted on. They may not be the best decisions, or even the correct decisions, but they are decisions. Obviously, this approach simply bypasses the time-honored process of conducting a Risk and Impact Analysis, which may not be a good idea. Still, executive committees get it close to right, most of the time.
Congratulations! If you have gotten through the information gathering phase of your project, you have also gotten through the most time consuming (and usually the most expensive part) of a Business Continuation Planning project. You are now on a virtually level playing field with the "big guys." The next step is to identify how you are going to continue to do business (until you fully recover) and identify what your recovery options are. Neither of these steps should be extremely costly or take up huge amounts of time.
C. The whole point of Business Continuity Planning is to be able to continue doing business following an interruption. An integral part of your planning must be the development of Interim Procedures. Remember, Interim Procedures are not recovery procedures. They are procedures that specify how the business units will continue to perform their mission critical processes until recovery is complete. In other words, they are operating procedures for the "interim" period. But before Interim Procedures can be written, you have to know what your business continuation options are.
D. That brings us to the Options Analysis or OA. You will need to identify and analyze options for both Interim Procedures and Recovery Procedures, but let's talk about options for your Interim Procedures first.
- Interim Procedure options! How do you gain enough expertise and knowledge about each business unit to identify and analyze continuation options without consuming huge amounts of time? First of all, you already have a pool of expertise, the personnel that do the job every day. Identifying options should be performed by personnel within the business units; after all they're the ones who are supposed to know their job. What you as a planner need to do is learn enough about each business unit to assist them in identifying and analyzing their options. Yes, you should provide them with guidance, direction, templates, standards, and expertise, but don't try to tell them how they should do their job following an interruption. Delegate whenever possible. By the way, the same philosophy holds true for actually documenting the Interim Procedures. Don't attempt to write the procedures for them. If you do, the document will end up being your version of what you think their procedures should be. Besides, our original purpose was to identify how we could develop a business continuity plan with minimal expense. While leveraging against the existing personnel and knowledge base may not save money, at least it's not an additional expense.
- OK now, how about recovery options? This will require some work, but there are some things that can be done to reduce the amount of work required. First, restrict your work to options that come reasonably close to satisfying the recovery time frame objectives identified in the Business Impact Analysis. The fewer options that you have to analyze, the less time this task will consume. If you have easy access to management, work with them to eliminate marginal options as they are identified. As you begin to identify costs associated with the recovery options, continue to work closely with management. If decisions can be made with general "discussion" figures, there may be no need to develop detailed cost figures.
For example: If the Business Impact Analysis indicated that the company would be severely impacted unless the Customer Service Center was functional within less than 2 hours following a disaster, then it would be reasonable to examine an option that includes a facility with telephones, seating, air conditioning, and computer network already installed. Now, let's just say that a first look at creating this facility indicates a cost between 300k and 400k. If management doesn't intend to fund any options that cost more than 100k, then it will do us no good to refine this cost figure and we may as well toss out this option now.
E. The Risk Analysis is done, the Business Analysis is done, and the Options Analysis is done. Now you are ready for documentation. Nothing to it. After all, by this time you should already have all the information you need. So, it simply becomes a matter of putting it down on paper. Once again, don't try to write the Interim Procedures for the business units, let them do it. Whenever possible, do the same thing for the recovery plans. Documentation should not be the most time consuming part of your project; so, don't get bogged down in the process of putting your efforts on paper.
F. Are there ways to economize when testing plans? Sure! How about testing a group of plans together? If you have plans for Accounting, Human Resources, and Recruiting and they are all on the same floor, it might make sense to test their plans at the same time using the same scenario. Likewise, if they are on different floors, but use common infrastructure resources (such as a common server or PBX), they could be tested with the same simulated failure. Pick the least disruptive times to conduct tests. Devise reasonable (and realistic) test scenarios and strive to make the testing process enjoyable and educational. One word of caution here! The natural reaction from management is to try to minimize the number of personnel that participate in a test, when (in actuality) as many people as possible should be included in the testing procedure. Make it one of your tasks to educate management to this need. After all, the people that are denied the opportunity to participate in the testing procedure can't be expected to execute their part of the plan when a disruption occurs.
G. Now that your plan has been developed, documented, and tested, you need to establish a proactive maintenance schedule to keep it current and usable. In general, the most efficient method of maintaining your plan is to do so on an ongoing basis. This will keep your plan up to date at all times and keep maintenance costs to a minimum. However, there are some parts of your plan, such as the BIA, Risk Analysis, and Options Analysis, that can't readily be addressed on a continuing basis. So how do you determine a reasonable review frequency for these major plan components? Consider the following:
Establish a regular schedule for reviewing and maintaining the major components of your plan. The desired frequency for reviewing these items should be dependent upon internal changes within the business units. In general, your plan should be maintained on an on-going basis and tested no less than once per year. You should, however, actively determine when more frequent maintenance or testing is necessary. Some of the items that might prompt more frequent plan reviews are:
- Changes in personnel,
- Changes in computer equipment,
- Changes in computer software,
- New physical facilities,
- Departmental reorganization,
- Changes in mission statement,
- Changes in operational procedures,
- Fundamental process changes.
Remember, that as important as it is to keep your plan maintained, it is also advisable to avoid over maintaining. Over maintaining will only increase costs and cause contingency planning "burn out."
To further reduce maintenance costs, you should maintain a high level of user involvement, including education regarding contingency planning. Users should be a major source of information regarding when changes are necessary to the plan. Remember, if users are providing you with information regarding changes in their departments that require plan modifications, then you won't have to go to them for this information.
H. Plan execution - We all hope that your Business Continuity Plan never has to be used. But if it does, you probably will be more concerned about regaining function than saving money and cutting costs. That's why the secret to saving money at this stage of the game is the plan itself. The entire purpose of having a plan in the first place is to be able to recover as quickly and efficiently as possible. If your plan, has been developed correctly, the cost cutting measures will be built in. If it's not in the plan by this time, it's too late.
Contingency Planning on a budget is difficult, but not impossible. It often involves compromises that we would prefer not to make. Still, a plan is a plan and it is certainly better than no plan at all. If you're on a limited budget, simply do the best you can with what you have and remember the words of General Eisenhower concerning the planning for D-day, "The plan is nothing. Planning is everything."
Thomas L. Weems, President of PreEmpt Inc., is responsible for coordinating all business continuation planning efforts for the company. PreEmpt is based in the Dallas/Fort Worth metroplex and is involved with all facets of business continuation planning, from turnkey consulting to PC based products. For more information about the products and services offered by PreEmpt, set your browser to www.PreEmptInc.com.
Printed In Fall 1999