DEVELOPING BUSINESS CONTINUITY PLANNING METHODOLOGY

by
Syazwani Izzatie binti Muhamad Yazid
Universiti Teknologi Mara (UiTM) Kampus Puncak Perdana, Selangor

Abstract

Many businesses are not completely prepared for emergency incidents and/or hazards that will
potentially jeopardize their operations. This is where business continuity planning does the
work by preparing strategic plans that provide for normal continuation of operations with real-
time backup of processes in an events of disasters. Therefore, the purpose of this paper is to
understand the concept of business continuity planning and focusing on developing business
continuity planning methodology.

Keywords: Business Continuity Plan Methodology, Record Management, Risk Management

INTRODUCTION

According to Praveen Sinha, John Vargo and Steven Jensen (2014), emergencies, crises, and/or
disasters (hereinafter collectively referred to as incidents) adversely affect immeasurable
numbers of human lives every year. The impact from such incidents often weighs heavily upon
households in terms of property damage and destruction; they also weigh heavily upon
organizations, most particularly small businesses. Pre-incident planning can help businesses to
continue their operations during an incident, recovering from an incident and to restore
operations. These pre-incident plans can also be referred as business continuity plan (BCP).
Business continuity plan (BCP) is the preparation and implementation of strategic plans
that provide for normal continuation of operations with real-time backup of processes and
procedures in an events of natural or human error disasters (Karim, 2011). The disruptive
events to business continuity that usually happened include flood, fire, major information
system failure, power blackout, political activities, economic events or water system problems.

Development of a Business Continuity Planning Methodology

The beginning of the development of business continuity planning methodology starts from
acknowledging the definition of the scope of the plan, what is a disaster, the objectives of the
plan and its assumptions.
According to Martin (2002), scope of plan is to develop a business continuity plan for
the main business units which prepare a more efficient and effective recovery effort after a

1
disaster has occurred within the acceptable time frame to be able to resume the business
operation. A disaster is any sudden or unplanned calamitous event that can cause a significant
disruption in operational and/or computer processing capabilities for a period of time, which
affects the operations of the business (Martin, 2002).
Business continuity planning primary objective is to safeguard an organization when a
part or all part of its computer services or operations are rendered unusable (Heng G., 2015).
According to Shulmistra (2017), one of the most fundamental goals is to guide the company’s
disaster recovery teams. Identify disaster recovery personnel is one of the most important
objectives of BCP. Another crucial purpose of creating a BCP is identifying the various threats
to the operations and their impacts. The plan will provide the specific procedures that need to
be followed to assist in recovery because when personnel will most likely won’t remember
exactly what they’re supposed to do when disaster strikes so they can consult the documents to
follow the protocols as they have already listed. Identifying where critical data and other assets
are being kept is one of the most important IT BCP objectives.
The few assumptions that were common with BCP according to Heng G. (2015) are no
access to the building that was affected for the next seven days, disaster occurs at the most
unguarded time for each function, not more than one building will be affected all together by a
disaster, disaster or IT recovery plan is in place and tested and only recovered the critical
business function and postponed the less essential business functions.

Business Continuity Planning Methodology

In Figure 1, the Business Continuity Management (BCM) planning methodology is like any
other planning process. They provide framework for effort, requirements and deliverables
where each phase lead to the next in an endlessly repeating cycle. Many of the steps or phases
can be manage contemporaneously in real life. However, these steps are used as a references
and the visual clues does not represent the absolute percentage of the time.

2
 Figure 1 BCM Planning Methodology

According Heng G. (2015), to ensure the consistency, quality and comprehensiveness

of the completed business continuity plans, the selection of BCP standards or methodology is
needed in all organization except the smallest organization and that a standard methodology
can provide maximum affirmation that the plan of related activities is organize properly at both
country level and global level. Many methodologies have been developed based on various
practitioners’ own perspectives and their organization needs considering that most business
continuity plan methodologies varies from the classical project management methodology as
similar traits are required in managing any other project.

Areas of Focus during the Development of the Methodology

This methodology is the result of reviews and adaptation from several established frameworks
and methodologies. In summary, the key areas for consideration are explained next.

Project Management
According to H. Frank Cervone (2017), BCP is concerned with the resumption and recovery
of business activities across the organization. In most organizations, people who are
responsible for organization daily operations are asked to create detailed procedures and plans
that become part of the BCP to recover operations based on different scenarios, such as set up
a new data center after a flood or relocating the offices after an earthquake. The development
of these plan and procedures is prioritized based on the probability of a particular event
happening to an organization. The entire project management process involves the following
steps:
1. Establish the need for BCM planning.
2. Research the work in the areas of BCM.
3. Develop a BCM planning framework.
4. Define the scope, objectives, and assumptions.

3
 5. Manage the BCM planning process.
6. Establish a BCM project planning committee and team.
7. Develop an action plan and schedule.
8. Establish a budget.
9. Obtain commitment and approval.
10. Manage deadlines and milestones.
11. Build and maintain teamwork.

Risk Analysis and Review

According to Business Continuity Management Institute, Risk Analysis and Review or RAR
is a phase within the BCM Planning Process or Methodology. It is to identify existing risks and
threats that the business organization is exposed to, particularly with respect to its geographic
location, processes and procedures. This phase along with the business impacts analysis phase
are the basic elements of business continuity planning program. The purpose of this phase is to
minimize the risks and threats of the organization. The major considerations during the Risk
Analysis and Review include assessing the risk, control options, and the cost and effectiveness
of risk controls.

Business impact analysis (BIA)

According to the Department of Homeland Security (Ready.gov), business impact
analysis (BIA) foresee the consequences of disruption of a business function, process and
gathers information needed to develop recovery strategies. During the risk assessment,
potential loss scenarios should be identified. Operations may also be intervened by the delayed
deliveries or failure of a supplier of goods or services. There are many possible scenarios which
should be considered. Heng G. (2015) indicated that analyse risk involved the ranking of
resources and the identification of potential resource loss situations which differs from the
actual risk analysis where the need to evaluate the responsibilities for key recovery groups and
to emphasize that business managers should be held responsible once they are assigned by
senior management. This step is usually a step taken after the management has agreed on the
project by which key business managers are selected to manage the project. However, Heng G.
also stated that after the methodology was reviewed, it was found that this phase will be needed
only after the BIA is completed.

4
Business Continuity Strategy
According to Robert Withcher (2006), business continuity strategy is an approach by
an organization that will ensure its recovery and continuity in the face of a disaster or other
business disruption or major incident. The purpose of a BCP is to enable an organization to
recover or maintain its activities in the event of a disruption to normal business operations.
Meanwhile, the development of the business continuity strategy is the process to determine and
select operating strategy to maintain or continue the critical business products and services or
functions during a disaster (Heng G., 2015).

Plan Development
This phase is to determine the procedures for notifying the right people, assessing the
operational impact as well as to develop specific steps for minimizing the risks of an outage,
and restoring normal operations after the outage. The result from this step is the Business
Continuity Plan or Disaster Recovery Plan. The Business Continuity plan will be based on all
the procedures and priorities agreed upon by the executive management so that the need to
refer or make decisions in a disaster will be kept to an absolute minimum (Heng G., 2015).

Testing and Exercising

According to Tammineedi (2010), testing and exercising is a way to evaluate and
confirm the soundness of policies and procedures through in-depth discussions, training, and
drills. Exercises are conducted to review disaster recovery procedures and the ability to meet
the Recovery Time Objectives (RTO). It is important to conduct testing in a way that exercises
the defined business continuity plan to avoid the likelihood of developing a separate and unique
“testing” plan. Exercises should be conducted at least once a year and the results should be
documented and communicated to executive management. The entire Testing and Exercising
process involves the three main stages:
1. Designing the Test Program.
2. Executing the Test.
3. Assessing and correcting the results of the tests and exercises.

Program Management
The next challenge is to keep the BCM program effort alive once the BCM planning
project has completed. The program management provides the ability to establish and maintain
business continuity in a manner appropriate to the size and complexity of the organization
(BS25999, 2006; Fasolis, Vassalos, and Kokkinaki, 2013). This phase is where the policy of

5
the objectives of the business continuity management being developed by the organization is
stated. The key element of this phase is to gain commitment from the top management as well
as assigning the appropriate roles and responsibilities to the program team. Some of the
activities that have to be completed under the Program Management phase, and they ensure
that the:
1. BC Plan is consistent with the most current business operational setup.
2. BC Plan is available, accessible and distributed to the recovery team.
3. Maintain BC Plan to an acceptable standard, efficiency, and effectiveness.
4. Planning efforts enable the prompt and correct response of the staff in a
disaster.
5. BC Plan is consistent with international standards.
References
Allen, D., & Westerblad, H. (2004). Physiology. lactic acid--the latest performance
enhancing drug. Science (New York, N.Y.), 305(5687), 1112-1113.
Bethany, M. P. (2014). Business continuity planning: Identifying gaps, patterns and
justifications (Order No. 1526894). Available from ProQuest Dissertations & Theses
Global. (1618227782). Retrieved from
http://search.proquest.com.ezaccess.library.uitm.edu.my/docview/1618227782?accou
ntid=42518
Fasolis, E., Vassalos, V., & Kokkinaki, A. (2013). Collaborative, trusted and privacy- Aware
e/m-Services: 12th iFIP wG 6.11 conference on e-Business, e-Services, and e-
Society, i3E 2013, athens, greece, april 25-26, 2013. proceedings. In Designing and
developing a business continuity plan based on collective intelligence (pp. 278-285).
Berlin, Heidelberg: Springer Berlin Heidelberg: Springer. doi:10.1007/978-3-642-
37437-1_23
H. Frank Cervone, (2017) "Disaster recovery planning and business continuity for
informaticians", Digital Library Perspectives, Vol. 33 Issue: 2, pp.78-81,
https://doi.org/10.1108/DLP-02-2017-0007
Heng, G. (2015). Business continuity management planning methodology. International
Journal of Disaster Recovery and Business Continuity, 6, 9-16.
doi:10.14257/ijdrbc.2015.6.02
Shulmistra, D. (2017, January 19). 9 Critical Business Continuity Plan Objectives. Retrieved
from https://www.linkedin.com/pulse/9-critical-business-continuity-plan-objectives-
dale-shulmistra
Tammineedi, R. L. (2010). Business Continuity Management: A Standards-Based Approach.
Information Security Journal: A Global Perspective, 19(1), 36-50.
doi:10.1080/19393550903551843.
Whitcher, R. (2009, June). BS 25999 – a framework for resilience and success. Retrieved
May 25, 2018, from http://www.efectus.cl/upload_files/documentos/27102009085025-
141381139.pdf