Business Continuity Planning

_______________________________________________________________ TABLE OF CONTENTS Chapter 1.0 2.0 2.1 2.2 2.3 2.4 2.5 3.0 3.1 3.2 3.
3 3.4 3.5 3.6 3.7 3.8 3.9 3.10 3.11 4.0 4.1 4.2 4.3 4.4 4.5 4.6 4.7 5.0 5.1 5.2 5.3 5.3 5.6 Contents INTRODUCTION BUSINESS CONTINUITY PLANNING Real Time Enterprise & BCP BC Components Evolution of BCP Creating Business Continuity Plans The Business Continuity Organisation & Policy PHASES OF BUSINESS CONTINUITY PLANNING Stages of BCP BC Models BCM & Strategic Planning Business Continuity Management & Organisational Culture Key Drivers for BCM Cultural Change BC Maintenance Process BC Audit Process Excercising BCM Maintenance of BCM Audit of BCM Deliverables DISASTER RECOVERY PLANNING Organising and Executing DR projects Business Impact Analysis & Goals Disaster Recovery Team Standardized sections of DR Plan Implementing Recovery Processes Technologies Disaster Recovery Components Ensuring Continued Effectiveness of DR Plan BUSINESS CONTINUITY MANAGEMENT The BCP Process Crisis Classifications Crisis management Teams Availability of Specialist Support Conclusions LIVE PROJECT FOR LAWRENCE Page 1 3 3 4 4 5 6 8 8 8 9 19 22 26 26 27 28 28 33 34 34 36 37 and 38 39 41 42 44 50 52 55 56 & 1
Symbiosis Institute of Telecom Management, Pune
_______________________________________________________________ 6.0 6.1 6.2 6.3 6.4 6.5 7.0 Annexure 1 Annexure 2 ASSOCIATES Company Profile Objective Methodology Findings Recommendations Future Trends Sample Questionnaire Glossary 58 58 58 58 59 59 60 62 65
_______________________________________________________________
CHAPTER 1 INTRODUCTION
According to some experts, Disaster Recovery and Business Continuity are two terms of advanced versions of old data backup and recovery tricks practised by IT Managers for many years. However, the solutions built around modern data storage technologies have transformed these basic data storage products into high-end sophisticated systems. According to a recent survey done by KPMG to gauge the preparedness of Indian Industry on Business continuity management, Majority of Indian companies including those in the information and telecommunication sector do not have any BCM plan in place. Industry experts feel that the recent scare of war in the subcontinent and the recent Gulf War and the War against terrorism has renewed the security concerns of overseas companies particularly after the September 11 episode. The companies that are already outsourcing to India or are planning to outsource in the future, are now quite sensitive about the security related issues. Indian software and services companies are facing immense pressure from the overseas clients to invest in business continuity and disaster recovery plans. Sanjay Dhawan, Executive Director, Information Risk management, KPMG confirmed, the companies will be under pressure to comfort their clients. In fact, BCP has become a critical part of the delivery model and you cannot do business without it. According to the KPMG Survey, 79% of the companies did not have a documented and tested BCM Plan and 64% of the companies that are highly dependant on IT do not have any plans in place to address business disruption risks. The survey also revealed that 64%of the organisations that responded, have not envisaged any kind of alternate facility to ensure continuity of business in case of a major disaster and 21% of the organisations were storing their entire backup data on site locations only. Ernst & Young Director of Information Systems Assurance and Advisory Services Sunil Chandiramani also agrees in this regard. Companies will have to take up security concerns more seriously to reassure their clients, he said..
_______________________________________________________________ This report analyses various issues related to the Business Continuity Planning and Disaster Recovery Systems. Chapter 2 deals in detail about the Business Continuity Planning. It also covers BCP Lifecycle, the SLA Management, and Business Continuity Components along with various issues in implementation. Asia Pacific Market trends are also included. BCP phases are covered in detail in Chapter 3. Chapter 4 deals with the Disaster Recovery Planning including the Disaster Recovery Architecture, Business Impact Analysis, Risk assessment, DR Strategies and various phases in DR. Chapter 5 deals with the Business Continuity management. Chapter 6 include a live business case implemented for a Software Services company based in Chennai by our research team. Findings and recommendations of the case are presented. Chapter 7 includes the conclusion and the future trends of the BCP solutions market in India and Asia Pacific Region. Annexure includes the pre-assessment form for the case included in Chapter 6 and the Glossary.
CHAPTER 2 BUSINESS CONTINUITY PLANNING

Business Continuity Planning means ensuring the continuity or uninterrupted provision of operations and services. Business Continuity Management is an on-going process with several different but complementary elements. Planning for business continuity is a comprehensive process that includes disaster recovery, business recovery, business resumption, and contingency planning. Business Continuity Planning, therefore, is a comprehensive process to ensure the continuation and improvement of business in the face of whatever challenges a firm may face. Continuity planning requires that these many processes be used together, to create a complete continuity plan. The plan must be maintained and updated as business processes change.
2.1 Real Time Enterprise and BCP Real time enterprises cannot afford to accept the risks associated with business continuity vulnerabilities because the consequences can be fatal. Business is moving faster than ever before with real time enterprises concentrating on the business process integration. There has been a significant reliance on partners in the value chain with faster flows and immediate responses. Yet, less than 25% of the Global 2000 enterprises have invested in Business continuity Planning and only 50% have fully tested disaster recovery plans. (Source: Gartner Symposium IT Expo 2002). In this tough environment, it is tempting to cut resources in business continuity planning. Many enterprises mistakenly view BCP as an insurance policy they will ever need. Yet thousands of enterprises have invoked their recovery plans with SunGuard and IBM BCRS over the past 10 years. Historically, BC was focussed on protection against unlikely but large events fire, flood, and natural disasters. With Real time enterprises, however even the smallest of interruption in service from a critical supplier or outside provider, or a potential business impact caused by the economy can have serious business consequences. Those enterprises which have BCP are confident in their ability to adapt and survive, whether the incident or situation facing them.
2.2 BC Components
Disaster Recovery
Objective Mission critical Operations Site or Component Outage (External) Disaster Recovery Plan Critical server failure Recovery site in different location
Business Recovery
Business Contingency Redemption Planning

External Event
Focus
Mission Critical Business Business Processing Process workarounds Site Outage Application (External) Outage (internal) Business Recovery Plan Electrical outage in a building Recovery site In a different power grid Alternative Processing Plan Credit Authorization system down
External Behavior forcing change to internal Business Contingency Plan Main supplier cannot Ship due to its own problem
Deliverable
Sample Events
Sample Solutions
Manual Procedure 5% Backup of vital 2 products; Backup supplier
Crisis management
The five components of Business Continuity Planning are disaster recovery, business recovery, business redemption, contingency planning and crisis management. The crisis management component addresses the management of the event, and the plans to protect the employees, and maintain the confidence in the business regardless of the type of business interruption. Real time enterprises do not change the five components of BCP. However, it places more emphasis on the enterprises contingency and crisis management plans because of the public nature of outages and the increasing reliance on external service providers for processing. It also shortens recovery point and time objectives towards real time-24 x 7 continuous availability. 2.3 Evolution of BCP Business Continuity Planning had evolved significantly during the past 20 years. In early 90s,BCP was IT disaster recovery, which provided protection from natural disasters and critical component failure by enabling recovery in another data center in about 72 hours. In the mid 90s,enterprises added business process protection, and recovery plans were developed. In late 90s,as enterprises re-engineered their business processes from the year 2000 remediation perspective, it became apparent that traditional recovery plans with 72 hour recovery periods were not good enough. Thus, enterprises significantly increased the spending to gain recovery times of between 4 and 24 hours. The evolution toward e-commerce resulted in yet another discontinuity affecting BCP. For many real time enterprises; a 4 to 24 hour site outage would cause irreparable damage to the enterprise. Consequently, many enterprises are Symbiosis Institute of Telecom Management, Pune 6
incorporating BCP into their business process, application and technology architecture designs and building in continuous 24 x 7 availability. Business continuity plan must now address new scenarios and BC processes must integrate with a greater number of enterprise processes. One of the most important lessons learned is that people issues need to take center stage in planning safety, communication and resiliency in workspace and process issues. As a result, crisis management plans and call trees are being created or updated, as are contingency plans regarding availability of outside service providers and partners. 2.4 Creating Business Continuity Plans PROCESS Change Management ducation E Testing Testing Group plans and Risk reduction procedures Create Planning organisation Recovery Strategy Risk Analysis Business Impact Analysis Policy Organisation Resources
Review Implement Standby facilities
Scope
Business Continuity Planning Initiation

Source: Gartner
The foundation of BCP success is senior management sponsorship and participation. Another critical success factor is building BC into enterprise culture by weaving BC processes into the life cycle of every project and change management process. In the requirements phase, the Business Impact Analysis (BIA) identifies what the enterprise has at risk and which business process are most critical, thereby prioritising risk management and recovery investments. The direct/indirect impact of business interruptions is assessed over time, resulting in requirements for recovery time and point objectives. Risk analysis identifies the enterprises vulnerability to risks so that they can be mitigated in the project design phase. In the architecture and design phase, recovery strategies and processes are developed. When cost of recovery is outside the project budget, enterprises most often go back to the business requirements to re-justify the investment or change the requirements. During construction, detailed plans and procedures are created by those responsible for daily operation of the processes. The recovery process must be tested prior to implementation to ensure that requirements can be met. A process is then established to keep the plan current by initiating a review of every change to business process or systems.
2.6 The BC Organisation and Policy BCP is an important cross-enterprise process, yet many enterprises do it poorly or inconsistently. Although it is clearly in the interests of enterprises to apply best practices to BCP Processes, most struggle to marshall resources, support and focus. From a pragmatic perspective, there needs to be a formal organisation, ideally reporting to the head of risk management or the Chief Operating Officer. The BC organisation is responsible for setting policy and structure, compliance monitoring and status reporting. The BC manager however does not develop detailed recovery plans All process are dependent on each other, so there must be a coordination process and resources to make sure dependencies are dealt with, but also to share knowledge, best practice and resources. Most organisations organising business continuity management within IT fail to develop effective enterprise wide BC Plans because of lack of credibility, funding or governance. BC Organisation Crisis Management Executive Sponsor Damage Assess BC Steering Council IT DR Team BC Manager Bus. Process Team
BC Team Audit
BCP Policy Objective Ensure that critical business activities are maintained or restored as quickly as possible following a major disaster/failure affecting essential services/facilities. Maintain confidence in the business, internally and externally following a disaster.
Scope All work processes, computing systems, information and third party business partners, regardless of location. Responsibilities Information owners must ensure that Critical processes are identified and prioritized. The potential impact of various types of disasters is regularly assessed. Responsibilities and emergencies arrangements are defined. All procedures and responsibilities are documented. The BC Plan is communicated to all necessary individuals. The business continuity plan is regularly tested. The business continuity plan is correct, complete and up to date. Compliance Internal audit and the BCM will regularly monitor for compliance, including publication of test results.
CHAPTER 3 PHASES OF BUSINESS CONTINUITY PLANNING

3.1 Stages of BCP
Stage 1: Business Continuity Management Strategies
Strategy is a broad and all encompassing term. It usually refers to formation of a vision and direction of an organization; setting mission statements, identifying markets and objectives so that the raison detre of the organization can be achieved. In the context of BCM, it concerns the determination and selection of alternative operating strategies to be used to maintain the organisations mission critical activities. Experience and good practice clearly identifies that the early provision of an organizational (corporate) BCM strategy will ensure BCM activities are aligned with and support the organisations overall Business strategy. 3.2 BC Models There are three basic Business Continuity Management modules:
Active/ Backup model: This traditional BCM model is based on an /active operating site with a corresponding backup site. This includes both data processing and operations. The model relies on relocating the staff from active top the backup site and maintaining backup copies of technology and data.
10
Active/ Active (Split Operations) Model: This emerging BCM model relies upon two or more widely \separated (geographically) active operational sites for mission critical activities that inherently backup for one another
Alternate site model: This BCM model provides a variation of the Active Backup and Active/Active models where a backup site periodically functions as a primary site for a period of time.
3.3 BCM & Strategic Planning When developing an organisations (corporate) BCM strategy there are three levels of strategic planning that need to be considered: Organisation corporate BCM strategy Process level BCM strategy Resource recovery BCM strategy
The current business trend of developing a virtual organization raises a number of specific issues that concern the intra-organisation sourcing and outsourcing of mission critical activities. In particular the dependencies and single points of failure; also the ability to provide alternative sources in the event of a catastrophic failure of sourcing mission critical activity (IES) provider. This trend reinforces the need for three level of strategic planning or Business Continuity management. Organisation Business Continuity Management strategy: It defines the highest level within which the BCM activities are aligned. Experience identifies that it is usually developed as a afterthought by most organizations when a no. of BCM approaches are already in existence and require to be incorporated in a cohesive and integrated BCM framework. The parameters regarding work area recovery must also be defined and agreed with this level; of strategy. If the very future of an organization depends on timely provision of shared or subscription office accommodation then these risks must be understood and agreed at the highest level. Symbiosis Institute of Telecom Management, Pune 11
Process Level business continuity Management Strategy: Most organizations have adopted the concept of defining their mission critical activities in the context of products and services. This applies equally to Mission critical activities of industrial or commercial industries e.g. financial sector. As a result, mission critical activities are not only products/ services in their own right but also represent key systematic processes that sense they perform a dual role. This differentiation is not only important to BCM but also provides a clear statement of significance to other areas and also an industrial or commercial industry on a global basis.
Due to their nature, these mission critical activities are so important that they justify their own BCM strategy and planning. An example of a need for process level BCM strategy is the Clearing House Automated payment system (CHAPS) that provides for same-day, high-value, financial payments processing within the financial service sector. In consequence of complexity and settlement coupling of CHAPS, there is a specific detailed BCM strategy for the payments clearing system alone. A generic BCM system is simply not strong enough for a process where failure would cause severe liquidity problems and shake consumer confidence in the financial services industry. Resource recovery Business continuity management strategy: It defines the strategy to employed for deploying appropriate resources as a part of Business continuity plan (BCP0. This type of strategy provides the practical link between Business impact analysis (BIA) and the development of Business continuity Plans.
When developing any level of BCM strategy, there are a number of strategic options that must be considered. These include: Do nothing: A low risk criticality and a do nothing BCM strategy may be acceptable within an organizations risk appetite.
12
Processing transfer:
The diversion of mission critical activity to another
organization or alternative part of the host organization e.g. the high value/priority Bank Automatic Clearing Service(BACS) payments via CHAPS. Reciprocal agreements can work in some selected services but due diligence must be taken while establishing this type of arrangement. Such arrangements must be enforceable and subject to testing via Service level Agreements (SLAs) or formal contracts. Changing or Ending the service, product function or process: deciding to change or end a service, product function or process must be considered a part of the process strategy within the BCM process. This approach is cost likely to be seen when where a product has a limited life span. Insurance: Provides financial recompense/support in the event o\f a loss of reputation, market share and/or shareholder value and/or damage to the brand image. The organistions brand in\mage ort reputation are generally recognized and frequently quotes as being of considerably higher value than all of the other organization/ business asset but are often overlooked in favor of short-term financial loss. Most organisations will have and increased cost of working policy that will usually cover invocation costs of BCM solutions. In addition, business Interruption insurance can be provided but this requires a detailed business impact Analysis to be performed in order to evaluate correctly the level of insurance cover purchased. Loss Mitigation: The provision of risk control management (threats, impact and vulnerability) and action plans. Business continuity Management: The improvement of an organizations business resilience to loss, disruption or interruption of its Mission critical activities, their dependencies and single points of failure by providing for their continuation at an acceptable minimum level within the recovery time and recovery point of the
13
objectives. This approaches the three continuity strategies to enable an effective and fit-for-purpose BCM acceptability. Organisation (Corporate) Business Continuity Management Strategy
Introduction An organizational (corporate) BCM strategy is key to positioning and advancing business continuity. Most organisations require BCM to be designed and implemented within organization design and structure I.e. a top-down framework where BCM policy and strategy provide vision and direction. AN organizational (corporate) BCM strategy is a living document that encompasses and unifies other BCM related activities. In developing the process Level and resource recovery BCM strategies, the reference should be made to the organizational (corporate) BCM strategy as there are clear dependencies and a direct transition between invocation of one progression toi other(s). Purpose The purpose of an organizational (corporate) Business continuity Management strategy is to provide a clearly defined and documented policy, framework and operational direction to ensure the resilience and continuance of an organizations mission critical activities , their dependencies and single points of failure.
14
Process Level Business Continuity Management Strategy:
Introduction Every organization should, as a matter of good business practice have defined and identifies its Mission critical activities via a Business Impact Analysis. This maxim applies equally to systematic mission critical activities of industrial or commercial industries e.g. financial markets. Consequently, mission critical activities are not only products/services in their own right but can also represent key systematic processes of an industry that are critical to customer service and stability of a particular industry itself. In this sense, they perform a dual role. The global nature of modern business; their (automated) processes, high reliance on technology, together with their coupling and complexity, illustrates the catastrophic potential and scale of the business impact consequent upon the failure of systematic mission critical activities. This differentiation is not only important to business continuity management but also provides a clear statement of significance to other areas of an organization e.g. audit, operation, risk, information technology security and also an industrial or commercial sector e.g. regulators and federal banks.
Examples of mission critical Activities at an organization level (service/products) and/or a systematic nature of both a national international level include:
Financial payments processing and cleaning. Just in time (JIT) supply chain Data centers Call centers 15
Due to the very nature and significance of these mission critical activities (processes) each must have its own recovery strategy. This provides a clear statement of how the organization/industry will provide protection and BCM that reflects both types of Mission critical Activity.
In determining the process; level BCM strategies, reference must be made to the organisation (corporate) BCM strategy as they have a direct relationship. Resource Recovery Business Continuity Management Strategy
The resource recovery business continuity management strategy will of necessity have a major influence on the business continuity plan for each mission critical activity its dependencies and single point of failure. It is directly linked to the Business Impact Analysis (BIA) e.g. if work area recovery is necessary, then the strategy must evaluate and document specific parameters for :
Dedicated work area-scale, location and nature (in-house to third party) Syndicated or subscription work area- scale, subscription ratio, exclusion zone, etc. Business response/ cold work area- scale, subscription ratio, exclusion zone, etc. Mobile recovery solutions- builds time, scale, subscription ratio, exclusion zone, etc.
16
In determining the resource recovery BCM strategy reference must be made to both the process level BCM strategy (ies) and the organisation(corporate) BCM strategies.
Purpose Purpose of a resource recovery Business continuity management strategy is to
provide a predetermined level of resources within a Business Continuity Plan (BCP to enable the implementation of organization (corporate) BCM strategy and Process level BCM strategy.
Stage 2:Develop And Implement A Business Continuity Management Response.
Introduction Crises and Business Continuity Management (BCM) events have historically centered upon physical threats to geographic sites, buildings, people, mission critical activities and their dependencies regardless of size or location. However as organizations, business and communications dynamics change so do the type of threats facing the organizations. Whilst still exposed to physical threats, an organization is even more exposed to reputation threats attacks on its brand image. Consequently, an organizations reputation, image and brand is judged by media, market, stakeholders and regulators upon its ability to effectively manage a crisis or business continuity event and continue to provide business as usual services and
17
products. The inability to fulfill these aims., or a badly positioned or a wrongly perceived media response can result in a negative image and increased negative media profile. These in turn may lead to regulatory, stakeholder or market pressures through concerns over the effectiveness of the organisations crisis and/or BCM competence and capability.
As far as is reasonably possible, the different types of BCM and crisis management plan(s) predefine the actions that are necessary and the resources needed to achieve the objectives if the plan. The steps outlined in the plan are not intended to provide an exhaustive list or cover even eventually, as by their nature all events and crises are different. Consequently, the predefined procedures are not to be interpreted as the only course of action as it is recognized, there may be an exceptional case where they may need to be modified to meet the needs of a specific business continuity or crisis event.
There are primarily three types of Business Continuity Management plan that may also be divided into a number of sub plans, e.g., Communications. Business Continuity Plan Business Continuity Resource Recovery and Solutions Plan Crisis Management Plan.
The content and level of detail within each type of plan is dependent upon the nature, scale and complexity of the organization and based upon its risk profile, appetite and the environment in which it operates.
A Business Continuity Management and Crisis Management Plan include a number of key constructs that include: Databases Documents
18
Solutions Time based Objectives Tasks and activities required to achieve time-based objectives. Procedures/Processes. Information Structure Teams
There are two main components to delivering an effective and fit-for-purpose Business Continuity plan and Crisis Management Plan and their supporting capability: The formulation of business continuity/crisis solutions, logistics and structure that support the plan. The development and documentation of the plan itself.
A further critical factor in development of all different types of BCM plans is t eir h exercising, rehearsal and testing. In particular, no plan should be considered
complete until it has been exercised, rehearsed, tested and signed-off as effective and fit-for-purpose by the plan owner and the organisations executive/senior management. This latter aspect further highlights the critical element of competency of human resources that enables the effective capability of the whole process.
Business Continuity Plan: addresses business disruption, interruption and loss from the initial response of the point at which normal business operations are resumed.They are based on the agreed business Continuity strategies and provide procedures and processes for both business continuity and resource recovery teams. In particular, the plans allocate the roles and their accountability, responsibility and authority. The plans must also detail the interfaces and principles for dealing with a number of key issues e.g. internal/external communications, key suppliers, external bodies, emergency services and the media.
19
Business Continuity Recovery Solutions and Plan: concerns a number of BCM resources, solutions and approaches available to the BCM practitioner e.g. technical IT recovery (Server, WAN, LAN, etc.) work area recovery, offsite storage.
Crisis Management Plan: is usually developed by large corporate organizations. It defines how the strategic issues of a crisis affecting the organization would be addressed and managed. This component is vital in large and corporate organizations to ensure there is a robust and cohesive response to any crisis. This same crisis management response process and structure can be applied to any type of crisis and is not restricted to natural crisis situations. E.g. earthquake, tornado, fire or flood but man-made business and industrial crisis e.g. hostile take-over, credit risk, reputation risk, environmental pollution, criminal activity and health.
Stage 3: Building and Embedding E-Business Continuity Management Culture
Introduction The successful embedding of a Business Continuity Management (BCM) culture within an organization is primarily dependent upon it becoming an integral part of the strategic and day to day management ethos in contrast to its traditional organisation (corporate) culture concerns the deep seated and embedded beliefs and values held by members of an organisation and its strength should not be overlooked or dismissed lightly. Organisational culture promotes shared values, operating norms, styles and regularly pursued patterns of behavior and is frequently described as the
20
way
to
do
things
around
here
or
what
we
have
to
do
to
get
on..
. 3.4 Business Continuity Management & Organisational Culture Achieving cultural change is a difficult and lengthy process. It needs to be fully understood and can encounter a level resistance that should not be underestimated. The use of education, awareness training and participation have all been used to effect cultural change.
The documentation of a BCM strategy(ies) and plan(s) represents a narrow and limited method of developing a BCM culture. The overall success depends upon number of approaches.
A key element in developing a sustainable BCM culture within an organisation is the preparation and delivery of a programme to create corporate awareness and enhance the skills knowledge and experience required to implement, maintain, manage and execute Business Continuity Management.
21
Equally important in establishing a BCM culture and operating environment is the vision statement and visible proactive support of the organizations executive, senior and middle management. Whilst commitment from the top is an essential condition for developing a BCM culture, it is not sufficient. The key requirement is to win over the middle managers and operational staff who have to implement Business Continuity Management.
A further key consideration is that BCM should not be presented as solely a facilities or IT specialist or otherwise ownership is actually and culturally seen as being within these areas in contrast to the various parts of the organization where the operational risk originates and should continue to reside.
It is also essential to commit to periodically maintaining and reviewing the organisations BCM policy, strategies, plans, framework and solutions or the investment made in its preparations will have been wasted. Similarly, training and awareness must be undertaken to ensure that the entire organisation is confident, competent and capable. All individuals must appreciate and recognize the importance of BCM in an organisation and their role within it.
This awareness should extend to those shareholders and third parties (sourced service providers upon which the organisation depends in normal and crisis situations. In adopting this change management approach, all those associated with the organisation can have confidence in its ability to manage a crisis, and the embedding of a successful culture will begin. Purpose The purpose of building and embedding a sustainable Business continuity management culture within an organisation is to ensure that BCM becomes and integral part of strategic and day-to-day business and usual operational
management.
22
Outcomes
The outcomes from a training, awareness and cultural development programme include: The acceptance and implementation of BCM as a professional management discipline. An organizational culture that ensures BCM activities and considerations are integral to the business as usual activities throughout the organisation at all levels. The proactive hands-on promotion of BCM by the organisations executive, senior and middle management. An organizational, managerial and staff BCM competence to execute the organisations BCM strategy. An awareness and understanding by the organisations management and staff of the importance of BCM and their roles, accountabilities and authorities within it. An ongoing BCM education and awareness programme. A performance management and appraisal system that explicitly recognizes and reinforces the importance of BCM. Job descriptions and associated skills that include BCM at all levels within the organisation. A rewards and recognition system that explicitly recognizes and reinforces the importance of Business Continuity Management. An ongoing programme of BCM training for those directly involved in the implementation, maintenance and execution of organisations BCM capability. A clearly defined and documented management information system to monitor and evaluate the BCM awareness and competency of the organisations staff and managers.
23
3.5 Key Drivers for BCM Cultural Change The key components in developing and embedding a Business Continuity Management culture include: A clearly defined and documented BCM vision and policy statement agreed and signed off by organisations executive/senior management. A clearly defined, documented and published BCM vision implementation (change management) project plan agreed and signed off by organisations executive/senior management. Financial and other resources to implement the BCM vision project plan. Financial and other resources to enable professional BCM training and associated education. A clearly defined and documented BCM education and awareness programme agreed and signed off by the organisations executive./senior management. This should facilitate and enable the organisation-wide understanding of the organisations BCM strategy, in particular awareness of why BCM is important and their individual roles, accountability responsibility and authority within the BCM process. The awareness programme should include all organizational staff and key external stakeholders e.g. key customers and suppliers. Rewards and recognition is one of the methods that can exert influence upon what is seen as an important and how it is done. In particular, it makes explicit to individuals and groups what the organization sees as important. Performance management and appraisal system are a further process that can exert influence on what is seen as important by the organization. The way that individual and group performance is measured is of particular importance. When performance measurement is linked to performance appraisal, it acquires a systematic and hierarchical perspective. When performance and its measurements are aligned to rewards and recognition, it provides a strong incentive. This process ensures the active involvement of managers and staff
24
at all levels of the organization, especially the operational middle management who have to implement and maintain Business Continuity Management. A clearly defined and documented BCM awareness programme agreed and signed-off by the organizations executive/senior management. A clearly defined and documented internal and external awareness and education communication and public relations programme agreed and signedoff by the organisations executive/senior management. A clearly defined and documented BCM exercising programme agreed and signed-off by the organizations executive/senior management. A clearly defined and documented BCM maintenance programme agreed and signed-off by the organizations executive/senior management. A clearly defined and documented BCM audit programme agreed and signedoff by the organizations executive/senior management. Professional BCM trainers. Professional change management facilitators/team.
Frequency And Triggers An organizations Business continuity Management awareness, training and
cultural development programme is an ongoing process. However, there are specific events that should determine its frequency or trigger its review. These include: The performance and appraisal process. The BCM maintenance and review process. The BCM audit process. Formal induction process for all new staff and managers. The exercising, rehearsal or testing of the BCM competence and capability. Live invocation of the BCM process.
25
Where the pace of business change is particularly aggressive. Deliverables The deliverables of Business Continuity Management training, awareness and cultural development process include: A clearly defined and documented BCM vision and policy statement agreed and signed-off the organisations senior/executive management. Business Continuity Management awareness aide-memoirs. A clearly defined and documented management information report concerning the monitoring and evaluation of the BCM awareness of organisations staff and managers. Stage 4: Exercising, Maintenance And Audit.
Exercising An effective fit-for-purpose Business continuity Management (BCM) competence and capability cannot be considered reliable until it has been exercised and proven as workable, especially since false confidence may be placed in its integrity. Consequently, exercising the Business continuity Plan assumes considerable importance in establishing the BCM competence and capability of an organization.
Exercising can take various forms for the technical test of the communication system, a desktop walkthrough to a full live exercise. No matter how well designed and through-out a BCM strategy or Business continuity Plan; a series of robust and realistic exercises will identify issues that require attention. In addition to suggesting
26
a perfect plan flawless exercising also suggests the adequacy and realism of exercising he needs to be challenged and reviewed.
Time and resources spent in exercising BCM strategies and Business continuity Plans are crucial parts of BCM as they enable competence, instill confidence and knowledge that lead to fit-for-purpose BCM capability that is essential at times of crisis and uncertainty.
Highly automated systems require high reliability and should be designed to test routinely in the course of normal operations. These tests may be invisible to customers and operations staff alike. Testing such systems may entail switching off items if equipment to monitor any service effects or transferring service to another location without any or very limited service impact. There should be no sense of crisis or diverting of resources to testing. It should all be catered for the design of business as usual. 3.6 BC Maintenance Process Most organizations exist in a dynamic environment and are subject to change in people, process, market, risk environment, geography, and business strategy.
In essence to retain its effectiveness, it must be vigorously maintained. In particular it ensures the continuity of competent and capable key people who clearly understand their BCM roles and responsibilities to implement the BCM strategies and Business Continuity Plan in the event of an incident occurring. A clearly defined and documented BCM Maintenance programme and process must be established further, effective documented change control procedures
implemented to ensure relevant stakeholders have the current and relevant parts of the Business Continuity Plan. Business continuity Management maintenance activities should be agreed and proactively supported by senior management, and undertaken at all levels at which it is managed within an organization.
27
3.7 BC Audit Process The BCM audit process also plays a key role in ensuring that an organization has robust, effective and fit-for-purpose BCM competence and capability. It has five key functions: 1. To independently verify and validate compliance with the organisations BCM and crisis Management policy, strategies, framework and good practices guidelines and/or standard adopted by the organization. 2. To independently review the organisations BCM solutions. 3. To independently verify and validate the organisations BCM and crisis management. 4. To independently verify and validate the key exercising and maintenance activities are taking place, in line with the relevant programs, processes and the organisation BCM and crisis management framework and good practice guidelines and/or standards adopted by the organization. 5. To highlight key material deficiencies and issues and ensure their resolution. 3.8 Exercising BCM
The development of a BCM competency and capabilities achieved through a structured and consistently applied exercising programme. To be successful, an exercising programme must begin simply and escalate gradually. It is also important that only the resources that are planned to be available during the actual business continuity event and/or available during the exercise. The adoption and application of
28
a structure and application of a structured and systematic approach to the development and implementation of an exercising programme will promote a greater understanding of the functioning of the BCM processes by all individuals associated with it. Exercise Test A means of examination, a trial or proof. A pass or fail situation. Failure in the testing context must not be seen as a negative result. It is designed to ensure learning and continuous improvement. As a result, failure is considered a positive or beneficial outcome. An act of employing or putting into use. Training
Rehearsal A practice or drill
3.9 Maintenance of BCM
In contrast to many narrow plan based Business Continuity management models, the BCM maintenance process is about maintaining the whole of an organisations BCM competence and capability and not just the Business Continuity plan. This critical distinction is frequently overlooked by the organizations that consider BCM to be a Business Continuity Plan.
29
The Business Continuity management Maintenance programme is concerned with a complex BCM process and requires interaction with a wide range of managerial and operational roles from both a business and technical perspective. 3.10 Audit of BCM
A key focus and maxim in the auditing of an organisations Business Continuity Management capability is the audit of BCM process and consequently the BCM competence and capability This approach recognizes and assumes that if the process is correct and properly applied, then the outcome should provide an effective and fit-for-purpose BCM competence and capability.
The business continuity management audit like BCM planning, implementation and maintenance is concerned with a complex process and requires interaction with a wide range of managerial and operational roles from both a business and technical perspective. A key issue is the role and perspective of the auditor and audit function; it is one of the impartial reviews against defined standards. Whilst the audit (or) may be fully aware and/or identify the reason for BCM shortcomings and organizational difficulties and audit has no option but to clearly identify the BCM competence and capability gaps; this is an integral part of the objective of auditing and non-compliance is unacceptable. An integral part of the audit is to provide remedial recommendations.
30
A further key consideration is that each stage of BCM life cycle may require a different audit approach. This audit approach is solely dependent on the maturity of each stage of the BCM life cycle i.e. none, novice, intermediate, advanced and mature. Consequently the traditional proactive audit process should be seen as an enabling process to achieve a particular management objective(s). Purpose The purpose of BCM audit is to scrutinize an organisations existing BCM competence and capability; verify them against predefined standards and criteria and deliver a structured audit opinion report. Stage 5: Business Continuity Management: Programme Management
To be truly effective, business continuity management must be a business as usual management process driven from the top of the organisation. It has to be clearly set out in an organisation vision statement that is fully endorsed and actively promoted by the Board of the Executive committee.
A member of the board or the executive should be given overall accountability for the effectiveness of the BCM competence and capability. This ensures that a BCM programme is given correct level of importance within the organisation and a greater chance to effective implementation. The Financial Services Authority (FSA) considers that BCM is a cost of doing business and needs to be funded properly.
31
Dependent upon the size of the organisation, a number of professional BCM practitioners and staff from other management disciplines and departments may be required to support and manage the program albeit this may use a virtual management structure. A further consideration is the recognition and need to manage the BCM programme at both operational and organisational levels.
It is also critical at the genesis of the organizations BCM programme to design and fully integrate the management process and structure to assure the various elements identified and described with the BCM lifecycle and Business continuity institute Good practices guidelines.
A key to successful management of a BCM programme is the early appointment of clearly defined and documented roles, accountabilities, responsibilities and
authorities within an organisation and is done because it adds value not just because it is required by regulation or legislation.
3.4 Purpose
The purpose of management process is to provide effective and efficient ongoing (virtual) management and assurance (performance management) of the
organisation's BCM (including crisis management) programme. 3.5 Outcomes
The outcomes of BCM (including crisis management) programme management include" The assurance of provision and maintenance of an effective, up-to-date and fitfor-purpose BCM competence and capability.
32
The overall management of organisation's BCM programme is effective, efficient and fit-for-purpose. A management process that is an integral part of the organisation's BCM programme and life-cycle. Business managers within the organisation are fully aware that BCM is a part of their business as usual management accountability of BCM remains firmly within a business line i.e. it cannot be outsourced. The robust and ongoing challenge and review of organisation's risk profile and appetite. The provision of annual BCM budget bid/audit. Assurance that BCM is undertaken and based on value based management principles. A management information system that provides details of the current state of the organisation' BCM programme. The focus of BCM upon organisation's mission critical activities, their dependencies and single points of failure at a product and service level. The BCM is based on end to end (E2E) approach in the context of product and service delivery. The optimizing of BCM companies efficiencies e.g. common infrastructures, industry collaboration and standard work area recovery solutions. The optimizing of business process, product and service resilience availability. Assurance that organisation's BCM policy, strategies and operational framework are up-to-date and fit-for-purpose. Assurances that the suppliers of the organisations mission critical activities and/or their dependencies have an effective, up-to-date and fit-for-purpose BCM capability. Assurance that all new projects are not signed-of without a business impact analysis and BCM strategy being in place.
3.11 Deliverables
33
The deliverables of the management of the organisation's business continuity management programme include: A clearly defined and documented management programme respect of the organisation's Business BCP programme that is agreed and signed-off by the
organisation's executive/senior management. continuity management assurance reports at a predetermined
frequency that are agreed and/or signed-off by organisation's executive/senior management. The BCM programme annual budget bid and audit reports that are agreed and signed-off by organisation's executive/senior management.
34
CHAPTER 4 DISASTER RECOVERY PLANNING
Change Management
Education
Testing
Review
Ongoing Process Maintain Test
Backup/Recov ery Processes
Documentation
Standby Facilities
Implementation Recovery Strategy/Technology

Downtime Impact Critical Applications
Recovery Times
P R 35 O J
Risk Assessment Is our Business Continuity Program Sound?
Business Impact Analysis(BIA) What is Essential to The survival Of the Business?
IT Recovery IT Disaster Strategy Recovery Development Plan(DRP) Does the IT Recovery Strategy Support what's Essential?
Business Continuity Plan (BCP) Is the IT How do Disaster we Recovery Continue plan to complete & Delivery Executable? Products & Services after disruption?
Plan Maintenance
How do we keep our plans up-todate and executable?
4.1 Organising and Executing Disaster Recovery Projects Establish baseline by determining "as-is" position 36
Identify business recovery time objectives Identify strengths and weaknesses Conduct gap analysis for risk mitigation Identify process improvement alternatives Develop short-term and long-term risk-mitigation strategies Develop "to-be" position Develop implementation plans
The first steps of a disaster recovery project are executed as part of a broader business continuity effort. The business continuity planning initiation phase defines the project scope and goals, defines initial organizational responsibilities and assigns the resources required to undertake a business impact analysis. The BIA quantifies the risks and costs of various types of outages and provides the information needed for subsequent project steps. The BIA identifies critical applications, recovery time objectives and recovery point objectives. Once these a re known the project work to determine a recovery strategy and the appropriate technology can be completed. The implementation phase focuses on the deployment of the backup processes needed to support the recovery strategy and building and documenting the administrative processes that will support business continuity. The next stage is iterative testing and improvement. This is followed by a maintenance phase that requires good change management processes, process integration with the application development cycle and periodic testing. 4.2 Business Impact Analysis Goals There are three major goals for the business impact analysis phase: 1) Identification of the processes that are critical to the profitability and continued viability of the business , 2) quantification of the financial and operational impact of an outage over time and 3) a determination of the recovery priority, recovery time and recovery point for each application that supports a critical business process. The business impact analysis is extremely important because it establishes a business context for disaster recovery. An effective BIA can move disaster recovery from a back office IT expense to a strategic project required to ensure the long-term viability of an enterprise. All too often, the IS organization is given a disaster recovery budget and is left to make most of the decisions. The BIA puts funding and priority decisions in the right place with the business process owners. It can also generate the project support and funding needed to implement and maintain an effective disaster recovery program. A comprehensive BIA examines all implications of an outage. The cost of an outage will vary depending on the processes involved, the competitive environment and the length of the outage. Costs can be incurred from lost sales Symbiosis Institute of Telecom Management, Pune 37
productivity and cancelled orders. Regulatory, legal, insurance and contractual exposures also need to be considered. Many industries are facing an increased burden of regulatory requirements in this area. The Gramm- Leach- Bliley Act, the expedited funds act and SAS70 audits all require effective business continuity plans for the financial services and banking industries. Enterprises seeking business disruption insurance must submit the evaluations and audits of the insurance industry. A BIA can highlight a downward spiral of lost revenue, shrinking cash flow, increased expenses and a loss of shareholder confidence that could threaten the viability of the business. Once the impacts of a business disruption are modeled, the next steps are to: 1) identify the applications that support critical business processes, 2) determine a recovery time objective for each critical application and 3) determine the recovery point objective. Once this information is organized, applications can be assigned to recovery tiers that bracket recovery time requirements. This exercise is important because it enables an enterprise to focus spending and effort on the most critical business processes. Enterprises that do not develop recovery tiers may find that the disaster recovery program is either too expensive or does not deliver the required level of service to some applications or business areas. It is very important to express the business impact assessment simply, in summary form, and in terms that are meaningful to business areas. This is a sample of a high level summary by application that expresses financial impact, service impact, legal/ contractual impact and the resulting recovery priority. It is useful to define three or four recovery properties. For example, priority 1 applications must be recovered in the first 24 hours, priority 2 applications within four days and priority 3 applications within 10 days. The key to effective risk- mitigation strategy development is knowing where we are today, knowing what our exposures are, understanding what the business impact is, knowing what the business requirements are from a recovery point and time position, knowing that the recovery strategies that have been developed truly support these business requirements, understanding where our gaps are and what needs to be done in order to position our company to being able to effectively recover all mission critical processes and functions required for business resumption. Effective recovery strategy development can be accomplished utilizing numerous technical strategies to achieve recovery time objectives ( RTOs) and recovery point objectives ( RPOs) that can be implemented in a cost effective manner. Many companies that do not perform this function well end up spending more money than they should and more than likely still have gaps in their processes.
38
4.3 Disaster Recovery Team

Disaster Recovery Director
Customer Team
IT Team
Management Team
Security
Application Development
IT Operations
Systems Software
System Administration
Telecom
Hardware
Facilities
A broad team is needed to develop and implement a disaster recovery plan. The application users and business process owners need to be involved and informed, because they are the major stakeholders and because they have the risks that need to be mitigated. The customer team needs to be involved in disaster recovery planning and testing, since the end user is the ultimate judge of application function and data integrity. Application development and support areas need to help with high- availability architectures and the development of application recovery strategies. The system software group is responsible for developing backup and recovery processes for operating systems.
39
Systems administration ensures that systems can be customized for specific use and that the requisite user definitions are recoverable. It operations plays a major role in both the development and ongoing execution of the system an application backup and recovery strategy. Network, hardware and facilities engineering groups are also needed to ensure the recovery of necessary IT infrastructure components. We also think that it is a good idea to make the disaster recovery position a 12 to 18 month assignment. The advantage is a build up of trained disaster recovery managers within the organization over time. It is imperative that the plan development be generated utilizing a software tool designed for disaster recovery and business continuity plan generation in order to simplify the plan maintenance and updating. There are numerous software packages in the industry today that perform this task quite well and offer relational database technologies for porting and exporting of information via automation techniques. The most important element of a successful plan is that the recovery steps are documented in such detail that that technical knowledge and special expertise are not required during execution of the documented steps. A common problem area that exists today in many companies is that they simply create a plan to satisfy an audit item and never truly validate or test the plan to see if it is executable. A lesson learnt from September 11th is that it is not wise to learn that our plans dont support the business recovery efforts during or following a disaster event. Test and validate our plans as part of our recovery strategies. 4.4 Standardized sections of DR Plan Policy Overview Recovery Actions Team Procedures Command Post Guidelines Organization Notification List Recovery Strategy Offsite Data
40
Hardware Configuration Software Configuration Network Configuration Damage Assessment Vendors / Phones
Although the goal of DRP is to recover critical applications, the scope of the project must encompass every It infrastructure element on which the application depends. Recovery facilities are needed at an appropriate distance from the primary site. The facility needs to be independent of the risks that are being mitigated, and the appropriate distance will vary based on a number of factors. Arrangements must be made to provide required common systems services such as directories, Domain Naming Systems (DNS), messaging and middleware. Network connectivity must be provided with the recovery site and the location of end users that have not been affected by the disaster, as well as those that may be relocated to user recovery areas. 4.5 Implementing Recovery Processes and Technologies An application by- application approach to disaster recovery projects provides the most flexibility and supports a tiered recovery strategy. An effective strategy requires understanding and documentation of all dependencies. Dependencies exist at the network, hardware, operating system, application software, data, user administration and process levels. There may also be cross- application dependencies; One application might create data that is required by another application. This creates a requirement for synchronized backup and recovery of both applications. In many cases, application recovery is really the recovery of related sets of applications. The best method for data synchronization is inserting sync-point transactions enabling application/ data consistency. It is also important to test various application recovery scenarios, including out of order transactions, application server and integration broker recovery and user impacts.
41
4.6 Disaster Recovery Components
SYSTEMS APPLICATIONS
APPLICATION DATA
FACILITIES
COMMON SERVICES 1. Directions 2. Messaging 3. DNS 4. Middleware
As UNIX and NT systems proliferate, many IS organizations are finding that the speed of disaster recovery is constrained by the ability to recover the underlying system infrastructure. System level recovery has become increasingly difficult as critical applications are deployed on less-scalable systems , because of the sheer number of system images involved. The recovery of a system is really the recovery of four distinct data types 1) standard system image the base OS, 2) system software, 3) administrative data, including user definitions and security information and 4)hardware configuration data parameters and configuration data that establish a unique OS and program product software. It is possible to use products that automate the system creation process and to organise system information and automate system level recovery in the context of disaster recovery. Off-site tape provides cost effective disaster recovery for applications that do not require near real time recovery. The general approach to tape based disaster recovery is to duplicate local backup tapes and send them to an offsite vault. Enterprises should include tape duplication and off site media management capabilities in the backup product selection criteria. Enterprises should review tape creation and vaulting processes to ensure that off-site tape storage meets recovery time and recovery point objectives. Although recovery times are typically measured in days, it is possible to achieve faster recoveries when parallelism is designed into the backup and recovery processes. The general approach is to organize the data onto the backup tapes such that a maximum number of tape devices can be employed simultaneously for recovery. This usually requires a backup process that generates the same Symbiosis Institute of Telecom Management, Pune 42
number of data streams that will be used for the recovery. It may also require wasting tape media capacity or reorganizing off-site tapes contents to organize tape data for fast recovery. Disk remote copy uses back-end connections between a local and a remote disk subsystem to replicate every local write to the remote disk subsystem. The secondary copy is not directly accessible as long as replication is active. To date, most implementations have been synchronous. Enterprises should expect their DBMSs to restart in the event of a disaster and should provide normal recovery at the disaster site, including database rollback to the last committed transaction. Journaling and shadowing products enable replication of databases by reading the re-do logs, shipping the transactions to a target/secondary system and applying the transactions to a replica database. The replicas can be used for horizontal application scaling by moving query and reporting activity off the production system. The requirement to employ a different replication method for each database type and for non database information can result in higher operational complexity than what is seen when a generic hardware solution is employed across all systems. Examples
Platform
OS/390 IMS and DB2 Oracle Database Oracle Table space Windows SQL Server DB2/400
Product
ENET RRDF Oracle Standby Database Quest Software Share Plex SQL Server EE- Log Shipping Data Mirror High Availability Suite
Host software replication products install functions that intercept write activity on the primary system, ship the write over a network session to the secondary system and apply the write to a remote copy of the file system or logical volume. The primary advantage of this approach is lower cost when compared to hardware-based replication with specific high-availability clustering production. 4.7 Ensuring the Continued Effectiveness of a Disaster Recovery Plan For disaster recovery plans to remain viable, configurations and capacities need to change at about the same rate as the primary environment. A static DRP will
43
no longer provide meaningful protection to an enterprise. Therefore, it is imperative that processes are developed to maintain the plan. There are two primary areas that need to be addressed: the deployment of new applications, and changes to existing applications. Disaster recovery requirements should be discussed when operations and IT service requirements are initially determined. This approach will most likely result in the funding of disaster recovery capabilities out of the application project budget. The DR impact of changes should be evaluated as part of a general change management program. The change management program should also evaluate the disaster recovery applications of changes to storage, server and network resources. In addition to discovering changes that affect the DR plan, enterprises need to develop processes that drive changes to the recovery site and provide timely updates to recovery processes and documentation. Periodic testing is needed to uncover and address the changes that inevitably creep up undetected. A disaster recovery plan must be documented at a detailed level to eliminate dependency on people from the primary site. A disaster recovery plan must be indexed by a database and should be readily accessible to all that need to update or reference it. A strong disaster recovery planning effort requires strong management support and the active participation of many businesses and IT areas throughout a corporation. The effort begins with an assessment of business risks and a quantification of the cost of downtime by application. The risk assessment is used to set application recovery time and recovery point objectives. These recovery point objectives in combination with the cost of downtime can be used to determine the appropriate recovery or high-availability technology. A DRP needs to be documented at a level of detail that enables execution by non-experts. The plan needs to test on a regular basis. Disaster recovery needs to become ingrained in the corporate culture and imbedded in an enterprises change control and application development processes.
44
CHAPTER 5 BUSINESS CONTINUITY MANAGEMENT

There is an increasing awareness that any company wishing to remain competitive and successful must be protected, through the ability of the organization itself, to continue profitably in the event of any serious business interruption. This is where Business Continuity Management (BCM) can be effective in taking reasonable steps in response to unreasonable risks. This in turn leads to an ability to prevent chaos in a crisis where some or all of the following phases unfold: -
Often, when a disaster recovery plan does exist, it has never been tested: these tend to be paper plans only and their thickness and the 'confidential' stamp do not ensure they are relevant. A Business Continuity Plan (BCP) should be an operational tool. Not just a reference whose purpose is to reassure everyone when things are calm.
45
It should be the result of a continuous process, of which the document marked 'plan' is only the written presentation of management competence to be adhered to in the event of a likely crisis. Organizations sometimes fail when faced with the 'abrupt audit' of a crisis when they could have actually prospered. This may have been a consequence of any of the following:
Key business functions and managers being unconnected within a disaster recovery or BCP. Early signals that things were going wrong, or were about to go wrong, were not interpreted correctly. The interdependency of key business functions was not fully appreciated. Crisis in one area can have an immediate knock-on effect. No recovery plan had been prepared and tested to respond to a sudden loss of IT systems and databases. No training & awareness of the need for effective media handling in a crisis existed. Consequently organisations have been poorly portrayed and reputations suffered unnecessarily. No one had been prepared to form a crisis team, to look at the total situation, and consequently time was lost. Crises induce chaos, resulting in disasters, even though the cause might not have been considered serious to start with.
Following a disaster organisations have sometimes been unrealistic about the value of an insurance policy, or have concentrated solely on IT recovery. Whilst insurance is especially important the fact remains that uninsured costs (fines, loss of experience, adverse publicity, re-training etc.) frequently exceed insured costs after a crisis. This is one reason why risk awareness should be integrated into the overall management process so that it gets the proper amount of attention in relation to all the other business demands. Similarly, being able to r cover IT systems and databases is crucial for most e companies, but this should not risk ignoring the continuance of other key business functions in a catastrophe. In particular, the ability of a Crisis Management Team to act swiftly, with confidence and according to a tested plan can, on its own, determine failure or success. That is not to say that insurance cover is in any way unnecessary. It is very important indeed, but it should be seen, similar to IT recovery strategies, only as part of the solution within effective Risk Management and, with a view to crisis management, BCM.
46
When a crisis happens management is placed in the spotlight. This can, on occasions, lead to a comparative increase in share value - where management, often acting as a Crisis Team, has demonstrably been efficient. BCM is an ongoing process designed to link some special tasks all aimed at keeping the business afloat should crisis strike.
BCM is a comparatively new approach to looking at our business risks and considering where it is exposed to the effects of disasters. Making judgments about what is critical and planning to maintain the business beyond the event should a catastrophe happen. Major international companies now do this as a matter of course. Small and medium companies as well to ensure that the business will continue during and after the crisis can use the lessons they have learned. In an age where the unthinkable has become possible and the unlikely commonplace, perhaps the question is not whether a business can afford to implement BCM strategies but whether it can afford not to? 5.1 The BCM process There are several variations in building up a BCM process. An alternative to starting with BCM is first writing an actual Business Continuity Plan (BCP - see below) and then developing a BCM structure to ensure the BCP is ready for action at all times. Wherever BCM starts it must have this as a key responsibility.
47
The diagram above shows typical BCM stages underpinning a BCP 1. 2. 3. 4. 5. 6. 7. 8. Top level Commitment Secured Initiate the Management Process Identify the Threats and Risks Manage the Risks as part of Risk Management Business Impact Analysis (BIA) Develop Strategies Developing and implementing the Plan Test, exercise & maintain the plan
When connected they form a sequential process where the plan becomes a written guide to be followed in the event of potential catastrophe. 1. Top level Commitment Secured Board level commitment is important. Without top down direction, support and ownership, success in both the BCM process and activating BCP will be difficult, if not impossible. 2. Initiate the Management Process The next step is to initiate or develop the management process. This will be more effective with top level support. It is a good idea to identify the team who will see this through as a continuing process, rather than a one-off event. It will be useful to agree some, or all, of the following :
Time scale for key deliverables. Budget. Regulatory / Statutory / Contractual obligations. Where specialist help will be needed (see section 'Where to go for help' ). Who will form a Crisis Management Team.
48
Drawing up a 'belt and braces' BCP now, should catastrophe strike before the desired one has been fully prepared.
3. Identify the Threats and Risks Routine and effective Risk Management, relating to all types of risk, is very important to understanding this guide. BCM is more concerned with those threats and risks that can cause corporate catastrophes. One way to record where basic risks or threats may arise is to first plot them on a framework ranging from People / Organisational to Technical / Economic, against Internal or External. The following diagram is an example showing just some of the crisis types: -
4. Manage the Risks as part of Risk Management If risks can be described sufficiently accurately for a calculation to be made of the probability of them happening, on the basis of past records, these are normally called insurable risks. If the risk is met so infrequently that no accurate way of calculating the probability exists, no underwriter will insure against it and it becomes an uninsurable risk. Either risk, poorly handled, can result in disaster, if only through catastrophic damage to reputation. Once threats and risks have been identified they can be plotted under the headings of Severity, and Frequency:-
49
BCM, although firmly linked to Risk Management does not distinguish between the two, although it can be especially effective in cases of high severity / low frequency incidents. A simple way to assess the more physical risks, in this case to premises, is the ABC method. A. Area B. Building C. Contents A - Area. The risk to our premises may result from something outside the actual building. Perhaps another company, close by, may be thought of as controversial and may attract protestors, extremists groups or even terrorists. Also, within the immediate area, could be a compound storing, for example, toxic / hazardous chemicals, or an adjacent river is likely to swell in heavy rain. Neighbouring premises could have a history of suspicious fires? It is necessary to think in terms of 360 degrees. B - Building. The structure we work in may be vulnerable to, fire, sabotage, air conditioning failure (which could jeopardise IT systems) or may otherwise be insecure. We might also share it with other occupiers about whom we know nothing. The power supply may be through o entrance point. Shared water ne pipes could be susceptible to rupture etc. Telephone and/or ISDN lines may be also exposed to damage. C - Contents. What items or assets under our control might cause a problem? This could be as a result of theft, sabotage, overheating, contamination, pollution, flooding, equipment failure etc. Symbiosis Institute of Telecom Management, Pune 50
5. Business Impact Analysis (BIA) The BIA is intended to identify the impacts resulting from disruptions to both primary and secondary business functions. Primary means those tasks critical to the company (e.g. revenue generation) and may include supporting functions to ensure primary tasks are completed. Secondary tasks are otherwise very important but not so vital to recover as an extremely urgent need (e.g. personnel dept.) .Tasks that fall into neither category may form a third group that is valuable to the organisation in routine operations, but can be suspended for several days in a crisis. Collecting accurate data on all business functions is very important. This is normally by questionnaires and interviews and often requires specialist help (see section 'Where to go for help' ). This is the cornerstone to the BIA process. It is important to predict the likely sequence of business units 'collapsing' if one or more primary functions cannot operate. That is why the BIA stage is crucial to BCM and will underpin the effectiveness of the subsequent BCP. The BIA helps to predict the disastrous impacts and to define the single points of dependency that could initiate these impacts. 6. Develop Strategies This stage has several facets. At this part in the process variable recovery ideas or strategies can be looked at, including how to communicate with :
Staff Suppliers Shareholders The media Customers Regulators
It will also be necessary to calculate:
Off-site recovery requirements (recommended).
The viability of Internal or external solutions (e.g. 3rd party IT recovery sites)
Which business units / functions should prepare individual recovery plans (i.e. Primary & Secondary) as a sub-set of the BCP.
51
The most effective representatives (managers) from the various business functions tasked with preparing local plans.
The most effective way to deal with inevitable media interest in a crisis. Avoid a reactive or 'grudge' style. Perception is influential - it is possible to make a virtue of our situation and gain rather than lose. This cannot be overstated.
Training, testing and exercising schedules. Testing determines the effectiveness of the plan, to include all 3rd party crisis support. Exercising rehearses staff in their crisis roles.
Where to locate an Emergency Control Centre. This should be near enough to the crisis site to allow the Incident Control Team (see below) to use, yet not risk being enveloped in the incident. Get the views of the Police in advance. It should have:1. A location in a secure area under local control. 2. Good communications. Dedicated telephone lines in and out (confidential), fax/email. 3. Adequate stationery, including purchase order forms, maps of the premises, white boards, local routes etc. 4. Workstations for all team members with, ideally, network access. 5. 24 hour access & parking. 6. Refreshment & toilet facilities 7. At least one meeting room. 8. A quiet room or area with a telephone.
It will be a good idea to select alternative business recovery operating ideas for recovering business and, most importantly, IT systems and databases. These should be within ideal recovery times identified in advance.
52
5.2 Crisis classifications Very few disasters suddenly happen. Many start as a crisis, which becomes progressively worse - when no intervention techniques are applied. Often this is compounded by an inability to make best use of press / TV coverage (see above). The objective here is to work out variable or strategic options rather then a simple 'all out' or 'all in' response and also plot where to intervene if the impact is spreading. This results in an 'action plan' that reduces the likelihood of under or over reacting. It is wise to invoke only the necessary response to deal with the incident and stop it spreading, based on classifying the event - for example, Minor, Intermediate or Major .
53
7. Developing and implementing the plan These are some of the considerations when writing a Business Continuity Plan :
It is an action plan. It must be 'Crisis Friendly'. That is, easy to understand in a crisis. Constructed on the basis of a risk assessment, set around achievable recovery objectives.
54
Dovetailed to individual departmental recovery plans. Copies must be kept of-site. The listed Crisis Team Management should be a natural extension of routine management, not a collection of unfamiliar staff. Endorsed by top level management. The product of reality above idealism and be 'owned' by all those with a role to play in a crisis. It should list basic media holding statements to avoid 'no comment'. Easy to maintain & tested - often 8. Test, exercise & maintain the plan.
Exercising the BCP is a way to rehearse staff in their roles. However, first test to see if it works. Perhaps start with a 'paper walk-through', then a 'table top' test and feed back the results. 3rd party help may be needed. 5.3 Crisis Management Teams During a sudden crisis the usual 'mental control panels' seem to stop working: all the dials go into the red zone, the data becomes misleading and the normal measurements can mean nothing. Experience has shown that when suddenly faced with a catastrophe, many crisis managers have a tendency, from the outset, to try and follow familiar references. The more disturbing the situation the stronger the urge to take refuge in familiar procedures. Yet such procedures are frequently the most inappropriate ones to take. This is why leading a Crisis Management Team is so important, with a clear definition of what, how and when things have to be accomplished. In order to achieve the tasks and to hold the team together certain key functions have to be performed. A function is what you do, as opposed to a quality, which is what you are. John Adair, a specialist in leadership techniques, lists three ingredients, or variables, when people are working together as a team. This is especially true in a crisis where the leader should keep the balance between three key needs with his or her team. These are shown in the following diagram :-
55
A high performance Crisis Management Team has the following characteristics.

Clear realistic objectives Trust in the Continuity plan A shared sense of purpose The best use of resources An atmosphere of openness Reviews progress Builds on experience Holds together under stress
There are two other important aspects of preventing chaos in a crisis shown in the next diagram. These are :A. Management 'styles', ranging from dealing with strategic / top level issues away from the activity of the crisis, to operational or urgent directions, often at the actual scene of the crisis and, B. The range of different tasks. These broadly fall into two categories. Controlling the incident, or recovering from it. Both can be applied simultaneously to avoid wasting time. Management style refers to understanding the different management considerations needed to minimise the risk of 'trying to do everything'. Some decisions might urgently be needed at the scene, while others have a more strategic impact and can be considered in more depth. For example, Strategic / medium - long term style, often at more senior level, would include
56
the Restoration Phase (see above), reassuring shareholders, potential investors, subsequent product alterations, media relations etc. The Operational or more urgent style applies to a 'quick time' environment where the focus is on the immediate problem, without any medium or long-term considerations. This would be the case when trying to stop the impact (e.g. flooding) from spreading at the actual scene. Once the initial crisis has been replaced by the recovery phase, it is wise to stop referring to the 'Crisis' Team since it gives the wrong impression. The different types of task are equally important. It is necessary to distinguish those tasks aimed at controlling the actual incident (e.g. liaising on site with the Fire Brigade, Loss Assessor / Adjuster etc.) and those tasks aimed at Recovery. (e.g. making sure off-site back up systems are operational, how to transport staff to an alternative site etc).
Also shown on the above diagram are the types of tasks when completed. For example, A. could be holding a second media interview (by the MD?) to reassure stakeholders that recovery is well under way. Task B. on the other hand, could be setting up the Emergency Control Center. 5.3 Availability of Specialist Support There are numerous companies willing to supply support services to anyone starting the BCM process, or stuck somewhere in the middle! These range from very large IT recovery operations that can mirror our own operations to enable a seamless transfer of IT systems and databases in the event of a crisis, to one man consultants specialising, for example, in antique restoration after a flood or fire.
57
However, it is a good idea to first determine where, exactly, you may need help? Then to identify who may be qualified to give you support. The following ten headings represent the key areas where professional help may be an advantage. They are also the core skills required by the Business Continuity Institute (BCI) for membership to that organisation. 1. Project Initiation And Management Help in establishing the need for BCM / a BCP including obtaining management support and organising and managing the project to completion within agreed time and budget limits. 2. Risk Evaluation And Control Support to help determine the events and environmental surroundings that can adversely affect the organisation i.e., how to provide cost-benefit analyses to justify investment in controls to mitigate risks. 3. Business Impact Analysis Knowing how to identify the impacts resulting from disruptions and disaster scenarios that can affect the organisation and techniques that can be used to quantify and qualify such impacts. Help to establish critical functions, their recovery priorities, and inter-dependencies so that recovery time objective can be set. 4. Developing Business Continuity Strategies
Support in determining and guiding the selection of alternative business recovery operating strategies, while maintaining the organisations critical functions. 5. Emergency Response And Operations Advice on how to develop and implement procedures for responding to and stabilising the situation following a crisis, including establishing and managing an Emergency Control Center. 6. Developing & Implementing A BCP Help in the design, development, and implementation of a BCP that provides recovery within the recovery time objective. 7. Awareness and Training Programmes
58
Advice on preparing a programme to create corporate awareness and enhance the skills required to develop, implement, maintain, and practice BCM. 8. Maintaining and Exercising Business Continuity Plans Support showing how to pre-plan and co-ordinate plan exercises, and evaluate and document plan exercise results. Verifying that the plan will prove effective by comparison with a suitable standard. 9. Public Relations And Crisis Co-Ordination Helping to develop, co-ordinate, evaluate and exercise plans to handle the media during crisis situations. Assisting to develop, co-ordinate, evaluate and exercise plans. Suggestions on providing trauma counselling for employees and their families. 10. Co-Ordination With Public Authorities Helping to establish applicable procedures and policies for co-coordinating continuity and restoration activities with local authorities, while ensuring compliance with applicable statutes or regulations 5.4 Conclusions In many organisations the concept of effective and routine Risk Management in parallel with regular Business Continuity Management, should crisis threaten, is being introduced and managed for the first time. However, in the final analysis it is the board of directors who must effect policies to ensure the company is acting responsibly and is suitably prepared to deal with crises. Ideally the same emphasis should be placed on all initiatives to sustain and grow any company. This includes initiatives solely related to profits, such competitiveness, forming winning, partnerships with people etc. and those that are equally business critical - and thus equally profit orientated - but related to reducing risks and preventing chaos in a crisis by avoiding the pitfalls of catastrophe.
59
60
Chapter 6
BCM Assessment for Lawrence & Associates
CHAPTER 6 LIVE PROJECT FOR LAWRENCE & ASSOCIATES

6.1 Company Profile Since 1996, St. Louis-based Lawrence & Associates Inc., (LAI) has set a new standard for US consulting companies by effectively tapping the capabilities of southern India's fast-growing Chennai information technology corridor. From Tidel Park in Chennai, India's premier dedicated information technology complex, LAI is able to deploy world-class software engineers and testing experts at a moment's notice, anywhere in the world, at a fraction of the cost of traditional consultants. A team of experienced IT professionals based at the companys headquarters in St. Louis, and regional offices across the globe anchors LAIs consulting operations. LAI senior executives oversee each assignment, working closely with clients to ensure that every aspect of the project achieves its stated objectives. 6.2 Objective The objective of this project is to evaluate the preparedness of the company with reference to the implementation of business continuity planning and disaster recovery strategies and to recommend suitable strategies for the same. 6.3 Methodology The Research Methodology included the pre-assessment of the company's current practices for the implementation of BCP and DRP. The pre assessment was carried out using a questionnaire along with the interviews from the network administrator of the company. As a result of the evaluation, the recommendations were sent to the company with the deployment plan for the BCP & DR strategies.
6.4 Findings Following are the key findings of the pre-assessment. 1.The company follows documented procedures as per the ISO 9001:2000 guidelines and has a security policy in the quality manuals.
61
Chapter 6
BCM Assessment for Lawrence & Associates
2.The criticality of the projects was evaluated and the cost of downtime is found to be less for the projects. 3.Since the company has its head quarters in St.Louis, USA; major backups are maintained in the server in the head office. 4.As per the security policy of the company, regular system audits are conducted at planned intervals. 5.Communication failures are very minimal, as the company has entered into service level agreements with the service provider, VSNL. 6.Periodic project backups of the software are taken and placed in the remote place other than the office premises under the custody of the system administrator in a fireproof environment. 7.The physical infrastructure including the office premises, computers, servers and other peripherals are protected against fire and other natural disasters by the systems provided by the Tidel Park authorities. 8.Regular safety drills are conducted at periodic intervals by the Tidel Park authorities for all the occupants. 9.The awareness level for the BCP and DRP is at the average level. 10. Although the company recognizes the fact for efficient Business Continuity Management, there are no concrete measures to implement the same. 6.5 Recommendations Disaster recovery projects should be executed within a broader business continuity initiative that includes a business impact analysis to establish business drivers for disaster recovery. Enterprises should use off-site tape for cost-effective recovery of applications that do not have stringent recovery time requirements and should also use data replication for rapid recovery.
Enterprises should integrate disaster recovery planning with existing application development and change management processes. The organisational support and commitment should start from the senior management and the BCP processes should be integrated with the companys culture.
62
Chapter 7
Future Trends
CHAPTER 7 FUTURE TRENDS

After our extensive research on this topic, the following are our observations and the trends likely to mark the future of Business Continuity Management and Disaster Recovery Management. One indicator that the business continuity profession is continuing to evolve from its disaster recovery origins is the change in how disasters are perceived. Gone are the days of recovery professionals focusing primarily on low-probability, high-impact natural disasters. Presently, companies consider the causes of business interruption to be multifaceted, from operational disruptions, such as human error and service provider failure, to technical disruptions, such as power outages and hardware and software failure. Companies are recognizing the complexities of business and are seeking to mitigate disruption from all fronts. There is an increased awareness amongst the corporate for implementing BCM practice in their organisation and it will continue to increase in the coming years. Because of 9/11, we may see an increase in interruptions due to facility moves, as organizations distribute their IT resources; companies may be decentralizing and relocating out of the primary regional production office in order to split or continue operations during a disaster The number of respondents reporting that they had to activate documented data center, network, and data/storage recovery steps increased an average of almost 6 percent this year (Source: Benchmark BCP report) Key to any program is goal setting, and for business continuity programs, that comes in the form of downtime tolerances, or recovery time objectives (RTOs). The recovery window continues to decrease in size year on year. One of the most encouraging trends in our study is an increasing need for the business continuity programs for being integrated into other areas of the enterprise. This will continue in the future as per the business dynamics.
63
Chapter 7
Future Trends
Likewise encouraging is the continuing upward trend of BCP ownership in the hands of corporate or general management. This is clearly indicated by the fact that the CIOs taking the responsibility for BCP/DR Management. One disturbing trend is the low budgets allocated by the companies to provide sufficient BCP training. A possible explanation for the decrease is that departments involved in business continuity (especially IT departments) became understaffed in the slumping economy, which led to less time and money for training and less opportunity for testing plans all while demand for rapidly changing and complex computing environments increased. BCM is still under the evolution stage and it will need some time to mature as a discipline. Companies realize the huge expenditure associated with the implementation of BCP programs and hence BCP mitigation programs needs to compete for resources with revenue generating programs. Another challenge before the companies implementing BCP is that what percent of revenues should be allocated for low probability, high impact business threatening risks?
64
Annexure
ANNEXURE 1 Pre Assessment Questionnaire Please help us in filling this sheet to assess your current position on the Business Planning and Disaster Recovery Systems. The data provided here will be kept strictly confidential.
1.Please mention the number of projects currently running in your company? a. Domestic: b. International:
2.What is the availability time for the project? a. Highly Critical (24x7x365) b. Critical c. Less Critical
3.The maximum length of time that the systems can be afforded to be down is: a. b. c. d. Less than 1 Hour Between 1-5hours Less than 24 hours Greater than 24 hours
4.The point in time in which the data must be restored in order to resume processing transactions: a. Less than 1 Hour b. Between 1-5hours c. Less than 24 hours d. Greater than 24 hours
5.Does your company have any Service Level agreements with the clients regarding the above issues of downtime, availability, and restoration time? a. Yes Symbiosis Institute of Telecom Management, Pune 65
Annexure b. No
6.Are there any disaster recovery systems in place? a. Yes b. No 7.Have any IT disaster happened in your company earlier? a. Yes b. No 8.What do you think as the major cause of IT disaster? Please prioritise them. a. Software Error b. Hardware Error c. Service Failure d. Human Error e. Network Outrage f. Power sabotage g. Employee Sabotage h. Force de majuere 9.Do you maintain any kind of periodical backups at alternate sites? a. Yes b. No 10. If Yes, What kind of backup policy do you have in your company?
11.Have you deployed any Business Continuity solution before? a. Yes b. No 12.Is there any kind of local mirroring, replication, archiving techniques followed in your company? a. Yes b. No
66
Annexure
13.If Yes, Please specify the type of local backups taken? a. Backup on Zip drives, CDs b. Backup on tape libraries. c. Remote backups in a non-disaster zone. d. Others, Please Specify.
14.Are your backups kept outside the disaster zone? a. Yes b. No 15.Please specify the type of Communication link along with the maximum bandwidth available for communication in your company?
Thanks for your patience for answering this questionnaire. Your answers will give us insight into the further planning of appropriate continuity solutions for your organization.
Name: Designation: Dated:
67
Annexure
ANNEXURE 2 GLOSSARY
A Absolute risk Pure risk without the mitigating effects of internal controls. See also managed risk. Accepting risk A risk management technique that allows management to weigh the cost of managing the risk versus the benefits of reducing the risk. See also cost/benefit analysis. Risk acceptance is a matter for the governance team of senior management and the board. The amount of acceptable risk should be determined beforehand. Alert A formal notification that an incident has occurred that may develop into a disaster. Alternative site An alternative operating location for predetermined business functions, I.e. support departments, information systems and manufacturing operations, when the primary facilities are inaccessible. See also back up site. Asset Components of a business process. Assets can include people, accommodation, computers, networks, paper files, electronic support machines, fax machines for example. Assurance A system of corporate governance that provides feedback on the efficiency and effectiveness of operations, compliance with laws and regulations, and accuracy and reliability of financial information. Both internal audit and risk management are part of the assurance process. Audit An examination or review that compares what is with what should be and provides feedback for corrective action. Audit plan Sometimes used interchangeably with audit schedule or audit programme (individual audit plan) - so watch for contextual clues.
68
Annexure B BCM lifecycle The entire set of activities and processes involved in successfully managing business continuity. Bias In models, the tendency to favour one set of outcomes regardless of the variability of the inputs. A distortion (intentional or unintentional) due to a point of view, set beliefs, or cognitive filters. BS7799 The UK standard for information security management. Section nine deals with business continuity management. Now also established as an ISO standard ISO17799. Business continuity A proactive process which identifies the critical functions of an organisation and the probable threats to those functions. From this, plans and procedures are drawn up that ensure that critical functions continue whatever the circumstances. Business continuity management The processes, procedures, decisions and activities to ensure that an organisation can continue to function through an operational interruption. Business continuity plan The documentation of the contingency plans made to ensure business continuity. Business continuity planning The advance planning and preparations which are necessary to identify the impact of potential losses; to formulate and implement viable recovery strategies; to develop recovery plan(s) which ensure continuity of organisational services in the event of a crisis, emergency or disaster; and to administer a comprehensive training, testing and maintenance programme. (Associated terms: contingency planning, disaster recovery planning, business recovery planning) Business continuity programme Synonymous term with business continuity planning. Business critical point The latest moment at which the business can afford to be without a critical function or process.
69
Annexure Business function A business unit within an organisation. For example a department, a division or a branch. Business impact analysis (BIA) A technique for identifying both tangible and intangible impacts on a business process, function or department, usually over time based on given criticalities. It provides senior management with information to devise a recovery strategy and recovery prioritisation. Business process A collection of business activities undertaken by an organisations functions in pursuit of a common objective. Such processes are often inter-dependent on other functions within the organisation. Business recovery plans Documents describing the roles, responsibilities and actions necessary to resume business processes following an interruption or event. See also disaster recovery plans and business continuity plans. Business recovery team A defined number of personnel responsible for implementing the business recovery plan.
Captive The term for an insurance company that is owned by the company it insures. It is a risk financing strategy to lower the cost of insuring risk. Chaos theory A systems theory that includes a number of specific parts, such as the "strange attractor" (an orderly pattern in seemingly disordered conditions), "reliance on initial conditions" (the so-called butterfly effect - that the weather in Utah can be affected by the flapping of a butterfly's wings in Brazil), fractals, the genetic algorithm, and entropy. Cold site One or more data centres or office space facilities equipped with sufficient prequalified environmental conditioning, electrical connectivity, communications
70
Annexure access, configurable space and access to accommodate the installation and operation of equipment by critical staff required to resume business operations. Collaborative techniques In risk assessment, a range of methods to incorporate multiple assessments, estimations and judgements about risk into a single consensus. Common body of knowledge The essential knowledge in a particular field. Contingency fund An operating expense that exists as a result of an interruption or disaster which seriously affects the financial position of the organisation. (Associated term: extraordinary expense) Contingency plan A plan of action to be followed in the event of a risk event occurring. A business continuity plan may contain many different contingency plans. Contingency planning Examines one uncertainty at a time as a base case and develops a response to that uncertainty. Can also be the sum of all such plans that deal with many different uncertainties. Control That functional part of a system that provides feedback on how the system is accomplishing its purpose or objectives. See internal control. Control risk The tendency of the internal control system to lose effectiveness over time and to expose, or fail to prevent exposure of, the assets under control. Cost Of activities, both direct and indirect, involving any negative impact upon assets. Costs may include money, time, labour, disruption, goodwill, political and intangible losses. Cost/benefit analysis A risk management tool used to make decisions about accepting risk or using some other risk management technique. Crisis An abnormal situation, or perception, which threatens the operations, staff, customers or reputation of an enterprise.
71
Annexure Crisis management team (CMT) A group of managers and/or executives who direct recovery operations whilst taking responsibility for the survival and the image of the enterprise. Crisis plan or crisis management plan A plan of action designed to support the crisis management team when dealing with a specific situation. Criteria Principles or standards that a thing is judged or assessed by. Critical data point The point to which data must be restored in order to achieve recovery objectives. Critical service Any service which is essential to support the survival of the enterprise. Critical uncertainties In scenario-building, the essential unknowns to the scenario. Opposite of predetermineds.
Decision point The latest moment at which the decision to invoke emergency procedures has to be taken. Declaration (of disaster) A formal statement that a state of disaster exists. Delphi technique A collaborative technique for building consensus involving independent analysis and voting by experts giving feedback as to how their judgement matches that of the remainder of the group as a whole. Used in both scenario building and risk assessment. Denial of access (premises) Any damage, failure or other condition which causes inability to access a building or a working area within the building, e.g. fire, flood, contamination, loss of services, air conditioning failure, forensics.
72
Annexure Disaster Any event which threatens or disrupts normal operations, or services, for sufficient time to affect significantly, or to cause failure of, the enterprise. Disaster recovery (DR) The process of returning a business function to a state of normality following a disaster or risk event. The term is often restricted to information technology and telecommunications services. Disaster recovery plan (DRP) A plan to resume, or recover, a specific essential operation, function or process of an enterprise. The term is often restricted to information technology and telecommunications services. Discontinuity In risk management, an event or consequence that cannot be predicted or extrapolated from prior actions or events. Unpredictably new. Diversify risk A risk management technique that seeks to spread the risk from a single task or asset to multiple tasks or assets so as to avoid losing everything at once. Driving forces In strategic planning and scenario building, these are the key external pressures that will shape the future for the organisation. Dynamic scenarios Scenario building in a complex and dynamic environment. The dynamic environment is thought to be nonlinear and discontinuous.
Emergency control centre The location from which disaster recovery is directed and tracked; it may also serve as a reporting point for deliveries, services, press and all external contacts. Emergency data services Remote capture and storage of electronic data, such as journalling, electronic vaulting and database shadowing.
73
Annexure Emergency management plan A plan that supports the emergency management team by providing them with information and guidelines. Emergency management team The group of staff who command the resources needed to recover the enterprise's operations. Emergency response The initial reaction to an incident, focused on protecting life and the organisations assets. Enablers Forces and capabilities that are a positive assistance to reaching goals. Environment The external forces, conditions and circumstances that are the source of risk in the immediate vicinity. Environmental approach The approach to risk assessment from the perspective of the external environment. Event An incident or situation, which occurs in a particular place during a particular interval of time. Extrapolation A measurement process of locating unknowns by measuring past data and extending the trend line. See also trend extrapolation.
Failure mode and effects analysis (FMEA) A procedure by which potential failure modes in a technical system are analysed. A FMEA can be extended to perform what is called failure modes, effects and criticality analysis (FMECA). In a FMECA, each failure mode identified is ranked according to the combined influence of its likelihood of occurrence and the severity of its consequences.
74
Annexure Fault tree analysis A systems engineering method for representing the logical combinations of various system states and possible causes which can contribute to a specified event, called the top event. Fault trees A method of risk identification and risk scenario building where the end result of an event is traced backwards to all possible causes. Feedback In systems and models, the flow of information about the present condition of variables to the originator or source for the purposes of monitoring the achievement of objectives. Focus group A survey research tool using small group of people who are led through a structured interview process for the purpose of developing their individual and group opinions. Forecasting Predicting future events or outcomes, often using complex mathematical tools, such as Box-Jenkins models. Not to be confused with scenario building. Framing In model building, during the framing stage the project team tries to develop and share with the decision board a set of wide-ranging alternative strategies that force it to test many tactical elements and to think about many uncertainties. Future backward A deductive scenario building technique where the future is imagined and the logical path to that future is worked backward to the present. See also Backward from perfect and Future forward. Future forward An inductive scenario building technique where the future is imagined as a result of examining clues in the present and working out the logical paths that they may take. Future backward. simulation models and influence diagrams are subsets of this technique. Future mapping Using the end state vision process and current evidence to build a logical map (sequence of steps, decisions and events) from evidence to end state.
75
Annexure G
Global risks External or environment risks that are outside of the immediate political or government regulatory risk boundaries. Governance team The team of senior managers and the board which exercises corporate governance over the enterprise.
Hard assets Physical assets (land, buildings, equipment) and financial assets (cash, credit, financial instruments). Hard assets are usually on the records of account in an organisation and subjected to inventory and/or custodial safeguards. See also soft assets. Hazard A source of potential harm or a situation with a potential to cause loss. Hot site A data centre facility or office facility with sufficient hardware, communications interfaces and workspace capable of providing almost immediate backup data processing support. See also warm site and cold site.
Immediate recovery team The team with responsibility for implementing the business continuity plan and formulating the organisation's initial recovery strategy. Impact scenario Description of the potential effect on a business that may follow business
76
Annexure disruption. Usually relating to a business function, the scenario will always refer to a period of time. Incident Any event which may be, or may lead to, a disaster. Information security management The securing or protecting of all sensitive information, electronic or otherwise, which is owned or generated by an organisation. Insurance A contract to finance the cost of risk. Should a named risk event (loss) occur, the insurance contract will pay the holder the contractual amount. See risk financing. Integrated risk management The consideration of risk at all levels of the organisation. Internal control All the means, tangible and intangible that can be employed or used to ensure that established objectives are met. Invocation A formal notification to a service provider that its services will be required. IS Information systems. ISM Information security management
L Learning organisation An organisation that actively seeks to monitor change in the environment and adapt and learn from the change. Such organisations often incorporate scenario building in their planning efforts. Logistics/transportation team A team comprised of various members of departments associated with supply acquisition and material transportation, responsible for ensuring the most effective acquisition and mobilisation of hardware, supplies and support materials.
77
Annexure
Managed risk The risks and consequences after the application of internal control. Management framing A dysfunctional problem in scenarios that causes managers to look at issues from a narrow perspective. Master plan A business recovery plan which supports overall coordination and control of the recovery effort. Matrix approach In risk assessment, an approach that matches system components with risks, threats or controls with the object of measuring and examining the combinations of the two axes. Mid term The planning or time horizon that deals with events in the middle period between short-term and long-term, typically beyond the current year and for one or two years further. Mobile standby A transportable operating environment, usually complete with accommodation and equipment, which can be transported and set up at a suitable site at short notice. Mobilisation The activation of the recovery organisation in response to an emergency or disaster declaration. Mode A measure of statistical central tendency that notes the most frequent value in the distribution of values. The mode is also the peak (highest) value of the curve. See normal curve. Multidimensional approach An approach to risk assessment that views risk and opportunity through various
78
Annexure time horizons or dimensions as manifestations of the same uncertainty. This approach best approximates senior management's strategic planning.
Normal curve A statistical tool that represents a distribution with properties where mode = mean = median. Normative tables A risk measurement technique that describes what certain characteristics look like at different levels of risk (high, medium, low). See also bipolar tables.
Off site location A storage facility at a safe distance from the primary facility which is used for housing recovery supplies, equipment and vital records. Operational impact An impact upon the day-to-day working systems of a company. Outage The interruption of automated processing systems, support services or essential business operations. P
Pair-wise comparison The assignment of preference weights to risk factors and/or system components using a voting technique that compares all possible pairs of choices. See also direct assignment and analytic hierarchy process (AHP). Paradigm shift A significant change from one fundamental view to another.
79
Annexure Pay offs In decision theory, the net benefits received from alternative choices. Period of tolerance The period of time in which an incident can be accepted before escalating to a potential disaster. Pervasive risk The type of risk found throughout the environment. The focus is on the environment of the business activity instead of the activity itself. Think of it as the "corporate culture." Planning risk The risk that the planning process is flawed. In risk assessment, it is the risk that the assessment process is inappropriate or improperly implemented. Plausible Believable, grounded in some logical extension of known facts. Pre-positional resource Material (i.e. equipment, forms and supplies) stored at an off-site location to be used in business resumption and recovery operations. (Associated terms: prepositioned inventory) Process failure risk model A specialised risk model that makes use of multiple risk scenarios and exposure assessments as well as feedback loops to continuously update scenarios and exposures to changes in the process. Process risk The risk in a business process.
R Ranking The process of establishing the order or priority. Reciprocal agreement An agreement in which two parties agree to allow the other to use their site, resources or facilities during a disaster. Recovery exercise An announced or unannounced execution of business continuity plans intended
80
Annexure to implement existing plans and/or highlight the need for additional plan development. (Associated terms: disaster recovery test, disaster recovery exercise, recovery test, recovery exercise) Recovery management team A team of people, preplanned and assembled in an emergency, who are charged with recovering an aspect of the enterprise, or obtaining the resources required for the recovery. Recovery plan A plan to resume a specific essential operation, function or process of an enterprise. Recovery site A designated alternative site for the recovery of computer or other operations, which are critical to the enterprise. Recovery strategy A pre-defined, pre-tested, management approved course of action to be employed in response to a business disruption, interruption or disaster. Recovery team A group of individuals given responsibility for the co-ordination and response to an emergency or recovering a process or function in the event of a disaster. Recovery window The time scale within which time sensitive functions or business units must be restored, usually determined by means of a business impact analysis Reinsurance Insurance contracts are sometimes sold by the originating insurance company to specialist insurance companies as a hedging strategy to reduce high risk exposure to a particular type of risk or customer. An insurance company that issued policies/contracts for earthquake insurance in Southern California might want to hedge that exposure by buying insurance contracts (re-insuring) some of the portfolio. Reperformance The oldest form of internal auditing, involving the counting and observing of operations - in essence, re-doing the task. Residual risk The remaining risk after risk management techniques have been applied.
81
Annexure Restoration The process of planning for and implementing full scale business operations which allow the organisation to return to a normal service level. Resumption The process of planning for and/or implementing the recovery of critical business operations immediately following an interruption or disaster. Retention The risk financing strategy of retaining some of the cost of risk in the insurance contract. 100 percent retention is known as self-insurance. Return to normal phase The phase within a business continuity plan which re-establishes normal operations. Risk A measure of uncertainty. May involve positive or negative consequences. Risk acceptance An informed decision to accept the consequences and the likelihood of a particular risk. Risk assessment The overall process of risk analysis and risk evaluation. Risk avoidance An informed decision not to become involved in a risk situation. Risk based auditing Audits that focus on risk and risk management as the audit objective. Risk control That part of risk management which involves the implementation of policies, standards, procedures and physical changes to eliminate or minimise adverse risks. Risk engineering The application of engineering principles and methods to risk management. Risk evaluation The process used to determine risk management priorities by comparing the level of risk against predetermined standards, target risk levels or other criteria.
82
Annexure Risk event The manifestation of a risk into a reality. Risk financing Methods applied to fund the risk management and residual risk consequences. Examples include insurance contracts, self-insurance, captives and sinking funds. Risk framework A Model of risks in the organisation. Risk frameworks typically enumerate the various classes of risk and the degree of risk management expected. Risk management The culture, processes and structures that are directed towards the effective management of potential opportunities and adverse effects. Risk management process The systematic application of management policies, procedures and practices to the tasks of identifying, analysing, evaluating, treating and monitoring risk. Risk matrix. A form of risk measurement and risk prioritisation in one step that uses risks on the horizontal axis and system components or audit steps on the left axis. Both axes are sorted to the left corner (high), creating a matrix with quadrants of high, medium and low groups of elements and risks. Risk measurement The evaluation of the magnitude and likelihood of risk. Risk model A mathematical, graphical or verbal description of risk for a particular environment and set of activities within that environment. Useful in risk assessment for consistency, training and documentation of the assessment. Risk prioritisation The relation of acceptable levels of risks among alternatives. See also risk ranking. Risk ranking The ordinal or cardinal rank prioritisation of the risks in various alternatives, projects or units. Risk reduction A selective application of appropriate techniques and management principles to reduce either likelihood of an occurrence or its consequences, or both.
83
Annexure Risk reduction or mitigation The implementation of the preventative measures which risk assessment has identified. Risk retention Intentional (or unintentional) retaining the responsibility for loss or risk financing within the organisation Risk scenarios... A method of identifying and classifying risks through creative application of probabilistic events and their consequences. Typically a brainstorming or other creative technique is used to stimulate "what might happen." Risk transfer Shifting the responsibility or burden for potential loss to another party through legislation, contract, insurance or other means. Risk treatment Selection and implementation of appropriate options for dealing with risk. S Scenario A pre-defined set of events and conditions which describe an interruption, disruption or disaster related to some aspect(s) of an organisation's business for purposes of exercising a recovery plan(s). Scenario building The exercise of developing scenarios. Scenario planning The use of scenarios in (usually) strategic planning. Scenario plots Various standard forms of organising the scenario-building process. Security review A periodic review of the security of tangible and intangible assets which should cover security policy, effectiveness of policy implementation, restriction of access to the assets, accountability for access and basic safety. Service level agreement (SLA) An agreement between a service provider and service user as to the nature, quality, availability and scope of the service to be provided.
84
Annexure Sharing risk A risk management technique for distributing the possible consequences of risk among several parties. Insurance and other contracts are methods used to share or transfer risk. Short term The planning or time horizon that deals with events within the current cycle, typically one year or occasionally two. Site access denial . Any disturbance or activity within the area surrounding a physical location which renders the site unavailable, e.g. fire, flood, riot, strike, loss of services, forensics. The site itself may be undamaged. Skew A measure of deviation from the normal curve. Skewness can be negative or positive, representing which side of the normal curve mode the skew appears (left = negative and right = positive). Social impact Any incident or happening that affects the well-being of a population and which is often not financially quantifiable. Soft assets Human resources (people, skills and knowledge) and intangible assets (information, brands, and reputation. Specific risk The type of risk that is found in specific activities. The level of this risk is expected to vary from activity to activity, even though all activities may have it. Standby service The provision of the relevant recovery facilities, such as cold site, warm site, hot site and mobile standby. Strategic planning Long-term plans based on the organisations overall business objectives. Strategic plans are typically multiple years and reach out five or ten years (or more) using scenarios or other planning methods that identifies assumptions, risks, and environmental factors. Structured interview A survey technique that uses a standard questionnaire administered to each person in the interview pool. The use of the same questions allows for crosstabulation of the answers.
85
Annexure System denial A failure of a system for a protracted period. System recovery The procedures for rebuilding a computer system to the condition where it is ready to accept data and applications. System recovery depends on having
Table top exercise The exercising and testing of a BCP, using a range of scenarios whist not effecting the enterprise's normal operation. Task list Defined tasks, allocated to recovery teams and individuals, within a given phase of a plan. Threat A combination of the risk, the consequence of that risk, and the likelihood that the negative event will take place. Threat matrix A matrix of threats and usually system components or elements, e.g. tasks, functions, hardware, processes, software and people, for purposes of measuring and estimating influences or the internal control of various combinations. See also risk matrix. Threat scenarios Similar to risk scenarios, except the focus is on the negative consequences of uncertain events. Time horizons Planning horizons used in risk scenarios and strategic planning to represent different time periods. Often: short term, mid term and long term. Tolerance threshold The maximum period of time which the business can afford to be without a critical function or process.
86
Annexure Trend The direction and path of a series of data points, usually thought of as a positive trend or negative trend, although trends do not have to be linear. See also extrapolation. Trend extrapolation A forecasting technique that assumes you can predict tomorrow if you know yesterday and today. See also extrapolation. V Vulnerability analysis Introduced by William Perry, includes the expected value approach with the added dimension of time horizons. W Warm site A data centre or office facility which is partially equipped with hardware, communications interfaces, electricity and environmental conditioning capable of providing backup operating support. See also hot site and cold site. Wild cards In strategic planning, these are major surprises that are high-impact events coming from "out of the blue." Work area standby A permanent or transportable office environment, complete with appropriate office infrastructure. Z Zero-sum game In models or scenarios, a zero-sum game describes a situation where, in order for one to win, one or more must lose. Acknowledgement This section provides a listing of terms common to business continuity. Assembling this list we acknowledge the following sources: the Business Continuity Institute (BCI), the Disaster Recovery Institute (DRI) and MC2 Consulting.
87

Business Continuity Planning

Hochgeladen von

Dokumentinformationen

Originalbeschreibung:

Originaltitel

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

Business Continuity Planning

Hochgeladen von

Copyright:

Verfügbare Formate

_______________________________________________________________ TABLE OF CONTENTS Chapter 1.0 2.0 2.1 2.2 2.3 2.4 2.5 3.0 3.1 3.2 3.

Symbiosis Institute of Telecom Management, Pune

Symbiosis Institute of Telecom Management, Pune

Symbiosis Institute of Telecom Management, Pune

Symbiosis Institute of Telecom Management, Pune

CHAPTER 2 BUSINESS CONTINUITY PLANNING

Symbiosis Institute of Telecom Management, Pune

Business Contingency Redemption Planning

Manual Procedure 5% Backup of vital 2 products; Backup supplier

Review Implement Standby facilities