{"id":50491,"date":"2014-02-19T09:34:13","date_gmt":"2014-02-19T14:34:13","guid":{"rendered":"http:\/\/www.ict-pulse.com\/?p=50491"},"modified":"2014-02-19T11:03:31","modified_gmt":"2014-02-19T16:03:31","slug":"5-critical-questions-preparing-business-continuity-plan","status":"publish","type":"post","link":"https:\/\/ict-pulse.com\/2014\/02\/5-critical-questions-preparing-business-continuity-plan\/","title":{"rendered":"5 critical questions to ask when preparing a business continuity plan"},"content":{"rendered":"

Business continuity plans have become an essential requirement for organisations, and where there is an even greater reliance on IT\/ICT, it is critical to minimise downtime and disruption to the organisation, its employees and customers.<\/em><\/p>\n

\"ArrowsFor countries that are prone to natural disasters, business continuity in frequently considered primarily in that context, for example, \u201chow to recover in the aftermath of a hurricane?\u201d However, business continuity, especially IT\/ICT business continuity, is a critical element in today\u2019s environment, which organisations can no longer overlook. It is not only following a major disaster such systems are appropriate, they are essential to minimise the effects of a broad range of disruptions and to ensure that business operations are maintained within acceptable limits<\/p>\n

Increasingly, organisations, their employees and customers are relying on technology, IT and ICT for seamless, efficient and effective operations, which they cannot afford to have malfunction, period. However, developing a business continuity plan (even for an IT\/ICT department) can be an involved process, and may be a bit overwhelming to those charged with spearheading its preparation. As a starting point, this post outlines five critical questions that should be answered by an organisation (or an IT\/ICT department) to improve its understanding of the impact of disruptive incidents, and provide essential inputs for the discussions and efforts required to produce the final plan.<\/p>\n

Definition and context<\/h3>\n

Business continuity is a well-developed concept for which a number of internationally accepted standards have been developed. One of the most widely accepted is that of the International Standards Organisation (ISO 22301:2012), which defines business continuity as,<\/p>\n

\u2026 the capability of the organization to continue delivery of products or services at acceptable predefined levels following a disruptive incident…\u00a0<\/em><\/p>\n

(Source: Business Continuity Institute<\/a>)<\/p>\n<\/blockquote>\n

By extension, business continuity management encompasses<\/p>\n

\u2026a holistic management process that identifies potential threats to an organization and the impacts to business operations those threats, if realized, might cause, and which provides a framework for building organizational resilience with the capability of an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities…\u00a0<\/em><\/p>\n

(Source: ISO 22301:2012, Business Continuity Institute<\/a>)<\/p>\n<\/blockquote>\n

The established standards would set out a detailed approach and requirements to comprehensively address business continuity. The questions below in no way replace those standards and processes, but hope to begin to orient organisations to mindset and thinking needed to begin developing such a critical plan and supporting systems.<\/p>\n

Q1.\u00a0 What are the organisation\u2019s purpose, core roles and functions?<\/h3>\n

To establish the correct context for the business continuity planning process, it is important from the outset to identify the organisation\u2019s core roles and functions. In the exercise, it is likely that a number of items will be listed; hence it is necessary to also rank them by how critical they are to the organisation and its mandate.<\/p>\n

From an IT\/ICT perspective, this process should also be followed. However, the questions should first be answered from an organisational perspective. (If an organisational business continuity plan exists, that information might be readily available.) However, thereafter, the focus should be on identifying what might be the IT\/ICT department\u2019s mandate, or the role of IT\/ICT within the organisation, and ensuring that they are aligned with the overarching organisational obligations.<\/p>\n

Q2.\u00a0 What are the critical products and\/or services that must be delivered?<\/h3>\n

Following on from the previous question, this question encourages a fuller recognition and examination of the products and\/or services that must be delivered by the organisation to its clients and customers. Generally, the results of that engagement are a key source of revenue for the business, or are otherwise used to gauge its performance.<\/p>\n

Again, it may be necessary to rank the listed goods and services in order of priority, as acceptable delivery levels and downtime are likely to be more stringent for the most critical ones, and ultimately may vary across the list of products and services.<\/p>\n

Q3.\u00a0 What are the types of disruptions the organisation can experience?<\/h3>\n

Although a key purpose of a business continuity plan is to focus on minimising and managing the aftermath of a disruptive incident, it is critical to ensure that the plan also includes preventative measures that can be implemented and provide some redundancy against failure. Hence it is recommended that attention be given to identifying the types of disruptive incidents to which the organisation could be subject, and arranging them by likely frequency and potential impact on the organisation.<\/p>\n

Factors such as geographic and physical location, country and civil stability, the actual products and services offered, among other things, are likely to influence the types of disruptions listed, and how they are ranked. For example, tropical storms and hurricanes frequently occur across most of the Caribbean \u2013 from the Bahamas to Saint Vincent and the Grenadines, and so should feature prominently in plans developed in those countries. However, for plans developed in Cura\u00e7ao or Guyana, for example, that specific type of storm might be considered a rare occurrence, as those countries generally lie outside the hurricane belt.<\/p>\n

Within the context of an IT\/ICT business continuity plan, disruptive incidents may be scheduled or unexpected, or may be internal to the network, or due to external forces. Examples of disruptive incidents that could affect an organisation\u2019s IT\/ICT infrastructure and ought to be listed and considered would include, but not limited to:<\/p>\n