Every organisation needs a business continuity plan. Very few often go for a formal ISO 22301.
How many times did you come across a statement like this – “we have a BCP but I am not sure whether it really covers every part of the business”. Well if this is not an unfamiliar statement, the flaw lies in not having a good business impact analysis (BIA). BIA is a comprehensive exercise that brings every part of your business together to establish what is really urgent to be recovered in case of an outage.
Most organisations build their BCMS around IT – well it is a good investment made but that does not guarantees full return on investment. If you wish to get a good return on investment consider Business impact analysis. You will be surprised that a good BIA can reduce your overall budget and save costs.
Business Impact Analysis (BIA) is the analysis of identifying and prioritizing an organization’s services (internal and external) that should be up and running in the event of disaster. Combined with maximum tolerable period of disruption(MTPOD), Recovery time objective (RTO), return point objective (RPO) and minimum business continuity objectives (MBCO), it gives the CEO the ‘requirement’ for the Business continuity plan. Note that this is not IT strategy, it is business strategy first.
Here are the key steps:
Take a look at your organization structure (some call it organigram) and identify the teams.
For each team identify whether they are revenue generating service (RGS) , and/or a supporting team. Easier than said, you need to have a specific questionnaire that helps you identify this. One of the the way to identify an RGS is to ask – does your discontinuity results in cash loss? If the answer is Yes, the team is RGS. All other teams are supporting ser
Assess how long the RGS team can afford to be ‘completely out of work’ resulting in no loss – this will give the MTPOD value; A team which can afford to be out for 7 days cannot be (in my experience) a RGS.
Assess how many resources – people, applications, information systems, internal support teams and external service providers needed to resume (not restore) operations. This will give you RTO, RPO and MBCO. Note that this a temporary readiness, you also need a questionnaire for ‘how long can you remain in MBCO?’.
Now classify the pending teams/services as either essential infrastructure or delayed start service. EIS is a service that needs to be restored before a RGS teams comes into play. Whereas a DSS team is the last to be restored. I don't wish to write any team as an example here as it is ‘unique in every organization’. Classifying a team such as Human resources as DSS without knowing what they actually do will be a big mistake.
Now you have a list for RGS, EIS and DSS in the organization.
Having this in place now you can design risk assessment questionnaire which can reveal either single point of failures (SPOF) on one side, and readiness for different outage scenario on the other.
In order to identify single point of failures, you need to verify what within each of the list of services has no redundancy. This can be a role, network infrastructure, physical location and/or an external services provider. What you derive is a list of weaknesses which if implemented makes your business inherently stronger and more resilient.
In order to identify outage-preparedness you need to then verify preparedness. Site outage, people outage, network/IT infrastructure outage and external service provider outage are sample outages that you need to check and verify the readiness.
This whole exercise could have taken anywhere between two weeks to two months depending the scale and complexity of your organization.
ISO 22301 BIA will then get formally closed when you have the following in place:
1. Organisation list of services – internal and external
2. Classification of organisation services as RGS, EIS and DSS
3. Inherent vulnerability in the business processes such as single point of failures
4. Readiness against each identified outage.
Each of the above points should be summarised and presented to management for further action. The inputs so given will help the management then decide the scope of business continuity. Your business continuity strategy can be ‘lets prepare for site outage’ across the organisation. Such decisions are taken because you have a limited budget.
Next time someone says that “we have a BCP but I am not sure whether it really covers every part of the business”‘ you now know what went wrong.
Hope this helps!