Business continuity plans--step by step.

Be it an art or a science, writing a business continuity plan on a blank piece of paper is almost impossible to get right. Yet this is what many people set out to do when they begin to develop a business continuity plan for their business.

The work of writing a plan should start way back, thinking about the risks faced by your business and the scope and scale of any impacts that may result. If you don't don't

1. Contraction of do not.

2. Nonstandard Contraction of does not.

n.
A statement of what should not be done: a list of the dos and don'ts. have a clear idea of what you are trying to protect--and what you are trying to protect it from--how can you know what to put in the plan and what to leave out?

The key to getting this right is to follow a very simple, sequential process, like the one illustrated.

This is not the only model for implementing effective business continuity management, it may not even be the best, but it is amongst the simplest. And for those of you just starting out, I feel this is important; you can always refine it and make it more sophisticated later--if you want to!

Taking this model step-by-step:

1) Risk

Many organisations have good risk management processes, but not all. At its simplest, you should identify the risks facing your business. Think about physical things like the local environment, buildings and services, infrastructure and IT. Consider also some of the softer risks like loss of information, failure of a supplier, dependencies on key staff and critical deadlines. Having identified the sources of risk, evaluate them, then prioritise Verb 1. prioritise - assign a priority to; "we have too many things to do and must prioritize"
prioritize

grade, rate, rank, place, range, order - assign a rank or rating to; "how would you rank these students?"; "The restaurant is rated highly in the food and manage accordingly. Some risks may be too expensive or impossible to mitigate mit·i·gate
v.
To moderate in force or intensity.

miti·gation n. , this is often where insurance comes in.

2) Impact

There may be hundreds of risks facing your business, but the ones you should be most interested in are those that will have a huge impact. Consider, function by function, both the financial impact (lost revenue, cash flow, contract penalties) and the operational impact (on your customers, on your reputation, on management control) of a disruption disruption /dis·rup·tion/ (dis-rup´shun) a morphologic defect resulting from the extrinsic breakdown of, or interference with, a developmental process. to your business. Use this information to decide which functions are most critical in the first few days following a disruption and identify the minimum level of resources (people, equipment, systems) needed to keep them working. This step is often referred to as the Business Impact Analysis (BIA BIA
abbr.
Bureau of Indian Affairs ).

3) Strategy

Using the information from the risk assessment and the business impact analysis, consider the options for increasing your resilience resilience (r

·zilˑ·yens),
n to the key risks you face and also for developing a response/recovery capability. For example, you could make a function more resilient See resiliency. to a disruption affecting one location by splitting it across two locations or by cross-training cross-training Multiskilling Sports medicine 1. The regular participation in multiple sports–eg, basketball and long-distance running 2. The exercising of muscle groups or participation in a sport differing from than an athlete's primary sport. See Training. staff in another area. Resilience to network failure can be increased by implementing dual-routing or using two providers.

In terms of response/recovery, in the event of a building-related disruption you may decide to move people to an alternative location, either one of your own or one provided by someone else. In response to IT failure, you may decide to purchase new servers and rebuild/restore at the time. If you can't wait that long, you may decide to contract for specialist IT disaster recovery services. The Important thing is that you document your preferred strategy and implement it.

4) Plan

Finally, we've we've

Contraction of we have.

we've have reached it. The plan should simply set out in a clear logical order what your (or your colleagues) will do in the immediate aftermath of a disruption. I suggest that at the front of the plan you list the things to be done first--together with the name or role of the person doing them sometimes referred to as 'initial response actions'. Next, list those tasks necessary to invoke To activate a program, routine, function or process. your agreed recovery strategy and, at the back of the plan, include any supporting information that would be helpful at the time of an incident (names, contact numbers, location maps, checklists, etc). Remember, it should be an action-orientated document, not a management report; keep background material and introductions to a minimum.

5) Test

Having implemented your response/recovery arrangements and written a plan that ensures they can be invoked successfully, it make a great deal of sense to prove that they will work. One of the simplest exercises to perform is a tabletop walkthrough A step-by-step review of a specification, usability features or design before it is handed off to the technical team for development. See use-case analysis and pair programming. ; bring together the various member of your response/recovery teams--with their plans--and talk through a potential scenario. This kind of event will drive out most errors, omissions and false assumptions that exist. It also provides something tangible to what some people consider a very dry, abstract subject.

In addition, of course there are 'real' things that can be tested: restoring back-up In cartography, an image printed on the reverse side of a map sheet already printed on one side. Also the printing of such images. tapes, connecting to remote servers, switching telephone lines, trying out manual workarounds and so on.

6) Maintain

By this point, you will have invested time and money in developing proven business continuity arrangements. It is important that this investment does not decay The reduction of strength of a signal or charge.

decay - [Nuclear physics] An automatic conversion which is applied to most array-valued expressions in C; they "decay into" pointer-valued expressions pointing to the array's first element. over time simply through neglect. Implement a simple maintenance routine, perhaps in conjunction with your internal audit team, to ensure that once every three to six months or so, each team meets to review their plan and check that nothing has changed. If it has, update the strategy and/or the plans and re-issue.

Eventually, you may need to go back to the beginning and re-assess your risks and check the business impacts. For some fast-moving businesses, this might be an annual event, while for others once every two to three years may suffice suf·fice
v. suf·ficed, suf·fic·ing, suf·fic·es

v.intr.
1. To meet present needs or requirements; be sufficient: These rations will suffice until next week. . You will be able to define this as part of your maintenance process.

And there we have it: A very simple process that will take your business through the various stages of the business continuity lifecycle. This should ensure that you engage your colleagues at each stage in the process and avoid the common pitfall pit·fall
n.
1. An unapparent source of trouble or danger; a hidden hazard: "potential pitfalls stemming from their optimistic inflation assumptions" New York Times. of writing a plan in isolation; a plan that few will use and even fewer will understand.

I believe it was Eisenhower who said "plans are nothing; planning is everything", I think he was right!

Steven Garrod--Garrison Continuity

[ILLUSTRATION OMITTED]

Garrison Continuity will be exhibiting at Business Continuity--The Risk Management Expo 2007 which is the UK's most Definitive Event for Managing Risk, Resilience and Recovery combining an exhibition, free seminars and a paid for high level conference. To be hem at London's Excel A full-featured spreadsheet for Windows and the Macintosh from Microsoft. It can link many spreadsheets for consolidation and provides a wide variety of business graphics and charts for creating presentation materials. Docklands from 28th-29th March 2007.

COPYRIGHT 2006 A.P. Publications Ltd.
No portion of this article can be reproduced without the express written permission from the copyright holder.

Reader Opinion

Article Details
Printer friendly Cite/link Email Feedback
Title Annotation:	DATABASE AND NETWORK INTELLIGENCE
Author:	Garrod, Steven
Publication:	Database and Network Journal
Date:	Dec 1, 2006
Words:	1044
Previous Article:	Survey--2007 set to be year of online customer engagement.
Next Article:	Cyber-Ark ranked in the 2006 Deloitte Technology Fast 500 EMEA.
Topics:	Business planning Business plans

Related Articles
Proposed change to continuity-of-shareholder-interest requirement in acquisitive reorganizations.
Saskatchewan organization internationally recognized as champion in strategic alliance. (Off the Wire).
Firms go west for 'disaster recovery' space.
Getting more intelligent about storage management.
Evaluating high-availability solutions for Microsoft Exchange.
Does your contact center have a business continuity plan?
Taking the road to exit planning.
Information miscues lead to bad targeting decisions.
Successful business continuity strategies: how to conduct business as usual in unusual times.
Planning for resiliency: why regular testing of your business continuity and availability plan is more critical than ever.