“The only thing
harder than planning for an incident, is having to explain why you didn't.”
 |
| John Bartlett CBCI, DBCI |
A number of organisations believe that, somehow, they are different
and unlikely to experience or suffer from an incident, the “it will never
happen to me” attitude. More often than not, they are wrong. No organisation
wants to be affected by an incident or expects it, but that does not mean that
they should not consider and plan a response in case it does happen.
Developing and implementing a response to incidents and disruptions
is at the core of Business Continuity. It can determine how your organisation
is perceived and whether your business survives. It consists of ensuring the
appropriate plans are developed and communicated; the required infrastructure
and facilities are implemented to support the plans; and completing the
necessary risk treatments to achieve the desired Business Continuity strategy
defined and agreed (see previous article).
Stages
No matter what the incident or serious disruption, there are five
overlapping stages of the response, each of which needs to be considered and
included within the planning. These stages are:
Emergency – the immediate response and actions that should be considered and if necessary taken, for example evacuation of a building;
Incident Management – the management and coordination of a response to an incident, for example deciding priorities and communicating with stakeholders.
Continuity – the initial response to ensure that essential activities can continue at their minimum level (as defined in the Continuity Requirements Analysis).
Recovery – the actions and activities required to recover additional important activities and increase the essential activities up to a sustainable level above the minimum level.
Resumption – the activities and actions required to return the organisation back to its desired state of operation, which is considered to be “normal” operations. This stage is sometimes referred to as the “Return to normal” stage.
Incident Management – the management and coordination of a response to an incident, for example deciding priorities and communicating with stakeholders.
Continuity – the initial response to ensure that essential activities can continue at their minimum level (as defined in the Continuity Requirements Analysis).
Recovery – the actions and activities required to recover additional important activities and increase the essential activities up to a sustainable level above the minimum level.
Resumption – the activities and actions required to return the organisation back to its desired state of operation, which is considered to be “normal” operations. This stage is sometimes referred to as the “Return to normal” stage.
Within each of these stages, most organisations will need to
consider activities that fall within either a strategic, tactical or
operational context. These three levels should be considered and addressed for
each of the 5 response stages above.
Plans
Once you have discussed and decided on appropriate responses for
your organisation, the appropriate individuals to be involved in each context
(strategic, tactical and operational) should be identified along with how
decisions, actions and communication will operate between them. The responses
and corresponding structure should then be documented.
The purpose of a Business Continuity Plan (BCP) is to provide guidance,
not to be too prescriptive, detailed and complex. This will defeat its purpose,
reduce the likelihood of it being used and make it time consuming to maintain.
A BCP should include all the necessary and essential information, but be
concise, accessible and easy to follow. There is no “one size fits all”
definitive structure that is appropriate for all organisations, but there are
numerous examples of BCP’s on the internet. The ones which are appropriate for
you will depend upon your organisation. However, Business and BCM knowledge
should be combined to determine the optimum Business Continuity response structure
for your organisation, and each plan should have an owner, be regularly
reviewed, tested and validated - then updated if necessary.
Within large organisations it is reasonable to expect there to be a
number of different plans covering aspects of the recovery stages, for example
a Crisis/Incident Management Plan, Business continuity/recovery plans for each
department, IT disaster Recovery plan and a “return to normal” plan. These may
be complimented with specialist plans or procedures to deal with different
types of incident such as evacuation, product recall, stakeholder/media
communication, social media management, pandemics (not to be confused with
specific threat scenarios). Within small organisations or SMEs, a number of
these plans may be combined together.
Infrastructure and facilities
All Business Continuity responses and strategies will require
resources, including people, infrastructure and facilities, whether the
strategy is to operate from someone’s home, or commercial premises. Someone
will need to do something and will need to use something to do it. The BIA and
CRA previously undertaken will identify the essential items required and how
quickly they are required; the agreed strategy will define how they should be
provided. The essential part in planning and implementing the response is to
ensure these requirements can be provided when needed, and the necessary
provisions are implemented and tested to ensure this can happen.
Technology is at the core of most businesses these days and most
organisations struggle to operate without it. Whether it be a large data centre
with multiple, complex servers, data storage and communication links, or
whether it is simply a GSM, laptop and internet connection. Developing a
response, includes implementing the strategy for technology and proving its
capability to support the business during the response stages. This may be
spare GSMs, a backup data centre, replication of data storage, spare
maintenance parts, additional supplies of PCs, laptops and printers or
duplicate communication links.
In addition to the technology, people require somewhere to work and
facilities to assist their working. This is true of a Crisis/Incident response
team and also the people required to continue essential business activities. Facilities
may include office space, desk, chair, telephone, fax, photocopier, filing
cabinets and such forth. If the organisation is involved in manufacturing,
there may also be a requirement for plant and machinery. These should be
identified and provisions implemented to ensure they can be available when
required.
Risk Treatment
As part of achieving the desired and agreed business continuity
strategy, it is important that the agreed treatment for business continuity
risks have been implemented, thereby reducing the likelihood or impact if
certain incidents or disruptions do occur. The response plans should integrate
into the risk treatment plans and ensure methods are implemented to identify
when a risk materialises and the point at which escalation is required in case
it develops into an incident or disruption which requires activation of part or
all of the response plans. The risk treatments should also be regularly
reviewed and monitored to ensure they are still appropriate and achieve the
desired results.
No comments:
Post a Comment