An Important Proactive Component of Effective Disaster Readiness


Loss prevention professionals are increasingly challenged with new corporate responsibilities. One such area is business continuity. Understanding the steps for implementing an effective business continuity program is a necessity as loss prevention organizations transition from traditional safety and emergency response roles to new value-added responsibilities designed to maintain critical business processes and continued operations both during…and after…a disaster.

The Need for Business Continuity

Having a thoroughly prepared and tested business continuity plan is a critical component of an effective disaster readiness program. Without it, companies risk the loss of critical business operations and face potential financial ruin.

Once referred to as disaster recovery planning, business continuity planning (BCP) is distinctly different. Disaster recovery refers to the immediate and temporary restoration of business operations after a natural or man-made disaster within defined timeframes. Conversely, business continuity is the ability to maintain constant availability of systems, applications, and information across the enterprise during a disaster, as well as afterward.


Business continuity planning is the process of performing the advanced planning and preparations necessary to ensure an organization stays in business and maintains competitive advantage. A business continuity plan will help organizations

  • Identify the impacts of potential operational disruptions and data loss,
  • Formulate and implement viable recovery plans that ensure the continuity and availability of applications, data, and services, and
  • Develop, implement, and administer a comprehensive training, testing, and maintenance program.

The importance of having an effective business continuity plan can be best demonstrated by some alarming statistics. According to an IBM study, 43 percent of companies that experience a major disaster never reopen and 29 percent close within two years. A PriceWaterhouse/British Standards Institute survey showed that 15 percent of firms experiencing a disaster lost more than $1.5 million in revenues while 20 percent lost between $350,000 and $1.5 million.

With these statistics in mind, one would think that having viable business continuity plans would be a top priority among most companies. However, the results of a Harris Interactive study indicate that only 15 percent of U.S. business executives believe their companies are prepared to maintain their critical business infrastructures in the event of a disaster.

These results are further supported by a study that measured the economic impact of the August 2003 U.S. blackout. This study revealed that, despite significant loss of production and man hours, relatively few businesses are putting measures in place to prepare for similar crises in the future. Of the 142 leading executives within the affected area who were surveyed, more than two thirds lost at least a full business day of productivity due to the blackout, and 25 percent lost more than $50,000 per hour of downtime, which converts to at least $400,000 of losses for an eight-hour day. Yet surprisingly, more than a third said they have no risk management or business continuity plans in place.

The protection of critical information is also an important reason to have an effective business continuity plan. According to a recent study, 46 percent of the United States' fastest growing companies have suffered a recent breach of their information security, despite beefed-up precautions since September 11th. In most cases, these businesses were victims of computer viruses or worms, with hackers and email the usual door openers. As a result, 83 percent of victims experienced monetary loss, while nearly one in four suffered network downtime.


In another recent study of IT professionals, it was determined that around 85 percent of U.S. companies rarely or never back up desktop or notebook computers, leaving them vulnerable to significant data loss. While most companies in the study adequately back up servers, the same companies failed to back up desktop and notebook computers, where as much as 90 percent of company data resides.

Regulatory Compliance

An effective business continuity plan is also an important component in fulfilling requirements for several newly enacted business regulations.

In 2002, the Federal Trade Commission issued a final rule under the Gramm-Leach-Bliley Act (GLB) entitled “Standards for Safeguarding Customer Information.” Also called the “Safeguards Rule,” it became effective in May 2003 and established privacy standards for consumer and customer information.

In addition, in April 2003, the Department of Health and Human Services' final security regulations under the Health Insurance Portability and Accountability Act (HIPAA) became effective, requiring certain entities to protect electronic health information, including paper records, from reasonably anticipated threats or hazards.

And in June 2003, the Securities and Exchange Commission published the final rules for Section 404 of the Sarbanes-Oxley Act, which became effective in 2004, requiring CEOs and CFOs of public companies to provide a written internal control report and certification that assesses the effectiveness of their company’s internal control system and financial reporting procedures.

The GLB Safeguards Rule and the HIPAA security regulations both mandate the adoption of processes that are designed for the protection and preservation of designated personal information. Sarbanes-Oxley not only mandates the existence of internal controls, but also requires that transactions are properly recorded and preserved. Having an effective business continuity program in place will ensure that important documentation, data, procedures, and systems are properly protected from loss.

Management Support

In order to establish an effective business continuity program, it is important to gain high-level management support and commitment for the process. This support should include not only the financial support to put into place the resources, procedures, and systems to ensure the company can effectively recover in the event of an emergency, but must also include ongoing support for the continued maintenance and testing of business continuity plans to ensure their viability.

Much like purchasing insurance, a practice that most companies identify as a necessary component of doing business, the business continuity planning process must be thought of as an equally, if not more, important necessity to ensure that critical business operations can be immediately restored.

The plan must be part of the strategic business plan, and the company must budget appropriately and separately for the continuity planning program.

An important component of this support is the development and distribution of a top-level policy statement. A well written policy statement provides the following benefits:

  • Affirms the value of business continuity.
  • Acknowledges and accepts the associated costs.
  • Documents management’s responsibilities.
  • Includes the goals and expectations of the plan, as well as any organizational assumptions or parameters.

In addition to a policy statement, the establishment of a steering committee is also an important first step in gaining support and developing effective plans. The steering committee provides the necessary oversight to the process and monitors the effectiveness of business continuity planning.


In most cases, the steering committee should be composed of high-level members of company leadership from core infrastructure support functions, such as accounting, auditing, information technology, facilities, human resources, legal, public relations, investor relations, operations, purchasing, records management, risk management, safety, loss prevention, distribution, and telecommunications.

The steering committee should meet at least twice annually to review the status of the business continuity planning and development process.

BCP Program Management

Once management support has been gained and a steering committee established, having the appropriate level of human resources available to manage the business continuity process is a critical requirement.

In this respect, some companies may choose to outsource this function and have business continuity plans built and managed by an outside vendor. Vendors such as IBM and Sungard can provide a wide range of services ranging from simple consulting to full plan development.

Other companies may find that hiring an in-house business continuity manager is a more effective strategy. Similar to other specialized professions, those who are certified in business continuity planning must fulfill a training and experience requirement and must complete a testing process in order to receive certification by the Disaster Recovery Institute in one of three categories:

1. Associate Business Continuity Planner (ABCP) Skill Level: Basic

This entry-level certification is for individuals who have knowledge of business continuity planning and disaster recovery, but have not yet acquired the necessary experience to become a CBCP.

2. Certified Business Continuity Professional (CBCP) Skill Level: Intermediate

This skill level is designed for the planner with a minimum of two years of experience as a business continuity/disaster recovery planner.

3. Master Business Continuity Planner (MBCP) Skill Level: Advanced

This certification is for the experienced, master-level disaster recovery planner with at least five years of industry experience.

BCP Software

If a company chooses to keep business continuity plan management in-house, it may wish to procure business continuity planning software. The purpose of the software is to provide a dynamic and user friendly solution to managing the large amounts of information often required for developing, maintaining, and updating effective plans.

Through the use of several commercially available software packages at various levels of sophistication and cost, those responsible for managing business continuity plans can ensure that a “living document” is maintained at all times.

Many business continuity planning software packages include preformatted templates that ensure greater consistency with plan development and significantly reduce the amount of time required to build plan documents.

In addition, several software packages also include on-line tutorials that can provide added benefits for those who will be using the system. A large company with many employees and facilities may choose a web-enabled software package, which allows users to access the software remotely.

Comparative information regarding the various software packages that are available can be found at www.drj.com/vendor/drj5pcb.html.

 

Risk Assessments

The next step in developing effective business continuity plans is to conduct risk assessments of each of the company facilities that are considered critical to the continuing business operations of the company. These may include corporate offices, data centers, distribution centers, and other important facilities.

The purpose of the risk assessment is to determine the potential vulnerabilities of each facility, the likelihood of business interruption, and the criticality of the facility to the continuing operations of the company.

Typically performed by the outsourced consultant or the business continuity manager in conjunction with teams from loss prevention and building operations, risk assessments may include an evaluation of the incident history, including instances of severe weather, power outages, floods, fires, earthquakes, and workplace violence, just to name a few.

In addition, risk assessments should evaluate general facility issues, such as the existence of an emergency generator or the presence of other tenants in the building, as well as review the current systems, practices, and procedures for facility security, life safety, data center/technology security, and hazardous materials.

A final element of the risk assessment should include a review of the various departments or business units that operate within the facility.

Business Impact Analysis

Another critical component of developing an effective business continuity plan is the completion of a business impact analysis (BIA). The goal of the BIA is to identify mission-critical business functions, processes, and applications in order to understand the potential financial and non-financial impact on the business should an unforeseen disruption to the business occur.

In addition, the BIA helps to prioritize the recovery of business processes and technology to ensure that a company can continue to meet the needs of its customers, employees, and shareholders.

Through a series of questions completed by knowledgeable members of each business unit or department, business continuity planners can more accurately assess the company’s business requirements. The results of the BIA provide direction for the detailed recovery procedures to be documented in the business continuity plans and enable companies to make sound investment choices on the most cost effective way to resume business operations. BIA templates are often packaged as a part of business continuity planning software, but can be purchased separately as a stand-alone package.

BCP Strategy

Upon completion of the risk assessments and business impact analysis for each facility, a strategic plan must be developed to ensure business continuity plans are developed in a logical sequence, beginning with company facilities that have been ranked highest in terms of their level of risk and/or criticality to the ongoing operations of the company.

Because building effective business continuity plans and maintaining them can be a time-consuming process, it is important to have a properly developed implementation strategy. During this planning stage, each facility should be evaluated in terms of the business units that operate within it with special attention to those identified as critical to continuing business operations.

The planning stage should also identify the level of disaster impact that will be used as the basis for writing the plans. By utilizing the results from the risk assessments, business continuity planners can properly assess and rank order the facilities that are most likely to experience business interruption and ensure plans are built to address the multiple disaster scenarios that were defined in each facility's assessment and their impact on each facility. At a minimum, plans should be developed to recover important business processes that are disrupted due to loss of the facility, loss of technology, or both. Using this methodology will ensure that plans are prepared for any possible disaster event.

Business Continuity Plan Development

The next step in the business continuity planning process is the actual development and documentation of business continuity plans. In order to accomplish this task, individuals from each business unit must be chosen and trained for the purpose of writing the plan details. Referred to as “planners,” these individuals should be carefully chosen, since having a planner who is knowledgeable about the critical infrastructure and processes associated with that business unit is key.

In many cases, the employee assigned to complete the BIA may also be the best candidate to be the planner. In other cases, the business unit or pyramid head may choose a different individual(s) who will be assigned this responsibility. In either case, by having knowledgeable employees within each business unit or department write the plan for that business unit (as opposed to it being written by the business continuity manager), multiple goals can be achieved:

  • Knowledgeable employees in each business unit know best what the day-to-day activities are. Thus their plans more accurately reflect what is needed to recover.
  • Different business units can be generating plans at the same time for greater efficiency.
  • Plan ownership and buy-in is gained from the business unit management and employees.

Once the planners have been chosen, they must be trained on how to write effective plans with the available business continuity planning tools. In the case of purchased planning software, planners must become familiar with how to navigate the software and populate the various information templates that have been established.

Once training has been completed, it is now time to populate the various templates. This will include insertion of the emergency notification protocol such as a “call tree,” as well as life safety procedures and emergency contact information for all of the employees in the respective business unit. Employee contact information should include the office, home, mobile, and pager numbers, as well as the name and information for backup employees and managers.

In addition, the planner should carefully prepare and include the required sequential steps needed to recover critical business processes, making certain to include persons responsible for each step as well as the systems, equipment, and resources that will be required.

Other templates requiring completion may include important vendors and their contact information, computer and technology requirements, document and forms requirements, and the office furniture and supply needs.

As each planner populates their templates with the required information, the data can be rolled-up and combined with the data from other business units in order to create a global picture of the recovery needs for a particular facility.

Plan Documentation and Distribution

Some continuity planning software vendors sell web-based services that make your plan available from any computer. The drawback to these services, however, is that if you do not have access to a PC or if the disaster also makes the vendor’s site inaccessible, you may not be able to access the plan.

Because of this, each planner and key members of company leadership should carry a soft copy of the plan on a CD as well as have access to a printed hard copy both at their offices and homes. This ensures immediate accessibility of the plans should a disaster occur.


The business continuity manager should also maintain copies of each completed business continuity plan to ensure that plans can be retrieved in case all other copies of a particular continuity plan are destroyed. Copies should be maintained both on-site in data safes and at the company’s off-site data storage vaults.

Mainframe and Server Recovery

Recovery of the mainframe and critical servers is of paramount importance. The ability to maintain systems and application functionality and to restore critical data and information is, for most companies, the most crucial element required for effectively maintaining business processes and information. Without the availability of mainframe computers and servers, many companies run the risk of significant business interruption.

Typically the responsibility of the IT department, establishing an infrastructure and procedure to maintain and recover the mainframe and servers must rank high on their list of priorities.

In many cases, this recovery can be established through the utilization of redundant systems that can be located in a vendor-supplied “hot site” that will allow for immediate recovery should the company’s main systems go down. Other companies may have the luxury of maintaining their own back-up mainframe and servers in a separate location far from the primary systems. In either case, once established, it is critical that regular testing of the back-up mainframe and server systems be performed to ensure viability.

Recovery of Workstations

Equally important to recovering the mainframe and servers is the ability to recover key workstations for those employees who are essential to maintaining ongoing business operations. This is especially important where employee responsibilities require direct communication with customers or vendors in order to maintain business operations, or where access to critical business processes is required.

An example of this may be the employees at a credit call center who have responsibilities for responding to customer issues or approving new customer accounts. A good business continuity plan will identify those employees or positions that are critical to recover and will provide a solution to enable them to perform their responsibilities with little or no interruption.

An alternate workstation solution should provide both PC and telephone capabilities with the appropriate level of network capacity if required. In addition, the solution should be located far enough away from the facility so as not to also be negatively affected by the same disaster as the facility, yet close enough to allow employees the ability to easily and quickly travel to the new workstation site. A good rule of thumb is to locate alternate workstations approximately twenty-five miles from the facility.

In some cases, especially with smaller businesses, establishing alternate workstations within each employee’s home may be a cost-effective solution. In other cases, leasing or purchasing a separate building or office space may be required due to the number of positions or employees that require recovery according to their plans. Several vendors provide “bricks-and-mortar” solutions, which encompass buildings where companies can lease pre-configured work space and workstations.

Some vendors also provide mobile recovery solutions that consist of self contained trailers complete with desks, PCs, phones, generators, and satellite network connectivity. Requiring only a place to be parked, these self-contained recovery units provide a flexible and scalable workstation recovery solution.

Regardless of the workstation recovery solution chosen, the following considerations must be taken into account:

  • Ensuring the alternate workstation site has adequate network and phone capability.
  • Verifying that the power to the site is adequate and is on a separate power grid from the primary facility.
  • Ensuring the site has adequate facilities and equipment, such as restrooms, HVAC, and lighting, to support the employees in the event of a disaster.
  • Verifying that the site is not in a direct storm path from the primary facility and is not located in a flood plain or on a fault line.
  • Partnering with local governmental agencies to ensure the recovery site is in compliance with capacity, zoning, and fire code standards.


Exercising Plans

Once business continuity plans have been completed and reviewed by the business continuity manager and key members of management in each business unit or department, arrangements should be made to exercise or test the plans to ensure their viability. When planning the exercise, several options can be considered.

Tabletop Exercise. This exercise is a dry run of the business continuity plan conducted by the business unit planner, team leaders, and recovery team members. Typically held around a conference table, the business unit is provided with a real-life scenario that they must respond to using the information contained in their plan. The objectives of conducting a table top exercise of the plan are to:

  • Provide a realistic scenario,
  • Give participants the ability to use only their plan documentation to walk through the recovery process from the scenario provided,
  • Identify any content that may be missing, and
  • Update the plan with lessons learned from the exercise.

Component Exercise. This procedure tests only portions of a plan due to its complexity or the criticality of the functions within the plan. In many cases, this will include application connectivity tests as well as telephony, recovery procedures, and vendor support. Information technology support will be required for this type of exercise.

Full-Scale Exercise. This is a scenario-based rehearsal of all the business continuity plans for either a single business unit or an entire facility for the purpose of testing total plan viability in as realistic a setting as possible. Full-scale testing at either the business unit or total facility level should include activation of the alternate recovery site.

Following the performance of a plan exercise, issues such as deficient procedures or missing information should be documented with a follow-up plan for completion. Planners should then ensure their plans have been revised.

Plan Updates

Once business continuity plans have been completed, tested, and revised, it will be important to develop and communicate a schedule by which plans are maintained and updated. The old adage that business continuity plans are considered outdated the day after they are finalized can hold true if the business unit has a large employee population with frequent turnover or is often changing technologies, business processes, or vendors.

In order to keep the plans as maintained and current as possible, they should be incorporated in a living document, one which will always be in a state of revision and change. In this respect, planners should be encouraged to update the plan on a regular basis, especially if changes involve new systems, applications, or processes that are critical or that impact other business units. As a minimum, plans should be reviewed and updated at least once quarterly.

Emergency Response

In addition to developing viable business continuity plans, there are also several important emergency response components that should be considered to ensure life safety and to minimize damage to company assets in the event of a disaster.

Emergency Response Teams. Emergency response teams provide a common coordination and communication focal point for emergency response and recovery activities. Developing effective emergency response teams at the corporate, division, and facility level will be an important component for effective disaster readiness.

At the corporate level, these teams will be responsible for critical decision making. By utilizing the knowledge, expertise, and vast resources of key people in the company, an appropriate response can be identified for every emergency situation. Accordingly, members of this team should be comprised of high-level corporate leadership, including operations, IT, LP, logistics, legal, government affairs, vendor relations, finance, HR, store planning, facility maintenance, and risk management.

Crisis Command Centers. To improve the effectiveness of coordination and communication, crisis command centers should be identified for use by the emergency response teams. These command centers should have adequate space to convene a meeting of all response team members and should have available adequate technology and communications equipment, including multiple phone lines, speaker phones, network connections, internet connections, cable or satellite television feeds, printers, copiers, fax machines, maps, and flip charts.

In the event of an emergency, a sign in log should be established for the command center and notes should be taken of all emergency response team communications and decisions.

Redundant Communications. Having effective communications is one of the most important criteria to effectively managing a crisis. As experienced during the terrorist attacks of September 11th, communication systems can experience damage or become overloaded with calls following a significant crisis.

The use of cellular telephones from multiple carriers, pagers and Blackberry devices, satellite communication systems, and radio communication devices can help to ensure that emergency response team members have the ability to receive important information and coordinate an effective response.

Conclusion

Developing effective and viable business continuity plans is an important component of an effective disaster readiness program. Although statistics indicate that most companies fall short of having adequate and executable plans in place in order to maintain and recover critical business processes during an emergency event, the continued threat of both natural and man-made disasters, as well as newly enacted regulations, such as the Sarbanes-Oxley Act, are providing additional incentive for investment in this area.

Gaining management commitment and support for the process is an important first step, and articulating this commitment in the form of a policy statement provides further legitimacy and emphasis for the process.

Identifying how the program will be managed, either by outsourcing or by managing it in-house, as well as identifying what information tools or software will be needed to build the plans, must be priorities.

Once these key components are in place, thorough risk assessments and business impact analysis reports will help to prioritize facilities as well as identify mission-critical business functions, processes, and applications and their impact on the business should a disaster occur.

The process of writing business continuity plans requires the involvement of knowledgeable employees from each business unit to ensure that information, such as employee and vendor contacts, computer and technology requirements, and the sequential steps needed to recover systems and processes, are accurately completed.

In addition, plans should also include mainframe/server recovery and recovery of employee workstations at an alternate facility.

Testing the plans using one or more of several methodologies, as well as distributing the plans and updating them regularly, will ensure that an accurate and executable strategy is maintained and communicated on a routine basis.

The establishment of emergency response teams, crisis command centers, and redundant communication tools are further components needed for an effective program.

Through a clearer understanding of business continuity steps, loss prevention organizations can more easily transition from their traditional roles and be better prepared for these new value added responsibilities.

DAVID J. FERGUSON is the vice president of loss prevention, safety, and business continuity for Saks Incorporated, the parent company of Proffitt’s, Younkers, Carson Pirie Scott, Boston Store, Parisian, McRae’s, Herberger’s, Bergner’s, Club Libby Lu, and Saks Fifth Avenue. During his twenty three years of experience in retail loss prevention, he has held various leadership responsibilities with Macy’s, Kohl’s, Rose’s, and Target Corporation. Ferguson earned a BA degree in criminal justice and psychology from Michigan State University and will receive his MBA from Colorado State University in spring 2005.
