Business Continuity Planning (BCP)
MSIS 4253/5253
What is a Business Continuity Plan?
A Business Continuity Plan is a structured approach to looking at your business, identifying what can go wrong and then putting plans in place to reduce those risks.
You want to protect people and property and to be able to resume your critical business operations/work processes.
Definition
Business continuity planning (or business continuity and resiliency planning) is the process of creating systems of prevention and recovery to deal with potential threats to a company
A subset of risk assessment
Primary focus: any event that could negatively impact operations is included in the plan, such as interruption, loss of, or damage to critical infrastructure (major machinery or computing/network resources).
BCPs are tailored to fit the business
Getting started
Emergency Contact Persons
Organization Policy
Business Description
Office Locations
Alternative Physical Locations of Employees
Data Back-up and Recovery (Hard copy and electronic)
Financial and Operational Assessments
Mission Critical Systems
Alternative Communications Between Organization and Customers, Employees, and Regulators
Critical Business Constituents, Banks, and Counter-Parties
Regulatory Reporting
Disclosure of Business Continuity Plan
Updates and Annual Review
Senior Management Approval
Emergency Contact Persons
Identify the people that will kick off BCP in the event of a disruption
Position should be codified in writing
Should be reachable 24/7
Include name, title, mailing address, email address, telephone number and any other relevant contact information
Organization Policy
State organization’s objective for business continuity:
Our organization’s policy is to respond to a Significant Business Disruption (SBD) by safeguarding employees’ lives and firm property, making a financial and operational assessment, quickly recovering and resuming operations, protecting all of the organization’s books and records, and allowing our customers to transact business. In the event that we determine we are unable to continue our business, we will assure customers prompt access to….
Significant Business Disruptions
Internal: Affects only our ability to communicate and do business
External: Prevents others from doing business
Approval Authority
Plan Location and Access
Business Description and Office Locations
State the type of business the organization conducts
Include major functional areas
Include major inventories held on site
Office Locations
List location of all offices
Include the means of transportation employees use to get to office
Identify which mission critical systems take place at each location
Alternative Physical Location of Employees
Locations organization will use in the event an SBD affects the operation of the main office
Where will employees work?
Think beyond IT work (this is a BCP)
Data Back-up and Recovery (Hard copy and electronic)
Identification of location where primary books and records are stored
Describe how back-ups are accomplished
How will the organization recover data in the event of an SBD?
Financial and Operational Assessments
Operational Risk
Organization’s ability to maintain communications with customers and to retrieve key activity records through its mission critical systems
Financial Risk
Involves the organization’s ability to fund operations and maintain adequate financing and sufficient capital.
May also involve credit risk, which could hinder the ability of the organization’s counterparties to fulfill their obligations
Mission Critical Systems
Could include:
Order taking
Order entry
Order execution and delivery
Other services provided to customers
Supply chain
Clearly describe each
Explain how each will be accomplished in the event of an SBD
Alternative Communications
Customers
Employees
Regulators
Financial Institutions
Critical Business Constituents, Banks, and Counter-parties
Business constituents: What if they can no longer provide needed goods or services due to an SBD?
Identify alternative suppliers
Banks: Can they continue to provide financing?
Identify alternative banks and financial institutions
Counter-Parties: Can a competitor process some of our orders?
Regulatory Reporting
How will the organization file regulatory reports in the event of an SBD?
Describe how it is normally done and when
Determine which means are still available
Written
Oral
Disclosure of BCP
Disclosure statement
How to contact
Basics of the BCP
Communications
Back-ups
How business will be conducted during SBD
Varying disruptions
POC for more information
Issues and Pitfalls (same as DRP)
Lack of buy in
Incomplete RTO and RPOs
System myopia (VPN example, cell phone example)
Lack of security
Outdated plans
Changes in organization structure
Changes in technology
Changes in mission
Failure to test
Summary
BCP is a subset of risk assessment
Focus is on keeping the business operational
Customers, Banks, Counter-parties, Suppliers
BCP, DRP and Risk Assessments all draw on the same data