A project planning process for business continuity

Discusses the formulation of a business recovery plan. As a starting point, presents the business recovery timeline model. Gives a framework of components to be considered in a business continuity project planning process, i.e. a risk reduction programme. In the last few years, disaster recovery (DR) practitioners (for IT systems) and business recovery (BR) practitioners (for core business activities) have both agreed that recovering IT systems and services will not ensure the survival of the business. As a result of “real-life lessons learned” from disaster situations, recovery practitioners are constantly inundated with a vast array of contingency methodologies, tools, templates, consulting services, etc. Auditors are also finding themselves in constant “refinement mode” as they review their audit processes and methodologies to ensure the right questions are asked when conducting reviews of BR/DR plans, frameworks, strategies, guidelines, policies and standards. A never ending story – or is it? Based on such “never ending” real-life experiences, one crucial element has surfaced: “consider all risks when building a business recovery plan and if you think your disaster scenario based plan will save your business if a problem escalates for whatever unforeseen reason, you are in for a big shock!” Arnott’s recent product tampering (poisoning of biscuit products) in Australia is just one case. Would your business continuity process handle product tampering? Disaster scenario based plans are basically plans built around a specific disaster. Just ask those who have “been there, done that”; they will tell you that comprehensiveness and flexibility must be built into the business continuity process. Figure 1 is an excellent starting point: it clearly shows the path taken in the event of a problem escalating to a disaster, or of some event that necessitates the declaration of a disaster. A requirement of the business continuity planning process is to instigate a “risk reduction programme”. This will ensure that company threats (refer to Tables I and II) are identified and assessed accordingly. After having identified the risks, “managing” them within the business recovery timeline should be a straightforward process. The end result being a “business continuity – the total solution” process. A business continuity project planning process comprises the following components and should be used in conjunction with a broad risk management process, i.e. risk reduction programme: 1 Obtain top management approval and support. 2 Establish a business continuity planning (BCP) committee. 3 Perform business impact analyses. 4 Evaluate critical needs and prioritize business requirements. 5 Determine the business continuity strategy and associated recovery process. 6 Prepare business continuity strategy and its implementation plan for executive management approval. 7 Prepare business recovery plan templates and utilities, finalize data collection and organize/develop the business recovery procedures. 8 Develop the testing criteria and procedures. 9 Test the business recovery process and evaluate test results. 10 Develop/review service level agreement(s) (SLAs). 11 Update/revise the business recovery procedures and templates.