Wednesday, 24 June 2015

Why Every Organization Must Have A Business Continuity, Emergency Preparedness Plan




Food for thought:
“True genius resides in the capacity for evaluation of uncertain, hazardous, and conflicting information.” – Winston Churchill

Meaning and Scope of a Business Continuity Plan

Business Continuity Planning (BCP), also known as Business Continuity and Resilience Planning (BCRP), is the process of identifying potential threats, risks or worst-case scenarios that could undermine the day-to-day operation of an organization, while also ensuring that staff and assets are protected and able to function in the event of unforeseen circumstances.
A Business Continuity Plan is sometimes used interchangeably with a Disaster Recovery Plan (DRP) or Disaster/Emergency Preparedness Plan, though a Business Continuity Plan is more comprehensive: a BCP deals with the resilience and continuity of the entire organization, while a Disaster Recovery Plan or Emergency Preparedness Plan is not all-encompassing and is aimed at ensuring that an organization quickly recovers from or adapts to a disruption of its activities due to power failure, data breach etc. Here preparedness is defined by the Department of Homeland Security as “a continuous cycle of planning, organizing, training, equipping, exercising, evaluating and taking corrective action in an effort to ensure effective coordination during incident response”. On the other hand, a Business Impact Assessment (BIA) is a subset of a Business Continuity Plan which identifies the impact of a sudden loss of business functions, usually in terms of costs, by looking at the organization’s processes and determining which are most critical. All of these constructs are interwoven, so let’s temporarily set aside the nomenclature and scope and dwell on the end result, which is handling unforeseen circumstances. To this effect, this essay will dwell more on Business Continuity Planning.

Business Continuity Planning is multidisciplinary; it cuts across the security disciplines known as ‘Enterprise Security Risk Management’ (ESRM) and ‘Security Convergence’ (SC). Enterprise Security Risk Management entails identifying risks and vulnerabilities in an establishment and mitigating them, while Security Convergence deals with the interdependence of Information Technology (IT), Physical Security, Safety etc. in an organization. It follows that every serious-minded CEO, Enterprise Security Risk Management professional or Chief Security Officer must strive to articulate an effective Business Continuity Plan for the organization.

The Importance of a Business Continuity Plan (BCP)
According to Mark Sekula, President of Facility Futures Inc, a “Business Continuity Plan or an Emergency Preparedness is an organization’s lifeline…because a successful organization can collapse in a heartbeat without such plans”.

The essence of a Business Continuity Plan lies in the fact that every organization or business, whether big or small, strives to remain in business and to be ahead of the competition. Even families that dwell in disaster-prone environments will do well to articulate a Disaster Preparedness Plan. The wise saying of the Greek historian Herodotus more than two thousand years ago that “great deeds are usually wrought at great risks” remains valid today. Risk scenarios can vary from floods, fire outbreaks, tornadoes and disease epidemics (e.g. the Ebola outbreak) to malicious cyber-attacks or data breaches, political uncertainty and interruptions in energy/power supply; the list is almost endless. It is dicey when the risk involved has no prior warning or antecedent. Even when there are prior warnings, things can still go wrong, especially if a rigorous Business Continuity Plan (BCP) is not in place. A good BCP aims to eliminate or mitigate such uncertainty. The capacity of an organization to effectively curtail or handle such adverse outcomes boosts the organization’s reputation and market value and increases client confidence.

Elements of a Business Continuity Plan:
An effective Business Continuity Plan (BCP) must have answers to the following four basic scenarios:
1. A plausible disruption in the workplace as a result of any of the aforesaid risk scenarios.
2. A reduction of the workforce.
3. A possible interruption of Information Technology (IT) services.
4. Interruptions from 3rd party vendors: While the first three components are directly within the confines of an organization to handle, the fourth component is always dicey because you can’t really guarantee the capacity of your vendor to handle its own end of the bargain. To this end, experts recommend that in addition to having your own water-tight Business Continuity Plan, your organization must go the extra mile of vetting the resiliency of its vendors, that is, their ability to continue rendering services or supplying products in the event of unforeseen circumstances.

How To Make An Effective Business Continuity Plan (BCP):
To produce an efficient Business Continuity Plan, an organization or those tasked with the responsibility must:

1. Identify the scope of the Business Continuity Plan.
2. Establish the key business areas or services rendered by the organization.
3. Establish the critical functions.
4. Establish the interconnectedness of the various business areas and functions.
5. Ascertain the acceptable period of downtime for such critical functions.
6. Create a workable plan to maintain operations, even if not at full capacity.
7. Subject the Business Continuity Plan to a rigorous test to determine if it will achieve the anticipated outcome. Best practice recommends testing a Business Continuity Plan (BCP) say 2-4 times annually depending on the type of organization involved.
8. Periodically review and improve the Business Continuity Plan, and create adequate awareness of it within the organization.

A basic Business Continuity Plan can be set down in the form of a checklist containing, amongst other information:

(a) Names, contact information and addresses of clients and 3rd party vendors
(b) Inventory of suppliers and equipment
(c) Location (websites, companies/individuals) responsible for data backups
(d) Contact information of key personnel and emergency responders

Testing A Business Continuity Plan (BCP):
There are 3 ways of testing a Business Continuity Plan. They are:

1. Table-top exercises – This can be done in a conference room and entails having the BCP team look for possible shortcomings and ensure that all business units are duly represented in the Business Continuity Plan.

2. Structured walk-throughs – Here, each person involved in designing and testing the effectiveness of the BCP rehearses his or her own component of the BCP in detail with a view to identifying weaknesses, if any. Drills and disaster evacuation role-playing are usually incorporated into such structured walk-throughs.

3. Disaster simulation testing – This literally entails creating an environment or a situation which mimics an actual emergency or disaster, factoring in equipment, supplies, personnel and 3rd party vendors.

Some Business Continuity Recommendations:
 
1. Cybersecurity: It is highly recommended that EVERY organization that has an online presence or relies on technology (computers, servers, internet, social media etc.) for its daily operation MUST be abreast of cybersecurity best practices to guard against breaches – hacking (Sony data breach), cyber-espionage (Stuxnet), cyber fraud (Carbanak), cyber-terrorism (Syrian Electronic Army, CyberCaliphate) or malicious data breaches by disgruntled employees (Edward Snowden). Given the prevalence and negative implications of technology, such as the phenomenon of Bring Your Own Device (BYOD) and the ‘tyranny of connectedness’, organizations must put in place well-defined social media policies, and regularly back up and safely store their data offsite, if possible on Cloud storage platforms. Financial institutions and other critical national security establishments must have stringent cybersecurity measures such as banning the use of personal flash drives on office computers or installing software that automatically forbids the installation of external drives.

2.    Alternative source(s) of power supply: The socio-economic impact of the recent scarcity of petroleum products (Petrol, Diesel) in Nigeria with its attendant negative multiplier-effect on every fabric of the country is a case in point. Check out the recent scenario in Nigeria: patients dying in hospitals because there was no electricity and no diesel or petrol to power generators. The manufacturing sector which relies on generators came to a standstill. Telecommunication firms witnessed serious strain on their services to the point of threatening to shut down due to acute shortage of diesel. Transport fares skyrocketed. Potable water was in short supply because there was no diesel or petrol to power water pumping machines.

It follows that conventional ‘Business Continuity Planning’ is not the exclusive preserve of organizations; how does a family ensure that unforeseen scenarios in society (non-availability of petrol, loss of a job, disasters etc.) do not grind the family to a halt? Banks ran skeletal services; some Automatic Teller Machines were non-functional due to lack of power. Airlines cancelled flights because of lack of aviation fuel. It was total chaos! To forestall such an experience in the future, individuals and thoughtful organizations across Nigeria must begin to move away from relying on diesel/petrol or electricity from mainstream vendors (PHCN) to power their appliances and homes. Solar energy, inverters and wind turbines should be explored.

3. Alternative source(s) of energy supply – While many countries of the world contend with and sufficiently manage the impact of natural disasters, Nigerians endlessly resign themselves to fate and look up to God to come and fix our most basic societal challenges. The majority of the problems bedeviling Nigeria are man-made and not caused by the devil or supernatural forces as some erroneously believe. Far from being rocket science, refining crude oil is simple chemistry. The defunct Biafran republic refined its own oil some 45 years ago, even in the midst of war, with its not-so-sophisticated technology. So-called illegal refineries abound in the Niger-Delta. As for any extenuating reason why the vaunted giant of Africa, the 6th largest producer of crude oil in the world, continues to import refined petroleum products for its subsistence, tell it to the Marines. Where are the policy makers? Given that fuel scarcity is intermittent in Nigeria, why can’t the Nigerian government or its relevant establishments (the NNPC, DPR, etc.) build facilities for storing petroleum products that can last several weeks or months, which the country can resort to during an emergency or if there’s a drop in supply? Take a cue from the United States’ Strategic Petroleum Reserve (SPR) initiative – the largest emergency storage and supply of fuel in the world, with the capacity to hold up to 727 million barrels (115,600,000 m³). As at 27 February 2015 the United States’ SPR inventory is said to have 691.0 million barrels, which equates to about 37 days of oil at 2013 daily US consumption levels of 18.49 million barrels per day. This currently amounts to approximately $43.5 billion worth of crude in the United States’ SPR.

4. Alternative Vendors – Recall we discussed a fourth element of a Business Continuity Plan (interruptions from 3rd party vendors), which is always outside the ambit of an organization. In addition to ascertaining that your vendor has its own effective Business Continuity Plan, it’s advisable to have alternative vendors (Plan B) that can render similar services in the event of an emergency. The Mafia Manager asserts the importance of a business owner switching vendors or having alternative vendors. Talking about having Plan Bs, the very poor services of telecommunication firms during the petrol scarcity in Nigeria made one appreciate the need to have alternative GSM number(s) or internet network provider(s) just in case any of the platforms experiences problems. Failure to have a Plan B means your organization will be incommunicado if your sole provider experiences hitches, a case of putting all your eggs in one basket.

Conclusion:
From the foregoing, we can appreciate the importance of having up-to-date Business Continuity, Emergency Preparedness or Disaster Recovery Plans. The very essence and implication of a Business Continuity Plan or Emergency Preparedness Plan is summarized in the popular saying that “if you fail to plan, you plan to fail”. Again, “it is better to be too careful than too careless”.

Written By:
©Don Okereke
(Entrepreneur, Security Analyst/Consultant, Ex-Serviceman, Writer/Blogger, Change Agent)
Contact me On: donnuait (a) yahoo.com
Follow me on Twitter: @DonOkereke

June, 2015