Food for thought: “True genius resides in the capacity for evaluation of uncertain, hazardous, and conflicting information”. – Winston Churchill
Meaning and Scope of a Business Continuity Plan
Business Continuity Planning (BCP), also known as Business Continuity and Resilience Planning (BCRP), is a process of identifying potential threats, risks or worst-case scenarios that can undermine the day-to-day operation of an organization, while also ensuring that staff and assets are protected and able to function in the event of unforeseen circumstances.
The term Business Continuity Plan is sometimes used interchangeably with Disaster Recovery Plan (DRP) or Disaster/Emergency Preparedness Plan, though a Business Continuity Plan is more comprehensive: a BCP deals with the resilience and continuity of the entire organization, while a Disaster Recovery Plan or Emergency Preparedness Plan is not all-encompassing; it is aimed at ensuring that an organization quickly recovers from or adapts to a disruption of its activities due to power failure, data breach etc. Here, preparedness is defined by the Department of Homeland Security as “a continuous cycle of planning, organizing, training, equipping, exercising, evaluating and taking corrective action in an effort to ensure effective coordination during incident response”.
On the other hand, a Business Impact Assessment (BIA) is a subset of a Business Continuity Plan which identifies the impact of a sudden loss of business functions, usually in terms of costs, by looking at the organization’s processes and determining which are most critical. All of these aforementioned constructs are interwoven, hence let’s temporarily excuse the nomenclature or scope and dwell on the end result, which is handling unforeseen circumstances. To this effect, this essay will dwell more on Business Continuity Planning.
Business Continuity Planning is multidisciplinary; it cuts across the purview of the security disciplines known as ‘Enterprise Security Risk Management’ (ESRM) and ‘Security Convergence’ (SC). Enterprise Security Risk Management entails identifying risks/vulnerabilities in an establishment and mitigating them, while Security Convergence deals with the inter-dependence of Information Technology (IT), Physical Security, Safety etc. in an organization. It follows that every serious-minded CEO, Enterprise Security Risk Management Professional or Chief Security Officer of an organization must strive to articulate an effective Business Continuity Plan for his organization.
The Importance of a Business Continuity Plan (BCP)
According to Mark Sekula, President of Facility Futures Inc, a “Business Continuity Plan or an Emergency Preparedness is an organization’s lifeline…because a successful organization can collapse in a heartbeat without such plans”.
The essence of a Business Continuity Plan lies in the fact that every organization or business, whether big or small, strives to remain in business and to be ahead of the competition. Even families that dwell in disaster-prone environments will do well to articulate a Disaster Preparedness Plan. The wise saying of the Greek historian Herodotus more than two thousand years ago, that “great deeds are usually wrought at great risks”, remains valid today. Risk scenarios can vary from floods, fire outbreaks, tornadoes, disease epidemics (e.g. the Ebola outbreak), malicious cyber-attacks or data breaches, political uncertainty and interruptions in energy/power supply; the list is almost endless. It is dicey when the risk involved has no prior warning or antecedent. Even when there are prior warnings, things can still go wrong, especially if a rigorous Business Continuity Plan (BCP) is not in place. A good BCP aims to eliminate or mitigate such an air of uncertainty. The capacity of an organization to effectively curtail or handle such adverse outcomes boosts the organization’s reputation and market value and increases client confidence.
Elements of a Business Continuity Plan:
An effective Business Continuity Plan (BCP) must have answers to the following four basic scenarios:
1. A plausible disruption in the workplace as a result of any of the aforesaid risk scenarios.
2. A reduction of the workforce.
3. A possible interruption of Information Technology (IT) services, and
4. Interruptions from 3rd party vendors: While the first three components are directly within the confines of an organization to handle, the fourth component is always dicey because you can’t really guarantee the capacity of your vendor to handle its own end of the bargain. To this end, experts recommend that in addition to having your own water-tight Business Continuity Plan, your organization must go the extra mile of vetting the resiliency or the ability of your organization’s vendors to continue rendering services or supplying products in the event of unforeseen circumstances.
How To Make An Effective Business Continuity Plan (BCP):
To produce an efficient Business Continuity Plan, an organization or those tasked with the responsibility must:
1. Identify the scope of the Business Continuity Plan.
2. Establish the key business areas or services rendered by the organization.
3. Establish the critical functions.
4. Establish the interconnectedness of the various business areas and functions.
5. Ascertain the acceptable period of time for such critical functions.
6. Create a workable plan to maintain operations, even if it is not full operations.
7. Subject the Business Continuity Plan to a rigorous test to determine if it will achieve the anticipated outcome. Best practice recommends testing a Business Continuity Plan (BCP) say 2-4 times annually, depending on the type of organization involved.
8. Periodically review, improve and create adequate awareness of the Business Continuity Plan within the organization.
A basic Business Continuity Plan can be set down in the form of a checklist to contain, amongst other information:
(a) Names, contact information and addresses of clients and 3rd party vendors
(b) Inventory of suppliers and equipment
(c) Location (websites, companies/individuals) responsible for data backups
(d) Contact information of key personnel and emergency responders
Testing A Business Continuity Plan (BCP):
There are 3 ways of testing a Business Continuity Plan. They are:
1. Table-top exercises – This can be done in a conference room and entails having the BCP team look for possible shortcomings and ensuring that all business units are duly represented in the Business Continuity Plan.
2. Structured walk-throughs – Here, each person involved in designing or testing the effectiveness of the BCP rehearses his or her own component of the BCP in detail with a view to identifying weaknesses, if any. Drills and disaster evacuation role-playing are usually incorporated into such structured walk-throughs.
3. Disaster simulation testing – This literally entails creating an environment or a situation which mimics an actual emergency or disaster, factoring in equipment, supplies, personnel and 3rd party vendors.
1. Cybersecurity: It is highly recommended that EVERY organization that has an online presence or relies on technology (computers, servers, internet, social media etc.) for its daily operation MUST be abreast of cybersecurity best practices to guard against breaches – hacking (Sony data breach), cyber-espionage (Stuxnet), cyber fraud (Carbanak), cyber-terrorism (Syrian Electronic Army, CyberCaliphate) or malicious data breaches by disgruntled employees (Edward Snowden). Given the prevalence and negative implications of technology, such as the phenomenon of Bring Your Own Device (BYOD) and the ‘tyranny of connectedness’, organizations must put in place well-defined social media policies, and regularly back up and safely store their data offsite, if possible on Cloud storage platforms. Financial institutions and other critical national security establishments must have stringent cybersecurity measures such as banning the use of personal flash drives on office computers or installing software that automatically forbids the installation of external drives.
2. Alternative source(s) of power supply: The socio-economic impact of the recent scarcity of petroleum products (petrol, diesel) in Nigeria, with its attendant negative multiplier effect on every fabric of the country, is a case in point. Consider the recent scenario in Nigeria: patients dying in hospitals because there was no electricity and no diesel or petrol to power generators. The manufacturing sector, which relies on generators, came to a standstill. Telecommunication firms witnessed serious strain on their services to the point of threatening to shut down due to acute shortage of diesel. Transport fares skyrocketed. Potable water was in short supply because there was no diesel or petrol to power water pumping machines.
It follows that conventional ‘Business Continuity Planning’ is not the exclusive preserve of organizations; how does a family ensure that unforeseen scenarios in the society – non-availability of petrol, loss of job, disasters etc. – do not grind the family to a halt? Banks ran skeletal services; some Automatic Teller Machines were nonfunctional due to lack of power. Airlines cancelled flights because of lack of aviation fuel. It was total chaos! To forestall such an experience in the future, individuals and thoughtful organizations across Nigeria must begin to divest reliance on powering their appliances and homes with diesel/petrol or electricity from mainstream vendors (PHCN). Solar energy, inverters and wind turbines should be explored.
3. Alternative source(s) of energy supply – While many countries of the world contend with and sufficiently manage the impact of natural disasters, Nigerians endlessly resign themselves to fate and look up to God to come and fix our most basic societal challenge. The majority of the problems bedeviling Nigeria are man-made and not caused by the devil or supernatural forces, as some erroneously believe. Far from being rocket science, refining crude oil is simple chemistry. The defunct Biafran republic refined its own oil some 45 years ago, even in the midst of war, with their not-so-sophisticated technology. So-called illegal refineries abound in the Niger-Delta. Tell it to the Marines, an extenuating reason why the vaunted giant of Africa, the 6th largest producer of crude oil in the world, continues to import refined petroleum products for its subsistence. Where are the policy makers? Given that fuel scarcity is intermittent in Nigeria, why can’t the Nigerian government or its relevant establishments (the NNPC, DPR, etc.) build facilities for storing petroleum products that can last several weeks or months, which the country can resort to during an emergency or if there’s a drop in supply? Take a cue from the United States’ Strategic Petroleum Reserve (SPR) initiative – the largest emergency storage and supply of fuel in the world, with the capacity to hold up to 727 million barrels (115,600,000 m3). As at 27 February 2015, the United States’ SPR inventory is said to have 691.0 million barrels, which equates to about 37 days of oil at 2013 daily US consumption levels of 18.49 million barrels per day. This currently amounts to approximately $43.5 billion worth of crude in the United States SPR reserve.
4. Alternative Vendors – Recall we discussed a fourth element of a Business Continuity Plan (interruptions from 3rd party vendors), which is always not within the ambit of an organization. In addition to ascertaining that your vendor has its own effective Business Continuity Plan, it’s advisable to have alternative vendors (Plan B) that can render similar services in the event of an emergency. The Mafia Manager asserts the importance of a business owner switching its vendors or having alternative vendors. Talking about having Plan Bs, the very poor services of telecommunication firms during the petrol scarcity in Nigeria made one appreciate the need to have alternative GSM number(s) or internet network provider(s) just in case any of the platforms experiences problems. Failure to have a Plan B means you or your organization will be incommunicado if your sole provider experiences hitches, a case of putting all your eggs in one basket.
Conclusion:
From the foregoing, we can appreciate the importance of having up-to-date Business Continuity, Emergency Preparedness or Disaster Recovery Plans. The very essence and implication of a Business Continuity Plan or Emergency Preparedness Plan is summarized in the popular saying that “if you fail to plan, you plan to fail”. Again, “it is better to be too careful than too careless”.
Written By: ©Don Okereke (Entrepreneur, Security Analyst/Consultant, Ex-Serviceman, Writer/Blogger, Change Agent)
Contact me On: donnuait (a) yahoo.com
Follow me on Twitter: @DonOkereke
June, 2015