Business Continuity Management: Preparation and Risk
The BCM objectives as defined within the standard are “to counteract interruptions to business activities and to protect processes from the effects of major failures of information systems or disasters and to ensure timely resumption”. Usually, the better prepared you are, the more likely you are to meet this objective, and the more effective your recovery will be.
Unfortunately, many organizations do not properly embrace risk assessment, and often start their business continuity project ill-prepared.
PREPARATION: It is important at the outset to have the full commitment of the Board or Governing Body of the organization. Without this, problems downstream are inevitable. An awareness campaign should follow, to ensure that all staff are notified of that commitment. The business continuity project can then be initiated (central to which is the delivery of a business continuity plan). It is essential, however, that this project is formal and structured. Initial steps for the project itself will include defining scope, and obtaining copies of all appropriate documents and information. A formal risk assessment exercise must follow.
RISK ASSESSMENT: Initial emphasis on effective risk assessment will enable you to predict different types of incidents with more accuracy. It will help ensure that focus is applied to those areas where it is most needed.
This aspect of BCM involves analyzing the business processes and identifying vulnerabilities through risk assessment and probability analysis. It includes the establishment of critical business timeframes, including recovery time objectives (RTO) and maximum tolerable period of disruption (MTPD).
The RTO will represent the time interval between the incident occurring and the time when a measurable negative impact will result on the business, whereas the MTPD will represent the time interval between the incident occurring and the time when the impact from the incident will become extremely serious for the business.
Following a detailed risk analysis of the business and its processes, suitable levels of safeguards and controls should be implemented that will protect the business processes and product delivery. It is important to understand that none of the above tasks can be cut short.
Proper planning and preparation may seem to be a burden, but the payback could well be the survival of the organization itself.
FURTHER INFORMATION: Fortunately, this is a well-trodden path, and specialist portals like the Disaster Recovery Planning Guide provide sound advice on how to take the initial steps described above.