Business Continuity Planning (BCP)
The purpose of the Business Continuity Planning (BCP) is to enable a business to continue critical services in case of an event of a disruption. The goal of a BCP is to produce a reduced but sufficient level of functionaltiy in the business operations immediately after encountering an interruption and while recovery is taking place.
Business Continuity Planning (BCP) is the process of identifying, developing, acquiring, documenting, and testing procedures and resources that will ensure continuity of a firm's key operations in the event of an accident, disaster, emergency, and/or threat. It involves:
- risk mitigation planning, reducing the possibility of the occurrence of adverse events, and
- business recovery planning, ensuring continued operation in the aftermath of a disaster.
Any event that could negatively impact operations is included in the plan, such as supply chain interruption, loss of or damage to critical infrastructure (major machinery or computing/network resources).
The analysis phase consists of impact analysis, threat analysis and impact scenarios.
- A Business Impact Analysis (BIA) differentiates critical (urgent) and non-critical (non-urgent) organisation functions/activities. Critical functions are those whose disruption is regarded as unacceptable. Perceptions of acceptability are affected by the cost of recovery solutions. A function may also be considered critical if dictated by law. For each critical (in scope) function, two values are then assigned:
- Recovery Point Objective (RPO) must ensure that the maximum tolerable data loss for each activity is not exceeded;
- Recovery Time Objective (RTO) is the acceptable amount of time to restore the function.
The impact analysis results in the recovery requirements for each critical function. These recovery requirements consist of business and technical requirements.
- Threat and Risk Analysis (TRA). After defining recovery requirements, each potential threat such as epidemic, earthquake, fire, flood, cyber-attack, etc. may require unique recovery steps.
- After identifying the applicable threats, impact scenarios are considered to support the development of a business recovery plan. Business continuity testing plans may document scenarios for each of the identified threats and impact scenarios. More localised impact scenarios – for example loss of a specific floor in a building – may also be documented..
The solution design phase identifies the most cost-effective disaster recovery solution that meets two main requirements from the impact analysis stage.
For IT purposes, this is commonly expressed as the minimum application and data requirements, plus the time in which the minimum application and application data must be available.
Outside the IT domain, it is important to consider preserving hard copy information, such as contracts, skilled staff or restoration of embedded technology in a process plant.
The implementation phase involves policy changes, material acquisitions, staffing and testing.
Testing and organisational acceptance
The purpose of testing is to achieve organisational acceptance that the solution satisfies the recovery requirements. Plans may fail to meet expectations due to insufficient or inaccurate recovery requirements, solution design flaws or solution implementation errors.
Issues found during the testing phase often must be reintroduced to the analysis phase.
Biannual or annual maintenance cycle maintenance of a BCP manual is broken down into three periodic activities:
- Confirmation of information in the manual, roll out to staff for awareness and specific training for critical individuals.
- Testing and verification of technical solutions established for recovery operations.
- Testing and verification of organisation recovery procedures.