Disaster Resource

HOW TO PLAN FOR ENTERPRISE-WIDE BUSINESS AND SERVICE CONTINUITY

By Pat Moore

Singular, isolated business or service disruptions as well as large-scale, community-wide disasters have shown us that a well designed and tested enterprise-wide recovery and continuity plan must be in place. Ensuring that an organization's assets, operations, commitments and relationships enterprise-wide are protected is a critical element of staying in business. The frequency and severity with which singular and regional disasters are occurring today prove that planning for the emergency response phase of disaster recovery alone is simply not enough.

As organizations look to extend their recovery planning efforts beyond the life safety and emergency response incident management issues, and move beyond data center and critical applications recovery concerns, the spectrum of enterprise-wide planning can seem overwhelming. There are, however, certain planning elements which are common to all organizations, no matter how large or small.

A successful planning methodology, which will assist you not only in recovering, but ensuring continuity of your core strategic revenue-generating business/service units, operations and processes, will include:

PREVENTION

Prevention addresses the positioning of those measures and activities that will lessen the possibility or the impact of an adverse incident occurring in your organization. The primary goals and objectives of the Prevention phase of a business continuity program are to protect the organization's assets and to manage risk.

RESPONSE

Response is the reaction to an incident or emergency to assess the damage or impact and to ascertain the level of containment and control activity required. In addition to addressing matters of life safety, Response also addresses the policies, procedures and actions to be followed in the event of an emergency.

RESUMPTION

Resumption refers to the process of planning for and/or implementing the resumption of only the most time-sensitive business operations immediately following a disaster.

RECOVERY

Recovery is the process of planning for and/or implementing expanded operations to address less time-sensitive business operations immediately following an interruption or disaster.

RESTORATION

Restoration is the process of planning for and/or implementing procedures for the repair or relocation of the primary site and its contents, and for the restoration of normal operations at the primary site.

THE PLAN

Step 1: Project Initiation
When developing your business/ service continuity program, you will need to determine its objectives, gain senior management support, and allocate the necessary time and resources to develop, exercise and maintain the plan.

Your plan's objectives should include:

• Minimize interruptions to business/service operations
• Resume critical operations within a specified time after a disaster
• Minimize financial loss
• Assure clients/customers/community that their interests are protected
• Limit the severity of the disruption
• Expedite the restoration of services
• Establish awareness so that management and staff understand the implications of a disaster upon services
• Maintain a positive public image of the organization

As you begin to develop the plan, the following assumptions should be defined (and questions answered):

• The organization's business/service goals and objectives
• The organization's policy on business/service continuity planning
• Business/service interruption scenarios that pertain to each plan's functional area and/or location
• A "minor interruption" and "major disaster" in terms of business/service impact and anticipated duration of outage
• What will be reused/recovered and to what capacity levels over what period of time
• Which business/service operations will be resumed immediately
• Which business/service operations will not be resumed immediately and when they will be available
• Which business/service operations are expendable
• What resumption and recovery strategies are to be employed, and what are the priority sequences associated with each
• What resources need to be pre-positioned

Step 2: Business Impact Analysis
A Business Impact Analysis is a proven method of determining this cost of risk by identifying the impact of business or service disruptions, and helping you to target operations and processes which require recovery planning.

A Business Impact Analysis will identify:

• Financial and Operational Impacts (when they begin and when they're most severe.) For example:

Financial Impacts
Lost sales
Lost trade discounts
Contractual penalties/fines

Operational Impacts
Negative public image
Loss of shareholder confidence
Employee morale

• Extraordinary Expenses
Rental of temporary premises/equipment
Moving equipment and supplies
Media reconstruction

• Current State of Preparedness
• Technology Requirements for Recovery
• Special Recovery Resources
• Critical Information Systems Support

The key steps in conducting a Business or Service Impact Analysis are:

• Define the assumptions and scope of the project
• Develop a survey to gather the needed information
• Identify survey recipients and provide needed education
• Distribute the survey; collect and review responses
• Conduct follow-up interviews where needed
• Modify survey responses based on interviews
• Analyze survey data
• Verify results with business/service unit management
• Prepare a report -- present findings to management

Today's automated technology can expedite the data gathering and analysis process and help you present the information to senior management.

When you've completed your Business or Service Impact Analysis, you will be ready to develop your recovery strategies and build your business/ service continuity plans.

Step 3: Plan Construction

Consider the following when building your plans:

• Write your plans so that you can recover equally well in a singular, community-wide or hazardous material disaster.
• Ensure that your pre-qualified, critical suppliers of services and supplies will be available to you when you need them. Your vendors must have their own disaster recovery and business continuity plans, and responding to your needs must be a part of their plans. Ask to see documentation of this response commitment.
• Establish a notification list that identifies who needs to be notified in the event of a disaster at any of your locations, and provides procedural information on how they will be contacted (whether or not there is available power).
• Pre-identify critical resources (communications equipment, supplies, hardware, specialized workforce, etc.) and determine the time frames needed to not only mobilize them but fulfill delivery commitments.
• Establish telecommunications recovery procedures for voice and data, including switching capabilities and backup networks.
• Address the possibility of denied access to your facility due to assessment of structural integrity, forensic investigations, and/or toxic contamination. (Plan for at least a 24 - 72 hour delay in getting back into your facility -- even for just site/damage assessment. If it is necessary to test for hazardous materials, your access can be delayed several weeks or longer.)
• Determine the parameters for declaring a disaster and moving off-site to your hot site, cold site or internal warm site.
• Determine who authorizes this move and other emergency acquisitions, and what special accounting procedures need to be established for tracking these disaster-specific costs.
• Determine the location of your command center(s), its requirements, and what special security/access control procedures you need to establish in advance.
• Determine when you implement your Crisis Management Plan.
• Identify and arrange for the relocation of your strategic revenue-generating and administrative/ staff support functions. Determine what special needs these departments and personnel have.
• Ensure that the pre-identified locations will be available in both a community-wide and singular disaster.
• Research what real estate transactions need to be completed prior to a move.
• Determine how you will resume your production and distribution capabilities and get your finished goods to market.
• Determine how your Crisis Communications Plan will address the continuity of positive communications to your clients, employees and the public regarding your recovery progress.
• Determine what issues you must address to be sensitive to global cultural and philosophical differences.
• Identify your recovery teams and their tasks.

Note: This checklist encompasses only a portion of the business/service continuity planning effort.

Step 4: Exercising and Maintaining the Plan
The litmus test for any business/service continuity plan is that it works when executed. To ensure your plans work, test them. Make certain that the logistics, procedures and tactical strategies you developed are sound.

Plans must be exercised to determine whether:

• Your organization and its critical vendors are prepared to cope with a business/service interruption or disastrous event---anywhere in the world you have operations.
• Backed-up data and documentation stored off-site are adequate to support resumption, recovery and restoration operations.
• Inventories, tasks and procedures are adequate to support resumption and recovery operations.
• Plans have been properly maintained and updated to reflect actual resumption and recovery needs, and, in particular, any changes to the organization.

The information contained in a business/service continuity plan must be kept alive. Organizations are constantly changing --- businesses are acquired, merged and divested; new operations and processes begin, some cease; people leave, are hired, promoted, etc.; customer commitments and supplier relationships change; locations change; responsibilities change; priorities change; etc. You cannot rely on outdated information.

In today's constantly changing environment, where people are often asked to do more with less, it's a challenge to maintain a living plan. Although you may maintain the text portion of your plan, such as corporate policy in a word processing document, if a disaster occurs, you don't want to have to be searching through a manual looking for action lists, notification procedures, critical vendor information, etc. Automated planning systems are invaluable in developing and maintaining your continuity plans and helping you quickly access the information you need in the event of a disaster. We have available to us today cutting edge technology which provides for easy integration and expansion of existing plans, as well as customization within these planning tools to address industry specific terminology and needs.

The challenge of enterprise-wide planning can be more easily met through the utilization and implementation of the above recovery and continuity planning methodology.