
State of emergency

The question is not whether to have business continuity and disaster recovery (BC/DR), it is how to put one in place. In the first of a two-part series, NME puts together some of the crucial information that IT managers should keep in mind while formulating a comprehensive BC/DR plan.


How can I assess when my firm needs a BC/DR programme?

Business continuity and disaster recovery has become a crucial element for most large enterprises, and the Middle East is no exception. Assessing when exactly a business needs a BC/DR option and getting together a business continuity plan (BCP) are, however, easier said than done.

“In simple terms if your business process downtime affects your profits and customers, and the cost to avoid this is less than the losses or penalties resulting from lost customer contracts or not adhering to regulations, you need a business continuity plan for the organisation,” says Mohammed Fouz, CEO of eHosting Datafort (EHDF).

Rohit Kumar, business head for the Middle East at Paladion Networks, believes that companies have to ask themselves critical questions and answer them honestly before planning for BC/DR.

“Do you have time based service level agreements and penalty clauses with your customers? For example, we will respond to customer service requests within two hours. Does your organisation depend upon centralised IT systems, application and data for your day to day business operations? Does your organisation manufacture goods and lose revenue significantly due to production downtime? Is loss of reputation (public image and standing with customers/vendors/partners) due to business/system down time significant? If the answer to one or more of these questions is a yes then you would want to consider a BCP,” says Kumar.

NME recommends:
The major consideration is data loss and the impact it would have on your organisation. If downtime at the network and infrastructure level could affect your company’s operations adversely and cause financial and reputational damage, then it is already time to create a business continuity plan.

How can I convince my management to invest in a BC/DR facility?

“Show them the business benefits of having a BC/DR capability and indicate how the examination of impact and risk can help them better manage and ensure continued availability of the business, brand protection and company image,” says Norbert Stevens, business unit manager for BCRS MEMA CEE and Germany at HP.

Fouz says that results of past disasters, reports on downtime and financial losses as well as competitor initiatives and any existing audit or BCP reports can help in getting the management to understand the need for BC and DR.

NME recommends:
Analyse your business thoroughly and be sure of why you believe the company needs a BC/DR plan. Ensure that you cover potential threats and possible calamities as well as the financial impacts of these on your business. Present these to your management once you believe the analysis is comprehensive enough to support your case.

What organisational resources have to be in place for creating a BC/DR plan?

For DR planning and IT continuity, it is necessary to understand what IT services are needed, in what timeframe (Recovery Time Objective, RTO), with what level of data currency (Recovery Point Objective, RPO) and in what priority order, says Stevens. BCP requires a similar understanding of all business processes to ensure that service to customers is maintained.

“Develop a strategy for recovering your most critical business operations and systems in the least possible time. You will require good templates and tools to carry out these exercises effectively in a time bound manner. Active participation from business owners for business impact analysis (BIA) and visible commitment from the management are important to ensure the success of any BC/DR plan,” suggests Kumar.

Most standards, such as the ones proposed by DRII, the institute for continuity management, provide a set of templates to guide the BCP. However, most organisations may find this too complicated and would be well advised to customise templates as per their requirements while creating a plan for BC/DR.

While all of the BCP need not be outsourced to third party providers, consultants can be used wisely to ensure that all elements are covered in the organisational plan, especially if this is being done for the first time.

NME recommends:
Ensure that you have management buy-in for the BC/DR activity. Some of the other resources you should keep in mind are people, processes and premises or workplaces. Refer to templates (plenty are available online) as well as the standards as often as possible. They can provide an initial structure on which to base your plan.

What does a typical BC/DR plan include? What are the absolute basics the plan should incorporate?

The plan should clearly prioritise your business operations; in other words, what needs to be recovered during an emergency and in which order. IT managers should keep in mind that during an emergency, business operations will be running at low capacity, with only critical activities being carried out.

“The resources needed, the people involved, the crisis managers and facilities, business recovery procedures, maintenance plan and the testing process should all be included in the BCP,” states Kumar.

Fouz adds that the plan should comprise detailed contact lists, the escalation process, administration information, recovery inventories, time frames, action plans and information on alternate facilities in as much detail as possible.

NME recommends:
A BCP should ideally cover every eventuality that a disaster could throw up. It should take into account immovable assets such as property and combine them with people and process to form a cohesive and workable framework in the event of a disaster. Don’t forget to test it out as often as possible.

How important are business impact analysis and risk assessment to the formation of a BC/DR plan?

“A BIA and risk assessment (RA) are key elements of a BC/DR programme as this allows the organisation to fully understand the true impact of significant business interruption and also the many risks that are most likely to cause any such business interruption,” says Stevens.

RA and BIA are the beginning phases of forming a BCP. The results of this activity provide the basis for the construction of the entire plan and give the team a clear idea of the critical areas that they should be concentrating on.

Risk analysis has to be performed to identify the real threats to the continuity of business operations. A good RA therefore will help install preventive controls. A BIA will help identify operational priorities and resource requirements, and provide information on the timeframe in which data has to be recovered.

NME recommends:
The importance of RA and BIA to a BCP cannot be overrated; they form the foundation of any comprehensive plan for BC/DR. Time and effort should be dedicated to the formation of a clear and structured RA and BIA.

How can I assess the effectiveness of a BC/DR plan?

“A pilot or a proof of concept may help to gauge the effectiveness of a plan,” says Wael Abdoush, manager of systems and technology group at IBM Middle East, Egypt and Pakistan.

Stevens adds that the most important part of the business continuity management programme is exercising the plan and the people responsible for its implementation and success. This can range from awareness training, plan walkthroughs, scenario-based crisis management exercising, crisis communication training and exercising, and of course IT recovery rehearsals.

NME recommends:
Often the only way of validating a BCP is to keep testing it in different circumstances and probably testing each element of it – people, process and premises – at different points in time.

Is an independent audit by a third party necessary in the final stages of a BC/DR plan?

“It is important that BC/DR Plans are known and understood by everyone in the organisation and therefore it is also right that they should be subjected to independent audit and review and fully supported by the board, as ultimately it is the board of directors who are responsible and indeed liable in law for the management of risk within their organisations,” says HP’s Stevens.

Internal and external audits can be planned to audit aspects like the readiness and completeness of the BC/DR plan, says Ahmed Baig, manager of the security consulting practice for EHDF. Kumar, however, states that while approval from the board of directors is essential to the BCP, it is not necessary to have it audited, especially if it has been formulated with help from relevant consultants.

NME recommends:
If a BCP has been formed from scratch by your own team, whether with help from consultants or not, it would be better to put the plan through a grilling process with the board and accredited third party auditing firms.

Should the BC/DR plan be updated or revised periodically? How and why?

The plan has to be updated periodically, say once a year, and based on events such as business expansions, change in infrastructure or other such alterations. Periodic testing will expose weaknesses and inadequacies in the plan which would have to be updated based on test results.

“The revision and updating of the plan is very critical for the success of BCP reflecting the changed conditions of the organisations. These can be done using the existing BCP management and improvements programs. The change in people, technology or business process can be the main catalyst for reviewing the BC/DR plans,” says Baig.

NME recommends:
Fix six-month or annual periodic cycles for plan review and changes. Testing the plan before the review cycle will help you understand any new inadequacies and address them better during the review process. Remember that personnel is not a static resource and it will be necessary to review and redraft the details of the BC/DR plan when people move from the organisation.

How do I include personnel issues and an escalation process in a BC/DR plan?

Personnel is one of the major criteria to take into account in any BCP and the one where most organisations fail miserably.

“Recovery following a significant business interruption or disaster depends primarily on the people within your organisation and therefore it is extremely important that they are exercised as well as the recovery process itself. This can be done by conducting scenario-based exercises where people have to adapt their planning to meet a developing incident. BC awareness training can be incorporated into HR employee induction programmes,” states Stevens.

Kumar points out, “IT managers tend to miss out the people aspects in a BCP and concentrate only on the IT aspects. People may not be available during a BCP or they don’t want to leave their families during a crisis. A plan not considering this element has a high probability of failure during an emergency.”

NME recommends:
Take people into consideration from the initial phases of the plan. Teach your staff to take business continuity seriously and hand-pick the people who are possible candidates to take charge during an emergency. Include them in a strict escalation process as part of the plan. Continuously train and test people in the organisation on their capability and adaptability.

Are there any standards that I should adhere to during the formation of the BC/DR plan?

“Currently BS25999 is the standard being followed in many countries. The planning, implementation and other processes are also conducted utilising practices promoted by BCI (Business Continuity Institute) and DRII,” says Baig.

Stevens agrees saying, “The BCI’s Good Practice Guide in conjunction with the new Standard BS25999 is an excellent starting point. Similarly, there are a number of other good guides from Australia and Singapore that can be very useful.”

“Ultimately, however, if in doubt about how to start, develop or implement your Continuity Planning, seek professional advice from accredited BC practitioners who can help you speed your way to a successful and fully tested and embedded business continuity programme,” he concludes.

NME recommends:
Do detailed research on standards and the templates they advise. Pull in some relevant consultant help. But keep in mind that standards can only guide you in plan formulation. You will have to tweak it as necessary to better fit your particular organisation.
