Corporate information systems face multiple threats. A power outage in a datacenter, a virus attack, or even a fire caused by a faulty air conditioning unit creates a risk that could compromise the system and result in serious consequences for the company's business. The economic, legal, and public relations impact can be significant if an effective Business Continuity Plan (BCP) hasn’t been implemented to manage unforeseen crises effectively.
The BCP allows a company to remain resilient, i.e. to maintain its ability to continue operating despite a major disaster. However, to be effective, the BCP must be flexible and adapted to the company’s environment, maturity and size.
The basic steps to implement an operational BCP are:
1. Identify major disasters that could impact the company and its critical business activities
First, the company must identify the potential major disaster areas (e.g. building disaster, computer disaster, unavailability of skilled personnel, etc.).
Next, the company should create an operational Business Continuity Plan. In the case of an incident, this plan assesses the effect of a disaster on the critical assets of the company and prioritizes which asset needs to be addressed first. An evaluation methodology known as Business Impact Analysis (BIA) identifies the activities, applications, and critical infrastructure of the company and helps set those priorities. The most frequently used indicators are Recovery Point Objective (RPO), the maximum tolerable data loss, and Recovery Time Objective (RTO), the maximum tolerable downtime. After all business entities have been analysed, the tolerance levels established for the resumption of activities help define the scope of business activity and information systems to which the BCP is applied.
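The following script is an added illustration of the BIA step described above, not something the original article provides. It compares each activity's RPO and RTO tolerances with the recovery capability the company actually has today (backup frequency and measured restore time), flags the gaps, derives the recovery priority list for the first hours after a disaster, and applies a scope threshold (assumed here to be an RTO of 24 hours) to decide which activities the BCP covers. The activity names, figures and threshold are all constructed for the example.

```python
"""Worked Business Impact Analysis (BIA) check (added example; all names and
figures below are constructed, not taken from any real company)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Activity:
    name: str
    rpo_minutes: int               # Recovery Point Objective: max tolerable data loss
    rto_minutes: int               # Recovery Time Objective: max tolerable downtime
    backup_interval_minutes: int   # how often the activity's systems are backed up today
    restore_minutes: int           # measured time to bring those systems back from backup


def rpo_gap(a: Activity) -> int:
    """Minutes by which the worst-case data loss exceeds the RPO.
    Worst case: the disaster strikes just before the next scheduled backup,
    so one full backup interval of data is lost."""
    return max(0, a.backup_interval_minutes - a.rpo_minutes)


def rto_gap(a: Activity) -> int:
    """Minutes by which the measured restore time exceeds the RTO."""
    return max(0, a.restore_minutes - a.rto_minutes)


def meets_objectives(a: Activity) -> bool:
    """True when today's backup and restore capability satisfies both objectives."""
    return rpo_gap(a) == 0 and rto_gap(a) == 0


def in_bcp_scope(a: Activity, max_rto_minutes: int) -> bool:
    """Tolerance level used to delimit the plan's scope (assumed rule): activities
    that may stay down longer than max_rto_minutes are left to normal operations."""
    return a.rto_minutes <= max_rto_minutes


def recovery_order(activities) -> list:
    """Priority list for the first hours after a disaster: tightest RTO first,
    ties broken by tightest RPO, then by name so the order is stable."""
    ranked = sorted(activities, key=lambda a: (a.rto_minutes, a.rpo_minutes, a.name))
    return [a.name for a in ranked]


def bia_report(activities, max_rto_minutes: int) -> list:
    """One row per activity: scope decision, RPO/RTO gaps and overall compliance."""
    return [
        {
            "activity": a.name,
            "in_scope": in_bcp_scope(a, max_rto_minutes),
            "rpo_gap_min": rpo_gap(a),
            "rto_gap_min": rto_gap(a),
            "compliant": meets_objectives(a),
        }
        for a in activities
    ]


# Constructed sample BIA data: two customer-facing activities with tight
# objectives, two back-office activities that can tolerate days of downtime.
SAMPLE_ACTIVITIES = [
    Activity("order-processing", rpo_minutes=15, rto_minutes=60,
             backup_interval_minutes=60, restore_minutes=45),
    Activity("customer-portal", rpo_minutes=5, rto_minutes=30,
             backup_interval_minutes=5, restore_minutes=90),
    Activity("payroll", rpo_minutes=1440, rto_minutes=2880,
             backup_interval_minutes=1440, restore_minutes=240),
    Activity("internal-wiki", rpo_minutes=1440, rto_minutes=10080,
             backup_interval_minutes=1440, restore_minutes=120),
]

if __name__ == "__main__":
    for row in bia_report(SAMPLE_ACTIVITIES, max_rto_minutes=1440):
        print(row)
    print("recovery order:", recovery_order(SAMPLE_ACTIVITIES))
```

Run as-is, the report shows that order-processing is backed up too rarely for its RPO (a 45-minute gap) and that the customer portal cannot be restored fast enough for its RTO (a 60-minute gap); these gaps are exactly the trade-offs step 2 has to resolve within the budget. Note that a real RTO clock also includes detection and decision time before the restore starts, so the measured restore time used here is a lower bound.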
2. Develop strategies for activities and critical IT systems
Once risks and vulnerabilities have been mapped, strategies need to be established for each activity and its associated IT systems. These strategies are essential to building a successful BCP and must be able to meet the recovery schedule while providing solutions that fit the company’s budget.
The BCP must identify key personnel and backups who will be required to restore the company’s most critical systems in the first hours following the disaster. Next, the BCP should list all system configuration elements required to resume activity within a defined time limit. It should also outline the best way to reduce data loss. Finally, there needs to be an assessment of all hardware and software infrastructure (number of workstations, servers, network access), applications (business, IT), and human resources (skills needed to implement the BCP) necessary to resume operations.
Based on the previously determined risk priority list, some trade-offs may need to be made in terms of expected budget or performance.
3. Develop and Implement the Business Continuity Plan
The third step is to document the Business Continuity Plan itself, detailing how the IT system will be brought back up and running following a major disaster. In fact, the BCP consists of several plans essential to its execution, such as employee directories, evacuation procedures, and application repositories. All these elements must be grouped in a “crisis briefcase” and made available to all the continuity plan stakeholders.
The implementation of a global Business Continuity Plan along with overall business management plans allows a company to identify the members of the Crisis Unit and to formalize disaster recovery procedures prior to a crisis. These plans should be prepared in advance and be available at all times. Subsequently, companies should also build specific continuity plans for each activity, keep them updated, and ensure that they are relevant to the current operation and IT systems.
4. Ensure the BCP is kept operational
To better prepare for and be able to respond to a disaster, the company must conduct simulation exercises. In addition to optimizing the management of the BCP, these tests can, in some cases, help meet regulatory requirements. By exercising the BCP, companies can test the limits of the plan and are more likely to discover weaknesses in the developed plans and to identify erroneous assumptions. Through regular audits, the company can implement improvement actions that address any discovered weaknesses.
To be effective, the BCP must also take into account the evolution of the company data centers (number, scope, etc.). Different types of exercises can be performed depending on the maturity of the business and the allocated budget, ranging from unit tests for the recovery of a server to a complete switch of a data center to its backup site. This ongoing review maximizes the reliability of the BCP, ensures it is up to date, helps develop the skills and confidence of key stakeholders, and educates all employees about the plan.
Another priority in the implementation of a BCP is to create a link between the change management process and the BCP, so that IT or organizational changes are incorporated into the next version of the plan. Companies that wish to go further and certify their Business Continuity Plan can refer to the international standard ISO 22301 or similar accreditation standards.
The BCP can not only be a significant competitive advantage, but might also be a prerequisite during certain RFQ bids where the customer wants to rely on a long-term partner.
Companies that develop an operational BCP are adopting a proactive, mature approach tailored to their evolving needs. They are not only better able to respond to major disasters, to organize a structured user shutdown, and to manage a crisis effectively, but they also increase the confidence and loyalty of their customers.