Tuesday, February 4, 2014

The Core Documents of Business Continuity Planning – Getting Started

By Tom Ryan

Congratulations! You've just landed a job or assignment in the Business Continuity department for your company and it's time to get started. As you navigate through the issues, it is important to remember that the mission is to reduce risk to the organization by minimizing the impact of a disruptive event. To do this you will rely on many members of the organization, from senior management to the mailroom.

There are several core documents to be developed and revised over the course of your business continuity career. They are the Business Impact Analysis (BIA), the Risk Assessment, the Business Continuity Plan (BCP), the exercise/test plans, and the governance reporting. But the true core deliverable, in the moment of need, is the business continuity plan.

I put the BIA ahead of the Risk Assessment on the list of documents to create. You will learn that, as with any discipline, there are different schools of thought. In my view, understanding what is critical to the organization is a prerequisite to scoping the risk assessment. For example, if you run a warehousing business, the critical processes will be different from those of a hospital or a financial services company. These processes will have their own risk profiles, and understanding those risks is important.

The true core document is the business continuity plan.  This is the document that will address the risk to the organization; this is the operational document to use in the event of a disaster or lesser incident.  Again, there are schools of thought on the scope and development of the BCP.  One school will look only at the impact and begin at the point of the outage.  My view is that scenario plans can be useful, particularly for events that occur on a regular basis (e.g. hurricanes and blizzards).

To ensure that the BCP is valid, sufficient, and effective, one needs to test it. Each organization will develop a test plan(s) according to its situation. Some organizations may not be able to conduct a test. In these less than ideal circumstances, the business continuity planner should conduct a series of desktop exercises to discuss the plan, the procedures that need to be followed, and potential issues.

The conclusion of tests and/or exercises then leads to governance reporting.  Typically this will be to the business managers associated with the tests.   These reports will review the scope and objectives of the test, issues raised as a result of the tests, and the action plan to resolve or mitigate those issues.   A summary of the tests should be sent to the sponsoring senior manager, senior stakeholders, and appropriate risk committees.

The communication with senior management should illustrate how, and by what means, the business continuity plan will reduce the impact of a disaster on the organization.

Tom Ryan has worked as the global business continuity manager for RBS Sempra Commodities, starting their program from scratch to cover six trading locations with two recovery sites with data centers. He has done business impact analysis and emergency management consulting work with Datalink, Inc. Prior to his roles in business continuity, Tom managed a software QA testing department and was an auditor for major investment banks.


