By Tom Ryan
Congratulations!
You've just landed a job or assignment in the Business Continuity
department for your company and it's time to get started. As you navigate through the issues, it is
important to remember that the mission is to reduce risk to the organization by
minimizing the impact of a disruptive event.
To do this you will rely on many members of the organization, from senior
management to the mailroom.
There are several core documents to be developed and revised
over the course of your business continuity career. They are the Business Impact Analysis (BIA),
the Risk Assessment, the Business Continuity Plan (BCP), the exercise/test
plans, and the governance reporting.
But the true core deliverable, in the moment of need, is the business
continuity plan.
I put the BIA ahead of the Risk Assessment on the list of
documents to create. You will learn that
there are different schools of thought, as with any discipline. In my view, understanding what is critical to
the organization is a prerequisite to scoping the risk assessment. For example, if you run a warehousing
business the critical processes will be different from those of a hospital or a
financial services company. These
processes will have their own risk profiles, and understanding those risks is
important.
The true core document is the business continuity plan. This is the document that will address the
risk to the organization; this is the operational document to use in the event
of a disaster or lesser incident. Again,
there are schools of thought on the scope and development of the BCP. One school will look only at the impact and
begin at the point of the outage. My
view is that scenario plans can be useful, particularly for events that occur
on a regular basis (e.g. hurricanes and blizzards).
To ensure that the BCP is valid, sufficient, and effective
one needs to test it. Each organization
will develop a test plan(s) according to its situation. Some organizations may not be able to conduct
a test. In these less than ideal
circumstances, the business continuity planner should conduct a series of
desktop exercises to discuss the plan, procedures that need to be followed, and
potential issues.
The conclusion of tests and/or exercises then leads to
governance reporting. Typically, this
will be to the business managers associated with the tests. These reports will review the scope and
objectives of the test, issues raised as a result of the tests, and the action
plan to resolve or mitigate those issues.
A summary of the tests should be sent to the sponsoring senior manager,
senior stakeholders, and appropriate risk committees.
The communication with senior management should illustrate
how, and by what means, the business continuity plan will reduce the impact
of a disaster on the organization.
Tom Ryan has worked as the global business continuity
manager for RBS Sempra Commodities, starting their program from scratch to
cover six trading locations with two recovery sites with data centers. He has done business impact analysis and
emergency management consulting work with Datalink, Inc. Prior to his roles in business continuity,
Tom managed a software QA testing department and was an auditor for major
investment banks.