NationMaster - Encyclopedia: Business continuity planning

Business Continuity Planning (BCP) is an interdisciplinary peer mentoring methodology used to create and validate a practiced logistical plan for how an organization will recover and restore partially or completely interrupted critical function(s) within a predetermined time after a disaster or extended disruption. The logistical plan is called a Business Continuity Plan. For open source BCP "how-to" guidelines, see Wikibooks - Business and economics Image File history File links BCPLifecycle. ... Image File history File links BCPLifecycle. ... Interdisciplinary work is that which integrates concepts across different disciplines. ... Peer Mentoring is a form of mentoring that takes place in learning environments such as schools, usually between an older more experienced student and a new student(s). ... Methodology is defined as the analysis of the // == Headline text == principles of methods, rules, and postulates employed by a discipline or the development of methods, to be applied within a discipline a particular procedure or set of procedures. [1]. It should be noted that methodology is frequently used when method... Logistics is the art and science of managing and controlling the flow of goods, energy and information. ... A plan is a proposed or intended method of getting from one set of circumstances to another. ... It has been suggested that Organizing be merged into this article or section. ... A critic (derived from the ancient Greek word krites meaning a judge) is a person who offers a value judgement or an interpretation. ... Common description Commonly the term Guideline denotes one or more rules that describe a process. ... Wikibooks logo Wikibooks, previously called Wikimedia Free Textbook Project and Wikimedia-Textbooks, is a wiki for the creation of books. ...

In plain language, BCP is how an organization prepares for future incidents that could jeopardize the organization's core mission and its longterm health. Incidents include local incidents like building fires, regional incidents like earthquakes, or national incidents like pandemic illnesses.

BCP may be a part of an organizational learning effort that helps reduce operational risk associated with lax information management controls. This process may be integrated with improving information security and corporate reputation risk management practices. Organizational learning is an area of knowledge within organizational theory that studies models and theories about the way an organization learns and adapts. ... According to Â§644 of International Convergence of Capital Measurement and Capital Standards, known as Basel II, operational risk is defined as the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events. ... Information management is the cibai collection and lancau management of information from one or more sources and distribution to fuck one or more audiences who have a stake in that information or a right to that information. ... Security is everyoneâ€™s responsibility. ... For non-business risks, see risk or the disambiguation page risk analysis. ...

In December 2006, the British Standards Institute released a new independent standard for BCP — BS 25999. Prior to the introduction of BS25999, BCP professionals relied on BSI information security standard BS7799, which only peripherally addressed BCP to improve an organization's information security compliance. BS25999's applicability extends to organizations of all types, sizes, and missions whether governmental or private, profit or non-profit, large or small, or industry sector. British Standards is the new name of the British Standards Institute and is part of BSI Group which also includes a testing organisation. ... BS 25999 is BSIs standard in field of Business Continuity Management (BCM). ... BS7799 (or BS7799-1) is a standard published by the British Standards Institute (BSI) in 1995 and most recently revised in 2005. ...

In 2004, the United Kingdom enacted the Civil Contingencies Act, a statute that instructs all emergency services and local authorities to actively prepare and plan for emergencies. Local authorities also have the legal obligation under this act to actively lead promotion of business continuity practices amongst its geographical area.

Introduction

A completed BCP cycle results in a formal printed manual available for reference before, during, and after disruptions have occurred. Its purpose is to reduce adverse stakeholder impacts determined by both the disruption's scope (who and what it affects) and duration (how bad, implications last for hours, months etc). Measureable business impact analysis (BIA) "zones" (areas in which hazards and threats reside)include civil, economic, natural, technical, secondary and subsequent. Printing is an industrial process for reproducing copies of texts and images, typically with ink on paper using a printing press. ... Look up manual in Wiktionary, the free dictionary. ... The term stakeholder has two distinct uses in the English language: The traditional usage, in law and notably gambling, a third party who temporarily holds money or property while its owner is still being determined. ... This article or section is not written in the formal tone expected of an encyclopedia article. ...

For the purposes of this article, the term disaster will be used to represent natural disaster, human-made disaster, and disruptions. Mount Pinatubo eruption, 1991 A natural disaster is the consequence of a natural hazard (e. ... Man-made hazards are threats having an element of human intent, negligence, error or involving a failure of a system. ...

Prior to January 1, 2000, governments anticipated computer failures, called the Y2k problem, in important public utility infrastructures like banking, power, telecommunication, health and financial industries. Since 1983, regulatory agencies like the American Bankers Association and Banking Administration Institute (BAI) required their supporting members to exercise operational continuity practices (later supported by more formal BCP manuals) that protect the public interest. Newer regulations were often based on formalized standards defined under ISO/IEC 17799 or BS 7799. is the 1st day of the year in the Gregorian calendar. ... 2000 (MM) was a leap year starting on Saturday of the Gregorian calendar. ... The year 2000 problem (also known as the Y2K problem and the millennium bug) was a flaw in computer program design that caused some date-related processing to operate incorrectly for dates and times on and after January 1, 2000. ... For other uses, see Bank (disambiguation). ... For delivered electrical power, see Electrical power industry. ... Copy of the original phone of Alexander Graham Bell at the MusÃ©e des Arts et MÃ©tiers in Paris Telecommunication is the transmission of signals over a distance for the purpose of communication. ... Finance addresses the ways in which individuals, business entities and other organizations allocate and use monetary resources over time. ... The American Bankers Association (ABA) is a free-trade and professional association that promotes and advocates issues important to the banking industry in the United States. ... BAI (Banking Administration Institute) is the leading professional organization for the financial services industry, especially in the United States. ...

Both regulatory and global business focus on BCP arguably waned after the problem-free Y2K rollover. Some believe this lax attitude ended September 11th 2001, when simultaneous terrorist attacks devastated downtown New York City and changed the 'worst case scenario' paradigm for business continuity planning. ^[1] A sequential look at United Flight 175 crashing into the south tower of the World Trade Center The September 11, 2001 attacks (often referred to as 9/11â€”pronounced nine eleven or nine one one) consisted of a series of coordinated terrorist[1] suicide attacks upon the United States, predominantly... New York, New York and NYC redirect here. ... Since the late 1960s, the word paradigm (IPA: ) has referred to a thought pattern in any scientific discipline or other epistemological context. ...

BCP methodology is scalable for an organization of any size and complexity. Even though the methodology has roots in regulated industries, any type of organization may create a BCP manual, and arguably every organization should have one in order to ensure the organization's longevity. Evidence that firms do not invest enough time and resources into BCP preparations are evident in disaster survival statistics. Fires permanently close 44% of the business affected.^[2] In the 1993 World Trade Center bombing, 150 businesses out of 350 affected failed to survive the event. Conversely, the firms affected by the Sept. 11 attacks with well-developed and tested BCP manuals were back in business within days. ^[3] In telecommunications and software engineering, scalability indicates the capability of a system to increase performance under an increased load when resources (typically hardware) are added. ... You may be looking for one of the following: Dimensions: length, width, height Clothing measurements such as shoe size or dress size Geometry Measurement Gelatinous or glutinous substance made from glue, wax, clay or similar Or the following command-line Unix tool: Size (Unix) This is a disambiguation page: a... Complexity in general usage is the opposite of simplicity. ... Category: ... Longevity is a term that generally refers to long life or great duration of life.[1] Reflections on longevity have usually gone beyond acknowledging the basic shortness of human life and have included thinking about methods to extend life. ... â€œWTCâ€ redirects here. ...

A BCP manual for a small organization may be simply a printed manual stored safely away from the primary work location, containing the names, addresses, and phone numbers for crisis management staff, general staff members, clients, and vendors along with the location of the offsite data backup storage media, copies of insurance contracts, and other critical materials necessary for organizational survival. At its most complex, a BCP manual may outline a secondary work site, technical requirements and readiness, regulatory reporting requirements, work recovery measures, the means to reestablish physical records, the means to establish a new supply chain, or the means to establish new production centers. Firms should ensure that their BCP manual is realistic and easy to use during a crisis. As such, BCP sits along side crisis management and disaster recovery planning and is a part of an organization's overall risk management. For other uses, see Data (disambiguation). ... In information technology, backup refers to the copying of data so that these additional copies may be restored after a data loss event. ... The terms storage (U.K.) or memory (U.S.) refer to the parts of a digital computer that retain physical state (data) for some interval of time, possibly even after electrical power to the computer is turned off. ... Secondary can mean: An ordinal adjective indicating Second or second hand, see Primary The secondary in American football refers to the group of (usually four) defensive backs. ... In the context of government and public services regulation (as a process) is the control of something by rules, as opposed to its prohibition. ... Crisis management involves identifying a crisis, planning a response to the crisis and confronting and resolving the crisis. ... For other uses, see DRP (disambiguation). ... For non-business risks, see risk or the disambiguation page risk analysis. ...

The development of a BCP manual can have five main phases:

The above list is not exhaustive. There are a number of other considerations that could be included in your own plan / manual: - Risk Identification Matrix - Roles and Responsibilities (ensuring names are left out but titles are included, e.g. HR Manager) - Identification of top risks and mitigating strategies. - Considerations for resource reallocation e.g. skills matrix for larger organizations. Making a saline water solution by dissolving table salt (NaCl) in water This article is about chemical solutions. ... Look up Implementation in Wiktionary, the free dictionary. ... User acceptance testing (UAT) is one of the final stages of a software project and will often be performed before a new system is accepted by the customer. ... Maintenance, Repair and Operations or Maintenance, Repair and Overhaul (MRO), is fixing any sort of mechanical or electrical device should it get out of order or broken (repair) as well as performing the routine actions which keep the device in working order (maintenance) or prevent trouble from arising (preventive maintenance). ...

Much of the BCP material on the internet is sponsored by consultancies who offer fee-based services for BCP solution development, however basic tutorials are freely available on the internet for properly motivated organizations. ^[4]

Analysis

The analysis phase in the development of a BCP manual consists of an impact analysis, threat analysis, and impact scenarios with the resulting BCP plan requirement documentation.

Impact analysis

An impact analysis results in the differentiation between critical and non-critical organization functions. A function may be considered critical if the implications for stakeholders of damage to the organization resulting are regarded as unacceptable. Perceptions of the acceptability of disruption may be modified by the cost of establishing and maintaining appropriate business or technical recovery solutions. A function may also be considered critical if dictated by law. Next, the impact analysis results in the recovery requirements for each critical function. Recovery requirements consist of the following information: Differentiation can mean the following: In biology: cellular differentiation; evolutionary differentiation; In mathematics: see: derivative In cosmogony: planetary differentiation Differentiation (geology); Differentiation (logic); Differentiation (marketing). ... A critic (derived from the ancient Greek word krites meaning a judge) is a person who offers a value judgement or an interpretation. ... A stakeholder is a person who holds money or other property while its owner is being determined. ... Wall Street, Manhattan is the location of the New York Stock Exchange and is often used as a symbol for the world of business. ... A technical is a fighting vehicle. ... Recovery is the first e-book and seventh installment of The New Jedi Order series set in the Star Wars galaxy. ... Lady Justice or Justitia is a personification of the moral force that underlies the legal system (particularly in Western art). ...

The time frame in which the critical function must be resumed after the disaster
The business requirements for recovery of the critical function, and/or
The technical requirements for recovery of the critical function

Threat analysis

The coronavirus suggested as a causative agent for the SARS outbreak in 2002

After defining recovery requirements, documenting potential threats is recommended to detail a specific disaster’s unique recovery steps. Some common threats include the following: A coronavirus that may cause SARS. From the CDC http://www. ... A coronavirus that may cause SARS. From the CDC http://www. ... Coronavirus is a genus of animal virus belonging to the family Coronaviridae. ... Sars may refer to any of the following: Severe acute respiratory syndrome, commonly abbreviated as SARS Michael Sars, a Norwegian biologist, father of Georg Sars Georg Sars, a Norwegian biologist, son of Michael Sars Special Administrative Regions, commonly abbreviated as SARs Sars, Perm Krai, an urban settlement in Perm Krai...

All threats in the examples above share a common impact: the potential of damage to organizational infrastructure - except one (disease). The impact of diseases can be regarded as purely human, and may be alleviated with technical and business solutions. However, if the humans behind these recovery plans are also affected by the disease, then the process can fall down. During the 2002-2003 SARS outbreak, some organizations grouped staff into separate teams, and rotated the teams between the primary and secondary work sites, with a rotation frequency equal to the incubation period of the disease. The organizations also banned face-to-face contact between opposing team members during business and non-business hours. With such a split, organizations increased their resiliency against the threat of government-ordered quarantine measures if one person in a team contracted or was exposed to the disease. Damage from flooding also has a unique characteristic. If an office environment is flooded with non-salinated and contamination-free water (e.g., in the event of a pipe burst), equipment can be thoroughly dried and may still be functional. The term disease refers to an abnormal condition of an organism that impairs function. ... An earthquake is a result from the sudden release of stored energy in the Earths crust that creates seismic waves. ... A forest fire Fire is a rapid oxidation process that creates light, heat, smoke, and releases energy in varying intensities. ... Flooding in Amphoe Sena, Ayutthaya Province, Thailand. ... Hacker, as it relates to computers, has several common meanings. ... Bribery is a crime implying a sum or gift given alters the behaviour of the person in ways not consistent with the duties of that person. ... This article is about weather phenomena. ... Power Outage is an episode of The WB drama series, Charmed. ... Terrorist redirects here. ... Also see: 2002 (number). ... Year 2003 (MMIII) was a common year starting on Wednesday of the Gregorian calendar. ... Sars may refer to any of the following: Severe acute respiratory syndrome, commonly abbreviated as SARS Michael Sars, a Norwegian biologist, father of Georg Sars Georg Sars, a Norwegian biologist, son of Michael Sars Special Administrative Regions, commonly abbreviated as SARs Sars, Perm Krai, an urban settlement in Perm Krai... FreQuency is a music video game developed by Harmonix and published by SCEI. It was released in November 2001. ... Incubation period, also called the latent period or latency period, is the time elapsed between exposure to a pathogenic organism, or chemical or radiation, and when symptoms and signs are first apparent. ... This article or section does not cite any references or sources. ... A flood (in Old English flod, a word common to Teutonic languages; compare German Flut, Dutch vloed from the same root as is seen in flow, float) is an overflow of water, an expanse of water submerging land, a deluge. ...

Definition of impact scenarios

After defining potential threats, documenting the impact scenarios that form the basis of the business recovery plan is recommended. In general, planning for the most wide-reaching disaster or disturbance is preferable to planning for a smaller scale problem, as almost all smaller scale problems are partial elements of larger disasters. A typical impact scenario like 'Building Loss' will most likely encompass all critical business functions, and the worst potential outcome from any potential threat. A business continuity plan may also document additional impact scenarios if an organization has more than one building. Other more specific impact scenarios - for example a scenario for the temporary or permanent loss of a specific floor in a building - may also be documented.

Recovery requirement documentation

After the completion of the analysis phase, the business and technical plan requirements are documented in order to commence the implementation phase. A good asset management program can be of great assistance here and allow for quick identification of available and re-allocateable resources. For an office-based, IT intensive business, the plan requirements may cover the following elements which may be classed as ICE (In Case of Emergency) Data: This article includes a list of works cited or a list of external links, but its sources remain unclear because it lacks in-text citations. ... Information and communication technology spending in 2005 Information technology (IT), as defined by the Information Technology Association of America (ITAA), is the study, design, development, implementation, support or management of computer-based information systems, particularly software applications and computer hardware. ...

The numbers and types of desks, whether dedicated or shared, required outside of the primary business location in the secondary location
The individuals involved in the recovery effort along with their contact and technical details
The applications and application data required from the secondary location desks for critical business functions
The manual workaround solutions
The maximum outage allowed for the applications
The peripheral requirements like printers, copier, fax machine, calculators, paper, pens etc.

Other business environments, such as production, distribution, warehousing etc will need to cover these elements, but are likely to have additional issues to manage following a disruptive event. This does not cite any references or sources. ... A small, much-used Xerox copier in a high school library. ... This is a list of types of calculators, many of which are obsolete but hoarded by legions of admiring collectors. ... A blank sheet of paper Paper is a commodity of thin material produced by the amalgamation of fibers, typically vegetable fibers composed of cellulose, which are subsequently held together by hydrogen bonding. ... A ballpoint pen A pen (Latin penna, feather) is a writing instrument that applies ink to a surface, usually paper. ...

Solution design

The goal of the solution design phase is to identify the most cost effective disaster recovery solution that meets two main requirements from the impact analysis stage. For IT applications, this is commonly expressed as: For other uses, see DRP (disambiguation). ...

The minimum application and application data requirements
The time frame in which the minimum application and application data must be available

Disaster recovery plans may also be required outside the IT applications domain, for example in preservation of information in hard copy format, or restoration of embedded technology in process plant. This BCP phase overlaps with Disaster recovery planning methodology. The solution phase determines: For other uses, see DRP (disambiguation). ...

the crisis management command structure
the location of a secondary work site (where necessary)
telecommunication architecture between primary and secondary work sites
data replication methodology between primary and secondary work sites
the application and software required at the secondary work site, and
the type of physical data requirements at the secondary work site.

A backup site is a location where a business can easily relocate following a disaster, such as fire, flood, or terrorist threat. ...

Implementation

The implementation phase, quite simply, is the execution of the design elements identified in the solution design phase. Work package testing may take place during the implementation of the solution, however; work package testing does not take the place of organizational testing.

Testing and organizational acceptance

The purpose of testing is to achieve organizational acceptance that the business continuity solution satisfies the organization's recovery requirements. Plans may fail to meet expectations due to insufficient or inaccurate recovery requirements, solution design flaws, or solution implementation errors. Testing may include:

Crisis command team call-out testing
Technical swing test from primary to secondary work locations
Technical swing test from secondary to primary work locations
Application test
Business process test

At minimum, testing is generally conducted on a biannual or annual schedule. Problems identified in the initial testing phase may be rolled up into the maintenance phase and retested during the next test cycle. A year (from Old English gÄ“r) is the time between two recurrences of an event related to the orbit of the Earth around the Sun. ...

Maintenance

Maintenance of a BCP manual is broken down into three periodic activities. The first activity is the confirmation of information in the manual, roll out to ALL staff for awareness and specific training for individuals who's roles are identified as critical in response and recovery. The second activity is the testing and verification of technical solutions established for recovery operations. The third activity is the testing and verification of documented organization recovery procedures. A biannual or annual maintenance cycle is typical.

Information update and testing

All organizations change over time, therefore a BCP manual must change to stay relevant to the organization. Once data accuracy is verified, normally a call tree test is conducted to evaluate the notification plan's efficiency as well as the accuracy of the contact data. Some types of changes that should be identified and updated in the manual include:

Staffing changes
Staffing persona
Changes to important clients and their contact details
Changes to important vendors/suppliers and their contact details
Departmental changes like new, closed or fundamentally changed departments.

Testing and verification of technical solutions

As a part of ongoing maintenance, any specialized technical deployments must be checked for functionality. Some checks include:

Virus definition distribution
Application security and service patch distribution
Hardware operability check
Application operability check
Data verification

A computer virus is a computer program that can copy itself and infect a computer without permission or knowledge of the user. ...

Testing and verification of organization recovery procedures

As work processes change over time, the previously documented organizational recovery procedures may no longer be suitable. Some checks include:

Are all work processes for critical functions documented?
Have the systems used in the execution of critical functions changed?
Are the documented work checklists meaningful and accurate for staff?
Do the documented work process recovery tasks and supporting disaster recovery infrastructure allow staff to recover within the predetermined recovery time objective?

Treatment of test failures

As suggested by the diagram included in this article, there is a direct relationship between the test and maintenance phases and the impact phase. When establishing a BCP manual and recovery infrastructure from scratch, issues found during the testing phase often must be reintroduced to the analysis phase.

References

Notes

^ http://www.continuitycentral.com/feature003.htm
^ http://www.iwar.org.uk/infocon/business-continuity-planning.htm
^ http://howe.stevens.edu/Research/ATT/ReportAllSep1004_v3.pdf
^ http://nonprofitrisk.org/tutorials/bcp_tutorial/intro/1.htm

Bibliography

Burtles, Jim (no date). Building a capable emergency management team. Continuity Central.
More on Business Continuity and British Standard 25999 Continuity Forum
Continuity of Operations Planning (no date). U.S. Department of Homeland Security. Retrieved July 26, 2006.
Purpose of Standard Checklist Criteria For Business Recovery (no date). Federal Emergency Management Agency. Retrieved July 26, 2006.
NFPA 1600 Standard on Disaster/Emergency Management and Business Continuity Programs — PDF (2007). National Fire Protection Association.
United States General Accounting Office Y2k BCP Guide (August 1998). United States Government Accountability Office.

The United States Department of Homeland Security (DHS) is a Cabinet department of the federal government of the United States that is concerned with protecting the American homeland and the safety of American citizens. ... New FEMA seal The Federal Emergency Management Agency, or FEMA, is an agency of the United States Department of Homeland Security (DHS). ... The National Fire Protection Association (established 1896) is an independent, voluntary-membership, nonprofit (tax-exempt) organization. ... General Accounting Office headquarters, Washington, D.C. The Government Accountability Office (GAO) is the non-partisan audit, evaluation, and investigative arm of Congress, and an agency in the Legislative Branch of the United States Government. ...

External links

The external links in this article or section may require cleanup to comply with Wikipedia's content policies.
Please improve this article by removing excessive or inappropriate external links. Please remove this tag when this is done. This article has been tagged since January 2007 . (talk)

Wikibooks: Business Continuity Planning (BCP) life cycle
Business Continuity Planners Association - adapting anticipatory thinking for mutual benefit.
Business Continuity Plan Writing Tutorial
Continuity Forum Continuity Forum BCM Good Practice Public and private sector
Federal Financial Institutions Examination Council's Information Technology Examination Handbook
Globalcontinuity.com
DIR Texas Department of Information Resource
The Disaster Recovery Institute International
Department of Homeland Security Emergency Plan Guidelines

Image File history File links Information. ... Systems thinking is an approach to integration that is based on the belief that the component parts of a system will act differently when isolated from the systems environment or other parts of the system. ... // Interdependence is a dynamic of being mutually responsible to and sharing a common set of principles with others. ...

BSI 17799 supplements

Competency certification ventures

Disaster Recovery Institute International - CBCP, MBCP
AT&T: Business continuity quiz - Test your IT/IQ
The Business Continuity Institute
Business Continuity World

Categories: Wikipedia external links cleanup | Anticipatory thinking | Business continuity and disaster recovery | Collaboration

Results from FactBites:

Business Continuity Planning & Disaster Recovery Planning World (1088 words)
	Prior to creation of the plan itself, it is essential to consider the potential impacts of disaster and to understand the underlying risks: these are the foundations upon which a sound business continuity plan or disaster recovery plan should be built.
	Whether you are entirely new to business continuity and disaster recovery planning, or whether you already have a proven and established plan, the directory should hopefully prove to be of real value.
	The first step in a sensible business continuity process is to consider the potential impacts of each type of disaster or event.

Business Continuity Planning (2310 words)
	Business Continuity Planning is the process of identifying critical data systems and business functions, analyzing the risks of disruption to the data systems and business functions, determining the probability of a disruption occurring and then developing business resumption plans (BRP's) to enable those systems and functions to be resumed in the event of a disruption.
	The goal of an effective business resumption plan and recovery process is to facilitate and expedite the resumption of business after a disruption of critical or impacting data systems and operations has occurred.
	Planning and conducting test exercises should be the joint responsibility of the data center, application administrators and the user(s).

More results at FactBites »

COMMENTARY

Share your thoughts, questions and commentary here

Want to know more?
Search encyclopedia, statistics and forums:

Feeds | Contact
The Wikipedia article included on this page is licensed under the GFDL.
Images may be subject to relevant owners' copyright.
All other elements are (c) copyright NationMaster.com 2003-5. All Rights Reserved.
Usage implies agreement with terms.

Contents