This paper was developed to provide general background to assist clients in decisions related to outsourcing IT. Please note that this paper presents professional opinions intended to apply generally and that clients must take appropriate care to evaluate them in light of their specific needs. Technology & Business Integrators, Inc. makes no representations, warranties or guarantees of any sort as to the applicability of the opinions presented in this paper.
The purpose of this document is to describe the process and deliverables of a Business Continuity Plan for TBI clients. Technology & Business Integrators (TBI) provides the vision and supporting framework that identifies internal and external risks (risk assessment – RA) and the potential impact (business impact analysis – BIA) on the client’s operations. Based on the results of the BIA, TBI works with client personnel to develop continuity plans for selected mission critical business processes by business unit and to “roll-up” the individual business unit plans into an enterprise-wide Client Business Continuity Plan.
The Need for Business Continuity Planning
The need for a client enterprise-wide Business Continuity Plan (BCP) is self-evident. The primary motivators for developing a BCP have always been:
- Keep the business running
- Lower the impact of any business disruption
- Protect shareholder value
- Reduce liability
- Conform to regulatory requirements.
However, business continuity planning has changed dramatically today – the underlying assumptions are different. Companies have to plan for a worst-case scenario – not only may physical facilities no longer be available, but communication facilities as well as the recovery team itself may not be available. Therefore a BCP must not only focus on the worst-case scenario; it will also have to include multiple levels of back-up of facilities and people, as well as a virtual Command and Control Center (vCCC) to manage the continuity process.
In addition to the cost of multiple back-up capabilities, there is also the reality that the further removed from the primary back-up source, the less efficient the back-up will be, either because the personnel involved will know less about the business process at hand or because the back-up facilities/equipment/service will be less easily adaptable. More extensive documentation will be necessary to compensate for the loss of facilities, knowledge and knowledgeable staff.
Planning and Risk Assessment Phase
In the planning phase, TBI develops a customized template to be used as an information-gathering tool in the Business Impact Analysis Phase. The Client template includes TBI’s Risk Assessment (RA) and will be constructed specific to client requirements. The RA begins with a series of high-level management interviews, a brief documentation review, and selected process observations with the TBI project team and Client personnel to determine the scope of the risks/impacts to be investigated in detail. A simplified TBI RA format is shown below.
The Client RA will include, but not be limited to, the following major categories of risk (defined as the relative criticality of a specific disruption):
- Human Resource disruption/loss
- Technology systems loss
- Supply chain interruption
- Physical site loss
- Market access loss
- Cash flow disruption
- Risks related to business partner loss or severe disruption in their business.
Business Impact Analysis Phase
In this second phase, TBI conducts a series of detailed interviews with key Client Business Unit personnel. For each identified major business process, TBI, with the help of Client Business Operating Unit management, develops an understanding of the following:
- Major business processes
- Customer interfaces
- Supply chain business partners
- Technology support platforms
- Legal and contractual
- Regulatory issues and constraints
- External environmental interfaces (e.g. power, communications)
- Physical site constraints
- Primary and back-up staffing.
As part of this phase, TBI develops a high level “process map” that shows:
- The interactions between processes
- The interactions between Business Units
- The interactions with suppliers, vendors and customers
- The interactions with the external physical and business environment information and workflow
- Staffing and skills requirements.
This process map becomes quite complicated as all of the interactions multiply rapidly. But it is critical to being able to understand how a problem in one process can impact many other processes.
For each major process and interface identified above TBI, again with the help of the Client Business Unit Management, addresses the following:
- Assessing the risks of a business interruption with each process and interface
- Estimating the impact of the interruption on the process, Business Unit, other business units and the organization as a whole (i.e. a high-level quantification in dollars and/or service levels). Impact may change over time, moving from low to high depending upon the length of the disruption. Definitions of impact might be as follows:
  - A high impact would prevent Client from achieving its mission, seriously interrupt operations and/or shut down the business.
  - A medium impact would make it difficult for Client to achieve its mission but still remain in business.
  - A low impact would result in a tolerable degradation of service and would probably not be considered for a business continuity plan effort.
- Identify the options for lessening the risk of a disruption in the first place
- Identify the options for lessening the impact of a disruption once it occurs
- Provide an estimate of the length of time to repair or replace the disrupted process/service
- Identify secondary as well as primary back-up scenarios.
TBI develops a prioritized list of Client Business Processes using two different but interrelated views. First, TBI looks at the high-level dollar quantification of the impact and the time/cost to repair the disruption. This will provide a financial impact analysis.
The second view is to look at the processes along a continuum of how their loss would impact the Client’s ability to maintain services, again from marginal impact to critical impact. Direct financial losses are only part of the potential business interruption impact. Loss of business because the Client cannot deliver services will impact their ability to survive if, for example, there is significant negative publicity even without direct financial impact.
The results of this second view will be blended with those of the first to develop a “risk-prioritized” list of the business processes following the matrix structure in Exhibit 2 below.
Business Continuity Plan Development Phase
Based on the findings and conclusions from the Business Impact Analysis Phase, continuity processes must be developed that are reasonable and cost effective. Client management must decide on the level of redundancy necessary to ensure that a major business process can be fully functional in a disaster.
Levels of redundancy can be broken down as follows:
- Full Redundancy – primarily for mission critical processes that Client must have operational to maintain service levels and eliminate potential harmful situations.
- Partial Redundancy – for Client processes that must be operational, but their absence would not present a dangerous or harmful scenario.
- No Redundancy – for Client processes where it is neither feasible nor practical to implement a business resumption strategy.
After gaining agreement with the appropriate Client Business Unit management, TBI develops a Business Continuity Plan for each Business Unit. The content of each BCP will be cross-referenced with other Business Unit BCPs and checked for conformity to Client risk management standards. The Business Unit BCPs are then rolled up into an enterprise BCP.
Each enterprise BCP will include, at a minimum, the elements shown in Exhibit 3.
Testing & Implementation Phase
The appropriate Client Business Unit Manager reviews each BCP with TBI. A test plan is then developed for each Business Unit. Individual BCPs will be fine-tuned based on actual test experiences and results. Testing should be an ongoing process and therefore needs to be integrated with other day-to-day tasks. If testing and updating the plan are separate tasks, they will often be ignored in light of day-to-day work requirements.
The test plan includes:
- A formal “walk through” with BCP team members
- A “dress rehearsal” for selected team members
- A live test
- Revisions to plan based on test results
- Date of the next test.