Taking BCP to the Next Level
So you have your Business Continuity Plan or Plans written and ready... What now? What should you do next?
I've been asked this question a number of times recently, perhaps a reflection
on the uncertain times we currently live in. Here are some possible answers,
depending upon where you are in your Business Continuity process:
Put procedures in place to keep the plan up to date. Will the update process
automatically happen when something changes? Or will you only find out during
your annual review (or when something happens) that the plan is out of date?
Test and Exercise the plan. Not necessarily an expensive fully-fledged disaster
rehearsal, but desktop tests, and technical backup and recovery tests. The aim
is to assure yourself that you know what to do in the event of a major incident,
and that the information and resources required to continue or recover
operations are actually in place. Such tests can be carried out internally, or
with the assistance of independent observers to create test scenarios and to
evaluate the results.
Third Party Readiness Review. This is not as formal (or expensive) as an audit.
A third party consultancy (such as ourselves) examines the plan (as written) and your
company or organization's operations and looks for risks that haven't been
addressed, unrealistic or missing assumptions in the plans, and forms an opinion
as to how well the plan will work in various scenarios. Unlike an audit, it is
assumed that the facts in the plan are correct. For example, if your plan says
you have a backup generator which has sufficient capacity to run your
entire building, no check is made that this is true or that all electrical
systems are connected to the generator. Opinions may be expressed, however,
that it is unlikely that this is true, and that the statement should be checked.
Plan Audit. More formal than a third party review, an audit attempts to give a
great deal of assurance that what is stated in the plan is actually correct and
that procedures are being followed. Since it requires data gathering and fact
checking, it is more expensive than a third party readiness review.
Plan Certification. While it's great that you are sure your plan will work, how
do you prove this to your customers? While the plan protects your business
interests, will it protect those of your customers? How do they know if your
opinion is correct? You say that it will. An independent consultancy has
reviewed the plan and states that it will. But how can the customer distinguish
a meaningful opinion from a meaningless one? It could review the plan. It could
review the reviewer. But in a world with multiple key suppliers, this is too
expensive. To solve this problem, you need standards and independent
certification. Although there are several standards available for Business
Continuity and Disaster Recovery (e.g. NFPA 1600, CSA 1600Z, ...), currently only
one has a certification component. In a similar manner to the Quality Assurance
ISO 9000 series, the BS 25999 standard allows an organization to be certified as
having an effective business continuity process in place. One day there may be
an ISO standard in this area: there is a good chance that any future ISO
standard will be based upon this one.
Organizations without a large number of business-to-business customers may
not find full certification cost-effective, but each level will provide
additional confidence that the company's plan will function in an emergency.
Michael Z. Bell
© Albion Research Ltd. 2013