Business Continuity Management
Dave Carlson - February 19, 2008
If nothing ever went wrong, there would be no need for business continuity plans. Unfortunately, it is not reasonable to assume that nothing will go wrong. The only prudent assumption a business manager can make is that everything may go wrong. Risk analysis identifies risks to a business and determines what effects those risks pose to the organization. It is important to determine how a particular disaster is recognized and who is responsible for the action plan. Continuity planning begins with risk analysis and continues with plan preparation. After the plan is prepared, it must be implemented. The most important part of implementation is testing to ensure the plan works and meets organizational needs. Prudent managers keep the plan current.
A long time ago, it was proven that the present level of technology allows for the elimination of pilots from the cockpits of large commercial jets. A huge jumbo jet is able to take off, fly to the opposite side of the globe, and land safely without human intervention. With this knowledge, we must wonder why airline pilots spend so much time on flight simulators, and why pilots are still needed in the front of the plane. The answer is really quite simple—they are rigorously trained to handle emergency situations. (Janczewski & Colarik, 2005, p. 213)
If nothing ever went wrong, there would be no need for business continuity plans. Unfortunately, it is not reasonable to assume that nothing will go wrong. The only prudent assumption a business manager can make is that everything may go wrong. “Business continuity management is a process aimed at reducing disruptions caused by disasters and security failures that could be the results of natural phenomena, accidents, failure of equipment, or deliberate human acts” (Janczewski & Colarik, 2005, p. 213).
Swaroop (2008) taught that the basic philosophy behind risk analysis is that every part of an organization relies on every other part, but some parts are more crucial than others and require a greater amount of attention to avert disaster. Swaroop (2008) illustrated his point by comparing the importance of the cafeteria with the importance of an information system. Business would continue with little interruption if the cafeteria closed, but could grind to a complete halt if the information system were inaccessible.
The purpose of risk analysis is to identify the various risks to a business and determine what effects those risks pose to an organization. Management must identify events that may disrupt regular business processes. Janczewski and Colarik (2005) presented these four interconnected questions as the basis for a business risk analysis:
- What type of disaster can strike, and what is the probability of it?
- In what way can the disaster be detected?
- In what ways can the disaster spread and cause additional damage?
- What overall damages are possible in physical, financial, and marketing aspects? (p. 215)
Janczewski and Colarik (2005) taught that “the first point in the development of a business continuity plan is determining how a particular disaster is recognized and who is responsible for the overall action plan to handle it” (p. 216). Janczewski and Colarik (2005) suggested that “a good business continuity plan should address the following issues”:
- Procedures for the activation of emergency procedures must include who is involved, what sort of authority is required, and who is going to assess the situation.
- A description of the basic emergency procedures relating to a particular accident type. The plans should include arrangements for cooperation with appropriate public authorities (e.g., fire, police, and local government) and tasks for public relations officers.
- Escalation procedures including the possibility of moving the essential services to a backup location and launching operations from there.
- After a direct danger ceases to exist, there must be plans for activities leading to the return to normal business operations.
- Training of staff for handling the emergency procedures.
- A plan for implementing the business continuity plans and the methods of verification and introduction of updates.
- Listing of the people responsible for a particular part of the plan. (pp. 216-217)
The most important part of implementing a business continuity plan is testing the plan to ensure it works as expected. Gosling (2008) warned that the first time you attempt to recover destroyed files it will invariably take much longer than expected, “and it is not a good idea to find this out when the system is being recovered for real” (p. 18). Janczewski and Colarik (2005) explained that the purpose of testing a plan is to find “incorrect assumptions, oversights, and changes in the conditions of organizational functions and personnel” (p. 218).
A factor related to the effectiveness of a business continuity plan is how well the plan reflects the reality of an organization (Janczewski & Colarik, 2005). Outdated plans that do not match organizational needs may make emergencies worse. When forced into a stressful situation, people tend to follow written plans without verifying that the information is correct. Janczewski and Colarik (2005) illustrated this point with a story about a bank that listed a specific repair shop in its recovery plan. Investigation of the current situation revealed that the designated repair shop had changed, but the change was not reflected in the recovery plan instructions.
The National Aeronautics and Space Administration (NASA) directed that its emergency response programs “be continually maintained to mitigate crisis” (NASA, 2006, ¶ 1). NASA is one of the most authoritative organizations on the planet when it comes to continuity planning. It would be prudent for organization managers to follow its lead.
Continuity planning begins with risk analysis and continues with preparation. After the plan is prepared, it must be implemented. The most important part of implementation is testing to ensure the plan works and meets organizational needs. Prudent managers keep the plan current.
Gosling, M. (2008). Have you tested the recovery of your critical systems? Disaster Resource Guide: Technologies to protect, 12(2), 16-18.
Janczewski, L., & Colarik, A. (2005). Managerial guide for handling cyber-terrorism and information warfare. Hershey, PA: Idea Group Publishing.
NASA. (2006). Emergency preparedness program. NASA policy directive NPD 8710.1D. Retrieved February 15, 2008 from http://nodis3.gsfc.nasa.gov/displayDir.cfm?t=NPD&c=8710&s=1D
Swaroop, S. (2008, Winter). A paradigm shift in a service-oriented industry. Disaster Recovery Journal, 21(1). [Electronic version]. Retrieved February 15, 2008 from http://www.drj.com/index.php?option=com_content&task=view&id=801&Itemid=505&ed=10