Business continuity plans have become an essential requirement for organisations, and where there is an even greater reliance on IT/ICT, it is critical to minimise downtime and disruption to the organisation, its employees and customers.
For countries that are prone to natural disasters, business continuity in frequently considered primarily in that context, for example, “how to recover in the aftermath of a hurricane?” However, business continuity, especially IT/ICT business continuity, is a critical element in today’s environment, which organisations can no longer overlook. It is not only following a major disaster such systems are appropriate, they are essential to minimise the effects of a broad range of disruptions and to ensure that business operations are maintained within acceptable limits
Increasingly, organisations, their employees and customers are relying on technology, IT and ICT for seamless, efficient and effective operations, which they cannot afford to have malfunction, period. However, developing a business continuity plan (even for an IT/ICT department) can be an involved process, and may be a bit overwhelming to those charged with spearheading its preparation. As a starting point, this post outlines five critical questions that should be answered by an organisation (or an IT/ICT department) to improve its understanding of the impact of disruptive incidents, and provide essential inputs for the discussions and efforts required to produce the final plan.
Definition and context
Business continuity is a well-developed concept for which a number of internationally accepted standards have been developed. One of the most widely accepted is that of the International Standards Organisation (ISO 22301:2012), which defines business continuity as,
… the capability of the organization to continue delivery of products or services at acceptable predefined levels following a disruptive incident…
(Source: Business Continuity Institute)
By extension, business continuity management encompasses
…a holistic management process that identifies potential threats to an organization and the impacts to business operations those threats, if realized, might cause, and which provides a framework for building organizational resilience with the capability of an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities…
(Source: ISO 22301:2012, Business Continuity Institute)
The established standards would set out a detailed approach and requirements to comprehensively address business continuity. The questions below in no way replace those standards and processes, but hope to begin to orient organisations to mindset and thinking needed to begin developing such a critical plan and supporting systems.
Q1. What are the organisation’s purpose, core roles and functions?
To establish the correct context for the business continuity planning process, it is important from the outset to identify the organisation’s core roles and functions. In the exercise, it is likely that a number of items will be listed; hence it is necessary to also rank them by how critical they are to the organisation and its mandate.
From an IT/ICT perspective, this process should also be followed. However, the questions should first be answered from an organisational perspective. (If an organisational business continuity plan exists, that information might be readily available.) However, thereafter, the focus should be on identifying what might be the IT/ICT department’s mandate, or the role of IT/ICT within the organisation, and ensuring that they are aligned with the overarching organisational obligations.
Q2. What are the critical products and/or services that must be delivered?
Following on from the previous question, this question encourages a fuller recognition and examination of the products and/or services that must be delivered by the organisation to its clients and customers. Generally, the results of that engagement are a key source of revenue for the business, or are otherwise used to gauge its performance.
Again, it may be necessary to rank the listed goods and services in order of priority, as acceptable delivery levels and downtime are likely to be more stringent for the most critical ones, and ultimately may vary across the list of products and services.
Q3. What are the types of disruptions the organisation can experience?
Although a key purpose of a business continuity plan is to focus on minimising and managing the aftermath of a disruptive incident, it is critical to ensure that the plan also includes preventative measures that can be implemented and provide some redundancy against failure. Hence it is recommended that attention be given to identifying the types of disruptive incidents to which the organisation could be subject, and arranging them by likely frequency and potential impact on the organisation.
Factors such as geographic and physical location, country and civil stability, the actual products and services offered, among other things, are likely to influence the types of disruptions listed, and how they are ranked. For example, tropical storms and hurricanes frequently occur across most of the Caribbean – from the Bahamas to Saint Vincent and the Grenadines, and so should feature prominently in plans developed in those countries. However, for plans developed in Curaçao or Guyana, for example, that specific type of storm might be considered a rare occurrence, as those countries generally lie outside the hurricane belt.
Within the context of an IT/ICT business continuity plan, disruptive incidents may be scheduled or unexpected, or may be internal to the network, or due to external forces. Examples of disruptive incidents that could affect an organisation’s IT/ICT infrastructure and ought to be listed and considered would include, but not limited to:
- electrical outages
- equipment damage and malfunction
- software glitches
- the effects of system breaches/network hacking
- equipment/system servicing, upgrades, changeovers.
Q4. What is the likely impact of disruptions?
Having identified the organisation’s critical products and services and the types of disruptions that may be experienced, it now possible to synthesise those outputs to begin to determine the impact of those disruptions. It is emphasised that it is not enough to state that a particular incident might be “highly disruptive”, or have “minimal impact”. Instead, it is recommended that the exercise consists of determining, among other things:
- how long could the organisation function without a particular product or service?
- how long customers might be prepared to be inconvenienced by the absence of a product or service?
Q5. What are the consequences to the organisation?
In order to truly drive home the importance of business continuity, the final question to be answered is regarding the consequences to the organisation. Again, it is best to be thorough and, to the extent possible, quantify the losses that could result, for example with respect to:
- loss of revenue
- additional expenses that may be incurred, such as for penalties and fines, for interim arrangements, and to rectify to problem, and
- other losses that might be incurred, such as sanctions that might be imposed, or losses to the organisation’s reputation, market share, or stock price.
In summary, the above five questions would provide organisations with a solid foundation upon which to develop their business continuity plans, and to appreciate the resources that may be needed for its successful implementation. It is therefore emphasised that the effort made to thoroughly address these questions will have an impact on the final quality of the plan developed.
Image credit: nirots (FreeDigitalPhotos.net)