Business Continuity Planning (BCP) and Disaster Recovery are essential tools for organizations of any size and maturity level, but what may not be apparent is the amount of resources required to ensure an organization is prepared with an effective BCP. All too often, the task of constructing and maintaining the organization's Business Continuity Plan falls to a select few or even a single team member. This happens for many reasons, but without proper thought and planning from senior leadership it will likely lead to a sub-par solution or an ineffective reaction in the event of a BCP incident. The inability to react to an incident effectively could lead to the loss of business functions, revenue opportunities, or even the loss of life and sustainability of the organization. An appropriate level of organizational resource commitment to the BCP effort should be a priority.
What is Business Continuity Planning?
BCP is the process of planning for the continuous operation of an organization, prior to an event, with the intended purpose of ensuring that business services and functions remain operable during and after an incident.
For many years Business Continuity was viewed as an extension of the Information Technology department due to the cross-departmental nature of the systems for which IT was historically responsible. The IT department also earned its image as the holder of the keys to the Disaster Recovery program because the ability to back up data at an alternate site and restore a semblance of critical systems was all that some believed was required for an effective DR program.
At a high level this may make sense, as technology recovery has become essential for the operations of organizations of any size, especially those spanning multiple geographic locations. But for those working at an operational level, Business Continuity requires much more than the ability to recover data and systems – after all, what good are those data backups if the organization is unable to recover personnel, critical infrastructure, and organizational governance?
Maintaining an Effective BCP Team
Developing, implementing, and maintaining an effective Business Continuity Plan requires buy-in and coordination from across the organization. As such, this is not a task that can be delegated to a single individual such as a compliance coordinator or IT manager without a committed team and organizational focus. Nor is it a task that, once complete, can be packaged up and placed on a shelf, never to be seen again until an incident occurs. An effective BCP is an organic and fluid program that should accurately represent the organization at the current moment in time and which requires regularly scheduled updates and revisions.
The scope and size of the teams discussed below may feel excessive at first glance, depending on the organization’s current maturity, but the requirement should become clear after understanding the roles and responsibilities each member fulfills.
Business Continuity Steering Committee
The organization should maintain a Business Continuity Plan that can address a wide variety of possible incidents that may pose a danger to operations, continuity of governance, and business survivability. Constructing a comprehensive plan to safeguard against these dangers requires representatives from critical departments to speak to department-specific risk and recovery efforts. These personnel should be brought together to form the Business Continuity Steering Committee and will likely be comprised of the following departments:
The Business Continuity Steering Committee is largely responsible for the effective implementation of, and adherence to, the Business Continuity Plan and maintains the following responsibilities:
- Ensure the Business Continuity Plan aligns with business objectives
- Ensure the developed plans are routinely tested
- Update plans and procedures as changes within the organization occur
- Make strategic decisions regarding recovery and continuity operations
- Meet frequently during the design and implementation phase of the BCP/DR program
- Gain and maintain executive and organizational buy-in
- Ratify the BCP policy as the authoritative governance document for the program
Business Continuity Incident Response Team
Once the Business Continuity Plan has been generated and implemented across the organization, an additional team is responsible for carrying out the predetermined objectives. Those individuals are responsible for understanding the Business Continuity Plan procedures intimately and maintaining the capacity to implement them during a Business Continuity Incident. These team members are assembled into a functional element known as the Incident Response Team (IRT), which is made up of representatives from each critical area of the organization. This gives the team the ability to speak to and operate intelligently with regard to critical functional areas without undue delay. Due to the immediate and reactive nature of the Incident Response Team, an IRT should be constructed at each geographic location across the organization.
The Incident Response Team is the immediate reactive force an organization maintains for restoring business continuity while reducing the incident impact and is generally composed of the following positions:
The responsibilities for each position are outlined below; the positions should all work together to ensure minimal impact to business operations and the quick and efficient restoration of lost services.
The number of personnel and the effort required to establish and maintain an effective organizational Business Continuity Plan are much greater than a single team member or department could provide. This substantial effort put forth by the organization to assign appropriate personnel and develop the BCP should be guarded. As such, it is necessary to ensure organizational change is implemented with BCP in mind. It’s easy to overlook the auxiliary duties that BCP Team members have been assigned. If a new team member will be required to fulfill BCP roles due to employee turnover, effective changeover procedures, knowledge transfer, and management oversight are necessary.
Special care is to be taken in order to maintain the effectiveness of the cross-functional teams that make up the BCP steering committee and Incident Response Team. Do not join the ranks of companies who’ve discovered their BCP program is lacking – after an incident.
Thanks Lisa! Be sure to stay tuned for much more BCP content to be published next month during Business Continuity Awareness Week.
That’s a great question. Both digital and physical document management is crucial in the business continuity planning and management process for several reasons.
1) Revision Control: When an organization adheres to the practice of continuously updating, improving, and revising its business continuity management system, the risk of outdated material being referenced is very real. To mitigate this risk, a formal and effective change management protocol should be in place to ensure that only the current version is published. Some documents which may clearly demonstrate the importance of revision control are:
a. Evacuation Procedures
b. Contact Lists
c. Regulatory and Legal requirements
2) Access Control: Ensuring that proper access control measures are in place to ensure that only authorized changes, preferably from the Business Continuity Manager or leadership team, are published is critical. This will ensure that all documentation aligns with the organization’s overall business continuity strategy.
3) Distribution and Retrieval: In all organizations, particularly in those with distributed global locations, it is crucial to ensure all response and management personnel are utilizing the same recovery and preparedness documentation. Maintaining these documents digitally allows for easy retrieval and access both during preparedness and training situations as well as during times of emergencies.
There are many other roles in which document management comes into play to support business continuity, but these few listed should help frame the discussion on how to begin approaching it within your own organization.
Thanks again for the great question! I’ll expand upon this further in a future release.