2011 IEEE GCC Conference and Exhibition (GCC) - Dubai, United Arab Emirates

BUSINESS CONTINUITY PLANNING (BCP) METHODOLOGY – ESSENTIAL FOR EVERY BUSINESS

Dr. Manik Dey PhD, CISSP

Kuwait Institute for Scientific Research (KISR), [email protected]

ABSTRACT

Business Continuity Planning (BCP) indicates how well an organization prepares itself to survive in unexpected disasters, disruptions or changes, assuring that the critical business processes will continue to function in most adverse circumstances with acceptable limitations. BCP is also one of the domains of Information Security management. It has been emphasized by BS 25999 standard that an organization must have a Business Continuity (BC) program in place to fulfill its obligations in this world of uncertainty. The main objectives are that in all unusual situations the business should sustain, maintain regulatory compliances and deliver its products and services with minimum losses to its employees, customers, vendors, and to the society at large. This paper illustrates the concept of BCP along with its implication to business in adverse circumstances and enunciates a methodology about how a Business Continuity Planning framework can be established in an organization.

Index Terms— Business Continuity (BC), Business Continuity Planning (BCP), Business Continuity Management (BCM), BS 25999 standard, Information Security

1. INTRODUCTION

Business Continuity (BC) deals with the continuation of business in adverse circumstances. A business comprises people, processes, various assets, products and services. Any incident such as a market crash, pandemic disease, natural disaster, technological failure, human error, cyber attack, fraud or terrorism which disrupts any of these entities can affect the continuity of business on a short-term or a long-term basis. Business Continuity Planning (BCP) and Management (BCM) are the acts of anticipating disruptions, preventing them or reducing their likelihood, and responding to any such incident in a planned and rehearsed manner so as to recover the losses and bring the business back into operation. Disruptions can come with or without warning, and their results may be predictable or unknown. The term Disaster Recovery Planning (DRP) is used more frequently, but it is actually a part of the broader BCP framework. DRP normally takes care of the continuity of information technology (IT) services and is mostly technical in nature.

Every business needs a BCP to face all possible disruptions and keep its operation running with acceptable downtime. The objectives are to protect human lives, minimize financial and reputational losses, continue serving the customers, and remain in compliance with statutory laws and regulations [7]. Most organizations maintain a 'Plan B' (contingency) in case 'Plan A' (the regular business plan) does not work due to some incident, accident or disaster. However, very recently the world has seen some unprecedented disasters such as the collapse of the twin towers (the 9/11 attack of 2001), the US black-out (2003), the tsunami, Katrina, Rita and the Iceland volcano (2010). These, in conjunction with the corporate corruption cases of WorldCom, Enron, Satyam, etc., have made organizations realize that lack of proper Business Continuity or Disaster Recovery Planning can put them out of business at any time. One report from the US Department of Labor suggests that 40% of the companies facing such disasters never reopen and 25% of the remaining companies close within two years [9]. In fact, after the 9/11 attack, a majority of the affected companies in the World Trade Center went out of business due to lack of adequate DR and BC Planning. An organization's dependency on IT demands that IT-related resources are secured and protected well against all possible devastations. The recent increase in cyber terrorism has also added a further dimension to the problem. That is why Business Continuity is associated with the Information Security Management System (ISMS).
As per the ISO/IEC 27031 standard, the Information and Communication Technology (ICT) infrastructure should ensure the confidentiality, integrity and availability (CIA) of IT services in all circumstances and hence plays a major role in maintaining Business Continuity [8]. In general, a BCP will have IT and non-IT areas. In case of disruption, the IT unit will be busy with restoration and recovery of the related services using the DRP processes, whereas the non-IT areas will be busy with other facilities and business matters so that the overall business prevails.

2011 IEEE GCC Conference and Exhibition (GCC), February 19-22, 2011, Dubai, United Arab Emirates

978-1-61284-119-9/11/$26.00 ©2011 IEEE 229

Through implementation of appropriate BCP frameworks, organizations can maintain continuity and even benefit in the most adverse situations in this world of uncertainty. There are numerous examples, case studies and success stories of organizations benefitting from Business Continuity (BC) initiatives. KPMG's white paper http://www.kpmg.com/CN/en/IssuesAndInsights/ArticlesPublications/Documents/business_resilience_china_0903.pdf describes their case studies in China, where various organizations have been benefiting from BCP initiatives in the competitive market of the economic downturn since September 2008. The broader prospect of BCP is called Business Resilience Planning (BRP), which covers all the changes the business may face, including the disruptions covered by BCP as well as other changing situations of challenges and opportunities [2, 5].

2. BCP COMPONENTS

Businesses are subject to various threats and vulnerabilities that continuously induce risks [4]. If the risks are not handled appropriately, they may disturb the continuity of business as depicted in Figure 1.

Figure 1. Threat, Vulnerability and Risks in BC

Analysis of risks along with their impact on business is therefore an important component of BCP [1]. Also, it is essential to identify the priority of, and classify, the time-critical areas or functions of the business along with their assets. Analyzing existing and future risks to all the critical business functions, estimating how long each function can remain non-operative before the damage becomes unacceptable (Maximum Tolerable Downtime, MTD), and estimating how long its recovery actually takes (Mean Time to Recovery, MTTR) is called Business Impact Analysis (BIA). A function whose MTTR exceeds its MTD has a recovery gap that the plan must close.

Once any disruption occurs, the organization must know how to handle the situation immediately. This is called incident handling or crisis management. After the incident has been brought under control, the other business continuity processes will do what is necessary to continue delivery of products and services to the intended parties within the acceptable and already agreed 'Service Level Agreement' (SLA). The final step will be to recover the damages or losses and restore the operation to its original status.

Putting it all together, Business Impact Analysis (BIA), Risk Management, Incident Handling, Disaster Recovery and Restoration are the main components of Business Continuity Planning [3]. All of these are linked into an end-to-end system with planning, analysis, design, training, implementation, review, maintenance, audit and documentation covering the full cycle of the Business Continuity Planning and Management framework, as shown in Figure 2.

Figure 2. BCP Lifecycle

3. BCP STANDARDS

In order to ensure that a BCP framework is meaningful and fully comprehensive in tackling all aspects of business continuity in current and future situations of uncertainty, organizations must follow some already established standards and guidelines. These standards provide a systematic management approach to adopt best-practice controls, quantify the level of acceptable risk and implement the appropriate measures for continuity and recovery of business, thus protecting the organization and its stakeholders' interests. Some of these standards are:

• BS 25999-1/2: Code of Practice and Specification for Business Continuity (British Standards Institution) [7]
• ISO/IEC 27031: Business Continuity in ICT [8]
• ISO 22399: Incident Management & Business Continuity
• MS 1970: Business Continuity standard in Malaysia
• HB 221: Business Continuity standard in Australia
• TR 19: Business Continuity Reference in Singapore
• NFPA 1600: Disaster Recovery & BC standard (National Fire Protection Association, USA)

In addition to these standards, there are compliance requirements, regulations and industry best practices such as HIPAA, SOX, GLBA, COSO, the Patriot Act, BC 177, ITIL, COBIT, etc., which need to be followed in order to make the BCP initiative more effective in meeting the challenges.

Figure 1 (flow): Threat agent (induces) Threat (exploits) Vulnerability (induces) Risk (affects) Business Process/Function (affects) Business Continuity


4. BCP DESIGN AND IMPLEMENTATION

While designing a BCP for a specific disruption or change, various factors and parameters need to be considered. For example, the list below shows some of the requirements that were learnt from the September 2001 World Trade Center disaster:

• A BCP must exist in every business. The plan must be updated and tested frequently, considering all types of threats with the worst possible consequences. Even with known limitations, an existing BCP is indispensable to face any disaster.
• Dependencies and interdependencies of business functions must be analyzed carefully.
• Employee counseling is important. Key personnel may not be available at the time of need. Communication facilities, though essential, may be unavailable.
• Alternate sites for IT backup should not be close to the primary site.
• BCP/DRP policies, procedures and guidelines should be kept safe in an off-site location.
• The entire area may be cordoned off by law enforcement, not allowing employees to approach the disaster site. Uncertainty of the situation may lengthen the time of recovery.

Keeping in mind similar factors along with the business mandate, the organization should carry out the Business Impact Analysis (BIA) in the following way:

• Identify the primary business mandate and the critical aspects (including compliance obligations) of the organization.
• Prioritize time-critical services or products. Identify dependencies (internal, external and legal).
• Identify threats, vulnerabilities and risks associated with the critical services or products. Correlate IT service unavailability risks with the associated business risks, wherever applicable.
• Estimate how long critical business functions can survive without the availability of critical services or products, and their average recovery time, thus arriving at the MTD and MTTR for each critical function. Where a function depends on other functions or IT services, its real recovery time is no shorter than that of the slowest dependency.
• Rank services and products based on potential loss of revenue, time of recovery (MTD, MTTR) and severity of disruptions.
• Document the findings as part of the BIA report.

During the BIA, raising the following questions can help in identifying the critical processes, functions or assets of the entire business:

• What equipment is required for the business function and how is it used? What are the critical outsourced items and their sources?
• How will the business function work if computers and network access are not available, and is there any need for redundancy of these resources?
• What single points of failure exist and how significant are the risks associated with them?
• What is the minimum manpower, physical space and other resources (communication etc.) required for the recovery site?
• Has the business unit defined critical personnel and their roles in case of a sudden disruption of business, and have the employees received sufficient training?
• Have the family care and support needs of the employees been adequately considered?

Once the BIA is completed, the next step should be the risk management of the possible threats and disruptions. While doing this, the probabilities and frequencies of threats, the impact of disruptions on the business and the associated costs need to be considered. Accordingly, as depicted in Figure 3, a risk can be prevented (by taking precautionary measures), mitigated (its financial impact reduced or transferred, by insurance for example), controlled (by making a contingency plan) or accepted (consciously tolerated, which is not the same as ignored), depending on the characteristics of the risk and the possible damage it can impose on the organization. Whichever treatment is chosen, its cost should be compared with the expected loss it avoids.

Figure 3. Risk Management
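The following Python code is an added worked example, not part of the paper, that carries the BIA and risk-treatment steps above through in the paper's own terms: it computes each function's effective MTTR including its dependencies, flags functions whose recovery time exceeds their MTD, ranks functions by exposure, maps MTD onto a recovery-site tier, and chooses one of the four treatments of Figure 3 from probability, impact and cost. All function names, hours, loss rates, probabilities, costs, the tier thresholds and the treatment rule are constructed assumptions for illustration, not values from the paper or any standard.

```python
"""Worked Business Impact Analysis (BIA) and risk-treatment example in the
terms the paper uses. Added as an illustration; it is not from the paper.
All names, hours, loss rates, probabilities, costs and tier thresholds are
constructed sample values (assumptions), not figures from a real BIA."""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class BusinessFunction:
    name: str
    mtd_hours: float       # Maximum Tolerable Downtime, set by the business
    mttr_hours: float      # Mean Time to Recovery with current arrangements
    loss_per_hour: float   # revenue and penalty loss per hour of outage
    depends_on: List[str] = field(default_factory=list)  # upstream functions


Catalogue = Dict[str, BusinessFunction]


def effective_mttr(name: str, cat: Catalogue, path: tuple = ()) -> float:
    """Recovery time including dependencies: a function is not back until the
    slowest function it depends on is back (interdependency analysis)."""
    if name in path:
        raise ValueError("circular dependency: " + " -> ".join(path + (name,)))
    fn = cat[name]
    result = fn.mttr_hours
    for dep in fn.depends_on:
        result = max(result, effective_mttr(dep, cat, path + (name,)))
    return result


def recovery_gap_hours(name: str, cat: Catalogue) -> float:
    """Hours by which actual recovery exceeds what the business tolerates;
    anything above zero is a gap the BCP/DRP must close."""
    return max(0.0, effective_mttr(name, cat) - cat[name].mtd_hours)


def exposure(name: str, cat: Catalogue) -> float:
    """Potential loss from one disruption: loss rate times time to recover."""
    return cat[name].loss_per_hour * effective_mttr(name, cat)


def rank_functions(cat: Catalogue) -> List[str]:
    """BIA ranking: largest exposure first, shorter MTD breaks ties."""
    return sorted(cat, key=lambda n: (-exposure(n, cat), cat[n].mtd_hours))


def recovery_tier(mtd_hours: float) -> str:
    """Map MTD onto the redundancy options of the design phase. The thresholds
    are an assumption for illustration, not taken from any standard."""
    if mtd_hours <= 4:
        return "hot site"
    if mtd_hours <= 24:
        return "warm site"
    if mtd_hours <= 72:
        return "cold site"
    return "off-site backups only"


def treat_risk(annual_probability: float, impact: float, prevention_cost: float,
               insurance_premium: float, acceptable_loss: float) -> str:
    """Pick one of the four treatments of Figure 3 (a simple rule, assumed here):
    accept impacts within tolerance; prevent when the control costs less than
    the expected annual loss; mitigate (insure) when the premium does; otherwise
    control the residual risk with a contingency plan."""
    if impact <= acceptable_loss:
        return "accept"
    expected_annual_loss = annual_probability * impact
    if prevention_cost <= expected_annual_loss:
        return "prevent"
    if insurance_premium <= expected_annual_loss:
        return "mitigate"
    return "control"


def bia_report(cat: Catalogue) -> List[dict]:
    """One row per function, in BIA priority order."""
    return [{"function": n, "mtd_h": cat[n].mtd_hours,
             "effective_mttr_h": effective_mttr(n, cat),
             "gap_h": recovery_gap_hours(n, cat), "exposure": exposure(n, cat),
             "tier": recovery_tier(cat[n].mtd_hours)} for n in rank_functions(cat)]


# Constructed sample catalogue (not real data). Note that order entry recovers
# in 1 hour on its own but depends on ERP, which takes 12.
SAMPLE: Catalogue = {fn.name: fn for fn in [
    BusinessFunction("core network", 4, 2, 0),
    BusinessFunction("ERP", 8, 12, 5000, ["core network"]),
    BusinessFunction("order entry", 4, 1, 8000, ["ERP"]),
    BusinessFunction("payroll", 72, 24, 1000, ["ERP"]),
]}

if __name__ == "__main__":
    for row in bia_report(SAMPLE):
        print(row)
    # A 10%/year threat to order entry: prevention 5000/yr, insurance 10000/yr.
    print(treat_risk(0.1, exposure("order entry", SAMPLE), 5000, 10000, 2000))
```

The point the sample data makes is the one the World Trade Center lessons above raise about interdependencies: order entry can be restored in one hour, yet its effective recovery is twelve hours because it waits on ERP, so it carries an eight-hour gap against its four-hour MTD and tops the ranking even though ERP has the larger hourly loss. Closing that gap means shortening ERP's recovery (for example a warmer site tier), not tuning order entry.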

The above set of exercises will end up more-or-less with the completion of design phase. The following is a summary of steps, which can be followed while implementing a Business Continuity Framework in line with the principles established earlier.

1) Form a BCP/DRP team or section with a head designated as, say, Business Continuity Officer (BCO). Identify and allocate roles to the team members.

2) Carry out the BIA and risk analysis to establish the BCP requirements. Include and involve business leaders in this phase in their respective areas of business.

3) Prepare the BCP project proposal with an implementation plan along with the additional resource requirements (budget), giving importance to leveraging existing resources where possible. Present the project proposal to the management for approval. Include the recommended changes, if any, and arrive at the final approved proposal.

4) Write down ‘Policies’, and ‘Procedures’ documents covering all pertinent areas of BCP and DRP as analyzed before [6]. Present the policies and procedures documents to the management for refinement and final approval. Ensure that the policies and procedures are circulated to all divisions and departments and to outside parties, if applicable.

5) Implement the project in phases according to priorities. Procurement or hiring of the necessary equipment, accessories, hardware, software, physical space, manpower, etc. should be tied to the implementation phases.

6) For IT (DRP), arrangements for redundancy such as alternate network link, cold-site, warm-site, hot-site, etc with appropriate relocation policy should be organized as per the business requirements outlined in the design phase and in line with the ISMS processes, if already available.

7) Achieve and maintain the standards (particularly BS 25999 and ISO 27031), compliance, regulations and industry best practices as applicable to the business.

8) Link the BCP activities with the Change Management process so that any change in the business process is automatically included in the BCP.

9) Organize awareness training for the employees so that they understand the BCP policies, procedures and guidelines that apply to them. Maintain appropriate documentation for the entire BCP cycle.

10) Establish routines for periodic BC tests and incident handling in sensitive areas. Various levels of testing, such as false-alarm, walk-through, simulation, parallel and live tests, should be conducted to ensure that the people involved are fully trained and know what to do to maintain business continuity. The tests should be conducted with proper planning and coordination so that they do not themselves cause significant business disruption. Define emergency response or crisis management teams in the respective areas with up-to-date contact details. Motivate the best performers (champions) with appropriate recognition.

11) Review and iterate (Plan, Do, Check and Act) the BCP framework and its operation. In this context, a Business Continuity Forum (BCF) can be formed to review the status and effectiveness of the BC framework periodically. Have the BCP framework audited by a competent and recognized auditor, with the ultimate objective of obtaining BS 25999 certification.

Implementing a BCP framework may require additional investment, which is like an insurance cost: it protects and assists the business in becoming more resilient, with increased preparedness to face various disastrous situations, and adds value to the business. Such investment should be proportionate to the value of the business functions and the risks being protected. The CSI/FBI (2004) and other surveys indicate that most organizations spend 10-13% of their IT budget on Information Security, including BCP.

5. CONCLUSION

Business Continuity Planning (BCP) is certainly 'a must', and every organization should initiate an appropriate BC plan if it has not done so already. It makes the business more resilient to adapt to changes, prepare for uncertainties and remain in operation in adverse situations, thus adding value to the business. The Information Security Management System (ISMS), which ensures the security of information and related services, plays a major role in establishing business continuity in today's IT-centric world.

BCP is not a one-time project or a technical solution with a start and an end for good. Rather, it is a continuous process and should be followed as part of the regular business culture. It is crucial that employees understand the importance of BCP implementation and participate in it wholeheartedly. Senior management, being the prime sponsor and motivator, plays a vital role in this matter from the very beginning.

The BC solution should be business driven and carefully designed to achieve cost-effectiveness and return on investment (ROI). A successful BCP needs the best combination of people, processes, policies, procedures, standards, compliance and technology.

6. REFERENCES

[1] "Risk-Intelligence-Security-Control (R.I.S.C.)", The Business Continuity Journal, Vol. 2, No. 4, January 2008.
[2] IBM Business Resiliency & Continuity, www.ibm.com.
[3] Geary W. Sikich, Business Continuity: Maintaining Resilience in Uncertain Times, Pennwell Books, 2003.
[4] Maria Cirino, The Art of Comprehensive Vulnerability Management (Black Book Series), Larstan Publishing, 2007.
[5] Business Resilience Model, Business Resilience Certification Consortium International (BRCCI).
[6] Charles Cresson Wood, Information Security Policies Made Easy, Information Shield Inc., 2002.
[7] "BS 25999:2006 Code of Practice for Business Continuity Management (BCM)", http://www.bsi-global.com.
[8] ISO/IEC 27031, Business Continuity Standards for ICT.
[9] The Hartford & US Small Business Administration, 2002, page 14.
