Business Continuation Planning (BCP)

Business continuity planning encompasses planning and preparation to ensure that an organization can continue to operate in case of serious disasters, incidents, or cyber attacks and is able to recover to an operational state within a reasonably short period (preferably under 24 hours).

Key Points

  • Build a resilient network.
  • Create a recovery plan.
  • Have staff well aware of contingency plans.
  • Be sure that your backup systems are offsite and away from your primary datacenter.
  • Your plans include the regular testing of systems.
  • An alternate way to communicate with staff in the event your primary systems are unusable.
  • Set benchmarks when you set your back systems live, for a two-hour outage it might not be worth it but when your facility, datacenter and potentially other office equipment is severely damaged or destroyed it would be.

The three main elements

Business continuity includes three key elements: Resistance, Recovery, and Contingency.

Since most companies don’t have unlimited resources it is important that the most cost-effective disaster recovery solution that can be implemented while meeting two main requirements which are often referred to as the minimum application and data requirements (what applications and files are essential) and a reasonable amount of time they they can be back up and running:

For the IT purposes, there are three general types of backup solutions:

  • Hot where your backup site site is up 99.999%* of the time and mirrors your production environment in real-time and can be used with little or no work from your IT department. This is also the most expensive since enterprise-level software licensing and robust hardware comes into play
  • Warm with this sort of backup site is up and parts of it might mirror your production environment in real-time, while other parts might take a few hours or a day or two to bring online. This is what many organizations see as a nice balance between cost and need.
  • Cold is when a site set up AFTER it is needed. Systems are restored from backup media and brought online as ready. This is the least expensive but also takes the longest to recover. This works best for archived data such as old employee or client

    *This also referred to as the five 9s.

Outside the IT are, there is a need for the preservation of paper (hard copy) information that you might keep in a file cabinet, your physical office space.

Testing an organizational acceptance

The purpose of testing is to achieve organizational acceptance that the solution satisfies the recovery requirements. Plans may fail to meet expectations due to insufficient or inaccurate recovery requirements, solution design flaws or solution implementation errors. Testing may include:

  • Emergency Response Team: Made up of part of your management team, members of your IT department, at least one person from facilities/office admin, and at least one HR department representative
  • Members of the technical team two switch some tasks/processes from primary to secondary datacenters
  • Application testing
  • Business process testing

At minimum, testing should be conducted on a biannual schedule.


Key elements of a well-planned out Business Continuation Plan (BCP) are:

  1. Resilience: critical business functions and the supporting infrastructure must be designed in such a way that they are materially unaffected by relevant disruptions, for example through the use of redundancy and spare capacity;
  2. Recovery: arrangements have to be made to recover or restore critical and less critical business functions that fail for some reason.
  3. Contingency: the organization establishes a generalized capability and readiness to cope effectively with whatever major incidents and disasters occur, including those that were not, and perhaps could not have been, foreseen. Contingency preparations constitute a last-resort response if resilience and recovery arrangements should prove inadequate in practice.

Testing

Tabletop exercises
Tabletop exercises typically involve a small number of people and concentrates on a specific aspect of a BCP. They can easily accommodate complete teams from a specific area of a business.

Another form involves a single representative from each of several teams. Typically, participants work through simple scenario and then discuss specific aspects of the plan. For example, a fire is discovered out of working hours.

The exercise consumes only a few hours and is often split into two or three sessions, each concentrating on a different theme.

Medium exercises
A medium exercise is conducted within a “Virtual World” and brings together several departments, teams or disciplines. It typically concentrates on multiple BCP aspects, prompting interaction between teams. The scope of a medium exercise can range from a few teams from one organization co-located in one building to multiple teams operating across dispersed locations. The environment needs to be as realistic as practicable and team sizes should reflect a realistic situation. Realism may extend to simulated news broadcasts and websites.

A medium exercise typically lasts a few hours, though they can extend over several days. They typically involve a “Scenario Cell” that adds pre-scripted “surprises” throughout the exercise.

Complex exercises
A complex exercise aims to have as few boundaries as possible. It incorporates all the aspects of a medium exercise. The exercise remains within a virtual world, but maximum realism is essential. This might include no-notice activation, actual evacuation and actual invocation of a disaster recovery site.

While start and stop times are pre-agreed, the actual duration might be unknown if events are allowed to run their course.