Business Continuation Planning (BCP)

Business continuity planning encompasses planning and preparation to ensure that an organization can continue to operate in case of serious incidents or disasters and is able to recover to an operational state within a reasonably short period.
Key Points
  • Build a network for resilience.
  • Create a plan for recovering.
  • Contingency plans that are well communicated with staff.
  • Backup systems should be off-site and away from the main office, to help reduce issues and disasters.
  • Test systems on a regular basis.
  • Procedures to communicate to staff in the event of a disaster.
  • Assess the damage of the building, equipment, servers, etc. Verify what can or cannot be salvaged, after a disaster.

The three main elements

Business continuity includes three key elements: Resilience, Recovery, and Contingency.

Since most companies don't have unlimited resources, it is important to implement the most cost-effective disaster recovery solution that still meets two main requirements.

For IT purposes, these are commonly referred to as the minimum application and data requirements (which applications and files are essential) and the time within which the minimum applications and application data must be available for use. There are three general types of backup solutions:

  • Hot: This type of site is up 99.999% of the time, mirrors your production environment in real time, and can be used with little or no work from your IT department. It is also the most costly, since enterprise-level software licensing comes into play.

  • Warm: This sort of backup site is up, and parts of it might mirror your production environment in real time, while other parts might take a few hours or a day or two to bring online. Many see this as a nice balance between cost and need.

  • Cold: A cold site is set up AFTER it is needed. Systems are restored from backup media and brought online as they become ready.

Outside the IT area, there is also a need to preserve paper (hard copy) information that you might keep in a file cabinet or in your physical office space.

Testing and organizational acceptance
The purpose of testing is to achieve organizational acceptance that the solution satisfies the recovery requirements. Plans may fail to meet expectations due to insufficient or inaccurate recovery requirements, solution design flaws or solution implementation errors. Testing may include:
  • Emergency Response Team: Made up of part of your management team, members of your IT department, at least one person from facilities/office admin, and at least one HR department representative
  • Members of the technical team to switch some tasks/processes from primary to secondary datacenters
  • Application testing
  • Business process testing
At minimum, testing should be conducted on a biannual schedule.

Key elements of a well-planned Business Continuation Plan (BCP) are:

  1. Resilience: critical business functions and the supporting infrastructure must be designed in such a way that they are materially unaffected by relevant disruptions, for example through the use of redundancy and spare capacity;

  2. Recovery: arrangements have to be made to recover or restore critical and less critical business functions that fail for some reason.

  3. Contingency: the organization establishes a generalized capability and readiness to cope effectively with whatever major incidents and disasters occur, including those that were not, and perhaps could not have been, foreseen. Contingency preparations constitute a last-resort response if resilience and recovery arrangements should prove inadequate in practice.


Tabletop exercises
Tabletop exercises typically involve a small number of people and concentrate on a specific aspect of a BCP. They can easily accommodate complete teams from a specific area of a business.

Another form involves a single representative from each of several teams. Typically, participants work through a simple scenario and then discuss specific aspects of the plan. For example, a fire is discovered out of working hours.

The exercise consumes only a few hours and is often split into two or three sessions, each concentrating on a different theme.

Medium exercises
A medium exercise is conducted within a "Virtual World" and brings together several departments, teams or disciplines. It typically concentrates on multiple BCP aspects, prompting interaction between teams. The scope of a medium exercise can range from a few teams from one organisation co-located in one building to multiple teams operating across dispersed locations. The environment needs to be as realistic as practicable and team sizes should reflect a realistic situation. Realism may extend to simulated news broadcasts and websites.

A medium exercise typically lasts a few hours, though it can extend over several days. It typically involves a "Scenario Cell" that adds pre-scripted "surprises" throughout the exercise.

Complex exercises
A complex exercise aims to have as few boundaries as possible. It incorporates all the aspects of a medium exercise. The exercise remains within a virtual world, but maximum realism is essential. This might include no-notice activation, actual evacuation and actual invocation of a disaster recovery site.

While start and stop times are pre-agreed, the actual duration might be unknown if events are allowed to run their course.