BCP/DR
BCP/DR: Business Continuity Plan/Disaster Recovery
Why is business continuity planning important?
Every organization is at risk from potential disasters that include:
- Natural disasters such as tornadoes, floods, blizzards, earthquakes and fire
- Accidents
- Sabotage
- Power and energy disruptions
- Communications, transportation, safety and service sector failure
- Environmental disasters such as pollution and hazardous materials spills
- Cyber attacks and hacker activity.
A Business Continuity Plan includes:
- Plans, measures and arrangements to ensure the continuous delivery of critical services and products, which permits the organization to recover its facility, data and assets.
- Identification of necessary resources to support business continuity, including personnel, information, equipment, financial allocations, legal counsel, infrastructure protection and accommodations.
Creating a business continuity plan
A BCP typically includes five sections:
- BCP Governance
- Business Impact Analysis (BIA)
- Plans, measures, and arrangements for business continuity
- Readiness procedures
- Quality assurance techniques (exercises, maintenance and auditing)
Establish control
Senior managers or a BCP Committee would normally:
- approve the governance structure;
- clarify their roles, and those of participants in the program;
- oversee the creation of a list of appropriate committees, working groups and teams to develop and execute the plan;
- provide strategic direction and communicate essential messages;
- approve the results of the BIA;
- review the critical services and products that have been identified;
- approve the continuity plans and arrangements;
- monitor quality assurance activities; and
- resolve conflicting interests and priorities.
This BCP committee is normally composed of the following members:
- Executive sponsor has overall responsibility for the BCP committee; elicits senior management’s support and direction; and ensures that adequate funding is available for the BCP program.
- BCP Coordinator secures senior management’s support; estimates funding requirements; develops BCP policy; coordinates and oversees the BIA process; ensures effective participant input; coordinates and oversees the development of plans and arrangements for business continuity; establishes working groups and teams and defines their responsibilities; coordinates appropriate training; and provides for regular review, testing and audit of the BCP.
- Security Officer works with the coordinator to ensure that all aspects of the BCP meet the security requirements of the organization.
- Chief Information Officer (CIO) cooperates closely with the BCP coordinator and IT specialists to plan for effective and harmonized continuity.
- Business unit representatives provide input, and assist in performing and analyzing the results of the business impact analysis.
Business impact analysis
- Identify the mandate and critical aspects of an organization
- Prioritize critical services or products
- Identify impacts of disruptions
- Identify areas of potential revenue loss
- Identify additional expenses
- Identify intangible losses
- Insurance requirements
- Ranking
- Identify dependencies
Plans for business continuity
- Mitigating threats and risks
- Analyze current recovery capabilities
- Create continuity plans
- Response preparation
- Alternate facilities
Readiness procedures
- Training
- Exercises
  - Goal
  - Objectives
  - Scope
  - Artificial aspects and assumptions
  - Participant instructions
  - Exercise narrative
  - Communications for participants
  - Testing and post-exercise evaluation
Quality assurance techniques
- Internal review
  - on a scheduled basis (annually or bi-annually);
  - when changes to the threat environment occur;
  - when substantive changes to the organization take place; and
  - after an exercise to incorporate findings.
- External audit
  - procedures used to determine critical services and processes
  - methodology, accuracy, and comprehensiveness of continuity plans
What to do when a disruption occurs
Disruptions are handled in three steps:
- Response
  - Incident management
    - notifying management, employees, and other stakeholders
    - assuming control of the situation
    - identifying the range and scope of damage
    - implementing plans
    - identifying infrastructure outages; and
    - coordinating support from internal and external sources
  - Communications management
  - Operations management
- Continuation of critical services
- Recovery and restoration
Recovery and restoration
- Re-deploying personnel
- Deciding whether to repair the facility, relocate to an alternate site or build a new facility
- Acquiring the additional resources necessary for restoring business operations
- Re-establishing normal operations
- Resuming operations at pre-disruption levels
Conclusion
- When critical services and products cannot be delivered, consequences can be severe.
- All organizations are at risk and face potential disaster if unprepared.
- A Business Continuity Plan is a tool that allows institutions not only to moderate risk, but also to continue delivering products and services despite disruption.
Items
- plans must be updated and tested frequently;
- all types of threats must be considered;
- dependencies and interdependencies should be carefully analyzed;
- key personnel may be unavailable;
- telecommunications are essential;
- alternate sites for IT backup should not be situated close to the primary site;
- employee support (counselling) is important;
- copies of plans should be stored at a secure off-site location;
- sizable security perimeters may surround the scene of incidents involving national security or law enforcement, and can impede personnel from returning to buildings;
- despite shortcomings, Business Continuity Plans in place pre September 11 were indispensable to the continuity effort; and
- increased uncertainty (following a high impact disruption such as terrorism) may lengthen time until operations are normalized.
Reference: https://www.publicsafety.gc.ca/cnt/rsrcs/pblctns/bsnss-cntnt-plnnng/index-en.aspx