With the increasing number of natural disasters, terrorism events, and unrest around the globe, the importance of business continuity planning and disaster recovery planning is becoming more apparent. The recent onslaught of these events has highlighted the importance of system availability and forced the senior management of many organizations to think seriously about contingency planning. Senior management understands that if systems are not available, financial losses occur by the hour and the organization's business reputation drops rapidly. While business continuity issues don’t occur on a daily basis, it is important to prepare for the day a disaster does occur.
Contingency planning is a critical function that involves many different departments over multiple phases. As with many business continuity programs, an iterative process is most effective in developing a refined set of procedures.
This strategy allows an institution to take advantage of knowledge gained and lessons learned through the development, testing, and maintenance of a business continuity program. The best practices of a business continuity program reviewed in this paper are categorized into four sections:
- Management oversight—Strategic and decision-making responsibilities with a top-down management approach for overseeing the overall business continuity program
- Risk management—Procedures and steps taken to identify, prepare, and respond to threats and vulnerabilities
- Recovery strategies—Business continuity strategies to increase the likelihood of recovery in the event of a disaster
- Program management—Governance of the business continuity program through people, policy, and process
For successful achievement of an institution’s availability risk management goals, the business impact analysis process should include the following:
- Identify critical assets, key business processes, vital dependencies, and the impact of potential business interruptions.
- Document recovery time objectives for critical systems and processes.
- Establish minimum requirements and recovery point objectives to restore business operations to an acceptable level.
- Prioritize recovery procedures from the identified recovery time objectives.
- Analyze service level agreements with vendors and suppliers.
- Identify and document critical assets.
A key aspect of business continuity program management is handling the documented plans and maintaining them on a regular basis. Dedicated personnel should be employed to manage the business continuity program and associated plans. These business continuity planning professionals are tasked with documenting the business continuity policies and plans and updating them when necessary.
In addition to managing the recovery documentation, business continuity planning personnel should devise and oversee the awareness and skills training for recovery plan team members and general employees. Training should occur on a regular basis so that employees are knowledgeable and prepared to respond appropriately in the time of a disaster.
Plan maintenance should also include following the plan review and testing schedules as outlined by senior management. Testing schedules should be established when yearly budgets and schedules are established. This minimizes surprises and unforeseen costs. An organization should test its recovery plans on an annual basis. Incorporating multiple types of testing will increase the effectiveness of an organization’s response in an actual disaster. Business continuity plan testing types include:
- Tabletop—Conference room review and discussion of mock scenarios of the business and/or technology plan(s).
- Functional—Actual enactment of the people, processes, and technologies involved in the business and/or technology plan(s). These can occur in parallel or in line with production locations and systems.