Business continuity planning projects, like disaster recovery projects,
are initiated for many reasons, such as:
- Auditor reporting.
- Regulatory compliance.
- Stakeholders demands.
- Experience with an event or disruption.
Whatever the reason, committing funds, resources and time to activating
a business continuity project, as well as understanding the ongoing
cultural change that will become a long term, integral part of day-to-day
business, is critical to the success of the project.
Find out what is really important to your management and use that
information to show value to the project. It may be that they are
concerned about:
- Product delivery.
- Customer service.
- Satisfying board members.
- Auditors.
It is important to find out what management really cares about in
running the business and which elements are critical in their minds,
to keeping the business doors open even in the face of disaster. When
necessary, a cost/benefit analysis should be prepared to demonstrate
the benefits of ensuring the protection and availability of those
critical elements. A cost/benefit analysis should include:
-
Business continuity plan start-up and ongoing costs associated
with the resources, time and effort necessary to the plan, as
well as any third party contracts that may need to be created.
An ongoing annual cost should also be calculated to include plan
maintenance, administration, awareness, training and testing.
-
An estimate of the rebuild costs if a business continuity plan
is not developed. Things like potential employee recruitment and
new hire costs, technology replacement and potential moving costs
should be included. Financial and/or operational impacts related
to the critical functions of the business not being performed
should also be estimated.
- Potential savings to the business should also
be investigated and reported to management. These savings could
include:
- Discounted insurance premiums to the business for
having recovery plans in place.
- Opportunities to outsource technology maintenance,
support and/or upgrades which might be more cost-effective than
providing in-house service.
- Off-site vaulting vs. providing appropriate environments
and structure on-site.
Phase I - Information Gathering...
Structure - Once the approval of senior management is obtained,
a high level message should go out to all employees expressing the
following:
- Management support for the planning project.
- Employee cooperation is expected.
- A brief overview of the objectives of the planning
effort.
A project team should be established consisting of:
- A project manager who coordinates the activities
of the team, manages timelines and budget, and reports to senior
management.
- Departmental representatives and a backup that
understand the inner workings of each functional area and are
able to answer questions contained in a Business Impact Analysis.
- One or two key resources from technology who would
understand the underlying technical issues as recovery requirements
are prioritized.
- A project liaison, someone who would have access
to current employee organizational charts, insurance polices,
third party contracts, etc.
Budget - This phase requires the most participation from the
employee population but should be the closest to "true" cost as we
are mainly dealing with employee time. This one-time cost could have
been reported in the cost/benefit analysis.
Timelines - Timelines should be establishes based on employee
availability but should be as aggressive as possible while everyone
is still aware and supportive of the initiative. Probably the longest
and most time consuming of the three phases.
Milestones - Milestone during Phase I can include:
- Completion of the risk analysis/assessment and reporting the results
to senior management.
- Completion of the business impact analysis and reporting appropriate
recovery alternatives to senior management.
- Establishment of the emergency response teams, their responsibilities
and informing employees of who those team members are.
- Management decision on a recovery strategy that will best suit
the established recovery requirements.
Phase II - Plan Development...
Structure - Once an appropriate recovery strategy has been
chosen by management, the following additions to the project team
may be necessary:
- Legal counsel to complete any necessary third party contract negotiations.
- Senior management with signing authority for third party contracts.
- Technical writers for plan documentation.
- Human resources/property management and the local emergency authorities
to document emergency response procedures.
- Communications representative with media training to develop corporate
first response scripts.
Budget - Budget items could include:
- Consultant or contract resources.
- Media management and communications courses.
- Plan documentation software and training.
- Any third party contracts that are established.
Timelines - Timelines will vary depending on:
- Whether third party contracts are evaluated and established.
- Participation and availability of departmental planning resources.
- Whether technical writers are used for plan documentation.
- Software training.
Milestones - Milestones for this phase could include:
- Completion of third party recovery provider contracts.
- Completion of each departments or business units recovery plan.
- Completion of the technical recovery solutions to reflect established
Recovery Time Objectives (RTO).
Phase III - Business Continuity Process...
Structure - The two main focuses of the project manager in
this phase are:
- Developing initial awareness and recovery training for all employees.
- Coordinating and scheduling the first recovery test for the organization.
The project team should continue to forward status reports to senior
management however, the frequency of those reports may drop down to
once a month. The project team for employee training might consist
of:
- The project manager who coordinates the activities of the teams,
manages timelines and budget, and reports to senior management.
- Representation from human resources or the internal training department.
- Representation from one or two key divisions to review and evaluate
the training material.
- Outside resources (if necessary) which specialize in employee
awareness and training for business continuity.
The other set of activities that will be happening at the same time
is for a team to develop a test plan, script and schedule for an initial
restoration and/or recovery. To accomplish this, a project team needs
to be assembled which includes:
- A project manager.
- Technology support representatives.
- Human resource representatives to facilitate travel or other related
issues (if necessary).
- Representatives from the departments to be tested.
- Representatives from the recovery site provider (if necessary).
Budget - Budget estimates will vary depending on whether training
and awareness programs are developed in-house or purchased from an
outside vendor. In addition, creating a testing budget will depend
on whether the testing will be done in-house or at an off-site or
third party facility. Charges for using these facilities should be
determined during the negotiation process in order to facilitate the
testing budget process.
Timelines - Timelines for this phase are never ending as testing
and education should be ongoing. Testing and education schedules should
be developed for each new year and far enough in advance to ensure
appropriate participation.
Milestones - Milestones for this phase could include the announcement
that all employees had completed initial awareness/training classes
as well as the completion of the first recovery testing.
|