Business Continuity: An introduction
The sole purpose of Business Continuity is to
Maintain a minimum level of service while
Restoring the organization to business as usual
Who needs it?
Commerce and industry need it to protect the customer
Charities need it to assure continued funding
Government agencies need it to assure continued
funding and existence
Managers need it to assure their positions
The difference between Business Continuity and
Business Continuity is PROACTIVE; its focus is to avoid
or mitigate the impact of a risk
Disaster Recovery is REACTIVE; its focus is to pick up
the pieces and to restore the organization to business as
usual after a risk occurs
Disaster Recovery is an integral part of a Business
Why Business Continuity?
An organization which fails to provide a minimum
level of service to its clients following a disaster
event may not have a business to recover
Customers may go to a competitor
Funding may disappear
A need may be re-evaluated and deemed
What to protect
Functions which provide products or services
Critical support functions
Functions without which the Business Functions cannot
function (e.g. Facilities, IT)
Corporate level support functions
Functions required for effective operation of Business
Functions (e.g. HR, Finance)
Most important resource
Although there are other critical resources, the actual
product or service in most organizations depends on
actions performed by, and decisions made by, people.
Who is involved?
In a word, EVERYONE
Municipal Emergency Management
Support is required for successful plan
Provides high-level overview of organization’s
Provides long-range planning to assure the Business
Continuity plan compliments the organization’s
Provide departmental direction
Provide department-level overviews
Provide an insight into external (to the
Offer suggestions on how to enhance critical business
Provide operational details
Offer suggestions on how to enhance critical business
Provide information about services which assure the
critical Business Functions can be performed at a
minimum level of service or better
Provide information about protecting resources
Support may include
Vendors provide services and products
Courier services and mail
Communications (telephone, fax, email)
Insurance (business, health, property)
Necessities (municipal services)
Utilities (electricity, fuel)
Municipal Emergency management must be
included in the plan to
Assure personnel safety
Mitigate damage from risks
Train personnel to avoid risks and to protect themselves
and the organization
No man – or department – is an island
Protect all to protect one
In order to protect any single Business Function, the
enterprise must be protected.
There are too many easily identifiable dependencies to
create successful “function-only” or “resource-only”
A few risks
Aircraft accident Espionage
Bond rating Fire
Civil unrest Flood
Communications Hacked database
Competition HazMat incident
Customer failure (K-Mart) Heat
Electrical failure Industry image (airlines)
A few more risks
Internet failure Snow
Intranet failure State law
IT/MIS Stock value
Legal action Tornado
Lender reluctance Traffic accident
Local statues Vendor failure
Loss of key personnel Wildfire
Rail accident Work action
Recession Ubiquitous “other”
Rating a risk
Not all risks present the same danger to an
Risks are rated based on
Probability of occurrence
Impact on the organization
Avoid the risk
Usually the most expensive option
Required by some 24*7*365 operations
Mitigate the risk
Less expensive than avoidance
Reduces the impact of the “inevitable”
Absorb the risk
The process or product is antiquated anyway
The plan – Part 2
Create business continuation processes
Create organization recovery processes
Create a training program
Establish a plan maintenance procedure
Train, train, and train some more
Business continuation processes are designed so the
organization maintains “at least a minimum level of
service” to assure there will be a business to recover
Each Business and Support function must have a
How quickly the process must be functioning depends
on the maximum allowable outage
Recover the business
This may be in multiple stages:
Recovery to a minimum level of service
Recovery to business as usual
There may be intermediate stages between the two
recovery stages shown above
The training program has two primary goals:
To assure personnel will be able to efficiently and
effectively respond following a disaster event
To develop self-confidence in the personnel to perform
their assigned functions
A plan that lacks maintenance quickly becomes a
Plan maintenance is based on the calendar
Plan maintenance is based on “trigger” events
Process, procedure change
Creating a plan
Do it yourself
Can you think of everything?
Can you think objectively?
Who will review your plan?
Call a professional
Network to help think of almost everything
Only objective is to create a successful plan
Plan Purpose Scope
Business Continuity Provide procedures for sustaining essential Addresses business processes; IT
business operations while recovering from a addressed only in the context of
Plan (BCP) significant disruption supporting business process
Business Recovery (or Provide procedures for recovering business Addresses business processes; not
operations immediately following a disaster IT-focused
Continuity of Establish procedures and capabilities to Addresses subset of an
sustain an organization’s essential, strategic organization’s missions deemed
Operations Plan functions at an alternate site for up to 30 days critical; not IT-focused
Continuity of Support Establish procedures and capabilities for Similar to IT contingency plan;
recovering a major application or general addresses IT system disruption; not
Plan support system business process focused
Disaster Recovery Provide detailed procedures to facilitate Often IT-focused; limited to major
recovery of capabilities at an alternate site disruptions with long-term effects
Incident Response Define strategies to detect, respond to, and Focuses on information security
limit consequences of malicious cyber responses to incidents affecting
Plan incident systems and/or networks
Occupant Emergency Provide coordinated procedures for Focuses on personnel and property
minimizing loss of life or injury and protecting particular to the specific facility; not
Plan property damage in response to a physical business- or IT-focused
1) Develop a business continuity / disaster recovery plan
- Establish a disaster-recovery team of employees who know your
business best, and assign responsibilities for specific tasks.
- Identify your risks (kinds of disasters you're most likely to
- Prioritize critical business functions and how quickly these must
- Establish a disaster recovery location where employees may work
off-site and access critical back-up systems, records and supplies.
- Obtain temporary housing for key employees, their families and
- Update and test your plan at least annually.
2) Alternative operational locations
Determine which alternatives are
available. For example:
- A satellite or branch office of your business.
- The office of a business partner or even an
- Home or hotel.
3) Backup site.
Equip your backup operations site with critical equipment, data
files and supplies:
- Power generators.
- Computers and software.
- Critical computer data files (payroll, accounts payable and
receivable, customer orders, inventory).
- Equipment and spare parts.
- Vehicles, boats and spare parts.
- Digital cameras.
- Common supplies.
- Supplies unique to your business (order forms, contracts, etc.).
- Basic first aid/sanitary supplies, potable water and food.
4) Safeguard your property
Is your property prepared to survive a
hurricane or other disaster:
- Your building?
- Your equipment?
- Your computer systems?
- Your company vehicles?
- Your company records?
- Other company assets?
5) Contact information
Do you have current and multiple contact
information (e.g., home and cell phone
numbers, personal e-mail addresses) for:
- Key customers?
- Important vendors, suppliers, business
- Insurance companies?
- Is contact information accessible electronically
for fast access by all employees?
Do you have access to multiple and reliable
methods of communicating with your employees:
- Emergency toll-free hotline?
- Cell phones?
- Satellite phones?
- Two-way radios?
7) Employee preparation
Make sure your employees know:
- Company emergency plan.
- Where they should relocate to work.
- How to use and have access to reliable methods of
communication, such as satellite/cell phones, e-mail,
voice mail, Internet, text messages, BlackBerry(TM),
- How they will be notified to return to work.
- Benefits of direct deposit of payroll and subscribe to
- Emergency company housing options available for them
and their family.
8) Customer preparation
Make sure your key customers know:
- Your emergency contact information for sales
and service support (publish on your website).
- Your backup business or store locations
(publish on your website).
- What to expect from your company in the
event of a prolonged disaster displacement.
- Alternate methods for placing orders.
- Alternate methods for sending invoice
payments in the event of mail disruption.
9) Evacuation order
When a mandatory evacuation is issued, be prepared to grab and
leave with critical office records and equipment:
- Company business continuity / disaster recovery plan and
- Insurance policies and company contracts.
- Company checks, plus a list of all bank accounts, credit cards,
- Employee payroll and contact information.
- Desktop/laptop computers.
- Customer records, including orders in progress.
- Photographs/digital images of your business property.
- Post disaster contact information inside your business to alert
emergency workers how to reach you.
- Secure your building and property.
10) Cash management
Be prepared to meet emergency cash-flow needs:
- Take your checkbook and credit cards in the event of an
- Keep enough cash on hand to handle immediate needs.
- Use Internet banking services to monitor account
activity, manage cash flow, initiate wires, pay bills.
- Issue corporate cards to essential personnel to cover
emergency business expenses.
- Reduce dependency on paper checks and postal service
to send and receive payments (consider using electronic
payment and remote deposit banking services).
11) Post-disaster recovery procedures
- Consider how your post-disaster business may
differ from today.
- Plan whom you will want to contact and when.
- Assign specific tasks to responsible employees.
- Track progress and effectiveness.
- Document lessons learned and best practices.