Business continuity may be defined as "the capability of an organization to continue the delivery of products or services at pre-defined acceptable levels following a disruptive incident", and business continuity planning (or business continuity and resiliency planning) is the process of creating systems of prevention and recovery to deal with potential threats to a company. In addition to prevention, the goal is to enable ongoing operations before and during execution of
disaster recovery. Business continuity is the intended outcome of proper execution of both business continuity planning and disaster recovery.
Several business
continuity standards have been published by various standards bodies to assist in check listing ongoing planning tasks.
An organization's resistance to failure is "the ability ... to withstand changes in its environment and still function".
Often called resilience, it is a capability that enables organizations to either endure environmental changes without having to permanently adapt, or the organization is forced to adapt a new way of working that better suits the new environmental conditions.
[
]
Overview
Any event that could negatively impact operations should be included in the plan, such as supply chain
In commerce, a supply chain is a network of facilities that procure raw materials, transform them into intermediate goods and then final products to customers through a distribution system. It refers to the network of organizations, people, acti ...
interruption, loss of or damage to critical infrastructure (major machinery or computing/network resource). As such, BCP is a subset
In mathematics, Set (mathematics), set ''A'' is a subset of a set ''B'' if all Element (mathematics), elements of ''A'' are also elements of ''B''; ''B'' is then a superset of ''A''. It is possible for ''A'' and ''B'' to be equal; if they are ...
of risk management. In the U.S., government entities refer to the process as ''continuity of operations planning'' (COOP). A Business Continuity Plan outlines a range of disaster scenarios and the steps the business will take in any particular scenario to return to regular trade. BCP's are written ahead of time and can also include precautions to be put in place. Usually created with the input of key staff as well as stakeholders, a BCP is a set of contingencies to minimize potential harm to businesses during adverse scenarios.
Resilience
A 2005 analysis of how disruptions can adversely affect the operations of corporations and how investments in resilience can give a competitive advantage
In business, a competitive advantage is an attribute that allows an organization to outperform its competitors.
A competitive advantage may include access to natural resources, such as high-grade ores or a low-cost power source, highly skilled ...
over entities not prepared for various contingencies extended then-common business continuity planning practices. Business organizations such as the Council on Competitiveness
The Council on Competitiveness is an American non-profit organization based in Washington, D.C. The Council’s goal is to increase the United States' economic competitiveness in the global marketplace. The Council also works to bring high-value ...
embraced this resilience goal.
Adapting to change in an apparently slower, more evolutionary manner - sometimes over many years or decades - has been described as being more resilient, and the term "strategic resilience" is now used to go beyond resisting a one-time crisis, but rather continuously anticipating and adjusting, "before the case for change becomes desperately obvious".
This approach is sometimes summarized as: preparedness
Preparedness is a research-based set of actions that are taken as precautionary measures in the face of potential disasters. Preparedness is an important quality in achieving goals and in avoiding and mitigating negative outcomes.
There are differ ...
, protection, response and recovery.
Resilience Theory can be related to the field of Public Relations. Resilience is a communicative process that is constructed by citizens, families, media system, organizations and governments through everyday talk and mediated conversation.
The theory is based on the work of Patrice M. Buzzanell, a professor at the Brian Lamb School of Communication at Purdue University
Purdue University is a public land-grant research university in West Lafayette, Indiana, and the flagship campus of the Purdue University system. The university was founded in 1869 after Lafayette businessman John Purdue donated land and money ...
. In her 2010 article, "Resilience: Talking, Resisting, and Imagining New Normalcies Into Being" Buzzanell discussed the ability for organizations to thrive after having a crisis through building resistance. Buzzanell notes that there are five different processes that individuals use when trying to maintain resilience- crafting normalcy, affirming identity anchors, maintaining and using communication networks, putting alternative logics to work and downplaying negative feelings while foregrounding positive emotions.
When looking at the resilience theory, the crisis communication theory is similar, but not the same. The crisis communication theory is based on the reputation of the company, but the resilience theory is based on the process of recovery of the company. There are five main components of resilience: crafting normalcy, affirming identity anchors, maintaining and using communication networks, putting alternative logics to work, and downplaying negative feelings while foregrounding negative emotions. Each of these processes can be applicable to businesses in crisis times, making resilience an important factor for companies to focus on while training.
There are three main groups that are affected by a crisis. They are micro
Micro may refer to:
Measurement
* micro- (μ), a metric prefix denoting a factor of 10−6
Places
* Micro, North Carolina, town in U.S.
People
* DJ Micro, (born Michael Marsicano) an American trance DJ and producer
*Chii Tomiya (都宮 ちい ...
(individual), meso (group or organization) and macro (national or interorganizational). There are also two main types of resilience, which are proactive and post resilience. Proactive resilience is preparing for a crisis and creating a solid foundation for the company. Post resilience includes continuing to maintain communication and check in with employees. Proactive resilience is dealing with issues at hand before they cause a possible shift in the work environment and post resilience maintaining communication and accepting chances after an incident has happened. Resilience can be applied to any organization.
Continuity
Plans and procedures are used in business continuity planning to ensure that the critical organizational operations required to keep an organization running continue to operate during events when key dependencies of operations are disrupted. Continuity does not need to apply to every activity which the organization undertakes. For example, under ISO 22301:2019, organizations are required to define their business continuity objectives, the minimum levels of product and service operations which will be considered acceptable and the maximum tolerable period of disruption (MTPD) which can be allowed.
A major cost in planning for this is the preparation of audit compliance management documents; automation tools are available to reduce the time and cost associated with manually producing this information.
Inventory
Planners must have information about:
* Equipment
* Supplies and suppliers
*Locations, including other offices and backup
In information technology, a backup, or data backup is a copy of computer data taken and stored elsewhere so that it may be used to restore the original after a data loss event. The verb form, referring to the process of doing so, is "back up", w ...
/work area recovery (WAR) sites
* Documents and documentation, including which have off-site backup copies:
** Business documents
** Procedure documentation
Analysis
The analysis phase consists of
* impact analysis
* threat and risks analysis and
* impact scenarios.
Quantifying of loss ratios must also include "dollars to defend a lawsuit." It has been estimated that a dollar spent in loss prevention can prevent "seven dollars of disaster-related economic loss."
Business impact analysis (BIA)
A Business impact analysis (BIA) differentiates critical (urgent) and non-critical (non-urgent) organization functions/activities. A function may be considered critical if dictated by law.
Each function/activity typically relies on a combination of constituent components in order to operate:
* Human resources (full-time staff, part-time staff, or contractors)
* IT systems
* Physical assets (mobile phones, laptops/workstations etc.)
* Documents (electronic or physical)
For each function, two values are assigned:
* Recovery Point Objective (RPO) – the acceptable latency of data that will not be recovered. For example, is it acceptable for the company to lose 2 days of data? The recovery point objective must ensure that the maximum tolerable data loss for each activity is not exceeded.
* Recovery Time Objective (RTO) – the acceptable amount of time to restore the function
Maximum RTO
Maximum time constraints for how long an enterprise's key products or services can be unavailable or undeliverable before stakeholders perceive unacceptable consequences have been named as:
* (MTPoD)
* Maximum Tolerable Downtime (MTD)
* Maximum Tolerable Outage (MTO)
* Maximum Acceptable Outage (MAO)
According to ISO 22301 the terms ''maximum acceptable outage'' and ''maximum tolerable period of disruption'' mean the same thing and are defined using exactly the same words.
Consistency
When more than one system crashes, recovery plans must balance the need for data consistency with other objectives, such as RTO and RPO.
Recovery Consistency Objective (RCO) is the name of this goal. It applies data consistency
Data consistency refers to whether the same data kept at different places do or do not match.
Point-in-time consistency
Point-in-time consistency is an important property of backup files and a critical objective of software that creates backups. ...
objectives, to define a measurement for the consistency of distributed business data within interlinked systems after a disaster incident. Similar terms used in this context are "Recovery Consistency Characteristics" (RCC) and "Recovery Object Granularity" (ROG).
While RTO and RPO are absolute per-system values, RCO is expressed as a percentage that measures the deviation between actual and targeted state of business data across systems for process groups or individual business processes.
The following formula calculates RCO with "n" representing the number of business processes and "entities" representing an abstract value for business data:
100% RCO means that post recovery, no business data deviation occurs.
Threat and risk analysis (TRA)
After defining recovery requirements, each potential threat may require unique recovery steps. Common threats include:
The above areas can cascade: Responders can stumble. Supplies may become depleted. During the 2002-2003 SARS
Severe acute respiratory syndrome (SARS) is a viral respiratory disease of zoonotic origin caused by the severe acute respiratory syndrome coronavirus (SARS-CoV or SARS-CoV-1), the first identified strain of the SARS coronavirus species, ''sever ...
outbreak, some organizations compartmentalized and rotated teams to match the incubation period
Incubation period (also known as the latent period or latency period) is the time elapsed between exposure to a pathogenic organism, a chemical, or radiation, and when symptoms and signs are first apparent. In a typical infectious disease, the i ...
of the disease. They also banned in-person contact during both business and non-business hours. This increased resiliency against the threat.
Impact scenarios
Impact scenarios are identified and documented:
* need for medical supplies
* need for transportation options
* civilian impact of nuclear disasters
* need for business and data processing supplies
These should reflect the widest possible damage.
Tiers of preparedness
SHARE's seven tiers of disaster recovery released in 1992, were updated in 2012 by IBM as an eight tier model:
* Tier 0 - No off-site data • Businesses with a Tier 0 Disaster Recovery solution have no Disaster Recovery Plan. There is no saved information, no documentation, no backup hardware, and no contingency plan. Typical recovery time: ''The length of recovery time in this instance is unpredictable''. In fact, it may not be possible to recover at all.
*Tier 1 - Data backup with no Hot Site • Businesses that use Tier 1 Disaster Recovery solutions back up their data at an off-site facility. Depending on how often backups are made, they are prepared to accept several days to weeks of data loss, but their backups are secure off-site. However, this Tier lacks the systems on which to restore data. Pickup Truck Access Method (PTAM).
*Tier 2 - Data backup with Hot Site • Tier 2 Disaster Recovery solutions make regular backups on tape. This is combined with an off-site facility and infrastructure (known as a hot site) in which to restore systems from those tapes in the event of a disaster. This tier solution will still result in the need to recreate several hours to days worth of data, but ''it is less unpredictable in recovery time''. Examples include: PTAM with Hot Site available, IBM Tivoli Storage Manager.
*Tier 3 - Electronic vaulting • Tier 3 solutions utilize components of Tier 2. Additionally, some mission-critical data is electronically vaulted. This electronically vaulted data is typically more current than that which is shipped via PTAM. As a result there is ''less data recreation or loss after a disaster occurs''.
*Tier 4 - Point-in-time copies • Tier 4 solutions are used by businesses that require both greater data currency and faster recovery than users of lower tiers. Rather than relying largely on shipping tape, as is common in the lower tiers, Tier 4 solutions begin to incorporate more disk-based solutions. ''Several hours of data loss is still possible'', but it is easier to make such point-in-time (PIT) copies with greater frequency than data that can be replicated through tape-based solutions.
*Tier 5 - Transaction integrity • Tier 5 solutions are used by businesses with a requirement for consistency of data between production and recovery data centers. There is ''little to no data loss'' in such solutions; however, the presence of this functionality is entirely dependent on the application in use.
*Tier 6 - Zero or little data loss • Tier 6 Disaster Recovery solutions ''maintain the highest levels of data currency''. They are used by businesses with little or no tolerance for data loss and who need to restore data to applications rapidly. These solutions have no dependence on the applications to provide data consistency.
*Tier 7 - Highly automated, business-integrated solution • Tier 7 solutions include all the major components being used for a Tier 6 solution with the additional integration of automation. This allows a Tier 7 solution to ensure consistency of data above that of which is granted by Tier 6 solutions. Additionally, recovery of the applications is automated, allowing for restoration of systems and applications much faster and more reliably than would be possible through manual Disaster Recovery procedures.
Solution design
Two main requirements from the impact analysis stage are:
* For IT: the minimum application and data requirements and the time in which they must be available.
* Outside IT: preservation of hard copy (such as contracts). A process plan must consider skilled staff and embedded technology.
This phase overlaps with Disaster recovery disaster recovery planning.
The solution phase determines:
* crisis management
Crisis management is the process by which an organization deals with a disruptive and unexpected event that threatens to harm the organization or its stakeholders. The study of crisis management originated with large-scale industrial and envir ...
command structure
* telecommunication architecture between primary and secondary work sites
* data replication
Replication in computing involves sharing information so as to ensure consistency between redundant resources, such as software or hardware components, to improve reliability, fault-tolerance, or accessibility.
Terminology
Replication in comp ...
methodology between primary and secondary work sites
* backup site
A backup site or work area recovery site is a location where an organization can relocate following a disaster, such as fire, flood, terrorist threat or other disruptive event. This is an integral part of the disaster recovery plan and wider busine ...
with applications, data and work space
ISO Standards
There are many standards that are available to support Business continuity planning and management. ISO has for example developed a whole series of standards on Business continuity management systems under responsibility of technical committee ISO/TC 292
ISO/TC 292 Security and resilience is a technical committee of the International Organization for Standardization formed in 2015 to develop standards in the area of security and resilience.
The Technical Management Board of ISO (TMB) decided in ...
:
* ISO 22300:2021 Security and resilience – Vocabulary
* ISO 22301
ISO 22301:2019, ''Security and resilience – Business continuity management systems – Requirements'', is a management system standard published by International Organization for Standardization that specifies requirements to plan, establish, im ...
:2019 Security and resilience – Business continuity management systems – Requirements
* ISO 22313
ISO 22313:2020, ''Security and resilience - Business continuity management systems – Guidance to the use of ISO 22301'', is an international standard developed by technical committee ISO/TC 292 Security and resilience. This document provides guid ...
:2020 Security and resilience – Business continuity management systems – Guidance on the use of ISO 22301
* ISO/TS 22317:2021 Security and resilience – Business continuity management systems – Guidelines for business impact analysis
* ISO/TS 22318:2021 Security and resilience – Business continuity management systems – Guidelines for supply chain continuity
* ISO/TS 22330:2018 Security and resilience – Business continuity management systems – Guidelines for people aspects on business continuity
* ISO/TS 22331:2018 Security and resilience – Business continuity management systems – Guidelines for business continuity strategy
* ISO/TS 22332:2021 Security and resilience – Business continuity management systems – Guidelines for developing business continuity plans and procedures
* ISO/IEC/TS 17021-6:2015 Conformity assessment – Requirements for bodies providing audit and certification of management systems – Part 6: Competence requirements for auditing and certification of business continuity management systems
* ISO/IEC 27031:2011 Security techniques — Guidelines for information and communication technology readiness for business continuity.
British standards
The BSI Group British Standards Institution (BSI) released a series of standards:
* 1995: BS 7799
BS 7799 was a standard originally published by BSI Group (BSI) in 1995. It was written by the United Kingdom Government's Department of Trade and Industry (DTI), and consisted of several parts.
The first part, containing the best practices for In ...
, peripherally addressed information security procedures. (withdrawn)
* 2006: BCP — BS 25999-1 Business Continuity Management. Code of Practice (withdrawn)
* 2007: BS 25999-2 Specification for Business Continuity Management, which specifies requirements for implementing, operating and improving a documented business continuity management system (BCMS). (withdrawn)
* 2008: BS 25777, specifically to align computer continuity with business continuity. (withdrawn March 2011)
These standards has been withdrawn and replaced by the ISO standards above. Within the UK, BS 25999-2:2007 and BS 25999-1:2006 were being used for business continuity management across all organizations, industries and sectors. These documents give a practical plan to deal with most eventualities—from extreme weather conditions to terrorism, IT system failure, and staff sickness.
ITIL
The Information Technology Infrastructure Library (ITIL) is a set of detailed practices for IT activities such as IT service management (ITSM) and IT asset management (ITAM) that focus on aligning IT services with the needs of business.
ITIL de ...
has defined some of these terms.
Civil Contingencies Act
In 2004, following crises in the preceding years, the UK government passed the Civil Contingencies Act of 2004: Businesses must have continuity planning measures to survive and continue to thrive whilst working towards keeping the incident as minimal as possible.
The Act was separated into two parts:
* Part 1: civil protection, covering roles & responsibilities for local responders
* Part 2: emergency powers
Australia and New Zealand
United Kingdom and Australia[ have incorporated resilience into their continuity planning. In the United Kingdom, resilience is implemented locally by the Local Resilience Forum.
In New Zealand, the Canterbury University Resilient Organizations programme developed an assessment tool for benchmarking the Resilience of Organizations. It covers 11 categories, each having 5 to 7 questions. A ''Resilience Ratio'' summarizes this evaluation.
]
Implementation and testing
The implementation phase involves policy changes, material acquisitions, staffing and testing.
Testing and organizational acceptance
The 2008 book ''Exercising for Excellence'', published by The British Standards Institution
The British Standards Institution (BSI) is the national standards body of the United Kingdom. BSI produces technical standards on a wide range of products and services and also supplies certification and standards-related services to busines ...
identified three types of exercises that can be employed when testing business continuity plans.
* Tabletop exercises - a small number of people concentrate on a specific aspect of a BCP. Another form involves a single representative from each of several teams.
* Medium exercises - Several departments, teams or disciplines concentrate on multiple BCP aspects; the scope can range from a few teams from one building to multiple teams operating across dispersed locations. Pre-scripted "surprises" are added.
* Complex exercises - All aspects of a medium exercise remain, but for maximum realism no-notice activation, actual evacuation and actual invocation of a disaster recovery site is added.
While start and stop times are pre-agreed, the actual duration might be unknown if events are allowed to run their course.
Maintenance
Biannual or annual maintenance cycle maintenance of a BCP manual is broken down into three periodic activities.
* Confirmation of information in the manual, roll out to staff for awareness and specific training for critical individuals.
* Testing and verification of technical solutions established for recovery operations.
* Testing and verification of organization recovery procedures.
Issues found during the testing phase often must be reintroduced to the analysis phase.
Information and targets
The BCP manual must evolve with the organization, and maintain information about who has to know what:
* a series of checklists
** job descriptions, skillsets needed, training requirements
** documentation and document management
* definitions of terminology to facilitate timely communication during disaster recovery,
* distribution lists (staff, important clients, vendors/suppliers)
* information about communication and transportation infrastructure (roads, bridges)
Technical
Specialized technical resources must be maintained. Checks include:
* Virus
A virus is a submicroscopic infectious agent that replicates only inside the living cells of an organism. Viruses infect all life forms, from animals and plants to microorganisms, including bacteria and archaea.
Since Dmitri Ivanovsky's 1 ...
definition distribution
* Application security and service patch distribution
* Hardware operability
* Application operability
* Data verification
* Data application
Testing and verification of recovery procedures
Software and work process changes must be documented and validated, including verification that documented work process recovery tasks and supporting disaster recovery infrastructure allow staff to recover within the predetermined recovery time objective.
See also
References
Further reading
United States
Bibliography
Business Continuity Planning, FEMA
Retrieved: June 16, 2012
(no date). ''U.S. Department of Homeland Security
The United States Department of Homeland Security (DHS) is the U.S. federal executive department responsible for public security, roughly comparable to the interior or home ministries of other countries. Its stated missions involve anti-terr ...
''. Retrieved July 26, 2006.
Purpose of Standard Checklist Criteria For Business Recovery
(no date). ''Federal Emergency Management Agency
The Federal Emergency Management Agency (FEMA) is an agency of the United States Department of Homeland Security (DHS), initially created under President Jimmy Carter by Presidential Reorganization Plan No. 3 of 1978 and implemented by two Exec ...
''. Retrieved July 26, 2006.
* NFPA 1600 Standard on Disaster/Emergency Management and Business Continuity Programs (2010). ''National Fire Protection Association
The National Fire Protection Association (NFPA) is an international nonprofit organization devoted to eliminating death, injury, property and economic loss due to fire, electrical and related hazards. As of 2018, the NFPA claims to have 50,000 mem ...
''.
United States General Accounting Office Y2k BCP Guide
(August 1998). ''United States Government Accountability Office
The U.S. Government Accountability Office (GAO) is a legislative branch government agency that provides auditing, evaluative, and investigative services for the United States Congress. It is the supreme audit institution of the federal govern ...
''.
* SPC.1-2009, "Organizational Resilience: Security, Preparedness, and Continuity Management Systems—Requirements with Guidance for Use", approved by American National Standards Institute
The American National Standards Institute (ANSI ) is a private non-profit organization that oversees the development of voluntary consensus standards for products, services, processes, systems, and personnel in the United States. The organi ...
International Organization for Standardization
* ISO 22300:2018 Security and resilience - Vocabulary
* ISO 22301
ISO 22301:2019, ''Security and resilience – Business continuity management systems – Requirements'', is a management system standard published by International Organization for Standardization that specifies requirements to plan, establish, im ...
:2019 Security and resilience – Business continuity management systems – Requirements
* ISO 22313
ISO 22313:2020, ''Security and resilience - Business continuity management systems – Guidance to the use of ISO 22301'', is an international standard developed by technical committee ISO/TC 292 Security and resilience. This document provides guid ...
:2013 Security and resilience - Business continuity management systems - Guidance on the use of ISO 22301
* ISO/TS 22315:2015 Societal security – Business continuity management systems – Guidelines for business impact analysis (BIA)
* ISO/PAS 22399:2007 Guideline for incident preparedness and operational continuity management (withdrawn)
* ISO/IEC 24762:2008 Guidelines for information and communications technology disaster recovery services
* ISO/IEC 27001:2013 (formerly BS 7799-2:2002) Information technology — Security techniques — Information security management systems — Requirements
* ISO/IEC 27002:2013 Information technology — Security techniques — Code of practice for information security controls
* ISO/IEC 27031:2011 Information technology – Security techniques – Guidelines for information and communication technology readiness for business continuity
* IWA 5:2006 Emergency Preparedness (withdrawn)
British Standards Institution
* BS 25999-1:2006 Business Continuity Management Part 1: Code of practice (superseded, withdrawn)
* BS 25999-2:2007 Business Continuity Management Part 2: Specification (superseded, withdrawn)
Australia Standards
* HB 292-2006, "A practitioners guide to business continuity management"
* HB 293-2006, "Executive guide to business continuity management"
Others
*
*
*
*
*
*
International Glossary for Resilience
DRI International.
External links
*
' Charlotte Brooks, Matthew Bedernjak, Igor Juran, and John Merryman. In, ''Disaster Recovery Strategies with Tivoli Storage Management.'' Chapter 2. Pages 21–36. Red Books Series. IBM. Tivoli Software. 2002.
''SteelStore Cloud Storage Gateway: Disaster Recovery Best Practices Guide.''
Riverbed Technology, Inc. October 2011.
''Disaster Recovery Levels.''
Robert Kern and Victor Peltz. IBM Systems Magazine. November 2003.
''Business Continuity: The 5-tiers of Disaster Recovery.''
Recovery Specialties. 2007.
''Continuous Operations: The Seven Tiers of Disaster Recovery.''
Mary Hall. The Storage Community (IBM). 18 July 2011. Retrieved 26 March 2013.
* ttps://web.archive.org/web/20160303215200/http://www.bccmanagement.com/mtpod.html Wayback Machine
Janco Associates
Business Continuity Plan
CIDRAP/SHRM Pandemic HR Guide Toolkit
Adapt and respond to risks with a business continuity plan (BCP)
{{DEFAULTSORT:Business Continuity Planning
Systems thinking
Business continuity and disaster recovery
Collaboration
Backup
Disaster preparedness
Disaster recovery
Emergency management
IT risk management