Business continuity describes the planning procedures required to ensure that an organisation can continue to operate in the event of any incident that threatens its daily operations for any significant period of time. The recommended approach for business continuity is one that allows the organisation to prepare in advance for any likely incidents that might happen, and then plan for what can be done in those circumstances.
What are the risks?
There are two key risks associated with Business Continuity:
Lack of preparation
“It won’t happen to us”, “we will cope – we always do”, are frequent responses made by organisations when questioned about their lack of preparedness. It is surprising that many organisations think that they don’t have time to plan for something that they assume will not happen. However, something as simple as a power outage can result in thousands of man hours lost: a lack of electricity can mean that there is no way to access the corporate network or a desktop PC.
Over-emphasis on IT
Whereas disaster recovery may primarily be about an organisation’s IT systems, Business Continuity is far wider and has to encompass how employees gain access to the information they need to continue working and providing service to customers when, for example, the office building has been flooded.
What should an organisation do?
Business continuity planning is based on a realistic risk assessment of events that could happen, and the impact those events could have if they did happen. An organisation can then ensure appropriate plans are in place to cope with most given situations. Contingency plans can be tested in advance and amended as needed and all staff made aware of what to do in an emergency or unusual situation. There should be five steps to any Business Continuity plan:
Identification of business critical resources
Identify and document all the critical resources needed to run the business. These will include both physical and electronic documents and files. The organisation must understand where they are stored and which are ‘business critical’ – that is, essential to continued daily operations. If access to resources was restricted temporarily, how long could the business continue before emergency action would be required?
Think about all the potential threats or points of weakness in the working environment and the impact that they might have. These should include physical infrastructure factors such as whether there is a fire detection system and what could be affected by flooding. Business continuity also needs to take account of information access. Where is vital information stored? Is it backed up regularly? Are there redundant copies of the information held elsewhere that can be accessed remotely?
Remember that Business Continuity can be threatened by weaknesses outside the organisation itself. What happens if a corporate laptop is lost or stolen? Is there adequate security to protect confidential information on the laptop?
Consider the actions that will need to be taken if the organisation is affected by an incident. The business has to decide in advance what happens next. You will need a plan to assess the extent of the disruption, and decide the response procedures. How will customers and partners contact and communicate with the organisation? Who needs to be informed? How can employees access the information they need to continue to be productive? Can employees work from home? Is there alternative office accommodation available?
Detailed contingency plans are needed to help manage an emergency or disruptive situation. From the perspective of Information Governance, planning revolves around identifying the most important information needed to continue operations, prioritising the information that will be needed straightaway and ensuring that the information is backed up regularly and is available from more than one source should the primary information resource be unavailable. This may require building redundancy into the corporate information storage infrastructure. For example, could a Cloud-based storage provider provide a degree of information resilience and availability that would be a challenge to an office-based LAN? Information Governance policies need to closely manage how corporate information is transferred and stored in the Cloud, but as services such as Dropbox become more popular they can begin to be considered as part of a Business Continuity strategy.
Practice the plan
This is a really important step for making sure that everything has been considered. Visualise a number of different scenarios that could happen, but keep them realistic. Everyone is familiar with carrying out a fire drill – Business Continuity should be thought of in the same way.