Maintenance and Update of Business Continuity Plans
Ken Doughty
Executive management’s commitment and support for a business continuity plan (BCP) does not just mean issuing a policy on BCP and funding its initial development. Management commitment and support extends not only to developing the infrastructure for the implementation of the policy and ongoing maintenance of the plan, but also includes the ongoing provision of critical resources (financial and human).
The infrastructure for updating the plan includes providing the necessary lines of communication to ensure that all changes in the organization that may have an impact on the BCP are communicated to the employee (e.g., BCP coordinator) charged with the responsibility of maintaining and updating the plan.
Too often, maintenance of the BCP is seen as an impost onto an often overloaded employee’s existing duties. This is one of the main reasons why the BCP is not updated — it is competing with the day-to-day duties of the employee.
BCP MAINTENANCE REGIME
Step 1: BCP Plan Ownership
A fundamental premise of successful business continuity planning is that plans should be owned by those who must actually carry them out in the event of an actual disaster. Unless ownership is assigned, any plans that are developed will not remain up-to-date, thereby increasing the risk to the organization of not recovering in a cost-effective and timely manner in the event of “disaster.”
0-8493-0907-7/00/$0.00+$.50
AU0907/frame/ch25 Page 263 Monday, July 31, 2000 4:30 PM
MAINTENANCE AND TESTING OF BUSINESS CONTINUITY PLANS
There are various ways of assigning ownership of the BCP; for example:
• corporate
• business unit
• business process (or function)
• business application
Further, consideration is also to be given to the complexity of the BCP; that is, whether there are a number of BCPs within the organization (i.e., decentralized).
The decision to assign BCP ownership should be made at the executive level. This decision should be embodied in the organization’s BCP policy.
Additionally, to ensure compliance with the policy, a key performance indicator (KPI) should be designated for the maintenance and update of the BCP. This KPI will then be one of the measures to monitor the performance of each manager within the organization.
Once the BCP ownership has been defined, the assignment of the responsibility for development, maintenance, and testing of the plan(s) must be given due consideration by executive management. The organizational employee(s) charged with the responsibility of maintaining the plan(s) should be at a level of management that reflects the organizational commitment to BCP. This will also facilitate pro-active action being taken by subordinate managers in the execution of BCP maintenance.
Step 2: Sensitivity Analysis of BCP
A sensitivity analysis of the BCP needs to be undertaken on a regular basis to identify the elements that may be the subject of potential change.
Exhibit 25-1 displays the elements that would be most sensitive to change.
Exhibit 25-1. Elements more sensitive to a change.

Element                      Potential Source of Change
BCP strategy                 Corporate/business unit plans
BCP decision-makers          Reorganization (structural changes)
BCP resourcing               Financial budget
BCP recovery team members    Staff turnover
BCP procedures               Various
Service level agreements     Change in service providers

The BCP coordinator needs to determine the change indicators and develop procedures to ensure that, when the indicators are “set off,” the nature and timing of the changes are communicated in a timely manner.
Step 3: Amendment/Update of BCP
Upon receipt of communication that changes are to occur, or have occurred, that have an impact on the current BCP, the BCP coordinator needs to develop an action plan (i.e., identify tasks, prioritize tasks and timetable for the development/implementation of tasks) to update the BCP.
The size of the organization, the complexity of the BCP infrastructure (i.e., corporate/business unit BCPs), and the nature of the changes to the plan may require the BCP coordinator to establish a project (i.e., create a project mandate, funding, resourcing, etc.).
It is important that sufficient time be allowed to develop the BCP amendments to facilitate the review of the amendments by the stakeholders before the BCP is updated, including testing, revision, publication, and distribution of the BCP. This is to ensure that the amendments are practical, fully understood by the BCP recovery team members, and easy to implement in the event of disaster.
Step 4: BCP Maintenance Schedule
An up-to-date BCP will provide a reasonable amount of assurance that, in the event of disaster, the organization will minimize the effects of the disaster and be able to carry on in some semblance of “normal” operations while in recovery mode. Therefore, it is important that maintenance schedules and review procedures be developed and implemented.
The BCP coordinator should develop a maintenance schedule and associated procedures that include:
• corporate plan and business unit plan review
• risk management program review
• update of the business impact analysis
• sensitivity analysis of the BCP
• BCP gap analysis
• BCP procedures review
• third-party service providers agreement reviews
• BCP module testing
• BCP module testing results review
• update of the BCP from the BCP module testing
The results of the tasks undertaken in implementing the maintenance schedule should be communicated to executive management to ensure accountability of the BCP ownership function within the organization. Executive management should ensure that it receives regular reports (corporate governance) from the BCP owners.
Further, the organization’s auditors (internal or external) should also undertake a review of the BCP(s) to ensure that the assertions (reports) of its BCP owners are up-to-date and accurate. Acquittance by the auditors that the BCP is up-to-date will support the premise that executive management has undertaken its fiduciary duties.
FORMULATION OF CHANGE CONTROL PROCEDURES
The BCP coordinator is required to periodically (at least annually) update the Business Impact Analysis (BIA) to determine that the BCP strategy is appropriate. Part of this process is to review the corporate and business planning process to assist in identifying potential risks resulting from planned changes to the organization’s business environment.
Step 1: Review the Corporate and Business Plans (Including the Strategic Information Technology Plan)
Today, organizations undertake the development of a corporate plan that provides the roadmap for the organization in the achievement of its mission, goals, and objectives, and details the strategies in the achievement of these objectives (see Exhibit 25-2). The corporate plan broadly details the organization’s mission statement, strategic objectives, strategies for a defined period (generally two to five years), KPIs, and S.W.O.T. (Strengths, Weaknesses, Opportunities and Threats) analysis. As part of this planning process, the organization’s business units develop business plans to support the organization in the achievement of its goals and objectives.
It is essential that the BCP coordinator be involved in the development of the corporate and business plans. This involvement should extend to identifying the impact on the organization’s BCP(s) of the planned implementation of the macro and micro strategies by the organization and its business units. The rationale for BCP coordinators to be involved in the planning phase is that they can identify the risk and quantify the exposure that planned strategies will have on the organization’s current and future BCP(s).
If the BCP coordinator is not involved in the planning phase, it is possible that the projected benefit to the organization of implementing a specific strategy may not only be outweighed by the cost of changing the BCP strategy, but also threaten the likelihood of recovery if disaster should strike the organization or its strategic trading partner(s).
There are a number of strategies that will impact the current BCP and its maintenance in the future. For example, the organization may be planning to:
• change its information technology environment (i.e., hardware/software platforms, outsourcing a part or all of its IT operations, changing the data/voice communications network topology)
• relocate the organization or business units to another city or state
• decentralize its IT operations
• change its business environment (e.g., property development to media — television)
All of these scenarios will have a dramatic impact on the current BCP strategy as well as maintenance of the plan.
From the planning process, the BCP coordinator should:
• document the planned changes (include organizational structure, staffing, and strategies) that are being considered/approved by executive management
• identify the specific areas where the BCP will be impacted
• evaluate the impact on the current BCP(s)
• develop new BCP strategies and procedures (where applicable)
• determine the cost of developing and implementing the new BCP strategies and procedures
• obtain executive management approval (include commitment) and funding (where applicable) for the implementation of the new BCP strategies and procedures
• develop an implementation plan (include training and testing) for the new strategies and procedures
• implement the new strategies and procedures
Exhibit 25-2. Corporate planning and business continuity planning.
[Figure boxes: Corporate Objectives; Corporate Action Plan; Corporate Strategies; Unit Business Plans; Corporate Business Continuity Plan; Business Unit Strategies; Business Unit Business Continuity Plan]
Step 2: Develop Procedures to Monitor Organizational/Operational Changes
The objective of maintaining the plan in a “state of readiness” is to reduce the likelihood of inappropriate decisions being made and to decrease the level of stress placed on BCP recovery team members in the event of disaster.
The BCP coordinator should also be concerned with the timeliness of the changes; that is, changes that may impact the plan should be conveyed as soon as possible to the BCP coordinator. Further, the BCP coordinator should have sufficient authority to ensure being informed of any changes no matter “how small.” Testing of the plan should not be the only impetus to update the plan; organizational changes must be the primary driver to update the plan.
The BCP coordinator must review the corporate plan and business unit plans on a regular basis and develop change control procedures to monitor any planned or unplanned changes (e.g., business opportunities) to the plans. The procedures should also include the organization’s relationship with its external service providers and key suppliers.
One of the major threats to BCP maintenance is where the organization is decentralized; that is, each business unit operates autonomously and reports to the corporate business entity on operational performance. The risk exists wherein the business unit might implement changes to its operations that may directly or indirectly affect the business unit or corporate BCP, or both. These changes may not have been documented in the business plan. The changes may have arisen, for example, as a result of an opportunity in the marketplace.
To ensure that these changes are communicated, organizational BCP policies and guidelines need to be developed, implemented, and enforced. A number of organizations today make it mandatory for all projects to include BCP as a project task sign-off item, regardless of the type of project (e.g., construction, engineering, logistics, IT, etc.). This ensures that each project addresses BCP during the planning process — rather than as an afterthought.
The BCP coordinator must develop strong communication links with each business unit to ensure that all changes in operations that may have an impact on BCP are communicated. This will ensure that the BCP is continually maintained up-to-date; otherwise, critical or subtle changes that may have an impact on the BCP strategies and plan(s) may go undetected.
Step 3: BCP Version Control
Version control, plan re-issue, and distribution can lead to a single point of failure in the successful execution of the plan in the event of disaster.
Maintaining version control over the BCP(s) is a critical task because, in the event of a disaster, the various BCP recovery team personnel may undertake tasks that are no longer relevant, incorrectly executed, out of order, or, even worse, fail to undertake the critical tasks.
The BCP coordinator should develop a version control standard and procedures for the re-issue, distribution, and circulation of BCP updates, and also ensure that there is a central record (e.g., a register) of the location and the authorized personnel who have copies of the plan. This is required to ensure that when the plan is updated, all copies of the plan are updated and old versions are removed. For example, the register should contain the following information:
• copy number
• name of recipient
• location
• date issued
• last updated
• update number
To ensure receipt of the revised BCP procedures, the BCP coordinator should request positive confirmation that the recipient has received the current version.
The organization has expended a large amount of money in the development and implementation of the plan. Therefore, it is essential that adequate security is maintained over the plan to prevent: (1) accidental or intentional destruction, and (2) unauthorized disclosure. Hence, the BCP coordinator should periodically undertake audits of the BCP recovery team members’ BCP manuals to ensure that they have not only been maintained up-to-date, but also that they are secure from any unauthorized access (this includes off-site copies). In toto, the BCP coordinator should be assured:
• of the correct version
• that copies are issued only to authorized personnel
• that each copy has an accountable number
• that copies are secure from unauthorized access
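The register fields, the positive confirmation of receipt, and the periodic audit described above can be checked mechanically. The following is an added example, not part of the original chapter: the `confirmed_update` field, the `audit_register` function, and the sample entries are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class RegisterEntry:
    # Fields taken from the register list in the text.
    copy_number: int
    recipient: str
    location: str
    date_issued: date
    last_updated: date
    update_number: int
    # Assumption: the update number the recipient last positively confirmed.
    confirmed_update: Optional[int] = None


def audit_register(entries, current_update, authorized):
    """Return {copy_number: [findings]} for copies that need follow-up."""
    findings = {}
    seen = set()
    for e in entries:
        issues = []
        if e.copy_number in seen:
            issues.append("copy number is not unique")
        seen.add(e.copy_number)
        if e.recipient not in authorized:
            issues.append("recipient not authorized")
        if e.update_number < current_update:
            issues.append(f"stale: update {e.update_number}, current {current_update}")
        elif e.confirmed_update != current_update:
            issues.append("receipt of current version not confirmed")
        if issues:
            findings.setdefault(e.copy_number, []).extend(issues)
    return findings


# Constructed sample register; names and locations are placeholders.
ISSUED = date(2000, 1, 10)
REGISTER = [
    RegisterEntry(1, "Recovery Lead", "Head office safe", ISSUED, date(2000, 6, 1), 4, 4),
    RegisterEntry(2, "IT Recovery", "Off-site store", ISSUED, date(2000, 3, 15), 3, 3),
    RegisterEntry(3, "Former Contractor", "Unknown", ISSUED, date(2000, 6, 1), 4, 4),
    RegisterEntry(4, "Facilities", "Branch office", ISSUED, date(2000, 6, 1), 4, None),
]
AUTHORIZED = {"Recovery Lead", "IT Recovery", "Facilities"}

if __name__ == "__main__":
    for copy, issues in audit_register(REGISTER, 4, AUTHORIZED).items():
        print(f"copy {copy}: {'; '.join(issues)}")
```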
Step 4: Testing BCP Changes
The success or failure of the BCP is measured against its objective of ensuring an orderly, timely, and cost-effective recovery from disaster. To measure how successfully the BCP meets this objective is difficult without simulating a “real” disaster scenario. Therefore, organizations today undertake the following testing strategies: paper walk-through, “rolling” BCP testing, or full BCP testing.
Paper Walk-through. This approach is relatively inexpensive and can be conducted through a workshop environment using a structured walk-through methodology.
“Rolling” BCP Testing. By breaking the BCP into its various modules/components, each module/component can be tested throughout the year using a continuous “rolling” approach. Via this approach, each module/component is tested and the scope of each test can be expanded to include more than one module/component at a time. This approach ensures that every facet of the plan is tested. The advantage of this is that the impacts of testing on the organization’s operations and cost are minimized.
Full BCP Testing. This approach can either be a “surprise” test or an organized test where all the BCP recovery team members are informed prior to the test being carried out.
The overall objective of conducting the tests is to optimize BCP personnel experience and coordination, and to provide assurance that in the event of a disaster there is every likelihood that the organization can recover in a cost-effective and timely manner.
However, testing of the BCP is perceived to be a costly exercise and hence there is general reluctance by executive management to undertake this. Therefore, the BCP coordinator must ensure that testing of the BCP outside of planned and budgeted testing should only be undertaken where there have been significant changes to the plan to warrant the cost of additional testing.
This is where the judgment of the BCP coordinator is critical, particularly where the potential risk and exposure may be intangible to executive management. The BCP coordinator will be required to justify the “additional” cost of testing the BCP due to changes enforced from organizational decisions.
SUPPORT TOOLS FOR THE MAINTENANCE OF THE BCP
Selecting the support tools to maintain and update the BCP is often a difficult choice for the BCP coordinator. The difficulty arises because of the number of software tools available to select from:
• word processing packages (e.g., MS Word, WordPerfect, Lotus AmiPro, etc.)
• database products (e.g., Lotus Notes, MS Access, etc.)
• BCP software (LDRPS, BCPKickstart, PreCovery, Comprehensive Business Recovery, Business Continuity Planning Complete, Cassandra, etc.)
Further, the BCP coordinator might have to comply with the organization’s system development methodology in the selection of software.
To select the appropriate software tools, the BCP coordinator should consider the items listed in Exhibit 25-3.
Each type of software tool (i.e., word processing, database products, and BCP software) will have its strengths and weaknesses. Ensuring that the most appropriate software tool is selected may require the BCP coordinator to undertake a detailed evaluation of each of the products in accordance with the organization’s system development methodology. This requirement can be waived if it has been decided that a word processing package will meet the basic requirements.
Exhibit 25-3. Considerations for selecting the appropriate software tools.
Software Organizational Parameters
• The complexity of the BCP
• The skill set of the personnel assigned the responsibility for updating the BCP (this applies where the BCP has been decentralized)
• Physical location of the personnel
• The availability of organizational resources (e.g., hardware, in-house software support, training, etc.)
Software Selection Criteria
• The software tool compliance with the organization’s software architecture (detailed in the IT Strategic Plan)
• Support and ongoing maintenance from the software vendor
• Price/performance of the software
• Ease of use
• Functionality (including export of text and graphics)
• Report generation
• Query capabilities
• Security
The system development methodology generally requires that:
1. The BCP coordinator prepare a User Requirement document which details:
   — the mandatory and desirable functions of the software in order of priority,
   — installation, testing, and implementation requirements,
   — hardware and software architecture (compliance with the organization’s information technology architecture).
2. To reduce the number of software packages for detailed evaluation including testing, the user requirements are matched to those of the selected software packages. The BCP coordinator must match the mandatory and desirable requirements with those offered by the software package(s) and eliminate those software packages which do not meet the requirements.
3. Each shortlisted software package must be trialed. However, there is reluctance by software vendors to provide a full version of the software on an evaluation basis. The majority of vendors have a demonstration version available.
4. The reasons for acceptance or rejection of each software package should be documented to a degree that would stand scrutiny by any interested party (e.g., auditors).
The BCP coordinator needs to review the software tool(s) on a regular basis. This applies specifically where, due to organizational changes (e.g., change in hardware/software architecture, IT strategic plan, organizational growth/expansion, etc.), the BCP continues to grow/expand in size and complexity. The software tool(s) may then no longer have the capacity and functionality to meet the BCP maintenance requirements.
SUMMARY
Executive management in many organizations today does not realize the organization’s dependency on its BCP. Therefore, the maintenance and updating of the BCP is an essential element of the survival of the organization.
The BCP does not guarantee that the organization will recover in a cost-effective and timely manner in the event of disaster. However, an up-to-date BCP will provide reasonable assurance to executive management that the organization will minimize the effects of a disaster on its operations.
Management will only realize the value of its investment in the maintenance of the BCP when a real disaster strikes the organization. To ensure that management continually provides the resources in the maintenance of the plan, the BCP coordinator must continually “sell” the virtues of Business Continuity Planning to all the stakeholders.