Ask a Business Continuity Practitioner – 5 key questions answered

BUSINESS CONTINUITY AWARENESS WEEK Let’s explore what mid-market Canadian businesses are doing about business continuity planning and the implications for those who forego it


A crisis can be defined as any unplanned event, occurrence or sequence of events that has a specific undesirable consequence. According to the US Bureau of Labor, 93 per cent of companies that suffer a significant data loss are out of business within five years. While what constitutes “significant loss” will vary from company to company, any blow to data integrity or system uptime can devastate smaller and mid-sized businesses where resources (IT and operational) are strained, redundancy measures are limited, lack of funding/budgets, and disaster planning may have taken a back seat to the demands of daily operations.

A data, operating or customer loss is a disaster that can turn your 5-year plan into a painful five-year wind-down. Business continuity planning has become more than something you should consider adding to your business strategy. As a full time business continuity practitioner for the past 16 years, the following are the common questions asked:

1.       Do today’s companies really need a business continuity plan?

Before this question can be answered we need clarify terminology. In my experience business continuity has two key focus areas. One is “business process” which I refer to as business continuity planning (BCP) and the other technology or infrastructure used to support “business process” – this is the Disaster Recovery Planning (DRP) element.  A BCP or DR Plan* is the identification of necessary arrangements and resources to support business process or technology infrastructure integrity during a disaster or any other unforeseen disruptive incident.

Back to the question: Yes, in today’s business environments, all sizes of businesses do need a continuity plans because of the reliance on information technology to run the business.  We are all moving to …..

  • E-business and globalization
  • Most companies have dependency technology and automation and specifically telecom for all types of business communications and transactions
  • 7×24 around the clock operations in meeting Customer expectations
  • Reliance on Partners, vendor, suppliers – outsourcing if you wish 

2.  What is the worst-case scenario if a company does not have a business continuity plan in place?

A worst-case scenario if a company does not have a business continuity plan when a disaster strikes is you cannot deliver your product or services to your customers, which in turn can lead to loss of your customers –which means lost revenues. There’s also the collateral impact as the word gets out about about delivery challenges experienced. This may develop into:

  • Company ‘image or branding’ concerns
  • Customer confidence (difficulty in getting new ones)
  • Loss market place position

It is not my style to use statistics to deliver the message but if it helps, according to a study by research firm Gartner Group, 43 per cent of companies were immediately put out of business by a “major loss” of computer records, and another 51 per cent permanently closed their doors within two years – leaving a mere six per cent “survival” rate.

3.       Where does “IT resiliency” fit into business continuity planning?

From a business systems point of view IT resiliency is a subset of business continuity planning. It’s an outcome of mitigation planning where you introduce measures to promote reliability, availability and survivability of your IT infrastructure from threats or unforeseen disasters. Simple examples would be application and hardware diversity and redundancy, back power supply and data replication for those systems that are vital to your organization’s survival.

Some IT resiliency best practices for the infrastructure include:

  • Conducting regular risk assessment(s) and audits of IT infrastructure and data centres.
  • Categorizing of applications based on the relative business importance considering recovery time objectives (RTO) and recovery point objectives (RPO) which are associated with business-critical applications.
  • Using applicable IT standards which address disaster recovery framework
  • Have in place documented recovery plan(s) for critical IT systems (build & exercise)
  • Critical data is being replicated / backed up and is recoverable and explore and virtualization and cloud computing of essential application environments to enhance recovery from certain disaster scenarios. Data loss is becoming a chronic problem.

4.       What is the value of a business continuity program?

Organizations must plan and be prepared for unexpected events – interruptions to your essential services. The value of a business continuity program is it promotes the safeguarding of organizational business interests through a process which identifies potential risks, their impacts and appropriate mitigative responses. Proactive pre-planning reduces impact and speeds up recovery to meet internal or external customer service level agreements.

  • All companies in all industries benefit from business continuity planning…it’s about business survival when the unexpected happens.
  • This means reducing disruption to business and operations by being able to orderly recovery from an incident and meeting required service levels.
  • This translates the customers —- both new and retaining the ones you have which pay you for the products and service you deliver.
  • Without customers and a revenue stream, no business can survive.

5.       What are some success factors to a business continuity program?

Based on my experience and the organizations we have assisted, some key functions recommended for a successful business continuity program include:

  • Engagement of a VP-level management individual to sponsor your business continuity program. This promotes success.
  • Know your business. Identify the critical business or operational functions and including infrastructure elements that must be preserved when disaster strikes. This can be accomplished utilizing a business impact assessment (BIA). The BIA is an essential component of an organization’s business continuity planning methodology; and includes it an exploratory process to summarize what are the processes and functions that must be preserved when a man-made or natural disaster occurs and the financial and operational impacts to the organization.  The result of BIA analysis (a business case if you wish) promotes the organization’s management group to support with both funding and resources to build continuity plans elements at risk.
  • Document continuity plans for each business function (process) or IT infrastructure element that must be preserved
  • Exercising (for performance) the continuity plan for key two reasons, which include to operationalize the continuity plan and validate functionality in meeting the required performance levels. And staff training for individuals named  in the continuity plan.

It’s clear that a business continuity plan is important to consider if you are serious about being in business.  I hope you now have a better idea of the risks, benefits and the steps to enable your business continuity plan for success. Need more information or any other questions answered? Please send me a note at vito.mangialardi@mtsallsteam.com

 

Comments are closed.