When businesses talk about Business Continuity Planning (BCP), most people look only at the information technology (IT) side. BCP is much more than managing IT disruption, important as IT risks are. The coronavirus (COVID-19) pandemic has shown us this.
We all saw the panic and the bans on people arriving from China, South Korea (and even Singapore) in the early stage of this pandemic. But now confirmed cases in Italy and Iran have increased dramatically, at the speed of light. Last week Italy had only 4000+ confirmed cases; on 11 March 2020 it reported 10,000+ confirmed cases, and in less than 24 hours that had risen to 12,000+ confirmed cases - a 20% increase in less than a day!
Organisations have now taken measures to deal with suspected and confirmed infections; however, all were reactive and took quite some time - months - after the virus had gone viral. Is it too late? Had we identified the varied risks better, maybe we would have a better response plan in place. Maybe our BCP has not considered all matters that should matter.
Business Continuity Planning 101
What is a BCP? BCP, or Business Continuity Planning, is a documented and formal arrangement for resuming critical business operations in a timely manner following a disaster or other disruption. BCP is a function of risk management. The response should be timely or immediate, the focus is on sustaining the business, and the recovery process must be efficient and organised.
The elements of BCP are:
Crisis management and communication plan
IT disaster recovery plan
Business resumption plan
Pandemic response plan
Understanding the operating environment, and the constraints and threats that could result in a significant disruption (through risk identification and assessment), is very important. This is followed by identifying which parts of the organisation are critical to its short- and long-term success and quantifying the impact of those threats on critical functions. There should be a process to ensure that this information remains current and relevant to the changing risk and business environment.
Learning from past (and current) disasters, we need to bear in mind that the event may impact multiple sites simultaneously, communications may suffer extended outages, full staffing may not be available for the recovery, work in process and vital records may be destroyed, essential transportation may not be available, supply chains may break down, and untested provisions may be unreliable.
Therefore, when preparing our BCP program, functions and systems must be inventoried and prioritised for recovery, teams and individuals must have their recovery playbooks for reference, and there must be a designated team for recovery coordination. In designing it, we need to understand the objectives of BCP, which include:
Identify and mitigate risks
Protect employees, customers, assets
Reduce reliance on key personnel
Minimise potential economic loss
Minimise disruptions to operations
Ensure organisational stability
Provide for an orderly response and recovery
Minimise decision-making during and following a disaster
Reduce legal liability to the organisation
Comply with regulatory and contractual requirements.
There are many factors that contribute to an effective and efficient BCP program.
For a BCP program to be effective, there should be tone from the top. Thus organisations need to ensure that the following exist:
Solid organisational commitment
Effective risk management
A thorough business impact analysis (BIA)
Viable recovery strategies
Comprehensive recovery documentation
Enterprise-wide plan deployment
Persistent plan maintenance and testing.
For a BCP program to be efficient, there should be:
Established goals and objectives
Clear roles and responsibilities
Defined standards, methodologies, and techniques
Ongoing and regular collaboration
Useful and productive tools
Formal reporting and monitoring
Regular evaluation and constructive feedback
Continuous refinement
When testing your BCP, remember that there should be a summary of what was successful and what was not.
The trend now is that organisations have an enterprise-wide BCP instead of only having an IT disaster recovery plan. Consideration should also be given to increased scrutiny and accountability from the perspectives of customers, regulators, investors, and the board. In addition, the BCP should also entail consideration of widespread disaster scenarios, mass absenteeism planning, and integration with or into the organisation's enterprise risk management (ERM).
What to do now?
Assess your business operations, external expectations, risk posture, etc., to determine BCP requirements and objectives.
Revisit your Disaster Risk Assessment Register. It should include identification of natural, human, and technical threats that may disrupt your organisation's critical business operations.
Evaluate your current BCP documentation, strategies, and processes for alignment with your organisation's requirements and objectives, and with general best practices.