Business Continuity Planning

Planning for cost-effective recovery and resiliency
The need for business continuity planning has grown rapidly in the 21st century, driven by both regulatory compliance requirements and stakeholder demands. Business continuity requirements expect organizations to review the plans, and the test results, of the processes they deem critical to their operations. The objective is to minimize business disruption in order to maintain high trust and confidence in the organization. Management should proactively incorporate business continuity considerations into the overall design of its business model to mitigate the risk of service disruptions.

In today’s fast-paced, volatile business climate, organizations cannot risk having outdated, incomplete, or inefficient plans. They need to automate the plan-building and maintenance processes. For this reason, many organizations are searching for a planning tool developed to meet their specific needs and regulatory requirements. This paper outlines how MetricStream's continuity planning and risk management solution can help organizations meet disaster recovery requirements.

The Securities and Exchange Commission observes, “because of the interdependent nature of the U.S. financial markets, all financial firms have a role in improving the overall resilience of the financial system. It therefore is appropriate for all financial firms to review their business continuity plans and incorporate ... broad business continuity objectives to the fullest extent practicable.”

MetricStream Solution Highlights

  • Document Management & Control
  • Environmental Health & Safety Audits
  • Issue and Incident Management
  • Corrective and Preventive Actions
  • Training Management
  • Reporting and Dashboards

Business Continuity Plan Methodology
The business continuity plan (BCP) should identify actions that organizations should take to minimize the adverse effects of potential disasters. Specifically, the organization’s BCP should include a preventive program that supports a documented BCP strategy, a comprehensive BCP framework, a testing program, and an oversight program to ensure that the plan is reviewed and updated regularly. Most organizations implement a phased methodology to analyze potential areas of vulnerability, define viable strategies, and implement business continuity plans.

  • Phase 1 - Initiation: In phase one, an organization sets forth the overall goal for the BCP effort - validating the scope of the plan and taking an inventory of the processes or business units needed for the project. It identifies key stakeholders in the process, including executive sponsors, the steering committee, and any other subject matter experts. This phase sets the parameters and trains the team in the project objectives and methodology.
  • Phase 2 - Business Impact Analysis and Risk Assessment: The business impact analysis (BIA) is the next step in creating a business continuity plan. This part of the process serves as the foundation of any viable recovery planning effort. It covers all the critical business functions and processes, along with their potential threats. Here risks are identified, prioritized, and managed; the various single points of failure (SPOF) for the business, including external dependencies, are identified; and the overall business impact of these risks and SPOFs is calculated. Recovery Time Objectives, Recovery Point Objectives and Recovery Communication Objectives are also identified for each critical business process. This phase is also used to identify regulatory requirements and best practices or standards that need to be followed, and the time and effort required to implement the BCP.
  • Phase 3 - Strategy Development: Leveraging the information from the BIA and risk assessment, organizations determine which business functions are “core” or “mission-critical” and determine a strategy to manage the risks identified in the risk assessment process (address, mitigate, or accept). The critical time frames and impacts from the BIA are used to determine which contingency strategies are viable. The strategy alternatives must satisfy the BIA for both cost-effectiveness and response times. The planners usually present three to four alternatives to management, with the most cost-effective alternative as the recommendation.
  • Phase 4 - Business Continuity Plan Development: On the basis of phases 1, 2 and 3, the business continuity plan is created. As the main deliverable of the project, the BC plan includes department-level DR plans, external supplier response plans, and the like. The BC plan is updated regularly. The primary components of the BCP include, but are not limited to:
    • Communication/Coordination Plan: Communication is key in any crisis. The communication and coordination plan establishes the communication channels to be used during the execution of a BCP; determines a chain of command for coordination of the BC effort; defines authorized media contacts; and includes notification procedures for key suppliers, vendors and clients.
    • Emergency Response Plan: The emergency response plan specifies responses to emergency situations, which are defined as risks that pose a danger to life, property, or the environment. This includes emergency notification tools such as email, phone, SMS, fax or pager.
  • Phase 5 - Business Continuity Plan Testing: To confirm that their BCP is viable and usable, planners conduct thorough functional testing of their mission-critical applications and personnel to verify that all business processes work as expected. Plan testing is a regulatory requirement as well. This phase defines the methodology used to test the BCP, deciding “how often do we test?”, “how much do we test?”, and “how do we judge the success or failure of the test?”. Once the test methodology is decided upon, the business continuity plan is tested as an iterative task, at least twice annually.
  • Phase 6 - Plan Maintenance: An outdated plan is as good as no plan. Most organizations strive to keep their business continuity plans up to date with the latest and most efficient recovery processes. Recovery Time Objectives and Recovery Point Objectives are re-evaluated and incorporated into the plan. Testing and management of the recovery strategy are kept consistent with the latest changes to the enterprise. Education is ongoing to maintain awareness of responsibilities when an emergency strikes.
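As an added illustration of the Phase 2 (BIA) and Phase 3 (strategy selection) steps above, the following Python script is an example written for this page and is not MetricStream's code. It assumes a simple linear outage-impact model and uses a constructed set of processes, dependencies and recovery strategies; every name and figure in it is made up.

```python
"""Constructed BIA / recovery-strategy example (added here; not MetricStream's code).

Models critical processes and the resources they depend on, flags single points
of failure (SPOF), estimates outage impact, and selects the cheapest recovery
strategy that meets each process's RTO and RPO. All names and figures are made up.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass(frozen=True)
class Resource:
    name: str
    external: bool = False     # supplier / third-party dependency
    alternates: tuple = ()     # redundant resources that can substitute for this one


@dataclass
class Process:
    name: str
    rto_hours: float           # Recovery Time Objective
    rpo_hours: float           # Recovery Point Objective
    impact_per_hour: float     # assumed loss per hour of outage (constructed units)
    depends_on: List[Resource] = field(default_factory=list)


@dataclass
class Strategy:
    name: str
    recovery_hours: float      # time to restore service with this strategy
    data_loss_hours: float     # worst-case data loss (e.g. backup interval)
    annual_cost: float


def single_points_of_failure(proc: Process) -> List[Resource]:
    """A dependency with no alternate is a SPOF for this process."""
    return [r for r in proc.depends_on if not r.alternates]


def outage_impact(proc: Process, outage_hours: float) -> float:
    """Linear impact model (an assumption): loss per hour times hours down."""
    return proc.impact_per_hour * outage_hours


def meets_objectives(proc: Process, s: Strategy) -> bool:
    """A strategy is viable only if it satisfies both RTO and RPO."""
    return s.recovery_hours <= proc.rto_hours and s.data_loss_hours <= proc.rpo_hours


def recommend(proc: Process, options: List[Strategy]) -> Optional[Strategy]:
    """Cheapest viable strategy (Phase 3 rule), or None if none meets the objectives."""
    viable = [s for s in options if meets_objectives(proc, s)]
    return min(viable, key=lambda s: s.annual_cost) if viable else None


def rank_by_exposure(procs: List[Process]) -> List[str]:
    """Order processes by the impact accumulated if an outage lasts the full RTO."""
    return [p.name for p in sorted(procs, key=lambda p: outage_impact(p, p.rto_hours), reverse=True)]


# --- constructed sample data (hypothetical) ---------------------------------
PRIMARY_DC = Resource("primary-datacenter", alternates=("dr-site",))
PAYMENT_GW = Resource("payment-gateway-vendor", external=True)   # no alternate -> SPOF
MAIL_RELAY = Resource("mail-relay", alternates=("backup-relay",))

ORDER_PROCESSING = Process("order-processing", rto_hours=4, rpo_hours=1,
                           impact_per_hour=50_000, depends_on=[PRIMARY_DC, PAYMENT_GW])
CUSTOMER_EMAIL = Process("customer-email", rto_hours=24, rpo_hours=8,
                         impact_per_hour=2_000, depends_on=[PRIMARY_DC, MAIL_RELAY])

STRATEGIES = [
    Strategy("tape-restore-offsite", recovery_hours=48, data_loss_hours=24, annual_cost=20_000),
    Strategy("warm-standby", recovery_hours=8, data_loss_hours=4, annual_cost=120_000),
    Strategy("hot-site-replication", recovery_hours=1, data_loss_hours=0.25, annual_cost=400_000),
]

if __name__ == "__main__":
    for p in (ORDER_PROCESSING, CUSTOMER_EMAIL):
        spofs = [r.name + (" (external)" if r.external else "") for r in single_points_of_failure(p)]
        rec = recommend(p, STRATEGIES)
        print(f"{p.name}: SPOF={spofs} impact@RTO={outage_impact(p, p.rto_hours):,.0f} "
              f"recommended={rec.name if rec else 'none meets RTO/RPO'}")
    print("priority order:", rank_by_exposure([ORDER_PROCESSING, CUSTOMER_EMAIL]))
```

Run as-is it reports the external payment gateway as the only SPOF for order processing, recommends the hot site for the 4-hour/1-hour objectives and the cheaper warm standby for the more tolerant e-mail process, and ranks order processing first. Replacing the linear impact model with the organization's own BIA scoring is the expected adaptation.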

Elements of Business Continuity Management (BCM)
Business Continuity Management is an ongoing process with several distinct but complementary elements, described below:

  • Risk Mitigation Plan: Organizations today are taking a comprehensive and methodical approach to risk mitigation to ensure their business continuity. By developing, implementing and testing risk mitigation strategies, they provide their business with a level of resiliency and operational insurance that positions it to continue, perform and succeed against unexpected threats. A viable business continuity plan involves a detailed plan for risk identification, prioritization, monitoring, and mitigation as part of project planning. It covers all business units, verticals, service offerings, support groups and subsidiaries, and offers deeper, more diverse, and quantified feedback on risks. This enables organizations to address actual and potential risk events in a systematic manner.
  • Business Continuity Plan: The value of a business continuity plan cannot be overstated. The business continuity plan is one of the pillars of the overall Business Continuity Management framework. Organizations should develop a comprehensive BCP based on the size and complexity of the institution. The goal of the BCP should be to minimize losses to the institution, serve customers with minimal disruption, and mitigate the negative effects of disruptions on business operations.
  • Pandemic Plan: BCP planning cannot be restricted to the breakdown of critical operations and controls. Business can also be hampered in the event of a pandemic, which leads to human-resource disruption. An absence of staff can stall key functions that are important to keep an organization running. It thus becomes important to prepare your company for organizational downtime during a health crisis by considering the risk of a pandemic outbreak while planning for business continuity.
  • Contingency Plan: The key to attaining and sustaining success is being prepared for the unexpected. Contingency planning is thus imperative for every organization, so that advance plans and strategies are ready to effectively handle unexpected problems, emergencies and catastrophic events. This is an important component of BCP which ensures the continuity and survival of a business by devising a series of actions that can prevent the disruption of critical business functions.
  • Business Recovery: BCM aims at devising plans which keep businesses operational despite all odds. Business recovery forms one of the most crucial aspects of BCP, as the efficiency of an organization depends on effective business recovery plans that can restore critical business functions and data within an acceptable time frame. Depending on the defined recovery strategies, business recovery can include temporary manual processing, recovery and operation on an alternate system, or relocation and recovery at an alternate site. Whatever the mode of recovery, business recovery needs to consider aspects such as cost, allowable outage time, and a secure and fast restoration and resumption of business operations.
  • Audits: Examining the readiness of the business continuity process; reviewing the documented plans for adequacy and completeness; examining the regular update and relevance of continuity plans; and identifying actions for enhancement of the organization through proper risk analysis are all essential components of BCP. These requirements demand auditing, which provides assurance to the board on business continuity. Auditing is essential yet complex, encompassing audit planning, scheduling, implementation and management to ensure compliance with the BCP. The need of the hour is to implement high-quality audit management software which can automate certain aspects of auditing to enhance the efficiency of an organization.

Challenges

Terrorist attacks, natural disasters and power breakdowns have made compliance with BCP an indispensable aspect of business planning. However, adhering to the BCP is an uphill task for most organizations. Along with the difficulty of realistically simulating disaster scenarios, there are various other challenges involved. That is why many enterprises still sidestep the issue or hold plans which are out of date or inadequate.

  • Conducting Risk Analysis: Simulating disaster scenarios is a tough task for any organization. It involves the time-consuming challenge of identifying risks in order to handle them effectively through risk management techniques. The whole process of risk management in terms of BCP involves examining the finest details of the data so as to track down all risk factors. A proper risk analysis not only prepares an organization for compliance with BCP, but also helps improve the overall performance and efficiency of the organization.
  • Managing Distributed Tasks: BCP brings with it the challenge of organizing distributed and fragmented data. Every organization has numerous risk management techniques and internal control activities for various purposes, but they are usually not coordinated to act as a whole. This can lead to redundancies and inconsistencies which can hamper an organization’s contingency plan. Organizing distributed activities and data is thus one of the biggest management challenges faced while complying with the BCP.
  • Managing Internal Audits: High-level internal audits are a must for every organization to comply with regulations and to enhance performance through improved operational efficiency and risk analysis. However, manual handling of a wide range of audit-related programs, processes, and data not only increases management activity but also decreases performance. The main challenge for an organization is therefore to automate these manual processes through audit management software solutions which are effective yet cost-friendly.
  • Testing and Monitoring: Adhering to BCP standards is iterative, requiring regular testing and monitoring to ensure the BCP is up to date and operational. This also involves the challenge of monitoring the ongoing backup processes so that any backup failure can be rectified before it impacts the BCP lifecycle.
  • Updating the Business Plan Regularly: Organizations need to ensure that their business continuity plan is updated according to the changing requirements of their company. This also involves the challenge of hiring and training staff on BCP compliance and the skills needed to function, so that business does not get hampered by any disaster.
  • Identifying a Cost-Effective Solution: Gaining the maximum from the minimum is the general rule of a progressive organization. The main challenge in complying with BCP regulations lies in identifying a high-performance business continuity solution at the lowest cost. Cost is a major challenge with BCP, as business continuity programs are generally viewed as tied-up money which provides no return in normal circumstances. This poses a challenge when identifying backup storage systems which are efficient and robust as well as cost-friendly.
  • Ensuring Data Security: When data becomes your invaluable treasure, you face the challenge of ensuring optimum data security by protecting it from unauthorized access and theft. This requires proper encryption techniques and lock mechanisms to ensure that the backed-up data remains safe even if it is kept in remote locations. Companies that follow conventional manual handling of data are all the more vulnerable to the risk of data loss.
  • Restoring Data: You need to ensure that your backed-up data is not hardware- or platform-dependent. This is an essential technical requirement to keep in mind so that the backed-up data can be easily restored when required.

MetricStream Solution
There is no denying that BCP is an essential component of keeping a business operational in adverse conditions. Today’s economic and political scenario has brought BCP to the forefront, requiring organizations to include BCP in their risk planning model. MetricStream provides an integrated and flexible framework that helps embed BCP in the risk management model and automate the BCP lifecycle, from the basic stages of planning and implementation through management and maintenance. The solution helps automate plan building through resource management and risk analysis; mitigate resource loss through business recovery management; and facilitate plan maintenance, progress tracking and documentation. The MetricStream BCP solution ensures that organizations implement an effective business continuity plan.

  • Risk Assessment and Analysis: The MetricStream solution provides customized strategies and recovery plans that address an organization’s business continuity requirements and help it minimize risk. It supports risk assessment and computations based on configurable methodologies and algorithms, giving insight into the organization’s risk profile and enabling risk managers to prioritize their business continuity strategies for optimal risk/reward outcomes. Risk Control Self Assessment (RCSA) forms a core part of the MetricStream solution. The solution's risk self-assessment capabilities enable organizations to document and evaluate their risk frameworks, including processes, risks, events, key risk indicators (KRI) and controls. Executive-level dashboards and reports provide visibility into the risk analysis, highlighting key risk metrics and policy compliance. Business process automation capabilities provide real-time event escalation, automated risk processes, and streamlined remediation of issues and action items.
  • Risk and Control Framework Assessment: Through Risk and Control Framework Assessment, the MetricStream solution helps companies identify and understand the misalignments, challenges, and improvement opportunities in their risk and control frameworks. The system supports assessments based on predefined criteria and checklists and has a mechanism for scoring, tabulating, and reporting results. The repository of all assessments, with an easy search capability, ensures that users can check whether a specific control was tested, access the assessment results, and confirm whether it requires a remedial action plan. This assessment provides a clear definition of focus areas and efforts that can help management drive incremental improvements that mitigate risk and enhance overall performance.
  • Internal Audit: The MetricStream solution streamlines the audit management process in an organization. It provides the flexibility to manage a wide range of audit-related activities, data, and processes to support risk management. It supports all types of audits, including internal audits, operational audits, IT audits, supplier audits, and quality audits. Advanced capabilities such as built-in remediation workflows, time tracking, email-based notifications and alerts, and offline functionality for conducting audits at remote field sites allow organizations to implement industry best practices for efficient audit execution and ensure integration of the audit process with the risk and compliance management system.
  • Risk Monitoring: The MetricStream solution can track risk profiles, control ownership, assessment plans, remediation status, etc. on graphical charts that can be accessed globally and display real-time information. Drill-down capability provides an easy way to access the data at finer levels of detail. In addition to pre-configured standard risk reports, the system provides flexibility by enabling stakeholders to configure ad-hoc or scheduled reports to view metrics on a variety of parameters, such as by process, by business unit, or by status. Quarterly and monthly trend analysis, along with the ability to drill down into each report and dashboard to see the underlying details, enables risk managers and process owners to stay in constant touch with the actual state and progress of business continuity programs. Automated alerts for events such as exceptions and failures eliminate surprises and make the process predictable.
  • Risk Remediation: MetricStream’s risk remediation solution focuses on risk mitigation by improving the efficiency of the related processes and controls. The process and control reviews provided by the solution have considerable potential to provide added business insight. By uncovering deficiencies, these reviews help identify performance and control improvement opportunities. The solution also helps enterprises organize their multiple security risk remediation initiatives into a project-level roadmap that helps meet requirements for regulatory compliance.

Solution Benefits
  • Quick Implementation
  • Seamless Integration
  • User-friendly
  • Built-in reporting
  • Robust Security

Conclusion
Business continuity is a continuous process, designed to ensure that your organization operates efficiently when times are normal and continues to do so when times are turbulent. This implies having a robust business continuity system in place that is continually tested, exercised, and updated. Companies and entities that are new to business continuity often focus their efforts solely within the boundaries of their organization. As their business continuity arrangements mature, these boundaries expand to include supply chain vulnerabilities and threats posed by the activities of other companies located close by. This is where many business continuity frameworks break down. However, the profession’s innovators are now starting to acknowledge the importance of having comprehensive solution providers like MetricStream as partners, which helps institutions across the gamut of activities from planning to implementation to monitoring of business continuity strategies within a continuous improvement cycle. It caters to unique business needs seamlessly - whether the need is for point solutions to solve an immediate problem or analysis and planning around a total business continuity program.