BUSINESS CONTINUITY MANAGEMENT

Introduction
A Business Continuity Management plan addresses the emergency response, resumption,
recovery
and restoration of all business operations and activities after a disruptive event has occurred.
This disruptive event is normally a very low probability but a very high consequence event.
The
cause of the disruption is irrelevant in business continuity management.
The framework provides guidance for the resumption and recovery of a businesss critical
functions
and activities in accordance with the pre-established timeframes and ensures compliance
with the
Continuity Management Policy.
An important factor in the success of the continuity plan in any business is support and
commitment
at all times from management at the highest level, all department heads and staff. For this
reason
the document needs to be approved at all levels of employment within the organisation.
The steps in the business continuity management process are:
1. Identification of activities that are critical to the business operations that must be
resumed as soon as possible
2. Identification of appropriate response options to a disruptive event
3. Development of a Business Continuity Plan (Plan) to guide the department through a
disruption
4. Preparation of a Business Continuity Recovery Plan to enable the continuation of critical
services
5. Test, report and review of the Plan to remain prepared.

How to Create a Business Continuity Plan

This will provide procedures for how employers and employees will stay in touch and keep
doing
their jobs in the event of a disaster or emergency, such as a fire at the office.
Unfortunately, many companies never take the time to develop such a plan, typically
because they

do not feel it is necessary. Creating a comprehensive Business Continuity Plan will allow
business
managers to enhance their businesss ability to continue business as usual during or after
significant
disruptions to business operations.
Accept the potential threats and risks facing company.
The possibility of a disruption shutting down the business operations is scary to think about,
a
business owner should always be prepared and willing to accept that risks and threats can
cause
turmoil for the business.
The owner can accept that unplanned for risks and threats can have devastating results on
business
operations, they can then make a plan that ensures that both the businesss assets and
personnel
are sufficiently protected.
Make a list of possible risks and their impact upon the company. For example, the death
of a
key person will not typically result in closing the doors for a while, but can severely impact
results, on vendor relations and customer service.
After identifying risks, sort them by impact and livelihood to prioritise your planning.

Business Continuity Plans are sometimes referred to as Disaster Recovery Plans and the
two have
much in common.
Disaster Recovery Plans should be oriented towards business recovery following a disaster,
and
mitigating the negative consequences of a disaster.
In contrast, Business Continuity Plans focus on creating a plan of action that focuses on
preventing
the negative consequences of a disaster from occurring at all.

Identifying critical inputs

Businesses are sometimes disrupted because of a total loss of assets resulting from a major
emergency, such as flood or fire. More often, however, disruption is caused by a loss of
access to a

critical input needed to operate the business.

Understand the critical inputs that enable you to provide each of products and
services.
These will be essential to restarting your business during a disruption.
Critical inputs may include:
specialist and generalist staff
electricity
water
fuel
vehicles
raw materials
equipment, premises
eftpos
computer records

Develop an IT backup process:

Without proper backup schedules and retention policies, backup media can't be used
efficiently, resulting in increased costs for data cartridges, automated libraries and off-site
storage. Lack of media management policies can also result in lost or damaged backup
media, impacting data availability and recoverability.

Step 1: Understand the backup environment

it's important to conduct a thorough assessment and inventory of the existing backup
environment, including backup servers and clients, automated libraries, backup media and
storage networking components.

Is the current infrastructure designed for backup and recovery? Most backup
solutions are designed to move a fixed amount of data to backup media within a
given backup window. While this is certainly an important consideration, the primary
emphasis for solutions design should be on ensuring that the business-critical
applications can be restored quickly in the event of a disaster.

Which systems are mission- critical? What are the availability requirements? What's
the cost of downtime?

What are the backup software and licensing requirements? Have enough licenses
been purchased to satisfy the requirements?

What are the database or application backup requirements? Is there a requirement

for hot backup?

Step 2: Perform capacity planning

Once the assessment and inventory are completed and the backup infrastructure is
understood and documented, the next step is to perform capacity planning. The purpose of
capacity planning is to identify the sources of storage growth and perform a gap analysis to
determine the differences between the current infrastructure capabilities vs. expected
requirements. Important questions to answer at this stage include:

What is the expected storage growth over the next six months and in one to three
years?

What are the anticipated increases in the number and types of backup clients?

Will the current backup architecture and infrastructure scale to meet this growth?

Step 3: Analyze current policies and procedures

In this step, internal and external customer requirements for backup and recovery must be
reviewed and documented. Questions that should be answered include:

What are the service level commitments that must be met for application and data
availability?

What backup schedules and windows are needed? (See "How often should backups
occur?" sidebar.)

What are the appropriate retention policies for this data? Are there any regulatory
requirements?

What are the corporate requirements for a disaster recovery plan?

Step 4: Determine resource constraints

in an ideal world, an enterprise would have unlimited resources to accomplish their business
objectives - including ensuring a successful backup and recovery.

Step 5: Monitor the management plan

Storage administrators require a robust set of software tools to properly monitor and manage
the backup and recovery infrastructure. These tools include messaging and event
notification frameworks such as HP's OpenView, Tivoli from IBM, and CA Unicenter, with
backup and recovery software from vendors such as Veritas, Computer Associates, Legato,
and Tivoli among others. While the leading software vendors provide a rich set of features
and functionality in their products, a more holistic view is required for expert management of
the backup infrastructure.
Many IT organizations are evolving into internal storage service providers. They are adding
value to their organizations by offering expert storage and backup knowledge, improved
quality of service and customized backup solutions to meet their customer requirements. As

such, these organizations are looking for new software solutions that provide enhanced
monitoring, reporting, asset management and chargeback capabilities. When researching
backup and recovery management tools, look for the following functionality:

Global view of the backup infrastructure. Many large enterprises have multiple data
centers that are geographically dispersed. A consolidated, global view of the
enterprise environment simplifies backup administration and reporting. A storage
administrator may quickly identify information at risk in the event of failed backups,
and take corrective action as required.

Event driven notification and response. The software management tool should
provide cohesive in-band and/or out-of-band monitoring capability for all components
in the backup and recovery infrastructure including backup servers, host clients,
automated libraries and storage networks.

Outsource IT storage procedure:

Core Business vs. Supporting Tasks

Technology Is Changing
One of the major problems with building your own data storage systems and creating data
backup strategies is that data storage technology has been developing rapidly during the last
decade. If you are not doing research regularly, test new technologies, pay attention to
important technical details, there is a great chance that you miss some important
opportunities that would make data handling safer, more efficient and cheaper.

Online Backup Means Automation

There are new software solutions for performing routine tasks. If data storage and handling
of backups is not your main field of activity, you may not be aware of all the opportunities
offered by automation. First of all, conducting certain backup routines automatically means
more reliable outcome, so you will have good quality backups done regularly. Fully
automated procedures are also safer because many possible human errors are eliminated.
Automation helps to save many man hours and helps to reduce costs.

Flexibility and Better Performance

Outsourcing offers many advantages. For example, ability to increase data storage capacity
when you need it without making huge investments in personnel, software solutions and
server hardware.

Free Employees from Routine Tasks

In most small and medium size companies there are no hired specialists who are dedicated
only to data storage and backup duties. It means that someone is managing data handling
issues as part of their other everyday tasks. Having many things to pay attention to in data
backup, there is less time for other important thing, which may actually have higher priorities
for company's success. The cost of small companies employees is usually far higher than
the cost of outsourcing specific, technically oriented tasks from professional data storage
service providers.

Dedication Defines Outcome

Handling all data in safe manner, including creating storage and backup systems,
implementing secure procedures as well as maintaining data systems on daily basis, takes
some experience and professional insight
Develop IT procedure Document:

Technology Hardware Purchasing Policy

Policy Number: {insert unique number}
Policy Date: {insert date of policy}
Guidance: This policy should be read and carried out by all staff. Edit this policy so it suits
the needs of your business.
Computer hardware refers to the physical parts of a computer and related devices. Internal
hardware devices include motherboards, hard drives, and RAM. External hardware devices
include monitors, keyboards, mice, printers, and scanners.
Purpose of the Policy
This policy provides guidelines for the purchase of hardware for the business to ensure that
all hardware technology for the business is appropriate, value for money and where
applicable integrates with other technology for the business. The objective of this policy is to
ensure that there is minimum diversity of hardware within the business.
Procedures
Purchase of Hardware
Guidance: The purchase of all desktops, servers, portable computers, computer peripherals
and mobile devices must adhere to this policy. Edit this statement to cover the relevant
technology for your business.
Purchasing desktop computer systems
Guidance: For assistance with Choosing hardware and software, including desktop
computers, the Business Victorias Choosing hardware and software page on the Business
Victoria website.

The desktop computer systems purchased must run a {insert relevant operating system here
e.g. Windows} and integrate with existing hardware { insert names of existing technology
such as the business server}.
The desktop computer systems must be purchased as standard desktop system bundle and
must be {insert manufacturer type here, such as HP, Dell, Acer etc.}.

Purchasing server systems

Server systems can only be purchased by {insert relevant job title here, recommended IT
specialist}.
Server systems purchased must be compatible with all other computer hardware in the
business.
All purchases of server systems must be supported by {insert guarantee and/or warranty
requirements here} and be compatible with the businesss other server systems.
Any change from the above requirements must be authorised by {insert relevant job title
here}
All purchases for server systems must be in line with the purchasing policy in the Financial
policies and procedures manual.

Policy for Getting Software

Policy Number: {insert unique number}
Policy Date: {insert date of policy}
Guidance: This policy should be read and carried out by all staff. Edit this policy so it suits
the needs of your business.
Purpose of the Policy
This policy provides guidelines for the purchase of software for the business to ensure that
all software used by the business is appropriate, value for money and where applicable
integrates with other technology for the business. This policy applies to software obtained as
part of hardware bundle or pre-loaded software.
Procedures
Request for Software
All software, including {insert relevant other types of non-commercial software such as open
source, freeware, etc. here} must be approved by {insert relevant job title here} prior to the
use or download of such software.
Purchase of software
The purchase of all software must adhere to this policy.
All purchased software must be purchased by {insert relevant job title here}
All purchased software must be purchased from {insert relevant suppliers names or the
words reputable software sellers here}

All purchases of software must be supported by{insert guarantee and/or warranty

requirements here} and be compatible with the businesss server and/or hardware system.
Any changes from the above requirements must be authorised by {insert relevant job title
here

Policy for Use of Software

Policy Number: {insert unique number}
Policy Date: {insert date of policy}
Guidance: This policy should be read and carried out by all staff. Edit this policy so it suits
the needs of your business.
Purpose of the Policy
This policy provides guidelines for the use of software for all employees within the business
to ensure that all software use is appropriate. Under this policy, the use of all open source
and freeware software will be conducted under the same procedures outlined for commercial
software.
Procedures
Software Licensing
All computer software copyrights and terms of all software licences will be followed by all
employees of the business.
Where licensing states limited usage (i.e. number of computers or users etc.), then it is the
responsibility of {insert relevant job title here} to ensure these terms are followed.
{insert relevant job title here} is responsible for completing a software audit of all hardware
twice a year to ensure that software copyrights and licence agreements are adhered to.
Software Installation
All software must be appropriately registered with the supplier where this is a requirement.
{Business Name} is to be the registered owner of all software.
Only software obtained in accordance with the getting software policy is to be installed on
the businesss computers.

Communicate IT outages procedure to staff:

Identify who can conference call.
In the event that business operations cannot continue at the regular location, conference
calls from
home are a great way for employees to continue doing work as usual.
The employees ability to work, even when away from the office, will mean that at least some
of the
delays in performing work as usual can be avoided.

Some people in the company might be perfectly capable of conducting business from a
home office.
Develop strategies to keep your business running
With some forethought develop continuity strategies to keep your business operating after a
disruption.
The range of strategies you might consider includes:
cross-training staff and skill-sharing
hiring equipment
borrowing equipment from another business
having back-up equipment
retaining old equipment when it is replaced
practicing manual processes to replace computer systems
identifying alternative suppliers
having records and forms stored off-site
keeping computer back-ups off-site
contracting out
having insurance policies, contracts and other important documents copied and kept offsite
succession planning
For each product or service, develop a continuity strategy to restore business before the
maximum
acceptable outage is reached.

2. Objectives
The objective is that critical services shall be maintained at an acceptable level even
during an event which causes a major disruption to normal operations.
Ensure that all significant risks to business continuity are identified assessed and where
necessary treated in a consistent and practiced manner through the Business Continuity
Plans and training and reported to management.
Assign responsibility to all staff for the management of business continuity within
their areas of control and provides adequate training and testing to build
capability.
Scope

The Business Continuity Management framework shall operate for:

all identified risks to the organisations critical processes
unforeseen events that have the potential to disrupt critical business processes

Methodology
BCM objectives have been identified to ensure that critical business processes continue
to be met even under conditions of major disruption to facilities or staff resources.
These critical business processes and agreed timeframes for activation of contingency
plans and recovery are documented in the Business Impact Analysis.
The Crisis Management Plan must be adaptable to unforeseen events and still ensure
continuity of an acceptable level of service for a predetermined length of time, within
which critical business service systems must be returned to normal operation, defined as
a Recovery Time Objective (RTO).
For each critical service a Contingency Plan must be developed and maintained.
The Crisis Management Team ensure that Business Contingency Plans (BCPs) relevant to
the service disruptions are deployed and that all stakeholders are appropriately advised.
Roles and Responsibilities
Key roles and responsibilities during internal and external crisis situations are described
in detail within the Crisis Management Plan. This section details the responsibilities for
the development, maintenance and improvement of the Business Continuity
Management Framework.
Crisis Management Executive
Manage Business Continuity as a component of corporate risk mitigation
via the audit Management Committee.
Establish and review departmental Business Continuity Management
Framework context for the organisation
Crisis Management Team (CMT)
Ensure the functionality and preparedness of the Business Continuity
Management Framework
Participate in and promote Business Continuity Management training and
awareness.
Provide expert input to Business Continuity Management development and

maintenance.
General Managers
Champion BCM within their Group
Endorse critical business processes requiring BCPs
Ensure preparedness of their BCPs
Business Contingency Plan Team Leaders
Identify critical business processes requiring BCPs
Prepares and maintains BCPs
Champion BCM training, testing and BCP improvements
Conduct team BCP training, testing and improvements
Technology Recovery Team
Understand BCPs and ensure resulting return to operation (RTO)
objectives are achieved.

Training and awareness

On an annual basis:
All employees will receive information explaining the BCM framework.
Identified BCM roles will received training relevant for their role
Testing and exercising
An annual program of testing and exercising will be developed and implemented.
Review and update
On an annual basis:
Business Continuity Framework will be reviewed and updated.
Business Impact Analysis will be revalidated.
Best Practice Guide
Business Continuity Management Plan what does good look like?
A Business Continuity Management (BCM) framework is in place and is being used to
prepare for the effects of a severe unexpected business disruption event.
All critical business functions have been identified, confirmed, and documented.
Risk assessments and business impact analyses have been conducted.
Preparatory controls have been implemented.
Business continuity plans (BCPs) are in place for all business units with critical business

functions and the organisation as a whole.

BCPs include interdependencies with other critical business functions, business units,
systems, BCPs, disaster recovery plans, and emergency management plans.
Senior management has endorsed the BCPs and the framework.
BCP roles and responsibilities are documented, communicated, and agreed.
All business continuity stakeholders are aware, trained, and appropriately involved.
An effective communication strategy is in place.
BCPs are regularly maintained, reviewed (at least annually), and tested.
BCPs are accessible offsite in the case of a severe unexpected business disruption event.
BCP activation authorisation is at the appropriate level of management

References

Watch a short webisode about preparing an incident response plan.

Read an example business continuity plan.
Once the crisis has passed and it is safe for you to return to work, your recovery plan will
help get your business running again.
Find out how to identify business risk.
Read about information technology risk management.
Read about how to respond to, and recover from an economic downturn