Some products and services must consistently be delivered without disruption. Therefore, organizations have now opted to shift from business resumption to BCP. A BCP ensures that an organization continues with its normal operations by delivering products and services to its clients consistently even during and after a disaster. Critical products and services must be delivered to meet legal and other organizational obligations, avoid injuries and ensure survival (Krell, 2006).
A BCP includes the identification of essential resources to facilitate BC, such as information, budgetary allocations, personnel, legal counsel, accommodation, equipment, and infrastructure protection, together with the arrangements, plans, and measures to ensure consistent delivery of critical products and services, which enable a company to recover its assets, data, and facility. Investing in a BCP not only demonstrates a proactive organization but also improves its image with shareholders, clients, and employees.
Moreover, having a BCP helps in identifying the interrelation of financial and human resources and assets with critical services and deliverables. In addition, it results in overall improvement of organizational efficiency (Savage, 2002). Creating and maintaining a continuity plan ensures that a company has the information and resources it needs to respond to a variety of crises. These crises may include sabotage, cyberattacks, accidents, fire and earthquakes, floods, tornadoes, and energy and power outages. The objective of this document is to provide a BCP for the YG Tech company.
BCP Governance
A BCP governance is a committee that defines senior management roles and responsibilities and ensures their commitment. The committee will be in charge of the BCP’s planning, implementation, approval, testing, and auditing, as well as its oversight. In addition, it will coordinate activities, oversee the development of continuity plans, approve the survey of BIA, review the outcomes of quality assurance activities, implement the BCP, communicate vital messages, provide strategic directions, and resolve conflicting priorities and interests.
The executive sponsor and the coordinator will co-chair the BCP committee. It will comprise the following members:
Executive Sponsor
He or she will be in charge of the BCP committee, as well as eliciting the guidance and support of senior management and ensuring that the BCP initiative is properly funded.
BCP Coordinator
He or she will secure senior management’s support, estimate program funding, develop BCP policies, ensure sufficient participant input, oversee and coordinate BIA process, oversee and coordinate the development of business continuity plans and arrangements, establish working teams and groups and stipulate their roles, coordinate appropriate training, and test, audit and conduct regular reviews for the BCP.
Security Officer
He or she will work with the coordinator to ensure that all aspects of the BCP meet the security requirements of the organization.
Chief Information Officer
He or she will work with both the IT specialists and BCP coordinator to plan for harmonized and effective continuity.
Business Unit Representative
They will contribute ideas and help with the BIA’s execution and analysis.
BIA
A BIA examines and evaluates the potential implications of a crisis or occurrence that interrupts normal business operations. It includes a component for identifying potential hazards as well as a technique for formulating risk-mitigation plans. Following the study, a report is written to describe the various dangers that the company faces. To estimate the likely effect of a disruptive event, data is required. As a result, a detailed questionnaire is created to identify critical corporate resources, procedures, linkages, and other factors (Krahulec and Jurenka, 2015).
A BIA is a vital component of YG Tech’s continuity plan. By determining the company’s most critical services, it will aid in risk reduction and disaster recovery planning. These assessments will help in aligning important service programs and technological components to the company’s operation at a granular level. It will also help the company to define:
- The durations and degrees of operational outage that are acceptable when a service interruption happens, the extent of the damage, and the duration over which the disruption’s effect is likely to increase.
- The people, facilities, services, and skills necessary to keep critical company processes running smoothly.
- The period required to fully restore all necessary company processes, including supporting individuals, services, and resources.
- The financial impact of a service outage on the company. In terms of financial management, this is incredibly significant.
Critical Functions
These operations have the biggest impact on the organization’s operations and possibility for recovery. They are needed for the company to operate. From an IT standpoint, a critical network, system, or application breakdown would have a significant business impact. Such disruptions could have major legal and financial implications. Long-term restoration efforts may be required for these systems, which are nearly always expensive to the entire company. The likelihood of a system or service outage, whether induced by the IT system or the services it delivers, is extremely low, and the times of recovery are frequently measured in hours instead of days. ICT, customer service, finance, administration, production, human resources, marketing, and sales are the basic functions that are vulnerable to business disruption (Popescu, Păunescu, and Blid, 2018).
Roles of Major Personnel
Requester of BIA
An IT Program Manager or a Technical App Administrator will be in charge of the BIA Requester role. During the BIA procedure, the BIA requester will be accountable for the following tasks:
- Filling out the BIA Request Form
- Providing a list of potential BIA interviewers (for instance, subject matter experts, IT support contracts, and contributors)
The CEO
The company owner is usually the main client, and he or she may represent the interests of service consumers or IT programs. During the BIA process, the owner of the company will be responsible for the following:
- Providing a high-level assessment of the department, important business activities, IT services, and the ramifications of downtime.
- Ensuring that departmental downtime operations and IT crisis response capabilities are in alignment.
TAM (Technical Application Manager)
He or she will be responsible for all aspects of the program, including system upgrades, patching, diagnostics, maintenance, and emergency preparedness solutions. During the BIA process, the TAM is in charge of the following tasks:
- Providing full technical details about a product or service (such as the infrastructure location, backup information, and the number of users).
Subject Matter Contributors and Experts
They will be in charge of providing:
- Any further impact data from the TAM’s or the company owner’s perspective.
ITSCM (IT Service Continuity Manager)
The ITSCM manager is in charge of the IT service continuity plan. During the BIA process, the ITSCM manager will be responsible for the following duties:
- Conducting a BIA interview, drafting a BIA report summary, and updating the IT support systems with BIA data.
BIA Methodologies
Questionnaires
The BCP coordinator will be required to develop questionnaires to acquire information from subject matter experts (SMEs). Although developing an effective questionnaire takes time, the responses will be focused, consistent, and brief. To increase participation, administrators should urge SMEs to fill in questionnaires on their functional departments, methods, and functions at a place and time that is convenient for them (Krahulec and Jurenka, 2015).
The coordinator will also have to ensure that the questionnaire is properly designed. The questionnaire must be straightforward, clear, concise, and simple to comprehend. Even better, an online questionnaire is recommended to facilitate data saving in the database. When the questionnaires are finished, the coordinator and his or her team should review them to confirm that they are correct. The BCP coordinator may build up a system in which some questionnaires are supported with an interview for the most critical company functions, or if the questionnaire data indicates that there is doubt, dispute, or insufficient data (Krahulec and Jurenka, 2015).
Workshops
This method requires the BCP coordinator to employ group dynamic procedures that allow a group of people to coordinate and provide the required BIA data. Due to group dynamics, this method creates a tremendous volume of data in a short timeframe. It also helps activity owners obtain a deep understanding of the BIA method and clear up any ambiguities (Krahulec and Jurenka, 2015).
This method will involve the use of questionnaires as well to get all the information needed. The organizer should decide on the appropriate level of participation for each participant and achieve a consensus on who will take part. He or she will also be responsible for selecting an appropriate time and venue for the workshop, as well as ensuring that all necessary utilities are available. It is also the supervisor’s obligation to establish a clear meeting agenda and disseminate it to meeting attendees in advance. The workshop facilitator will be appointed by the coordinator, who will also delegate the duties to be performed in the process. The workshop completion standards will be determined by the coordinator so that the facilitator and attendees are both aware of what is expected, the required outcomes, and how the meeting will conclude.
Before the workshop begins, the objectives must be stated clearly and the facilitator should ensure that they are met. To keep attendees on course and focused on the key aims, the facilitators will establish or execute a system for dealing with problems throughout the session. Furthermore, the facilitator must decide how to handle any problems that are not addressed during the session. The outcomes should be noted down and thoroughly recorded after the session, and attendees should be given the opportunity to review them for errors and omissions before they are completed (Krahulec and Jurenka, 2015).
Impacts of Disruption
Below are the potential impacts of disruption on YG Tech company:
- Customers and Suppliers – Customers and suppliers may be lost as a result of the company’s challenges or a business disruption or disaster.
- Financial – Income could be lost, costs could grow, and the organization could suffer legal and financial fines.
- Employees – Workers may be lost as a result of accident, stress, death, or a desire to quit the company following a major business interruption or natural disaster.
- Public Relations and Credibility – Business interruptions caused by IT system failures, such as data loss or theft, can pose serious public relations issues. To help maintain a company’s reputation after such failures, a well-thought-out public relations plan is required.
- Regulatory and legal requirements – Regulations controlling worker data privacy and security, as well as health and safety standards and other legal constraints, must all be assessed. The company may be unable to meet basic regulatory standards if certain business disruptions occur. It must fully know these regulations, as well as their needs regarding natural and artificial business interruptions.
Insurance Requirements
Having insurance will ensure that YG’s recovery is fully or partially financed. To determine which threats to cover and the level of coverage, the company will utilize the data obtained by the BIA. To ensure coverage for all eventualities, the coordinators may minimize the possibility of overlooking a scenario. Some components of a business could be underinsured or overinsured.
The company policy’s coverage level should be documented and examined for uninsured areas and non-specified coverage levels. An extension in the policy should be considered for eventualities that property insurance may not cover. Consulting an adjustor, understanding, and clear communication are important when submitting a claim. When reporting losses, the adjustor should be made aware of the estimated complete recovery time.
After all the relevant information has been gathered and assembled, a ranking of the critical business products and services is provided. The rating is based on the potential income loss, the time it takes to recover, and the severity of the disruption impact. Because service delivery is reliant on important products and services, external and internal dependencies should be defined.
Internal dependencies include company assets (for example, computer applications, tools, data, facilities, equipment, and vehicles), support services (such as human resources, finance, information technology, and security support), and employee availability. External dependencies include any external support services (for instance, utilities, transportation, facility management, insurance providers, government services, health and safety services, legal services, and finance institutions), external corporate assets (for example, vehicles, equipment, and facilities), and suppliers.
Plans
Threats and Risks Mitigation
Tools that can be used to identify risks and threats are a full risk-and-threat assessment and a BIA. Risk mitigation is a continuous process and should be conducted even before activating the BCP. YG company, for instance, relies on electricity for its operations. Recognizing this, the company has installed an automatic generator that will help in mitigating the short-term risk of a power outage. The company also relies on external and internal telecommunications to operate effectively. To minimize the effects of communication failures, YG company considers using redundant systems or substitute communication networks.
Continuity Plan
Storing and backing up data necessitates a coordinated and multifaceted effort, with consideration given to access, security, and regulations such as HITECH and HIPAA. YG company considers using solutions such as cloud platforms, off-site data storage, on-premises backup servers, and remote data centers to safeguard data during a crisis. The company will utilize virtualization, which enables rapid redeployment and data redundancy. A virtual machine will restore more quickly from backup than any hardware system. To avoid the compromise of local data centers, the company has set up two storage systems in different locations (Nollau, 2009).
In addition to using it for data storage, the company will utilize cloud storage to offset ransomware attacks. Cloud storage provides built-in redundancies, and some of it can be assigned constraints such as self-deletion and time limits should there be any data compromise. In the event of a natural crisis, conventional internet and mobile networks may not function. As a result, the company recommends using satellite communications to keep employees communicating and connected. In case of small outages or local network failures, the company can invest in virtual email servers to avoid leaving workers in the dark (Nollau, 2009).
Response Preparation
To properly respond to an emergency, YG company has teams to support and lead response and recovery operations. The team members are selected from experienced and trained personnel who have full knowledge of their roles and responsibilities. They include (Kirvan, 2016):
Control and Command Teams
They include a response, recovery, or continuation management team and crisis management team.
Task-Oriented Teams
They include procurement and contracting team, accounting and finance team, insurance team, telecommunications team, midrange/mainframe team, an alternate site coordination team, mechanical equipment team, notification team, hazardous material team, salvage and damage assessment team, transport team, media and public relation team, critical records management team, and local network team (Watters, 2014).
The BCP coordinator will define each team’s responsibilities and obligations, as well as select team members and chains of command, designate specific group tasks, identify possible alternate members, and develop a contact list. Multitasking teams and providing cross-team training will ensure that the teams function regardless of personnel loss or availability.
The company should avail alternate facilities to offset any loss of applications, network, IT assets, or the main facility. The company may opt to consider any of these three alternate facilities (Swanson, Hash, Pope, Wohl, Grance, and Thomas, 2002):
Cold Site
The location has basic infrastructure and environmental controls available, for instance, HVAC and electrical. However, no telecommunications or equipment are established. A cold site has sufficient room to accommodate the equipment needed to sustain the system’s critical functions. The company may consider utilizing unused office space or unused data center areas as a cold site. This alternate facility is inexpensive because the principal costs are merely the rent and upkeep of the requisite square footage for the recovery. The main disadvantage of this alternative facility is that it requires the most time to recover. This is attributable to the fact that all system equipment, as well as backup data and software, must be purchased, set up, and verified before the system begins to run.
Warm Site
Both cold sites and warm sites have similar basic infrastructure. A warm site, by contrast, is supplied with enough telecommunications equipment and computers to run the system. The equipment, however, is not pre-loaded with the data or software needed to run the system. In a warm site, a backup media driver that is compatible with the system’s backup strategy is a must-have.
As a warm site, the company could use a development or testing facility that is geographically distinct from the production system. Although the facility may have the requisite infrastructure to run the system, doing so would require reverting to the existing software level of production, establishing contacts with users, and importing information from media backup. Because the equipment is purchased and maintained there, a warm location is more costly than a cold site. Recovery to a warm site can take many hours or days, based on the quantity of data to be restored and the complexity of the system.
Hot Site
After the principal system facility is lost, a hot site is fully prepared and capable of immediately taking over system operations. It has enough storage for the system’s data, as well as the most recent production software version and necessary technology. It is mandatory for a hot site to have the most recent backup data loaded. A hot site’s data and databases are updated at the same time as or shortly after the principal data and databases are updated.
It is also critical to devise a method for quickly moving system users’ connectivity from the principal site. The corporation may explore using two similar systems in production at different sites, serving various geographic areas, or load balancing. Each site should be designed to manage the full burden, and data must be synchronized between systems regularly. This is the most expensive choice, as it necessitates a fully operating system and all telecommunications capacity, as well as the ability to sustain or rapidly update operational databases and data. In addition, the hot site should offer operational support that is virtually as good as the output.
The BCP coordinator should consider risks and threats, maximum allowable downtime, and cost when choosing an alternate facility. The company can also utilize hardened alternate sites for security reasons. These kinds of sites comprise security features that mitigate the impact of disruptions. The hardened sites may have high-level physical security, backup generation capacity, protection from intrusion or electronic surveillance, and alternate power supplies.
Readiness Procedures
Training
For readiness purposes, YG company intends to utilize training events. Training will be important as it will ensure that all the employees know what to do in case of any disruption in the company. It will familiarize everyone with protective actions for safety, such as shelter, lockdown, and evacuation. Employees will familiarize themselves with information security, workplace security, safety, and other loss prevention initiatives through training. The crisis management team and emergency responders will be trained to ensure that they understand their roles and duties as laid out by the BCP coordinator.
Task-oriented team leaders will undergo high-level training that includes an incident command system to capacitate them to lead others in the event of an emergency. The emergency response team will also be trained on how to use AEDs, and administer CPR or first aid. Employees on the other hand will be trained on how to use fire hoses, portable fire extinguishers, or other equipment used for firefighting (Krell, 2006).
Switching to substitute power, checking uninterruptible power backup devices, retrieving replicated data saved in the cloud, and testing alternate internet services are only a few of the drill procedures. Examples of routine exercises for IT departments include testing the restoration of virtual server backups, testing battery power by powering systems with battery power and determining how long it takes, and testing the fallback of any data or systems replicated to cloud storage.
For successful training sessions, the BCP coordinator will ensure that all members attend. In addition, a regular review of applicable regulations will be performed to determine training requirements. Moreover, documenting and record-keeping of the training scope, instructor, participants, and duration will be maintained all the time (Krell, 2006).
Testing
YG company will conduct testing to evaluate whether the BC recovery strategies are effective. The testing will verify that the equipment and systems perform as expected. The testing will involve assessing critical protective systems such as software or individual hardware components that drive the company’s operations. A full system test will be conducted to evaluate whether the system complies with specified requirements (Krell, 2006).
Tests of recovery procedures and IT systems will be undertaken in a setting that is representative of the typical workplace. Because tests can be disruptive, they will be run on systems that simulate real-world situations. Warning, staff notification, alarm, smoke detectors, fire suppression, backup power supply, life safety, and pollution control will all be included in the inspection, testing, and maintenance of building protection systems. The testing schedule will be developed as per all applicable standards, guidelines, and procedures to achieve performance goals (Krell, 2006).
Exercises
Exercises will be used by the company to establish and maintain high levels of preparedness and proficiency. When planning an exercise, the BCP coordinator should incorporate the following (Swanson, Hash, Pope, Wohl, Grance, and Thomas, 2002):
- Goal – this will make it clear which part of the BCP will be examined.
- Objectives – these are the desired results. Specific, attainable, quantifiable, difficult, and timely objectives should be set.
- Scope – this will identify the geographical area, the test presentation and conditions, and the departments involved.
- Artificial assumptions and aspects – this will define which exercise aspects are assumed or artificial, for example, equipment availability, procedures to be followed, and background information.
- Exercise narrative – this will provide attendees with the required basic information, establish the environment, and prepare them for action. Other important factors to be included are location, sequence of events and discovery method, whether events are still in progress or complete, any external conditions, initial damage reports, and time.
- Communications for participants – giving participants access to an emergency contact person will ensure enhanced realism in the exercise. Notifications will be sent to participants during an exercise to change or establish new situations.
- Post-exercise assessment – the activity will be observed objectively to see if the objectives were met. The participants’ performance will be assessed in terms of assertiveness, collaboration, management, communication, leadership, and attitude. There will be a brief but thorough debriefing that outlines what did and did not work, with a focus on accomplishments and areas for growth. The exercise evaluation will also incorporate participant feedback.
Quality Assurance Techniques
After carrying out the readiness procedures, the company will conduct a BCP review. The review’s goal is to determine the plan’s relevancy, correctness, and efficacy. It will also reveal which parts of the strategy need to be improved. The company will make use of continuous BCP appraisals to ensure that the plan’s effectiveness is maintained. An external audit or an internal review will be employed to perform the appraisal.
External Audit
The auditors will verify the methodologies used to establish important operations and practices, as well as the comprehensiveness, correctness, and methodology of the continuity plans, when auditing the BCP.
Internal Review
The company provides that the BCP review will be performed when substantive changes to the organization happen, when changes to the threat environment occur, on a bi-annual or annual basis, and after an exercise to incorporate findings.
References
Business continuity and Crisis Management. Business impact analysis. (n.d.). Retrieved December 17, 2021, from https://www.nibusinessinfo.co.uk/content/business-impact-analysis
IT Service Management Office. Business Impact Analysis (BIA) | IT Service Management Office. (n.d.). Retrieved December 17, 2021, from https://itsm.ucsf.edu/business-impact-analysis-bia-0
Kirvan, P. (2016, August 18). Should business continuity and disaster recovery plans involve staff? SearchDisasterRecovery. Retrieved January 26, 2022, from https://searchdisasterrecovery.techtarget.com/answer/Should-business-continuity-and-disaster-recovery-plans-involve-staff
Krahulec, J., & Jurenka, M. (2015). Business impact analysis in the process of Business continuity management. Security and Defence Quarterly, 6(1), 29-36.
Krell, E. (2006). Business Continuity Management. NY: American Institute of Certified Public Accountants.
Nollau, B. (2009). Disaster recovery and business continuity. Journal of GXP Compliance, 13(3), 51.
Păunescu, C., Popescu, M. C., & Blid, L. (2018). Business impact analysis for business continuity: Evidence from Romanian enterprises on critical functions. Management & Marketing, 13(3), 1035-1050.
Savage, M. (2002). Business continuity planning. Work study.
Swanson, M., Wohl, A., Pope, L., Grance, T., Hash, J., & Thomas, R. (2002). Contingency planning guide for information technology systems: Recommendations of the National Institute of Standards and Technology. National Institute of Standards and Technology, Gaithersburg, MD.
Watters, J. (2014). Crisis Management Team Roles and Responsibilities. In Disaster Recovery, Crisis Response, and Business Continuity (pp. 247-252). Apress, Berkeley, CA.