Business Continuity Planning

Conclusion: The massive shift to working from home since the start of the COVID-19 pandemic has led to upsides for employees: more flexibility, no commute and greater productivity. Many executives have been publicly extolling the virtues of remote working. However, a number of management, cultural and work design issues are now starting to emerge. Organisations need to review their current workplace design and practices and prepare for a hybrid home-office workplace post-pandemic.

Conclusion: Remember, constructive feedback is of benefit to both the employees submitting the form and the staff who provide the services to enable working from home arrangements. Continuous improvement is the nature of running IT operations and support services. This feedback can also assist with wider human resources policies as everyone comes to terms with supporting the present state and plans for future arrangements that may end up permanent or in a hybrid state.

Conclusion: Pandemic planning is a strategic approach to business continuity that anticipates and prepares for a widespread outbreak of an infectious disease.

Business continuity planning can have an over-emphasis on short-term technology platforms failing, but as part of business continuity planning consideration needs to be given to the potential risk of an outbreak of a disease that could spread and may not be resolved quickly. The time of risk may go over several months or longer. Some forecasts for the coronavirus speculate it could take 12 to 18 months to come up with a vaccine.

The impact and planning needs to consider both internal and external factors; that is, how the pandemic event may impact employees and the organisation’s ability to keep its business operating. External factors will include the impact of the pandemic event on external service providers, suppliers and customers.

Being prepared: IBRS has created a BCP checklist to help you create and/or update your business continuity plan.

This diagram is to be used in the following ways:

  • A checklist to ensure all BCP steps have been actioned and/or updated as required
  • An easy reminder to update key supporting documents to the BCP to remain current which include:
    • Enterprise risk frameworks
    • Business impact analysis documents
    • Evacuation and lockdown procedures
    • Recovery plans and testing of these plans
    • IT disaster recovery plans
    • Communication plans
    • Regular executive reporting

Conclusion: Australian organisations must have strong disaster recovery plans, be it for natural disasters or man-made disasters. The plans need to deal with the protection and recovery of facilities, IT systems and equipment. It is also critical that the plan deals with the human side of the impact of a disaster on the workforce. What planning needs to be done, what testing will be done, what will happen during a disaster and what needs to be done after a disaster?

This planning can be complex and confronting. Whilst testing the failover of IT systems can be relatively straightforward, testing the effectiveness of the workforce side of a plan will be difficult, and may even disturb employees who may prefer to think “surely it will never happen to us”.

Related Articles:

"ICT disaster recovery plan challenges" IBRS, 2019-08-03 20:43:12

"What are the important elements of a Disaster Recovery Plan?" IBRS, 2016-08-30 01:17:08

Conclusion: Two key supporting artefacts in the creation of pragmatic incident response plans are the incident response action flow chart and the severity assessment table. Take time to develop, verify and test these artefacts and they will be greatly appreciated in aiding an orderly and efficient invoking of the DRP/BCP and restoration activities.

Related Articles:

"ICT disaster recovery plan challenges" IBRS, 2019-08-03 20:43:12

"Pragmatic business continuity planning" IBRS, 2018-08-01 09:12:08

"Testing your business continuity plan" IBRS, 2019-05-31 13:39:29

"Top 10 considerations when running an incident response drill" IBRS, 2018-09-04 13:29:16

"What are the important elements of a Disaster Recovery Plan?" IBRS, 2016-08-30 01:17:08

Conclusion: Adherence to the recently introduced guidelines under ISO 31000:2018 is key to every ICT manager’s responsibilities and leadership remit. ICT managers are key in driving and leading the adoption of risk management guidelines across an organisation due to the overarching responsibilities of creating and protecting value. These new risk management guidelines have been deliberately rewritten to be simplified and based around a newly reviewed set of principles, framework and processes. Greater emphasis is now placed on leadership to ensure risk management is more integrated and to ensure more actions and controls are in place at critical stages of projects as well as business operations.

Related Articles:

"Risk management – Tips and techniques" IBRS, 2017-10-02 22:35:45

"Testing your business continuity plan" IBRS, 2019-05-31 13:39:29

Conclusion: The ICT Disaster Recovery Plan (DRP) is, more often than not, focused on technology providing for redundancy of infrastructure and systems, including data back-up and data recovery. Whilst these components are important and necessary, we often oversimplify the need for business resumption of the ICT business, which in turn will impact ICT availability. The need to ensure people are part of the planning is critical to success. Often the disaster, whether it be a technology issue, a business issue, such as a fire or denial of access to key sites, or an environmental issue such as a flood or storm, can equally affect the need for expanded operations centres and larger than normal help desk support functions.

Effective planning and testing of the plan, for all aspects of a probable disaster scenario and the ICT Business Resumption Plan (BRP) to support the business as a whole, is necessary. Effective testing of the DRP and BRP for ICT must be a high priority for any CIO to ensure service levels are maintained. Failure to do so will increase the risk of ICT to the business.

Any test of your DRP and ICT BRP should include business and customer involvement to provide your organisation confidence that all known risks have been successfully mitigated. The oversight of the testing of these plans must be planned and conducted by an independent body (preferably a consultancy that has knowledge in the organisation business world, or your ICT advisory service).

Conclusion: ICT disaster recovery plans (DRPs) have been in place for many years. Fortunately, invoking these plans is rare, but just like insurance plans, it is wise to ensure the fine print is valid, up to date and tested on a regular basis to minimise restoration of business services reliant on the complex range of IT enablers in place. Adoption of general Cloud services and the ever-changing ICT asset landscape requires careful alignment with the DRP to be ready when the restoration is required.

Conclusion: In times of business disruption, a pragmatic and accessible incident response plan (IRP) will become the main tool in getting the business back to normal operation and minimising loss of revenue, services and reputation. This holds true during the time of stress when attempting to get back to normal operations. To use the analogy of insurance: it is usually highly recommended or great to have and hopefully rarely required, but it is of little or no use if, when you need it, you find it is out of date and/or incomplete. The same principle applies when you need to activate the IRP to quickly get that critical business function operating to sufficient levels.

Related Articles:

"Pragmatic business continuity planning" IBRS, 2018-08-01 09:12:08

"Testing your business continuity plan" IBRS, 2019-05-31 13:39:29

"Top 10 considerations when running an incident response drill" IBRS, 2018-09-04 13:29:16

"What are the important elements of a Disaster Recovery Plan?" IBRS, 2016-08-30 01:17:08

Conclusion: Regular testing of the business continuity plan (BCP) has many benefits which go beyond ticking the mandatory compliance box to keep audit off the back of executives. Effective testing exercises ensure the BCP has been updated and includes sense-checking the completeness of resources required in the recovery strategies of critical business functions. Running regular BCP exercises also has the benefits of raising the importance of identifying weaknesses, aligning restoration time expectations and ensuring continuous improvement.

Related Articles:

"Pragmatic business continuity planning" IBRS, 2018-08-01 09:12:08

"Top 10 considerations when running an incident response drill" IBRS, 2018-09-04 13:29:16

"What are the important elements of a Disaster Recovery Plan?" IBRS, 2016-08-30 01:17:08

Conclusion: Conducting effective business impact analysis details the business functions and provides further insight into the relative importance of each function and its criticality. The information is then used as the main source to develop business recovery strategies, the priority of restoration and identification of resources to aid in the restoration of business services. However, there are many challenges in performing this critical step in order to be best prepared when those business disruptions do occur.

Related Articles:

"Business continuity planning challenges" IBRS, 2019-03-04 13:41:18

"Pragmatic business continuity planning" IBRS, 2018-08-01 09:12:08

"Top 10 considerations when running an incident response drill" IBRS, 2018-09-04 13:29:16

Conclusion: IT organisations responding to mergers & acquisitions or migrating to multi-sourced environments of Cloud and service contracts should establish service providers governance frameworks that favour federated organisations’ principles. It requires maintaining central consistency (e.g. policymaking) whilst allowing local autonomy in certain areas (e.g. hardware purchases). This will leverage the economy of scale, allow the acquisition of local services and products more efficiently, and permit the introduction of new geographies whenever needed in a consistent manner.

Conclusion: Organisations need to plan to quickly and successfully recover business operations by creating and updating business continuity plans (BCPs) supported by disaster recovery plans (DRPs). However, there are many challenges to overcome in order to keep these plans useful in readiness when business disruption eventuates.

Conclusion: Keeping business continuity plans (BCP) succinct, up to date and easy to read will reap rewards when they are required during a business disruption.

Related Articles:

"Astute Leadership needed in a crisis" IBRS, 2017-01-01 10:35:45

"Investing in Business Resilience Planning - the CIOs hardest sell" IBRS, 2012-08-31 00:00:00

"Running IT-as-a-Service Part 40: Aligning business continuity and IT disaster recovery plans" IBRS, 2018-03-31 06:56:00

Conclusion: Effective risk management, whether it is for a change initiative or for ongoing business operations, will ameliorate harm or at the very least reduce the impact of harm. Leaders must understand risk management, and plan and engage with risks and mitigate the risks as appropriate on an ongoing basis.

Conclusion: Organisations moving traditional enterprise applications into production on AWS will find backup and recovery functional but immature compared to their existing on-premises Enterprise Backup and Recovery (EBR) tools.

Storage administrators need to understand the native backup and recovery methods in AWS and determine how these can be used to meet the business’ recovery objectives. The optimal AWS solution may require adopting new tools and rethinking long-held assumptions.

Conclusion: Over the last five years the market of crisis management and emergency response systems has undergone a rapid evolution. Innovative solutions exploit the proliferation of smart mobile devices, the continuously growing number of available data feeds, the simplicity of the deployment models afforded by the Web, and powerful geographic information system functionality. Given the maturity of some of the available solutions, it makes sense for larger organisations in the public sector and for utility organisations to consider the deployment of a modern crisis management and incident response system.

Conclusion: Today organisations need to adapt swiftly to changes in their external environment. Brittleness and inflexibility are characteristic of complex systems that lack modularity and redundancy. Resilient systems offer an appropriate level of redundancy at all levels of abstraction: from replicated skill sets within organisational structures to physical redundancy of hardware. In other words, a simplistic focus on efficiency may introduce more risks than benefits.

Conclusion: As discussed in “Backup is not Archive!”, all IT organisations should evaluate the deployment of an archival platform to reduce storage costs and improve unstructured data management. Our 2008 survey found archiving in ANZ organisations to be immature and with many risks. A follow-up survey in 2011, and ongoing client discussion, shows this situation has improved as evidenced by higher implementation success rates and customer satisfaction scores.

We found the products most commonly used in production were Symantec Enterprise Vault and Commvault Simpana. These products were very well rated by the organisations that used them while EMC on the other hand continues to struggle.

Conclusion: Most branch office data is poorly protected by the organisation’s existing backup strategy. Recent improvements in network connectivity, and the commoditisation of advanced deduplication techniques, fundamentally change the landscape and make highly automated, reliable and cost-effective branch office backup affordable to most organisations.

Organisations with extensive branch office data that is not adequately protected should re-evaluate their branch office backup strategy.

Conclusion: Today business knowhow is mainly stored in two places: in human brains and in software systems. Both forms of storage share the problem that raw knowhow is not easily transferable from one context to another. Valuable knowledge is repeatedly lost through staff turnover and through technology replacements. Minimising knowledge loss requires determination and an understanding of the mechanisms that lead to unnecessarily strong coupling between business knowhow and implementation technology.

Conclusion: From adversity springs creativity. History shows straitened economic times can serve as a greenhouse, rapidly germinating seeds of ideas that may otherwise have taken longer to establish themselves. Six clear trends have emerged from the Global Financial Crisis (GFC) providing business advantage to early adopters. The common thread is their potential to deliver organisational efficiencies, savings, or both. IBRS believe these trends are likely to deserve a place in the IT firmament for a considerable time. CIOs should defensively review these trends; the outcome may be selective adoption or deferral, but their potency cannot be ignored.

Conclusion: Organisations with existing Business Continuity Plans (BCPs) may find them to be a poor fit when dealing with the unique circumstances surrounding a pandemic. The chief characteristic is massively depleted numbers of available workers, with as many as 25-40% of staff absent throughout the entire government and business eco-system. Those without effective plans face the prospect of severe disablement that may take many months of recovery. For them, urgent action is required to draft pandemic-specific BCPs or to modify, then test, existing BCPs.

Conclusion: Consistent with its belief that the global financial crisis has heralded a new era in IT, IBRS has identified a series of management maxims to serve as a source of reference for IT executives navigating economic uncertainty.

Conclusion: IBRS believes the global financial crisis has heralded a new era in IT. Cost sensitivity will remain a key theme; cautious behaviour will predominate and the margin for error allowed by senior management in key areas such as IT project and service delivery will drop to unprecedented lows. To assist the CIO and others responsible for managing IT, IBRS has identified a series of maxims to serve as a source of reference to IT executives navigating through economic uncertainty.

Conclusion: In recessionary economies, as in war, values and behaviours change in response to the times. Formerly valued business success factors may no longer apply; management thinking once considered outmoded may now have new relevance. At an organisational level, focus is likely to be on the lower strata of Maslow’s hierarchy of needs. Indeed, C-level executives will be appraised on their ability to contribute to meeting these needs.

Conclusion: Economic downturns alter organisational dynamics and can herald changes in the executive power hierarchy. IT can be particularly vulnerable if seen as a cost centre and order taker. As economic forecasts darken, a common scenario is for the balance of power to swing to the CFO. Then, an economic austerity agenda is usually pursued, characterised by a program of across-the-board cost cuts that have Chief Executive imprimatur.

The financial press has begun using the term GFC as a short form for the Global Financial Crisis. Whilst outside the scope of this paper to speculate on the length and socio-economic effects of the GFC, there is no doubt that its impact will be experienced widely across business sectors and indeed within government. As consumer confidence recedes, corporate earnings shrink and revenue forecasts are revised downward, nothing is more certain than IT budgets being trimmed in 2009.

Conclusion: The International Standards Organisation has just released a new International Standard that focuses on Disaster Planning for IT. This new standard reflects the changed/outsourced IT world. It provides guidelines for information technology disaster recovery services as part of business continuity management that apply to both “in-house” and “outsourced” ICT environments. This new approach for Disaster Recovery (DR) Standards should stimulate organisations to re-examine their IT DR plans to ensure that they meet current best practice and that the processes they are using to maintain their DR planning are satisfactory.

Conclusion: Dramatically increasing energy costs mean that organisations must explore and implement approaches that ensure they reduce or contain the energy demands of their data centres. While ostensibly long-term and green driven, the short-term real drivers will be economic.

Conclusions: When an organisation needs to trigger its Business Continuity Plan (BCP), and it does not exist, or is untested, or is non-viable, or it fails when activated, the results are likely to be catastrophic. It is probable that its operations will not recover smoothly, if at all, and the business will be severely impacted, possibly unable to continue operations.

Conclusions: While there is now an increasing emphasis on Business Continuity Management (BCM), many organisations still focus on disaster recovery planning. Unwisely they restrict their focus to restoring IT infrastructure, giving only a “cursory nod” towards a more holistic business orientation that focuses on all critical business operations. Some create an artificial air of confidence by developing their business continuity plans and then not proving them. Others have little appreciation of the quality of their Business Continuity Plans (BCP) and whether or not they meet good practice. In all these cases there can be no assurance that the BCPs will be of any practical use if and when they are needed. The outcome will be, at least, serious and could be catastrophic.

Conclusion: Large companies can expect a significant business crisis once every four to five years and, if the disruption is significant, the organisation will be seriously affected or may never recover sufficiently to resume business.

The focus on what were once considered separate activities, business continuity, and disaster recovery, has changed and both are now considered an integral part of corporate governance. This integrated approach is now called Business Continuity Management (BCM) and should be the lynch pin in any organisation’s risk management.

In most businesses, regardless of size or industry, formal business continuity and/or disaster recovery planning is consistently under-funded and generally neglected by management. The business risks associated with this attitude can be very high but are not understood. Those plans that are in place simply don’t work. This is not surprising since disaster recovery hasn’t been given sufficient consideration, ensuring that plans are rarely tested (if ever) and equally rarely updated to reflect changes in process, technology or applications. In an emergency, there are many continuity requirements within an organisation’s business and services covering processes, facilities, and personnel. IT and a range of business units across the whole organisation must work together, both in planning for continuity and in its execution.

Conclusion: Short-term targets have affected planning but many companies will want to ensure that a qualified planning procedure will remove any shocks. This process can be isolated into various scenarios depending on market conditions. Scenarios minimise risk while maintaining the firm’s potential for reward relative to competitors.

The status of a market is affected by the number of competitors. This is a major variable which could change rapidly, so it is significant to create a scenario for such a possibility and plot the effects and outcomes on the firm.