"Financial newspaper", 2009, N 31
Consider the basic terms related to business continuity. The key concept is a business continuity plan that describes how and what employees should do after the first emergency measures to save property and evacuate staff, as well as the work of several key departments that support the company's most needed products or services with a minimum number of core employees. It is clear that there should be different work plans in different situations. for example, when the floor is flooded, you need to have a plan for placing employees in another part of the building, when there is general quarantine and inability to work among crowds, you need to activate work plans remotely from home. In some cases, it makes sense to transfer the provision of services from another backup center, in some cases it is more reasonable to gradually restore the IT infrastructure in your own building. The activation plan for the relevant business continuity plans (or blocks of a single plan), as well as a brief description of the strategic options for emergency response are called business continuity strategies.
Emergency response plans (incident management plans) should also be defined, i.e. evacuation of personnel, rescue of property, call of external reinforcements to eliminate the consequences of the incident, self-containment or liquidation of the incident. An incident means any event that entails an interruption of the company’s activities and a decrease in the level of its services or products. Depending on the size of the incident, it can be classified as a minor incident, accident or disaster.
Keeping up-to-date business continuity and incident management plans together with a continuity strategy is a fairly complex process called the business continuity management process. It includes regular testing of plans, including testing interactions with third parties in case of emergency, training new employees, tightly monitoring changes to related documentation, continuous process improvement based on regular internal audit, involving senior management, etc. The standard describes in detail what a company must have in order to immediately implement plans in the event of a threat.
Let's talk about the practical aspects of building a business continuity management system.
Project initiation. It is important to remember that such a project should be initiated by senior management. The project to build a continuity management system, which began within the department (often IT or IS), often leads to the following results:
complete failure of the project (this usually happens in the case of an internal project),
substitution of concepts and creation of IT service continuity plans instead of business continuity plans. In this case, even the most disastrous IT systems do not save the company from downtime in the event of mass unrest and blocking access to the office, mass poisoning of employees, pandemics, etc.,
identification of incorrectly assessed criteria for business recovery (usually this happens in the case of an external project). In this case, the company becomes completely unprotected from real losses, which no one properly assessed in the event of a threat.
Step One - Analysis of the impact on the business. First of all, it should be understood that not all functions of a company must function continuously so that it can still provide its key services and products. Most functions can be discarded. Of course, this will mean certain losses, but not as significant as the loss of key functions. At this stage, the following questions must be answered:
what functions should be renewed and in what time frame,
which of the functions will be considered critical, i.e. make up the core of the business
what is the minimum number of employees and equipment needed to operate these functions in emergency mode.
The first thing that makes sense to start with is to determine the criteria for losses. Top management must decide:
in what units will losses be measured (irreparable financial losses, the number of customers irretrievably lost, the number of partners who have broken cooperation agreements, etc.),
what is the maximum allowable level of these losses.
Then you can divide the allowable losses into several intervals, for example, losses from 200 thousand to 400 thousand dollars, from 400 thousand to 800 thousand, from 800 thousand to one and a half million. These intervals will form the basis for further assessment of cumulative losses.
At the next step, it is important to find a qualified interviewer who will hold a series of meetings with the heads of company departments and ask them about the activities of business functions and the expected losses of the entire company (within the established scale) from downtime of certain functions for an hour, half a day, or a day , for three days, for a week, etc. Of course, these will be subjective assessments, but this is the best that can be obtained from experts. When the company has estimates of cumulative losses, it will need to arrange a general meeting between the heads of departments for final approval. Usually the last word rests with the CFO, often he is the moderator of the meeting.
So, when the company is ready to schedule rising losses due to downtime of business functions and at the same time knows threshold values that it has no right to exceed, it has a clear understanding of the maximum permissible deadlines for downtime of business functions. Within this maximum time period, the company can set a target indicator for the renewal of the function, for example, 70% of the allowable downtime, and 30% lay on unforeseen risks during the restoration work. The target time to resume business functions is often called RTO (Recovery Time Objective). During the interview, it is also necessary to find out what is the minimum staff for working in an emergency, as well as the estimated time to restore the function in the event of its complete destruction (fire, building collapse, etc.). Finally, we can distinguish those business functions that must be renewed within 24 hours into the general category of “critical business functions”. This is the core of the company's business, which must be protected.
Step Two - Risk Analysis. Now that you know which business functions should be protected, you must consider the potential threats that you should protect them from. Usually it is enough to highlight external and internal threats. External threats (riots in your area, floods with partial flooding of the building, frequent fires in the area, building subsidence caused by repairs, etc.) can be assessed by contacting the nearest Emergencies Ministry press center and finding out the statistics of incidents in the area. Internal threats are determined based on the specifics of the company’s business and the building’s internal infrastructure. It is more reasonable to prevent many threats than to plan the work of a business if they occur.
Next, we need to consider the degree of damage to various groups of assets in the event of the realization of certain threats. The degree of realism, multiplied by the degree of damage to assets, determines the magnitude of the corresponding risk. Having compiled a list of risks, you should select from them those that you need to manage yourself: choose the top 5 or top 10 risks and continue your planning for them.
Step Three - Create a Strategy Now that the possible threats and the departments that can be hit are known, with knowledge of the time frames for which these departments should be restored, and with the minimum number of employees that are supported during the full restoration of the business to its previous state, strategic strategies can be considered. options for company behavior in different emergency situations. Where to create team posts and how to mobilize an emergency response team? Should I build my own backup center for IT or buy the service "backup center" from an external provider? Which IT systems will be "synchronized" and restored in a matter of minutes, which will be restored gradually with the delivery of equipment from the warehouse? Where will additional equipment be stored in case the main one crashes? How will it be delivered if the main routes are blocked? The company's management answers these questions based on an understanding of possible threats, the cost of the solution and the cost of downtime.
Certain options are the name of the blocks of the future plan. In the event of a threat, these blocks can be activated. Who, how and in what sequence evaluates which blocks to activate, and who authorizes the activation of certain sections of the plan, should be contained in a small visual emergency communications diagram, which is often called the "incident response structure". A strategy itself is a structure for responding to an incident, a list of parts of a future plan and a short description of what is meant by one or another part of the plan. for example, the company may have a defined “work at home” plan, which is activated in case of quarantine, riots or severe frosts, or a plan to “move to a backup center” or “emergency redistribution to branches”, which is activated as appropriate. Accordingly, the list of these plans (or parts of a single plan) is crowned with a response structure.
Fourth step - creating plans. Once a strategy has been created, emergency response plans, business continuity plans, and business recovery plans should be prepared.
Emergency response plans describe how crisis teams are mobilized, how team posts are activated, how the incident is evacuated and initially contained, how reinforcements are called up, how employees are tracked, how their relatives are contacted, and how emergency press releases are issued for the press. These plans also include schemes for introducing and lifting a company’s state of emergency.
Business continuity plans describe how work proceeds according to the plan areas outlined in the strategy (usually it begins during or immediately after the evacuation of personnel and the rescue of key property). This includes a description of activation of emergency contracts with service providers, a scheme for transporting personnel and equipment to backup centers. These plans are aimed at maintaining critical business functions during the full recovery of the entire business.
Business recovery plans reflect the sequence of restoration work - restoration of former sites and former IT infrastructure, purchase of new equipment, systematic relocation of departments to former premises, report on the final restoration of certain business functions.
Step Five - Preparation for testing and testing. It is important to understand that a plan is only good when it is operational. To do this, regularly test plans. It’s rare when a company is ready to fully simulate a fire, or an explosion, or a terrorist attack. More often they are limited to testing individual functional units, moreover, they carry out testing “on the table” without interrupting the main activity. In other words, lists of emergency phones, phones of the closest relatives of employees, access to buildings, warning systems, the relevance of route maps, contracts with suppliers, etc. are checked. Selected employees imitate their actions, do not leave the borders of the building.
Step six - maintaining the system. After the first tests, regular reviews of risks and impact analysis are planned, since neither the outside world, nor companies are in place, external and internal audits are regularly conducted and areas for improvement are identified, employee trainings and periodic senior management involvement are conducted. At this stage, it is important that all changes to the documentation take place under the strict control of the change management process.