Hi all, I am working in a manufacturing company, and my task now is to set up and maintain a Business Continuity Plan. This sounds to me that this is mostly related to
How to start a Business Continuity Plan (BCP)?
Answers
Besides doing research (there is a tremendous amount of info on the web), a BCP has many facets. To only look at one facet (in this case risk
A BCP has (this is a short list):
Business Continuity
GAP Analysis
Business Impact Study
Disaster Recovery
Security (Physical/Cyber/Information)
Document Management
Policy & Management
Strategic Services
Response, Planning & Support
Exercising & Auditing
Thank you, Mr Wayne. Too much information may make it difficult for us to focus on important and concise points. Do you have any suggestion on which source of document, or which official document, can be relied on for reference?
Yes, per Regis's comment, hire a BCP consultant to point you in the right direction and facilitate the process.
Remember, and this is crucial; a Plan that is never Tested, Modified, Re-Tested and Practiced is a Plan that will not work!
I find that if a business has never completed a Business Continuity Plan, and they search on the details of completing a plan via the web, they instantly become overwhelmed and do nothing, i.e. paralysis. Please look at a blog I posted on this subject - Should a business invest the time and resources in developing a Business Continuity Plan? (cfotips.com/?p=177) There are quick no cost activities that you should address first, then grow from there. Wayne's description is 100% accurate, but you will need to evolve to that point. As soon as you start, it will naturally gravitate that way.
Good luck. It is not easy.
Generally, business continuity is about taking steps to keep the business running in its core functions in spite of disruptions in the external environment, internal "hiccups", or technological outages. Identify the key functions - manufacturing and getting product to the market would likely be essential to your organization - and then think through what could go wrong to disrupt that business. Some of the disruptions could happen and have a large impact on the business, others would be 'non-events' - because they aren't likely to occur, or happen so often that workarounds are in place and the impact is minimized. This is the Business Impact Analysis (BIA) part of a plan's development. The things that are likely to happen and have a big impact need to be evaluated for ways to reduce the impact. That becomes the main focus of the Business Continuity Plan (BCP).
A good BCP will require input from people throughout the organization. If management supports BCP you have an excellent chance at getting a project group in place to create the BCP. The BCP should address the activities needed for each department to recover its own functionality. In reality the BCP is really lots of BCPs and may be general, or very specific for a given threat - again based on the BIA. The overall order of events that need to occur is part of a Crisis Management Plan or an Incident Response Plan - this should identify who is responsible for getting the BCPs into effect during the chaos of crisis. As you can see, Business Continuity is really a multi-faceted task.
Here is some info I have found helpful in the Disaster Recovery/Business Continuity (DRP/BCP) world:
The current ISO standard is ISO 22301 from BSI (British Standards Institution). Here is a brief overview: http://www.continuityforum.org/content/news/168024/business-continuity-bs-25999-iso-22301-and-iso-22313
You absolutely want to look at the NFPA 1600: Standard on Disaster/Emergency Management and Business Continuity Programs document (http://www.nfpa.org/assets/files//PDF/NFPA16002010.pdf) for one of the better standards to guide your BCP efforts. If there is a single standard for BCP/DRP that I would adopt, it would be the NFPA, especially since it applies to the US (and doesn’t cost any $ to get hold of it).
One of my favorite information sites is DRJ (Disaster Recovery Journal) – They have
The BCI (Business Continuity Institute) at http://www.thebci.org has a “Good Practice Guide” that covers the general areas that a good BC plan should cover. It is available on the members section.
I used this template to help me organize a BCP effort at a prior company: http://www.drp.msu.edu/Planning.htm (see the step-by-step guide linked off this home page). This should provide some general guidance on “what should be in a DR/BCP plan?”
For clarity's sake, a fully developed BCP has as a component (and not the overriding component) Data Recovery.
As Gary stated, it is multi-faceted and needs to address those hazards most likely to impact the Business. If the business is multi-located, all hazards must be addressed.
Continuity of
All very good comments. I would agree that the issue of BCP and Disaster Recovery can be intimidating at best. If you look at the resources already cited, or pick up any textbook on the subject you may easily be overwhelmed, and as one contributor indicated, become paralyzed - so nothing gets done.
Stephen Covey in his Seven Habits book said: Begin with the end in mind. This could be the best advice for developing your corporate DR/BCP plan. What are the key issues that are keeping management awake at night? It could be issues around data recovery - so that may be your focal point to begin with. If you could develop your plan centered on the top 3 issues that concern your management team the most, you may be able to get through a rudimentary plan in relatively short order. Now, this obviously doesn't cover all the bases or risks your company is exposed to - but it may be a good first step.
In addition, I would recommend engaging your insurance broker in your process. Depending on their resource base, they may be able to help you work through the process and give you templates, ideas, and plans they've developed with other clients. If they are unable to assist you, ask them to reach out to your insurer's loss control department, as they may have some helpful resources.
One last point - no discussion on DR/BCP is complete without a deep dive on your business income (commonly called business interruption) insurance. Many of the catastrophic risks your company faces are likely insurable risks; coordinating the right limits of business income coverage into your plan will help fund the costs of recovery.
Good luck!
I have touched base with some of my BCP experts and none have ever seen Insurance companies become involved in a substantive way (outside business interruption insurance, which, having first-hand experience, is a nightmare to collect on). To clarify, the amount of paperwork, spreadsheets, etc. I had to provide to justify lost business took days to compile and complete. It didn't take into account the direction of our business (upward or downward).
Having talked with my Insurance Consultant, he states categorically that the Insurance Company doesn't take into account whether you do or don't have a BCP (for non-regulated businesses).
A Business or other entity that makes a BCP is essentially "self-insuring"; in that no insurer or government can, or will take the steps necessary to make sure your business survives; but will want to know why it didn't. A catch-22, to say the least.