The Devil's in the Implementation
The focus is on reducing the consequences of a disaster to an acceptable level and ensuring the continuity of critical functions.
Every organization is unique; so plans must be tailored accordingly, allowing for additions and modifications as circumstances change. The plan should rely on systems and procedures while minimizing dependence on individuals and outside entities. The latter may not be available, depending on the nature of a disaster.
The three primary areas of risk exposure are:
• Financial loss
• Legal responsibility
• Business service interruption
Senior management and the top security executive must take the lead in planning, demonstrating a true commitment to the cause, participating in study and planning groups, maintaining an awareness of plan components and ultimately accepting the business risk of any deficiencies in the plan. So such oversight is crucial.
Coordinator LeadsOrganizations need to name a business continuity coordinator to guide development of the plan and take responsibility for putting it together. This coordinator typically directs several teams within the organization, ideally organized by major functional areas. These teams assume responsibility for gathering data from line management and others and applying it to the plan structure outlined by the business continuity coordinator. Once compiled, these functional mini-plans can be integrated in the overall business continuity plan.
Simply put, the broad components of the plan do the following:
• Reduce the impact of a disaster
• Provide an effective response system
• Create plans for recovery and resumption of business activities
Build a structure that allows for restoration of losses and return to normal operations
Developing the structure of the business continuity plan is critical. It must cover a variety of information systems and infrastructure elements. Databases, software systems, hardware, communication systems, security systems, life safety systems, transportation networks and supply chains are among the key elements.
The execution strategy for the plan must include: escalation and notification procedures; emergency response and procedures; recovery at the backup site; recovery activities in parallel; and recovery at the original or alternate site.
These procedures and instructions must be easy to understand, practical and accompanied by clear instructions on when and how to use them.
It is recommended that the final plan exist in hard copy form and also be automated on computer systems.
These are not all the details required to develop a business continuity plan, but a framework of understanding. Security executives should consider consulting additional resources to fully understand the complexities and details of development and implementation.
The devil is indeed in the implementation of disaster planning and recovery. To minimize losses, meet personal and corporate responsibilities while reducing the depth and time or a business service interruption, response, recovery and resumption are critical issues that security executives must address. One essential element: the need to name a business continuity coordinator. This person brings everything together.