Business continuity is an organization’s ability to continue to perform business operations during a time of an emergency, disaster, or unplanned incident.
Organizations are exposed to numerous risks including fires, floods, weather-related events, network outages, and cyber attacks that threaten to that take critical systems offline. Managing these risks by developing a business continuity plan (BCP) is key for an organization to restore normal operations in a predefined amount of time and communicate regular progress to stakeholders until the incident is resolved.
Business executives should ensure that any new systems being procured include business continuity requirements in order to recover quickly and minimize losses. Therefore, your vendor should deliver a business continuity plan with their system. Furthermore, they should work with your organization to align their system’s BCP with the overarching organization BCP.
Click Procurement Examples for system shall statements.
Benefits of a Business Continuity Plan
An effective BCP will generate the following benefits:
- Minimize the effect of an unplanned incident on an organization
- Reduce the risk of service disruption and financial loss
- Give staff, clients and other stakeholders confidence in the organization’s preparedness
- Potentially save lives
- Enable the recovery of critical business operations and systems within a predefined timeframe
- Comply with legal and statutory regulations
Develop a Business Continuity Plan
The BCP is generally developed in advance with input from knowledgeable stakeholders. Organizations need to consider potential threats, assess organizational vulnerabilities, and devise appropriate responses to ensure continued operations should the threat become a reality.
There are some standards worth considering that will save you time and allow your organization design a BCP using best practices:
- ISO 22301:2012 – specifies requirements to plan, establish, implement, operate, monitor, review, maintain and continually improve a documented management system to protect against, reduce the likelihood of occurrence, prepare for, respond to, and recover from disruptive incidents when they arise.
- National Institute of Standards and Technology (NIST) Special Publication (SP) 800-34 – provides instructions, recommendations, and considerations for federal information system contingency planning. Contingency planning refers to interim measures to recover information system services after a disruption. Interim measures may include relocation of information systems and operations to an alternate site, recovery of information system functions using alternate equipment, or performance of information system functions using manual methods.
Creating a business continuity plan typically involves the following steps:
- Conduct a business impact analysis — A business impact analysis defines critical processes and data and the amount of acceptable downtime.
- Identify and prioritize the most critical business functions necessary for survival
- Identify the necessary resources for those critical business functions
- Calculate the acceptable downtime that the company can tolerate for each resource
- Perform a risk assessment — Risk assessments identify and analyze potential (future) events that may negatively impact normal business operations.
- Identify and analyze potential threat scenarios
- Calculate the risk probability for each threat
- Devise a incident response plan for each threat — Document a predetermined set of procedures to detect, respond to, and limit the impact of each threat.
- Create step by step procedures that need to be followed to assist in a recovery
- Closely coordinate with all other emergency preparedness plans including interconnected systems and business processes
- Clearly explain of where personnel should go for safety
- Include information on data backups and remote access
- Create the business continuity plan — Organize the above into a BCP.
- Establish a continuity culture — Introduce business continuity processes through education and awareness of all stakeholders.
- Conduct training and testing — The continuity team must be trained and tested. Training improves plan effectiveness and overall organization preparedness. Test the plan several times to ensure it can be applied to many different threat scenarios. Identify any weaknesses and gaps in the plan which can then be analyzed and corrected.
- Perform routine plan maintenance and updates — The plan must be updated regularly to remain current with operational, organizational, and system changes. It’s a living document in which threats need to be constantly evaluated.
Consider including a checklist that with key response details as well as emergency contact information that staff can keep at home in case of an emergency.
The Plan should include input from all facets of the organization. Once finalized, the Plan should be reviewed and accepted by all key stakeholders.
Here’s some sample text to consider for your acquisition document:
The Offeror must describe their business continuity plan and how their system can recover from a business interruption. Include any assumptions such as how employees or key personnel can continue working from remote locations. The plan must include backup arrangements and any formal agreements for the prioritization of systems and modules.
The Offeror must describe their procedures for restoring services in the event of an outage or disaster, including system and data restoration.
The Offeror must describe how backup procedures are updated and tested, including test and update frequency.
The Awarded Vendor must provide a business continuity test plan for use at the time of development and continual maintenance.
The Awarded Vendor must perform business continuity testing and successfully verify the System is operating in compliance with functional, non-functional, and system requirements in the event of a System-wide disruptive event.
The System must provide the ability to provide for Staff to conduct business remotely.
The System must automatically reconnect to resources, services, and applications that were temporarily unavailable once the resources, services, and applications become available.
The System must support prioritized functionality regardless of localized failure, capacity issues, or other external obstacles.
The System must provide the ability to provide notifications of system outages or other system disruptive incidents via all user interfaces.
The System must allow for redundant data stores and application servers to support business continuity.
The System must provide a mechanism that allows the System to backup and recover data.
The System must have the ability for point-in-time recovery.
The System must restore and maintain data integrity without data loss, regardless of whether the System was backed up with users on-line or not.
The System must be able to perform incremental and full system backups.
The System must be able to restore files from incremental and full system backups.
What is the difference between business continuity and disaster recovery?
Disaster recovery is the ability to restore critical support systems including IT systems, telecommunications, and hardware, should infrastructure be damaged or destroyed. A disaster recovery plan is one aspect of a business continuity plan.
What is the difference between business continuity and business resilience?
Business resilience is the ability for a business to read and quickly respond to changes in its environment such as an economic downturn, globalization, and disruptive technologies, in a manner that allows the business to not only survive but thrive.
What is the difference between business continuity and crisis management?
According to Wikipedia, crisis management is the process by which an organization deals with a disruptive and unexpected event that threatens to harm the organization or its stakeholders. It is considered to be the most important process in public relations.
Three elements are common to a crisis: (a) a threat to the organization, (b) the element of surprise, and (c) a short decision time.
Restoring business operations is one aspect of a crisis management.