Business continuity planning (BCP) is an essential part of any company that needs to protect against a loss or disruption of business caused by disasters including floods, fire, earthquakes, tornados, health outbreaks, or any incidents that could disrupt business in some way. With the increasingly globalized economy, even disasters that take place across the globe affect the bottom line of local businesses through connected supply chains. Creating a continuity plan will help ensure that if any kind of disaster strikes your business, the amount of lost data, revenue, and downtime are kept to a minimum.
We asked Michael Wallace and Lawrence Webber, authors of The Disaster Recovery Handbook, what you should know about BCP and how you can be best prepared if disaster strikes. Wallace is director of Software Services at InfoSystems, which provides clients with guidance on IT strategy, application development, business intelligence, disaster recovery planning, and policies and procedures. Webber is retired from the US Army Reserve as a First Sergeant in the Infantry and is a certified Project Management Professional, Six Sigma Black Belt, ITIL Manager, and Master of Business Continuity Planning. Wallace and Webber have both published books and articles on various business topics, including the books Quality Control for Dummies and Green Tech: How to Plan and Implement Sustainable IT Solutions, which they coauthored.
How has the increased recognition of BCP improved the chances for affected companies to survive a disaster?
The growth of BCP has resulted in improvements in:
- Awareness – companies are more real-time and executives more aware of the impact of an outage. Every fire or natural disaster (like a flood or tornado) brings it back to their attention.
- Technology – BCP is getting cheaper with more tools such as data replication. Preparing for disaster is becoming cheaper with new technology.
What is the most common type of disaster threat to a business?
Infrastructure issues (e.g., power, water, sewage) are the most common issues. How many of us have personally experienced a tornado compared to how many have experienced a power outage?
To what extent have the recent disasters, such as last year’s volcano in Iceland or this year’s earthquake and tsunami in Japan, affected business across the globe?
It has motivated companies to revisit their business continuity plan’s risk assessments to update their vulnerability ratings. Incidents such as these remind us that a disaster can happen at any time and anywhere.
How does a business continuity plan vary from, for example, a state university system to a global financial institution? Do specific industries need to worry about a disaster recovery plan more than others?
A business continuity plan addresses those areas that are critical to that particular type of business. In some cases, the minimum is prescribed in law, such as regulations at a bank or hospital.
Public companies must comply with Sarbanes-Oxley (SOX), and all companies must comply with the Health Insurance Portability and Accountability Act (HIPAA). Hospitals and financial institutions are required to provide and test particularly robust plans. Some other types of organizations, such as a public school, may simply close for a few days until the problem is solved.
What particular function in a company is most at risk?
The primary area of concern is cash flow. So if I were a major online retailer, my ability to receive orders might be more sensitive than for my warehouse to ship them. If I were a just-in-time supplier, then my priority is shipping the goods on time. Whatever process within the business has the most direct impact on cash flow is the process most at risk.
What kind of BCP standards and penalties should companies be aware of?
Some of the BCP standards are covered in the security standard ISO-17799. Also, information security is considered to be a component of BCP. Under SOX, public companies must have disaster recovery plans to meet their responsibilities to shareholders. Under HIPAA, there are strict standards and penalties for safeguarding employee health information. Individuals who violate HIPAA privacy regulations are subject to the following penalties:
- A fine of up to $50,000, or up to one year in prison, or both (class 6 felony)
- If the offense is committed under false pretenses, a fine of up to $100,000, up to five years in prison, or both (class 5 felony)
- If the offense is committed with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, a fine up to $250,000, or up to 10 years in prison, or both (class 4 felony)
- HIPAA also provides for civil fines to be imposed by the Secretary of Health and Human Services (HHS) “on any person” who violates a provision of it. The maximum is $100 for each violation, with the total amount not to exceed $25,000 for all violations of an identical requirement or prohibition during a calendar year. (class 3 felony)
How can software aid in BCP?
The software used to develop a plan primarily helps in the collection of important information and the organization of the data. You can do the same thing with standard desktop software such as Microsoft Word or Excel. However, some companies find the structure and prompts in purchased software to be useful. A program focused on BCP helps ensure that you don’t leave out important details in your plan.
What is the biggest challenge facing the creation of a BCP strategy?
The biggest challenge is executive apathy. A manager can spend $200,000 to create a new profit generating process or $200,000 for a disaster recovery solution to protect against a disaster that may never occur. The new process is more likely to get the manager promoted.
Who should lead a BCP initiative?
BCP is an operational issue with both IT and business components. We believe it should be led out of business operations. However, most companies focus their disaster planning in IT, so that is often where it is found for the entire company.
What advice do you have for an organization looking to create or improve a BCP plan?
Use a consultant to mentor the program’s initiation but always use your own employees for the planning. An outside consultant can cut through internal red tape and politics more effectively than an inside person. However, the plan must use internal resources so that it will be updated and tested regularly. This helps ensure that the binder does not just sit on a shelf, providing a false sense of security.
What common aspects of disaster avoidance and recovery do you see overlooked in BCP plans?
Periodic testing is essential and often overlooked in the daily rush of business. Testing validates that the plan is current, forces updates, and teaches team members their roles in a disaster.
What pitfalls or benefits have you seen companies encounter from inadequate or strong BCP initiatives?
Pitfalls include a false sense of confidence when a disaster hits. No one will know where to find the plan or where to find information within it. A poor disaster communications plan can cause customers to lose confidence in your ability to deliver products and services if a disaster occurs and they don’t receive clear and prompt communication on the status of your business. One firm I know lost business when their operations suffered a fire that was on the local news. Customers who saw the news report assumed that they would not be able to ship needed product and placed orders with competitors. The reality was that most of the damage was confined to the administrative offices and the warehouse was undamaged and still in operation. But with no communications plan, no one was calling the customers to let them know that their shipments would still arrive on time.
A major benefit is resiliency. With a strong BCP, the critical business processes keep running in spite of adversity. A BCP initiative forces managers and executives to discuss how all the pieces of the business fit together and can highlight opportunities for improvement.