We need a business continuity plan to keep the company up and running through interruptions of any kind, such as power failures, IT system crashes, natural disasters, supply chain problems and more.
The business continuity plan should be developed to prioritize key business processes, identify significant threats to normal operation and plan mitigation strategies to ensure effective and efficient organizational response to the challenges that surface during and after a crisis.
When developing the business continuity plan there are some main areas to consider. First of all, you should understand the major disasters and threats that the organization has faced so far and the possible threats in the future. To identify these, you may have to consider the location, type and size of the business, etc. In addition, consider the total budget that the company has to allocate; it should be approved and supported by top management. Finally, the developed plan should be reviewed by the auditors and by the security and insurance departments, and it should be tested, including surprise testing.
For example, in a hospital the server should be up and running 24 hours a day, 365 days a year, so that functions such as billing and generating reports can be carried out. So there should also be a mirror server, which takes over as the main server when the main server is not functioning. This has to be tested periodically, and the plan updated according to the results.
The main areas that should be included in the business continuity plan are as follows:
Accountability – A BCP team has to be appointed, the BCP has to be communicated throughout the organization, and a person should be assigned to update the BCP.
Risk assessment – Risks have to be identified and analyzed, and the likelihood of each type of risk has to be rated.
Business impact analysis – Critical business processes should be identified and ranked; the impact in terms of human and financial costs has to be identified; the maximum allowable outage and recovery time objectives have to be determined; and the length of time the business processes could be non-functional, the recovery time objectives and the resources required for resumption and recovery have to be identified.
Strategic plans – Methods to mitigate risks, procedures to respond and strategies should be attainable, tested and cost effective.
Crisis management and response team development – Members of the human resources department have to be appointed to the BCP team, and response plans and contact information have to be included in the BCP.
Compliance with corporate policy and mitigation strategies – Compliance audits have to be conducted to enforce BCP policy and procedures; systems and resources that will contribute to the mitigation process should be identified, including personnel, facilities, technology and equipment; and systems and resources have to be monitored to ensure that they will be available when needed.
Avoidance, deterrence and detection – It has to be checked whether employees are motivated to be responsible for avoidance, deterrence and detection, and whether supporting security programs, operational policy and procedures, and sufficient physical security systems and planning are in place to protect the facility.
Potential crisis recognition and team notification – Response programs should be able to recognize when a crisis occurs and provide some level of response; danger signals that indicate a crisis is imminent have to be identified; personnel should be trained to observe warning signs; a notification system has to be put in place; and the notification contact list should be complete and up to date.
Assess the situation...