Differences with other tools and methodologies
Ver esta página en:
Why organize the Business Continuity Solution as several Plans instead of a single one?
If an organization is to recover from a contingency, there are a number of varied tasks that need to be executed to achieve concrete objectives and the people assigned to these tasks require specific knowledge and skills to be successful. It naturally follows from this that the recovery process is carried out by a series of Response Teams, each with their own responsibilities and skill sets.
It’s highly unlikely that these Teams are interchangeable with each other (e.g. a Team with IT professionals and a Team with accounting professionals won’t be able to reasonably perform the other Team’s tasks) so there is no need for all Teams to have the entire lists of tasks available to them. As a matter of fact, it’s actually desirable that this isn’t the case given the sensitive or confidential information that might be listed in each of the Plans.
There are many examples of information contained in the Plans that should only be disclosed on a need-to-know basis, like internal controls in the business processes that are weakened during the contingency to allow for an acceptable operating level, the location of alternative operating sites (particularly for IT), personal contact information for Executive Management, etc.
Coordination between Teams
The above notwithstanding, it’s obvious that team coordination is critical not only during the execution of the Contingency Plans but also during the maintenance processes.
BCPOrganizer models these coordination requirements in the following way: when any task (part of a Procedure included in the Plan) is related to a different Team that the one responsible for the task, this link is formally recorded within the tool (and listed in any printed version of the Plans).
During the execution of the Plans this “relationship” doesn’t imply a delegation of duties to the other Team or a point where execution stops until a certain result is received, since every Team knows their objectives and the way in which the other Team is supposed to assist them. Should the other Team not provide a response in a timely fashion (or not be able to), the original Team can try to obtain assistance from another party, or communicate their needs to the coordination teams.
To ensure that these relationships are properly maintained (e.g. that a certain Team doesn’t end up listed as “related” to a task that it can’t assist in any way or that a task is changed in a way that makes a previous listing stop being relevant or correct), the tool notifies the Team leaders of any changes and requires them to provide a formal approval before accepting the changes “into” the Plans.
Why include a Preventive Plans module within the tool?
While the objective of a Business Continuity Solution is to allow a company to recover after a contingency (of any kind, origin or magnitude) has occurred, clearly the preparedness level will have a major influence in the quality of the Solution. In this case, the quality is defined by aspects such as the cost or effort to implement the response actions (Contingency Plans), the infrastructure required in the plans, the recovery window, the operational level achieved and the effort needed to go back to normal operations.
The preparedness level of an organization has a lot to do with the effort in prevention that it carries out and therefore it follows that, if the preventive actions are sound, then the preparedness level will improve and the quality of the Solution in general will improve with it.
Considering the previous, we can say that two different and complementary approaches exist within Business Continuity Management: Response
is the central and mandatory issue in BCM and the Contingency Plans document the required actions. Prevention
, on the other hand, is the most effective and efficient way to enhance the quality of the Solution as a whole by improving the preparedness level, and the required actions can be documented in Preventive Plans.
Preventive Plans, as well as Contingency Plans, must be properly maintained and this is why this module has been included in BCPOrganizer.
What is included in a Preventive Plan? What is the best way to develop them?
When one is working in Prevention, it is fundamental to identify which are the situations that could cause an interruption in the critical processes of an organization –particularly when responding to such a situation would be nearly impossible or extremely hard or costly– and figuring out which are the proper actions to either minimize their probability or reduce their impact.
To this end, using the standard COSO II risk analysis methodology is an excellent way to get correct results through a formal analysis, considering as the main objective the continuity of critical business operations.
By using this technique it is possible to determine two kinds of situations that are interesting to the company:
- Issues that need to be corrected to improve the preparedness level by reducing the likelihood of interruptions or enhancing the quality of the response.
- Controls that need to be monitored to ensure that the preparedness level is maintained (e.g. data backup procedures, availability of certain resources in the required conditions, appropriate personnel training.
Both the issues to be corrected and the controls to be monitored can be included in the Preventive Plan managed by BCPOrganizer.
The tool provides the necessary functions to guide the execution of multiple Risk Analysis in different scenarios, with different values for probability and impact, and in this way obtain a Business Impact Analysis (BIA) – all this linked with the corresponding Preventive Plan.