These include the activities which ensure that critical business functions will be available to end users despite serious incidents or disasters that might otherwise have interrupted them, or will be recovered to an operational state within a reasonably short period. Hence, adequate disaster recovery infrastructure shall be maintained by the organization for ensuring recovery and business continuity in case of any disaster scenario.
Critical components of business continuity
- Resilience – Functions and the supporting infrastructure are designed and engineered in such a way that they are materially unaffected by disruptions like by using spare capacity
- Recovery – Arrangements made to recover or restore critical and less critical business functions which may fail for some reason.
- Contingency – The project establishes a generalized capability and readiness to cope effectively with whatever major incidents and disasters occur, including those that were not, and perhaps could not, have been foreseen. Contingency preparations constitute a last-resort response if resilience and recovery arrangements should prove inadequate in practice.
Business Continuity Management (BCM) is about identifying those parts of that can’t be lost and will stop the whole E-Government project usage by end user. To implement BCM following is needed to be answered
- What are key products and services?
- What are the critical activities and resources required to deliver these?
- What are the risks to these critical activities?
- How to maintain these critical activities in the event of an incident (loss of access to premises, loss of utilities etc)
Effective BCM capability is established and maintained by three steps as
- Assigning responsibilities – It is essential that BCM has the full support of management and this should be obtained from the outset. Without this support, it will be virtually impossible to instill a sense of value and ownership among the rest of the workforce. It is also important that an individual or team within your organisation is responsible for managing and co-ordinating the BCM capability. For
- Establishing and implementing BCM – One of the early tasks should be to agree the BCM policy. This would normally be the responsibility of the management board representative, working with others as appropriate, and should set out the scope, aims and objectives of BCM and the activities required to deliver these.
- Ongoing management – There are a number of activities that should be undertaken on an ongoing basis to ensure that BCM continues to be relevant and be updated with any change.
Business continuity planning (or BCP or business continuity and resiliency planning) is the process of creating systems of prevention and recovery to deal with potential threats to a company.
A business continuity plan is a plan to continue operations if a place of business is affected by different levels of disaster which can be localized short term disasters, to days long building wide problems, to a permanent loss of a building. Such a plan typically explains how the business would recover its operations or move operations to another location after damage by events like natural disasters, theft, or flooding. For example, if a fire destroys an office building or data center, the people and business or data center operations would relocate to a recovery site.
Any event that could negatively impact operations is included in the plan, such as supply chain interruption, loss of or damage to critical infrastructure (major machinery or computing /network resource). As such, risk management must be incorporated as part of BCP. In the US, government entities refer to the process as continuity of operations planning (COOP)
A BCP typically includes five sections:
- BCP Governance
- Business Impact Analysis (BIA)
- Plans, measures, and arrangements for business continuity
- Readiness procedures
- Quality assurance techniques (exercises, maintenance and auditing)
Business Impact Analysis
Business impact analysis (BIA) is a systematic process to determine and evaluate the potential effects of an interruption to critical business operations as a result of a disaster, accident or emergency. A BIA is an essential component of an organization’s business continuance plan; it includes an exploratory component to reveal any vulnerabilities and a planning component to develop strategies for minimizing risk. The result is a business impact analysis report, which describes the potential risks specific to the organization studied. One of the basic assumptions behind BIA is that every component of the organization is reliant upon the continued functioning of every other component, but that some are more crucial than others and require a greater allocation of funds in the wake of a disaster. For example, a business may be able to continue more or less normally if the cafeteria has to close, but would come to a complete halt if the information system crashes.
As part of a disaster recovery plan, a BIA is likely to identify costs linked to failures, such as loss of cash flow, replacement of equipment, salaries paid to catch up with a backlog of work, loss of profits, staff and data, and so on. A BIA report quantifies the importance of business components and suggests appropriate fund allocation for measures to protect them. The possibilities of failures are likely to be assessed in terms of their impacts in areas such as safety, finances, marketing, business reputation, legal compliance and quality assurance. Where possible, impact is expressed monetarily for purposes of comparison. For example, a business may spend three times as much on marketing in the wake of a disaster to rebuild customer confidence. The BIA should assess a disaster’s impact over time and help to establish recovery strategies, priorities, and requirements for resources and time.
A risk assessment identifies potential hazards such as a hurricane, earthquake, fire, supplier failure, utility outage or cyber attack and evaluates areas of vulnerability should the hazard occurs. Assets put at risk include people, property, supply chain, information technology, business reputation and contract obligations. Points of weakness that make an asset more prone to harm are reviewed. A mitigation strategy may be developed to reduce the probability that a hazard will have a significant impact.
During the risk assessment phase, the BIA findings may be examined against various hazard scenarios, and potential disruptions may be prioritized based on the hazard’s probability and the likelihood of adverse impact to business operations. A BIA may be used to justify investments in prevention and mitigation, as well as disaster recovery strategies.