2011 IEEE GCC Conference and Exhibition (GCC), February 19-22, 2011, Dubai, United Arab Emirates

BUSINESS CONTINUITY PLANNING (BCP) METHODOLOGY – ESSENTIAL FOR EVERY BUSINESS

Dr. Manik Dey PhD, CISSP
Kuwait Institute for Scientific Research (KISR), [email protected]

ABSTRACT

Business Continuity Planning (BCP) indicates how well an organization prepares itself to survive unexpected disasters, disruptions or changes, assuring that the critical business processes will continue to function in the most adverse circumstances with acceptable limitations. BCP is also one of the domains of Information Security management. The BS 25999 standard emphasizes that an organization must have a Business Continuity (BC) program in place to fulfill its obligations in this world of uncertainty. The main objectives are that in all unusual situations the business should sustain itself, maintain regulatory compliance and deliver its products and services with minimum losses to its employees, customers, vendors, and to society at large. This paper illustrates the concept of BCP along with its implications for business in adverse circumstances and enunciates a methodology for how a Business Continuity Planning framework can be established in an organization.

Index Terms— Business Continuity (BC), Business Continuity Planning (BCP), Business Continuity Management (BCM), BS 25999 standard, Information Security

1. INTRODUCTION

Business Continuity (BC) deals with the continuation of business in adverse circumstances. A business comprises people, processes, various assets, products and services. Any incident such as a market crash, pandemic disease, natural disaster, technological failure, human error, cyber attack, fraud or terrorism which causes disruption to any of these entities can affect the continuity of business on either a short-term or a long-term basis.

Business Continuity Planning (BCP) and Management (BCM) are the acts of anticipating disruptions, ensuring prevention or a lower chance of occurrence, and responding to any such incident in a planned and rehearsed manner so as to recover the losses and bring the business back into operation. Disruptions can come with or without warning and the results may be predictable or unknown. The term Disaster Recovery Planning (DRP) is used more frequently, but it is actually a part of the broader BCP framework. DRP normally takes care of the continuity of information technology (IT) services and is mostly technical in nature. Every business needs a BCP to face all possible disruptions and keep its operation running with acceptable downtime. The objectives are to protect human lives, minimize financial and reputational losses, continue serving the customers, and remain in compliance with the statutory laws and regulations [7].

Most organizations maintain a 'Plan B' (contingency) in case 'Plan A' (the regular business plan) does not work due to some incident, accident or disaster. However, very recently the world has seen some of the most unprecedented disasters, such as the collapse of the twin towers (the 9/11, 2001 attack), the US black-out (2003), the Tsunami, Katrina, Rita and the Iceland volcano (2010). These, in conjunction with the corporate corruption cases of WorldCom, Enron, Satyam, etc., have made organizations realize that a lack of proper Business Continuity or Disaster Recovery Planning can put them out of business at any time. One report from the US Department of Labor suggests that 40% of the companies facing such disasters never reopen and 25% of the remaining companies close within two years [9]. In fact, after the 9/11 attack, the majority of the affected companies in the World Trade Center went out of business due to a lack of adequate DR and BC Planning.

An organization's dependency on IT demands that IT-related resources are secured and protected well against all possible devastations. The recent increase in cyber terrorism has also given an additional dimension to the problem. That is why Business Continuity is associated with the Information Security Management System (ISMS). As per the ISO/IEC 27031 standard, the Information and Communication Technology (ICT) infrastructure should ensure the confidentiality, integrity and availability (CIA) of IT services in all circumstances and hence plays a major role in maintaining Business Continuity [8]. In general, a BCP will have IT and non-IT areas. In case of disruptions, the IT unit will be busy with restoration and recovery of related services using DRP processes, whereas the non-IT areas will be busy with other facilities and business matters so that the overall business prevails.

978-1-61284-119-9/11/$26.00 ©2011 IEEE 229


Through implementation of appropriate BCP frameworks, organizations can maintain continuity and even benefit from the most adverse situations in this world of uncertainty. There are numerous examples, case studies and success stories of organizations benefiting from Business Continuity (BC) initiatives. KPMG's white paper http://www.kpmg.com/CN/en/IssuesAndInsights/ArticlesPublications/Documents/business_resilience_china_0903.pdf describes their case studies in China, where various organizations have been benefiting from BCP initiatives in the competitive market of the economic downturn since September 2008. The broader prospect of BCP is called Business Resilience Planning (BRP), which covers all the changes the business may face, including the disruptions covered by BCP as well as other changing situations of challenges and opportunities [2, 5].

2. BCP COMPONENTS

Businesses are subject to various threats and vulnerabilities that continuously induce risks [4]. If the risks are not handled appropriately, they may disturb the continuity of business, as depicted in Figure 1.

Threat agent -> induces Threat -> exploits Vulnerability -> induces Risk -> affects Business Process/Function -> affects Business Continuity

Figure 1. Threat, Vulnerability and Risks in BC

Analysis of risks along with their impact on business is therefore an important component of BCP [1]. It is also essential to identify the priority of, and classify, the time-critical areas or functions of the business along with their assets. Analyzing existing and future risks to all the critical business functions and calculating the effect of each function being non-operative for the maximum period of time it can be tolerated (Maximum Tolerable Downtime, MTD), along with its Mean Time to Recovery (MTTR), is called Business Impact Analysis (BIA). A function whose MTTR exceeds its MTD cannot be recovered within the time the business can tolerate, and that is the gap the BIA exists to expose.

Once any disruption occurs, the organization must know how to handle the situation immediately. This is called incident handling or crisis management. After the incident has been brought under control, the other business continuity processes will do what is necessary to continue delivery of products and services to the intended parties within the acceptable and already agreed 'Service Level Agreement' (SLA). The final step will be to recover the damages or losses and restore the operation to its original status.

Putting it all together: Business Impact Analysis (BIA), Risk Management, Incident Handling, Disaster Recovery and Restoration are the main components of Business Continuity Planning [3]. All of these are linked into an end-to-end system with planning, analysis, design, training, implementation, review, maintenance, audit, and documentation covering the full cycle of the Business Continuity Planning and Management framework, as shown in Figure 2.

Figure 2. BCP Lifecycle

3. BCP STANDARDS

In order to ensure that a BCP framework is meaningful and fully comprehensive in tackling all aspects of business continuity in the current and future situations of uncertainty, organizations must follow already established standards and guidelines. These standards provide a systematic management approach to adopt best-practice controls, quantify the level of acceptable risk and implement the appropriate measures for continuity and recovery of business, thus protecting the organization and its stakeholders' interests. Some of these standards are:

- BS 25999-1/2: Code of Practice and Specification for Business Continuity (British Standards Institution) [7]
- ISO/IEC 27031: Business Continuity in ICT [8]
- ISO 22399: Incident Management & Business Continuity
- MS 1970: Business Continuity standard in Malaysia
- HB 221: Business Continuity standard in Australia
- TR 19: Business Continuity Reference, Singapore
- NFPA 1600: Disaster Recovery & BC standard (National Fire Protection Association, USA)

In addition to these standards, there are compliance requirements, regulations and industry best practices such as HIPAA, SOX, GLBA, COSO, the Patriot Act, BC 177, ITIL, COBIT, etc., which need to be followed in order to make the BCP initiative more effective in meeting the challenges.

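The BIA that Section 2 defines and Section 4 walks through (an MTD and MTTR per critical function, a ranking by potential revenue loss and recovery time, then a risk-treatment decision of prevent, mitigate, control or accept) is easy to get wrong in one specific way: a function's own recovery time is not its real recovery time when it depends on a slower service. The script below, added here as an illustration and not code from the paper, carries the BIA through with that dependency rule and flags MTD breaches. All business functions, MTD/MTTR figures, hourly loss values, event frequencies and treatment costs are constructed inputs; the treatment-selection rule is an illustrative assumption, not a rule the paper states.

```python
"""Worked Business Impact Analysis (BIA): dependency-aware recovery time,
MTD/MTTR gap detection, severity ranking and a risk-treatment decision.

Added example. Every figure below (functions, MTD/MTTR, hourly loss,
event frequency, treatment costs) is constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class BusinessFunction:
    name: str
    mtd_hours: float              # Maximum Tolerable Downtime
    mttr_hours: float             # Mean Time To Recovery of the function itself
    loss_per_hour: float          # revenue or penalty lost per outage hour
    depends_on: List[str] = field(default_factory=list)  # internal dependencies


def effective_mttr(name: str, catalogue: Dict[str, BusinessFunction],
                   _seen: tuple = ()) -> float:
    """A function is not back until its slowest dependency is back, so the
    effective MTTR is the maximum over itself and its (transitive)
    dependencies. A dependency cycle is a BIA modelling error and is rejected."""
    if name in _seen:
        raise ValueError(f"dependency cycle at {name}")
    fn = catalogue[name]
    deps = [effective_mttr(d, catalogue, _seen + (name,)) for d in fn.depends_on]
    return max([fn.mttr_hours] + deps)


def bia_report(functions: List[BusinessFunction]) -> List[dict]:
    """Rank functions by severity: MTD breaches first, then by expected loss
    over the effective recovery time (highest first)."""
    catalogue = {f.name: f for f in functions}
    rows = []
    for f in functions:
        rec = effective_mttr(f.name, catalogue)
        rows.append({
            "function": f.name,
            "mtd": f.mtd_hours,
            "effective_mttr": rec,
            "mtd_breached": rec > f.mtd_hours,   # recovery slower than tolerable
            "expected_loss": rec * f.loss_per_hour,
        })
    rows.sort(key=lambda r: (not r["mtd_breached"], -r["expected_loss"]))
    return rows


def choose_treatment(loss_per_event: float, events_per_year: float,
                     treatment_costs: Dict[str, float],
                     risk_appetite: float) -> dict:
    """Pick prevent / mitigate / control / accept for one risk.
    Illustrative rule (an assumption, not from the paper): accept when the
    annualised loss expectancy (ALE) is within the stated appetite; otherwise
    take the cheapest treatment and flag it if its annual cost exceeds the ALE
    it protects against, since spending should not outweigh the risk."""
    ale = loss_per_event * events_per_year
    if ale <= risk_appetite:
        return {"ale": ale, "treatment": "accept", "cost": 0.0, "over_budget": False}
    treatment = min(treatment_costs, key=treatment_costs.get)
    cost = treatment_costs[treatment]
    return {"ale": ale, "treatment": treatment, "cost": cost, "over_budget": cost > ale}


# Constructed inputs (not from the paper). order_processing recovers in 2 h on
# its own, but is gated by the ERP system's 12 h and so breaches its 8 h MTD.
FUNCTIONS = [
    BusinessFunction("order_processing", mtd_hours=8, mttr_hours=2,
                     loss_per_hour=5000, depends_on=["core_network", "erp"]),
    BusinessFunction("erp", mtd_hours=24, mttr_hours=12,
                     loss_per_hour=1500, depends_on=["core_network"]),
    BusinessFunction("core_network", mtd_hours=4, mttr_hours=3,
                     loss_per_hour=800),
    BusinessFunction("payroll", mtd_hours=72, mttr_hours=24,
                     loss_per_hour=200, depends_on=["erp"]),
]

if __name__ == "__main__":
    ranked = bia_report(FUNCTIONS)
    for row in ranked:
        flag = "MTD BREACH" if row["mtd_breached"] else "ok"
        print(f"{row['function']:<17} MTD={row['mtd']:>3}h  eff.MTTR={row['effective_mttr']:>3}h  "
              f"loss={row['expected_loss']:>7.0f}  {flag}")
    # Treat the top-ranked risk, e.g. a site-loss scenario expected every two years.
    top = ranked[0]
    print(choose_treatment(top["expected_loss"], events_per_year=0.5,
                           treatment_costs={"prevent": 40000, "mitigate": 9000, "control": 15000},
                           risk_appetite=10000))
```

The point the ranking makes is the one the Section 4 lessons list states in words: order_processing looks healthy on its own MTTR and only shows as the top risk once the ERP dependency is folded in, so fixing the ERP recovery arrangement (or removing the dependency) is what closes the gap, not a faster order-processing restore.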
4. BCP DESIGN AND IMPLEMENTATION

While designing a BCP for a specific disruption or change, various factors and parameters need to be considered. For example, the list below shows some of the requirements that were learnt from the September 2001 World Trade Center disaster:

- A BCP must exist in every business. The plan must be updated and tested frequently, considering all types of threats with the worst possible consequences. Even with known limitations, an existing BCP is indispensable to face any disaster.
- Dependencies and interdependencies of business functions must be analyzed carefully.
- Employee counseling is important. Key personnel may not be available at the time of need. Communication facilities, though essential, may be unavailable.
- Alternate IT backup sites should not be close to the primary site.
- BCP/DRP policies, procedures and guidelines should be kept safe in an off-site location.
- The entire area may be cordoned off by law enforcement, not allowing employees to approach the disaster site. Uncertainty of the situation may lengthen the time of recovery.

Keeping in mind similar factors along with the business mandate, the organization should carry out the Business Impact Analysis (BIA) in the following way:

- Identify the primary business mandate and critical aspects (including compliance obligations) of the organization.
- Prioritize time-critical services or products. Identify dependencies (internal, external, and legal).
- Identify threats, vulnerabilities and risks associated with the critical services or products. Correlate IT service unavailability risks with the associated business risks, wherever applicable.
- Estimate how long critical business functions can survive without the availability of critical services or products, and their average recovery time, thus arriving at the MTDs and MTTRs for the critical functions.
- Rank services and products based on potential loss of revenue, time of recovery (MTD, MTTR) and severity of disruptions.
- Document the findings as part of the BIA report.

During the BIA, raising the following questions can help in identifying the critical processes, functions or assets of the entire business:

- What are the different pieces of equipment required for the business function and how are they used? What are the critical outsourced items and their sources?
- How will the business function work if the computers and network access are not available, and is there any need for redundancy of these resources?
- What single points of failure exist and how significant are the risks associated with them?
- What is the minimum manpower, physical space and other resources (communication etc.) required for the recovery site?
- Has the business unit defined critical personnel and their roles in case of a sudden disruption of business, and have the employees received sufficient training?
- Have the family care and support needs of the employees been adequately considered?

Once the BIA is completed, the next step should be the risk management of the possible threats and disruptions. While doing this, the probabilities and frequencies of threats, the impact of disruptions on business and the associated costs need to be considered. Accordingly, as depicted in Figure 3, risks can be prevented (by taking precautionary measures), mitigated (reduced, or transferred through insurance, for example), controlled (by making a contingency plan) or accepted (consciously retained without further treatment) depending on the characteristics of the risk and the possible damage it can impose on the organization.

Figure 3. Risk Management

The above set of exercises will more or less end with the completion of the design phase. The following is a summary of steps which can be followed while implementing a Business Continuity Framework in line with the principles established earlier.

1) Form a BCP/DRP team or section with a head designated as, say, Business Continuity Officer (BCO). Identify and allocate roles to the team members.
2) Carry out the BIA and risk analysis to establish BCP requirements. Include and involve business leaders in this phase in their respective areas of business.
3) Prepare the BCP project proposal with an implementation plan along with the additional resource requirements (budget), giving importance to leveraging

existing resources, if possible. Present the project proposal to the management for approval. Include the recommended changes, if any, and arrive at the final approved proposal.
4) Write the 'Policies' and 'Procedures' documents covering all pertinent areas of BCP and DRP as analyzed before [6]. Present the policies and procedures documents to the management for refinement and final approval. Ensure that the policies and procedures are circulated to all divisions and departments, and to outside parties if applicable.
5) Implement the project in phases according to priorities. Procurement or hiring of necessary equipment, accessories, hardware, software, physical space, manpower, etc. should be linked with the implementation phases.
6) For IT (DRP), arrangements for redundancy such as an alternate network link, cold site, warm site, hot site, etc., with an appropriate relocation policy, should be organized as per the business requirements outlined in the design phase and in line with the ISMS processes, if already available.
7) Achieve and maintain the standards (particularly BS 25999 and ISO/IEC 27031), compliance, regulations and industry best practices as applicable to the business.
8) Link the BCP activities with the Change Management process so that any change in a business process is automatically reflected in the BCP.
9) Organize awareness training for the employees to make them understand the BCP policies, procedures and guidelines that apply to them. Maintain appropriate documentation for the entire BCP cycle.
10) Establish routines for periodic BC tests and incident handling in sensitive areas. Various levels of testing, such as false alarm, walk-through, simulation, parallel and live tests, should be conducted to ensure that the people involved are fully trained and know what to do in order to maintain business continuity. The tests should be conducted with proper planning and coordination so that they do not cause any significant business disruption. Define emergency response or crisis management teams in the respective areas with up-to-date contact details. Motivate super performers (champions) through appropriate appreciation.
11) Review and iterate (Plan, Do, Check & Act) the BCP framework and its operation. In this context, a Business Continuity Forum (BCF) can be formed to review the status and effectiveness of the BC framework periodically. Have the BCP framework audited by a competent and recognized auditor with the ultimate objective of obtaining BCP/BCM BS 25999 certification.

Implementing a BCP framework may require additional investment, which is like an insurance cost that will protect and assist the business in becoming more resilient, with increased preparedness to face various disastrous situations, and add value to the business. Such investment should not outweigh the business functions and the risks being protected. The CSI/FBI (2004) and other surveys indicate that most organizations spend 10-13% of their IT budget on Information Security, including BCP.

5. CONCLUSION

Business Continuity Planning (BCP) is certainly 'a must', and every organization should initiate an appropriate BC plan if it has not done so already. It makes the business more resilient to adapt to changes, prepare for uncertainties and remain in operation in adverse situations, thus adding value to the business. The Information Security Management System (ISMS), which ensures the security of information and related services, plays a major role in establishing business continuity in today's IT-centric world.

BCP is not a one-time project or a technical solution with a start and an end for good. Rather, it is a continuous process and should be followed as a regular part of business culture. Understanding the importance of BCP implementation and wholehearted participation in it by the employees is very crucial. The senior management, being the prime sponsor and motivator, plays a vital role in this matter from the very beginning.

The BC solution should be business driven and carefully designed to achieve cost-effectiveness and return on investment (ROI). A successful BCP needs the best combination of People, Processes, Policies, Procedures, Standards, Compliance and Technology.

6. REFERENCES

[1] "Risk-Intelligence-Security-Control (R.I.S.C.)", The Business Continuity Journal, Vol. 2, No. 4, January 2008.
[2] IBM Business Resiliency & Continuity, www.ibm.com.
[3] G. W. Sikich, Business Continuity: Maintaining Resilience in Uncertain Times, PennWell Books, 2003.
[4] M. Cirino, The Art of Comprehensive Vulnerability Management (Black Book Series), Larstan Publishing, 2007.
[5] Business Resilience Model, Business Resilience Certification Consortium International (BRCCI).
[6] C. C. Wood, Information Security Policies Made Easy, Information Shield Inc., 2002.
[7] "BS 25999:2006 Code of Practice for Business Continuity Management (BCM)", http://www.bsi-global.com.
[8] ISO/IEC 27031, Business Continuity Standards for ICT.
[9] The Hartford & US Small Business Administration, 2002, p. 14.
