Business Resumption.net

Phases in Developing a Typical BRP

Building a quality Business Resumption Plan is a lengthy process involving many persons and disciplines. Most organizations first build an IS data center plan, then a BRP for each critical data center user, and finally attempt a BRP for their critical manual processes. The following four phases apply to each of these functional areas.

Phase I - Funding

The initial step in any BRP program is that of obtaining the substantial funding normally required. This requires convincing the Board of Directors on the reality of a possible disaster and its probable impact on the ability of the organization to survive.
A detailed quantitative approach to a risk analysis is used widely. The approach is popular with government and large decentralized industrial firms with major consulting budgets, see Wong [11]. It determines the probability of various man-made and natural disasters occurring and their impact on key business functions. The results present probability estimates that are difficult to translate into risk-cost-protection decisions. Additionally they are actuarial based and do not apply to business decisions involving a single site or resource.

The board of directors of most firms respond far better to a fiduciary responsibility based risk analysis. A list of risks to which the firm's facilities and personnel is exposed is presented and a case study approach is used to demonstrate realistic risk exposure in Waldman [10]. Estimates are made of the financial impact on various business functions, computer related and non-computer related, of a loss in resource capability. When the impacts include financial or service level losses that can effect the firms survival, then the board members fiduciary responsibility requires a prudent level of protection and recovery capability. Funding for an adequate BRP is then made available, often as a priority project.

Phase II - Disaster Prevention

Following initial funding, the next step in the BRP program, is to determine the possible extent of exposure to natural and man-made disasters of critical resources; including facilities, data, and personnel. Procedures must then be implemented to minimize the probability of such disasters occurring.
Physical security planning primarily involves access controls, fire and water protection, earthquake and storm hardening, and critical records security. Most firms have a physical security program in place covering these areas prior to the implementation of a BRP program. The next step in the BRP is, therefore, simply an assessment of the program, and improvement if necessary. The author's experience indicates that the critical records area, particularly for non-computerized files, frequently is a major weak point.

Data security and protection programs are not as wide spread as physical security programs. Few firms have high quality data oriented security programs involving off-site backup storage of critical paper based financial & personnel records. Protection in this area frequently requires a major effort.

Phase III - BRP Planning

Disaster planning, as illustrated in Rohde and Haskett [6], is often initiated by the organization's data center, as it first implements applications critical to the day-to-day operations of the organization. The selling of data processing oriented disaster planning to the Board of Directors often alerts them to the risk presented by the non-computerized portions of the firms operations, and a total disaster recovery planning effort is initiated.

A team effort is the best approach to creating an organization's initial BRP. The team should include at least a person experienced in BRP architectures and plan development; a person with long term responsibility for developing and maintaining the plan; and an influential manager with in-depth knowledge of the organization, its operations, and its people. The team should move through the development cycle backwards and then forward.

Step 1 - for the various major resources of each business unit, determine the potential recovery architectures available, their costs, and the recovery periods they offer.

Step 2 - perform a risk analysis determining which resources are truly critical to the organizations survival. For those resources, determine their desired recovery periods and the most practical recovery architecture approach for each.

Step 3 - present a business resumption policy to the Board of Directors balancing risk, costs, and service levels.

Step 4 - create a detailed design of the authorized recovery architectures and assist each business unit in creating a business resumption policy and architecture.

Step 5 - assist each business unit in designating a BRP coordinator, assigning a planning team, and assisting them in developing and testing their plan.

Phase IV - BRP Testing

Desk-top walk through - Before any detailed testing, key stakeholders in each business function's BRP are convened in a conference room, and a detailed review is performed of the plan. Many small events are described and the participants are asked to state how the plan would guide their reactions. The events should require utilization of: major backup resources, emergency operations approaches, and all emergency response teams. Following this step, operations and simulation tests are scheduled.

Operational testing - Few organizations operationally test the complete disaster reaction cycle of: activation, life-safety, damage assessment, mobilization, emergency operations using off-site files and backup resources, and recovery planning. Only the data processing emergency operations area can normally be tested without involving a substantial number of persons during business hours. The scope of most operational tests therefore, includes: a semi-annual off-hour call to the manager of data center operations, assembly of the backup site operations team, acquisition of backup materials from an off-site location, travel to a backup hot/cold site, installation of systems and applications software, loading production data, and systems test of several critical applications.

Simulation testing - Simulation is the most feasible approach for testing the decision making aspects of disaster reaction activities, see Rosenthal [8 & 9]. The use of simulation exercises for testing a BRP has been spreading slowly over the last decade. Unlike their military counterpart, war games that use computer driven scenarios to perform very realistic exercises, BRP exercises are paper and pencil simulations. Teams are placed at tables representing their backup locations, and the description of an evolving disaster is presented. The teams communicate using backup communication resources or forms, make decisions, and everyone pretends that what is ordered actually happens. Debriefings and evaluation studies follow to correct any flaws in the BRP.

A scenario for use in simulation testing of a BRP must fulfill several objectives.

 

News & Sponsors

Books on the Bird Flu
Help Protect Your Family
Bird Flu - The Complete Survival Guide.

N95 Masks

ABC News: Money

States Refute Worries of Refund Delays Many states insist that income tax refunds will not be delayed, contrary to numerous reports asserting that many states would have to delay payments of refunds, although state March 12th, 2010 06:05 PM

Should CEO of Boys & Girls' Club Make $1M? The Boys & Girls Club of America, a nationwide charity that receives millions of dollars in taxpayer aid, is under fire for paying out high salaries to executives such as CEO March 12th, 2010 04:29 PM

Copyright ©2010 Business Resumption.net | Powered by Studiolion.com