BCP Phases CPATech Advisor May 2010 Article
- 1. Business ContinuityAt A Time -One Step Planning gninnalP ytiunitnoC ssenisuB By Bob Green, CPA.CITP & Rick Mark You’ve been tasked with either overseeing your own company’s ini- The result: a comprehensive matrix illustrating the impact of each tiative, or advising a client’s initiative, to implement a Business Continuity disaster scenario on each significant business process. Plan (BCP). Although there are scores of books, whitepapers and other resource materials on this topic, which also includes the concepts of PhaSe 3: create reSumPtion ScenarioS “Disaster Recovery Planning” and “Business Resumption Planning,” the During this phase, you will define and prioritize activities that would reality is that you need to start somewhere. And it is best if you think of allow for resumption of business processes for each disaster/outage this as a process, with distinct phases that provide measureable out- item. Specifically, the team needs to spell out activities that would allow comes. for resumption of operations at an acceptable level. These activities Rome was not built in a day. Elephants need to be eaten one bite at a include operational and IT infrastructure matters, IT and operational time, and, similarly, BCP’s take time and planning in their own right, controls and processes, personnel matters, vendor and customer com- before they can achieve the desired outcome. munications and notifications, etc. The result: a matrix outlining resump- This article will provide you with a high-level overview of the phases tion solutions accompanied by time and cost estimates to implement. of the BCP process, as well as provide insightful questions to address before commencing the effort. The BCP process and its outcome — the Plan — varies for every business. Some businesses are satisfied with just PhaSe 4: draft the firSt reviSion of the Plan doing a data backup and are not concerned about other ramifications of Begin to template the plan with sections or separate notebooks appli- an unplanned disaster, which, of course, is an irresponsible approach. cable to each scenario and resumption processes from Phase 3. During Most businesses, however, spend their BCP efforts on what matters most this phase, you will be able to see where your documentation or planned to them — planning and addressing how they would manage significant, efforts may be missing a step or a critical resumption procedure. Always yet more “realistic” disasters. Either way, you’ll want to consider the consider whether enough has been considered to satisfactorily mitigate questions below and how they influence how you go about doing the the impact of the disasters defined in Phase 1, and that the level of BCP exercise: resumed operations are likely to occur after implementing the resump- B How long can we be “down” before our business is affected in tions strategies defined in Phase 3. such a way that we may not be able to recover (and what does “down” mean to us)? PhaSe 5: imPlement SolutionS and teSt the Plan C How much does it cost us to be down? In this phase, you will implement resumption solutions that would assure D How long of an outage can our customers/clients accept before your business is ready for planned disaster scenarios. This often focuses they go elsewhere for services? on implementing contingency strategies for IT, operations, HR and other E How much business can we conduct if our computers are down, if areas. This phase also includes the very important testing activities nec- our paper files are water soaked from a pipe that exploded in the essary to put your BCP to a reasonable and practicable test of its effec- wall, if access to our building is being denied for safety reasons, or tiveness. Many companies perform mock disaster drills where they artifi- if our operations manager or IT leader goes missing for an cially enact one or several disaster scenarios from Phase 1, and determine extended period of time for any reason? just how capable the plan can work. For example, IT departments can F Are there any regulatory requirements from local or federal gov- simulate power outages for remote access and external services by dis- ernment that require us to have a plan like this, and how do we connecting Internet access temporarily to see if the backup scenario know if we are staying within those requirements? works. Similarly, operations departments can lock the facility as though there is no access to the corporate offices of the business, and subse- quently determine whether the BCP in fact can help resurrect the busi- So how do we Start? ness without being physically able to access the business. The next sections summarize the major phases of an effective BCP strategy and effort, which you can adapt to your own company’s specific needs and requirements. The first place to start, before Phase 1 is even PhaSe 6: finalize the Plan explored, is to define the team within your organization that will be In this phase, you will finalize the plan, involve all members of the com- charged with managing this effort. This is an ‘all in’ process — any key pany in building awareness and responsibilities, and establish proce- processes or personnel left out can lead to an incomplete and ineffective dures that allow for the plan to be activated if and when needed. You plan, if and when the time comes to enact it. will want to update the plan as changes in the business dictate and test the plan after updates are authored and provided for. The plan is a living PhaSe 1: what conStituteS a diSaSter for uS? document and can represent the lifeblood of the business if and when In this phase, business leaders in your organization discuss the many failure occurs, for almost any reason. realistic causes that could impede or stop the flow of business. This In order to obtain a successful BCP, each of these phases must be brainstorming session will yield causes that include earthquakes or other addressed. Your entire firm must adhere, and any missing components Acts of God; intentional or accidental fire; theft; internal and/or external will likely lead to disastrous outcomes. Feel free to utilize these steps as malicious intent; and even those as simple as spilled coffee on a key- a basis in your contingency plan, but also allow for growth within the board or laptop, traffic incidents that delay deliveries of product or sup- process to fit the needs of your practice and your clients. ■ plies, as well as a host of other instances. From our experience, we urge you, as a going concern, not to underestimate the impact that a disgrun- tled employee or competitor can have on a business’ ability to continue. Robert (Bob) Green, CPA.CITP/Partner and Rick Mark/Senior Manager are Information You should also always plan for intellectual property theft and Internet- Management professionals in the Enterprise Risk Management Services group at Singer- born hacking. Lewak, LLP, one of the western United States’ largest CPA and Consulting firms with six offices in California. This group provides CIO and CTO advisory services, as well as Governance, Risk and PhaSe 2: BuSineSS imPact aSSeSSment Compliance advisory/audit services to privately-held In this phase, you will analyze the impact of the realistic disaster causes and SEC registrant enterprises. Bob presently serves identified in Phase 1 on business processes and departments. The corre- on the AICPA’s Certified Information Technology Pro- lation of causes and effects on business processes is fundamental in the fessional (CITP) credential committee. They can be re-generation of the business process after a disaster scenario. During reached at [email protected] and RMark@ this phase, the team will gain a deeper understanding of what will need SingerLewak.com. Bob Green rick mark to be planned for, in each scenario, for each business unit/department. 81% of practitioners do NOT have a written disaster recovery plan. Source: The CPA Technology Advisor's Productiviy in Practice Survey (2008-2010) www.CPATechAdvisor.com/productivity Reprinted by permission ©2010 The CPA Technology Advisor • 420 N. Kickapoo, Shawnee, OK 74801 • 800-456-0864 • www.CPATechAdvisor.com