
Business Contingency Planning 101

by Kelley Goggins

Welcome to the wonderful world of contingency planning!
You are charged with developing, implementing, and maintaining the business contingency planning program for your company. You must provide leadership and guidance in maintaining integrated continuity of critical business functions. You will assist management in achieving timely recovery of business operations in the event of an interruption.

Contingency planners act as a focal point for their companies in any situation involving contingency planning or emergency response. The contingency planner plans the integration of a series of tasks, procedures, and information that direct actions at the time of a business interruption in order to reduce confusion, improve communications, and achieve a timely continuation/resumption of business. Your skills and projects are essential assets for your company.

Your roles and responsibilities include:

  • Setting strategic direction and plans for all business units to ensure business continuity and effective emergency management.
  • Integrating the contingency planning process across business units when the nature of the business requires it.
  • Providing consulting services and direction to senior management.
  • Coordinating and integrating the activation of emergency response organizations with the business units.
  • Providing periodic management reporting and status.
  • Ensuring executive management compliance with the contingency planning program.
  • Ensuring the identification and maintenance of all critical business functions and requirements.
  • Developing, implementing, and maintaining policy and guidelines for all business units to follow.
  • Developing and maintaining testing and maintenance programs for all contingency planning functions.
  • Providing training, maintenance, and support for approved contingency planning tools.
  • Providing primary contact for their company to handle coordination response during a business interruption.
  • Acting as a resource for contingency planning efforts within the company area of responsibility.
  • Securing appointment, training, and backup of all contingency planning and response teams.
  • Assisting in the design and maintenance of alternate sites.
  • Maintaining currency of all contingency planning documentation, including all deliverables.

Introduction to the Planning Process
A business contingency plan is a set of procedures that defines how a business will continue or recover its critical functions in the event of an unplanned disruption to normal processing. Managers initiate business contingency planning to ensure that there is minimum disruption to their business processes in the event of a major interruption to services that normally support those processes.

The risk of potentially disastrous losses from business interruptions compels planners to use a common methodology for business resumption planning. A common approach is beneficial because it ensures that all issues are considered, simplifies the planning process, provides a level playing field for establishing priorities between business units, and simplifies invocation of the plan.

The basic steps to developing and exercising a business contingency plan include:

  • Project initiation and management
  • Risk analysis/reduction
  • Business impact analysis
  • Recovery strategies
  • Developing the plan
  • Exercise and maintenance of the plan
  • Training and awareness program

Hidden Benefits of the Planning Process
Contingency planning is a necessity that has turned out to be beneficial in more ways than ever expected. Beyond ensuring a business function's viability during and following a disaster or unexpected situation, contingency planning efforts have led to significant improvements in the daily operations of many business units.

While researching and documenting a contingency plan, hundreds of single points of failure (SPOFs) may be found. (A SPOF is any single input to a process that, if missing, would cause the process or several processes to be unable to function.) Once identified, these SPOFs often can easily be eliminated -- or at least have their damaging potential reduced. Many business functions also have witnessed process improvements as a direct result of their contingency planning efforts, particularly while exercising business resumption plans.

Many business functions call for duplication in order to ensure continual operations. In these cases, many of the inputs to a given function are simply duplicated elsewhere so that there is a backup should the primary input fail. This is common with electronic inputs such as telephones and computers. A hidden benefit of installing backup systems is that through load sharing, the backup can be utilized to increase efficiency during normal daily operations.

There are more benefits. No other process does a better job of making a business assess its operations and processes than the structured exercise of planning what to do when the building, the full staff, information systems and communications are not available.

Get Started
A viable business resumption plan cannot be developed overnight. It is better to adopt a phased approach to planning in order to provide the most protection for the organization in the least amount of time. The process to formulate a viable contingency plan is shown in Figure 1.

Before the project can even start, it must have total senior management support. You must work with senior management to define and agree on the scope of the project. Once the scope is determined, you can estimate the project resource requirements and define a timeline and deliverables.

You alone cannot write the plan. You must establish a planning team to develop the recovery procedures; at this stage, the business functional senior managers must make a commitment to provide the resources to support this process.

Make sure all employees are aware of the plan and its contents. Make certain they know and understand their business function classifications as they will be used during emergency situations. Build contingency planning awareness into your new hire orientation. Conduct tests with different groups. Awareness by all is the key. Share the responsibility.

Analyze Risk
Identify the risks for which you must plan. Basically, there are three elements in the risk equation: threats, assets, and mitigating factors.

Threats are events or situations that would cause financial or operational impact to the organization. These are measured in probabilities, such as "may occur one time in 10 years." Each threat has a duration of time that the business or operation would not be able to function in its normal manner, if at all.

Assets are composed of the physical assets that are owned by the organization and its financial assets as well. Revenues lost for the duration of the incident, additional costs to recover, fines and penalties incurred, lost good will or competitive advantages all are components in the assets figure.

Mitigating factors are the protection devices, safeguards, and procedures in place that reduce the effects of the threats. They do not reduce the threat; they only reduce the effect of the threat. Examples of mitigating factors in use include uninterruptible power supplies (UPS) and generator backups for replacement power, sprinkler systems to control the spread of fire, and access card readers to control physical access to company space.

Some things to review during this process are the facility infrastructure, computer and communication recovery, and business function processes and components to help identify the kinds of risks and controls in place. During this phase, additional controls may be recommended to mitigate the effects of a particular risk identified.

Analyze Business Impact
The impact to your company should be measured in operating impact, financial impact, and legal and regulatory impact. Your business will be forced to operate in a manual mode for a significant period of time following the business interruption. Information normally available at the touch of a button will require tedious research and manual labor. The efficiency of your business will suffer, and management will be faced with making vital decisions to carry the operation through the crisis.

Your business may experience some serious financial losses as a result of the business interruption and many of those losses may not be covered by insurance. Should your billing, receivable, and collections business functions be crippled by inaccessibility of information, your cash flow will suffer. Management will not be able to manage working capital if they cannot determine what it is in a timely fashion. Risks are that lost customers will never return, the business' credit rating may suffer, and significant costs may be incurred for hiring temporary help.

Your business has contracts with outside suppliers, customers, and vendors. After a disaster, will you be able to fulfill the legal requirements of these contracts and pay the penalties if you can't? If your business is unable to meet reporting or filing deadlines to regulatory agencies (FDIC, state, federal), your business will incur penalties. There is also a potential for lawsuits; for example, it is illegal in Massachusetts to pay employees later than six days from the termination of the work week.

During this phase of the business contingency planning process, the planner will need to identify the critical functions within the business. These can be identified by listing all functions performed, determining the impact an incident would have on each function, and estimating the business loss for the duration of an outage. This process is often completed by conducting interviews with business functional managers and employees and/or by survey or questionnaire to the functional managers.

Remember financial assets as well as the physical. Lost revenues, additional costs to recover, fines and penalties, lost good will, and delayed collection of funds could be impacted in a disaster. Once you have determined the impact of an incident on a business function, you can determine the recommended recovery timeframe for the function. Each function should be classified by the following:

  • AAA: Immediate recovery. No down time allowed. Requires implementing an in-place, fully equipped, and staffed alternate site.
  • AA: Up to four hours to recover, but requires an installed, in-place, functional alternate site which can be staffed and functional within four hours.
  • A: Same day recovery required but can be set up anywhere (hotel room, home, etc.).
  • B: Up to 24 hours downtime
  • C: 24 to 72 hours recovery
  • D: 72 hours or greater

As part of this process you also must identify the technologies that are owned and supported by your business unit. These would be your LANs, LAN applications, client/server based applications, etc. These must be identified as a business function, prioritized, and, if critical, must have a recovery strategy and procedures.

It is crucial that the internal and external dependencies for the business function be understood and documented. This includes identifying all the inputs to the function and where they come from, all the outputs of the function and where they go to, as well as system application dependencies.

Once the critical and necessary business functions have been identified, the next step is to establish the resources that are required to continue to perform those functions. In recovering from a disaster, there are normally two phases defined:

  • Response: in the period immediately following the disaster, the emphasis will be to keep the business running at the minimum acceptable level.
  • Recovery: in the longer term, the business will need to be restored to its original performance. Identification of all resources required to support the function is required to facilitate the longer-term recovery.

Plan Recovery Strategies
Once the critical and necessary business functions have been identified and their recovery requirements known, the next step is to establish the resources that are required to continue to perform those functions. During this phase of the business contingency planning process, you will use the information gathered in the business impact analysis to identify potential recovery options and their associated costs, present the options to management, and get agreement on the approach to be taken and to spend the required amount.

The options for achieving the recovery must be investigated, costed, and compared against the potential cost of failing to recover. Recovery strategies will be driven by the recovery timeframe of the function. Recovery options might include the following:

  • Self-service: A business unit can transfer work to another of its own locations which has available facilities.
  • Internal arrangement: Training rooms, cafeterias, conference rooms, etc. may be equipped to support business functions.
  • Reciprocal agreements: Other business units may be able to accommodate those affected. This could involve the temporary suspension of non-critical functions at the business units not affected by the outage.
  • Dedicated alternate sites: Built by your company to accommodate critical function recovery.
  • External suppliers: A number of external companies offer facilities covering a wide range of business recovery needs.
  • No arrangement: For low priority business functions it may not be cost-justified to plan to a detailed level. Provided good business judgement is used and the risks are understood and accepted, it is reasonable to have no formal arrangements in place.

The minimum requirement would be to record a description of the functions, the maximum allowable lapse time for recovery, and a list of the resources required. The above options relate first to the availability of space and second to the availability of equipment and supplies with which to perform business functions. With some it also will be necessary to have arrangements with suppliers to provide equipment, supplies, services, and personnel. In all cases, arrangements must be in place for the recovery of vital records and documents.

The backup and protection of all vital/critical records is necessary to ensure their availability after a disaster occurs. The storing of vital/critical records offsite in a time-synchronized way allows management to have information with which to rebuild their business functions. During this phase of the planning process you need to determine:

  • What are your business' vital records?
  • Where are they stored?
  • Are they backed up? How?
  • How frequent are the backups?
  • What is included in the backups?
  • How can you obtain the backups?
  • Who is authorized to retrieve them?
  • How long will it take to retrieve them?
  • Where will they be delivered?
  • How long will it take to restore them?
  • Who will restore them?

Document the Plan
Once the recovery strategies have been agreed on, the plan must be defined and documented. Each business unit plan should be flexible enough to respond to any type of incident. The two major scenarios you must plan for are as follows:

  • The building you physically do your work in is not available to you and you must recover at an alternate site.
  • The systems services you depend upon are not available and you must continue the critical functions without them.

The plan must include the following:

  • An introduction, explaining why the plan is necessary and detailing its scope: who is included, and the range of events covered.
  • A definition of the crisis management structure, giving details on the roles and responsibilities of everybody included.
  • Procedures to be followed in the event of the disaster. These would include an alert process when an incident is first discovered, incident or damage assessment, declaration procedures, notification procedures, and team procedures.
  • Location and procedures to be followed to activate the command center.

The contingency planner must define the teams necessary to support the recovery.

A combination of one or more of the following teams is generally used, depending on the size of the business unit and the number of critical functions to be recovered.

  • Executive team: senior executives in the business unit who have overall responsibility to your company for the recovery of the critical functions.
  • Management team(s): operate in the command center and are responsible for managing and controlling the recovery efforts.
  • Response team(s): generally one team for each critical function. These people go to the alternate site and/or execute the recovery procedures.

Each business unit must have an emergency notification list. This list contains the phone numbers, beeper numbers, home numbers, etc. of each team member, as well as the contact list for internal and external vendors, internal or external customers, and other commonly used numbers that may be needed in a disaster (corporate travel agent, alternate site contacts, security, corporate communications, offsite storage vendors, etc.).

Each plan must have documented procedures for handling an incident that may result in the activation of the business resumption plan. It must document how an incident is identified; who is notified; how and by whom damage assessment or business impact are determined; who can make the decision to declare a disaster; and procedures for declaring the disaster. The plan activation procedures must include procedures for alternate site notification, offsite storage retrieval, emergency notification to the teams, and procedures for activating the command center(s).

Once the plan has been activated, a general action plan that summarizes the tasks to be executed to implement the recovery process should be included in the plan. In addition, a checklist for each team member, detailing recovery procedures for each critical business function, needs to be developed. These procedures need to be detailed enough that someone with a similar skill set should be able to execute them without having ever performed the task before.

Documentation on how communication will be handled both to internal customers and to external customers or clients is critical during the recovery process. It is very important that employees understand how to deal with the media and how to discuss the incident with customers on the phone or in person. It is very important that everyone be telling the same story at the same time. Procedures for handling media and customer communications must be included in the plan.

For insurance purposes, it is important that costs associated with the recovery effort be tracked and that payment for purchases of needed supplies and replacement equipment be expedited. Procedures for handling finance issues must be included in the plan.

Human resource issues such as employee injuries, fatalities, family issues, trauma, etc. must be managed during the disaster. Procedures for handling these issues must also be included in the document.

Appendices can be used to contain common procedures, alternate site locations and directions, company-approved hotels, and any other information that may be useful in a disaster.

Exercise, Maintain, and Train
The plan should be exercised and tested on a regular schedule. Exercises also provide the opportunity to train the staff on the procedures documented in the plan. Plan reviews should be performed on a regularly scheduled basis and must occur at least annually. These reviews should be linked where possible to ensure the details of significant business changes are correctly incorporated into the plan. Results of the review should be formally reported and, where appropriate, the plan should be updated.

About the Author
Kelley Goggins has more than 20 years of experience in various aspects of contingency planning. A Certified Business Continuity Professional, she is currently responsible for the Corporate Contingency Planning program for Boston, MA-based Fidelity Investments business units.

Article reprinted with permission from Contingency Planning & Management magazine. Original Publication: March 1999









All Original Content Copyright 2002 Centurion Disaster Recovery. All Rights Reserved. Centurion Disaster Recovery is a division of Jack Henry & Associates, Inc., Where Tradition Meets Technology.