A Business Continuity Plan (BCP) is a valuable tool for the preparation in the event of an unforeseen disaster it affects your business. Most organizations readily agree with this fact that you need a BCP. However there is great disagreement within the organizations in which the question arises "how much planning is enough?". A BCP is a great barrier against unforeseen work stoppages, but do not have a cost. The creation, revision and testing of a BCP costs time and money; time employees spent writing and testing the plan, more money spent on contracts with backup suppliers and consultants. This is when the management began to question the value of BCP and decisions need to be made to balance the flow of emergency planning against the cost. At that point you're spending too much for the value you are getting?
A part of this question is answered in the risk assessment and business impact analysis phase of the BCP creation. If implemented properly, the items identified to be of sufficient risk to the business must request emergency plans. The scope (and the cost) of contingency plans should be proportionate to risk. For example, an information site may not require the same level of redundancy and recovery time goals as a tracking system. This is evaluated by business and supported by the BCP test results.
But beyond this, how to know if the BCP is appropriate? There's more you can do ... without doing too much? A great way to gain insight into the robustness of your particular BCP is to examine the most common types of BCP failures; situations in which the BCP did not guarantee the recovery time of the business objectives. Take a look at these common reasons why BCP fail to meet the goals and then carefully assess your BCP against these areas.
But what are the most common reasons why BCP does not live up to expectations?
1. The reasons to implement the BCP are not supported at the top.
I was involved in organizations where BCP were being implemented, or because it seemed the right thing to do or someone thought it was a good idea, because the auditors have been rescheduled to appear at the soon. The problem was that the senior management has never been on board with this idea and so no one below them really believed that this was worth spending the time or money. The result of this is a large set to search for documents with very little behind it. Example: BCP says "if the site is inaccessible, all employees working from home and go to a contact production site." This sounds great, but is it feasible? If there is no IT infrastructure in place to allow everyone to work from home, and the management in not willing to negotiate a contract for the emergency services with a contract manufacturer, because both of these items have a cost, then the plan it is bound to fail if you really need.
2. BCP does not look at the whole company.
Many organizations confuse Disaster Recovery Planning (DRP) and Business Continuity Planning (BCP). DRP focuses on IT systems, while BCP focuses on the entire company and organization. It 'nice to be able to recover your IT systems, but if people are not available for their use, or the manufacture of non-deliver products to customers, so the plan is not complete.
3. Holder of the BCP is not clearly identified.
In order for the plan to succeed, there must be an owner who is responsible for managing the BCP. The owner must also have sufficient authority to make business decisions for the allocation of resources to activities relating to BCP, risk assessment, and the authorization of expenditure for BCP. Hands-ion activities such documentation can be delegated to others, but the owner's responsibility to make sure the plan is maintained, up-to-date, and tested. In many organizations, the owner is a person (or, worse, a lot of people) in the direction which aims to "Just get it done! It do not bother me with details" and then delegate all responsibility to manage the other top people they do not have the authority to implement the plan, nor approve the associated expense. The result is similar to the entry # 1 in which you end up with a large set of documentation look without any value behind it. Sometimes, the owner is a person IT and then enter the matters described in paragraph # 2 in which the plan is heavily focused on DRP rather than looking at the entire company.
4. inadequate training BCP.
E 'essential that all members of an organization are familiar with and have been trained on their role (s) within the BCP. Just read the documents may not be enough. Some roles may require the use of different systems or access to information from alternative sources or be familiar with alternative positions. You need to be sure that in case of a real emergency, there is no confusion on what to do. Even with all the changes in progress in enterprises for all the time, it is very important for the formation of new persons in BCP. This is a continuous process that must be kept on the front burner at any time.
5. Inadequate BCP tests.
The effectiveness of the BCP depends on the level and frequency of testing. It's no different from fire drills and emergency evacuation drills; you should be familiar with the process and the best way to do that is to practice a drill simulated disaster. Organizations that do not fully embrace the concept of BCP generally make the minimum tests to keep costs down and not take people away from doing "real work". The result is that during a real emergency, can be found in a situation that was not expected and, therefore, valuable time has to be spent now understand how to solve the problems, rather than the execution of the solutions. Pay now or pay later; additional testing is done up front, the better prepared you will be.
6. Documentation is not updated.
documentsBCP are living documents that take the time to put together and the time to review for accuracy. This time needs to be invested at regular intervals to ensure that the documents are still correct information. If the BCP is writing, signed and filed, never to be looked at again until there is a disaster five years later, it is likely that some, if not most of the information is outdated. Organization trees, phone numbers, addresses, suppliers, customers, the account ID, password, all the changes all the time. It 'important that as part of BCP, there is an allowance for the time to spend on a periodic review of the BCP to ensure it is in progress. This can be annual, quarterly; Whatever your organization consider appropriate, but they should do or the plan's value decreases rapidly over time.
7. insufficient time spent in the planning and evaluation of the BCP strategy.
To create a truly optimized time and effort and value-added BCP requires you to analyze and evaluate information from many sources. This is not something a person working alone can simply zip off to get it checked from the list. Even a large team of expert consultants can not do it overnight alone. They must follow a careful process of interviewing all the key information holders for the organization to ensure that all critical factors are considered before making any recommendation for an effective BCP. These factors include the critical business process, risk factors, impact analysis, recovery time objectives, costs, logistics and problems of people (not necessarily in that order). If any of these factors are skipped over or information is just assumed, then there is a real risk that the plan may not be suitable or may cost more to accomplish that is really needed. Nether outcome is acceptable.
8. inadequate assignments of responsibility.
One of the key success factors for an effective BCP is to assign and distribute responsibilities appropriately. If all critical responsibilities are assigned to a single person, then the system quickly get overloaded and the process slows down, or worse some tasks will fail. If no one is clear who is responsible, then there will be conflicting and unclear direction or not will address key issues. There needs to be a clear BCP leadership to a higher level and therefore a logical distribution of responsibilities at the tactical level. A key element to consider is where there are multiple locations involved; It makes sense to have the BCP structured to function, even if the functions across different locations? Or from the site so that there is a local person on hand to provide leadership as it is necessary? Even for each assignment of responsibility, there must be a primary person and an assigned backup. This ensures the coverage of this area in the case where the main person able to perform this function.
Having this knowledge gives ideas of great value to allow the creation of a robust but cost effective BCP.
0 Komentar