Business Continuity Planning

Business continuity planning is a practice identifying all the processes and actions necessary to permit an organization to perform its crucial functions and activities during and after a disaster. It is the end result of the planning process by which an organization determines how it can continue to function in the event of a future disaster, and it is the starting point for action within an organization that finds itself trying to keep going after a disaster has occurred.

An organization without a written business continuity plan (BCP) has not prepared to cope with a disaster. A BCP is not complete if it does not clearly identify the vital initial steps undertaken by key members of an [Page 40]organization (managers, key departments, key employees) immediately following a disaster.

The BCP is key to the successful deployment of business continuity management (BCM) within an organization. BCM is a holistic management process that attempts to identify and understand the potential impacts of crucial and urgent risks, threats, or hazards that could affect organizational operations and activities and ensure that these risks can be reduced, minimized or addressed in an effective way. It further plans to use effective and efficient measures to continue essential business operations to at least a predetermined minimum level during and after a crisis or any disruptive event. It also provides a framework within an organization to build resilience and the capability to respond effectively during an incident in order to maintain the interests of key stakeholders as well as the reputation of the organization.

Originally, BCM was developed to prevent technology failures; hence, it focused on the protection of the public utility infrastructure from computer failures and the recovery of computer systems and facilities of large organizations, such as banks, government departments, electricity companies, and health authorities. They focused on prevention of and response to external physical hazards such as fire, floods, and terrorist activities. In order to protect the public interest, such organizations need to carry out operational continuity exercises regarding information services and data recovery.

In the 1980s, organizations were required to produce a BCP according to regulations such as the U.S. Foreign Corrupt Practices Act and the IS Security Standard (BS7799) in the United Kingdom. Business continuity planning still focused on the contingency measures necessary to protect IT and hard systems. During this period, they were aimed at mitigating the risk of a disaster and producing a survival plan to ensure the organization could survive and recover from a disaster.

From the 1990s, scholars have started to use a socio-technical approach to link BCM and crisis and risk management. BCM has been applied to a wider range of functions within an organization, including human and social factors. It has started to concern the organization itself and the potential to include the organization's values. The focus has shifted from technology and auditing approaches to the social and technical systems perspective. It emphasizes the value chain, the chain of activities taking place in an organization, and also engages stakeholders and customers in the planning process. Hence, a BCP may now include telecommunications, human resources, vital records, risk management, security, environmental concerns, and product recovery.

...