Skip to main content
Tuesday, June 18, 2013

Summary View of Business Continuity Management

Business continuity planning projects, like disaster recovery projects, are initiated for many reasons, such as:

  • Ensuring the agency continues to provide critical services to the public.
  • Reducing the cost of disruption and emergencies.
  • Promoting regulatory and or statutory compliance.
  • Providing a structured return to business after the event.
  • Enabling agencies to protect their employees and the state's physical and financial assets by mitigating risk efficiently and in a cost-effective manner.

Whatever the reason, committing funds, resources and time to implementing a business continuity management program, as well as understanding the ongoing cultural change that will become a long term, integral part of day-to-day business, is critical.

It is important to determine management priorities and which functions are critical in their minds, to keeping the agency doors open even in the face of disaster. When necessary, a cost/benefit analysis should be prepared to demonstrate the benefits of ensuring the protection and availability of those critical functions. A cost/benefit analysis should include:

  • Business continuity plan start-up and ongoing costs associated with the resources, time and effort necessary to the plan, as well as any third party contracts that may need to be created. An ongoing annual cost should also be calculated to include plan maintenance, administration, awareness, training and testing.
  • An estimate of the rebuild costs if a business continuity plan is not developed. Things like potential employee recruitment and new hire costs, technology replacement and potential moving costs should be included. Financial and/or operational impacts related to the critical functions of the business not being performed should also be estimated.
  • Potential savings to the business should also be investigated and reported to management. These savings could include:
    1. Preferred insurance risk status among insurance carriers.
    2. Appropriate recovery strategy for critical functions.
    3. Proactive plans and procedures that will minimize the cost of disruption due to a catastrophic event.

It is important to find out what management really cares about in running the business and which elements are critical in their minds, to keeping the business doors open even in the face of disaster. When necessary, a cost/benefit analysis should be prepared to demonstrate the benefits of ensuring the protection and availability of those critical elements. A cost/benefit analysis should include:

  1. Business continuity plan start-up and ongoing costs associated with the resources, time and effort necessary to the plan, as well as any third party contracts that may need to be created. An ongoing annual cost should also be calculated to include plan maintenance, administration, awareness, training and testing.

  2. An estimate of the rebuild costs if a business continuity plan is not developed. Things like potential employee recruitment and new hire costs, technology replacement and potential moving costs should be included. Financial and/or operational impacts related to the critical functions of the business not being performed should also be estimated.

  3. Potential savings to the business should also be investigated and reported to management. These savings could include:
    1. Preferred insurance risk status among insurance carriers.
    2. Appropriate recovery strategy for critical functions.
    3. Proactive plans and procedures that will minimize the cost of disruption due to a catastrophic event.
[Return to the top]

Phase I - Information Gathering...

Structure - Once the approval of senior management is obtained, a high level message should go out to all employees expressing the following:

  1. Management support.
  2. Expectation of employee cooperation.
  3. A brief overview of the objectives of the planning effort. A business continuity team should be established consisting of:
    • A business continuity coordinator who manages the activities of the team; timelines and budget; and reports to senior management.
    • Departmental representatives and a backup that understand the inner workings of each functional area and are able to answer questions contained in a Business Impact Analysis.
    • One or two key resources from technology who would understand the underlying technical issues as recovery requirements are prioritized.

Budget - This phase requires the most participation from the employee population but should be the closest to "true" cost as we are mainly dealing with employee time. This one-time cost could have been reported in the cost/benefit analysis.

Timelines - Timelines should be established based on employee availability but should be as aggressive as possible while everyone is still aware and supportive of the initiative. Probably the longest and most time consuming of the three phases.

Milestones - Milestones during Phase I can include:

  • Completion of the risk analysis/assessment and reporting the results to senior management.
  • Completion of the business impact analysis and reporting appropriate recovery alternatives to senior management.
  • Establishment of the emergency response teams, their responsibilities and informing employees of who those team members are.
  • Management decision on a recovery strategy that will best suit the established recovery requirements.

Phase II - Plan Development...

Structure - Once an appropriate recovery strategy has been chosen by management, the following additions to the project team may be necessary:

  • Legal counsel to complete any necessary third party contract negotiations.
  • Senior management with signing authority for third party contracts.
  • Technical writers for plan documentation.
  • Human resources/property management and the local emergency authorities to document emergency response procedures.
  • Communications representative with media training to develop first response scripts.

Budget - Budget items could include:

  • Consultant or contract resources.
  • Media management and communications courses.
  • Plan documentation software and training.
  • Any third party contracts that are established.

Timelines - Timelines will vary depending on:

  • Whether third party contracts are evaluated and established.
  • Participation and availability of departmental planning resources.
  • Whether technical writers are used for plan documentation.
  • Software training, if required.

Milestones - Milestones for this phase could include:

  • Completion of third party recovery provider contracts.
  • Completion of each departments or business units recovery plan.
  • Completion of the technical recovery solutions to reflect established Recovery Time Objectives (RTO).
[Return to the top]

Phase III - Business Continuity Process...

Structure - The two main focuses of the business continuity coordinator in this phase are:

  • Developing initial awareness and recovery training for all employees.
  • Coordinating and scheduling the first recovery test for the organization.

The project team should continue to forward status reports to senior management however, the frequency of those reports may drop down to once a month. The project team for employee training might consist of:

  • The project manager who coordinates the activities of the teams, manages timelines and budget, and reports to senior management.
  • Representation from human resources or the internal training department.
  • Representation from one or two key divisions to review and evaluate the training material.
  • Outside resources (if necessary) which specialize in employee awareness and training for business continuity.

The other set of activities that will be happening at the same time is for a team to develop a test plan, script and schedule for an initial restoration and/or recovery. To accomplish this, a project team needs to be assembled which should include:

  • A business continuity coordinator.
  • Technology support representatives.
  • Human resource representatives to facilitate travel or other related issues (if necessary).
  • Representatives from the departments to be tested.
  • Representatives from the recovery site provider (if necessary).

Budget - Budget estimates will vary depending on whether training and awareness programs are developed in-house or purchased from an outside vendor. In addition, creating a testing budget will depend on whether the testing will be done in-house or at an off-site or third party facility. Charges for using these facilities should be determined during the negotiation process in order to facilitate the testing budget process.

Timelines - Timelines for this phase are never ending as testing and education should be ongoing. Testing and education schedules should be developed for each new year and far enough in advance to ensure appropriate participation.

Milestones - Milestones for this phase could include the announcement that all employees had completed initial awareness/training classes and business continuity information has been included in the established newcomer's orientation. This should also include the completion of the first recovery testing.


[Return to the top]
Business Continuity Planning
Additional References
Home   |  SORM Rules  |  State of Texas  |   Statewide Search  |   State Auditor's Fraud Hotline
State Link Policy  |  Texas Homeland Security  |  Governor's Committee on People with Disabilities
Site best viewed in IE 6 and NN 7 with Javascript Enabled
For questions about this site: SORM Webmaster     

Page last modified: May 09, 2012 @ 03:09pm C.S.T.