Zinnov recently hosted a working session with its key customer stakeholders to understand Business Continuity Best practices being used by global organizations. The discussion had participation from large technology organizations with a global footprint across multiple locations.
The session focused first on defining BCP within the context of technology organizations. An accepted definition within the group was: a Business Continuity Plan (BCP) ensures that critical products or services are continually delivered to customers even if there is a disruption in business due to various internal or external factors.
Most organizations agreed that Business Continuity planning includes:
1. Plans, measures, alternates, and arrangements to ensure continuous delivery of critical services and products to customers, allow an organization to resume its operations, and recover its data and assets.
2. Identifying key resources including personnel, equipment, information, assets, financial allocations/resources, and infrastructure critical for continual delivery of services and products
The group focussed on the key risks faced by every organization. Some of the BCP risks highlighted by the group included:
• Natural disasters such as earthquakes, fire, floods and tornadoes
• Malicious activities such as vandalism, theft, and fraud
• Technical failures such as network and power outages
• Cyber-attacks and hacker activity
The discussions focused on addressing some of the key misconceptions prevalent in organizations on business continuity planning.
1. A major misconception within organizations is that insurance is an adequate and sufficient component of BCP.
2. Another misconception within organizations is the belief that most BCP risks can be managed with the support of employees.
3. Another key challenge to BCP is the belief amongst senior management that investments made towards BCP tend to exhaust company resources.
The group discussed at length and settled on some of the key best practices for Business continuity planning:
1. Define Crisis Management, Disaster Recovery, Business Continuity Planning, and educate all the employees about the same. This will make employees aware of what they are expected to do in the scenario of a business disruption in order to maintain delivery of essential operations.
2. Assess critical organizational risks through vulnerability assessment i.e.
• Business Impact Assessment
• Risk Assessment
• Vendor Assessment
• Work Force Assessment
3. Acquisition risks should be taken into consideration while designing the business continuity plan
4. Business continuity plans should be made part of contract agreements with customers and 3rd party service providers
5. Establish a BCP team focused on designing/compiling a business continuity plan which identifies actions that an organization should take to minimize the adverse effects of potential disasters.
It is essential to identify the lines of authority, succession of management, and delegation of authority. For example: A BCP manager could be appointed for each business unit with a BCP coordinator for sub-functions. All BCP coordinators can report into a regional BCP coordinator.
Ensure that communication protocols are well-established for BCP coordinators with employees and senior management.
6. Define roles and responsibilities of team members in the BCP team.
For example: The role of a regional BCP coordinator should be to educate employees, draft BCP policies, conduct dry runs, perform business impact analysis, and manage down-time.
Ideally, crisis management and disaster recovery teams should report into the BCP team for better coordination.
7. Create and share distribution lists for crisis teams, BCP managers, and executive sponsors to communicate about eventualities.
8. Ensure redundancies and geographical distribution of resources with critical skill sets to effectively manage down-time in a region.
9. Synchronize data centers to create backups at different geographic locations
10. Run BCP simulations to check the readiness of the plan in place
11. Build and enable ‘work from home’ capability and maintain metrics for the difference in BI created because of this capability
12. Create demilitarized zones with differential access permissions for BYOD scenarios
13. Monitor use of open source code in product releases
14. Centers outside headquarters should align to the Global BCP strategy. In addition, they should also allocate sufficient funds for BCP in their planning cycle.
Business continuity planning has become more critical in a globalized environment. The impact of any risks on global customers and employees makes it essential to implement a BCP program within any technology organization.