Business Continuity Planning

Business Continuity Planning

2017, Jul 23    

How is it different from Disaster Recovery you ask? Let me tell ya!

Business Continuity Plan (BCP)

Focuses on sustaining an organization's mission / business process during and after a disruption.

If the technology fails then, business processes become jeopardized, economies of scale dismantle, competitive advantage lost, and viability is suspect until the problem mitigated.

Used in long-term recovery in conjunction with a Continuity of Operations (COOP) Plan.


Continuity of Operations Plan (COOP)

A COOP focuses on restoring an organization's mission essential functions (MEF) at an alternative site and performing those functions for up to 30 days before returning to normal operations. Minor threats or disruptions not typically addressed.

Standard elements include:

  • Program plans and procedures
  • Risk management
  • Budgeting and acquisition of resources
  • Order of succession
  • Delegation of authority
  • Continuity facilities
  • Continuity communication
  • Vital records management
  • Human capital
  • Test, training, and exercise
  • Devolution
  • Reconstitution


Business Impact Analysis

The purpose of the BIA is to be a structure research method that probes how business processes use technology. It’s used to demonstrate an analytical process that captures real evidence of performance and dependency through internal analysis and benchmarking. There are five goals related to conducting a BIA:

  • Identify the core technologies.
  • Identify the core stakeholders
  • Identify the business processes impacted by downtime
  • Prioritization
  • Containment of risk and liability during downtime.

What is the role of the BIA?

The intent is to document how each business unit depends upon technology and what catastrophic effects there would be in the event of a specific form of outage.

How is a BIA conducted?

With an emphasis on business process analysis, dependency studies, metrics, stakeholder roles and responsibilities, consensus-driven evaluation and approval, and functional assessments.

Quantifying Metrics

Metrics can give management something that can be related to dollar terms so that countermeasures can be evaluated in the same way. The expense to safeguard an asset should not exceed that value of the asset.

Exposure Factor

Exposure Factor is the percentage of loss a realized threat would have on a specific asset.

Single Loss Expectancy (SLE)

Single Loss Expectancy is the monetary amount assigned to the loss due to a single event.

Annual Rate of Occurrence (AR)

Annual Rate of Occurrence is a probability that the risk/threat will happen in any given year.

Annualized Loss Expectancy

Annualized Loss Expectancy is the monetary amount that represents that annually expected loss to an organization from a threat.

SLE * ARO = ALE


How do information system assets relate to critical business functions through BIA?

Say there’s an IT Data Center (an Asset) valued at $450,000.

In executing the TAM, a catastrophic vulnerability is identified: a flood.

It’s projected that a flood would damage 75% of that asset (EF).

This SLE would equal $337,500.

The risk or probability of the threat agent exploiting the vulnerability is ARO.

Annualized Rate of Occurrence is measured as 1 year, 10 years = 0.1

If the company is in a 100-year flood plain, ARO would equal 0.01

Leaving an Annual Loss Expectancy of $3,375.00

How is a BIA presented to senior management?

Risk management, disaster recovery, and contingency planning all require commitment from senior level executives. Arguing the importance of BIA process and how it's relevant to competitive advantage can be explained several ways.

  • Contains the risk of dependencies upon technology to reduce costs.
  • Provides visibility and transparency to business processes.
  • Strengthens stakeholder accountability.
  • Articulates roles and responsibilities.

Recovery Strategies

Before jumping in developing recovery strategies several things need to happen.

  1. Establish clear definitions of what a disaster is.
  2. Create clear lines of authority and responsibility and accountability.
  3. Foster management's commitment to the problem of risk management.
  4. Create a method for analyzing risk similar to that of quality improvement.
  5. Demonstrate quantifiable cost of risk and articulate benefits.
  6. Generate documented outcomes that can be used to evaluate performance.

Areas of concern:

  • Data backup and fault tolerance. Single large or redundant array of drives.
  • Network redundancy and alternative channels of data communication.
  • Power redundancy and shielding. Cleaning and stabilizing power.
  • Catastrophic disasters - Mirror, hot, warm, and cold sites.
  • Asset and Vendor Management. Third parties.

Mitigate the impact of Business Disruption.

Recovery strategies are options, and not every option is practical or feasible. But a Disaster Recovery Plan should articulate how to implement the Recovery Strategy in a time of crisis.


Here is a link to NIST 800-32 REV.1 Enjoy!