When disaster strikes... A guideline to business continuity awareness

Table of contents

List of abbreviations

Table of figures

1 Introduction
1.1 Motivation
1.2 Context and assignment of the thesis
1.3 Goals of the thesis
1.4 Methodology

2 Singapore’s cultural dimensions
2.1 Singapore State
2.2 Hofstede’s Dimensions of Culture
2.2.1 Power Distance
2.2.2 Uncertainty Avoidance (UA)
2.3 Singapore’s SARS crisis

3 Sample AG
3.1 Organization of Sample Pte Ltd, Singapore
3.2 The Corporate Information Office
3.3 BCP of SAMPLE Pte Ltd Singapore

4 Basics – Business Continuity Planning
4.1 BCP as Project
4.2 Definition of Business Continuity Planning
4.2.1 Dimensions of Business Continuity Planning
4.2.2 The BCP planning method
4.2.3 Business Continuity Institute
4.2.4 Disaster Recovery Institute International
4.2.5 The Phases of the BCP development process
4.3 Business Impact Analysis
4.3.1 Definition of Business Impact Analysis
4.3.2 Goals and contents of a BIA
4.3.3 Methods for collecting Data
4.3.4 Key Performance Indicator Review
4.3.5 Process Flows
4.3.6 Questionnaires
4.4 Disaster Recovery Planning
4.5 Testing of BCPs
4.5.1 Walk-through
4.5.2 Simulation

5 Problem analysis
5.1 Analysis of the Business Continuity Plans at SAMPLE PL
5.2 Requirements of the business continuity plans at SAMPLE PL
5.3 GAP-Analysis
5.4 Summary

6 Proposal of solution
6.1 Parameters for embedding of BCP
6.2 Objectives for a solution concept
6.2.1 Change Management
6.3 Strategy for implementation
6.3.1 Simulation Training
6.3.2 Awareness Program
6.3.3 Developing a BCP culture
6.4 Summary

7 Implementation of solution
7.1 BCP Communication
7.1.1 Leaflets
7.1.2 Crisis Information Number
7.1.3 Summary of Business Continuity Plans
7.1.4 BCP Intranet site
7.1.5 BCP podcast
7.1.6 BCP Web site
7.1.7 Crisis Reporting Number
7.1.8 BCP Crisis Conference number
7.2 BCP Process

8 Conclusion and recommendations for future work
8.1 Conclusion
8.2 Achieved goals
8.3 Recommendations

Appendix 1: The Relationship between Business Continuity and Sarbanes-Oxley
Appendix 2: Expert Interview
Appendix 3: Hotel New World Collapse
Appendix 4: Hofstede’s Cultural Dimensions
Appendix 5: BIA Questionnaires
Appendix 6: BCP Organization Chart
Appendix 7: Training Simulation for SAMPLE PL
Appendix 8: Lessons Learned - Communication

References

List of abbreviations

illustration not visible in this excerpt

Table of figures

Figure 1: Our Disaster Recovery Plan Goes Something Like This

Figure 2: Methodology of my diploma thesis, own diagram

Figure 3: Better performance of opaque industries in uncertainty-tolerant countries http://home.uva.nl/r.huang/www/uai_growth.pdf

Figure 4: BC Maturity Pyramid (Hiles, 2000, p.3)

Figure 5: The principal phases in BCM

Figure 6: Time for Recovery – Tandem Clients

Figure 7: Development Process BCP

Figure 8: Business Impact Analysis Process for the Hypothetical Government Agency

Figure 9: BCP as a business process by Elliott, Swartz & Herbane

Figure 10: Crisis Management Team organization chart

Figure 11: Own diagram, BCP Communication

Figure 12: Crisis reporting process flow, own diagram

1 Introduction

illustration not visible in this excerpt

Figure 1: Our Disaster Recovery Plan Goes Something Like This... By Dilbert, Scott Adams

”When there is a crisis, the crisis has to be managed”, was once said by Gerhard Schröder, the former German Chancellor (From: http://www.business-wissen.de/de/aktuell/kat13/akt18759.htm l). In actual disaster situations it is not as easy to handle the crisis and just “manage” it, you better be prepared.

When disaster strikes… these incidents cannot usually be handled with the organizational structures and resources provided for “normal everyday business” and therefore require a business continuity plan.

As we have experienced an increasing number of disaster events over the recent years, big and dramatic events like – the World Trade Center terrorist attack of 9/11, the Madrid and London train bombings, earthquakes in Pakistan, hurricanes in North America or the Southeast Asia tsunami, which were highly recognized in the media all over the world. But at the same time there have been also large number of disasters at a less recognized level, like fires, flooding, building crush down, and so forth. All these events have one thing in common: They can put a company out of business. To prevent that we are not prepared to respond these disaster events, we need to have a plan!

But planning for an event can only be the first step, next we need to implement these plans in our organization and make communicate it, to ensure that every employee knows what to do and how to react in a disaster event. Many organizations fail to actually implement a BCP program because of the perception that it is a process that is too costly, time-consuming, and requires a large amount of resources. Therefore the management must be assured that by investing in BCP, the organization’s life gets protected and that it makes good business sense.

1.1 Motivation

The determining factors for writing a thesis in the field of Business Continuity Planning (BCP) have been on the one hand the necessity of a 24/7-availability of all business relevant systems in the today’s business world and on the other hand the actuality of the topic, due to factors of new threats, requirements arising from e.g. Sarbanes-Oxley Act (SOA) Section 404 (Appendix 1) and the integration into corporate governance processes.

As all Business Units (BUs), Vendors and Customers are connected thru a network of IT-Systems; these systems also became crucial for the success or the failure of a company. But BCP is not solely to be seen as an IT topic, it is more a holistic management program.

For Sample Private (Pte) Limited (Ltd) (SAMPLE PL), Singapore the subtopics like Change Management and a practical approach for an implementation of the BCP were the main causes for assigning this thesis. As there are already Business Impact Analysis (BIA), Risk Analysis (RA) and a Disaster Recovery Plan (DRP) realized, but these plans had to be reviewed and implemented into the organization. Another purpose was to customize the tools and awareness programs for the management and the employees at SAMPLE PL. This is also an important element as every organization and each environment is different from the other.

1.2 Context and assignment of the thesis

BCP as planning for disaster events is also to be seen as a method to prevent crisis for a company in general. It should enable an organization to respond to crisis and/or disasters, to be prepared.

There are many events that can develop into a crisis and/or a disaster. Here are just a few examples: data theft and manipulation with blackmail involved, loss of data through negligence with an adverse PR effect, smear campaign, abduction, hostage-taking, hijacking, blackmail and protection rackets, bomb threats, sabotage, bomb attacks, fire, catastrophes, illegal stoppages/strikes/demonstrations, product piracy, contamination of food, accidents involving injury/death or considerable material damage or serious repercussions for the local population, for employees and/or the environment, business trips and projects in countries with high security risks.

Of increasing importance in crisis management are also the risks associated with the global networking of information and communication systems. These risks include: virus attacks, hacking, “cyber crime”, internet criminality and economic espionage.

The thesis does not cover the whole Crisis Management (CM) of the SAMPLE PL organization, as CM also includes topics like financial risk management and fraud as they are not relevant for the assignment. The formulation of this assignment puts emphasis on a deep analysis of the BCP program. In the scholarly literature BCP is also called Business Continuity Management, I will use the terminology BCP for my thesis, as there is no differentiation given and both terms are used in the same meaning.

Suku Nor, the Business Continuity Manager (BCM) of SAMPLE PL answers, asked about the main focus of implementing a BCP program for Singapore “the difficulties come from the fact that people really are not aware of this topic (…) in the environment of Singapore, people are not aware of possible threats, what gives some additional challenge…” (Appendix 3).

The paper should therefore provide a practical approach to the following problem: How can the implementation of a BCP build awareness of the management and the employees to possible risks and what enables them, to respond efficiently when a disaster strikes?

1.3 Goals of the thesis

The goal of my thesis is to show a way of implementing a BCP awareness program successfully in a big and complex organization and make the BCP entities recognizable by every employee. It should be realized as part of the culture of SAMPLE PL. Because only an ongoing BCP program with a strong focus on awareness and training can be efficient. The employees of SAMPLE PL should be enabled to respond to disaster events which are identified in the performed risk analysis. All members of the organization have to know their particular role and their responsibilities for business continuity.

1.4 Methodology

By giving an overview about Singapore’s regional premises and dimensions of culture (Chapter 2) I want to show the environment and people involved. I am then giving an overview about Sample in general, some facts and figures (Chapter 3), as well as an introduction to the Corporate Information Office (CIO) and its functions within the SAMPLE PL organization. During my time at SAMPLE PL, I was attached to the CIO department, because the Chief Information Officer also has the role of the BCM in the company. The CIO department has to ensure a lot of the requirements for BCP like the Information Technology Disaster Recovery Planning (ITDRP) or Information Security issues. The BCM has to drive the program and coordinate and communicate BCP in the organization. The following Chapter is then giving the theoretical basics to the topic, for an understanding of the underlying terminology and their definitions (Chapter 4). Different methods for performing BCPs and BIAs as well as their testing are explained and the phases and processes are shown. The problem analysis of the BCP program at SAMPLE PL will then be given in the next Chapter (Chapter 5). Here an analysis of the BCP plans at SAMPLE PL and their requirements are brought together. The chapter is finalized by a GAP-Analysis, which shows the main focus and problems that have to be solved. A proposed solution for the difficulties found in the earlier Chapter is then given (Chapter 6) and should help to “bridge the gap”. The parameters and objectives of a solution concept are explained and proposed processes are shown. The actual implemented solution program is subsequently presented in Chapter 7. The introduced BCP communication, with all of its modules can be found as well as a BCP process flow for SAMPLE PL. On the final pages a conclusion and recommendation for the topic is then finalizing the thesis (Chapter 8).

For getting a clear understanding of Singapore’s environment in general and BCP in particular as well as of the SAMPLE PL Company, I had to obtain and analyze information from various resources.

During a six month internship with SAMPLE PL, I obtained all the necessary internal data and information for an analysis of the existing BCP program and its requirements. I also gathered lots of external information in case studies, terminologies and theoretical background of BCP, which could be found in books, online-magazines, internet pages, continuity organizations and surveys.

A lot of information was provided to me during meetings, interviews and talks to colleagues who worked with me on the BCP topic. Throughout my stay in Singapore, I was working very closely with the team and was able to get all needed information and support for the thesis. Carrying out an interview with the BCM of SAMPLE PL helped me to understand the situation and problems better and gave me insight to the realistic every-day management concerns.

A problem I faced by obtaining information about BCP in general and an efficient implementation in particular was simply to find appropriate sources, as:

- The topic is pretty new and not well established especially not in and for the Asian region.
- There is not a lot of existing literature, especially books about BCP.
- The terminologies like continuity planning, disaster recovery or continuity management are used with different meanings in a lot of the variable sources.
- As every BCP has to be adapted to the environment and organization it is difficult to use lessons learned and case studies from past disasters as they may not be appropriate for us.
- Finally the functioning and response of BCP is different from other programs and processes as we can only simulate but not really practice business continuity in the every day workflow.

Although limited by these points, I am sure that the thesis gives a sufficient introduction and customized solutions for the assigned topic.

The following figure gives a structured and visible overview about my diploma thesis:

illustration not visible in this excerpt

Figure 2: Methodology of my diploma thesis, own diagram

2 Singapore’s cultural dimensions

No country has been more dynamic in recent years than Singapore. What are the factors that explain Singapore’s development and what does it mean for its ability in handling risk? To respond this question, it is necessary to have a look at Singapore’s cultural values.

2.1 Singapore State

Singapore is a small city-state with a population of about 4.2 million people, 80% of whom live in high-rise buildings. Geographically, Singapore is located just outside the “Pacific Rim of Fire” and is thus spared from the ravages and destruction caused by natural phenomena such as earthquakes and volcanic eruptions (Source: Total Disaster Risk Management – Good Practices, Asian Disaster Reduction Center). However, being highly urbanized, Singapore’s main challenges are man-made and technology-based disasters. Examples of major incidents are the collapse of the six-storey Hotel New World in 1986 (Appendix 4) and the SARS crisis in 2003 (Chapter: 2.3).

2.2 Hofstede’s Dimensions of Culture

Geert Hofstede is, according to LeBaron (2003) an organizational anthropologist from the Netherlands who did a research which was derived from a cross-country psychology survey of 88,000 IBM employees in 50 countries. He conducted the most comprehensive research exploring different cultural dimensions in international business. Hofstede’s dimensions of culture consist of Power Distance, Individualism vs. Collectivism, Masculinity vs. Femininity, Uncertainty Avoidance and Long-term Orientation vs. Short-term Orientation (Source: http://crinfo.beyondintractability.org­/essay­/culture_ negotia tion/?nid=2381).

For the assignment of the thesis especially two of these dimensions of culture (Appendix 5) are important for a characterization of Singapore when it comes to disaster preparedness. The first dimension is Power Distance (PD): It explains that culture with greater PD will be more likely to have decision-making concentrated at the top and make the important decisions finalized by the leader. The second dimension of culture is Uncertainty Avoidance (UA): The UA index indicates the extent to which individuals fear, and try to avoid, uncertainty. In a culture with strong UA, people have emotional needs for rules and, therefore, tend to rely on formal rules, even if the rules do not work; their rules tend to be numerous and precise. By contrast, in a culture with weak UA, individuals tend to accept uncertainty and have small needs for formal rules (Source: Hofstede, G., 1991, Culture’s Consequences: International Differences in Work – Related Values).

2.2.1 Power Distance

Meriwether (1993) stated in his work Culture Shock!: Singapore that the Relationships in Singapore are hierarchical minted; Singaporeans have strong values and adhere to a hierarchical relationship in society. This is a result of Confucian teaching (pp. 4). They see society as composed of people who are inherently unequal in rank and standing, and differences in rank are signaled and reinforced by the style of the interaction between the parties involved. Deference, respect and formality towards superiors are the norm. In addition, juniors are supposed to keep their opinions to themselves unless specifically and directly asked. Hence, according to Connor (1996) subordinates in Singapore are unlikely to question authority and are less likely to initiate upward communication unless requested to do so because of its culture values: “the importance of status differences and hierarchies” (From: Contrastive Rhetoric: Cross – Cultural Aspects of Second Language Learning, p.102).

Therefore a top-down implementation of new programs and its projects is likely to be accepted and will not be questioned by the staff. The more important factor is to convince the top management to get backing for the program and let them communicate the topic, because the authorities/supervisors are the trusted sources for the implementation of new projects to an organization. According to Hofstede, Singapore ranks on place 13 in the PD index, including values from 50 countries with a PD score of 74. Negotiators of national cultures with a high PD tend, referring to Hofstede (1991) to be comfortable with

- Hierarchical structures,
- Clear authority figures, and
- The right to use power with discretion

(From: Culture’s Consequences: International Differences in Work – Related Values, p.87).

2.2.2 Uncertainty Avoidance (UA)

Indicates to what extent a culture programs its members to feel either uncomfortable or comfortable in unstructured situations. People from UA cultures are uncomfortable with ambiguous situations and seek stable rules and procedures. On the contrary, Hofstede states, that people from cultures with low UA measures are more comfortable with unstructured situations are likely to adapt to quickly changing situations and will be less uncomfortable with ambiguous rules (Source: Culture’s Consequences: International Differences in Work – Related Values, pp. 110).

The figure Rocco R. Huang worked-out for the World Bank shows along the vertical axis, the relative performance of ambiguous industries and along the horizontal axis; the national Uncertainty Aversion Indicator (UAI) is plotted. A fitted line is drawn to illustrate the correlation (Source: Tolerance for uncertainty and the growth of infomationally opaque industries, p. 44).

illustration not visible in this excerpt

Figure 3: Better performance of opaque industries in uncertainty-tolerant countries http://home.uva.nl/r.huang/www/uai_growth.pdf

It shows that Singapore with its extreme low UA score of 8, which means the lowest score of all compared 50 countries, performs very well in ambiguous industries. It is also an indicator why Singapore is, closely linked to servicing Singapore’s thriving port, so successful in the shipbuilding and repairs industry. Today, Singapore is one of the world’s premier ship repair and ship conversion centers as well as a global leader in the building of jack-up rigs and the conversion of Floating Production Storage and Offloading units. Statistics issued by the Singapore Government state, that in 2003, a total of 7,924 ships dentifying 42.83 million gross tons were repaired in Singapore yards (So urce: Shipbuilding and Repairs, http://www.mpa.gov.sg/industrydevelopment/imc/ shipbldg_repairs.htm).

2.3 Singapore’s SARS crisis

The Serve Acute Respiratory Syndrome (SARS) Crisis was an important episode in 2003, testing Singapore’s ability to respond to the outbreak of a communicable disease. It started on 6 March 2003, when the cluster of three Singaporeans with atypical pneumonia was reported. In 30 May 2003, the World Health Organization (WHO) declared Singapore already SARS free. According to the Ministry of Defence, Singapore a total of 206 probable SARS cases with 31 deaths were reported during that period (Source: SARS and the SAF. http://www.mindef.gov.sg/imindef/publications/pointer/supplements/ supplement2004/chapter1.html). In managing the SARS Crisis, the Ministry of Health (MOH) in Singapore played a mayor role; it implemented measures which enabled the operational arm to detect new cases early and to respond effectively to contain new clusters in a SARS outbreak. The response framework has a very clear command structure for decision making. A report published by the Asian Disaster Reduction Center explains the role of the Ministry of Health Operations Group as the operational arm of the MOH; it is dentifyble for planning, crisis management and co-ordination of health services and operations during peacetime. It is also the command and control center during a crisis and is responsible for preventing and controlling major communicable disease events. Therefore it is the nerve centre for all decision-making and early-warning capabilities (Source: Total Disaster Risk Management – Good Practices, http://www.adrc.or.jp/publications/TDRM2005/TDRM_Good_Practic es/PDF/Chapter2_FINAL.pdf).

According to the Ministry of Defence in Singapore, “Only very little was known about SARS mode of transmission, infectiousness and the lethality of its “weaponry” or the mortality rate. The situation was aggravated by the absence of specific treatment, vaccination or chemoprophylaxis5 available for SARS” (From: Source: SARS and the SAF).

Nevertheless there was no panicking on the streets or chaos; people trusted the authorities that they are able to in respond the crisis in the right manner. In high PD countries like Singapore people tend to expect and accept institutions to tell them what to do and do not question the decisions made by authorities. People followed the instructions given and stayed at home or in quarantine if forced to do though. Singaporeans are also known for the lowest UA score of all compared countries, which means that they are not uneasy or worried about what may happen. In a country where anxiety levels are therefore very low, emotions and aggressions are not supposed to be shown and people are remaining calm in adverse situations. Rules are generally more respected in low UA countries and emergency plans can be implemented easily in these communities. Referring to Hofstede the combination of large PD and weak UA, which we find in Singapore, indicates the extend “family”, meaning that people would resolve conflict by permanent referral and concentration on authorities (Source: Cultures and Organizations: Intercultural Cooperation and
its Importance for Survival, Software of the mind, pp.141).

3 Sample AG

Sample, headquartered in London, is a global powerhouse in the automotive field. The company has 134,000 employees working to develop and manufacture products, design and install complex systems and projects, and tailor a wide range of services for individual requirements. Sample provides innovative technologies and comprehensive know-how to benefit customers in more than 100 countries. Founded more than 100 years ago, the company is active in the areas of Automation, Transportation, Military, and Aviation (Source: Sample AG).

3.1 Organization of Sample Pte Ltd, Singapore

Since the 1990s, Sample has played an important role in the economic and technological growth in Singapore. Sample is active in the business of:

- Automation
- Transportation
- Military
- Aviation
- Procurement

With five business units in Singapore, Sample is a leading supplier of products and solutions in the fields of automation. Sample has some 1,000 employees in Singapore, engaged in a wide range of activities, including engineering, design, software development, marketing, maintenance and manufacturing.

As a leading global trust, Sample delivers state-of-the-art solutions and technologies.

In 2005, the ‘Sample Business Center’, the new office building of Sample Pte Ltd was officially opened by Prime Minister Lee Hsien Loong. The new building consolidates most of Sample Singapore’s operations under one roof to achieve synergies and leverage on its capabilities.

3.2 The Corporate Information Office

Corporate Information Office of Sample Pte Ltd in Singapore offers a variety of services within the core functions of Process Management, Knowledge Management, Customer Relationship Management, Supply Chain Processes as well as IT Infrastructure and Operational Services to support all employees of the company.

Sample CIO has the goal to achieve Sample Business Excellence by:

- Standardizing processes and data across Sample to ensure faster implementation, reduced operational costs and organizational agility to provide the basis for application standardization,
- improving the highly diversified & decentralized IT landscape in order to raise synergies,
- providing reliable IT-Services at best-in-market prices to Sample Groups and Companies so that they can focus on their core business,
- establishing standards and setting guidelines for the Sample community so that IT, e-business & process activities are consistent and contribute to business success and
- Providing a user-friendly interface on the website to all Sample stakeholders (customers, employees, investors).

The implementation of Corporate Shared Services, which are offered to all Sample Units around the globe, is one important factor to succeed in the points mentioned above.

One important factor to achieve these goals is the implementation of Corporate Services across Sample worldwide. Main objective of the implementation of the mentioned Shared Service Concept is the overall cost reduction for all Sample Groups and Operating Companies in all Regions, Sample is doing business in.

3.3 BCP of SAMPLE Pte Ltd Singapore

Sample launched its Corporate Information Security (InfoSec) Program in 1991. At this time Disaster Recovery Planning was already part of this program and mostly focused on the recovery of Information Technology, Data Centers and Infrastructure. With regards to the increasing threats of world-wide crisis, Sample started to reinforce its Crisis Management in 2001. The initiative for BCP was launched one year later in 2002 and the focus of this first initiative was on Emergency Concepts for IT Systems.

The first BCP steps for SAMPLE PL were undertaken in May 2004 with the Planning of the implementation of a BCP. Herein SAMPLE PL firstly defined the Disaster Recovery and Business Continuity Stakeholders and conducted a Risk- and Business Impact- Analysis. After the definition of the DRP/BCP Stakeholders, Risk- and Business Impact- Analysis were arranged.

The defined External Stakeholders for SAMPLE PL are:

- the Media/PR
- Law Enforcement
- National Services
- Police
- Third Party Vendors
- Customers
- Ambulance
- and the Fire Brigade.

As Internal Stakeholders the following were defined:

- the Management
- IT Infrastructure
- Logistics & Transportation
- Personnel
- Facility
- and the Manufacturing.

The BIA, which consists out of questionnaire and interviews was developed and conducted by an external consultancy company, which complied the results together with the business units and the Corporate Service Departments (CSDs). The results were presented to the Business Continuity Manager in form of DRPs for each of the BUs and CSDs.

In his influential work Business Continuity Planning, Protecting Your Organizations life Ken Doughty, argues that a BCP methodology is crucial to ensure a structured approach is adopted and consistently applied throughout the development and implementation of the BCP (2000, p. 232). It is important to state that by adopting such a best practice approach BCP methodology, organizations gain assurance and confidence. In May 2005 a BCP methodology for the Sample Asia – Australia region was published by the Corporate Information Office Asia – Australia (Appendix 2). The Methodology gives a definition and a focus of BCP, as well as the different steps and fields which have to be developed and implemented throughout the program. It also gives the different phases of what has to be done, before implementation can take place, these 4 phases include:

1. Objectives Setting, Management backing and Project Kick Off
2. Analysis of the business via interviews and questionnaires, definition and classification of business critical processes and systems in a matrix, Mapping estimated financial and non-financial impacts to processes and systems, Recording potential risks and threats and map them into processes and systems, Developing a comprehensive report detailing incidents and their related business impact in terms of time and money
3. Creating record of technical and non-technical infrastructure, Prioritizing of system recovery; Describing where to find recovered information; Description of IT recovery procedures; Developing a DRP handbook; Definition and assignment of key functions to staff; Developing response and escalation procedures to handle different disaster
scenarios; Training of key functions; Developing and distributing communication procedures
4. Implementation of the BCP in organization; Running all single elements of the BCP; Physical set up of hot – warm – cold sites; Define a test drill roadmap / plan; Regularly update BCP based on test result and changing business environment; Communicate changes to staff

Up to now Phases one and two are done, and phase three is started.

The consultant company then conducted a DRP testing at the recovery site of Sample during October and November 2005. All Business Units and Corporate Service Departments had to participate and complete several tests. All activities were monitored and recorded by the BCP Coordinators of each BU and CSD. These BCP Coordinators are the interfaces between the Business Continuity Manager or the Crisis Management Team and the employees. As the BCP is not put in practice to the Sample organization yet, these recorded findings will be an important input to improve the BCP before implementation.

4 Basics – Business Continuity Planning

In this chapter the basic knowledge for implementing a BCP will be provided. Therefore a general process with all its procedures will be explained in the following paragraphs. All the necessary terminology, as well as the definitions will be given too.

For understanding the definition of a BCP, let us have a look where in an organization of a company business continuity normally stands. The slices of typical maturity that big enterprises do experience are, according to Andrew Hiles:

illustration not visible in this excerpt

Figure 4: BC Maturity Pyramid (Hiles, 2000, p.3)

As the program at Sample is a bottom-up approach, the thesis will only define the bottom three slices of the Pyramid. The explanation of the terminology will follow this approach.

4.1 BCP as Project

As BCP is a very complex topic and involves a lot of different BUs as well as CSDs as well as the Management, on the one hand and a lot of different strategies and analysis on the other, it is good to handle BCP initially as a project. Handling the BCP as a project is necessary, because adequate managerial routines for a BCP implementation are not yet set. Projects are, referring to Meredith & Mantel:

- “…a one-time activity with well-defined set of desired end results.”
- when development and implementation into the regular program of an organization is the goal
- independent, but relying to the companies organization’s standards
- characterized by customization
- evaluated for success or failure by their stake-holders

(Project Management – A managerial approach, pp. 9)

Projects usually follow some principal phases between the start and the defined ending. The following figure shows how these phases could look like for a typical BCP process:

illustration not visible in this excerpt

Figure 5: The principal phases in BCM

4.2 Definition of Business Continuity Planning

There is a bright variety of definitions for the terminology of BCP around in the business world. A lot of them see BCP solely as IT related, including backup planning and stand-in hardware. One of these definitions, published by the Primode’s Cyber Security Hub, defines BCP as:

Prepared (and tested) measures for protection of critical business operations from the effects of a loss, damage or other failure of operational facilities providing crucial functions (e.g. programs and data) to them, in terms of Information Security this comprises backups and archiving, stand-in hardware etc. (Source: Primode’s Cyber Security Hub Information Security Glossary).

Other definitions emphasize more on the disaster and recovery part of the BCP, but a continuity incident also has to deal with fraud or a epidemic, things we do not immediately see as ‘disasters’. A definition used by the Business Continuity Institute (BCI), an institute concerned with everyday BCP solutions of companies around the globe states:

Business Continuity Management is a holistic management process that identifies potential impacts that threaten an organization and provides a framework for building resilience and the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value creating activities (Source: Business Continuity Management, Good Practice Guidelines, p. 4).

I prefer the definition of the BCI, because it emphasizes on the big picture of a BCP, which is not solely an IT or a disaster recovery related topic. It is more a holistic organizational management strategy, including all parts of an organization and an ongoing process, rather than a short term project.

4.2.1 Dimensions of Business Continuity Planning

As Business Units are the key factors of success and make it possible to ensure cost reduction, higher efficiency, customer orientation, etc. it is elementary to define and optimize their processes. For a better understanding of the interrelation of the BCP and the BUs, I want to describe briefly what BUs are.

According to PERA they are the “…lowest level of the company which contains the set of functions that carry a product through its life span from concept through manufacture, distribution, sales and service” (From: http://www.pera.net/Tools/Glossary/ Enterprise_Integration/Glossary_B.html).

At SAMPLE PL these BUs are organized with a product focus, the groups are connected by product line. In such an approach, each major product area is placed under the authority of a manager who is specialist in, and is responsible for, everything having to do with the product. The BUs have to create profit for a company, the corporate departments have to enable and support the BUs in doing so.

Business Units therefore do underlie different threats, which could lead to an interruption or a disruption of an effective workflow of the processes. BCP is concerned with handling impacts of these threats for the BUs and the involved resources. Today’s business world has a need for highly available processes; there is no company which can afford a down time of an important BU for a longer time. Especially in times of electronic networks and electronic commerce, maximal affordable down times of the BUs get smaller and smaller. In the recent years just-in-time deliveries, electronic data interchange, E-Commerce, Supply Chain Management, etc. increased strongly. With that growth of these trends, also the dependence between the companies their customers and vendors have increased. A survey released by the Forrester Institute, came to the solution that in the year 2005, solely in Europe £ 150 Billions are exchanged thru e-commerce (Source: Business Continuity: Best Practices, World Class Business Continuity Management, p. 3).

It becomes clear, that a down time of crucial BUs can therefore cause serious financial damage in very short time. This is also proven by a survey from Tandem, a computer producer in which the maximum down time of a BU was elicited. In that survey 15% of the testimonials answered that the recovery time should be less than one hour, and even three fourth of all interviewees want to have a recovery time of less than 24 hours.

illustration not visible in this excerpt

Figure 6: Time for Recovery – Tandem Clients

Highly available BUs is a must for the business world of today, which is extremely depending on IT services. The crucial processes have to get secured as good as possible, for keeping the daily business running. A need for BCP is given therefore, but which are the main advantages BCP can provide? Some good arguments for implementation of BCP are, given by the Business Continuity Institute:

- Due to the fact that it makes good business sense
- Service for Customer – it must be ensured that service/product can be delivered at all time
- Events are increasing – more and more diverse events to respond
- 7-24 – business around the globe

(Source: BCA Fact sheet)

[...]