Continuity planning
© 2004 millennium strategies
Overview
Continuity planning has emerged as a critical challenge facing nearly
every business and school district. As computing and communication become ever
more integrated into operational processes, the need for reliability, coupled
with the need for a rapid return to productivity after a crisis, is imperative.
Businesses and schools can no longer function for even modest periods of time
without technology to support critical processes. In addition, in crisis events
that affect the community, schools become the focus and convergence point for
organization, protection and response, increasing the need for stability and
recovery of infrastructure technology. Many businesses find themselves in similarly
demanding roles to provide necessary goods and services that must be sustained
during crisis events.
The fundamental goal for businesses and individual schools and departments
is to achieve a state of operational continuity where infrastructure technology
systems are continuously available irrespective of failures and crisis events.
Achieving this goal means thinking proactively:
- Design and implement robust systems
- Be observant of unusual situations and eliminate avoidable hazards
and causes of failure
- Prevent crisis situations whenever possible and protect infrastructure
systems from potential damage
- Be prepared, plan a response and have the resources needed to
reconstruct critical systems if necessary.
Continuity planning is no longer the job of Information Technology (IT) alone.
While IT may manage the systems and implement recovery plans, it is the
responsibility of the entire business or school district to be aware of the need
and to recognize it through adequate funding for continuity-related staffing,
identified time for continuity activities and integration of the technology
continuity plans into the operational safety plans.
The plan
A continuity plan is a comprehensive statement of consistent actions to be
taken before, during and after an event or crisis that has the potential to
disrupt organizational operations. The plan must be clearly documented and
thoroughly tested to ensure the continuity of operations and availability of
critical resources in the event of an actual disruption.
Continuity planning generally includes one or more of the following approaches
to restore disrupted IT services:
- Eliminate identifiable hazards and mitigate known risks as much
as possible
- Recover IT operations using alternate equipment
- Restore IT operations at an alternate location
- Perform some or all of the affected operational processes
using manual means for a short time.
The primary objective of continuity planning is to protect internal processes
in the event that all or part of operations or information services are rendered
nonfunctioning. This document defines a seven-step process that may be used
to develop a continuity plan for information resources and associated operational
processes.
- Plan development supported by formal policy
providing authority and guidance with ongoing updates to remain current
with changes to systems and processes.
- Conduct an operations impact analysis to identify
and prioritize critical information and systems.
- Increase staff readiness and awareness; identify
and remove potential hazards; implement avoidance measures to prevent
identifiable potential disruptions.
- Identify effective response procedures to minimize
disruptive exposure, extend system availability and ready systems for
recovery if necessary.
- Develop recovery strategies to ensure that
systems and supported processes may be temporarily rebuilt quickly and
effectively following a disruption.
- Develop reconstruction procedures to provide
detailed guidance and methods for permanently restoring damaged systems.
- Plan testing, user training and mock exercises
to identify gaps and prepare staff for plan activation to improve plan
effectiveness and overall preparedness.
Phases in the continuity process include:
- Readiness: planning, preparation and avoidance
- Response: surviving and minimizing crisis events
- Recovery: establishing temporary systems and processes
- Reconstruction: rebuilding permanent systems and processes.
Benefits
Readiness is the key to achieving continuity. Planning minimizes disruption
and helps to ensure a level of organizational stability and an orderly recovery
after a disruption. Because the probability of a disruption occurring is highly
uncertain, a continuity plan provides a certain level of comfort in knowing that,
if a catastrophe occurs, the results will not be as devastating as they would
otherwise be. In addition, it helps to identify and eliminate potential hazards
to avoid problems in the first place. There are many benefits to developing a
continuity plan. Among them are:
- Protecting staff, customers and students
- Decreasing vulnerability to crisis events
- Minimizing economic loss and decreasing exposure
- Providing a sense of security
- Reducing the probability of occurrence
- Ensuring organizational stability
- Reducing disruptions to operations
- Minimizing scope and timeframe of disruption
- Providing an orderly recovery
- Assuring reliability of standby systems
- Reducing demands on certain key individuals
- Minimizing decision-making required during a disastrous event
- Minimizing insurance premiums
- Minimizing liability.
Critical success factors
The following factors are identified in the continuity planning industry as
critical to the success of a continuity plan:
- Executive Support: Executive leaders must
support the need for continuity planning and be involved in the development
and maintenance of the continuity plan. Management must be responsible
for coordinating the plan and ensuring its effectiveness within the organization.
- Organizational Awareness: Awareness begins with
a risk assessment that accounts for a full range of possible disruptions,
including natural, technical and human threats. A business impact analysis
should be accomplished within each department and school to determine the
consequence of representative disruption scenarios. The assessment and
analysis should also evaluate the vulnerability of critical documents and
equipment that may not be part of technology or information systems. Assessment
and analysis should span the range of disruptive scenarios from malicious
vandalism and equipment or software failures to total destruction. Assessment
and analysis should be accomplished on a cyclical basis, probably annually,
with plan testing and maintenance. Quarterly formal and informal presentations
addressing the characteristics and protection of critical information will keep
the concept of information protection and process continuity fresh in mind.
- Program structure and organizational coordination: Program
implementation needs to be of appropriate scale across the organization, as does
the level of continuity coordination between departments, functions, schools and offices.
This also includes the degree to which continuity considerations have been
incorporated in other initiatives, programs and systems throughout the
organization and in contracts and interaction with materials vendors, service
providers, financial institutions and governmental agencies.
- Central continuity operational committee: A management
committee should be appointed to oversee the maintenance and implementation of
the continuity plan. The committee should include representatives
from all functional areas, in particular the leaders of operations, information
systems, networks and communications. The committee should have an audit
team to validate development of the organizational, district, departmental and
school plans, consolidate lessons learned and coordinate testing and modification
of plans.
- Roles and responsibilities: The continuity plan
should be structured using a team approach with teams responsible for plan
testing and maintenance, event assessment and response coordination, facilities
and systems logistics, and information and document protection. It must be
clearly understood that these are functional teams that may not be aligned
with the formal organizational chart. The teams should have a manager and an
alternate with a clear definition of roles and responsibilities during each
phase of the continuity process.
- Adequate funding and staffing: Adequate time and
resources must be committed to implementation, testing and maintenance for
a continuity plan to be effective. Funds must be available for response and
recovery materials and for rebuilding systems.
- Supporting policy: To be effective and to ensure
that staff fully understands continuity planning requirements,
the continuity plan must be based on a clearly defined policy. The continuity
planning policy statement should define the district's overall continuity
objectives and establish the organizational framework and responsibilities
for continuity planning. To be successful, senior management, most likely
the Chief Information Officer, must support a continuity program. These
officials should be included in the process to develop the program policy,
structure, objectives and roles and responsibilities. Key policy elements
include roles and responsibilities, scope and organization functions subject
to continuity planning, resource requirements, training requirements, exercise
and testing schedules, plan maintenance schedule, readiness and data protection
methodologies.
- Plan currency: It is crucial that the continuity plan reflects
ongoing changes to processes, applications and systems. This task
includes updating the plans and revising this document to reflect changes;
testing the updated plans for effectiveness; and training personnel for readiness
and response. The continuity steering committee is responsible for this
comprehensive maintenance task.