
Copyright 2007 ISACA. All rights reserved. www.isaca.org.

Is Your Business Continuity Plan a Paper Tiger?


By Priyank Kothari, CISA, CISSP

Business continuity planning (BCP), one of the most talked about topics in business circles, high-profile meetings and presentations today, has yet to make a real mark. Many organizations simply have a BCP framework in the form of a paper document, signed and stacked carefully for regulatory or client needs.

Several reasons are cited for its current status, including the treatment of BCP as any other IT initiative, exhaustive coverage and scoping issues, and lack of an integrated testing strategy for BCP.

Where to Start

A good starting point is a self-analysis exercise, which will help clear the clouds and depict a true picture of the organization's preparedness in the event of a disaster.

During a quarterly meeting, the team members should be asked the level of confidence they have in the organization's capability to handle an unexpected disaster. To simplify the task, some probable scenarios can be presented and the team members can be asked to assess their confidence level as high, medium and low. This questionnaire can further cover areas such as potential loss to the organization in the event of a disaster and the organizational business areas that will be most severely impacted.

This simple analysis will help gauge the current state of BCP readiness and act as a trigger point for realigning the BCP implementation strategy to attain an acceptable level of readiness that matches the risk appetite of the organization.

Figure 1: BCP Maturity Model
[Figure not reproduced. Layers: BCP Testing; BCP Roles and Responsibilities; Business and IT Recovery Plans; BCP Framework. Axis label: Increase in Maturity Level. Other labels: IT Support; Business Participation; Audit Participation; Management Support. Note: Select layers that reflect the current status of BCP in the organization.]

Management's Role

BCP is a complex process, as one not only needs to prioritize business processes, taking into consideration the current and future plans of the organization, but also to understand the downturn impact of a business process failure on the organization.

Management has a key role to play in the planning, business process prioritization and risk assessment, and development and finalization of continuity plans for the organization. Leaving the complete task to IT can result in significant gaps in the continuity plans and lead to the failure of the plans. IT will play a significant role in the development and design of IT recovery strategies to meet business needs; however, when it comes to development of alternative business recovery plans, the presence of key business decision makers is extremely important.

Once business continuity plans are developed, it is equally important for management to ensure that periodic testing of the plan is carried out under different scenarios. The plan should be designed in such a manner that it is accommodating enough to meet changes in the business environment and precise enough to be carried out in case of a contingency.

Beyond Documentation

Mere documentation of a BCP framework, policy or methodology will not help. Detailed, well-defined, updated recovery plans and procedures, with adequate training of the BCP team members and periodic testing exercises, are required to meet the objective of a business continuity plan.

Key questions management can ask to assess the sustainability and preparedness of the business continuity plan in the organization include:
• Has a detailed business impact analysis (BIA) exercise been carried out to ascertain which business processes are more critical than others and how failure of these processes will impact the organization?
• Has the risk to business processes, which covers all probable threats and disaster events, been identified?
• Does an individual business recovery strategy exist for all critical business processes developed by respective business teams?
• Have recovery plans been tested to ensure their applicability and validity?

• Are periodic training and awareness programs conducted for the BCP team members, not only to ensure that they are aware of their recovery responsibilities, but also to apprise them of new changes and updates on the continuity plan?
• Do the internal and external IT/process/security audit plans cover business continuity processes?
• Have all the gaps identified in previous audits been addressed or is an action plan in place to address them?

All these steps are over and above a basic business continuity plan or framework document, which acts as a road map for all other supporting continuity plans and recovery processes.

Conclusion

The objective of a business continuity plan is to ensure the recovery of business processes to an acceptable level within a predefined time frame, thereby minimizing the loss impact to the organization. Management's active participation and periodic monitoring can help change the current BCP status of an inactive paper tiger to a highly flexible, dynamic and vibrant working model of recovery processes that will meet the BCP objective of the organization.

Priyank Kothari, CISA, CISSP, is an information security consultant working with the global consulting arm of Wipro Ltd. He has been part of numerous BCP/disaster recovery (DR) design and implementation projects across different industry verticals. He is a member of ISACA and can be reached at priyank.kothari@wipro.com.

Information Systems Control Journal, Volume 3, 2007

Information Systems Control Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to
the Information Systems Control Journal.

Opinions expressed in the Information Systems Control Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and/or the IT
Governance Institute and their committees, and from opinions endorsed by authors' employers, or the editors of this Journal. Information Systems Control Journal does not attest to the originality of
authors' content.

Copyright 2007 by ISACA. All rights reserved.

Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the
association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, Mass. 01970, to photocopy articles
owned by ISACA, for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article.
Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly
prohibited.
