It is not just about size. When we mention a Business Continuity Plan - BCP, what comes into mind is the large enterprise. But those, in general, do not represent more than 15% of a country's officially registered business . The small and mid-size companies do have its share on the local economy, and a big one.
So, independently of the size of the business,a BCP comes in handy.
First of all, a series of question to be responded by CEO's, Co-Founders and Startup's head managers: Do we need it? Do we want it? And most of all, what for?
The needs of a small or mid-market company to invest in business continuity plans must be totally related to the risks it takes given the business they are in.
- In some areas, regulatory demands are very important and business continuity is required. Let us take for example, the banking and and insurance companies.
- Sometimes, the PCA may be required by a customer, as well as BCP, or Information Security Policies: we have to bear in mind that large enterprises are increasingly dependent on their sub-contractors on major contracts, which may represent a risk for them. So, in order to protect themselves, they force their partners - by contract - to set up a BCP.
- Some organizations that counsel or finance Startups also require assurance for business continuity. They want to be sure that the company, in the misshapen of facing a loss, it will have what it takes to keep on going.
- Last but not least, there are firms that are more motivated to implement a BCP: those who have already had a personal claim, or that have come into contact with a company close to them which has been affected by a BCP, or worse, those who have already experienced some sort of brake down on any area of its business.
How should a BCP be designed?
Before setting up a BCP, the company must ask simple, effective questions:
- What should be protected: Data? Information? Know-how? Collaborators? The information system? Production?
- What is the maximum loss of data or information admitted?
- What is the longest period of interruption acceptable?
The key is to determine the criticality of the elements.
The BCP should reflect the result of all consideration of risk, and according to these criteria, it will be able to adapt its level of sureness to the company.
But this is but part of the process. To be effective, the device must evolve at all times, not to become ineffective. It must adapt to changes that take place in the company - for example, if it merged - in the environment - a drastic example, a TNT industry sets up its business in the same area.
Most important though,it should also take into account the evolution of risks. Who would think of cyber security as a major risk, say, 10 or 15 years ago? Risks today have evolved to the point we must tell a physical from a virtual one. A BCP's characteristics must follow the risks all along.
Implementation
When the decision to move on to a BCP is taken, next comes the doubt whether to do it on its own or rely on a third party for the task. All business will be better off with external help.
Many reasons justify the use of an outside provider.
- Experience. Business are rarely confronted with major physical disasters such as fire, floods or any destruction. Inside teams, so, have a lack of experience when there is such an incident.
On the other hand, third party have this expertise. Its special teams specially suited for the job know not only how to organize full checklists to re conduct operations, but also for restarting the the core functions of the business in the shortest gap of time.
In addition, small and medium business do not have the necessary additional room - located far from its original site - to accommodate their back up data centers and storage solutions.
Companies have to change their beliefs about local backup. Medias are not reliable after a period of time, resulting in restorability issues.
Finally, using third party services for a BCP grants real time update for both system and data, other than its protection. This aspect is very important because small business setting up BCPt often run into the problem of outdating. The ones responsible for business continuity plan are either switched to other activities or the focus towards the BCP diminishes and becomes irrelevant.
Nevertheless,to succeed, even with a third party coaching, the project must be culturally accepted internally at all levels: it is a decision by the company as a whole.
Sources: ABNT, MS, HP
jeudi 27 mai 2010
Inscription à :
Articles (Atom)
