interests of the business, but also their ongoing employment, you should find them more willing to help. In addition to a high level sponsor, you need to bring together a small project team and appoint someone in the team to oversee the process; they will be the recovery co-ordinator. This person does not necessarily make the decisions about invocation or the system planning, but they act as the glue to make sure all the processes happen, as well as ensuring that the process has an owner.

2. Assessing the operational risks

The easiest way to do this is to arrange a meeting that will bring together staff from every part of the business, and then have a structured brainstorming session. As a starting point, you can use the PEST (Political, Environmental, Social, and Technological) model to help keep ideas coming. Operational risk assessment (ORA) is a topic on its own, but the main idea is that you end up with a log of all the risks that your company could be exposed to. You then rank the risks based upon a number of factors. For the ECA, we consider the probability of an event happening, the impact that it would have, the controls that we have in place, or can put in place, and our ability to improve the rating. We then review the highest items on the list and look at how we can improve the risk rating to the business.

As an example, let’s take pandemic flu as a risk. The probability of this happening is actually fairly high as, statistically speaking, we are overdue a pandemic and the World Health Authority was on high alert not that long ago. The impact on the business would be high, as staff would likely be affected and you would have a reduced workforce. The controls you could put in place are that you would cut down on the need for travel and face-to-face meetings. Given what we’ve said above, this may well end up being a high-risk item that would require further investigation to mitigate the risk. The outcome will most likely be the creation of a policy, so that staff are made aware of what to do and when it is likely to be put into action.

Once you have undertaken this process, you will find that the answer to a number of risks will be your BCP plan, as BCP and ORA are very closely linked.

3. Building a plan

Building a plan in itself has a number of sub-stages, which you need the process owners to own and contribute to. The following list will be required for most companies, but this list is not comprehensive, as some companies will have specialisms that need to be thought about as well. If the organisation is large and there are multiple planning groups, then you need to ensure that someone has overall oversight of all the groups. This is to ensure the overall solution works for all offices in the company – otherwise it’s possible that a company’s individual office plans work well in isolation, but do not work so well when brought together.

Call trees

If a major incident were to happen, one of the first things you would need to do is contact your staff to advise what they should do, as they may not be able to come into the office. You may think you have all the details already in your HR system, but unless that is hosted in the ‘cloud’ it may not be available. You therefore need a Plan B – and a spreadsheet can do the job; it’s quick and easy to maintain, too.

Collect as many forms of contact details as you can. One mistake that was made during the 7/7 bombings in London was a reliance on calling staff by mobile phone to advise what to do. The reason this failed was that one of the first things to be shut down by the authorities was the mobile network. So make sure you collect a home number and a personal email address. Another option would be to create a Twitter group which staff could subscribe to, if you think sufficient numbers use the service.

58 ECA Today May 2011

Data backups

As data is the lifeblood of your business, you need to ensure you have a formal process whereby you back up your data periodically, which for most companies should be every day. You then need to ensure that you have backups kept offsite, because if your building burns down, your backups will burn as well. Again, this can be as simple as someone taking home a tape each night, or you can use an offsite data storage company – which is what the ECA does.

Recovery plans

You should have an overall plan that explains who makes the decisions (along with deputies in case of absence) and where the decision makers are to meet in the event that the office is not available. The plans should contain easy-to-use checklists to help the recovery team make timely decisions. The checklists need to cover what is working and what is not, as well as considering whether the office is habitable or not. Finally, it should outline the order in which systems are to be recovered, which will be based around how critical they are to the business.

In addition, there needs to be a plan for each department, setting out what they will do. The departmental plan has to describe how that department will continue to function and process data in the event of not having any systems. For some, this will be as simple as having a paper and pen and making phone calls, but for others it will be much more involved. For instance, how will the accounts department continue to make payments or deposits? For departments that are resorting to manual working, consider whether you can create any templates that can be used to ensure that all the correct information is recorded when dealing with customers. This could be a Word document but, again, this needs to be stored offsite. Suggestions on how best to handle this can be read below.

Premises

If you were not able to use or get back into your office, where would your staff work from? If you have systems that allow remote access and they are still functional, you may decide that it could be from home – although consideration needs to be given to this, as it also raises other issues. Another option may be to utilise an office in a different location if you have multiple sites within travelling distance. The cost alternative is to pay for space at a BCP facility, such as those offered by ICM or SunGard, for example. The way this works is that the outsource provider will make available to you office space, desks, chairs, computers and phones. They can also provide other services, such as rack space, consultants to
