Skip to content

Business Continuity Plan: Examining of Multi-Usable Framework

Business Continuity and IT Disaster Recovery Blog

Business Continuity Plan: Examining of Multi-Usable Framework

Author: Silmie Vidiya Fani, Apol Pribadi Subriadi

Abstract

Business Continuity Plan (BCP) framework is procedural guidance to create plans that prevent, prepare, respond, manage, and recover a business from any disruption. Many organizations have not realized that BCP is essential to their business continuity. Organizations more concern with their main goal (profitability and market growth), rather than business continuity. Regarding the organization awareness of business continuity, many organization recognizes disruptions, but they did not aware of preparing BCP. There were no specific standard or framework for BCP that could use as a best practice. This research is a continuation of previous research, which has proposed with a specific procedure, including all elements and activities. However, this framework still has shortcomings in testing empirical studies. This paper aims to analyze the suitability of the framework with various types of organizations.

The framework has been tested in four cases: banking, 2 service-company, and manufacture. The results show that some activities of the BCP require further adjustment. Therefore, researchers need to readjust the BCP framework by changing several activities, to fit all type of organizations. Based on the results of the analysis, improvement is needed by doing some additions or subtractions of activities and elements in the framework, such as adding budgeting. This improvement aims to get a more tested framework that can be used as guidance in the future.

1. Introduction

Risks could arise in the form of disruptions both from external (such as disaster, malware, etc.) and internal threats (such as human error, utility disruptions, etc.). COSO ERM (2004) defines risk as to the occurrence of an event that could affect the goals of organizational achievement [1]. The disruptions have increased with the increasing number of companies that implement information technology and become more linked to the external network [2]. Huge losses and even bankruptcy may occur in an organization if there was no planning to deal with it. Regardless of how complex IT in the organization, they need a plan to deal with the disruptions that affect their businesses. Therefore, a plan is necessary to ensure that the operational activities of an organization still operate although there were disruptions. One of the efforts is creating a suitable business continuity plan (BCP) as a part of Business Continuity Management (BCM) [3].

BCP is a framework used to create and validate plans to maintain business operations continuously. It is applicable, before, during and after disasters or disruption occur [3, 4]. BCP focuses on sustaining business functions during and after a disruption and manage businesses operations. BCP is one of the most critical components of the recovery strategy. Unfortunately, only a few organizations aware of the importance of BCP and how to implement it. According to Snedaker & Rima (2014), each organization will not have the same BCP, because every organization are unique and has different needs [3]. In fact, there is no specific guidance regarding BCP (e.g. standard or framework). So far, from numerous studies, explanations or literature regarding the implementation of BCP in small, medium and large companies is understudied. Several studies just explain about the BCP framework with some elements that must include in the framework [5, 6, 7, 8, 9].

In the previous research, one of the BCP frameworks was proposed by [10] that cloud be used as a reference for implementing BCP. The BCP framework has 8 elements and 38 activities that could represent the processes of BCP life cycle. This framework could be implemented in all type of companies regardless of size, activity or sector [10]. In terms of theory, the framework met the standard because it includes several elements that must be present in the BCP framework. Several studies show that the BCP framework has at least consist of several elements such as business impact analysis, risk analysis, training, and testing [2, 6, 11, 12, 13].

In addition, the proposed framework also has detailed activities. Practitioners could easily follow the procedures of the framework during BCP implementation. The BCP framework still needs to be tested and adapted specifically to achieve organizational needs [11]. Furthermore, BCP also must be dynamic, along with the changing of the business environment and dependency on the changing of technology. Regarding on it, the framework proposed by [10] still needs to be tested because there is still lack of evidence in empirical studies.

This paper is aimed to test the BCP framework [10] because the BCP framework that has been created still refers to a standard for electricity companies. At this point, we would like to test the applicability of the framework in several types of organizations (e.g. service-based organization vs. product-based organization). Henceforth, based on the result of the implementation, it could be analyzed in which part of the framework that should be improved. This improvement aims to get a more tested framework. In addition, the well-tested framework could accommodate organizations to be more prepared when implementing the BCP framework.

2. Business continuity plan

Business continuity is a way in organizations to anticipate and overcome disruptions, so the risk of loss was reduced, and business operations could continue to operate. According to Venclova & Urbancova (2013), Business continuity is an effort to ensure that critical business functions would be available to customers, suppliers and other entities so that the entity has access to their functions within an organization when the risk occurred [14]. To support business continuity an organization needs to prepare a plan by creating a Business Continuity Plan (BCP). BCP is as a plan to respond emergencies and to recovery business operations. BCP allows the organization to return their normal conditions during and after the disruptions occur. BCP ensures that employees, assets, and business processes could quickly recover during disruptions. It was also one of the most critical components in recovery strategy.

The organization needs for implementing a business continuity plan (BCP) to determine the possible effects to their business. There are some people have misconceptions about Business Continuity Plan (BCP) with Disaster Recovery Plan (DRP) were the same. BCP is a plan to prevent and mitigate risks relate to disruptions of operations. BCP consists of the details of procedure before, during, and after disruptions occurred to maintain business continuity. DRP is a plan to responds during disruptions. It was a part of BCP to recovery of important operational during disaster.

BCP is to mitigate risk, to reduce the impact of risks and to ensure the business operates normally. BCP life cycle consist of assessments and objective setting, critical process identification, business impact analysis, and continuity response strategies, as well as monitoring, testing and improving these areas [15]. Until now, there were no specific standard or framework to make a BCP. Some standard accommodates several procedures in general explanation. Because of the lack of guidance in making BCP, the previous research was proposed a BCP framework for guidance [10]. This framework refers to the standards issued by NERD where the implementation was suitable to be used as a reference for electricity companies.

The framework was making based on literature studies about elements of BCP and combining with the latest standard of business continuity such as ISO 22301: 2012 Business Continuity Management and COBIT 5 Domain: Manage Continuity. The framework has 8 elements and 38 activities by adopting the PDCD (Plan-Do-Check-Act) from BCMS ISO 22301:2012 to determine the framework flow. Planning phase consists of determination of business continuity management needs. Do (Implementation) phase consists of 5 elements: (1) risk analysis; (2) business impact analysis; (3) business continuity strategy; (4) disaster recovery plan; and (5) training employees Check (monitoring & review) consist of one element BCP testing. In the last step, Act (maintaining and improving) phase has one element business continuity review. Fig 1. shows the procedure sequence of the BCP framework elements.

Fig. 1. BCP Framework.

Each element has activities that should be done to achieve its goal. Business continuity management needs are a purpose for understanding the organization need by building sustainability policies and business management objectives. To support this element, the activities that need to do were: (1) Objective Determination; (2) Scope Determination; (3) Forming A BSP Committee; (4) Parties Related Determination; (5) Resources Determination; and (6) Creating Communication Procedure. Risk analysis focuses on identifying possible risks, assessing risks and impact of risks that occur in the organization. The activities carried out are: (1) Risk Data Collection; (2) Risk Analysis; (3) Risk Scoring. Business Impact Analysis focuses on identifying and prioritizing business functions including assets, determining the tolerance period for disturbances, and identifying the impact of disturbances. 

The activities are (1) Business Process and IT Data Collection; (2) IT Services Prioritization; (3) Business Process Prioritization; (4) Disruption Impact Analysis; and (5) Recovery Time Determination. Business continuity strategy focuses on determining accountability for the impact of disruptions that interfere with business process and the development of procedures for managing disruption. The activities are: (1) Preventive Strategy Determination; (2) Determine strategies for actions; (3) Recovery Strategy Determination; and (4) Correction Strategy. (1) Information Technology Asset Data Collection; (2) Vendor Data Collection; (3) Server Location and IT Asset Determination; (4) Creating a form of control; (5) Activation and deactivation requests; (6) Testing Scenario; and (6) Evaluating Result Control. Training Employees activities are: (1) Training Determination; (2) Training delivery mechanism; (3) Training requirement plan; and (4) Training Implementation. BCP testing purpose is to confirm whether the BCP is made accordingly and to ensure team know their responsibility and their action during disruptions. The activities are: (1) Testing Mechanism Plan; (2) Testing Method; (3) Recording of Findings; and (4) Documentation Test Result. Business continuity review purpose is to review BCP periodically and adjusted the BCP according to the changes of business need. The activities are: (1) Time Period Review Determination; (2) Periodic Review; (3) Planning Review; and (4) Changes Consideration.

3. Research methodology

This research belongs to the research design category. This research design is intended to answer the needs regarding BCP guidelines because there is no standard BCP framework to date. This research begins from the existence of the proposed BCP framework [10] where the framework is claimed to be multi-usable framework. To prove it, the framework was tested on four types of organization. The use of four case studies was expected to show whether the framework could be implemented in diverse types of case studies. The four cases have different characteristics, both in terms of business, size, and activity. In terms of business, this company consists of three types of businesses, namely service companies (electrical service companies and water service companies), banking, and manufacturing. In terms of size, electric service companies and manufacturing companies are two companies that are considered to represent large size companies. Water service companies categorized in medium-sized companies and banking categorized in small size. 

All companies implement IT to support business activities and processes in the company. All companies implemented IT to support business activities and processes in the company. The four case studies took because they are considered to represent multi-dimensionality of organizational diversity. The results of the implementation would show conformity in the application of the BCP framework. The results of the implementation were analyzed to determine the differences produced in the four cases. The analysis conducted aims to evaluate the framework. Evaluation results can be carried out by researchers to produce improvements to the framework that can accommodate companies in the future.

4. Results

This section discussed the results of the BCP implementation. The implementation carried out was adjusted to the instructions from the BCP framework [10]. The output of this implementation is a BCP document. However, to keep the information of the organizations secure, the details of the implementation result would not publish in this section, just the evaluation of BCP implementation stages would be conveyed. The results show that the BCP framework was suitable for four cases, in which some activities need to be changed. The implementation of electricity service-company could implement without exception. The BCP framework was suitable to the case because it adopted from NERD standard that uses for electricity companies. Implementation of the framework at three companies could be carried out but several activities need to change. In manufacturing companies, there are 12 activities carried out with change and 5 activities not implemented [16]. Water service companies have 10 activities carried out with change and 6 activities not implemented. In a banking company, there were 6 activities carried out with change and 7 activities not implemented. Table 1. show the result of BCP framework implementation in general explanation.



Table 1 shows the result of BCP framework implementation by showing activities that could not implement and need change. Activities that were not contained in Table 1. were activities that cloud implement in accordance with the framework.

The activity change in the element of business continuity management needs was a merger of parties related determination activities with two activities on another element. These changes did not really affect the results in determining the organization needs at the beginning. The first element, activities that should not eliminate is in determining the objectives and scope of the organization. If they did not carry these activities out, the company could not be able to determine the organization needs. Other activities in the first element are supporters of managing needs by determining the roles of management, resources, and communication. Change in activity in the element of risk analysis occurs in manufacturing companies. Changes occur because risks are specifically base on IT assets. The changes occur according to the needs of the organization. A change in the sequence of activities caused changes that occur in a BIA element. 

The company was decided to conduct disruption impact analysis activities first so it can use the results of the analysis as a reference in determining business process priorities and IT prioritization. This data supported by several findings according to the Western Australian Government (2009) and Australian BCM institute (2000) proposing in conducting BIA the first step that could take was to identify the ranking of organizational processes according to the analysis of operational and financial impacts [17, 18]. According to Sayal (2006), BIA could do by estimating the disruption impact based on time [19]. It shows that this activity could adjust these change to the needs of the company.

Activity change in the business continuity strategy element is done with adding one activity, namely risk mitigation. Another changes are done by combining all activities into one. Changes that occur are not very significant, because the changes made are still following the activity flow that was determined by the framework and can achieve the objectives of the element, namely the determination of responsibility for disruptions that occur and the development of procedures for the management of disruptions [5]. Changes in activity on the DRP element are data collection of information technology assets and testing scenarios. Changes occur because data collection on information technology assets has been carried out in risk data collection activities. Judging from the objectives of the DRP element, the activity should have been carried out on BIA elements. 

It was because in the BIA process the most important step is identifying business activities and functions, record resources (including IT assets) [20]. Changes in scenario testing activities were included in BCP testing elements, based on the purposed of BCP testing these activities can be included. These activities focus on performed for disruptions handling simulation. The purpose of BCP testing was used to confirm whether the plan is proper and can be followed up and ensures that employees have the responsibility and understand what will happen when there is a disruption. BCP testing could do after a potential disruption identified and the impact accumulated [21]. Activities in BCP testing and business continuity reviews elements were not carried out based on company policies and time constraints. From our observation, it could conclude that these activities are related to costs and time. 

This activity is important to do because the success in implementing BCP is influenced by experimental activities and periodic reviews. Changes that occur in BCP implementation adjusted to the needs and development of the organization. A survey in 2016 showed that the biggest challenge in implementing the BCP was the lack of support and commitment of top management, budget, and resources [22]. Another research shows that the factors that can influence the success of BCP implementation are top management commitment, awareness, BCP knowledge [23]. If management does not support or have a little knowledge about BCP, this will have an impact on its implementation.

Based on the analysis, we found that the BCP framework needed several improvements to accommodate the organization in implementing the BCP framework. The improvement could do such as changing activities as in BIA element. It can accommodate organization’s that still lack of knowledge about BCP. Other addition that needed to improve the framework was to add budgeting. Budgeting is an important part when the company decides to implement BCP.

5. Discussion

The results of the BCP implementation indicate that all elements contained in the framework can be carried out, but some changes in activities need to be carried out to adjust to the conditions of the organization. Changes in activities are not significant will not change the purpose of each element [10, 24]. It can happen because of limited knowledge about BCP and lack of management support. Lack of knowledge about BCP in an organization can increase the occurrence of a failure in implementation. Lack of BCP knowledge in an organization can increase the occurrence of a failure in implementation. Knowledge about BCP will guide when starting planning that fits the needs of the organization. Another factor that influences the success of BCP implementation is the lack of management support, awareness, and culture [23, 25]. 

Management plays an important role that includes all tasks and functions related to company initiatives, financing, policies, etc. Support and policies that impartial will influence success in BCP implementation, which is ultimately carried out not only to meet regulatory requirements. Cultural factors also influence people’s behavior that can determine how the person handles the situation and concern for the organization and its environment. Culture influences people in determining strategy setting and management process systems that must be adopted [25]. [20] Argues that organizational culture has the potential to hinder or support the development and more broadly. Meanwhile, some factors influenced the effective disaster preparedness in business continuity plan were high-cost perceptions, lack of staff, inadequate information, and low priority [26].

Another factor that influences BCP implementation is the cost factor. BCP implementation is inseparable from costs that would affect management decisions in taking BCP-related policies. The cost factor added as an element in the planning process will help in deciding to implement the BCP when the cost description is clear. Previous research explained that costs are a factor that influences the success of BCP implementation [17, 20].

6. Conclusion

Preparing a Business Continuity Plan (BCP) is important for the organization. The business continuity plan allows an organization to plan its business continuity for the long term. It proves organizations that did not prepare BCP have the possibility of low survival [21, 22, 23, 24]. BCP has done according to the needs of the organization. In fact, each organization would have different stages in making BCP. This study proves that every organization has ways and changes in the application of BCP. The important thing that needs to underlined is that the BCP framework must contain elements that must be present in the BCP. In the case of this result, the application of BCP experienced a change in activity. Changes in activity occur due to a different understanding of case studies. Based on implementation in four case studies, the framework could use in general. 

It could conclude that the BCP framework is multi-usable. From these results, researchers propose a modified framework for future guidance, could be seen in Fig. 2. This study shows that an understanding of BCP is very important for the organization, it would be seen during implementation. At the same time, it requires preparation of support from both management, staff capability, costs, and time. Therefore, for future research, budgeting can be added in order to facilitate the company in its implementation.

The limitation of this study is the BCP framework has not implemented yet. In the future this framework will be tested in organizations and the results can shows if the BCP framework is suitable for all types of companies or not.


BRCCI – Business Resilience Certification Consortium International (www.brcci.org)

We are thankful to the author for allowing us to post this insightful article on our website. BRCCI provides a comprehensive training and certification program in business resiliency, continuity and IT disaster recovery planning:
1. 3-day CBRM (Certified Business Resilience Manager) is a comprehensive, all-in-one, 3-day Business Continuity Planning and Management Training and Certification course which is designed to teach practical methods to develop, test, and maintain a business continuity plan and establish a business continuity program.
2. 3-day CBRITP (Certified Business Resilience IT Professional) is a comprehensive training on how to assess, develop, test, and maintain an information technology (IT) Disaster Recovery Plan for recovering IT and telecommunications systems and infrastructure in the event of a disaster or business disruption. The training provides a step-by-step methodology to ensure a reliable and effective IT disaster recovery and continuity plan consistent with the industry’s standards and best practices.
3. 5-day CRP (Cloud Resilience Professional) This 5-day seminar is designed for professionals seeking expertise in cloud computing and resiliency management. You will gain a comprehensive knowledge of cloud foundation principles, best practice strategies for building resilient cloud environments, and essential cloud continuity and disaster recovery planning techniques.
4. 2-day CBRA (Certified Business Resilience Auditor) It provides 2 days of intensive, Business Continuity Audit training to enable students to determine the effectiveness, adequacy, quality and reliability of an organization’s Business Continuity Program. Students will learn an audit methodology to evaluate compliance of Business Continuity and IT Disaster Recovery Programs with the current industry’s best practices and standards including:

  • ISO 22301: Business Continuity Management Systems – Requirements
  • NFPA: Standard on Disaster/Emergency Management and Business Continuity Programs
  • ITIL: Information Technology Infrastructure Library

For information on the above program, please contact BRCCI (www.brcci.org1-888-962-7224).

On Key

Related Posts

ICR Standard

ICR Standard Author: Dr. Akhtar Syed Download PDF Section 1.0 – Introduction The Integrated Continuous Resiliency (ICR) standard, developed by BRCCI (brcci.org), is a comprehensive

What is ISO 22301 standard?

What is ISO 22301 standard? Author: Andrea Patricia Sanchez Dominguez Download PDF 1. Introduction The Standard ISO 22301 was proposed in 2012 as a new