The instructor will lead the class in discussions pertaining to a business continuity plan. Key elements of a business continuity plan starting with a risk analysis, business impact analysis, and alignment of critical business functions and processes will be discussed. Students will craft a business continuity implementation plan outline as part of this lab’s deliverables.

Assessment Questions & Answers

1. What is the different between a risk analysis (RA) and a business impact analysis (BIA)? A risk analysis (RA) focuses on all aspects of risk assessment for an organization and is a necessary step to assess what kind and how much business insurance to obtain. A business impact analysis (BIA) focuses on identifying critical business functions and operations that must be part of a business continuity plan to maintain and maximize availability.

2. What is the difference between a Disaster Recovery Plan and a Business Continuity Plan? A DRP is usually a subset of a BCP and defines how an organization is to handle major disasters or major outages and emergency situations. When a disaster situation is declared, the DRP is enacted not the BCP to handle and deal with the immediate emergency situation and handle the disaster situation as per the DRP procedures. A DRP deals with the immediate disaster situation and must achieve the RTO as defined in the BCP, usually in an alternate site or triage to restore immediate critical business functions and operations.

3. Typically, a business continuity plan is also a compilation or collection of other plans. What other plans might a BCP and all supporting documents include? • Disaster recovery plan • End-user recovery plan • Contingency plan • Emergency response plan • Crisis management plan • IT System recovery procedures (i.e., mission critical IT systems, applications, and data, VoIP / telephony infrastructure, Internet access, etc.)

4. What is the main difference between a Disaster Recovery Plan (DRP) and a Business Continuity Plan (BCP)? A Disaster Recovery Plan (DRP) focuses on the recovery of IT systems, applications, and data in the event of a catastrophic disruption (fire) or disaster (hurricane) and a major IT or data center outage occurs (physical damage or destruction). The immediate concern of a DRP is to bring up mission critical systems, applications, and data access as soon as possible, even if it’s a temporary or short-term solution while the rest of the Business Continuity Plan (BCP) kicks in. A BCP has a much broader scope and takes into account all business functions and processes from the prioritization dictated by the BIA.

5. What is the purpose of a risk assessment and business impact analysis? Why is this an important first step in defining a BCP and DRP?

The purpose of a risk assessment (RA) is to identify the entire organization’s risks and quantify the impact of the identified risks to the organization based on key business drivers (loss of life, loss of income, liability, exposure, etc.). The purpose of a business impact analysis (BIA) is to assess the impact of downtime for specific business functions or processes. The BIA prioritizes mission critical business functions and processes (i.e., sales, customer service, manufacturing, e-commerce website, etc.) such that the recovery priorities for IT systems, applications, and data were affected by an outage or downtime.

6. How does risk assessment (RA) relate to a business impact analysis for an organization? The BIA is like conducting a risk assessment except that it is focused on identifying critical, major, and minor business functions and operations. Once you identify these business functions and operations, you must then prioritize them in terms of importance to maintaining operations. Thus, a BIA is a form of risk management and risk assessment because you are assessing and minimizing the risk associated with downtime or unavailable IT systems, applications, and resources. The BIA helps organizations mitigate the risk associated with downtime and unavailable IT resources for business continuity and disaster recovery of critical business functions and operations.

7. Given the list of identified mission critical business functions and processes, what kind of company would you say this organization is, and what do you think are its most important business processes and functions?

This organization is in the production manufacturing business heavily dependent upon a supply chain infrastructure for just in time manufacturing and inventorying. The crux of this organization is based on its online sales through an e-commerce website and a sales support function to drive revenue and cash into the business. This type of business is heavily dependent upon maintaining its connection with its customers, in this case, online through the Internet supported by traditional sales through inside and outside sales professionals. Maintaining enhanced customer service delivery for both high-value customers (VIP) and low-value customers is critical to maximize customer retention and repeat purchases.

8. Given the prioritization list provided for the organization’s identified business functions and processes, write an assessment of how this prioritization will impact the need for IT systems, applications, and data access.

The assessment should focus on revenue generation and minimization of loss of income. Coupled with that is the need for maintaining customer service delivery whether online, e-mail, self-service on website, or via 800-number with call center. The customer is king to this organization and maximizing revenue and income supported by customer service delivery is what is driving this prioritization.

9. For the top 5 identified business functions and processes, what recovery time objective (RTO) would you recommend for this organization and why?

RTO - 8 hours or 1 business day. Given the real-time nature of this organization and real-time online transactions and purchases, providing real-time customer service support and product shipping logistics is critical to this organization. While portions of the identified #1 - #5 business functions and processes can be supported with minimal IT infrastructure, it would be important to identify the minimum IT systems, applications, and data access needed to support the online, e-commerce system, customer service functions, and access to the customer relationship management (CRM) database.

10. Why is payroll for employees and Human Resources listed as a co-number 1 business priority? It has a critical business priority to pay its employees on time and on schedule. Many businesses and organizations use an external payroll and direct deposit function to keep its employees paid and happy no matter what the circumstances are within the business or organization. It is also a breach of contract or employment to not pay your employees when pay is due, so it would be imperative to ensure continuity with payroll for its employees.