Business continuity planning
==Analysis==
The analysis phase consists of:
* Impact analysis
* Threat and risks analysis
* Impact scenarios

Quantification of loss ratios must also include "dollars to defend a lawsuit."<ref>{{Cite web|url=http://www.jcrcny.org/wp-content/uploads/2013/10/EmergencyManual.2.0.pdf |archive-url=https://ghostarchive.org/archive/20221009/http://www.jcrcny.org/wp-content/uploads/2013/10/EmergencyManual.2.0.pdf |archive-date=2022-10-09 |url-status=live|title=Emergency Planning}}</ref> It has been estimated that a dollar spent in loss prevention can prevent "seven dollars of disaster-related economic loss."<ref>{{cite web |website=RI.gov |title=Can your Organization survive a natural disaster? |url=http://www.riema.ri.gov/berhodyready/files/Session_1_Business%20Continuity.pdf |archive-url=https://ghostarchive.org/archive/20221009/http://www.riema.ri.gov/berhodyready/files/Session_1_Business%20Continuity.pdf |archive-date=2022-10-09 |url-status=live | author=Helen Clark |date=August 15, 2012}}</ref>

===Business impact analysis (BIA)===
A business impact analysis (BIA) differentiates [[Critical system|critical]] (urgent) and non-critical (non-urgent) organization functions/activities. A [[Mission-essential function|function]] may be considered critical if dictated by law.

Each function/activity typically relies on a combination of constituent components in order to operate:
* Human resources (full-time staff, part-time staff, or contractors)
* IT systems
* Physical assets (mobile phones, laptops/workstations etc.)
* Documents (electronic or physical)

For each function, two values are assigned:
* Recovery point objective (RPO) – the acceptable latency of data that will not be recovered. For example, is it acceptable for the company to lose 2 days of data?<ref>{{cite web |last1=May|first1=Richard|title=Finding RPO and RTO |url=http://www.virtualdcs.co.uk/blog/business-continuity-planning-rpo-and-rto.html|url-status=dead |archive-url=https://web.archive.org/web/20160303224604/http://www.virtualdcs.co.uk/blog/business-continuity-planning-rpo-and-rto.html|archive-date=2016-03-03}}</ref> The recovery point objective must ensure that the maximum tolerable data loss for each activity is not exceeded.
* Recovery time objective (RTO) – the acceptable amount of time to restore the function

==== Maximum RTO ====
Maximum time constraints for how long an enterprise's key products or services can be unavailable or undeliverable before stakeholders perceive unacceptable consequences have been named as:
* {{visible anchor|Maximum tolerable period of disruption}} (MTPoD)
* Maximum tolerable downtime (MTD)
* Maximum tolerable outage (MTO)
* Maximum acceptable outage (MAO)<ref>{{cite web |title=Maximum Acceptable Outage (Definition) |url=http://www.riskythinking.com/glossary/maximum_acceptable_outage.php |access-date=4 October 2018 |website=riskythinking.com |publisher=Albion Research Ltd.}}</ref><ref>{{cite web |title=BIA Instructions, BUSINESS CONTINUITY MANAGEMENT - WORKSHOP | url=http://www.driecentral.org/biainstructions.pdf |archive-url=https://ghostarchive.org/archive/20221009/http://www.driecentral.org/biainstructions.pdf |archive-date=2022-10-09 |url-status=live |website=driecentral.org |access-date=4 October 2018 |publisher=Disaster Recovery Information Exchange (DRIE) Central}}</ref>

According to ISO 22301 the terms ''maximum acceptable outage'' and ''maximum tolerable period of disruption'' mean the same thing and are defined using exactly the same words.<ref>{{cite web |title=Plain English ISO 22301 2012 Business Continuity Definitions |url=http://www.praxiom.com/iso-22301-definitions.htm |website=praxiom.com |publisher=Praxiom Research Group LTD. |access-date=4 October 2018}}</ref> Some standards use the term ''maximum downtime limit''.<ref>{{cite web |url=https://www.ncsc.gov.bh/assets/static_images/policies/baseline-cybersecurity-controls-v1.pdf |page=12 |title=Baseline Cyber Security Controls |publisher=[[Ministry of Interior (Bahrain)|Ministry of Interior]] - National Cyber Security Center |year=2022}}</ref>

====Consistency====
When more than one system crashes, recovery plans must balance the need for data consistency with other objectives, such as RTO and RPO.<ref name=OpsBLog.Consistency>{{cite web |url=https://www.opscentre.com/blog/2016/03/22/recovery-consistency-objective |title=The Rise and Rise of the Recovery Consistency Objective |access-date=September 9, 2019 |date=2016-03-22 |archive-date=2020-09-26 |archive-url=https://web.archive.org/web/20200926060225/https://www.opscentre.com/blog/2016/03/22/recovery-consistency-objective/ |url-status=dead }}</ref> '''Recovery Consistency Objective''' (RCO) is the name of this goal. It applies [[data consistency]] objectives to define a measurement for the consistency of distributed business data within interlinked systems after a disaster incident. Similar terms used in this context are "Recovery Consistency Characteristics" (RCC) and "Recovery Object Granularity" (ROG).<ref>"How to evaluate a recovery management solution." West World Productions, 2006 [http://www.thefreelibrary.com/How+to+evaluate+a+recovery+management+solution-a0147748661]</ref>

While RTO and RPO are absolute per-system values, RCO is expressed as a percentage that measures the deviation between actual and targeted state of business data across systems for process groups or individual business processes.
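
Added example (not part of the original article): a sketch of how a recovery test could check per-system RPO and measure RCO per business process, taking RCO as 1 minus the share of inconsistent entities, after two interlinked systems are restored from backups of different ages. The system names, entity ids, process mapping and the rule for what counts as "inconsistent" are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data: two interlinked systems restored from backups
# taken at different times before the same incident.
INCIDENT = datetime(2024, 3, 1, 12, 0)
RESTORED = {
    "orders":  {"backup_at": datetime(2024, 3, 1, 11, 0), "rpo": timedelta(hours=4),
                "rows": {"o1": "paid", "o2": "paid", "o3": "shipped", "r1": "refunded"}},
    "billing": {"backup_at": datetime(2024, 2, 29, 23, 0), "rpo": timedelta(hours=4),
                "rows": {"o1": "paid", "o2": "open", "r1": "refunded"}},
}
# Hypothetical mapping of business processes to the entities they touch.
PROCESSES = {"order-to-cash": ["o1", "o2", "o3"], "refunds": ["r1"]}


def rpo_breaches(restored, incident):
    """Return the systems whose data-loss window exceeds their RPO."""
    return sorted(name for name, s in restored.items()
                  if incident - s["backup_at"] > s["rpo"])


def inconsistent_entities(entity_ids, restored):
    """Assumed rule: an entity is inconsistent if the systems disagree on
    its state or if it is missing from any system after recovery."""
    bad = []
    for eid in entity_ids:
        states = {s["rows"].get(eid) for s in restored.values()}
        if len(states) != 1 or None in states:
            bad.append(eid)
    return bad


def rco(entity_ids, restored):
    """RCO = 1 - inconsistent entities / entities, for one process."""
    if not entity_ids:
        raise ValueError("process has no entities to measure")
    return 1 - len(inconsistent_entities(entity_ids, restored)) / len(entity_ids)


def report(processes, restored):
    """RCO per business process, rounded to four decimal places."""
    return {name: round(rco(ids, restored), 4) for name, ids in processes.items()}


if __name__ == "__main__":
    print("RPO breaches:", rpo_breaches(RESTORED, INCIDENT))
    for name, value in report(PROCESSES, RESTORED).items():
        print(f"{name}: RCO {value:.0%}")
```

In this constructed case the billing backup is 13 hours old against a 4-hour RPO, and the gap between the two recovery points is what leaves two of the three order-to-cash entities inconsistent.
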
The following formula calculates RCO with "n" representing the number of business processes and "entities" representing an abstract value for business data:

<math>\text{RCO} = 1 - \frac{(\text{number of inconsistent entities})_n}{(\text{number of entities})_n}</math>

100% RCO means that post recovery, no business data deviation occurs.<ref>{{cite web |author1=Josh Krischer |author2=Donna Scott |author3=Roberta J. Witty |title=Six Myths About Business Continuity Management and Disaster Recovery |publisher=Gartner Research | url=http://www.gartner.com/it/content/868800/868812/six_myths_about_bcm.pdf |archive-url=https://ghostarchive.org/archive/20221009/http://www.gartner.com/it/content/868800/868812/six_myths_about_bcm.pdf |archive-date=2022-10-09 |url-status=live}}</ref>

===Threat and risk analysis (TRA)===
After defining recovery requirements, each potential threat may require unique recovery steps (contingency plans or playbooks). Common threats include:
{{columns-list|colwidth=18em|
* [[Epidemic]]/pandemic
* [[Earthquake]]
* Fire
* [[Flood]]
* [[Hacker (computer security)|Cyber attack]]
* [[Sabotage]] (insider or external threat)
* [[Hurricane]] or other major storm
* [[Power outage]]
* Water outage (supply interruption, contamination)
* Telecomms outage
* IT outage
* [[Terrorism]]/[[Piracy]]
* [[War]]/civil disorder
* Theft (insider or external threat, vital information or material)
* Random failure of mission-critical systems
* Single point dependency
* Supplier failure
* Data corruption
* Misconfiguration
* Network outage
}}

The above areas can cascade: Responders can stumble. Supplies may become depleted.

During the 2002–2003 [[SARS]] outbreak, some organizations compartmentalized and rotated teams to match the [[incubation period]] of the disease. They also banned in-person contact during both business and non-business hours. This increased [[Resilience (organizational)|resiliency]] against the threat.
===Impact scenarios===
Impact scenarios are identified and documented:
* need for medical supplies<ref>{{cite journal|doi=10.1016/j.ijpe.2009.10.004 |title=Medical supply location and distribution in disasters}}{{clarify|reason={{pipe}}doi= does not match {{pipe}}title=|date=December 2021}}</ref>
* need for transportation options<ref>{{cite web |url=https://scholar.google.com/scholar_url?url=https://orbi.uliege.be/bitstream/2268/8333/1/JORS_Barbarosoglu_Arda_2004.pdf%26hl=en%26sa=X%26scisig=AAGBfm0xx_ynzP503rz-gtdgZVSN_h-m7w%26nossl=1%26oi=scholarr |archive-url=https://ghostarchive.org/archive/20221009/https://orbi.uliege.be/bitstream/2268/8333/1/JORS_Barbarosoglu_Arda_2004.pdf%26hl=en%26sa=X%26scisig=AAGBfm0xx_ynzP503rz-gtdgZVSN_h-m7w%26nossl=1%26oi=scholarr |archive-date=2022-10-09 |url-status=live |title=transportation planning in disaster recovery |website=SCHOLAR.google.com}}</ref>
* civilian impact of nuclear disasters<ref>{{Cite web|url=https://www.globalsecurity.org/security/library/report/2004/hsc-planning-scenarios-jul04_exec-sum.pdf |archive-url=https://ghostarchive.org/archive/20221009/https://www.globalsecurity.org/security/library/report/2004/hsc-planning-scenarios-jul04_exec-sum.pdf |archive-date=2022-10-09 |url-status=live|title=PLANNING SCENARIOS Executive Summaries}}</ref>
* need for business and data processing supplies<ref>{{cite magazine |author=Chloe Demrovsky |title=Holding It All Together |magazine=Manufacturing Business Technology |date=December 22, 2017}}</ref>

These should reflect the widest possible damage.