Business Continuity - The Minimalist Approach With MSTA©
Risks which are carried unknowingly can easily wreck a recovery operation. A prerequisite for the development of viable
plans is, therefore, that the risks of loss of availability of vital resources have been minimised and are fully known.
So, having checked your building's height above the water table; tested physical access controls; cross-trained your staff;
ensured that archived computer disks can still be read by current systems; checked your business interruption insurance;
prepared building floor plans, indicating important items; secured active support for the business continuity planning
process from senior management and agreed the recovery philosophy and strategy, you are ready to develop a draft business
continuity plan.
Business Impact Analysis
Chart the effect of an adverse incident's occurrence at different times of day and at various times of the year. (Choose,
say, 3-hourly intervals between 1am and 10pm.)
An example from a recent MSTA© project at an international bank showed that, for departments having hundreds of computer
entries during the day, the worst time for an incident would be late afternoon, before the computer data had been backed
up. For management and internal inspection departments, the worst time for an incident would be early morning, before the
overnight computer run had been completed, leaving them without vital reports for the whole day. In this case, the perceived
impact of these findings was sufficient to justify transaction mirroring to a remote computer which reduced the risk to
an acceptable level. Procedures to retrieve third party messages were also included in the plans, for additional security.
Some Planning Tips From MSTA©
MSTA© has been applied to business continuity plan development since 1989 and
is just one of several alternative approaches to plan development. Any methodology should be applied with care.
• Start with the Solution and work backwards. Resources for recovery do not need to be a sub-set of an existing inventory.
• Educate staff to think 'business recovery' as well as 'systems recovery'. A computer back up tape is absolutely
no use for business continuity purposes until it becomes a 'SECURE, OFF SITE, BACK UP'. This concept applies to all recovery
resources - such as tape readers etc.
• Telephone, fax, telex and electronic payments systems require special treatment, so ensure that provision is minimal,
but adequate to meet the recovery philosophy.
• Watch out for items which are omitted from plans because they are 'not needed immediately'. If they are destroyed
in an incident, they are gone for ever!
• Customers, other offices, legal advisers, regulators, (even competitors) can be useful sources for replacing lost
or inaccessible documents.
• For paper based business areas, consider the use of a basic computer spreadsheet to log transactions or business
activities in single line, audit trail style, to keep track of current status and historical activity. Keep copies of back
up disks both on and off site.
• Remember that mobile phones need fully charged batteries! Consider paying staff to use their own mobile phones and
document them as resources in the recovery plans.
Business Continuity - The Minimalist Approach
In 1989, MBA introduced a business contingency planning methodology, MSTA(minimal step, targeted approach), which has
been applied, mainly, to the special needs of international banks, during the past ten years. Software tools have evolved
to take advantage of improvements in IT platforms. The latest version of the MSTA business continuity plan preparation
software will allow internet or intranet storage and maintenance of BC plans.
Some suggested definitions of the 'jargon'.
Disaster recovery
Recovery of technical environments, such as I.T. systems, networks and communications. The term is not usually used to
describe the recovery of business processes, manual procedures or paper documentation. Incidentally, the term is meant
to imply recovery from, and not of, a disaster!.
Business continuity
The business continues without interruption. This term should be used only when the business is able to continue, without
interruption or break, following a 'disaster'.
Business resumption
Infers that the business has been interrupted by the 'disaster'. Business resumption plans will enable the business to
resume its operations, in accordance with a pre-determined schedule, following a disruptive incident,.
Contingency planning
The term indicates that various contingency or 'precautionary' measures have been pre-planned to limit the effects of
a 'disaster' and to assist in restoring normal business operations, in accordance with a pre-determined schedule.
The MBA/MSTA view is that a business contingency plan is a collection of procedures and emergency resources that are developed
to assist a business to recover following an unplanned interruption in one or more of its business processes.
Almost any business continuity plan or business contingency plan is better than non at all, so here are a few suggestions for anyone wishing to prepare
their own BC plan.
A prerequisite for the preparation of a business contingency plan is that the risk of 'loss of availability' of vital
resources, (such as staff, stock, paper records, computer data, premises, etc.), have been minimised and are fully known.
A risk which is carried unknowingly can wreck an otherwise viable BC plan.
The primary objective should be to ensure that all vital business records, computer data and intrinsically valuable items
can be restored, replicated or reproduced within an acceptable time period following an unplanned interruption. If the
re-commencement of a business process, following an unplanned interruption, is time-critical, it may be necessary to pre-provision
recovery resources at a remote recovery location. For non critical business processes, it is sufficient to pre-plan the
outline strategy for recovery.
Start with the solution and work backwards. Resources for recovery do not need to be a sub-set of an existing inventory.
And watch out for items which are omitted from plans because they are 'not needed immediately'. If they are destroyed in
an incident, they are gone for ever!
|
Press Articles
