In the wake of some spectacular corporate governance failures at several companies, Congress has enacted the Sarbanes-Oxley Act. It addresses the shortcomings of corporate governance and now requires improved and demonstrated overall controls associated with the management and reporting of corporations - it is now law as of April 15, 2004. Failure to comply with Sarbanes-Oxley exposes Senior Management to possible prison time and/or significant penalties.
A great amount of activity in the Business Continuity/Disaster Recovery arena has recently occurred as related to the Sarbanes-Oxley Act. Business Continuity Programs, or the lack of them, are now on the checklists of all Corporate Auditors. Active and up-to-date Business Continuity Programs have now become a “Corporate Necessity”.
Cosmic Software Technology has recently formed a new arm of the company to provide all aspects of Business Continuity/Disaster Recovery Services. We now have two nationally recognized experts on staff to head up and manage our Business Continuity/Disaster Recovery projects. We feel that we can add great value to your organization with these services.
Cosmic Software Technology looks forward to further discussion of how our Business Continuity Program can protect your company’s critical assets.
The Eight Step Business Continuity Program
The following program outline is a typical Business Continuity Program as found in “The Professional Practices for Business Continuity Planners” which is administered by Disaster Recovery Institute International (DRII) of Falls Church, Virginia. DRI International was founded in 1988 to provide a base of common knowledge in contingency planning. DRII also administers the industry's global certification program for qualified business continuity and disaster recovery planners (CBCP). The “Professional Practices for Business Continuity Planners” serves as the industry’s best practices standard.
The following eight (8) phase approach is utilized as the methodology for the initiation and timely completion of your Business Continuity and Recovery Planning Project. These phases are:
Phase 1 -- Project Initiation and Management
Phase 2 -- Perform a Risk Analysis
Phase 3 -- Perform a Business Impact Analysis
Phase 4 -- Develop a Recovery Strategy and establish Recovery Policies and Budgets
Phase 5 -- Develop the Business Continuity & Recovery (BC&R) Plan
Phase 6 -- Exercise the Business Continuity & Recovery (BC&R) Plan
Phase 7 -- Maintain and Update the Business Continuity & Recovery (BC&R) Plan
Phase 8 -- Train and Maintain Corporate Awareness of Business Continuity & Recovery (BC&R) Plan.
1. Project Initiation and Management
Identifies the scope of the project and provides an initial review of the Eight Phases. A high-level project timeline is developed at this point.
2. Risk Analysis
Each phase of the BC Program is dependent upon the completion of the preceding phase, except for the Risk Analysis. The Risk Analysis is typically performed “stand-alone”, regardless of whether a Business Continuity Program is already in place.
The Risk Analysis (RA) determines the vulnerability of a company’s physical and operational facilities to internal and external threats. It results from a focused evaluation of the company’s facilities and a statement of the most probable threats to those facilities.
The RA provides a rationale and cost justification for installation of risk mitigation elements (“controls”) to support continuous availability of business operations. By clearly stating the possible effects of a threat, it provides a vehicle for decisions by Senior and Executive Management. Observations made during the Risk Analysis are verified with key managers, and modified based upon validated information received from these reviewers. Issues related to risk mitigation are addressed as an essential element in any upgrade or architectural change. A set of "next steps" is developed to create a process that responds to changes in daily operational needs and business processes.
Although all 8 phases are needed for a successful Business Continuity Program, most practitioners in the industry feel that the Risk Analysis provides a client “the biggest bang for the buck”. It can be viewed as a “Business Continuity Physical Exam”.
3. Business Impact Analysis
The Business Impact Analysis (BIA) identifies critical company assets and determines the financial exposures and operational impacts resulting from a major outage or disruption in the daily business or telephone services operations. It results from questionnaires and face-to-face interviews with key company and department heads.
4. Business Recovery Strategy, Policies and Budgets
Development of Acceptable Recovery Strategies to effectively avoid the “Outage Impacts” as agreed upon during the BIA. In addition, it provides the Disaster Recovery Team Leaders and Alternate Team Leaders with a “Place To Go For Recovery” in the aftermath of a Disaster Event.
5. Business Recovery Plan Development
Development of a Business Recovery Plan will assume a worst-case, total facility disaster, thus also providing for recovery from less severe circumstances. An alternate site location will be identified for business recovery. Team responsibilities will be detailed. All pertinent employee and business data will be included.
6. Exercising the Business Recovery Plan
Plan exercises should be conducted bi-annually during the initial phase of plan introduction. Plan functions and team communications are tested initially with more elaborate scenarios introduced as each subsequent test progresses. Plan maintenance is performed as an output of the Plan exercise.
7. Business Recovery Plan Maintenance
It is recommended that Plan Maintenance be performed on a yearly basis or as organizational structures may dictate. At maintenance time any new or changed pertinent information is edited and the updated Business Recovery Plan is distributed to the team members.
8. Employee Training and Corporate Awareness
Employees need to be aware of their responsibilities during the activation of the Business Recovery Plan. Employees who are not required in the execution of the plan still need to know that a plan exists and what it is expected to provide. Plan Training should be conducted for existing employees, and new employees should be made aware that a BC&R Plan exists and what their role in the plan requires.