major incident or disaster, and enables management to provide direction and advice to affected business departments or units. A BCP comprises three major components: risk assessment, contingency planning (which is the process of creating, testing and maintaining a plan to recover from any form of disaster) and disaster recovery (the purpose of a disaster recovery plan (DRP) is to recover mission-critical technology and applications at an alternative site.

A DRP is a critical part of the BCP process and should be prepared to address each level of risk.

Byte Idea – ESRI

1. Risk assessment. Each organization needs to assess the major risks relevant to its own operating environment and determine the probable disaster scenarios that could affect its operations. As a minimum requirement, an organization should include the following disaster scenarios in its risk assessment where applicable:

• Physical and environmental disasters that cause the workplace to be inaccessible or inoperable. This could be due to fi re, explosion, fl ood, broken water pipes, accidental activation of water sprinklers, etc.

• Internal infrastructure failures that cause a cessation of internal information fl ow such as power failures, data centres or mainframes not being available, voice and data telecommunication failures and network failure (LAN, WAN), etc.

• External infrastructure failures which causes a cessation of inter-business information fl ow such as an interface failure between business partners, a failure by service providers, a widespread telecommunication failure, widespread power failures.

• Situational disasters such as terrorist attacks, a run on the stockmarket, national instability (e.g. political upheaval, military coup), or localized instability (e.g. a riot).

2. Contingency planning. The BCP process should be centrally coordinated and managed with input from all the departments/units that comprise the organization. In order to ensure that the plan can be fully implemented, all staff should be made aware of their roles and responsibilities, and regular drills held to monitor the effectiveness of the plan and to reveal any shortcomings which should be addressed (Fig. 5.8).

The practice of ensuring a disciplined documentation process and monitoring of a defi ned BCP process, the transparent provision of information to the public with timely press releases, the accountability of the various teams mobilized to make decisions and act on issues, sound management direction in a crisis and showing responsibility for social issues such as the safety and recovery of staff and tenants, all point towards good corporate governance that will promote trust and confi dence in the organization from its suppliers and customers.

3. Disaster recovery plans (DRP). In a DRP, which should focus on the most probable set of risks for a particular location, business functions must be identifi ed and prioritized for recovery at an alternative site. Each plan should include manual processing procedures in the event that business systems cannot be fully automated on resumption. In the worst case scenario, in which access to the corporate site is unavailable, the alternative site should be activated, key personnel relocated to the site and the DRP activated. The following key procedures, each with the sequence of operations, tasks to be performed, individual action plans (who, what, where and when), and communication and contact procedures associated with it, should be documented in the DRP:

• Notifi cation and activation of key staff

• Retrieval of vital records

• Re-location to alternate site

• Reconciliation of vital records for work-in-progress at the time of the disaster

• Resumption of business operations in ‘recovery mode’

• Acquisition of internal services and vendor support

• Expense monitoring and control

• Manual processing instructions

• Restoration of data when systems become available.

Fig. 5.8. The business contingency planning cycle

Business Continuity Planning

Business continuity planning should be ongoing throughout a business life cycle and has four phases:crisis prevention, emergency response, recovery of operations and restoration of facilities. ISO17799 (BS7799) (ISO, 2005) is an international security standard which covers disaster recovery and crisis management planning. The standard is very clear and requires a formal approach and the creation of a quality plan. Compliance with ISO17799 represents a statement on your company’s disaster recovery arrangements and gives assurance that the plan is sound and that the disaster recovery practices are likely to be adequate.

BCP Phase 1. Crisis Prevention and Survival

In this phase, various measures and activities can be taken by organizations to lessen the possibility or the impact of an adverse incident occurring to the business. Such activities include protecting corporate assets, which itself involves safeguarding the human assets, facilities and contents and vital records of the corporate entity, undertaking an analysis of the risks involved and creating appropriate risk minimization strategies, and conducting a business impact assessment.

• Safeguarding human assets involves protection from harm as well as the identifi cation of key employees required in a crisis situation and how to contact them at all times (seven days a week, 24 hours a day).

• Facilities and contents represent substantial capital investment and include buildings, furniture, equipment and other assets. Chief among these are data centres, branches and overseas offi ces if they exist. Each asset must be evaluated in terms of the threats most

likely to materialize impacting the company’s business or that of a strategic business partner, and the capacity of the company to cope with and minimize effects of threats which may include:

Š Natural disaster

Š Terrorist attack

Š Cyber-terrorism

Š Market manipulation

Š Accidental damage.

Risk minimization for facilities also includes the assessment of vulnerability to factors such as the use of a hazardous process or materials, storage of combustible materials, fl oor layout and arrangements which may concentrate or crowd control equipment, inadequate building exits, lack of shelter areas and limited evacuation routes. Analysis of facility vulnerability can provide the basis for developing practical and workable response plans.

• A business impact analysis (BIA) should be conducted to determine the fi nancial and operational impact and/or exposure of a business outage for different periods of time and should include an analysis of the:

Š Maximum tolerable down-time for each business process

Š Critical resources and systems needed to support business recovery

Š Alternative site requirements

Š Dependencies associated with each business process.

Other issues that must be addressed in this fi rst phase of BCP should include:

• The establishment and maintenance of a contact list of all vendors and suppliers for non- computer recovery resources required by the organization at an alternative site if that is required

• An estimate of the cost of resources required for recovery activities and a check that existing insurance coverage is adequate

• The establishment of guidelines and procedures for insurance claims in the event of a disaster

• The maintenance and updating of an inventory list of resources kept offsite

• The establishment of procedures for processing requests for recovery expenses

• The arrangement for purchase or lease of IT-related resources and telecommunications

• The arrangement of back-up servers for systems on servers/workstations to be established and maintained at the alternative site.

BCP Phase 2. Emergency Response

Following staff evacuation from the offi ce building under the survival phase, the emergency response phase involves immediate reaction to assess the damage or impact. The BCP standards should cover procedures such as incident identifi cation, damage assessment, activation of recovery plans and management/staff notifi cation.

Remote-access-aware disaster management teams should be activated in order to coordinate staff and restart business processes. These are cross-functional teams with representatives from human resources, facilities, relevant departments and IT. Teams should have direct access to registry lists of employees per site and the lists should be organized in

chained levels of priority for easy access to home addresses, contact numbers and remote- access capabilities.

These disaster management teams should coordinate activities to create virtual business units that leverage remote access to minimize points of failure and risk. They should use pre- assigned toll-free numbers for emergency contacts, create remote centres for pre-prioritized staff to work out of on a separate power grid, activate website/automated call centres for check-in by staff who may have been affected by the disaster, with confi rmation entered into a database which can be queried via the internet or telephone.

BCP Phase 3. Recovery of Operations

This phase involves initial resumption of time-sensitive and essential business operations and related computer and application systems, followed by less time-sensitive operations. How much of the less time-sensitive operations to be resumed at an alternative site would depend on their criticality to the organization.

Disaster or business recovery plans (BRPs) for each department or business unit in the organization should be prepared in advance and centrally managed by a designated business unit – most likely the unit that handles corporate security. In an eBusiness scenario, the following techniques may be employed if an alternative site is being deployed:

• Remote disk mirroring – which involves rolling-over a live system to backup facilities with little or no interruption

• A hot network node

• Remote journaling

• Deploy the standby operating systems

• Replicate the main server/s

• A tape library – to support the backup and recovery needs of data centres with mission- critical data backups.

BCP Phase 4. Restoration of Facilities

During this phase, all business and computer processing operations that are transferred to the alternative site will be restored at the primary site or relocated to a new structure. Normal business operations and services will be re-established at the primary/new site and post- recovery operations will be completed.

Business continuity planning and the resultant business continuity plan are imperative business processes in the 21st century. Without such planning, and in the face of a major disaster, chaos can rapidly result and the business can go to the wall. BCP is particularly important in a company that uses electronically enabling mechanisms to do business – losing data and corporate information is critical and has a long lasting effect which some companies can never recover from.

Summary

Developing and maintaining trust-based business relationships – the cornerstone of the electronically enabled business – is a diffi cult task requiring good communication and negotiation skills. This chapter has looked at some of the theory behind the development of trust, and how these theories and associated issues are related to the practical requirements of doing business in the eLandscape. Of particular importance is the need to recognize that the

‘unique selling point’ of the internet is that it opens up and extends communication channels that may not have been present previously. In so doing, it facilitates what electronically enabled business is all about – that is, the increased fl ow of good quality information and the creation of ‘gateways to deals’ between parties separated by time and distance. As such, the issue of privacy in terms of access to that information and the systems involved is a major concern and the physical and logical issues necessary to control access must be understood and acted upon to ensure that buyers, sellers, employees and customers are all suffi ciently comfortable to enable them to conduct business with the organization.

Managing the risks associated with doing business in an uncertain environment where trust related issues can make or break a business, is also a key management task addressed in this chapter. Risk management and risk evaluation strategies are put forward with the key areas necessitating serious contemplation for a manager – including disaster management and business continuity planning. Wendy Erhart, co-owner of Withcott Seedlings has proven time and again to be a good forseer and manager of risk. She is the Smart Thinker for this chapter.