It's time to look at business continuity

By Vito Mangialardi
Certified Business Continuity Professional

"Business continuity" is the ability of a company to meet business obligations during operational challenges (crises) imposed by "out of normal conditions."

Every business has a duty to protect employees, customers, shareholders, and the public against any event that could significantly affect the well-being and safety of personnel, the assets of the company, or the ability to provide service to their customers. A crisis is anything that causes you to redirect time and resources from daily business operations to respond to and manage the event.

"Business continuity planning" is proactive planning to address identified business risks. Planning enables a business to satisfy customers' needs, maintain revenues, minimize expenses, preserve market share, and keep the concerns of stakeholders at bay during a major interruption.

Business continuity planning is not a new process, but it is an ever-changing concern. Today, cloud computing provides new options and opportunities for organizations to manage business continuity with respect to systems, data, applications, and operations. (See the article on cloud computing elsewhere in this newsletter.)

Business continuity planning is also not a stand-alone process. The concepts should be incorporated in current processes, particularly annual business and financial planning processes. Business continuity plans (BCPs) deal with keeping essential business functions going while systems/operations recovery is under way.

Where to start
An initial approach to setting up a BCP is to ask yourself questions such as: What do we do? How do we do it? Where do we do it? What infrastructure is needed to deliver the service or product to our customers? What are our essential resources? What data do we need? What is the minimum information technology we must have in place?

Once the above questions have been considered the focus should be on prevention, but since not all risks can be avoided, business continuity planning also involves plans for managing a crisis, mitigating a loss, and recovering the business.

Self-Assessment of your business
Many risk events are not insurable, for example, loss of customers, reputation, or competitive advantages. To protect the critical assets of your business and ensure that it can deliver under crisis situations, you need to:

• Identify critical business components and dependencies: business facilities, employees, processes/functions, systems/applications, data, platforms, and networks
• Identify threats and vulnerabilities to your business processes and infrastructure
• Identify the impact an outage would have on employees, customers, and business interfaces
• Define how long you can afford to be inoperable in terms of business financial and operational impacts (e.g., customer service, brand damage, lost revenue)
• Develop and implement a risk mitigation strategy based on business impacts and priorities
• Identify objectives, requirements, and priorities for recovery of critical business components (e.g. physical and human resources, technology, information, communications)
• Identify and/or negotiate acceptable levels of service during recovery
• Negotiate vendor contracts and/or lease agreements necessary to acquire equipment and services in the event of a disaster
• Determine critical vendor and business interface disaster recovery capabilities and assurances, in the event they are affected by the same disaster

Arrangements you can implement to protect your business include:

• Business facility physical security (e.g., building access, alarms, electronic surveillance, perimeter protection, fire detection, and suppression)
• Provisions for employee safety, both at the existing and recovery sites (e.g., emergency evacuation plans and drills)
• System and data backup arrangements and procedures that support recovery strategy
• Network and business data security (e.g., firewalls, intrusion detection, hacker protection, password authentication, data encryption)
• Network redundancy and rerouting capabilities
• Work-around procedures and/or contingency plans for technology or network disruptions

Strategize, develop, document, and test plans and responses to ensure you have made arrangements regarding facilities (including those for employees), processes, systems, data, platforms, and networks. Plans should address employee health and safety, business recovery and restoration activities, internal and external communications requirements, and business priorities, including dependant communications channels with other offices, business interfaces, vendors, suppliers, and all customers. Good business continuity and recovery strategies will enable your company to meet or even exceed customers' expectations in today's demanding marketplace.


MTS Allstream was awarded the 2009 Disaster Recovery Institute of Canada (DRI) Award of Excellence and is well positioned to advise you on your BCP.

Vito Mangialardi is Director, Corporate Emergency Management for MTS Allstream and a Certified Business Continuity Professional. He will be speaking at the Manitoba Disaster Management Conference, March 10, 2011 and the World Disaster Management Conference in Toronto June 19 -22, 2011.

A version of this article originally appeared in Emergency Management Canada, Volume 1, issue 2.