S 6.114 Creating a business continuity concept
Initiation responsibility: Emergency Officer, Top Management
Implementation responsibility: Emergency Officer
A business continuity concept helps implement the business continuity strategy and describes a planned approach to reach the goals set for business continuity management. The business continuity concept comprises all of the documents drawn up in the business continuity management process. It consists of two essential components: contingency concept and business continuity handbook. These components reflect the two most important tasks of business continuity management: increasing the robustness of the business processes to reduce the probability of a damage event and optimally preparing the government agency and/or company to respond to an emergency or a crisis in order to minimise the effects of the damage. The contingency concept describes the present framework and contains all information generated during conception that does not contribute directly to responding to an emergency. The information needed to respond directly to an emergency such as contact information or instructions is described in the business continuity handbook.
It must be possible to trace every specific preventive safeguard back to the business continuity concept. For this reason, the business continuity concept must be planned and implemented carefully. Each of the aspects described briefly in the following are addressed in detail in BSI standard 100-4 Business Continuity Management.
A prerequisite for drawing up a business continuity concept is basic knowledge of the organisation and/or the specified scope of business continuity management, and a deep understanding of the business activities. The information needed, including the master data and an overview of the business processes, must be provided to business continuity management. The overview of business processes should also include information on the dependencies between the processes as well as information on which business processes are needed to manufacture the main products or provide the main services of the organisation. Outsourced processes must be taken into account in the overview of the business processes, and the suppliers, cooperation partners, and outsourcing service providers must be taken into account when examining the dependencies between the business processes.
One of the first steps during conception is to examine the impacts of business interruptions, to determine the availability requirements for the business processes and their required resources, and to define the required recovery periods.
For this, a Business Impact Analysis (BIA) should be performed. There are various methods for determining the required results. A method for performing the BIA that is appropriate for the particular organisation must be selected, parameters must be defined for the selected method, and the corresponding decisions must be documented.
Experience has shown that methods based on complex numeric examinations often generate disproportionately high expenditure. The pragmatic approach specifically suitable for small-scale organisations would be to determine, classify, and/or prioritise the relevant processes in a workshop in cooperation with the persons responsible.
The selected method for performing a BIA should at least comprise the following steps:
- It must be analysed and assessed how an interruption of the business processes or value chains will affect the government agency and/or company and how the damage caused during interruption will spread during this time.
- Recovery parameters for the business processes must be identified and/or specified. These include:
  - the availability requirement marking the transition from failure to emergency,
  - the maximum tolerable period of disruption,
  - the recovery time,
  - the recovery level, and
  - the maximum admissible loss of data.
  In addition, it is recommended to define the maximum permissible recovery time and/or the maximum permissible level of emergency operations.
- The business processes must be prioritised for the recovery. It may make sense to divide them into recovery classes. In this, it must be ensured, though, that the priorities and the recovery times are economically feasible and can be realised with the financial and personnel resources available. Mutual dependencies between the business processes must be taken into account. The organisation must specify which business processes are considered critical by the organisation and therefore must be included in all further considerations when specifying the concept.
- For the critical business processes at a minimum, the resources required for normal operation and for emergency operations must be defined and the degree of dependency of the particular business process on these resources must be determined. If single points of failure are identified, they must be specifically indicated. A single point of failure refers to a resource the failure of which will lead to the complete failure of business processes. It is recommended to perform a quick check of the corresponding safeguards.
- For each resource, it is necessary to assess its criticality, to determine its availability requirement, and to define its recovery and restoration times.
The Emergency Officer coordinates and performs the BIA with the help of the Emergency Coordinators. The main contacts and interview partners when performing the BIA are the people responsible for the business processes and resources. The results of the BIA must be documented in writing and approved by the organisation's management.
Detailed information on one possible method for performing a Business Impact Analysis can be found in BSI standard 100-4 Business Continuity Management.
A risk analysis must be performed to find the potential causes of business process interruptions. A suitable method for performing the risk analysis and the objectives of the analysis must be specified and documented. When performing the risk analysis, it may be helpful to analyse the effects of the failures identified in the BIA and vice-versa. The result of the risk analysis is a list of the primary risks to the continuity of the business processes and the resources critical to the organisation (see BSI standard 100-3 Risk analysis based on IT-Grundschutz). For each risk identified, it must be decided which risk strategies should be followed to reduce its effects, to decrease the probability of its occurrence, and to minimise the potential downtime.
In order to be able to derive the requirements, to specify specific safeguards, and to define recovery strategies based on the general goals, the protection requirements identified, and the risk assessment, it makes sense to survey the current state of the critical business processes and their supporting resources. By comparing the target values specified in the BIA for recovery and restoration and the appetite for risk (level of acceptance of risk) initially specified by the organisation to the currently implemented safeguards and recovery measures, the organisation identifies any gaps still present for recovery and risk handling.
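The BIA steps and the target/actual comparison described above can be worked through on a small model. The following Python example is added here for illustration and is not part of the BSI safeguard or of standard 100-4. Its assumptions: all times are in hours, a process that a critical process depends on inherits the tighter maximum tolerable period of disruption, a resource without an alternative is treated as a single point of failure, and all names and figures are constructed sample data.

```python
from dataclasses import dataclass, field

@dataclass
class Process:
    name: str
    mtpd_h: float                 # maximum tolerable period of disruption (hours, assumed unit)
    critical: bool = False        # classified as critical in the BIA
    depends_on: list = field(default_factory=list)   # names of upstream processes
    resources: dict = field(default_factory=dict)    # resource name -> alternative available?

def effective_targets(procs):
    """Propagate criticality and the tightest MTPD to upstream processes."""
    target = {p.name: p.mtpd_h for p in procs.values() if p.critical}
    stack = list(target)
    while stack:
        cur = stack.pop()
        for up in procs[cur].depends_on:
            t = min(target[cur], procs[up].mtpd_h)
            if up not in target or t < target[up]:   # strictly tighter: terminates on cycles
                target[up] = t
                stack.append(up)
    return target

def resource_findings(procs, current_recovery_h):
    """Per resource: required recovery time, SPOF flag, gap against today's capability."""
    out = {}
    for pname, limit in effective_targets(procs).items():
        for res, has_alt in procs[pname].resources.items():
            f = out.setdefault(res, {"required_h": limit, "spof": False})
            f["required_h"] = min(f["required_h"], limit)
            f["spof"] = f["spof"] or not has_alt
    for res, f in out.items():
        f["gap_h"] = max(0.0, current_recovery_h[res] - f["required_h"])
    return out

# Constructed sample data (hypothetical processes, resources and recovery times)
PROCS = {p.name: p for p in [
    Process("order_handling", 8, critical=True, depends_on=["payment"],
            resources={"erp_server": False, "office_site": True}),
    Process("payment", 24, depends_on=["bank_link"],
            resources={"erp_server": False, "payment_gateway": True}),
    Process("bank_link", 4, resources={"wan_uplink": False}),
    Process("newsletter", 72, resources={"mail_server": True}),
]}
CURRENT = {"erp_server": 12, "office_site": 4, "payment_gateway": 6,
           "wan_uplink": 2, "mail_server": 48}
FINDINGS = resource_findings(PROCS, CURRENT)

if __name__ == "__main__":
    for res, f in sorted(FINDINGS.items()):
        print(res, f)
```

In this sample, `erp_server` is reported as a single point of failure with a four-hour recovery gap, while `mail_server` does not appear because no critical process depends on it.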
In order to close these gaps, reasonable safeguards must be identified in the further course of conception that increase the reliability of the critical business processes and the resources they need, allow for a prompt recovery and/or restoration, and therefore limit the downtime and the damage caused when an emergency occurs. It is recommended to develop various strategy options for the emergency response, for business continuity, and for the recovery and restoration of the resources:
- meeting the business continuity, recovery, and restoration requirements specified,
- exhibiting a reasonable costs/benefit ratio,
- producing a coordinated, overall solution, and
- taking into consideration or involving the most important interest groups.
Suitable strategies must be selected and the decision must be documented. The organisation should also record how it will cooperate with suppliers, cooperation partners, and outsourcing service providers in an emergency. IT safeguards should be coordinated with security management, if necessary.
A business continuity concept consisting of a contingency concept and a business continuity handbook must be drawn up. The contingency concept contains all information generated during conception, including the safeguards selected to handle the risk and to enable fast recovery and restoration. The business continuity handbook contains the information needed directly for and during the emergency response. This information includes the business continuity plans, the recovery and restoration plans, including replacement plans and backup plans, and business continuity plans for immediate safeguards, among other information. The business continuity plans, restoration plans, and recovery plans contain all information needed to quickly initiate emergency operations and to return the processes and resources back to normal operation. The plans should contain information on the recovery times and priorities of the processes and resources, as well as different recovery options for different damage events. Business continuity plans for immediate measures should ensure the welfare of the people affected by the emergency, among other things.
Depending on the type of organisation and how business continuity management is integrated into risk management in the organisation, it may make sense to create a crisis team guide and a crisis communication plan as well. The crisis team guide should provide the Crisis Team with support for strategic decision-making. The crisis communication plan contains information on how to communicate with the media and other interest groups and which paths of communication are to be used to this end, criteria specifying when and under which conditions information will be communicated, and the communication strategy.
The various business continuity plans must be compatible with each other. Each plan should contain the following information:
- who is responsible for the document,
- the scope of the plan,
- the purposes it can be used for,
- who will activate the plan under which conditions and how it is activated,
- what lines of communication are available for this area, and
- details of what tasks must be performed and which steps must be taken to respond to an emergency.
When viewed as a whole, the plans should contain the following information:
- specifications of the roles needed to respond to an emergency together with their tasks, rights, and duties,
- contact addresses of all employees with specific tasks in emergency response, as well as the addresses of external contacts such as cooperation partners, service providers, aid organisations, or regulatory authorities,
- criteria for the de-escalation of the emergency and a description of the steps the organisation needs to take for de-escalation, and
- specification of how the situation, decisions, and actions should be documented in an emergency.
All documents must be accessible to the people who need them to perform their tasks in emergency response. The documents must be formulated understandably for these people. Detailed information on the business continuity concept can be found in BSI standard 100-4 Business Continuity Management.
Implementation planning should be performed parallel to the selection of the individual safeguards and the creation of the business continuity concept. Implementation planning should specify the time frame for implementing the individual safeguards and which safeguards can be appropriately combined and implemented at the same time. In addition, the safeguards must be prioritised according to the urgency of their implementation. The implementation plan should contain the following:
- Specification of priorities (implementation sequence): All safeguards should be prioritised according to their importance and effectiveness. In general, priority should be given to implementing safeguards against particularly serious risks. If, for example due to financial reasons, it is impossible to implement all safeguards immediately, the safeguards with the broadest effect should be implemented first.
- When specifying the implementation sequence, possible interactions between the safeguards should be taken into account.
- Responsibilities: It must be specified for each safeguard who is responsible for initialising, implementing, and monitoring or auditing the safeguard.
When selecting emergency measures, it is necessary to consider their appropriateness and efficiency. The documentation should contain specific information on the responsibilities and authorities, as well as the activities planned for controlling, auditing, and monitoring the safeguards. The implementation sequence of all unfinished activities must be defined. In addition, the resources planned and/or used to implement the individual emergency measures must be documented.
When specifying the business continuity concept, information security must be taken into account. Information security must be guaranteed in an emergency, during initial operation, when operating alternative solutions, and when recovering normal operations. This includes guaranteeing the confidentiality of data (e.g. data access rights, encryption), meeting the minimum requirements in the field of data backups, and complying with all legal regulations (e.g. the archiving of business-relevant data). Security concepts must be created and security safeguards implemented for all emergency solutions. For this reason, close cooperation with the IT Security Officer must be ensured.
A business continuity concept may contain confidential information such as details of vulnerabilities or information on safeguards, for example. Such information may be deemed confidential and must only be disclosed to authorised personnel in this case. Therefore, the business continuity concept should be structured in such a way that individual parts can be disclosed to the specific group of addressees.
Review questions:
- Were the critical business processes and resources identified?
- Were the most important risks relevant to the critical business processes and resources identified, and were appropriate risk strategies selected for each risk?
- Were continuity strategies developed allowing for the critical business processes to be restored and recovered within the required time?
- Is there a current business continuity concept?
- Were business continuity plans and safeguards developed and implemented allowing for an effective emergency response and quick recovery of the critical business processes?
- Does the business continuity concept take into account information security and were corresponding security concepts for the business continuity solutions developed?