Continuity Program Management Cycle
RISC utilizes a standardized continuity program management cycle which provides consistency across an organization’s business continuity programs. Establishment of standardized planning and procedural objectives and requirements ensures sustainment of Essential Functions (EFs) during a catastrophic emergency. Use of the Continuity Program Management Cycle facilitates development and implementation of resilient continuity programs. [Ref: FCD-1 Annex A]
Business Impact Analysis
A business impact analysis (BIA) predicts the consequences of disruption of a business function and process and gathers information needed to develop recovery strategies. Potential loss scenarios should be identified during a risk assessment. Operations may also be interrupted by the failure of a supplier of goods or services or delayed deliveries. There are many possible scenarios which should be considered.
Identifying and evaluating the impact of disasters on business provides the basis for investment in recovery strategies as well as investment in prevention and mitigation strategies. [Department of Homeland Security]
Consider the Impact
The BIA should identify the operational and financial impacts resulting from the disruption of business functions and processes. Impacts to consider include:
- Lost sales and income
- Delayed sales or income
- Increased expenses (e.g., overtime labor, outsourcing, expediting costs, etc.)
- Regulatory fines
- Contractual penalties or loss of contractual bonuses
- Customer dissatisfaction or defection
- Delay of new business plans
Timing and Duration of Disruption
The point in time when a business function or process is disrupted can have a significant bearing on the loss sustained. A store damaged in the weeks prior to the holiday shopping season may lose a substantial amount of its yearly sales. A power outage lasting a few minutes would be a minor inconvenience for most businesses but one lasting for hours could result in significant business losses. A short duration disruption of production may be overcome by shipping finished goods from a warehouse but disruption of a product in high demand could have a significant impact.
Conducting the BIA
Use a BIA questionnaire to survey managers and others within the business. Survey those with detailed knowledge of how the business manufactures its products or provides its services. Ask them to identify the potential impacts if the business function or process that they are responsible for is interrupted. The BIA should also identify the critical business processes and resources needed for the business to continue to function at different levels.
BIA Report
The BIA report should document the potential impacts resulting from disruption of business functions and processes. Scenarios resulting in significant business interruption should be assessed in terms of financial impact, if possible. These costs should be compared with the costs for possible recovery strategies. The BIA report should prioritize the order of events for restoration of the business. Business processes with the greatest operational and financial impacts should be restored first.
Next steps: Business Continuity Plan and Information Technology Disaster Recovery Plan.
Business Disruption Scenarios
- Physical damage to a building buildings
- Damage to or breakdown of machinery, systems or equipment
- Restricted access to a site or building
- Interruption of the supply chain including failure of a supplier or disruption of transportation of goods from the supplier.
- Utility outage (e.g., electrical power outage)
- Damage to, loss or corruption of information technology including voice and data communications, servers, computers, operating systems, applications, and data
- Absenteeism of essential employees [Referenced: DHS]
RISC Utilizes a strategic approach to the development of Business Impact Analysis. The purpose and use of the BIA is critical to an organization’s understanding of the potential threats and hazards that may seriously affect its ability to execute Essential Functions-especially during a catastrophic event.
Example of BIA Methodology:
- Determine Scope of BIA
- Determine Critical Operations
- Determine Interdependencies
- Determine Impacts (Tangible and Intangible)
- Determine Outage and Recovery Times
- Determine Control Measures
- Determine Resource Requirements
- Set Continuity and Restoration Objectives
- Develop Response, Continuity and Recovery Plans
Business Process Analysis
Business Process Analysis (BPA) is a methodology for the analysis of a business with a view to understanding the processes and improving the efficiency and effectiveness of its operations. It describes the processes involved, parties participating, information exchanged and documents produced. [Referenced DHS]
RISC utilizes Five Basic Questions to develop and execute a sound BPA:
Continuity of Government
RISC is highly experienced and well-versed in the development and execution of the National Continuity of Government Program (COG)- Presidential Policy Directive (PPD-40)- The National Continuity Policy. [Reference: https://www.fema.gov/pdf/about/org/ncp/nspd_51.pdf]
Background
Since the days of the Cold War, the United States has had a plan in place to continue the operation of the government following a catastrophic attack on the nation’s capital. The 2007 “National Security Presidential Directive 51” directs the geographic dispersion of leadership, staff, and infrastructure in order to maintain the functions of the United States Government in the event the nation’s capital is “decapitated” by a terrorist attack.
Buried deep within the 98-page National Continuity Plan is the strategy for the mass evacuation and relocation of every federal government agency including The White House and the military in response to an exceptional catastrophic event within the National Capital Region. Each agency is required to have a detailed Continuity of Operations Plan (COOP) in place. [Referenced DHS]
The Shadow Government
Following a catastrophic national emergency, the President, or his successor can authorize the establishment of a temporary “shadow government” to maintain control of the essential functions of the Federal Government. President Bush activated the shadow government on September 11, 2001 shortly after the second attack on the World Trade Center.
Every federal agency has designated key individuals to be part of an “Emergency Relocation Group”. These ERGs are assigned to an alternate secure location on a rotating basis and are ready to take over the duty of supporting the National Essential Functions of this nation in an emergency. [Referenced DHS]
COGCON Levels
The Continuity of Government Readiness Conditions (COGCON) system establishes executive branch readiness levels based on possible threats to the National Capital Region. The President alone determines and issues the COGCON Level.
COGCON 4: Federal executive branch government employees at their normal work locations. Maintain alternate facility and conduct periodic continuity readiness exercises.
COGCON 3: Federal agencies and departments Advance Relocation Teams “warm up” their alternate sites and capabilities, which include testing communications and IT systems. Ensure that alternate facilities are prepared to receive continuity staff. Track agency leaders and successors daily.
COGCON 2: Deployment of 50-75% of Emergency Relocation Group continuity staff to alternate locations. Establish their ability to conduct operations and prepare to perform their organization’s essential functions in the event of a catastrophic emergency.
COGCON 1: Full deployment of designated leadership and continuity staffs to perform the organization’s essential functions from alternate facilities either as a result of, or in preparation for, a catastrophic emergency.
[Referenced DHS]