BCM Audit Series
BCM Questionnaires 5: Business Continuity Strategy

A Business Continuity Strategy is the conceptual summary of recovery processes that must be carried out between the occurrence of a disaster and the time when normal operations are restored. It is the alternate processing or interim ability to process data and continue providing critical service while a full recovery of the primary site is underway.
Moh Heng Goh
BCMS Audit Certified Planner-Specialist-Expert

Alternative Processing

  • Did the BU BCM Coordinator identify alternative processing capabilities to each critical business function?
  • Were any alternative processing capabilities considered before any IT Business Continuity Strategy was deployed?
  • Was the Head of the Business Unit consulted to determine the Business Continuity Strategy for each critical business function?
  • Does any of the Business Continuity Strategy implementation violate organizational policies? If yes, what actions were taken?
  • Is cost-benefit analysis applied to each Business Continuity Strategy?
  • Do the reciprocal agreements consider the likelihood of both parties experiencing the same disaster?

Service Provider Contracts

  • Does the description of the alternate processing facilities indicate adequate physical security and appropriate environmental controls?
  • Are the availability of alternate vendor sites and the rights of the individual subscribers in the event of multiple disaster declarations specified?
  • Are the amount and nature of the support services provided by the vendor defined with respect to:
    • Implementation assistance?
    • Support for testing?
    • Logistical support?
    • After hours support?
  • Does the vendor set limits about the total number of clients that may subscribe to any given facility?
  • Is the vendor prohibited from renewing (except under an automatic renewal clause) or renegotiating the contract while the subscriber is experiencing a disaster or is in the recovery phase?
  • Are the duration of the test time and the scheduling defined?
  • Does the organization have the right to audit the installation periodically to ensure that the specified configuration is maintained?
  • Is there an escape clause that allows the subscriber to terminate the contract without any penalty for any of the following reasons?
    • Failure to maintain technical compatibility.
    • Failure to provide agreed-upon support services.
    • Failure to maintain suitable environmental support.
    • Any breach of contract.
  • Does the contract provide an annual window of opportunity to terminate without penalty?
  • Can the monthly fee be changed without the written consent of the subscriber?
  • Is the contract assignable without written consent?
  • Is the vendor subject to the appropriate non-disclosure conditions?

IT Recovery Specific Issues

  • Is there a clear and consistent definition of the backup capability of the vendor site throughout the contract?
  • Can the organization occupy the warm site for a minimum period of six weeks?
  • What are the defined conditions under which the subscriber can continue to occupy hot site facilities after the six week period?
  • Are the numbers and descriptions/type of locally attached terminals and/or other devices available while on-site defined?
  • Should continued technical capability be assured throughout the life of the contract?
  • Should the contract specify a guarantee of access to the hot-site (including after-hours access) during the period of disaster recovery?
  • Should the nature and extent of IT support services provided by the vendor be defined relative to:
    • Network diagnostic capabilities and implementation assistance?
    • Support for testing activities?
    • Assistance in configuring facilities such as equipment acquisition, transportation, storage, removal, and return?
    • Access to and use of vendor software, documentation, and ancillary facilities such as photocopying and food service?
    • Logistic support?

Off-site Storage of Documentation

  • Is there an adequate procedure for off-site storage of data tapes and any documentation considered critical to recovery?
  • How often is the data sent off-site: daily, weekly or less frequently? Is the timing realistic?
  • If it is a weekly process, can the organization recover the information lost between the time of the most recent tape and the date of a disaster, which may be as much as six days later?
  • Is the off-site storage company professionally managed?
  • Are the premises secured?
  • Are the tapes picked up from the organization in a secure container?
  • Have the backup tapes been tested?
  • Have tapes more than six years old been replaced with newer ones?
  • Are the dates of tape usage recorded?
  • Has the ability of the off-site storage company been tested?

Alternative BCM Strategies

  • Have alternative recovery strategies been identified?
  • Is the relationship based on a consortium for recovery sites?
  • Are there alternative communications systems?
  • Are limitations of reciprocal agreements with other organizations clearly understood?
  • Have the risks associated with each optional Business Continuity Strategy been assessed against the business impact analysis?
  • Has a cost/benefits analysis of alternative recovery strategies been prepared and presented to the Executive Management?
  • Has the organization considered relocating its alternate site away from the city? If not, what justification was given for taking no action? Were alternative arrangements made?
  • Has a review of the documentation supporting the different strategic alternatives been conducted?
  • Is there an estimate of the time it will take to overcome the backlog of work accumulated during the outage?

Location of Recovery Facility

  • The position of the recovery facility:
    • Does it make sense?
    • Is it based on plain convenience or inconvenience?
    • If a disaster were to strike the current primary site, would the recovery site also be impacted?
    • Are the two sites too close to each other?
    • Are both facilities on the same power or communication grid?

Notwithstanding the above comments, there may well be a very practical reason the recovery site is a hundred kilometres from the original; another manufacturing plant with additional capacity available, for instance. However, the position of the recovery facility is something that should be objectively questioned.

  • Do the strategies support the recovery priorities?
  • Have the recovery strategies been approved and key components implemented?
  • Are the resources defined and available to execute them within the planned time frames?
  • Do the recovery strategies make business sense?

Service Level Agreement (SLA)

  • Have appropriate alternative sites and off-site storage been selected and agreed upon?
  • What were the criteria used to make these decisions?
  • Should they be reviewed against the BIA and subjected to a cost/benefit analysis?
  • If the organization is using a mix of dedicated and shared recovery space, what evidence of a risk-based allocation to different business units exists?
  • Will the organization be advised if its shared alternate site is occupied or invoked by another organization?
  • What contingency is in place for these circumstances?
  • Does the organization know the total number of additional claims per shared seat?
  • Does the provider have backup plans?
  • Does the provider have arrangements for providing alternative space?
  • Is there a documented SLA between the organization and its service provider?
  • What performance metrics are included in the SLA?
  • Has the organization audited the service provider? What issues arose, and how were they resolved?
  • What warranties has the service provider made for site availability and the adequacy of facilities? Have liability limitations been established and how has the organization dealt with this?
  • Where critical business processes are outsourced to third parties, does this organization have a BC or DR plan in place that provides for the continuation of the service from an alternative site?
  • Is the outsourcer’s BC plan regularly tested?
  • Does the SLA specify the service provider’s priorities for recovery?

Telecommunications

  • Has the organization developed strategies to recover and restore voice communications?
  • What arrangements are established with telecommunication service providers for voice communications recovery (for example, alternate exchanges, alternate routing, dial backup, foreign exchanges)?
  • What arrangements are in place for local, long-distance, and global telecommunications network service providers’ data communications recovery?

Cost Comparison

  • Is there any documentation of each viable alternative processing and recovery option?
  • Have all other resources required and the costs for each option been determined?
  • Is there a comparison of the various recovery options?
    • Is the cost weighed against recovery priority considerations?
    • Is the RTO considered?
    • Does the option meet the recovery needs?
    • Does the option exceed our needs?

Backup Processing and Off-site Storage

  • Are all resources required during the start of the disaster for the selected strategies stored off-site?
  • If documented off-site backup processing standards and procedures exist, should they be reviewed? If standards and procedures do not exist, ensure they are developed.
  • Have the personnel responsible for the implementation of the backup procedures been made aware of the procedures?
  • Should key elements of the off-site backup procedures be implemented for inclusion in the appropriate sections of the BC plan?
  • Do off-site backup processing procedures and documentation concerns need to be analyzed?
  • Is there a schedule to review the off-site storage facilities?

Continuity Strategies Effectiveness

  • Has adequate investigation been conducted in the marketplace to ensure that each selected strategy is the most commercially viable?
  • Have all other requirements or changes been identified and consolidated to ensure the strategies are effective?
  • Have changes to the off-site storage procedures been identified?
  • Have the contracts been reviewed to ensure that they demonstrate better practice for contract management?
  • Does the contract comply with the organization’s internal guidelines for contract management?
  • Is the contract finalized and duly signed?

A Manager’s Guide to Auditing & Reviewing Your Business Continuity Management Program

Resource

Goh, M. H. (2016). A Manager's Guide to Auditing and Reviewing Your Business Continuity Management Program. Business Continuity Management Series (2nd ed.). Singapore: GMH Pte Ltd.

Extracted from "BCM Questionnaires 5: Business Continuity Strategy"
