ALL >> Education >> View Article
Business Contingency Planning
Total Articles: 153
A contingency plan is a vital part of preparing for a possible system failure of any severity. Testing the plan for the management and the staff to know how to implement it is vital in ensuring that the team knows how to implement it and recover from the failure. The business contingency plan helps to provide a reference tool for the actions needed immediately following an incident or emergency that threaten to disrupt the normal business activities. Emergency refers to the actual or impending situation that can cause loss of life, disruption of property, injury, or cause the interference, or disruption to normal business operations to an extent it poses a threat. An incident refers to any event that can or may lead to a disruption, loss, interruption, or crisis.
Therefore, the contingency plan tries to ensure the continuation of the normal hotel activities through minimizing the impact of any damage to records, equipment, staff, or premise. TechNet is a company that provides network access and telecommunication services to people and companies across the country.
Scope and Objective
TechNet is critically dependent on the continuous and uninterrupted services. Any loss of the system servers, network communications or other resources for a long period can result in a severe economic impact on the company. Thus, the contingency plan helps to address failures that can occur due to mechanical failure, a force of nature such as fire or hurricane, or a brownout or electrical blackout. Some other potential sources of failure can be sabotage or vandalism.
The business contingency plan focuses on various levels of disaster or system failures and what to do in the event that the disaster occurs (Lock & Fowler2006). Because it can be nearly impossible to plan for every conceivable type of disaster, the plan defines four levels of failures and how to respond to each. The primary objective of the plan is to sustain a minimally acceptable level of service for an extended period in case of a business interruption. When the business interruption is severe such as fire damage or storm, the restoration period can be extensive before TechNet can return to a pre-disaster level of productivity.
Description of Failures
TechNet Company defines the following levels of failures that can adversely impact productivity and cause economic loss to the organization.
Level 1 failure
Level 1 failure refers to personal disaster as they usually affect one person. It is possible to resolve level 1 failure in a short time, and it has a minimal impact on the company (Lock & Fowler2006). The failure can include a printer, not function or the loss of monitor, mouse, or a keyboard. An error created by a software application can also lead to level 1 failure.
Level 2 failures
In regards to level 2 failures, it is possible to remedy this failure in less than 24 hours and the failure does not have a high economic impact. However, the impact can vary by department. An example of level 2 failures is the loss of communications lines or the network server that will bring down all users in a department. Also, a truck can run into the power pole taking down all the voice and internet data communications to the main office. When a level 2 failure occurs preventing any department from accessing network stored files, the department will fall back to the local workstation and resume processing until advised that operations are back to normal. An IT department representative will restore the most current files available in the local resources and instruct users on how to access the files.
Level 3 failure
The level 3 failure can consider as an environmental failure such as the loss or power, or air condition that can prevent staff from safely occupying the building for a long period. It can also be a system failure such as the loss of network or a communication service that prevents the staff from completing their tasks. According to the contingency plan, the TechNet staff will resolve the level 3 failure in less than 72 hours. After identifying level 3 failures, the person on-call is immediately contacted, and that person will contact the ERT members and determine the appropriate level of response. From that point, the ERT will continue monitoring the failure closely until they restore all services.
The level 3 failures can have an economic impact on the company; however, the impact is not as severe as the level 4 failure. Level 3 failures affects a significant number of the mission critical users, and some users may not be able to access data and program files until the full restoration of the service. Hence, the essential staff falls back to minimal operation levels, and the non-essential staff can be called upon to help with performing tasks manually where possible until the full restoration of service.
Level 4 failure
Level 4 failures include catastrophic interruption of the normal operating processes. The catastrophic failures tend to be the most severe. They occur because of a natural disaster, acts of war, or even criminal actions. These failures result in the complete loss of the critical operating components. The components include data and the program servers, connectivity to outside communication lines, communications switches, and routers, or the loss of a primary place of business.
Level 4 failures may have a significant economic impact on the company’s ability to continue servicing its customers. Hence, when declaring the level 4 failure, the Emergency Response Team will activate the business contingency plan. When level 4 failures happen, and the place of business is not available, the TechNet critical staff will be relocated to the place of business is available or an alternate place of business is secured. There will be some staff used to assist in the restoration process and required to sign a release for their employee file stating that they are physically able and willing to perform the services requested. The Emergency Response Team determines the severity of the failure and the degree to which to implement the recovery plan. Because some level 2 and three failures can escalate quickly, it is important to advise employees to listen to news reports and stay close to their phones for further direction. The emergency response team can escalate the priority of the disaster as the team gathers more information about the failure.
The level 4 failure constitutes the disaster of the highest level, and it can have the greatest economic impact. It is essential that, in the unlikely event of a disaster of the nature, every person should know what their responsibilities are (Pride et al. 2013). Hence, all TechNet staff should read the contingency plan and also the policy and procedure manual describing their assignments and responsibilities. An ERT member will be on call and will carry a phone or pager for immediate contact. The staff members, police, and fire department will have the number for the ERT person on call. The person on call has the responsibility of evaluating the extent of the failure and activating this contingency plan.
Level 1 and 2 tend to be the most recurring failures and although they may not have a large economic impact on level 3 and four failures, they can be costly over a period.
The IT systems are normally vulnerable to a variety of disruptions that range from mild to severe. It is possible to minimize or eliminate much vulnerability through technical, operational, or management solutions as part of the organization’s risk management effort. However, it is virtually impossible for an organization to eliminate all the risks. The Contingency planning helps in mitigating the risk of a system and service unavailability through focusing on efficient and effective recovery solution (Pride et al. 2013).
Risk management refers to a process that identifies risks, develop strategies, and control the risk using managerial resources. The purpose of risk management is mitigating risks related to natural hazards, technology, humans, and organizations (Kaye & Graham 2015). The risk management team involves the assessment of risk and engages in monitoring and evaluation of the risk. The risk management team elicits the risk information and involve in the management of the risks.
It is not possible to manage and control risk unless one identifies the risk that can result in either negative or positive impact on the company. Having a better understanding of risks provides the better outcome of the risk assessment process, and it may be effective in managing the risk (Kaye & Graham 2015).
Types of exposure and risk assessment
Risk description Likelihood Consequences Risk rating
Earthquake Rare Extreme High 15
Storm Rare Extreme High 15
Flooding Unlikely Major Medium 11
Fire Rare Major Medium 11
Fire alarm failure Rare Extreme High 15
Electricity failure Possible Moderate High 13
Damage to infrastructure Rare Extreme High 15
Industrial dispute Possible Major Very high 19
Computer system failure (greater than a day) Possible Major Medium 11
Bomb or explosion Rare Extreme High 15
Communication system failure Possible Major Medium 11
The analysis of risks involves sources of risks, impact, or consequences of risks. In this step, it determines the likelihood of the risk happening in an organization. During risk analysis, the process involves is identifying the existing plan and strategies carried out in the past in minimizing and controlling the impact of the risk. Also, it involves determining and estimating the level of consequences that impact the process. The analysis phase involves analyzing the complexity and uncertainty of the risk where the higher the potential consequence, the greater the risk to the process of communication (Kaye & Graham 2015).
There are different ways of determining the likelihood of a risk occurring and its impact. However, the two most commonly used methods of analysis are qualitative and quantitative.
The quantitative analysis consists of comparing the specific statistical values for risks. The method of analysis is mostly useful in comparing the impact of a disruption instead of likelihood (Kaye & Graham 2015). It is possible to determine the quantities from a disruption, and it is impossible to place a numeric value on the likelihood of a risk. The qualitative analysis consists of the comparison based on the informed judgment of the likelihood or an impact. A key requirement for qualitative analysis is that the judgment informed as generalities and guesswork do not represent the qualitative analysis.
These two techniques are useful in determining the impact and likelihood of a risk, but none of the methods is superior. The quantitative method tends to be more specific; however, it requires detailed, consistent, and accurate information for the comparison to be useful (Kaye & Graham 2015). The qualitative analysis is less specific than quantitative, and it is better able to describe potentialities.
Risk management analysis matrix
The use of the risk management analysis matrix is essential when communicating risk to executives and the senior management of the company. The risk management analysis matrix helps in assessing consequences should the risk occur and the likelihood of the risk occurring (Doughty, 2000). The likelihood and the consequences determine the overall risk rating or the level of the risk.
Types of consequence Negligible Minor Moderate Major Extreme
Disruption to operational delivery No interruption to service Some disruption manageable by altered operational routine Disruption to a number of areas in the location of organization All operational areas of the company compromised Total system dysfunction and total shutdown of operations
Staff morale Staff dissatisfaction in the local unit. No effect on services Alteration to routine practice required in the local area Disruption spreads across services or programs Disruption spread to routine practice statewide Statewide cessation of service
Security (include theft, fraud and unauthorized access) Event noted by the local management and no change to routine operation. Monitored by local staff Security event that can threaten a service Major event that threatens a service across wider organization and require referral to police. Extreme event affecting the service areas ability to continue with operation resulting to a total shutdown.
Operational management No impact on local operations Minor impact on local operations Moderate to long term effect on wider operations Major impact on operations across other areas of organizations Cessation of some of the operations.
Likelihood or probability of occurrence
Rare: can occur in exceptional circumstance and may occur at least once in five years or more
Unlikely: may sometimes occur but not expected and might happen at least once during a period of five years or less
Possible: can occur, foreseeable, and capable of happening and may occur at least once in 12 months.
Likely: expected to occur occasionally and it can occur at least once per month
Almost certain: expected to happen more frequent, in most circumstances and happens at least once per week.
Risk management analysis matrix
Likelihood Negligible Minor Moderate Major Extreme
Rare Low 1 Low 4 Low 5 Medium 11 High 15
Unlikely Low 2 Medium 8 Medium 10 High 14 Very high 21
Possible Low 3 Medium 9 High 13 Very high 19 Very high 22
Likely Medium 6 High 12 Very high 17 Very high 20 Extreme 24
Almost certain Medium 7 Very high 16 Very high 18 Extreme 23 Extreme 25
Low risk (1-5): manage through routine procedures, unlikely to require specific applications of resources
Medium Risk (6-11): possible to manage through specific monitoring or response procedures locally
High risk (12-15): requires management attention and management responsibility in controlling the risk
Very high risk (16-22): requires detailed research and management planning at the executive level and senior management
Extreme risk (23-25): requires immediate action and involvement at the senior management and executive level to control the risk.
Based on the matrix, those risks with a residual risk rating very high and extreme should be reported. It is essential for the management to consider the need for legal advice or guidance.
Business Impact Analysis
Business impact analysis is a vital step in the contingency planning process. The BIA normally enable the contingency planning coordinator to characterize fully the system processes, requirements, and interdependencies and also use the information to determine the contingency priorities and requirements. BIA purpose is to correlate specific system components with the critical services that they provide (Hiles, 2004). Based on that information, it characterizes the consequences of the disruption of the system components.
BIA is the process of figuring out the processes that are critical to the ongoing success of the company and understanding the impact of a disruption to the processes (Doughty, 2000). There are various criteria used that include internal operations, customer service, financial, and legal or regulatory. In the case of the IT Company, the goal is to understand the critical business functions and tie them to the various IT systems. It is essential to understand the interdependencies because it is critical to both disaster recovery and business continuity for the company.
BIA includes the following steps;
Identifying key business processes and functions
Establishing requirements for business recovery
Determining resource independencies
Determining impact on operations
Developing priorities and classification of business processes and functions
Developing recovery time requirements
Determining financial, legal, and operational impact of disruption
For TechNet, BIA is the process for analyzing activities and understanding the effect that the business disruption may have upon continued provision of the service. BIA does not just ensure the appropriate application of resources towards protecting the most critical services of an organization (Doughty, 2000). However, it also saves the unnecessary expenses of applying an inappropriate level of resources to a less critical area. When correctly done, a BIA provides consistent, clear, trusted, and real risk impact analysis information to the senior management against which they can make quality decisions about management of risks.
Business contingency management Team
BIA mainly depend on o the managerial skills of the management team. It plays an essential role in identifying and controlling risks in an organization. BIA may not include directly in the business process; however, it can analyze the risks and also find the possible methods for controlling the impact.
Incident Response Plan
The incident response plan deals with the identifying, classifying, responding, and recovering from an incident (Green et al. 2013). It usually deals with questions of various people such as victims and the response team. In the case of TechNet, when there is a virus in the system, the IR plan will be helpful in assessing the possibility of imminent damage and inform the decision, makers. The plan usually helps the organization to make important decisions about the organization. Issues included in the incident plan are a description of the roles and responsibilities and procedures and actions to take. The organization usually depends on the incident response team to handle and also resolve the incident when it occurs.
Incident Command Structure
The aim of the incident command structure is establishing and directing plans of action to follow in the event of a disaster (Green et al. 2013). The incident command structure consists of an incident commander, designated operation section chief, and support staff to support recovery. The structure is modular in design and it changes based on the size and also the complexity of the incident. The incident commander tends to administer and manage the execution of the incident response plan. The operation section chief provides the tactical direction of the other personnel needed based on the type of incident.
The incident response team includes people who prepare for and respond to the incident such as a natural disaster or interruption of the business operation (Green et al. 2013). The team consists of specific members designated before an incident happens.
The incident commander is usually responsible for the overall management of an incident. During an emergency, the incident commander will activate and direct all activities until the emergency is under control. The incident commander has the responsibility of coordinating updates and evaluating the incident response plan (Green et al. 2013). The commander ensures the appropriate preparation of corresponding contingency plan. The incident commander also ensures that the incident response team and other staff get proper training of the plan and procedures. It is also his responsibility to keep all the members of the incident response team briefed in all aspects of a disaster plan. He is also responsible for communicating the status of the incident to management and maintain liaison with the police agencies and other emergency locations.
The deputy commander is also responsible for ensuring the effective communication of the commander’s guidance and intent. In the event of an incident, the deputy commander will perform all activities of the incident commander if he is absent. He is also responsible for the administrative and financial functions critical to the IT department operations in case of a disaster.
The application section chief handles the coordination of the application recovery team when in a disaster mode. The network section chief has the responsibility of coordinating all infrastructure activities when in the disaster mode. The system administrator has the role of coordinating all systems administration and the e-mail activities when in the disaster mode. During the time of disaster declaration, the incident commander will appoint people to the damage assessment team. The damage assessment team comprise of senior management from the IT department infrastructure and application section. The team has the responsibility of assessing damage to all infrastructure and applications including data.
Incident command structure
Disaster Recovery Plan
The purpose of having a disaster recovery plan is guiding the management and the technical staff of the company in the recovery of network and administrative computing services and facilities in an event of a catastrophic disaster. The focus of the disaster recovery plan is providing an orderly way for responding to the major disaster that severely impacts or destroys the central administrative computing system or the network operated by the IT department. The intent is providing a plan that will restore the operations as fast as possible with the latest and up-to-date data available (Green et al. 2013).
The objective of the disaster recovery plan is maximizing the effectiveness of contingency operation through a plan that consists of three phases (Green et al. 2013). The activation phase is for detecting and assessing damage and activating the plan and the recovery phase for restoring temporary IT operations and recovering the damage done to the original system. The reconstitution phase is for restoring IT system processing capabilities to the normal operations. The disaster recovery plan also aims at identifying the resources, procedures, and activities needed to perform processing requirement during a long interruption to normal operations (Snedaker, 2013). Its objective is also to assign responsibilities to designated personnel and guide recovering and continuing operations during a prolonged period of interruption to normal operations.
Assumption in developing DRP
The assumption in developing the DRP includes;
The catastrophic long-term disaster where the company ceases to function for 30 days cannot plan for, and computer service recovery from the event is part of a general recovery process. There are some risks that are acceptable as the company does not have the necessary resources for protecting itself against every conceivable risk (Green et al. 2013). Also, there is personnel identified and trained in the emergency response and recovery loses and they are available in activating the disaster recovery plan. The computer center equipment including the components that support the company network and critical server have a connection to an uninterruptible power supply that offers 30 minutes to one hour of electricity during a power failure.
There are different ways of classifying disaster. A common method is through separating the natural disaster from the man-made disasters. The man-made disasters include the acts of terrorism, acts of wars, and those acts by a man that usually start as an incident and then escalate into a disaster (Green et al. 2013). It is also possible to classify disaster through the speed of development such as slow-onset disaster and rapid-onset disaster. The rapid-onset disaster tends to occur suddenly with a very little warning that will destroy the means of production (Green et al. 2013). The slow-onset disaster occurs over time, and they slow deteriorate the capacity of the organization to withstand their effects.
Natural disasters have an impact on the company’s information system. For instance, an earthquake can cause direct damage to parts of the information system and also the building housing the system. As a result, it disrupts the operations through interrupting access to the building that house the information systems. Floods may damage parts of the information system and also the building housing the parts and the impact are the same as that caused by an earthquake (Snedaker, 2013).
In the case of TechNet Company, it connects with a high-frequency data network to connect with data shared with the branch offices. TechNet provides virtual web servers that distribute the information directly from the head office. The company also ensures Wi-Fi connectively that helps to make sure that all employees stay in touch. The high availability data servers in the company help to prevent the data breach and protect the IP address from hackers that prevents the chance of hacking the network. The security appliances in the company help in preventing the incoming data-flow to the server and also safeguard the data process.
The organization will move to crisis management when a serious problem occurs. The crisis management team takes the responsibility of assessing the problem, preparing, and implementing a recovery strategy (Devlin, 2006). The team also communicates with employees, customers, and shareholders to explain to them the plan and reassure them of the firm's ability to recover. A crisis management plan helps in reducing default and uncertainty in the event of a crisis.
The disaster recovery team manages and executes the disaster recovery plan through detecting, evaluating, and responding to the disaster and by reestablishing operations in the primary business site (Snedaker, 2013). The incident response team has the obligation of managing and executing the incident response plan through detecting, evaluating, and also responding to incidents (Green et al. 2013). The crisis management team has the obligation of managing and mitigating the impact of personal loss and distress on the organization (Devlin, 2006). It does this role by minimizing the loss of life, ensuring quick and accurate notification of the key personnel, and ensuring the quick and accurate accountability of personnel. The business contingency team performs the role of managing and executing the BCP through setting up for and starting off-site operation when an incident or a disaster occurs.
The time needed for recovery of the functional areas and the restoration of normal processing depend on the damage caused by a disaster (Snedaker, 2013). The time frame for the recovery may vary from several days to several months. In TechNet, the recovery process starts immediately after the occurrence of a disaster and runs continuously until the restoration of normal operations. In the recovery phase, it usually incorporates all the steps to bring mission-critical functions back up to the service level. It involves restoring the operating systems, data, and applications (Snedaker, 2013). In this case, all the information is validated as current before starting the process. Part of the planning and the procedure documentation for the phase include documenting the time needed from the moment of disaster declaration and activation of the alternate processing site until the system is operational.
A business contingency plan focuses on sustaining the organization’s operations during and after the disruption of technology resources. In this plan, it consists of a disaster recovery plan, crisis management plan, and business impact analysis. The business contingency plan is essential for giving the organization the best shot at success during a disaster. The lack of the contingency plan means that the organization will take long than necessary to recover from the event, and it can go out of business for good.
Devlin, E (2006). Crisis management planning and execution. CRC Press
Doughty, K (2000). Business continuity planning. CRC Press
Hiles, A (2004). Business continuity: World class business continuity management. Rothstein Publishing
Kapoor, J., Hughes, R., & Pride, W (2013). Business. Cengage Learning
Kaye, D & Graham, J (2015). A risk management approach to business continuity. Rothstein Publishing
Lock, D & Fowler, A (2006). Accelerating business and IT change. Gower Publishing Ltd
Snedaker, S (2013). Business continuity and disaster recovery planning for IT professionals. Newnes
Whitman, M., Mattord., H., & Green, A (2013). Principles of incident response and disaster recovery. Cengage Learning
Sherry Roberts is the author of this paper. A senior editor at Melda Research in cheap reliable essay writing service if you need a similar paper you can place your order for a custom research paper from cheap assignment services.
Education Articles1. The Right Economics Tuition For You
Author: Economics Tuition
2. Online Courses - Pro-elearning | Software Online Training
3. How To Choose Your College For Bms
Author: Indsearch Pune
4. Php Frameworks Guide & Top 10 Best Php Framework 2019
5. Top 7 Ui Trends Users Will Love In 2019
6. Rajasthan Patwari Vacancy 2019 | Rajathan Patwari Recruitment 2019
7. Why English Language Training Is A Must For The Students Who Are Moving Abroad
Author: Mia Seal
8. Real Fur And Its Benefits In A Brief
Author: Ravjit Soin
9. Answering Your Frequently Asked Questions About Civil Engineering
Author: SIT Pune
10. 4 Signs To Guarantee That You Have Chosen The Right Gofundme Alternative
Author: Steven Bergeron
11. The New Highlights Coming To Java 13
12. Options To Hire The Most Sincere And Experienced Security Camera Experts
Author: Mark Palsan
13. Steps To Become A Smart Driver For Getting A Better Earning Opportunity
Author: Alzbeta Berka
14. Options To Become A Qualified Teacher For Increasing Your Employability
Author: Alzbeta Berka
15. Advanced Digital Marketing Training In Madhapur Hyderabad