Urgent action is called for when a server fails or a router quits. In that situation it helps if people do not act aimlessly but can rely on an emergency manual. It is even better if, beyond the manual, there is a well-devised contingency management plan. Restoring a failed system has, of course, top priority in every emergency situation. But above all, it is crucial to keep the important business processes going. Adequate emergency action can only be taken if people are aware of these processes and of the components and systems they require.
Contingency management based on a business impact analysis
In an emergency, the time factor (how long does it take until the situation becomes critical?) plays a decisive role. When setting up a contingency plan, it is therefore essential to know whether you have three days to restore a particular system or whether the disruption of a business process will cause a critical situation after only three hours. A business impact analysis (BIA) is therefore a must when developing emergency measures. A BIA allows you to identify critical business processes together with the resources they are based on. It also lets you determine the consequences of process disruptions and the interdependencies between processes, and specify the required recovery times. The results are a prerequisite for a subsequent risk analysis (which is also used to determine the probability of occurrence) and for selecting an appropriate contingency plan as well as prevention measures. In addition, you can use the BIA to define requirements for emergency operation.
For useful suggestions and explanations on performing a BIA, refer to the guideline BSI Standard 100-4: Business Continuity Management, which you can download from the BSI website. The information found in the “Good Practice Guidelines” (GPGs) published by the Business Continuity Institute (BCI) might also be helpful. BCI members can download a free copy of the GPGs from the members area; non-members can purchase them from the BCI shop.
Contingency management is a corporate duty
What does all this mean for the emergency manual to be created? First of all, it is important to realize that contingency management is a central business management duty since its purpose is to secure the survival of the entire company. Ideally, there is a global emergency manual for which a central emergency response organization is responsible. It should be complemented by business continuity plans and recovery plans created by each functional division. The emergency documentation to be provided by the IT department should supply information such as the required system data based on the existing IT documentation, include descriptions of the IT processes to be performed in an emergency, and describe recovery plans and backup processes for emergency operation of the IT systems.
So much for the theory, but what about practice? A request comes in to create IT documentation that “somehow” also covers emergencies by providing an emergency manual. Here, it is important to make business management and the functional divisions aware of their responsibility and to request from them the necessary preliminary work and information with respect to BIA and risk analysis. If this does not succeed (which happens all too often), all that is left is to limit your efforts to minimum IT contingency management: examine how crucial each IT service is and create IT contingency plans for the critical processes. This involves finding a compromise between the textbook approaches stipulated in the emergency standards and what can be implemented within the scope of the company’s own needs and possibilities. Be aware that you need a holistic approach: an isolated description in a traditional emergency manual of how to restore individual systems will hardly be helpful in an emergency.