Often called resilience, it is a capability that enables organizations either to endure environmental changes without having to permanently adapt, or, when forced, to adopt a new way of working that better suits the new environmental conditions. As such, BCP is a subset of risk management. A 2005 analysis of how disruptions can adversely affect the operations of corporations and how investments in resilience can give a competitive advantage over entities not prepared for various contingencies extended then-common business continuity planning practices. Adapting to change in an apparently slower, more evolutionary manner – sometimes over many years or decades – has been described as being more resilient, and the term “strategic resilience” is now used to go beyond resisting a one-time crisis, to continuously anticipating and adjusting, “before the case for change becomes desperately obvious.”
This approach is sometimes summarized as: preparedness, protection, response and recovery. Business continuity is the intended outcome of proper execution of business continuity planning and disaster recovery. Several business continuity standards have been published by various standards bodies to assist in checklisting these ongoing tasks. The vulnerability analysis is a general process that aims to evaluate the risk and the target acceptance level set. It enables continuity requirements to be established, the minimum service level to be specified for each essential activity and the maximum acceptable downtime to be specified, including in degraded mode.
Quantification of loss ratios must also include “dollars to defend a lawsuit.” It has been estimated that a dollar spent in loss prevention can prevent “seven dollars of disaster-related economic loss.” A function may be considered critical if dictated by law. For example, is it acceptable for the company to lose 2 days of data? The recovery point objective must ensure that the maximum tolerable data loss for each activity is not exceeded.
According to ISO 22301, the terms maximum acceptable outage and maximum tolerable period of disruption mean the same thing and are defined using exactly the same words. After defining recovery requirements, each potential threat may require unique recovery steps. The above areas can cascade: Responders can stumble. During the 2002–2003 SARS outbreak, some organizations compartmentalized and rotated teams to match the incubation period of the disease.
They also banned in-person contact during both business and non-business hours. These should reflect the widest possible damage. Tier 0 – Nothing off-site “recovery time . Tier 2 – Hot site – will require hours or even days to load the most recent backup tapes.
Tier 4 – “Point-in-time copies” so that less reprocessing of transactions will be needed. Tier 5 – “Transaction integrity” – the hot site is kept as up-to-the-moment as possible. For IT: the minimum application and data requirements and the time in which they must be available. A process plant must consider skilled staff and embedded technology.
This phase overlaps with disaster recovery planning. BS 7799 peripherally addressed information security procedures. 2008: BS 25777, specifically to align computer continuity with business continuity. IEC 27031 – Security techniques — Guidelines for information and communication technology readiness for business continuity.