You have been asked to present information to your company’s board of directors regarding each of the following items:
business continuity plan (BCP),
disaster recovery plan (DRP),
business impact analysis (BIA), and
operational risk management strategy (ORM).
Create a written report consisting of at least three pages in which you describe the purposes and benefits of each one, the
challenges involved in creating each one, and how each one fits into a risk management strategy. Also, assemble and
present a policy for planning and performing each of the processes above.
Risk Management Strategies
Business Continuity Plan (BCP)
A BCP establishes business continuity plans and processes that set out how the organization assesses risks, conducts risk mitigation practices, and resumes critical functions when faced with disasters or disruptions in operations (Eccleston, 2008). The main purpose of the BCP is to identify ways in which the business can resume critical business functions following a disaster. The BCP provides numerous benefits to the organization. One of the key benefits is that it provides business continuity even in the face of disasters that significantly affect operations. A BCP also helps in building customer confidence: when other organizations fail to deliver in the face of disasters, a business with a BCP can continue providing essential services. A related benefit is its role in creating a competitive advantage (Eccleston, 2008), because customers may prefer the firm’s products to others. A BCP reduces the risk of financial loss. Another benefit is that developing a BCP enables the business to meet legal and statutory obligations. It is also a way of complying with the international business continuity standards.
There are a number of challenges involved in developing a BCP. The first challenge is the high cost of developing the plan. Implementing a BCP requires installation and maintenance of equipment, hardware, and software, and allocation of human resources, which is costly (Stewart, Chapple, & Gibson, 2015). The second challenge is that the BCP process is complex to develop, implement, and maintain, because it involves making complex plans for mitigating potential disasters. The third challenge is the tendency of management to make incorrect assumptions when developing the plans, which may erode the plan's effectiveness. Lastly, senior management may fail to allocate enough time to the development of the BCP because of other demands in the organization (Stewart, Chapple, & Gibson, 2015). The BCP fits into a risk management strategy as a form of risk management. Risk management, just like the BCP, involves assessing the impacts of possible risks, developing mitigation plans, and settling on possible plans of action if the risk occurs.
Policy for Planning and Performing the BCP
The following is a policy for planning and performing the BCP:
- Initiation – This involves establishing a team responsible for business continuity planning. At this level, one highlights the milestones, develops the executive report, and outlines the master schedule.
- Organizational impact analysis – This involves examining the potential impacts of system failure or disasters on the core business operations.
- Contingency planning – This stage involves identifying contingency plans. In addition, the specific triggers are established. The presence of these triggers marks the implementation of the contingency plans.
- Testing – This involves ensuring that the business continuity plan is workable (Stewart, Chapple, & Gibson, 2015).
Disaster Recovery Plan (DRP)
A Disaster Recovery Plan (DRP) is similar to a BCP. While a BCP ensures the continuity of all critical business functions, a DRP ensures the restoration of damaged IT systems in the business through assessments, repair, and other activities. A DRP is more of an effort to recover the business's IT systems as well as applications (Gregory, 2010). A DRP has several benefits. The key benefit is that it ensures the possibility of a business surviving a disaster. A DRP reduces risk through threat analysis as well as through implementation of mitigation procedures. It improves the reliability and availability of IT systems and business processes, meaning production can go on uninterrupted even in the face of disasters. It contributes to organizational maturity, since the organization can cater to its customers even during disasters. Lastly, a DRP enables the organization to gain marketplace advantages through enhanced reliability.
There are challenges in implementing a DRP. The first challenge is the high cost of implementation, because a business has to set aside money for backup IT systems and applications. The second challenge involves having a wrong or inadequate DRP. The plan is wrong if it is too complicated or too simple to handle the organization’s demands. The third challenge involves relying on the wrong technologies, such as outdated technologies. Another challenge is failure to test the DRP to ensure it is working. This may result from a reactive IT department that fails to anticipate problems (Gregory, 2010). The DRP fits into a risk management strategy because it involves assessing the impacts of possible risks, developing mitigation plans, and settling on possible plans of action if the risk occurs.
Policy for Planning and Performing the DRP
The DRP includes critical application assessment, back-up and recovery procedures, implementation procedures, test procedures, and the plan maintenance. The following are the steps involved in planning.
- Data collection
- Plan development
- Testing of the plan
- Monitoring and maintenance processes.
Business Impact Analysis (BIA)
A Business Impact Analysis (BIA) helps in the examination of risks, threats, and exposures facing a business (Wallace & Webber, 2011). A BIA is a form of risk analysis, but includes calculations. A BIA provides an overview of critical business functions within an organization. A BIA has a number of benefits to the business. First, a BIA helps in quantifying costs associated with the loss of a particular vital function. In line with this, it helps in assessing intangible costs associated with a vital function. A BIA helps organizations to establish the most vital functions that they ought to safeguard. Organizations can use a BIA to prioritize the application of scarce resources to multiple business functions (Wallace & Webber, 2011). A BIA can help in establishing the vital records and the possible impacts in case of a loss. It can help in the identification of major business losses such as loss of market share, customer loss, and others. Lastly, it can help in matching resources and business functions.
There are a number of challenges in a BIA. One of the challenges relates to the cost implications of the plan. Since the analysis touches on departments, some departmental heads may be reluctant to share sensitive information with the project manager. This influences the quality of the BIA. Another challenge is data overload. It might be difficult for the analyst to handle too much unstructured data. A business should perform a BIA prior to implementing risk management strategies. A BIA helps to identify the areas of the business that are most crucial. As such, risk management strategies can focus on the identified areas.
Planning and Performing
- Gathering information
- Analyzing the collected information
- Documentation of findings
- Presentation of the findings to the leadership for decisive action (Heng, 2002).
Operational Risk Management Strategy (ORM)
Operational risk is the risk of loss emanating from failed business processes (internal processes), failed systems, external events, and people risks (Lather & Gakhar, 2011). This includes legal risks as well. The purpose of Operational Risk Management (ORM) is to identify and implement mitigating measures against operational risks. Some of the specific risks include high cost of energy, high employee turnover, legal risks, high cost of waste, and others. The benefits of ORM include identification of risk factors (internal and external); evaluation of risk drivers; implementation of internal controls to mitigate operational risks; aid in developing budgets for operational risk; and strengthening of the decision support system (Lather & Gakhar, 2011).
There are several challenges in implementing ORM. ORM results in high costs of compliance due to its complexity. There are challenges in implementing the right risk management systems to support the needs of the organization. Another challenge is accessing the relevant information required in risk analysis. Another challenge is lack of management support to implement ORM. Operational risk management is a form of risk management strategy (Lather & Gakhar, 2011).
Policy for Planning and Performing
The policy for planning and performing includes the following:
- Identification of risk
- Implementation of core risk management process
- Capital evaluation
- Assessing risk appetite.
Eccleston, C. H. (2008). NEPA and environmental planning: tools, techniques, and approaches for practitioners. New York, NY: CRC Press.
Gregory, P. (2010). CISSP guide to security essentials. Boston, MA: Course Technology.
Heng, G. M. (2002). Conducting Your Impact Analysis for Business Continuity Planning. Retrieved from https://books.google.co.ke/books?id=LMPOAgAAQBAJ&dq=business+impact+analysis+(BIA)+challenges+in+implementation&source=gbs_navlinks_s
Lather, A. S., & Gakhar, D. (2011). Contemporary issues in corporate finance. New Delhi: Excel Books.
Stewart, J. M., Chapple, M., & Gibson, D. (2015). CISSP: Certified information systems security professional study guide. Hoboken, NJ: Sybex, a Wiley Brand.
Wallace, M., & Webber, L. (2011). The disaster recovery handbook: A step-by-step plan to ensure business continuity and protect vital operations, facilities, and assets. New York: AMACOM.