Technology (IT systems/applications)
Information systems manage the entities physical records (for example correspondence, project and management files) and electronic records on computing facilities (for example email, electronic policy and procedure manuals, forms and images). Treatments that deal with the continuity of technology
- preventative controls such as robust systems and application design, fault-tolerant hardware, uninterruptible power supplies, and monitoring facilities;
- use of secure and fire-proof in-house storage facilities;\agreements and activities required to transfer processing to other locations;
- provision for backup processing facilities (electronic and manual);
- off-site storage of data;
- the ability of vendors to supply equipment if the entity does not hold spares, or the equipment is rendered unavailable due to the crisis/incident; and
- continuity of protection of classified information.
Table 3 - Example treatment options for facilities, telecommunications and systems
Telecommunication is essential for the continuity of business functions. Better practice continuity approaches include treatments that address recovery from loss or disruption of voice and data communications, both within and outside the entity. In many entities, voice networks are more important than data networks.
Treatments that deal with communication continuity can include:
- human resource procedures and administration required to support the business function;
- vendor and carrier negotiations in which contractual or service level agreements are made with telecommunication vendors;
- alternate path design and switching services redundancy being built into communications networks which enable communications to be diverted to other locations if, and when, necessary;
- backup equipment and software which includes backing up Private Automatic Branch Exchange data, network software and acquiring necessary redundant equipment;
- default Public Switched Telephone Network failover for entities that use Voice over Internet Protocol; and
- uninterruptible power supplies and monitoring facilities which help prevent system loss during
As part of the business impact analysis, vital records supporting the critical business processes are identified. Restoring vital records requires that a suitable records management program is in place. This includes the management of hardcopy and electronic records data and archiving policies for both forms of records.
Record management procedures are part of the entity’s overall information management strategy. Continuity issues in record management extend beyond just keeping business processes in place. Record management has long-term implications for the entity and continuity strategy considerations include:
- legal requirements and exposures;
- adverse affects on reputation through inability to deliver information;
- inefficiency across all processes in locating and utilising information;
- political ramifications of non-delivery of a service or information;
- stakeholder dissatisfaction;
- decision-making processes which will be affected; and
- records destroyed outside of a valid Records Disposal Authority by the business disruption event.
As a business disruption may affect more than one business process, the treatments developed for each critical process need to be consolidated and, ultimately, individual business process plans combined into an entity-wide plan.
While this is the final step in determining treatment options, the concept of coordination drive the entire approach. This is crucial to effective business continuity management as it recognises the interdependencies between business processes within the entity.
Business process approaches address the activities and responsibilities of a business function. The aim is to continue critical business processes from the point of the business disruption event to the point when operations are returned to normal.
Table 4 - Example treatment options for business processes