
|Page

Commercial Bank of Ethiopia

Information System Division

IS Operation and BCDR Director

BCDR Department

Individual Assignment on BCDR Concepts

Assignment 2

By:
Aragaw Wassie (MSC)

Submitted to:

Mr. Hailu T. (Director of IS Operation and BCDR)

March, 2023
Addis Ababa, Ethiopia

Table of Contents
1. Introduction about Business
2. Business Continuity
2.1 Business Continuity as a Process
2.2 Business Continuity as a Discipline
2.3 Business Continuity Management
2.4 Business Continuity Management System (BCMS)
3. Business Continuity Plan (BCP)
4. Disaster Recovery
4.1. Disaster Recovery Plan
4.2. Types of Disaster Recovery Solutions
5. Crisis Management
5.1. What is a Crisis?
5.2. Crisis Management
5.3. Crisis Management Plan
6. Business Continuity and Disaster Recovery (BCDR)
Why is BCDR Important?

1. Introduction about Business
Business is an enterprise or activity with the intention to make profits. It can be in the form of
a company, partnership, organization, sole proprietorship, occupation, or any entity that
undertakes commercial, industrial, charitable, or professional activities to earn profits.

The term “profit” doesn’t necessarily mean anything monetary. It can be a non-monetary
benefit in any form which a business entity may deem/consider rewarding. Moreover, a
business can be a “for-profit” or “not-for-profit” entity and may have a separate existence from
those who run/control it.

Concept of Business

The business concept is a mandatory idea for any type of business. It sets the foundations or
directions that shape the future operations of any business. For instance, the business concept
determines the vision, mission, business model, and plan for a business entity.

To make it simpler, let’s have a look at this example. The business concept behind Uber, an
American corporation, was to aggregate the taxi drivers under one platform and help them offer
their services on demand. Then, the company developed all its business strategies on the basis
of this concept.

Objectives of Business

A business may have different goals depending on its financial standing, products, industry,
etc. However, generally, we can categorize business objectives in four different ways.

 Economic Objectives basically depend on the financial needs of any business entity.
Economic objectives may include growth, profits, survival, etc.
 Human Objectives generally target the business employees, their needs, personal growth,
security, satisfaction, motivation, etc.
 Organic Objectives include anything and everything that focuses on business
improvement. Common examples include improving brand reputation, strengthening the
business, raising capital, innovation, growth, etc.
 Social Objectives include everything that focuses on the betterment of society. Social
objectives may include fair price policy, customer satisfaction, quality products, charities,
fair employment practices, fair trade practices, environmental protection, etc.

Form of Business Structure

We can categorize business in different forms on the basis of objectives, ownership, liability,
etc. Here are some common forms of business.

Sole proprietorship

In a sole proprietorship, only one individual owns and runs the business. Also, the individual
will be responsible for any lawsuits and liabilities while all the profits and losses also belong
to the owner.

A sole proprietorship is usually easy to register and operate. There are no legal obligations for
minimum capital, number of employees, registered office, etc.

However, in a sole proprietorship, the owner has unlimited liability. That is, if the business
cannot settle its debts, its creditors have the right to pursue the owner's personal assets.

Partnership

A partnership is a form of business where two or more individuals make a formal contract to
run a business together. A partnership can be general or limited. In a general partnership, just
as in a sole proprietorship, all the partners have unlimited liability (unless otherwise agreed).
In a limited partnership, one or more partners are liable only up to the amount they have
contributed, while at least one general partner retains unlimited liability.

Corporation

A corporation is probably the most complex form of business. Here is why:

 It has a separate legal identity, i.e., it is a distinct entity from its owners.
 A corporation pays tax in its own name; it can make profits, initiate a lawsuit, or be sued.
 Corporations raise capital through stocks or shares, and the shareholders are the owners of
the corporation.
 Generally, owners have limited liability (unless otherwise agreed).
 Owners or shareholders do not necessarily run the business. Rather, they elect
representatives (the board of directors) to run the corporation and make the necessary
decisions.

 Corporations have certain requirements to fulfil (depending on their local laws), such
as
 A minimum amount of capital
 Minimum number of employees
 Memorandum of association
 Articles of association

Cooperative

It is a form of business in which a group of people (members) own and run a private business
for their mutual benefits. The members get their share in all the earnings or profits of the
cooperative. Generally, the members have voting rights, and they can elect officers and the
board of directors to run the cooperative. Generally, the main objective of a cooperative is to
offer services to all members rather than just offering returns on their investments.

LLC (Limited Liability Company)

A limited liability company is essentially a combination of two other business structures, the
partnership and the corporation. The members of a limited liability company have limited
liability: their personal assets cannot be used to pay the debts of the company. Moreover, an
LLC's profits and losses typically pass through to the members, who report them on their own
tax returns, so the company itself does not pay corporate income tax.

Challenges to a Business

Running a business is demanding, especially in the case of corporations. Every
business has to face internal and external challenges, such as:

 Coping with the future uncertainty such as market trends, customer trends, changing
economic environment. A business has to be proactive to stay competitive in the
market.
 Monitoring organizational performance effectively and efficiently is another challenge
for any business. Management has to evaluate what is working for them and what is
not. They need to develop KPIs and expertise in interpreting and communicating
metrics for better decision-making.
 Financial management is one of the most important elements in a business and equally
challenging. A business needs to know where to invest (smart investments), when and
how to reduce costs, how to maintain a good cash flow, how to increase profit margins, etc.
 A business has to comply with all the regulations or rules set by the authorities. It may
include corporate social responsibility, economic policies, legal obligations, etc.
 Integrating the business with technology on a consistent basis is another
challenge for businesses. Technology advances rapidly, and a business that cannot keep
up with it falls behind.
 Hiring and managing a skilled workforce is always a difficult task for any business.
Your workforce can make or break your organization. Hiring the wrong people can
damage your organization very quickly. People with professional skills, the right attitudes,
and adaptive mindsets are the real assets of your business.
 Data management may be a relatively new entrant in the business arena, but it has
become an integral part very quickly. Collecting, categorizing, interpreting, and then
using the data effectively is the key to success in the modern business world.
 Everything in your business will fall apart if you don't have strong customer service
strategies in place. The customer is king, especially when there is so much competition
around. Make no mistake: with the help of the internet, angry customers can ruin your brand
reputation very quickly. After all, technology has its cons as well as its pros.
 Shadow IT, the situation in which applications and software are installed and used across
the organization without the knowledge of the business or IT, and are therefore undocumented.
This can cause organizational data leaks and data fragmentation.
 IT disaster recovery planning, and sometimes the IT organization as a whole, is
disconnected from the rest of the business continuity planning activities.

2. Business Continuity
Business continuity is an umbrella discipline that encompasses several specific disciplines:
business continuity planning, where you do all the work to prepare for a disaster; service
continuity, where you set up, maintain, and test the technology solutions that support business
continuity; and crisis management, which is the process you use to respond to major events
that your "business as usual" processes cannot cope with. Business continuity thus has a broad
scope that includes crisis management, crisis communications, IT disaster recovery, and
cybersecurity incident response.
2.1 Business Continuity as a Process
The process of business continuity, also known as the business continuity life cycle,
describes how any organization should go about ensuring that critical activities are
performed no matter what else is happening. The process is cyclical and follows the same
basic steps as most processes of continuous improvement (Figure 1).

Figure 1 Business continuity life cycle

The process first establishes what constitutes a critical activity, then plans how its continuity
will be provided, then designs and delivers the supporting solutions, then tests it all, and
finally maintains the result. Business continuity as a process really means that it is repeatable
and can be undertaken by a wide range of people, with different levels of experience and
seniority, and yet achieve consistently high-quality results. Process is important because it gives
people something concrete to do, and it has the added benefit of making everything auditable,
which is increasingly important.

2.2 Business Continuity as a Discipline


When I talk about BCM as a discipline, I’m talking about how the tasks connect with the
people who will do them. The discipline of business continuity comprises policies and the
collection of people and teams in your organization that are responsible for the various steps
that make up the business continuity life cycle and making sure all remain in good working
order. Business continuity people are also responsible for monitoring incidents so that in the
event of a business interruption the plans to ensure continuity get invoked as quickly as
possible.

Typically, people supporting continuity include the following:

• Continuity planners, who identify what is critical and decide how it can be continued
through an interruption.

• IT service continuity professionals, who are responsible for making sure the critical IT
services are available to support critical business activities.

• Crisis management team, which is responsible for monitoring the business for potential
interruption events and then making sure that timely action is taken, which would
normally involve invoking the business continuity plans and recovering any required IT
services.

2.3 Business Continuity Management


Business continuity management (BCM) is a management process practised to counteract the
negative impacts of possible threats on the continuity of organisational activities. As such, we
can consider BCM a subset of the broader risk management strategies and processes, which
are aimed at treating the wide range of risks identified within an enterprise and its environment.

Risk management is a process to identify, measure, prioritize and treat the risks affecting an
organisation. It is a core part of corporate governance, and it entails making judgments on how
to allocate resources. Response options include avoidance, reduction, transfer and retention (or
tolerance).

BCM is made up of preventive measures as well as preparedness arrangements and response
options.

 Prevention is to reduce the likelihood of a risk. Example: relocate the critical stocks in a
geographic location subject to lower or no risk of disaster.

 Preparedness is to stand ready in case the risk realises and to control/minimize damages
and losses. Example: make an inventory of reliable alternative suppliers and establish a
first contact with them.

 Response options are those that you roll out after the disaster hits. Example: contact
alternative suppliers in case of a supply chain disruption.

Figure 2 Business Continuity Management

A BCM program combines the principles of business continuity planning, crisis management,
disaster recovery, emergency response and operational relocation to get through emergencies
with as little damage as possible. By anticipating disasters before they happen, the
organization can ensure that operations proceed smoothly.

2.4 Business Continuity Management System (BCMS)


A BCMS is the part of the overall management system that establishes, implements, operates,
monitors, reviews, maintains and improves business continuity.

NOTE: The management system includes organizational structure, policies, planning
activities, responsibilities, procedures, processes and resources.

ISO 22301, the international standard for business continuity management systems, applies
the "Plan-Do-Check-Act" (PDCA) model to planning, establishing, implementing, operating,
monitoring, reviewing, maintaining and continually improving the effectiveness of an
organization's BCMS.

 Plan (Establish): Establish the business continuity policy, objectives, targets, controls,
processes and procedures relevant to improving business continuity in order to deliver
results that align with the organization's overall policies and objectives.

 Do (Implement and operate): Implement and operate the business continuity policy,
controls, processes and procedures.

 Check (Monitor and review): Monitor and review performance against business
continuity policy and objectives, report the results to management for review, and
determine and authorize actions for remediation and improvement.
 Act (Maintain and improve): Maintain and improve the BCMS by taking corrective
action based on the results of management review and by reappraising the scope of the
BCMS and the business continuity policy and objectives.

3. Business Continuity Plan (BCP)


A business continuity plan (BCP) can be defined as a proactive business process that lets a
company understand potential weaknesses of and threats to the organization in times of crisis.
The BCP is at the heart of a company's business continuity management program, using the
program's principles to inform best practices for risk mitigation. It provides instructions for
handling various situations and includes contact points for assistance, locations for emergency
office space and procedures for an immediate response within the organization. A well-
executed BCP also comprises a process for identifying problem areas before a critical
event occurs and reducing or eliminating the risk. A BCP allows a company to continue to serve
customers during a crisis, decreases business downtime, and outlines the steps to be taken
before, during and after an emergency to maintain the company's financial viability. A core
objective of the process is to protect and preserve operations and profitability.

Business continuity Planning focuses on the entire enterprise’s mission critical infrastructure
such as

 People
 Processes
 Technology

When developing a business continuity plan for your organization, you need to consider
the following:

 Create a list of all the critical business functions in your organization


 Create a business impact analysis
 Develop a range of different crisis scenarios and consider how they could interrupt
your business operations
 Develop strategies to mitigate any vulnerabilities you have identified to maintain
functionality in a disaster.
 Identify employees who will have key roles in implementing business continuity
processes.
 Provide training to relevant employees
 Review and evaluate your business continuity plan regularly

Key Steps to creating a Business Continuity Plan

A. Risk Assessment
Identify Stakeholders

 A business continuity plan does not rest solely on one employee, or even one
department. To create an effective BCP, companies must identify key stakeholders and
seek their input. Work with stakeholders to identify the key risks that pertain to
their success, and how your partnership with them could be affected in the event of a disaster.
Discuss ways these risks can be mitigated.

Prioritize Risks

 One of the most common pitfalls when creating a business continuity plan is focusing
on the wrong risks. To begin prioritizing risks, first identify potential threats that may
impact day-to-day functionality. Consider listing your industry risks, target market,
rising trends, geographical area, etc. Once listed, begin prioritizing the risks. This may
be based on the level of impact, likelihood of occurrence, or other defined criteria.
Consider some of the following risks:

 Natural disasters (earthquakes, floods, fires)
 On-premises incidents (power outages, office relocation)
 IT security threats (malware, ransomware, data breaches)

 Once risks have been identified, and a response has been devised, identify gaps in the
BCP through careful review. Encourage collaboration to identify where the plan is
weak, then make necessary changes.

B. Business Impact Analysis

Collaboration is key when creating an effective Business Continuity Plan. Not only will
this allow others to feel a sense of ownership over the plan, thus making execution more
effective, but it will give you a greater understanding into how a disaster may impact other
business functions. A Business Impact Analysis (BIA) is a breakdown of how a disaster
will affect key areas of the business. This will be most effective if feedback from managers
and employees is received personally. Consider: 

 Seeking to understand different team structures and their tools.  


 Meeting with managers and asking their feedback on how these processes will
be affected in the event of a disaster. 
 Developing questionnaires. 
 Conducting workshops to instruct business function and process managers how
to complete the BIA.
C. Strategy and Plan Development

When finalizing the business continuity plan, it is imperative to document the plan and
store the document in a secure location. Consider storing a copy of the BCP off-site, in case
the primary site or the documents themselves suffer damage or theft. Consider including the
following elements in your BCP:

 Develop the plan framework
 Organize recovery teams 
 Develop relocation plans 
 Write business continuity and IT disaster recovery procedures
 Document manual workarounds
 Assemble plan, validate, gain management approval
D. Test, Implement, and Maintain

To have confidence in your business continuity plan, test, re-test, then test again. A strong
BCP has undergone testing to identify its weak points. Managers should carry out maintenance
checks to ensure the BCP is up to date, testing it at least every year. This provides further
confidence in the actionable response items in the BCP. Managers and BCP teams should also:

 Conduct orientation exercises 


 Document test results 
 Update Business Continuity Plan to incorporate lessons learned from testing
and exercises

A BCP should be developed and implemented well in advance for an enterprise to ensure its
effectiveness. Business continuity management (BCM) is the structure for the
maintenance and management of the BCP. BCM practitioners see a few organizational problems
while implementing BCM programs. At a high level, they can be categorized into two areas:

4. Disaster Recovery
Disaster recovery refers to the processes and procedures involved in restoring the information
systems and physical infrastructure required to conduct business following a disaster. It is
the practice of anticipating, planning for, surviving and recovering from a disaster that may
affect a business. Disasters can include:

 Natural events like earthquakes or hurricanes


 Failure of equipment or infrastructure, such as a power outage or hard disk failure
 Man-made calamities such as accidental erasure of data or loss of equipment
 Cyber-attacks by hackers or malicious insiders

4.1. Disaster Recovery Plan

A Disaster recovery plan defines instructions that standardize how a particular organization
responds to disruptive events, such as cyber-attacks, natural disasters, and power outages. It
enables businesses to respond quickly to a disaster and take immediate action to reduce
damage, and resume operations as quickly as possible. A disaster recovery plan typically
includes:

 Emergency procedures staff can carry out when a disaster occurs


 Critical IT assets and their maximum allowed outage time
 Tools or technologies that should be used for recovery
 A disaster recovery team, their contact information and communication procedures
(e.g. who should be notified in case of disaster)

The common elements of a disaster recovery plan are as follows:

 Recovery Time Objective (RTO) and Recovery Point Objective (RPO)

A disaster recovery plan must make clear what your organization's targets are:

 RTO: the maximum time your organization can tolerate for recovering normal
operations after a disaster (for example, recovery within 30 minutes, 2 hours, or 12
hours)
 RPO: the maximum amount of data, expressed as a span of time, that your organization
can afford to lose (for example, an hour of data, 3 hours of data, or one day of data); in
practice it bounds how old the most recent usable backup or replica may be

 Identify Personnel Roles

The plan should define who in the organization is responsible for disaster recovery processes,
with their names and contact details. Critical responsibilities include:

 Ongoing backups and maintenance of business continuity systems


 Responsibility for declaring a disaster
 Responsibility for contacting third-party vendors
 Responsibility for reporting to management and liaising with customers, press, etc.
 Responsibility for managing the crisis and recovering from it

 List of Disaster Recovery Sites

A disaster recovery plan must specify where the company’s assets are located, and where each
group of assets will be moved if a disaster occurs. There are three types of sites:

 Hot sites—a fully functional data centre with IT equipment, personnel and up to date
customer data.
 Warm sites—a functional data centre that allows access to critical systems only,
without up-to-date customer data
 Cold sites—used to store backups of systems or data, but without the ability to
immediately run operational systems

 Remote Storage of Physical Documents and Storage Media

Most organizations have a large quantity of physical documents and/or storage media like
DVDs, external hard drives or backup tapes, which must be protected in case of a disaster.
Unexpected loss of this data can be detrimental to the business or result in compliance
violations. Therefore, copies of all critical documents must be stored in a remote location.
 Disaster Response Procedures

A key element of a disaster recovery plan is a documented procedure for responding to a
catastrophic event. The first few hours of an event are critical, and staff should know exactly
what to do to minimize damage to organizational systems, and recover systems to resume
normal operations. A DR procedure should include clear action steps, in simple and
unambiguous language, including how to fail over to the disaster recovery site and how to
verify that recovery has been successful.

 Identify Sensitive Data

All organizations maintain sensitive data, which may also be subject to compliance
requirements, such as Personally Identifiable Information (PII), credit cardholder data, or other
valuable data like intellectual property (IP).

A disaster recovery plan must identify how this sensitive data is securely backed up, and who
should have access to the original copy and the backups, both during normal operations and in
the event of a disaster.

 Define a Communication Plan for Disaster Events

When disaster strikes, a company must have a clear plan for delivering essential information
to affected parties, including:

 Management
 Employees
 Vendors and suppliers
 Customers
 Compliance authorities
 The media

 Physical Facility Needs

In case of a physical disaster like a flood or earthquake, there will be a need to restore physical
facilities. The disaster recovery plan should specify what is the minimal facility that will enable
the company to restore normal operations—including office space, location, furniture needed,
computing and IT equipment.
 Run Disaster Recovery Drills

Disaster recovery plans might look great on paper, but fail when they are needed most. To
avoid this from happening, run a drill and test your plan in a realistic scenario. Learn the lessons
from the drill and update the plan to make it clearer and more effective for all parties involved.
Disaster recovery plans must be updated at least once per year.
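The RTO and RPO targets defined earlier in this section, and the drill just described, are only meaningful if someone actually measures them. The following Python script is an added example, not part of this assignment and not drawn from any vendor's tooling; it checks both targets against constructed backup-job and restore-drill records of the kind a drill produces. The per-system RTO/RPO targets, the log format (timestamp, system, event, status, duration in seconds), the log lines and the check time are all assumptions made for illustration. It shows two points the prose only implies: a failed backup job does not advance the recovery point, so RPO is measured from the last successful backup, and a system that has never been restored in a drill has an unverified RTO.

```python
from datetime import datetime, timedelta, timezone

# Constructed DR targets per system (assumption, not from the original document).
TARGETS = {
    "core-banking": {"rto": timedelta(hours=2),  "rpo": timedelta(minutes=30)},
    "email":        {"rto": timedelta(hours=12), "rpo": timedelta(hours=3)},
    "archive":      {"rto": timedelta(days=1),   "rpo": timedelta(days=1)},
}

# Constructed backup-job and restore-drill log. Assumed format, one record per line:
#   ISO-8601 UTC timestamp | system | event (backup|restore) | status | duration in seconds
SAMPLE_LOG = """\
2023-03-10T08:00:00Z | core-banking | backup  | success | 900
2023-03-10T08:30:00Z | core-banking | backup  | success | 920
2023-03-10T09:00:00Z | core-banking | backup  | failed  | 0
2023-03-10T09:30:00Z | core-banking | backup  | failed  | 0
2023-03-10T08:00:00Z | email        | backup  | success | 1800
2023-03-10T02:00:00Z | archive      | backup  | success | 7200
2023-03-05T10:00:00Z | core-banking | restore | success | 9000
2023-03-05T14:00:00Z | email        | restore | success | 3600
"""

# Constructed "current time" for the check, so the example is deterministic.
CHECK_TIME = datetime(2023, 3, 10, 10, 0, tzinfo=timezone.utc)


def parse_log(text):
    """Parse the pipe-separated log into a list of dicts with typed fields."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, system, event, status, seconds = [f.strip() for f in line.split("|")]
        records.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "system": system,
            "event": event,
            "status": status,
            "duration": timedelta(seconds=int(seconds)),
        })
    return records


def check_rpo(records, targets, now):
    """Map each system to (age of last successful backup, violates_rpo).

    Only successful jobs move the recovery point: a failed backup leaves the
    worst-case data loss measured from the last good copy, so a system whose
    recent jobs all failed is flagged even though jobs were scheduled on time.
    A system with no good backup at all is reported as (None, True).
    """
    result = {}
    for system, target in targets.items():
        good = [r["ts"] for r in records
                if r["system"] == system and r["event"] == "backup" and r["status"] == "success"]
        if not good:
            result[system] = (None, True)
            continue
        age = now - max(good)
        result[system] = (age, age > target["rpo"])
    return result


def check_rto(records, targets):
    """Map each system to (worst measured restore time in drills, violates_rto).

    The RTO is only as credible as the slowest successful drill; a system that
    has never been restored in a drill has an unverified RTO and is flagged.
    """
    result = {}
    for system, target in targets.items():
        drills = [r["duration"] for r in records
                  if r["system"] == system and r["event"] == "restore" and r["status"] == "success"]
        if not drills:
            result[system] = (None, True)
            continue
        worst = max(drills)
        result[system] = (worst, worst > target["rto"])
    return result


def report(text=SAMPLE_LOG, targets=TARGETS, now=CHECK_TIME):
    """Run both checks and return {"rpo": {...}, "rto": {...}}."""
    records = parse_log(text)
    return {"rpo": check_rpo(records, targets, now), "rto": check_rto(records, targets)}


if __name__ == "__main__":
    for kind, rows in report().items():
        for system, (value, violates) in rows.items():
            print(f"{kind.upper()} {system:13} {str(value):>16} {'VIOLATION' if violates else 'ok'}")
```

On the constructed data, core-banking fails both checks: its two most recent backup jobs failed, so the last usable copy is 90 minutes old against a 30-minute RPO, and its only drill took 2.5 hours against a 2-hour RTO. The archive system passes RPO but is flagged on RTO simply because it has never been restored in a drill, which is exactly the gap a plan that "looks great on paper" tends to hide.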

4.2. Types of Disaster Recovery Solutions

a. Datacentre Disaster Recovery

Organizations that operate their own data centres must implement a disaster recovery strategy
that addresses all IT infrastructure components in the data centre and the surrounding physical
facility. This strategy typically centres on backups to failover sites housed in secondary data
centres or colocation facilities. Business and IT leaders should document the various
components of these physical facilities, including heating, cooling, power, fire response, and
security controls.

b. Network Disaster Recovery

Network connectivity is critical for external and internal communication, application access,
and data sharing in the event of a disaster. The network disaster recovery strategy should detail
a plan to restore network services and ensure access to backup data and secondary storage sites.

c. Virtualized Disaster Recovery

Organizations can use virtualization to replicate workloads to a secondary location or cloud
environment for disaster recovery. Virtualized DR is flexible, easy to implement, fast, and
efficient: virtualized workloads have small IT footprints, support frequent replication, and
enable fast failover initiation. Various data protection vendors provide virtual DR and backup
products.

d. Disaster Recovery in the Cloud

With many cloud services available, organizations can host DR systems in a cloud environment
rather than in a physical location. Cloud disaster recovery involves more than cloud backup.
IT teams must configure automatic workload failover to the DR cloud platform for immediate
recovery when a disruption occurs.

e. Disaster Recovery as a Service (DRaaS)

DRaaS is a commercially available cloud DR service that allows an organization to replicate
and host its virtual and physical servers on a third party's infrastructure. The DR service
provider is responsible for implementing the disaster recovery plan during a crisis, based on the
service-level agreement.

Difference between Disaster Recovery and Business Continuity

Some key distinctions between business continuity and disaster recovery are as follows:

 Business continuity is a proactive approach to minimizing risks and ensuring the
organization can continue to deliver products and services regardless of the circumstances.
BC primarily focuses on defining ways to ensure employees can continue their work and
enable the business to continue operations during disaster events.
 Disaster recovery is a subset of BC focused mainly on the IT systems required for business
continuity. DR defines the specific steps needed to resume technology operations after an event
occurs. It is a reactive process: the planning is done in advance, but the DR plan is invoked only
when a disaster actually occurs.
 Business continuity focuses on keeping business operational during a disaster, while
disaster recovery focuses on restoring data access and IT infrastructure after a disaster. In
other words, the former is concerned with keeping the shop open even in unusual or
unfavorable circumstances, while the latter focuses on returning it to normal as expediently
as possible.
 Unlike business continuity plans, disaster recovery strategies may involve creating
additional employee safety measures, such as conducting fire drills or purchasing
emergency supplies. Combining the two allows a business to place equal focus on
maintaining operations and ensuring that employees are safe.
 Business continuity and disaster recovery have different goals. Effective business
continuity plans limit operational downtime, whereas effective disaster recovery plans limit
abnormal or inefficient system function. Only by combining the two plans can businesses
comprehensively prepare for disastrous events.
 A business continuity strategy can ensure communication methods such as phones and
network servers continue operating in the midst of a crisis. Meanwhile, a disaster recovery
strategy helps to ensure an organization’s ability to return to full functionality after a
disaster occurs. To put it differently, business continuity focuses on keeping the lights on
and the business open in some capacity, while disaster recovery focuses on getting
operations back to normal.
 Some businesses may incorporate disaster recovery strategies as part of their overall
business continuity plans. Disaster recovery is one step in the broader process of
safeguarding a company against all contingencies.
 They have different goals: business continuity plans are concerned with limiting downtime,
while disaster recovery plans are concerned with ensuring the company doesn’t suffer from
inefficient systems functions.

5. Crisis Management
5.1. What is a Crisis?
A crisis can be defined as a disruptive event affecting a business's facilities, IT systems,
data, personnel etc. which brings production to a halt. The halt in production has
a cascading effect on revenues, profitability, production schedules, business reputation,
customer goodwill etc.

A crisis could be internal or external in nature. It could be a major crisis or a minor one.
Depending on the severity of the crisis, the business may be exposed to adverse publicity. If it
is a publicly traded business, the adverse publicity may drive down share value, leading to
shareholder unrest. Therefore, a crisis should be handled in a very professional and competent
manner.

Crisis situations appear to happen suddenly. Four key elements indicate the presence of a crisis
situation. These four elements are:

• Missing or uncertain (unreliable) information
• Little time in which to act (or respond)
• A threat to people or resources valuable to people
• The resources required to resolve the situation exceed the available resources.

5.2. Crisis management

Crisis management refers to the identification of a threat to an organization and its
stakeholders in order to mount an effective response to it. This is a process to manage a
response to a crisis or major event affecting your business operations in order to stabilise and
effectively control the situation and recover your operations in the quickest time possible.
A crisis can be attributed to impending changes related to the country's social, political,
economic, environmental or security situation. It often causes uncertainty and threats to the
organisation's goals.

Crisis management (CM) covers all aspects of what may precipitate a crisis situation through to
recovery from that situation. This means assessing, reducing and managing the risks, threats and
hazards that can promote crisis situations, as well as planning and preparing to respond to – and
recover from – crisis situations. Effective CM means seeking to:

• Mitigate or reduce the sources, size and impacts of a crisis situation
• Improve crisis onset management
• Improve crisis impact management when responding to a crisis
• Enhance the recovery from a crisis situation through effective and rapid recovery
management action.

5.3. Crisis Management Plan

A Crisis Management Plan is a part of the overall BC plan. The Crisis Management Plan
contains the communication and decision-making components of the BC plan. A well-thought-out
and documented Crisis Management Plan will facilitate communication between all
stakeholders, with safety considerations being paramount. It will also detail the steps to be taken
for impact assessment, as well as interaction with the media regarding the crisis and the action
being taken to contain it.

Factors Considered in a Crisis Management Plan

Since every business has different needs, one size does not fit all as far as a Crisis Management
Plan is concerned. However, common guidelines for a sound Crisis Management Plan are:

• Crisis Management Team – it should contain senior managers who have the expertise and
experience needed to manage a crisis. The team should also include anyone with
specialized knowledge useful in combating a crisis.
• Organizational responsibilities of the team – each member should be assigned a specific
task by defining his or her functions, duties and responsibilities during a crisis.
• Sub-teams – these will function under the overall direction of the main team member. A
sub-team will have people with different types of expertise, who can handle the tasks
associated with the crisis.
• Evaluation and corrections – after the conclusion of the crisis, assigned members should
evaluate the response and take corrective action to overcome deficiencies.
• Contact list – a regularly updated contact list should be compiled to keep internal and
external stakeholders in the loop.
• Command Centre – a Crisis Management/Emergency Operations Command Centre should
be designated as the focal point for handling the crisis.
• Logistics – the logistical support for notification, mobilization and manning of crisis
centres should be clearly laid out.
• Public relations – in a time of crisis the last thing an organization needs is 'bad press'. A
team member should be specifically assigned to this task.

6. Business Continuity and Disaster Recovery (BCDR)
BCDR is a set of processes and techniques used to help an organization recover from a disaster and
continue or resume routine business operations. It enables an organization to adapt to and bounce
back from disruption while maintaining continuous business operations. The term business
continuity and disaster recovery is a fusion of two components: business continuity and disaster
recovery. In 2020 BCDR had a higher profile than ever before. The rapid spread of COVID-19
around the globe caught many businesses unprepared to deal with sudden disruption, resulting in
devastating consequences for some.

Businesses of all sizes can benefit from a BCDR, as any kind of organization can experience
an unforeseen disaster. A BCDR plan typically involves both business and information
technology (IT) operations, and the ultimate goals of a BCDR plan are to mitigate disaster risks
and help organizations continue normal operations as soon as possible. Often, a BCDR plan is
part of an organization's risk management strategy.

How to create a BCDR Plan

Here are four key steps that you can follow to create an effective BCDR plan for your
organization:

1. Assess your organization's risks

The first step to creating a BCDR plan is assessing your organization's risks. Risk assessment
involves evaluating your organization to determine potential threats to its growth and long-
term success. Before you start to develop the specifics of your BCDR plan, think about
potential natural and human-caused disasters that could affect your organization.

2. Create recovery strategies

Once you've assessed your risks, you can design recovery strategies. For each disaster risk that
you identified, brainstorm strategies your organization could implement to continue its
business operations and restore its information technology. It can be helpful to assemble a team
to come up with strategies, as different individuals can offer various perspectives.

3. Develop and implement your plan

Another key step to creating a BCDR plan is formalizing your strategies in a comprehensive
plan. In your BCDR plan, include the disaster risks you identified as well as the step-by-step
strategies you developed for handling each situation. You can also include the roles and
responsibilities of your organization's employees so all involved parties know what tasks they
need to complete during a disaster situation.

4. Test Your plan

After you've created your BCDR plan, you may test it to make sure it can work effectively
during a disaster. As you complete testing, be sure to identify any problems with your BCDR
plan so that you can improve them. This can help you ensure that your organization is equipped
with the most effective BCDR plan possible if a disaster occurs. Many organizations also
periodically review their BCDR plans to ensure they are up-to-date.

BCDR Standards

Government and private sector standards bodies, including the National Institute of Standards
and Technology (NIST) and the International Organization for Standardization (ISO), have
published BCDR guidelines. The standards, which cover topics from crisis management to risk
assessment, provide frameworks on which businesses can build their BCDR plans.

The following is a sampling of standards:

• ISO 22301:2019 Security and resilience -- Business continuity management systems -- Requirements
• ISO 22313:2012 Societal security -- Business continuity management systems -- Guidance
• ISO 22320:2018 Security and resilience -- Emergency management -- Guidelines for incident management
• ISO/IEC 27031:2011 Information technology -- Security techniques -- Guidelines for information and communication technology readiness for business continuity
• ISO 31000:2018 Risk management -- Guidelines
• ISO Guide 73:2009 Risk management -- Vocabulary
• IEC 31010:2019 Risk management -- Risk assessment techniques
• ISO/TS 22317:2021 Security and resilience -- Business continuity management systems -- Guidelines for business impact analysis
• FINRA Rule 4370: Business Continuity Plans and Emergency Contact Information
• National Fire Protection Association 1600: Standard on Continuity, Emergency, and Crisis Management (new consolidated draft pending)
• NIST Special Publication 800-34 Rev. 1: Contingency Planning Guide for Federal Information Systems
• American National Standards Institute/ASIS ORM.1.201 Security and Resilience in Organizations and Their Supply Chains.

Why is BCDR Important?

The role of BCDR is to minimize the effects of outages and disruptions on business operations.
BCDR practices enable an organization to get back on its feet after problems occur, reduce the
risk of data loss and reputational harm, and improve operations while decreasing the chance of
emergencies.

Some businesses might have a head start on BCDR. DR is an established function in many IT
departments with respect to individual systems. However, BCDR is broader than IT,
encompassing a range of considerations -- including crisis management, employee safety and
alternative work locations. A holistic BCDR approach requires thorough planning and
preparation. BCDR professionals can help an organization create a strategy for achieving
resiliency. Developing such a strategy is a complex process that involves conducting a business
impact analysis (BIA) and risk analysis as well as developing BCDR plans, tests, exercises and
training.
