Aragaw W. Assignment 2
BCDR Department
Assignment 2
By:
Aragaw Wassie (MSC)
Submitted to:
March, 2023
Addis Ababa, Ethiopia
Table of Contents
1. Introduction about Business
2. Business Continuity
2.1 Business Continuity as a Process
2.2 Business Continuity as a Discipline
2.3 Business Continuity Management
2.4 Business Continuity Management System (BCMS)
3. Business Continuity Plan (BCP)
4. Disaster Recovery
4.1. Disaster Recovery Plan?
4.2. Types of Disaster Recovery Solutions
5. Crisis Management
5.1. What is Crisis?
5.2. Crisis management
5.3. Crisis Management Plan
6. Business Continuity and Disaster Recovery (BCDR)
Why is BCDR Important?
1. Introduction about Business
Business is an enterprise or activity with the intention to make profits. It can be in the form of
a company, partnership, organization, sole proprietorship, occupation, or any entity that
undertakes commercial, industrial, charitable, or professional activities to earn profits.
The term “profit” doesn’t necessarily mean anything monetary. It can be a non-monetary
benefit in any form which a business entity may deem/consider rewarding. Moreover, a
business can be a “for-profit” or “not-for-profit” entity and may have a separate existence from
those who run/control it.
Concept of Business
The business concept is a mandatory idea for any type of business. It sets the foundations or
directions that shape the future operations of any business. For instance, the business concept
determines the vision, mission, business model, and plan for a business entity.
To make it simpler, let’s have a look at this example. The business concept behind Uber, an
American corporation, was to aggregate the taxi drivers under one platform and help them offer
their services on demand. Then, the company developed all its business strategies on the basis
of this concept.
Objectives of Business
A business may have different goals depending on its financial standing, products, industry,
etc. However, generally, we can categorize business objectives in four different ways.
• Economic Objectives basically depend on the financial needs of any business entity.
Economic objectives may include growth, profits, survival, etc.
• Human Objectives generally target the business employees, their needs, personal growth,
security, satisfaction, motivation, etc.
• Organic Objectives include anything and everything that focuses on business
improvement. Common examples include improving brand reputation, strengthening the
business, raising capital, innovation, growth, etc.
• Social Objectives include everything that focuses on the betterment of society. Social
objectives may include fair price policy, customer satisfaction, quality products, charities,
fair employment practices, fair trade practices, environmental protection, etc.
Form of Business Structure
We can categorize business in different forms on the basis of objectives, ownership, liability,
etc. Here are some common forms of business.
Sole proprietorship
In a sole proprietorship, only one individual owns and runs the business. Also, the individual
will be responsible for any lawsuits and liabilities while all the profits and losses also belong
to the owner.
A sole proprietorship is usually easy to register and operate. There are no legal obligations for
minimum capital, number of employees, registered office, etc.
However, in a sole proprietorship, the owner has unlimited responsibility. That is, the creditors
of the business have the right to go for the owner’s personal assets in case the owner fails to
settle the debts.
Partnership
A partnership is a form of business where two or more individuals make a formal contract to
run a business together. A partnership can be limited or general. Just like the sole
proprietorship, all the partners in a partnership will have unlimited liability (unless otherwise
agreed). However, in the case of a limited partnership, one or all partners are liable to a limited
extent.
Corporation
• It has a separate legal identity, i.e., it is a totally different entity from its owners.
• A corporation has to pay tax; it can make profits, initiate a lawsuit, or be sued as well.
• Corporations raise capital through stocks or shares, and shareholders are the owners of
the corporation.
• Generally, owners have limited liability (unless otherwise agreed).
• Owners or shareholders do not necessarily run the business. Rather, they select their
representatives (board of directors) to run the corporation and make necessary
decisions.
• Corporations have certain requirements to fulfill (depending on their local laws), such
as:
  • A minimum amount of capital
  • Minimum number of employees
  • Memorandum of association
  • Articles of association
Cooperative
It is a form of business in which a group of people (members) own and run a private business
for their mutual benefits. The members get their share in all the earnings or profits of the
cooperative. Generally, the members have voting rights, and they can elect officers and the
board of directors to run the cooperative. Generally, the main objective of a cooperative is to
offer services to all members rather than just offering returns on their investments.
Challenges to a Business
Running a business is not a piece of cake, especially when it comes to corporations. Every
business has to face internal and external challenges, such as:
• Coping with future uncertainty such as market trends, customer trends, and a changing
economic environment. A business has to be proactive to stay competitive in the
market.
• Monitoring organizational performance effectively and efficiently is another challenge
for any business. Management has to evaluate what is working for them and what is
not. They need to develop KPIs and expertise in interpreting and communicating
metrics for better decision-making.
• Financial management is one of the most important elements in a business and equally
challenging. A business needs to know where to invest (smart investments), when and
how to reduce costs, how to maintain a good cash flow, how to increase profit margins, etc.
• A business has to comply with all the regulations or rules set by the authorities. It may
include corporate social responsibility, economic policies, legal obligations, etc.
• Integration between the business and technology on a consistent basis is another
challenge for businesses. Technological advancements are even faster than the speed of
light. You will fall behind in line if you cannot keep up with them.
• Hiring and managing a skilled workforce is always a herculean task for any business.
Your workforce can make or break your organization. Hiring the “wrong” people can
demolish your organization within no time. People with professional skills, attitudes,
and adaptive mindsets are the actual assets of your business.
• Data management may be a relatively new entrant in the business arena, but it has
become an integral part very quickly. Collecting, categorizing, interpreting, and then
using the data effectively is the key to success in the modern business world.
• Everything in your business will fall apart if you don’t have strong customer service
strategies in order. The customer is the king, especially when there is so much competition
around. Make no mistake, “angry customers” can ruin your brand reputation just like
that with the help of the internet. After all, technology has its pros as well as its cons.
• Applications and software used across the organization are not documented. Shadow IT,
a situation in which applications are installed without business and IT knowledge,
can cause organizational data leaks and data fragmentation.
• IT disaster recovery planning, and sometimes the IT organization as a whole, is
disconnected from the rest of the business continuity planning activities.
2. Business Continuity
Business continuity is an umbrella discipline and encompasses some specific disciplines such
as business continuity planning, where you do all the work to prepare for a disaster; service
continuity, where you set up, maintain, and test the technology solutions that support business
continuity; and crisis management, which is the process you will use to respond to major events
that your “business as usual” processes can’t cope with. Business continuity has a broader
scope that includes crisis management, crisis communications, IT disaster recovery, and
cybersecurity incident response.
2.1 Business Continuity as a Process
The process of business continuity, also known as the business continuity life cycle,
describes how any organization should go about ensuring that critical activities are
performed no matter what else is happening. The process is cyclical and follows the same
basic steps as most processes of continuous improvement (Figure 1).
The process starts with understanding what constitutes a critical process, then plans how it
will be introduced, designs and delivers supporting solutions, tests it all, and finally
maintains it. Business continuity as a process really means that it is repeatable and can be
undertaken by a wide range of people, with different levels of experience and seniority, and
yet can achieve consistent high-quality results. Process is important because it gives people
something they can do, and it has the added benefit of making everything auditable, which is
increasingly important.
• Continuity planners, who identify what is critical and decide how it can be continued
through an interruption.
• IT service continuity professionals, who are responsible for making sure the critical IT
services are available to support critical business activities.
• Crisis management team, which is responsible for monitoring the business for potential
interruption events and then making sure that timely action is taken, which would
normally involve invoking the business continuity plans and recovering any required IT
services.
Risk Management is a process to identify, measure, prioritize and treat the risks affecting an
organisation. It is a core part of corporate governance and it entails making judgments on how
to allocate resources. Response options include avoidance, reduction, transfer and retention (or
tolerance).
• Prevention is to reduce the likelihood of a risk. Example: relocate the critical stocks to a
geographic location subject to lower or no risk of disaster.
• Preparedness is to stand ready in case the risk materialises and to control/minimize damages
and losses. Example: make an inventory of reliable alternative suppliers and establish a
first contact with them.
• Response options are those that you roll out after the disaster hits. Example: contact
alternative suppliers in case of supply chain disruption.
A BCM program combines the principles of business continuity plan, crisis management,
disaster recovery, emergency response and operational relocation to manoeuvre through
emergencies with as little damage as possible. By anticipating disasters before they happen, the
organization can ensure operations proceed smoothly.
Do (Implement and operate): Implement and operate the business continuity policy,
controls, processes and procedures.
Check (Monitor and review): Monitor and review performance against business
continuity policy and objectives, report the results to management for review, and
determine and authorize actions for remediation and improvement.
Act (Maintain and improve): Maintain and improve the BCMS by taking corrective
action, based on the results of management review and reappraising the scope of the
BCMS and business continuity policy and objectives.
Business continuity planning focuses on the entire enterprise’s mission-critical infrastructure,
such as:
People
Processes
Technology
When developing a business continuity plan for your organization, you need to consider
the following:
A. Risk Assessment
Identify Stakeholders
A Business Continuity Plan does not rest solely on one employee, or even one
department. To create an effective BCP, companies must identify key stakeholders and
seek their valuable input. Work with stakeholders to identify key risks that pertain to
their success, and how, in the event of a disaster, your partnership could be affected.
Discuss ways these risks can be mitigated.
Prioritize Risks
One of the most common pitfalls when creating a Business Continuity Plan is focusing
on the wrong risks. To begin prioritizing risks, first identify potential threats that may
impact day-to-day functionality. Consider listing your industry risks, target market,
rising trends, geographical area, etc. Once listed, begin prioritizing the risks. This may
be based on the level of impact, likelihood of occurrence, or other defined criteria.
Consider some of the following risks:
Once risks have been identified, and a response has been devised, identify gaps in the
BCP through careful review. Encourage collaboration to identify where the plan is
weak, then make necessary changes.
Collaboration is key when creating an effective Business Continuity Plan. Not only will
this allow others to feel a sense of ownership over the plan, thus making execution more
effective, but it will give you a greater understanding of how a disaster may impact other
business functions. A Business Impact Analysis (BIA) is a breakdown of how a disaster
will affect key areas of the business. This will be most effective if feedback from managers
and employees is received personally. Consider:
When finalizing the Business Continuity Plan, it is imperative to document the plan and
store the document in a secure location. Consider storing the BCP off-site, in case the
site or the documents suffer damage or theft. Consider including the
following elements in your BCP:
Develop and plan framework
Organize recovery teams
Develop relocation plans
Write business continuity and IT disaster recovery procedures
Document manual workarounds
Assemble plan, validate, gain management approval
D. Test, Implement, and Maintain
To have confidence in your Business Continuity Plan, test, re-test, then test again. A strong
BCP has undergone testing to identify the weak points. Managers should consider maintenance
checks to ensure the BCP is up to date, testing every year. This will provide further confidence
in the actionable response items in the BCP. Managers/BCP teams should also:
A BCP should be developed and implemented well in advance for an enterprise to ensure its
effectiveness. Business Continuity Management (BCM) is a structure for
maintenance/management of the BCP. BCM practitioners see a few organizational problems
while implementing BCM programs. At a high level, they can be categorized into two areas:
4. Disaster Recovery
Disaster Recovery refers to the processes and procedures involved in restoring the information
systems and physical infrastructure required to conduct the business following a disaster. It is
the practice of anticipating, planning for, surviving, and recovering from a disaster that may
affect a business. Disasters can include:
4.1. Disaster Recovery Plan?
A disaster recovery plan defines instructions that standardize how a particular organization
responds to disruptive events, such as cyber-attacks, natural disasters, and power outages. It
enables businesses to respond quickly to a disaster and take immediate action to reduce
damage, and resume operations as quickly as possible. A disaster recovery plan typically
includes:
A disaster recovery plan must make clear what your organization's RTO and RPO are:
• RTO: the maximal time your organization can tolerate for recovering normal
operations in case of a disaster (for example, recovery within 30 minutes, 2 hours, 12
hours)
• RPO: the maximal amount of data your organization can afford to lose (for example,
an hour of data, 3 hours of data, one day of data)
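The RTO and RPO targets above only mean something if they are measured against real backup and drill records. The following Python code is an added example, not part of the original assignment: it computes the worst-case data loss from a backup log and the slowest recovery from drill results, then compares both with the plan's targets. The system names, log entries, drill times and evaluation time are constructed sample data.

```python
from datetime import datetime, timedelta


def ts(text):
    """Parse a 'YYYY-MM-DD HH:MM' timestamp."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M")


# Constructed DR-plan targets (hypothetical systems; values follow the text's examples).
PLAN = {
    "payments-db": {"rpo": timedelta(hours=1), "rto": timedelta(minutes=30)},
    "file-share": {"rpo": timedelta(days=1), "rto": timedelta(hours=12)},
    "hr-portal": {"rpo": timedelta(hours=3), "rto": timedelta(hours=2)},
}

# Constructed backup job log: (system, completion time, job succeeded)
BACKUPS = [
    ("payments-db", ts("2023-03-01 00:00"), True),
    ("payments-db", ts("2023-03-01 01:00"), True),
    ("payments-db", ts("2023-03-01 02:00"), False),  # failed job: not a restore point
    ("payments-db", ts("2023-03-01 03:00"), True),
    ("file-share", ts("2023-02-28 22:00"), True),
    ("hr-portal", ts("2023-03-01 01:30"), False),    # only job on record failed
]

# Constructed recovery drill results: (system, failover started, service restored)
DRILLS = [
    ("payments-db", ts("2023-02-15 10:00"), ts("2023-02-15 10:25")),
    ("file-share", ts("2023-02-15 10:00"), ts("2023-02-16 01:00")),
]

NOW = ts("2023-03-01 03:30")  # constructed evaluation time


def worst_case_data_loss(restore_points, now):
    """Longest stretch without a usable restore point, up to `now`.

    This is the most data that would have been lost had a disaster struck
    just before the next successful backup. None means no restore point exists.
    """
    if not restore_points:
        return None
    points = sorted(restore_points) + [now]
    return max(later - earlier for earlier, later in zip(points, points[1:]))


def slowest_recovery(drills):
    """Longest measured recovery time across drills; None if never drilled."""
    durations = [restored - started for started, restored in drills]
    return max(durations) if durations else None


def evaluate(plan, backups, drills, now):
    """Compare measured data loss and recovery time with each system's RPO/RTO."""
    report = {}
    for system, target in plan.items():
        # Only successful jobs that finished before `now` count as restore points.
        points = [t for s, t, ok in backups if s == system and ok and t <= now]
        loss = worst_case_data_loss(points, now)
        recovery = slowest_recovery([(a, b) for s, a, b in drills if s == system])
        report[system] = {
            "worst_loss": loss,
            "rpo": "violated" if loss is None or loss > target["rpo"] else "ok",
            "slowest_recovery": recovery,
            "rto": "unverified" if recovery is None
                   else "violated" if recovery > target["rto"] else "ok",
        }
    return report


if __name__ == "__main__":
    for system, result in evaluate(PLAN, BACKUPS, DRILLS, NOW).items():
        print(f"{system}: RPO {result['rpo']} (worst loss {result['worst_loss']}), "
              f"RTO {result['rto']} (slowest drill {result['slowest_recovery']})")
```

A single failed backup job is enough to breach a one-hour RPO, and a system that has never been drilled has an RTO that is unverified rather than met.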
The plan should define who in the organization is responsible for disaster recovery processes,
with their names and contact details. Critical responsibilities include:
List of Disaster Recovery Sites
A disaster recovery plan must specify where the company’s assets are located, and where each
group of assets will be moved if a disaster occurs. There are three types of sites:
• Hot sites: a fully functional data centre with IT equipment, personnel and up-to-date
customer data.
• Warm sites: a functional data centre that allows access to critical systems only,
without up-to-date customer data.
• Cold sites: used to store backups of systems or data, but without the ability to
immediately run operational systems.
Most organizations have a large quantity of physical documents and/or storage media like
DVDs, external hard drives or backup tapes, which must be protected in case of a disaster.
Unexpected loss of this data can be detrimental to the business or result in compliance
violations. Therefore, copies of all critical documents must be stored in a remote location.
Disaster Response Procedures
All organizations maintain sensitive data, which may also be subject to compliance
requirements, such as Personally Identifiable Information (PII), credit cardholder data, or other
valuable data like intellectual property (IP).
A disaster recovery plan must identify how this sensitive data is securely backed up, and who
should have access to the original copy and the backups, both during normal operations and in
the event of a disaster.
Define a Communication Plan for Disaster Events
When disaster strikes, a company must have a clear plan for delivering essential information
to affected parties, including:
Management
Employees
Vendors and suppliers
Customers
Compliance authorities
The media
In case of a physical disaster like a flood or earthquake, there will be a need to restore physical
facilities. The disaster recovery plan should specify the minimal facility that will enable
the company to restore normal operations, including office space, location, furniture needed,
computing and IT equipment.
Run Disaster Recovery Drills
Disaster recovery plans might look great on paper, but fail when they are needed most. To
prevent this, run a drill and test your plan in a realistic scenario. Learn the lessons
from the drill and update the plan to make it clearer and more effective for all parties involved.
Disaster recovery plans must be updated at least once per year.
Organizations with proprietary data centres must implement a disaster recovery strategy that
addresses all IT infrastructure components in the data centre and the surrounding physical
facility. This strategy typically centres on backups to failover sites housed in secondary data
centres or colocation facilities. Business and IT leaders should document the various
components of these physical facilities, including heating, cooling, power, fire response, and
security controls.
Network connectivity is critical for external and internal communication, application access,
and data sharing in the event of a disaster. The network disaster recovery strategy should detail
a plan to restore network services and ensure access to backup data and secondary storage sites.
With many cloud services available, organizations can host DR systems in a cloud environment
rather than in a physical location. Cloud disaster recovery involves more than cloud backup.
IT teams must configure automatic workload failover to the DR cloud platform for immediate
recovery when a disruption occurs.
occurs. It is a reactive process that requires planning, but organizations implement DR only
when a disaster truly occurs.
Business continuity focuses on keeping business operational during a disaster, while
disaster recovery focuses on restoring data access and IT infrastructure after a disaster. In
other words, the former is concerned with keeping the shop open even in unusual or
unfavorable circumstances, while the latter focuses on returning it to normal as expediently
as possible.
Unlike business continuity plans, disaster recovery strategies may involve creating
additional employee safety measures, such as conducting fire drills or purchasing
emergency supplies. Combining the two allows a business to place equal focus on
maintaining operations and ensuring that employees are safe.
Business continuity and disaster recovery have different goals. Effective business
continuity plans limit operational downtime, whereas effective disaster recovery plans limit
abnormal or inefficient system function. Only by combining the two plans can businesses
comprehensively prepare for disastrous events.
A business continuity strategy can ensure communication methods such as phones and
network servers continue operating in the midst of a crisis. Meanwhile, a disaster recovery
strategy helps to ensure an organization’s ability to return to full functionality after a
disaster occurs. To put it differently, business continuity focuses on keeping the lights on
and the business open in some capacity, while disaster recovery focuses on getting
operations back to normal.
Some businesses may incorporate disaster recovery strategies as part of their overall
business continuity plans. Disaster recovery is one step in the broader process of
safeguarding a company against all contingencies.
They have different goals: business continuity plans are concerned with limiting downtime,
while disaster recovery plans are concerned with ensuring the company doesn’t suffer from
inefficient systems functions.
5. Crisis Management
5.1. What is Crisis?
A crisis can be defined as a disruptive event which affects a business’s facilities, IT systems,
data, personnel, etc., and which leads to a stoppage in production. The halt in production will have
a cascading effect on revenues, profitability, production schedules, business reputation,
customer goodwill, etc.
A crisis could be internal or external in nature. It could be a major crisis or a minor one.
Depending on the severity of the crisis, the business may be exposed to adverse publicity. If it
is a publicly traded business, the adverse publicity may drive down share value, leading to
shareholder unrest. Therefore, a crisis should be handled in a very professional and competent
manner.
Crisis situations appear to happen suddenly. Four key elements indicate the presence of a crisis
situation. These four elements are:
CM covers all aspects of what may precipitate a crisis situation through to recovery from that
situation. This means assessing, reducing and managing the risks, threats and hazards that can
promote crisis situations, as well as planning and preparing to respond to – and recover from –
crisis situations. Effective CM means seeking to:
Enhance the recovery from a crisis situation through effective and rapid recovery
management action.
Since every business has different needs, one shoe does not fit all as far as a Crisis Management
Plan is concerned. However, common guidelines for a sound Crisis Management Plan are:
• Crisis Management Team – it should contain senior managers who have the expertise and
experience needed to manage a crisis. The team should also include anyone with
specialized knowledge useful in combating a crisis.
• Organizational responsibilities of the team – each member should be assigned a specific
task by defining his functions, duties and responsibilities during a crisis.
• Sub-teams – these will function under the overall direction of the main team member. A
sub-team will have people with different types of expertise, who can handle the tasks associated
with the crisis.
• Evaluation and corrections – after the conclusion of the crisis, assigned members should
evaluate the response and take corrective action to overcome deficiencies.
• Contact list – a regularly updated contact list should be compiled to keep internal and
external stakeholders in the loop.
• Command Centre – a Crisis Management/Emergency Operations Command Centre should
be designated as the focal point for handling the crisis.
• Logistics – the logistical support for notification, mobilization and manning of crisis
centres should be clearly laid out.
• Public relations – in a time of crisis the last thing an organization needs is a ‘bad press’. A
team member should be specifically assigned to this task.
6. Business Continuity and Disaster Recovery (BCDR)
BCDR is a set of processes and techniques used to help an organization recover from a disaster and
continue or resume routine business operations. It enables the organization to adapt to and bounce
back from disruption while maintaining continuous business operation. The term business
continuity and disaster recovery is a fusion of two components: business continuity and disaster
recovery. In 2020, BCDR has a higher profile than ever before. The rapid spread of COVID-19
around the globe caught many businesses unprepared to deal with sudden disruption, resulting in
devastating consequences for some.
Businesses of all sizes can benefit from a BCDR, as any kind of organization can experience
an unforeseen disaster. A BCDR plan typically involves both business and information
technology (IT) operations, and the ultimate goals of a BCDR plan are to mitigate disaster risks
and help organizations continue normal operations as soon as possible. Often, a BCDR plan is
part of an organization's risk management strategy.
Here are four key steps that you can follow to create an effective BCDR plan for your
organization:
The first step to creating a BCDR plan is assessing your organization's risks. Risk assessment
involves evaluating your organization to determine potential threats to its growth and long-
term success. Before you start to develop the specifics of your BCDR plan, think about
potential natural and human-caused disasters that could affect your organization.
Once you've assessed your risks, you can design recovery strategies. For each disaster risk that
you identified, brainstorm strategies your organization could implement to continue its
business operations and restore its information technology. It can be helpful to assemble a team
to come up with strategies, as different individuals can offer various perspectives.
Another key step to creating a BCDR plan is formalizing your strategies in a comprehensive
plan. In your BCDR plan, include the disaster risks you identified as well as the step-by-step
strategies you developed for handling each situation. You can also include the roles and
responsibilities of your organization's employees so all involved parties know what tasks they
need to complete during a disaster situation.
After you've created your BCDR plan, you may test it to make sure it can work effectively
during a disaster. As you complete testing, be sure to identify any problems with your BCDR
plan so that you can fix them. This can help you ensure that your organization is equipped
with the most effective BCDR plan possible if a disaster occurs. Many organizations also
periodically review their BCDR plans to ensure they are up-to-date.
BCDR Standards
Government and private sector standards bodies, including the National Institute of Standards
and Technology (NIST) and the International Organization for Standardization (ISO), have
published BCDR guidelines. The standards, which cover topics from crisis management to risk
assessment, provide frameworks on which businesses can build their BCDR plans.
• FINRA Rule 4370. Business Continuity Plans and Emergency Contact Information
• National Fire Protection Association 1600: Standard on Continuity, Emergency, and Crisis
Management (new consolidated draft pending)
• NIST Special Publication 800-34 Rev. 1: Contingency Planning Guide for Federal
Information Systems
The role of BCDR is to minimize the effects of outages and disruptions on business operations.
BCDR practices enable an organization to get back on its feet after problems occur, reduce the
risk of data loss and reputational harm, and improve operations while decreasing the chance of
emergencies.
Some businesses might have a head start on BCDR. DR is an established function in many IT
departments with respect to individual systems. However, BCDR is broader than IT,
encompassing a range of considerations -- including crisis management, employee safety and
alternative work locations. A holistic BCDR approach requires thorough planning and
preparation. BCDR professionals can help an organization create a strategy for achieving
resiliency. Developing such a strategy is a complex process that involves conducting a business
impact analysis (BIA) and risk analysis as well as developing BCDR plans, tests, exercises and
training.