Risk Management


A Case for Business Continuity Planning (BCRP)

What is a Business Continuity Plan? Where do we start?

By Ngure Kimotho

What is a business continuity plan? Why does an organization need one? Where does a company start in developing one? In the following discussion we shed some light on these issues.

Business continuity (BC) can be defined as an organization’s ability to maintain or restore its business when some circumstance disrupts normal operations. Business continuity and disaster recovery planning are now accepted as basic requirements for every business and organization. They are on the mind of every board of directors and every leading CEO. They are a concern of every enterprising shareholder!

It is widely accepted that a detailed business continuity/disaster recovery plan should not only exist, but should be up to date. A BCDRP poorly maintained can be worse than no plan at all. It should reflect the actual on-going needs of the business activity or function.

Business Continuity Plans are sometimes referred to as Disaster Recovery Plans (DRP), and the two have much in common. Disaster recovery and business continuity planning are processes that help organizations prepare for disruptive events. However, a DRP should be oriented towards recovering after a disaster, whereas a BCP shows how to continue doing business until recovery is accomplished. Both are essential to business and are often combined into a single document for convenience. Business continuity planning is a major component of risk management. It includes business impact analysis, business continuity plan (BCP) development, testing, awareness, training, and maintenance. A business continuity plan addresses actions to be taken before, during, and after a disaster.

A good BCP will keep your company up and running through interruptions of any kind: power failures, IT system crashes, natural disasters, supply chain problems and more. It spells out in detail what, who, how, and when. It also requires a continuing investment of time and resources.


The commitment of top management is essential for the business recovery effort to succeed. Management commitment can be recognized when:

  • A sound impact analysis is funded, the results of which are read, understood, and acted on by management deciding to use a strategy based on likely impacts to the organization.
  • Comprehensive planning involves all programs and technical management’s clear accountability for the continuation of the areas that they manage. The effort culminates in a written plan that is specific, credible, and candid regarding its constraints, weaknesses, and vulnerabilities.
  • An ongoing exercise and maintenance program is developed that ensures the viability of the BCP.

A practical approach is one that plans for the worst-case scenario, including:

  • Loss of access to the facility,
  • Loss of access to information resources (systems, networks, data), and
  • Loss of skilled or key personnel who perform critical processes.

Top-level management should therefore issue a clear policy statement on business continuity/disaster recovery planning. At an absolute minimum, this statement should contain the following instructions:

  • The organisation should develop a comprehensive disaster recovery plan.
  • A formal risk assessment should be undertaken in order to determine the requirements for the disaster recovery plan.
  • The disaster recovery plan should be periodically tested in a simulated environment to ensure that it can be implemented in emergency situations and that the management and staff understand how it is to be executed.
  • The disaster recovery plan should cover all essential and critical business activities.
  • The disaster recovery plan is to be kept up to date to take into account changing circumstances.
  • All staff must be made aware of the disaster recovery plan and their own roles within it.

A policy statement similar to this should be communicated to all management and staff as part of the organization's information security policy management process. Without a policy statement, management will wander in the darkness and the organization will be nothing but a sitting duck.

Management should concentrate not only on what can bring the company down, but also on what can bring it back to life after a major disruption.



The first step in a sensible business continuity process is to consider the potential impacts of each type of disaster or event. This is critical – how can you properly plan for a disaster if you have little idea of the likely impacts on your business/organization of the different scenarios?

Having determined the impacts, it is equally important to consider the magnitude of the risks which could result in these impacts. Again, this is a critical activity: it will determine which scenarios are most likely to occur and which should attract most attention during the planning process. Business impact analysis (BIA) and risk analysis are disciplines in their own right.


Creating a disaster recovery and business continuity plan is a complex task. However, certain jobs can be done in advance of planning. One of these is to gather the necessary documents and other requisite information, so that these are to hand when the plan is actually created. Many companies that we have worked with have found the following list of items potentially useful:

  • The existing business continuity plan, if there is one
  • List of major suppliers and their contact details
  • List of emergency services and their telephone numbers
  • Staff contact information
  • Existing evacuation procedures
  • Copies of floor plans and maps
  • Asset inventories
  • Premises addresses/maps
  • Health and Safety procedures and policies
  • Copies of maintenance and service level agreements (SLAs)
  • Operations procedures and manuals
  • Inventories of information and IT assets
  • IT/computer system specifications
  • Communication system specifications
  • Any industry regulations and guidelines
  • Information security policies and standards
  • Environmental and quality procedures
  • The organization name chart
  • Offsite storage procedures
  • Insurance details


A sound disaster recovery and business continuity plan is essential to protect the well-being of an organization. This cannot really be overemphasized, yet many enterprises still sidestep the issue or hold plans which are clearly out of date or inadequate.

Part of the reason for this is the complexity of the task. This is not helped by some vendors selling planning products which are extremely difficult to master.


Effective disaster preparedness policies, knowledge and continuous training underpin the whole of the disaster recovery management initiative. They determine the fundamental practices and culture throughout the enterprise. They are usually linked closely with security policies, both addressing the basic defense requirements to ensure the stability and continuity of the organization. It is essential therefore that they exist, are up to date and are comprehensive. Fortunately, some excellent pre-written policy sets are available and can even be obtained on the internet.


An organization can be brought down by an incident at the premises of its suppliers and service providers, even if these are far away from its own premises, just as a depression in the USA affects business in Africa. Service level agreements (SLAs) are fundamental to business continuity. The bottom line is that they define your minimum levels of availability from key suppliers, and often determine what actions will be taken in the event of serious disruption. Consequently, they require full consideration and attention and must be constructed extremely carefully.

ISO 17799 requires appropriate business continuity management and planning, and compliance with this internationally recognized standard is growing in importance. But how do you achieve this? How do you manage the compliance process? How do you know where you stand in relation to the demands of the standard?


Having created the recovery/continuity plan, it is important to ensure that it remains up to date and workable. Equally, it is essential to monitor contingency practices on the ground to ensure that they are appropriate. The Disaster Recovery Toolkit is an audit and contingency checking product, specifically designed to assist with this. Information can be found on the following site:


As discussed above a detailed business continuity/disaster recovery plan should not only exist, but should be up to date. It should reflect the actual on-going needs of the business activity or function. But how do you ensure that this is actually the case? If you have a plan, do you know that it will all work? Do you ever audit it, and if so, how?

Equally importantly, do you know what your service/resource dependencies are and what their time criticalities are? What of your everyday contingency practices – do they measure up to close scrutiny? To determine and ensure all of this, every organization must develop a Disaster Recovery Toolkit.

The Disaster Recovery Toolkit is a highly valuable collection of items and documents to assist in ensuring continuity in the face of a serious incident or disaster. Each item included is tried and trusted and based on best practices worldwide. It comprises:

  • A contingency audit questionnaire;
  • A dependency analysis document – questions and guidance;
  • A Business Impact Analysis questionnaire;
  • An audit questionnaire for your disaster recovery or business continuity plan (if indeed you have one);
  • A checklist, action list and framework for disaster recovery and business continuity planning.

The toolkit should be designed to help the organization review the full array of business continuity and disaster recovery issues. It should help you gain all the assurance you need that all is going well.



Contingency audit questionnaire to review your contingency

  • IT Infrastructure Contingency questions
  • Network Contingency questions
  • Specific Application Contingency questions
  • Application Back Up Practices questions
  • Power Supply Contingency questions
  • PC & Small System Contingency questions

Audit questionnaire for your disaster recovery plan (if you have one)

  • The status of the plan itself
  • The content of the plan
  • Business functions
  • Disaster recovery actions

Dependency analysis document: questions and guidance

  • Resources/services and scope of the plan

Checklist, framework and action list for disaster recovery planning

  • Consequences of the potential incident on your different operations and functions

Checklist, framework and action list for disaster recovery planning

  • Checklist against an existing plan
  • Practical contingency matters
  • Recommended actions


Part of the risk process is to review the types of disruptive events that can affect the normal running of the organization. There are many potential disruptive events and the impact and probability level must be assessed to give a sound basis for progress. To assist with this process the following list of potential events has been produced:

Environmental Disasters

    • Flood
    • Drought
    • Earthquake
    • Electrical Faults
    • Fire
    • Landslides
    • Contamination and Environmental Hazards
    • Epidemic

Organized and / or Deliberate Disruption

    • Act of terrorism
    • Act of Sabotage
    • Act of war
    • Theft
    • Arson
    • Labour Disputes / Industrial Action

Loss of Utilities and Services

    • Electrical power failure
    • Loss of gas supply
    • Loss of water supply
    • Petroleum and oil shortage
    • Communications services breakdown
    • Loss of drainage / waste removal

Equipment or System Failure

    • Internal power failure
    • Air conditioning failure
    • Production line failure
    • Cooling plant failure
    • Equipment failure (excluding IT hardware)

Serious Information Security Incidents

    • Cyber crime
    • Loss of records or data
    • Disclosure of sensitive information
    • IT system failure

Other Emergency Situations

    • Workplace violence
    • Public transportation disruption
    • Neighbourhood hazard
    • Health and Safety Regulations
    • Employee morale
    • Mergers and acquisitions
    • Negative publicity
    • Legal problems


A business continuity plan cannot be complete without a Disaster Recovery Directory. This is a comprehensive directory of service and solution providers for business continuity – a major supplier reference source. At this time vendors are invited to complete the free entry form in advance of formal launch. It’s your lifeline.

Things to Remember in Developing a Disaster Recovery Plan

  1. Keep your plan simple; it does not need to be perfect. Remember, any plan is better than no plan at all!
  2. After testing (twice yearly), update your plan as necessary. Do not wait! A disaster recovery plan is never finished; it evolves.
  3. Stay flexible—a flexible plan may better prepare your organization. Do not assume just one disaster possibility.
  4. Document the plan and other materials—a list of your primary vendors (and secondary vendors if the disaster hits the primary vendor as well) is a must.


And a word to those who like shortcuts: please remember, there is no “fill-in-the-blank” template for recovery plans. Each environment requires its own tailor-made design. And lastly, a plan is only as good as its implementer’s will. A plan does not manage the business; managers do. The responsibility for business continuity and for protecting the value of shareholders and stakeholders, or the citizens of a city, lies squarely with top management.


Ngure Kimotho Bcom, MBA, is Programme Director, Africa Institute of Disaster, Management & Development