
Top 11 mistakes in developing a BCP



Hello everyone, my name is Igor Tukachev, and I am a business continuity consultant. In today's post we will discuss, at length and tediously, some common truths. I want to share my experience and tell you about the main mistakes companies make when developing a business continuity plan (BCP).

1. RTO and RPO at random


The most important mistake I've encountered is that the recovery time objective (RTO) is pulled out of thin air. Well, not entirely out of thin air: for example, there are some two-year-old figures from an SLA that someone brought over from a previous job. Why do people do this? After all, every methodology says you must first analyze the impact on business processes and, on the basis of that analysis, calculate the target recovery time and the acceptable data loss (RPO). But such an analysis is sometimes long, sometimes costly, and sometimes it is not very clear how to pick out what is needed. And the first thing that comes to mind is: “We are all adults and we understand how a business works. Let's not waste time and money! Let's take roughly what it ought to be. Off the top of our heads, using proletarian wit! Let the RTO be two hours.”

What does this lead to? When you go to management for money to fund the measures needed to meet specific RTO/RPO figures, they always ask for justification. If there is none, the question arises: where did you get these numbers? And you have no answer. As a result, your work loses credibility.

In addition, sometimes those two hours of recovery cost a million dollars. So justifying the length of the RTO is a question of money, and a lot of it.

Finally, when you bring your BCP and/or DR plan to the people who will carry it out (the ones who will actually be running around and waving their arms when an incident hits), they will ask the same question: where did these two hours come from? And if you cannot explain it clearly, they will have no confidence in either you or your document.

The result is paper for the sake of paper, a box-ticking exercise. By the way, some do this deliberately, just to satisfy the regulator's requirements.


Well, you understand

2. A cure for everything


Some believe that a BCP is designed to protect all business processes from any threat. Recently, in response to the question “What do we want to defend against?”, I heard the answer: “Against everything, and then some.”



But the fact is that the plan is designed to protect only specific key business processes of the company from specific threats. Therefore, before developing a plan, you need to assess the likelihood of risks occurring and analyze their consequences for the business. A risk assessment is needed to understand exactly which threats the company is afraid of. If a building is destroyed, there will be one continuity plan; in the event of sanctions pressure, another; in case of flooding, a third. Even for two identical sites in different cities, the plans may differ significantly.

It is impossible to protect an entire company with one BCP, especially a big one. For example, the huge X5 Retail Group began its continuity work with two key business processes (we wrote about it here). Fencing off the whole company with a single plan is simply unrealistic. It belongs to the category of “collective responsibility”, where everyone is responsible and therefore no one is.

ISO 22301 has the concept of a policy, which is in fact where the continuity process in a company begins. It describes what we will protect and from what. If people come running and ask to add something, for example:

- Let's add to the BCP the risk that we get hacked?

Or

- Our top floor was recently flooded during a rainstorm. Let's add a scenario for what to do in case of flooding?

Then immediately point them to this policy and say that we are protecting specific company assets, and only against specific, pre-agreed threats, because those are the current priority.

And even if the proposed changes really are worthwhile, offer to consider them in the next version of the policy, because protecting a company costs a lot of money. So all changes to the BCP must go through the budget committee and planning. We recommend reviewing the company's business continuity policy once a year, or immediately after significant changes in the company's structure or the external conjuncture (may the readers forgive me for such words).

3. Fantasies and reality


It often happens that, when drawing up a BCP, the authors describe some ideal picture of the world. For example, “we do not have a second data center, but we will write the plan as if we had one.” Or the business does not yet have some part of the infrastructure, but employees still write it into the plan in the hope that it will appear in the future. And then the company will stretch reality to fit the plan: build a second data center, describe other changes.


On the left - the infrastructure corresponding to the BCP, on the right - the real infrastructure


All this is a mistake. Writing a BCP means spending money. If you write a plan that will not work right now, you are paying for very expensive paper. You cannot recover using it, and it cannot be tested. It is work for the sake of work.
You can write a plan fairly quickly, but building a backup infrastructure and paying for all the protection solutions is long and expensive. It may take more than a year. So it may turn out that you already have a plan, and the infrastructure for it will appear in two years. Why do you need such a plan? What will it protect you from?

Also in the fantasy category: when the BCP working group starts deciding on behalf of the specialists what they should do and how long it will take. The result is along the lines of: “On seeing a bear in the taiga, turn in the direction opposite to the bear and run at a speed exceeding the speed of the bear. In the winter months, cover your tracks.”

4. Tops and roots


The fourth most important mistake is that the plan is made either too superficial or too detailed. You need a golden mean. The plan should not be spelled out in idiot-proof detail, but it should not be so general that you end up with something like this:


Easy-peasy, basically

5. To Caesar what is Caesar's, to the locksmith what is the locksmith's


The next mistake stems from the previous one: a single plan cannot contain all actions for all levels of management. BCPs are usually developed for large companies with large financial flows (by the way, according to our research, on average 48% of large Russian companies have faced emergency situations involving significant financial losses) and a multi-level management system. For such companies you should not try to fit everything into one document. If the company is large and structured, the plan should have three separate levels: strategic, tactical and operational.


For example, if we are talking about restoring failed infrastructure, then the decision to activate the recovery plan is made at the strategic level, the process procedures can be described at the tactical level, and the operational level holds the instructions for bringing specific pieces of equipment into service.


BCP without budget

Everyone sees their own area of responsibility and their lines of communication with other employees. When an incident happens, everyone opens the plan, quickly finds their part and follows it. Ideally, you should know by heart which pages to open, because sometimes every minute counts.

6. Role playing


Another mistake in preparing a BCP is writing specific names, email addresses and other contact information into the plan. The text of the document itself should refer only to impersonal roles; the names of the people responsible for specific tasks are assigned to those roles, and their contacts listed, in an annex to the plan.

Why?

Today, most people change jobs every two to three years. If you write all the responsible people and their contacts into the text of the plan, you will have to change it constantly. And in large companies, especially state-owned ones, every change to any document requires a lot of approvals.

Not to mention that if an emergency happens and you have to frantically scroll through the plan searching for the right contact, precious time will be lost.

Life hack: changes to an annex often do not even need to be approved. Another tip: you can use a system that automates updating the plan.


7. Lack of versioning


Usually a version 1.0 of the plan is created, and then all changes are made without change tracking and without changing the file name. In that case it is often unclear what has changed compared with the previous version. Without versioning, a plan lives a life of its own that nobody tracks. The second page of any BCP must state the version, the author of the changes and a list of the changes themselves.


No one can understand


8. Who to ask?


Often companies have no BCP planner and no separate unit responsible for business continuity. This honorary duty is assigned to the CIO, to his deputy, or on the principle of “you deal with information security, so here is the BCP for you as well”. As a result, the plan is developed, agreed and approved by everyone, from top to bottom.

But who is responsible for storing the plan, updating it and reviewing the information in it? That person may never be appointed. Hiring a dedicated employee for this is wasteful, and of course you can load the extra duty onto one of the existing staff, since everyone is striving for efficiency these days: “Let's hang a lantern on him so that he can mow at night too.” But is that necessary?

We are looking for those responsible for the BCP two years after its creation

So it often goes like this: a plan is developed and put in a closet to gather dust. Nobody tests it or keeps it up to date. The most frequent phrase I hear when I come to a customer: "There is a plan, but it was developed a long time ago, it was not tested, it is not known, there is a suspicion that it does not work."

9. Too much water


There are plans whose introduction runs to five pages, including a description of the prerequisites, thanks to all the project participants and information about what the company does. By the time you have scrolled to page ten, where the useful information is, your data center has already flooded.


When you are trying to read as far as the part about what to do when the data center is flooded


Move all the corporate “water” into a separate document. The plan itself must be very specific: the person responsible for this task does this, and so on.

10. At whose expense is the banquet?


Often the creators of the plan have no support from the company's top management. Instead, there is support from middle management, which does not control, or does not have, the budget and resources needed to organize business continuity. For example, the IT department creates its own BCP within its own budget, but the CIO does not see the whole picture of the company. My favorite example is video conferencing. When the CEO's video conferencing does not work, who does he gut? The CIO, who “failed to provide it”. So, from the CIO's point of view, what is the most important thing in the company? Whatever he is constantly “loved” for: video conferencing, which immediately turns into a business-critical system. And from the business's point of view: well, there's no video conferencing, big deal, let's talk on the phone, as under Brezhnev...

In addition, the IT department usually thinks that its main task in a disaster is to get the corporate IT systems working again. But sometimes that is not necessary! If there is a business process that consists of printing papers on a terribly expensive printer, you should not buy a second such printer as a spare and put it next to the first in case of a breakdown. It may be enough to temporarily color the papers by hand.

If we are building continuity protection within IT, we must enlist the support of senior management and business representatives. Otherwise, cocooned inside the IT department, you can solve a certain range of problems, but not all of them.



This is the situation when only the IT department has DR plans

11. Without testing


If you have a plan, you need to test it. For those who are not familiar with the standards, this is not at all obvious. For example, you have “emergency exit” signs everywhere. But tell me, where are your fire bucket, hook and shovel? Where is the fire hydrant? Where should the fire extinguisher stand? Everyone should know this. Yet it does not occur to us at all to look for the fire extinguisher when we walk into the office.

Perhaps the need to test the plan should be stated in the plan itself, but that is debatable. In any case, a plan can be considered working only once it has been tested at least once. As mentioned above, I very often hear: “There is a plan, the whole infra is prepared, but it's not a given that everything will work as written in the plan. Because it has not been tested. Ever.”

Finally


Some companies can analyze their own history to understand what troubles can occur and with what probability. Research and experience suggest that we cannot defend against everything. Sooner or later, shit happens to any company. What matters is how prepared you are for this or a similar situation, and whether you can restore your business in time.

Some people think that continuity is about eliminating all sorts of risks so that they never materialize. No, it is about the fact that risks will materialize, and we will be ready for them. Soldiers train so that in battle they act rather than think. The same is true of the BCP: it will allow you to restore your business as quickly as possible.


The only equipment that does not require BCP

Igor Tukachev
Business Continuity Advisor
Computer Systems Design Center
Jet Infosystems

Source: https://habr.com/ru/post/460489/

