TOP 11 mistakes in the development of BCP
Hello everyone, my name is Igor Tyukachev, and I am a business continuity consultant. In today's post,
1. RTO and RPO at random
The most important mistake that I have met is that the recovery time (RTO) is taken from the ceiling. Well, as from the ceiling - for example, there are some figures two years ago from the SLA, which someone brought from a previous place of work. Why are they doing this? After all, according to all the techniques, you first need to analyze the consequences for business processes, and based on this analysis, calculate the target recovery time and allowable data loss. But to do such an analysis is sometimes long, sometimes costly, sometimes it’s not very clear how to emphasize the necessary. And the first thing that comes to many minds: “We are all adults and we understand how business works. We will not waste time and money! Let's take a plus or minus, as it should be. From the head, using proletarian ingenuity! Let RTO be equal to two hours. "
What does this lead to? When you come to the management for money for activities to ensure the required RTO / RPO with certain numbers, it always requires justification. If there is no justification, the question arises: where did you get it? And there is nothing to answer. As a result, trust in your work is lost.
In addition, sometimes these two hours of recovery are worth a million dollars. And the rationale for the duration of RTO is a matter of money, and very large.
And finally, when you come with your BCP and / or DR plan to the performers (who will directly run and wave their arms at the time of the accident), they will ask a similar question: where did these two hours come from? And if you cannot explain this clearly, then they will not have trust either in you or in your document.
It turns out a piece of paper for the sake of a piece of paper, unsubscribing. By the way, some do it deliberately in order to simply satisfy the requirements of the regulator.
Well do you understand
2. The cure for everything
Some believe that the BCP plan is designed to protect all business processes from any threats. Recently, the question "What do we want to defend ourselves against?" I heard the answer: "From everything and more."
But the fact is that the plan is designed to protect only specific key business processes of the company from specific threats. Therefore, before developing a plan, it is necessary to assess the occurrence of risks and analyze their consequences for the business. Risk assessment is needed in order to understand what kind of threats the company is afraid of. In case of building destruction, there will be one plan for ensuring continuity, in case of sanctions pressure - another, in case of flooding - the third. Even at two identical sites in different cities, plans can vary significantly.
You cannot protect an entire company with one BCP, especially a large one. For example, the huge X5 Retail Group began to provide continuity with two key business processes (we wrote about this here ). And to enclose the whole company with one plan is simply unrealistic, this is from the category of “collective responsibility”, when everyone is responsible and no one is responsible.
In the ISO 22301 standard there is a concept of a policy with which, in fact, the process of continuity in a company begins. It describes what we will protect and from what. If people
come running and ask to add this, for example: - And let's add to the BCP the risk of us being hacked?
Or
- Here we recently flooded the last floor in the rain - let's add a script, what to do in case of flooding?
Then immediately send them to this policy and say that we protect specific company assets and only against specific, pre-agreed threats, because they are now in priority.
And even if the proposals for changes are really appropriate, then offer to take them into account in the next version of the policy. Because protecting a company is a lot of money. So all changes to the BCP plan must go through the budget committee and planning. We recommend that you revise the company's business continuity policy once a year or immediately after significant changes in the structure of the company or the external environment (forgive the readers for such words).
3. Fantasy and reality
It often happens that when drawing up a BCP plan, the authors describe some ideal picture of the world. For example, "we do not have a second data center, but we will write the plan as if we have it." Or the business does not yet have any part of the infrastructure, but employees will still bring it into the plan in the hope that it will appear in the future. And then the company will pull reality onto the plan: build a second data center, describe other changes.
On the left is the infrastructure corresponding to the BCP, on the right is the real infrastructure.
All this is a mistake. Writing a BCP plan means spending money. If you write a plan that will not work right now, then you will pay for very expensive paper. It is impossible to recover from it, it is impossible to test it. It turns out work for the sake of work.
You can write a plan quite quickly, and building a backup infrastructure, spending money on all protection solutions is a long and expensive process. This may take more than one year. And it may turn out that you already have a plan, and the infrastructure for it will appear in two years. Why do we need such a plan? What will he protect you from?
From the category of fantasies, when the BCP development team begins to think over for experts what they should do and for how long. It turns out from the category: “when you see a bear in the taiga, you need to turn in the opposite direction from the bear and run at a speed exceeding the speed of the bear. In the winter months it is necessary to cover the tracks. ”
4. Tops and roots
The fourth most important mistake is that the plan is made either too superficial or too detailed. Need a middle ground. The plan should not be too detailed
Easy
5. To Caesar - Caesarean, locksmith - Locksmith
The following error stems from the previous one: all actions for all levels of management cannot be integrated into one plan. BCP plans are usually developed for large companies with large financial flows (by the way, according to our study , on average, 48% of large Russian companies faced contingencies that entailed significant financial losses) and a multi-level management system. For such companies, you should not try to put everything in one document. If the company is large and structured, then the plan should have three separate levels:
- strategic level - for senior management;
- tactical level - for middle managers;
- and the operational level - for direct performers in the field.
For example, if it is a matter of restoring a fallen infrastructure, then a decision is made at the strategic level to activate the restoration plan, process procedures can be described at the tactical level, and instructions on how to commission specific equipment items at the operational level.
BCP without a budget.
Everyone sees their area of responsibility and communication with other employees. At the time of the accident, everyone opens a plan, quickly finds his part and follows it. Ideally, you need to remember by heart which pages to open, because it happens that the count goes on for minutes.
6. Role playing
Another mistake in the preparation of the BCP plan: you do not need to prescribe specific names, mail addresses and other contact information in the plan. In the text of the document itself, only depersonalized roles should be indicated, and the roles of those responsible for specific tasks should be assigned to these roles and their contacts should be listed in the appendix to the plan.
Why?
Today, most people change jobs every two to three years. And if you write down all those responsible and their contacts in the text of the plan, then it will have to be constantly changed. And in large companies, and even more so state ones, every change to any document requires a bunch of approvals.
Not to mention that if an emergency occurs, and you have to frantically leaf through the plan and look for the desired contact, then valuable time will be lost.
Life hack: when you change an application, you often don’t even need to approve it. One more hint: you can use the automation system for updating the plan.
7. Lack of versioning
Usually they create a plan of version 1.0, and then make all the changes without editing, and without changing the name of the file. However, it is often not clear what has changed compared to the previous version. In the absence of versioning, the plan lives its own life, which is not tracked in any way. The second page of any BCP plan should include the version, author of the changes, and a list of the changes themselves.
No one can figure it out
8. Who to ask?
Often companies do not have a responsible BCP and there is no separate business continuity unit. This honorable duty is assigned to the CIO, his deputy, or on the principle of “you are engaged in information security, here you have BCP in addition.” As a result, the plan is developed, agreed and approved by everyone, from top to bottom.
And who is responsible for storing the plan, updating, and reviewing the information in it? This may not be prescribed. To take an individual employee for this is wasteful, and to burden one of the existing ones with an additional duty is possible, of course, because everyone is now striving for efficiency: “Let's hang a flashlight on it so that it can mow at night,” but is it necessary?
We are looking for those responsible for BCP two years after its creation
Therefore, it often happens like this: a plan was developed and put in a long box covered with dust. Nobody tests it, does not support its relevance. The most common phrase that I hear when I come to the customer is: “There is a plan, but it has been developed for a long time; it’s not known whether it was tested, it is suspected that it doesn’t work.”
9. Too much water
There are plans in which the introduction of five pages, including a description of the premises and thanks to all participants in the project, with information about what the company is doing. While you are flipping pages to the tenth, where useful information, you have already flooded the data center.
When you try to read to the point of what to do when the data center is flooded
, take out all corporate “water" in a separate document. The plan itself should be extremely specific: the person responsible for this task does this, and so on.
10. At whose expense is the banquet?
Often, the creators of the plan do not have support from the top management of the company. But there is support from middle management who does not manage or does not have the necessary budget and resources for organizing business continuity. For example, the IT department creates its BCP plan within its budget, but the CIO does not see the whole picture in the company. My favorite example is video conferencing. When the general videoconferencing does not work, who will he gut? CIO who "did not provide." Therefore, from the point of view of the CIO, what is the most important thing in the company? What he is constantly “loved” for: video conferencing, which immediately turns into a business-critical system. And from a business point of view - well, there’s no VKS, think, we’ll talk on the phone, as in Brezhnev ...
In addition, the IT department usually thinks that its main task in the event of a disaster is to restore the functioning of corporate IT systems. But sometimes this is not necessary! If there is a business process in the form of printing pieces of paper on a terribly expensive printer, then you should not buy a second such printer as a spare and put it next to it in case of breakdown. It may be sufficient to temporarily color the paper manually.
If we build continuous protection inside IT, we are obliged to enlist the support of senior management and business representatives. Otherwise, having pealed inside the IT department, you can solve a certain range of problems, but not all that are necessary.
This is the situation when only the IT department has DR plans
11. Without testing
If you have a plan, you need to test it. For those who are not familiar with the standards, this is completely unobvious. For example, everywhere you have the “emergency exit” signs. But tell me, where is your fire bucket, hook, shovel? Where is the fire hydrant located? Where should a fire extinguisher stand? But everyone should know this. It does not seem logical to us at the entrance to the office to find the eyes of a fire extinguisher.
Perhaps the need to test the plan should be mentioned in him, but this is a controversial decision. In any case, a plan can only be considered a worker when it has been tested at least once. As mentioned above, I often hear: “There is a plan, all the infrastructure has been prepared, but not the fact that everything will work as it is written in the plan. Because they have not been tested. Never".
Finally
Some companies may analyze their history in order to understand what troubles and with what probability can occur. Research and experience indicate that we cannot defend ourselves from everything. Shit, sooner or later, happens with any company. Another thing is how much you will be prepared for this or a similar situation and whether you can restore your business on time.
Some people think that continuity is about how to eliminate all kinds of risks so that they do not materialize. No, it’s about the fact that the risks are realized, and we will be ready for this. Soldiers train in order not to think, but to act in battle. The same goes for the BCP plan: it will allow you to rebuild your business as quickly as
The only equipment that does not require BCP
Igor Tyukachev,
Business Continuity Consultant , Jet Infosystems
Computer Complex Design Center