Having a business continuity plan is nice, but if you don't know when and how to start using it, the money you've invested in it was spent in vain.
Even worse, you'll likely lose quite a lot of money because your business operations will be disrupted.
What is a business continuity plan?
Before going into the activation procedures, let me go through some of the basics of business continuity plans.
BS 25999-2 standard defines a business continuity plan as a "documented collection of procedures and information that is developed, compiled and maintained in readiness for use in an incident to enable an organization to continue to deliver its critical activities at an acceptable predefined level". (Click here to read more about BS 25999-2).
Therefore, a business continuity plan is not a single procedure or a single document. It usually consists of at least two parts: (1) incident response plan, and (2) recovery plan. An incident response plan is a procedure that clearly defines what to do immediately after an incident occurred - e.g. how to evacuate the building, who to call for help, how to contain the incident etc.
The purpose of the recovery plan is to resume business critical activities within the recovery time objective. It is activated right after the incident response plan, and can be used e.g. to recover the ICT infrastructure (also called "disaster recovery plans"), to recover production sites, to recover business processes in a service company, etc.
Since the business continuity plan consists of several parts, each of these parts is activated separately - here I'll focus only on the two parts mentioned earlier.
Activation of incident response plan(s)
Well, the activation of this one is quite obvious. If anyone notices fire, an explosive device, flood in the basement or malicious code, he or she should notify someone immediately. Now, who is it they are going to call?
In case of a smaller company, there is usually one responsible person who must be notified in case of any incident; however, in larger companies there could be more people responsible - e.g. one person for all IT related incidents, and one person for all non-IT related incidents.
It is up to them to activate the appropriate incident response plan - the company should have quite different incident response plans for e.g. fire as opposed to a threat letter.
Activation of recovery plan(s)
At first thought, it is not so obvious who should activate them. But good practice says that recovery plans should be activated by top level management dealing with crisis - usually it is the Crisis Manager.
Such a decision should be made by a high level authority because it could prove quite costly to activate the recovery plan if there was no reason for it - e.g. someone at a lower level might panic and initiate transportation to the alternative site, which could prove quite unnecessary.
But also someone who is not informed about the whole picture of the crisis could wait too long to make such a decision, which could prove even more expensive.
Therefore, the decision to activate certain (or all) recovery plans must be made by the Crisis Manager (or similar) - the criteria for activation are based on an estimate whether the disruption of business activities caused by the incident is going the last longer than the RTO (Recovery Time Objective). If so, then an appropriate recovery plan must be activated.
The question which recovery plan to activate is rather simple - if, for example, the whole company is affected by the incident, then all the recovery plans must be activated; however, if only one department is affected, then only the recovery plan for that department must be activated.
Of course, for all this to work, it is not enough to write nice activation procedures - it is essential that those activation procedures are customized to the company's situation, that they are remembered by all employees involved, and that they are practiced.
If they are just a theoretical document which no one has seen for 2 or 3 years, then it is hard to expect employees to observe such procedures. It is true that preparing for an emergency is quite a wide topic that must include exercising and testing of all elements of the business continuity plan, but sadly, activation procedures are very often neglected in this respect.
Once again, for your business continuity plan to work, you need good activation procedures. But good activation procedures are useless if no one knows about them.
Cross-posted from ISO 27001 & BS 25999