“When should you de-activate your BCP” is asked time and time again during the development of a Business Continuity Planning (BCP). AskBetsyBCP tackles this very relevant question and we wanted to share it with everybody.
Last week I received an email asking: “My CEO wants to know what the industry criteria is for de-activating our BCP… I’ve never seen anything “official” …HELP!”
Here is my answer: In 30 years of BC/DR, the only time I’ve seen this “clearly defined” was in Service Level Agreements (SLAs) with hot-site vendors. Keep in mind each incident is unique and can be corporation specific. These are “guidelines” only and not “BCP industry accepted standards”. It is the Business Continuity Management Team (BCMT) responsibility initiate the de-activation of the BCP by consolidating the individual business units service status into a Corporate overview. Share this overview with the Crisis Management Team (CMT) allowing them to make fact based decisions on de-activating the BCP. With all of that in mind, I use the criteria outlined below to make it easier for my clients.
First, let’s take a look at how BCP “activation” occurs. An incident results in a disruption to Business As Usual (BAU) that:
- Exceeds the pre-approved RTO/RPO for the service.
- Is sufficiently diverse that the response/recovery requires a horizontal management of resources.
- Is anticipated to exceed the available recovery resources, resulting in an inability to respond appropriately.
- Makes maintaining BCP defined critical service levels impossible.
- Meets pre-established criteria (aka ‘BCP triggers’) for activation.
With the above issues being addressed. Take the following into consideration when de-activating your BCP.
- Able to operate at BAU levels.
- Is operating at ‘new’ (pre-defined) normal BAU levels.
- Isolate incident response activities to a “task force” and to minimize the impact of day-to-day operations.
- The Crisis Management Team has approved de-activation based on scenario and situation specific needs.
NOTE: De-activation is done either in totality for the organization, service by service or location by location.
It is best to accomplish “De-activation” through step down process. With each step confirm the business is able to operate at an acceptable level before progressing. This allows for a smooth transition of the BCP response governance structure to a regular operational governance structure. Keeping the BCP governance structure at hand allows for a nimble response to any unforeseen need for re-activation.
Be sure to document all of the factors leading to a decision to de-activate. “Record of Decision” must always have a date, a timestamp and a record of the participants confirming the decision was based on information available at time of decision.
KingsBridgeBCP offers businesses of all sizes BCP Software Solutions and industry know how based on best practices. From a FREE Edition to a Platinum Edition there is a Shield for everyone. Our software packages meet the wide range of our customers’ needs, ensuring we deliver the best value in every project. To learn more about KingsBridge click here.