Speaker 1: Hi team, welcome to my session on Coffee with Prabh. And today we're going to discuss about what is business continuity plan. And in this video, I'm going to discuss a very high level process how to build BCP in the organization, how BCP works in the organization. And by this video, you can get a better understanding from an ISC2 and ISACA exam perspective also. My name is Prabh Nair. For more information, you can refer my LinkedIn profile. And if you're new to my channel, do subscribe to my YouTube channel and click on the bell icon to make sure you should not miss my future videos on a similar topic. So without wasting time, let's start with the first part. So what is BCP? BCP basically stands for business continuity planning. And disaster recovery plan is basically DRP. Now what is BCP all about? BCP is a plan by which we can able to sustain the business in the case of disaster. And disaster recovery plan is a plan to restore the IT technology services in the case of disaster. DRP is a part of a BCP. Let's understand in a very simple layman term. Suppose I'm taking online training. The training is basically from 9am to 1pm. What is your expectation as a customer? There should not be any downtime. Because make sure from 9am to 1pm the session should go on properly. Okay, that's great. So we have to ensure that 9am to 1pm there is no downtime in the session. So what I did, I bought a UPS, I bought two internet connections. I had one redundant servers. I have another trainer. So any point of time, if there's a power failure, I can switch to UPS. Any point of time, my internet, one internet service provider is down. I can use another internet service provider, right? So what is this? By end of the day, show must go on. Because all this thing is part of my BCP. Just to ensure my session should continue from 9am to 1pm. Okay, so BCP is umbrella and DRP is a part of the BCP. 
Okay, so if I'm today accessing a Facebook website, Google website and all that they have a spare site in a multiple locations. So right now I requested from one particular server. If server is basically down from another server, we get a service. Because of the DRP plan, they able to switch the operation from one site to other site. But me as a customer will not face any downtime. Why? Because Google basically have a BCP plan, which ensure the service must be available whenever it required. So the ultimate purpose of BCP is to ensure the availability. But the question is how to build BCP in the organization. So first step in the BCP is to build the contingency policy. That policy come from a management. Remember always any kind of a system you want to introduce in the organization. We need to first introduce a policy for that. Because policy is the governance of any system. If you are introducing a information security, information security policy should be there. If you are planning to introduce a change management, change management policy should be there. If you are planning to introduce patch management, patch management policy should be there. So policy build the governance. Policy is the foundation for a governance. So in this case also, in BCP the first thing we need a contingency planning policy. We call it as a contingency policy. So contingency policy include the statement from the management. Example, we as a management want to ensure the continuity of our services. We need to preserve the resources, their availability and all that. This policy is applicable for the India, US and UK. So this kind of a statement is covered in the policy. So after creating a policy or having a policy in the organization, that give me the assurance the management is interested in the BCP. Based on that, I am going to perform the BIA because company has appointed me as a BCP coordinator. Now it is not possible for me to protect everything. 
Same like in a COVID, one doctor was handling 100 patients. It is not possible for them to give attention to all the 100 patients on a same time. So what they did? They identify which one is critical and according to that they have prioritized. Same happen here in BCP, it is not possible for me to move from one location to another location entire thing, entire stuff, it will be very expensive. So we need to identify what is critical and what is not. And for that reason, we basically perform the BIA. So BIA basically stands for business impact analysis. It is a process by which we analyzing the criticality and impact of the assets. It is a process by which we determine which one is important and which one is not important as a process and technology. So in the BIA, the first step as a BCP coordinator, what I'm going to do, I will first pen down all the business process. What are the business process we have? What is the revenue generated by the business process? And who are the business owners? After identifying this information, I will confirm and validate the information about the revenue because everything is about paisa, paisa, paisa. So for that, I'm going to do, I will schedule the meeting with the business owners to understand how this revenue generate, who are the important components and what is the importance of this business in the organization. After having a meeting with them, I will try to identify the applications and servers which support the business process. Let's take an example. I'm a BCP coordinator, I'm speaking to Mr. Manish. Manish is basically the business owner for the net banking and net banking generating a huge business for the organization. Further to that, I identify how many assets which support the net banking like servers, database, data centers, and I also identify what are the networks we have. So where I had a first interaction with Manish to understand how critical, are you okay to accept in downtime? 
Manish was saying, no boss, I'm not okay to accept any kind of a downtime. My objective, my goal here is to ensure the business must be up and run 24 into 7. So I said, okay, no doubt, no issues. I scheduled a meeting with another business owner and that business owner also said the same thing. I want the business to be run 24 into 7. Okay, fine. I scheduled another meeting with another business owner. He also said the same thing. I want the business to be up 24 into 7. So I was confused. On one side, I have a very limited budget and the other side, business owners want their business to be run 24 into 7. So what I did, I started with a one by one process. I first identify Manish business, net banking, their servers and everything. Then I identify threats, then identify vulnerability, and then identify the impact. I discovered if their server is basically down for one hour, it cost us $2,500. It cost us $2,500. For second business, if second business is down, the cost is $4,000 for one hour. Then I went to the business owner three, they told me, we have analyzed the impact and we discovered if their server is down, it will cost them $5,000. So I rolled back to Manish and I asked him, Manish, we have did the impact analysis because we're doing a risk assessment here and we discovered if your server is down for one hour, it will cost us $2,500. Are you okay to accept this downtime? No, Prabh, I'm not okay with that. I want a solution. I want to save this $2,500. No problem. So we have a one solution, which is called a redundant server, which cost us $5,000 per hour. Are you freaking me? $5,000, I'm going to invest to save my $2,500? No way. That was the point. You want 24 into 7, right? Do you have any alternate solution, Prabh? Yes. So I come up with the alternate solution. I told them we have a solution, which is called $500 cloud solution, where in the case of business is down, in 30 minutes we can restore. In that, the maximum loss you have is only $1,000. 
So we reduce from $2,500 to $1,000 plus $500 extra for the cost of control. Now tell me. Yes, Prabh, I'm okay with that. So first fundamental rule in the organization, risk cannot be eliminated. We can only reduce the risk to an acceptable level. So here what we did, we basically come up with the recovery strategy. Okay. So we identify business one, okay to accept the downtime of 30 minutes. Business two, okay to accept the downtime of one hour. Business owner three, okay to accept the downtime of one hour. So this is how I'm prioritizing the criticality. So in the BIA, one of the important metrics we have first for MTD, maximum tolerable downtime. So in this case, Manish was agreed for the downtime of 30 minutes. It means within that 30 minutes, I need to restore the service. So MTD is something determined by the owner here and who is the owner, Manish. Based on that, I define my RTO, RTO is time it takes to restore. So I took 25 minutes as a timeline in which I need to restore that. So that is called RTO. So I set the RTO. And based on that, I identify and prepare the recovery strategy that for the business one, we need a hot site, for business two, we need a warm site, for business three, we need a hot site. When I basically prepare this entire information. So if you understood here, BIA is all about identifying the business unit, identify the business owner, identify the impact and document the recovery priority. Then based on the BIA, my next step is to prepare the recovery strategy. That what will be the recovery strategy for all my recovery points, because I need to restore right what we agreed, then I'm going to submit this recovery strategy document as a draft to the senior management for an approval. Management will basically approve that I'm going to submit to the business case. Management will basically ask me some questions that is basically already answered in the business case, value propositions and everything. 
Management will basically approve that. Then that recovery strategy becomes the input in the DR plan. Hey guys, this is the business process we have that we need to restore in this particular timeline. This is a function, this is the contact people to whom you need to contact, make sure this need to be restored in 30 minutes, 20 minutes, everything will be captured in the DRP plan. Then we'll make sure the plan is accurate. We test the plan and then we update the plan. So here if I have a site 1 which is called Noida and I have a site 2 which is basically called Gurgaon. If anything happened to Noida, move to Gurgaon, move to other thing, that is part of a DR. But without impacting a downtime, so that is something DR, moving from Noida to Gurgaon or Gurgaon to other locations, I have a spare site. So all these things happen is DR. But overall, all this plan work together is called as a BCP, business continuity plan. So BIA is the most important component we have in the BCP. Okay, so this is all from my side. So summary is very simple. First build policy, second is BIA, then create a recovery strategy, submit the recovery strategy for the management approval, which include the value proposition cost. From a recovery strategy, we create a DR plan, building a hot site, cold site, warm site, whatever is there. Then we test the plan, we update the plan and based on that, we roll out the plan to the employees. This is all from my side. Do let me know how do you find this video and do let me know what are the further videos shall I make on our similar topics. And make sure if you are new to my channel, do subscribe to my YouTube channel and click on the bell icon to make sure you should not miss my future videos on a similar topic. Thank you. Goodbye.