19 Apr 2022

Issues, Procedures, and Techniques in I.T Resource Contingency Planning

Abstract

Contingency planning is a major component of business continuity. Since conducting business is itself a risk, there is a need to consider ways to prevent a chance event from occurring, mitigate it, or recover the business after it. The management of a business needs to have a risk management team whose sole responsibility is to manage the risks that are bound to happen. A contingency plan is aimed at making sure that business activities continue as usual as soon as possible after the risk occurs. In most cases, contingency planning is directed at the operational and technical levels of business activities. The probability of the risk occurring needs to be calculated so that specific measures are put in place to counter the damage caused by the risk incident. There are specific steps that need to be followed while executing a contingency plan for it to be effective and efficient in alleviating the event.

Introduction

When an entrepreneur decides to start a business, they take a risk. Whether the business is small or large, the risks faced are the same but of different magnitude. A newly started business faces the risk of lacking customers to buy its products and is hence prone to collapse. Competition from other businesses, either newly formed or existing, is a risk to a business's customer base. Theft and fraud are another risk that any business will face and have to deal with. In fact, in a large store, the management faces the threat of shoplifting by purported customers who visit it. Stores are also at risk of being attacked by thieves who steal either cash or the goods being sold. Fire is another risk that the business has to deal with. Waking up to a store that has been burnt is not desirable for an entrepreneur. It is, therefore, crucial to put measures in place to at least protect the business from such risks.

Some risks cannot be entirely prevented from occurring, and this calls for an approach to contain them if they occur. Despite all these risks, it is every entrepreneur’s hope that the business he/she is setting up will continue being operational over a long period and keep yielding profit. A contingency is an event or circumstance that has a possibility of occurring but cannot be predicted with certainty. Such an event can only be assessed by the probability of it occurring. It will, therefore, be appropriate to have a contingency plan that can be executed to either mitigate or prevent further occurrence of the event. A contingency plan is a plan that is put in place for an outcome other than the usual plans (Mikes & Kaplan, 2014).

Contingency planning

To come up with a reliable and executable contingency plan, seven steps need to be followed. The steps ensure that all the necessary considerations are involved and taken into account. The National Institute of Standards and Technology designed the seven progressive steps to be integrated into each stage of the system development life cycle when coming up with a contingency plan. The first step is to develop a contingency planning policy statement. Having a formal policy that is acceptable at the company provides the authority needed while coming up with the plan. The policy also gives guidelines that are needed to develop a very efficient and effective contingency plan. 

The second step involves conducting a business impact analysis. The analysis will help in identification of information systems and components that are critical in supporting the business mission and goals achievement. The analysis will also enable prioritization of such components when the plan is being formulated. Such an analysis will ensure challenges like over planning are eliminated to utilize resources adequately for the business. One is also able to avoid under preparation for the risk occurrence.

The next step is to identify preventive controls in the plan. Preventing the risks from occurring can spare the business the cost of executing a contingency plan. Having preventive controls in place also ensures that the costs of the contingency plan development cycle are reduced or not incurred at all. Putting measures in place to reduce the effects of system disruptions ensures that system availability is increased. This can help reverse or even prevent a crisis in business operations arising from such an occurrence.

After identifying preventive controls, the next step involves creating and developing contingency strategies. The strategies are aimed at making sure that the damage to business activities is not too great. In this step, strategies are formulated that can completely mitigate the risk occurrence. The risk management team will have to come up with the best strategy and advise the top management on the strategy to be employed in case the anticipated risk occurs. The team should be able to identify the triggers of the risk so that an appropriate plan is put in place. A thorough recovery strategy will ensure that the system is recovered promptly and effectively following disruption by the risk occurrence.

The fifth step is developing an information system contingency plan. The information system will contain details describing the contingency plan put in place in case of the risk occurrence. The contingency plan needs to have the guidelines that need to be followed when executing the plan in case of risk occurrence. The system should also have procedures that need to be followed when restoring the damaged system that is unique to the system’s security impact level and recovery requirements. The information should state what would trigger the implementation of the contingency plan. Information about who will be in charge of the plan and execute it should be stated in the plan. The reporting process of the occurrence of the risk should be outlined and the protocol to be followed (Mikes & Kaplan, 2014).

The next step involves testing, training, and exercises of the contingency plan. Carrying out a pilot project helps in testing the developed plan. This will help in determining the strength of the plan and how effective it will be in the case of actual occurrence of the risk. In case gaps are identified in the plan, improvements can be made to ensure the system will be effective. Training of the personnel who are in charge of the plan is paramount, because they will need to familiarize themselves with the new plan and know how it works. The staff will be able to understand how they can execute the contingency plan in case the anticipated risk occurs. The overall advantage of this step is that it ensures proper and timely execution of the plan in case of occurrence. This will ensure that mitigation and reversal of the damage are achieved for the benefit of the business.

The final step involves maintenance of the contingency plan. Having the plan as a document is advantageous for storage purposes. The strategy cannot be interfered with without proper protocol being followed. The document can be updated regularly to conform to the changes implemented in the business by the management. Updating should be done by confirming all the assumptions that were made against current data, or one can check with a third party for accuracy. The plan should be stored in a place that is easily accessed by the concerned staff so that it is easily found when it is needed for implementation. Making its existence known also creates awareness of the plan so that in the case of the risk occurrence, the plan can be executed (Dahlberg, Kivijärvi & Saarinen, 2016).

Recovery Options

Recovery of the company’s system is an important part of the activities of the risk management team. There are options that can be considered when recovering from the risk occurrence or even when there is a threat to the company systems. Business continuity management, or planning, refers to the development, implementation and maintenance of the policies that will help manage business disruptions. The aim of recovery is to keep business activities uninterrupted despite the occurrence of the risk.

Prevention or avoidance is a recovery option that can be employed to help business recover from risk occurrence. In this option, the probability of the risk occurring is pushed to the minimum or eliminated. Installing a power backup to reduce data loss or disruption of business activities in case of power blackouts can be implemented. Training of the staff to detect signs of the event occurring makes them act promptly to revert it from occurring hence avoiding business disruption. Implementation of fraud prevention policies and procedures will in effect avoid business from incurring any costs emanating from risk occurrence. 

Some forms of risks cannot be prevented from occurring but can be suppressed. Risks caused by natural events like floods cannot be controlled from happening. The business can put measures in place to recover the business from such disruptions. Transference of such risk to a third party ensures that in case the event occurs, a third party will incur the cost. Most businesses have taken insurance covers as a recovery option. The insurance firm can compensate the business unit in case an event that had been insured occurs. Compensation guarantees business continuity of its activities.

Containment is a recovery option that helps in preventing further damage to the business from the event. Controls and procedures are put in place to ensure that fast interventions are carried out in case the risk occurs, to mitigate its effects on the business activities. Putting up policies to be followed in case of risk occurrence ensures that escalation of the damage is minimized even when it occurs. The risk management team can put a person in charge of the operation so that the risk occurrence is detected early enough. This will, therefore, ensure that the measures put in place to prevent its spread are implemented as soon as possible (Mikes & Kaplan, 2014).

Primary site decommissioning is a recovery option where the risk has already occurred and damaged the business activity. The actions taken here are directed at salvaging what has been left undamaged. Restoring and replacing the damaged property of the business are the most important activities in this option. This is aimed at making sure the business activities return to where they were before the occurrence of the risk. All that needs to be done is to have the necessary resources to replace the items damaged by the event.

Contingency plan testing requirements

For an effective contingency plan to be in place at all times, there is a need for continuous testing of the plan. Such a strategy will ensure that the plan is upgraded every time the business changes its operations. Incorporating the plan into the new program of activities covers every anticipated risk at all times. There is always a need to identify testing requirements when a plan is developed, to improve effectiveness and efficiency.

After coming up with a contingency plan, the first testing requirement is to communicate it to all personnel working in the company. Knowledge of the plan among the staff ensures that every part of the plan and its function is known. The staff will always be ready to support a plan that they have knowledge of, and in the case of occurrence of the risk, the plan will be administered promptly. This will save the business from further damage to the property that the plan protects.

The next step is to make sure everyone knows and understands their role in the plan. Those in the management team will need to know their specific roles in the contingency plan. Those who will be charged with plan execution need to understand how the plan is carried out and the steps followed. They will need to be informed of the alternatives in case the normal procedure does not work out. Those who are in charge of storing the plan need to know the storage place. The safety of the plan will need to be guaranteed so that the plan is not tampered with without authorization.

After knowing their roles, the staff with responsibilities in the plan need to be trained. Training may even involve carrying out a pilot study to demonstrate how the plan works. This testing will require experts and the developers to train the staff. The experts will train the staff so that, even when the experts are not around, the staff are competent enough to execute the plan in case the event occurs. Disaster drills can be conducted to make the training successful and fruitful (Pennington et al., 2014).

Another testing requirement is periodic review of the plan. Reviews may be occasioned by relevant technological, operational or personnel changes. Any changes to the risk management team will influence changes in the plan. Outdated technology and its updates need to be reviewed so that they are in line with the strategic plan. Changes in the operations of the business, like the addition of a department, need to be incorporated in the contingency plan.

The new plan needs to be distributed to all the staff in the company. This will help them to familiarize themselves with the new plan. They will be able to recognize any component that is new or has been revised to meet the needs of the company. After the new document has replaced it, the old version needs to be destroyed. Discarding the old plan requires that all copies, both soft and hard, be destroyed. Staff can even be in charge of discarding the old plan (Dahlberg, Kivijärvi & Saarinen, 2016).

The plan should be kept in an off-site location. There is a need to have a person in charge of the location. The plan needs to be safe but accessible to authorized personnel. Access should be quick so that the risk occurrence can be tackled and damage prevented.

The risk management team should do a periodic audit of the plan. The audit is carried out to reassess the risks of the business. Some risks are seasonal, like those emanating from natural calamities such as floods. In such periods, there will be a need to prepare where the likelihood is of concern. The audit is also able to analyze the efforts to control risk by comparing actual performance with the performance levels described in the contingency plan. The performance level can be improved by identifying the gaps and putting in place strategies to close those gaps (Williams, Hardy & Holgate, 2013).

Recommendations of Business contingency testing plan for 24 months cycle

The information technology issues and procedures involved in ensuring a successful business contingency plan revolve around the effective system analysis and design process. The phases of system analysis and design involved include preliminary study, feasibility study, system analysis, system design, coding/programming, testing, implementation and finally maintenance. 

The preliminary study is the first step, and it involves just a brief study of the business system to be put in place. This enables the developers to have an overview of how the physical system will be. Once the management approves the preliminary study, the feasibility study commences. This process estimates the operational, economic, technical and schedule effectiveness of the system for users. System analysis involves breaking down the entire business process into smaller processes and doing a detailed study on them. This is done with a view to understanding how information flows in order to improve the system processes (Williams, Hardy & Holgate, 2013).

System design is the most vital phase, where the system analysis logic is implemented into a physical system. The system design process commences with the general design, where the costs of the system building blocks are estimated. Then the detailed design process is implemented, which involves designing the output and input of the system data. Programmers then code the system design into workable code. Testing then follows, where a system test run is done to identify and remove any bugs present in the system. Maintenance is then done at regular time intervals and involves updating the system resources (Pennington et al., 2014).

With a robust system development process put in place, some techniques have to be put in place to ensure that the business continuity in the future is guaranteed. This includes installing security measures such as firewalls to guard business assets against being tampered with by hackers and malware. Information technology measures that can ensure the business remains stable and does not become bankrupt and cease to operate should also be set up. These measures include:

Strong User Authentication

This includes using passwords that mix all types of characters: upper-case and lower-case letters, numerals and the underscore character. Use of common words such as ‘password’ should be avoided. Non-reversible password hashes should also be placed in the user store. This prevents attacks such as spoofing of user identity (an attempt to gain access to a system by using a false identity) and denial of service by hackers and attackers. Password credentials should also not be passed in plain text over the wire. Lockout policies for end users should also be implemented to limit the number of retry attempts at guessing passwords. The system administrator should also audit failed login attempts to establish patterns of password hacking attempts (Mikes & Kaplan, 2014).
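The three controls named above (non-reversible hashes in the user store, a lockout policy, and auditing of failed logins) can be combined in one small user store. This is an added example, not part of the original essay; the class name, thresholds, PBKDF2 work factor and sample addresses are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict

MAX_FAILURES = 3         # assumed lockout threshold
LOCKOUT_SECONDS = 900    # assumed lockout window (15 minutes)
PBKDF2_ROUNDS = 200_000  # assumed work factor; raise it as hardware allows


class UserStore:
    """In-memory user store: salted one-way hashes, lockout, login audit."""

    def __init__(self):
        self._users = {}     # username -> (salt, derived key); never the password
        self._failures = {}  # username -> (consecutive failures, time of last one)
        self.audit_log = []  # (timestamp, username, source, outcome)
        # Dummy record so unknown usernames cost the same work as known ones.
        salt = os.urandom(16)
        self._dummy = (salt, self._hash(os.urandom(16).hex(), salt))

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def register(self, username, password):
        salt = os.urandom(16)  # per-user salt defeats precomputed tables
        self._users[username] = (salt, self._hash(password, salt))

    def _record(self, now, username, source, outcome):
        self.audit_log.append((now, username, source, outcome))
        return outcome

    def login(self, username, password, source, now=None):
        now = time.time() if now is None else now
        count, last = self._failures.get(username, (0, 0.0))
        if count >= MAX_FAILURES:
            if now - last < LOCKOUT_SECONDS:
                # Locked: reject without even checking the password.
                return self._record(now, username, source, "locked")
            count = 0  # lockout window has passed; start counting again
        salt, stored = self._users.get(username, self._dummy)
        # Constant-time comparison of the derived keys.
        matches = hmac.compare_digest(self._hash(password, salt), stored)
        if matches and username in self._users:
            self._failures.pop(username, None)
            return self._record(now, username, source, "ok")
        self._failures[username] = (count + 1, now)
        return self._record(now, username, source, "fail")

    def suspicious_sources(self, min_failures=3):
        """Audit: sources with many rejected logins, and the accounts they tried."""
        targets = defaultdict(list)
        for _, username, source, outcome in self.audit_log:
            if outcome != "ok":
                targets[source].append(username)
        return {s: sorted(set(u)) for s, u in targets.items()
                if len(u) >= min_failures}
```
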

Firewall Installation

Network firewalls filter traffic between the external side and internal side of a network. Operating systems of the bank should be configured with firewalls to prevent footprinting by disabling unused protocols and unnecessary ports at the time of data transfer. Firewalls block Trojan horses, prevent keyloggers and block hackers from accessing the network. There are three types of firewall filtering: static filtering, dynamic filtering, and stateful inspection filtering. Firewalls should be implemented as they are inexpensive and easy to install. They also make security transparent to end users.

Data Encryption

This is the conversion of data into a ciphertext that is not understood by unauthorized persons or attackers unless a decryption is done. Complete encryption of information over a network ensures that sniffed data packets are not usable to an attacker. This prevents monitoring of data over a network by attackers who try to identify a pattern and the message intervals in which data is transmitted over a network. Using an encrypted communication channel ensures that eavesdropping over the network is hindered.

Cryptography

Cryptography is a technique of storing and transmitting data in a particular form so that it can be read and processed only by those it is intended for. It involves techniques such as merging words with images and hiding information in storage or transit. Cryptography offers confidentiality, authentication, integrity and non-repudiation (the sender of information cannot in the future deny their intent in the transmission of the information). The drawbacks of cryptography include difficult access to information for authorized and legitimate users, especially during decision-making times. Cryptography implementation in information processing causes delays. Cryptography is also not pocket-friendly since setting up public key infrastructure costs a lot of money; the business, therefore, ought to be ready to invest in it. This is because the process of setting computational difficulty in mathematical problems requires hiring of highly efficient personnel and high performing systems (Williams, Hardy & Holgate, 2013).

Packet filtering

This measure is used to counter spoofing, where an attacker tries to hide their identity by using a fake source address in the data packet. Incoming and outgoing packets that seem to originate from invalid IP sources should be filtered.
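The source-address check described above, for both incoming and outgoing packets, as an added example that is not part of the original essay. The internal range 192.168.10.0/24, the function names and the sample addresses are assumptions.

```python
import ipaddress

# Assumed addressing for this example: one internal LAN behind the filter.
INTERNAL_NETS = [ipaddress.ip_network("192.168.10.0/24")]
# Private ranges (RFC 1918) that should never arrive from the Internet side.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def check_packet(direction, src):
    """Return 'accept' or 'drop: <reason>' for a packet's claimed source."""
    try:
        ip = ipaddress.IPv4Address(src)
    except ValueError:
        return "drop: malformed source address"
    # Addresses that are never a legitimate unicast source in either direction.
    if (ip.is_unspecified or ip.is_loopback or ip.is_multicast
            or ip.is_link_local or ip.is_reserved):
        return "drop: source can never be valid"
    internal = any(ip in net for net in INTERNAL_NETS)
    if direction == "in":
        # Ingress: a packet from outside must not claim an inside address.
        if internal:
            return "drop: internal source arriving from outside"
        if any(ip in net for net in PRIVATE_NETS):
            return "drop: private source arriving from outside"
    elif direction == "out":
        # Egress: only our own addresses may leave, so hosts cannot spoof others.
        if not internal:
            return "drop: source is not one of our addresses"
    else:
        return "drop: unknown direction"
    return "accept"


def filter_trace(packets):
    """Apply check_packet to a list of (direction, source) pairs."""
    return [(d, s, check_packet(d, s)) for d, s in packets]


# Constructed sample traffic: (direction, claimed source address).
SAMPLE = [
    ("in", "198.51.100.20"),   # ordinary external host
    ("in", "192.168.10.7"),    # claims to be one of our own hosts
    ("in", "10.1.2.3"),        # private range on the external side
    ("in", "127.0.0.1"),       # loopback
    ("out", "192.168.10.44"),  # legitimate internal host
    ("out", "198.51.100.20"),  # internal host forging an outside address
]

if __name__ == "__main__":
    for direction, src, verdict in filter_trace(SAMPLE):
        print(f"{direction:3} {src:15} {verdict}")
```
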

Reinforcing the TCP/IP stack

Hardening this stack involves implementing dynamic backlog principle mechanism to ensure that the connection queue keeps functioning without being exhausted.

Antivirus Installation

Anti-malware from credible manufacturers such as Kaspersky and Norton protects against viruses, Trojan horses, and worms (malware that self-replicates from one computer to another over a network) that interrupt normal system functions. Antiviruses should be updated regularly for patching of any buffer overflows. Scanning of the system for malware should be up to date.

Use of cookies

Cookies are small text files stored on users’ computers and used by websites to keep track of user information such as login passwords. Cookies by default are domain specific and browser specific. Small cookie timeout values should be set to ensure that a user regularly signs into the system after short time intervals. This prevents attackers from replaying a request without authentication. Cookies also store a user’s session state and occupy little memory. The disadvantage of using cookies is that users usually have the choice of disabling cookies on their computers or even deleting them.

Setting up a Back-up Plan

An information technology disaster recovery plan (IT DRP) should be developed in relation to the business continuity plan. This plan includes making sure that all critical information is backed up regularly. This helps to recover important data in instances of data loss from malware and hacking, or when mass hardware failure occurs in the business. Hardware at a given branch of the business can be configured to run similar software applications and hardware to that of the main branch to ensure that data can be recovered in case of a malfunction at the main branch offices (Williams, Hardy & Holgate, 2013).

There are also credible vendors who offer data security services. The firm accesses its information from a web browser such that in case downtime is detected at the client site, the vendor holds data until the client’s system is up and running again. Cartridges, Blu-ray discs, DVDs and USB drives of large capacity should be used to back up data regularly. Cloud computing that offers infinite storage space should be used to store almost all critical information assets of the business (Reid et al., 2015).

References

Dahlberg, T., Kivijärvi, H., & Saarinen, T. (2016). IT Investment Consistency and Other Factors Influencing the Success of IT Performance. Strategic IT Governance and Alignment in Business Settings, 176.

Mikes, A., & Kaplan, R. S. (2014, October). Towards a contingency theory of enterprise risk management. AAA

Pennington, C., Dijkstra, T., Lark, M., Dashwood, C., Harrison, A., & Freeborough, K. (2014). Antecedent precipitation as a potential proxy for landslide incidence in South West United Kingdom. In Landslide Science for a Safer Geoenvironment (pp. 253-259). Springer International Publishing.

Reid, M., Hultink, E. J., Marion, T., & Barczak, G. (2015). The impact of the frequency of usage of IT artifacts on predevelopment performance in the NPD process. Information & Management.

Williams, S. P., Hardy, C. A., & Holgate, J. A. (2013). Information security governance practices in critical infrastructure organizations: A socio-technical and institutional logic perspective. Electronic Markets, 23(4), 341-354.

StudyBounty. (2023, September 15). Issues, Procedures, and Techniques in I.T Resource Contingency Planning.
https://studybounty.com/issues-procedures-and-techniques-in-i-t-resource-contingency-planning-essay
