How to avoid disaster: RIM's crucial role in business continuity planning.

• Author: Jones, Virginia A.
• Position: RIM FUNDAMENTALS - Records Information Management

The world has experienced a great deal of natural and man-made upheaval and destruction in the past few years, including tornadoes, hurricanes, earthquakes, tsunamis, floods, fires, uprisings, terrorist attacks, deliberate and accidental data breaches, and cyber attacks. Any organization that believes it is safe from loss due to a natural or manmade disaster is denying reality.

With the large number of high-profile disasters of the past decade, it is not surprising that the "2010 AT&T Business Continuity Study" of 530 organizations showed that 83% of the business executive respondents indicated their organization had a business continuity plan (BCP). However, 12% indicated they did not have a plan, and 5% were not sure.

While most organizations are aware that a BCP is necessary to keep their business operational during and immediately following a disruptive event, not all agree on what the plan is or what it should include.

Understanding the BCP

Business continuity planning is part of a business continuity management (BCM) process that identities potential risks and vulnerabilities and their impacts on an organization. It provides processes and procedures for mitigating risks and effectively responding to a disruptive event in a way that safeguards the interests of the organization's key stakeholders, reputation, brand, and value-creating activities. To be successful, BCM must be fully integrated across the entire organization as a required management process.

BCM includes business continuity planning, which focuses mainly on incident response and, depending on the organization, can include records and information security and risk management processes.

According to the Contingency Planning Guide for Information Technology Systems from the National Institute of Standards and Technology, a BCP is the documentation of a predetermined set of instructions or procedures that describes how an organization's business functions will be sustained during and after a significant disruption. It functions as a roadmap that can be followed when a disruptive event occurs.

[ILLUSTRATION OMITTED]

BCP Goals

The goal of business continuity planning, as identified by the U.S. Federal Emergency Management Agency (FEMA), is to reduce the consequence of any disruptive event to a manageable level. The specific objectives of a particular organization's continuity plan may vary, depending on its mission and functions, its capabilities, and its overall continuity strategy.

In general, according to FEMA, continuity plans are designed to:

* Minimize loss of life, injury, and property damage

* Mitigate the duration, severity, or pervasiveness of disruptions that do occur

* Achieve the timely and orderly resumption of essential functions and the return to normal operations

* Protect essential facilities, equipment, records, and assets Be executable with or without warning

* Meet the operational requirements of the respective organization. Continuity plans may need to be operational within minutes of activation, depending on the essential function or service, but certainly should be operational no later than 12 hours after activation.

* Meet the sustainment needs of the respective organization. An organization may need to plan for sustained continuity operations for 30 days or longer, depending on resources, support relationships, and the respective continuity strategy adopted.

* Ensure the continuous performance of essential functions and operations during an emergency, such as pandemic influenza, that require additional considerations beyond traditional continuity planning

* Provide an integrated and coordinated continuity framework that takes into consideration other relevant organizational, governmental, and private sector continuity plans and procedures

A BCP concentrates on the core business functions--manufacturing processes, customer relations, client or patient interactions, research facilities, information technology infrastructure, and so on. Records and information management (RIM) are rarely...