Fujitsu’s Business Continuity Plan Development Methodology V Takeshi Ito V Hideaki Orikasa V Tetsuya Yoshida (Manuscript received November 7, 2006) In today’s high-risk business environments, more and more companies are focusing on the Business Continuity Plan (BCP) as a management methodology for improving their ability to respond to any contingency. However, BCP development methodolo gies suitable for the business environment of Japanese companies have not progressed much beyond the theoretical stage, and the persons in charge of BCP development in companies have been struggling with this issue. Fujitsu has developed a practical methodology and software tool called BCEXPERT to streamline development of its own BCPs for business formations within the Fujitsu Group. This paper describes Fujitsu’s BCP development methodology that has been standardized as the Fujitsu Business Continuity Management Model. This methodology mainly consists of three steps: 1) structuring business processes and resources required for the processes, 2) extracting essential resources for business continuity; and 3) analyzing the business impact of assumed resource damages in various risk scenarios. This methodology can be applied not only to BCP development but also to business resource optimization. 1. Introduction The persons in charge of risk management in Japanese companies have been talking more about the concepts of the Business Continuity Plan (BCP) and Business Continuity Management (BCM) since the September 11 terrorist attacks in 2001. However, while the risk environments surrounding companies have become increasingly severe over the past five years, BCP remains a key concept that managers often hear about but do not fully understand. Moreover, various requests for responses to the internal control required by the soon-to-be-enforced Japanese SOX act, information security, the environment, privacy, and other management issues have yet to be addressed, and many persons in charge of risk management regard the need for BCP development as yet another burden to shoulder. This paper describes how BCP development 168 methodology can be made more practical and efficient based on the business conditions of Japanese companies by making use of Fujitsu’s experience of BCP development. The methodolo gy will help reduce the burdens of the persons in charge of risk management in these companies. 2. What is a BCP? Fujitsu defines a BCP as follows: The purpose of a BCP is to allow critical busi ness activities to continue when an unexpected situation such as a large-scale disaster occurs. A BCP is an action plan for achieving the goals of business continuity (recovery time objectives for critical business activities) determined based on the analysis of the management environment, business structure, and risk environment. In BCP development, only analyses such as the analysis of the business impact tend to draw FUJITSU Sci. Tech. J., 43,2,p.168-177(April 2007) T. Ito et al.: Fujitsu’s Business Continuity Plan Development Methodology attention. However, the final purpose is basically to develop an effective action plan that specifies the items to be handled, the people who will handle them, and the deadlines to be met in an emergency. Fujitsu’s BCP consists of an emergency action plan and the analysis of business continuity requirements based on the analysis data that supports the action plan development. 3. Change in business environment The risk environment surrounding compa nies is becoming increasingly severe. The risks companies face include an earthquake in the northern part of Tokyo Bay or an inland earth quake in the capital; large-scale earthquakes in the eastern sea, southeastern sea, southern sea, and other areas; flooding (which is becoming an increasingly severe problem); terrorism; and a bird flu pandemic. These risks are constantly present and largely unpredictable. Because these risks are universally recognized, international standardization activities have been started to realize an adequate level of business continuity management by 2008. The Japanese government publicized a series of guidelines for developing a BCP in 2005 that demonstrated a very proactive administrative approach for business continuity enhancement. The guidelines are the “Business Continuity Guidelines 1st ed.”1) by the Cabinet 33% Office and the “BCP Development Operational Guidelines for Small and Medium Enterprises”2) by the Small and Medium Enterprise Agency. Also, the Business Continuity Advancement Organization (BCAO)3) was established in June 2006 and has been actively promoting business continuity since July. This is the first registered non-profit corporation in Japan aimed at promot ing BCP standardization and fostering BCP specialists. A serious problem that needs to be addressed by companies is that BCP development is becoming mandatory. The growing internation al recognition of the need for business continuity enhancement has emerged as a request to improve the business continuity capabilities of business partners in the business-to-business transactions that secure the global supply chain. More and more companies check for the presence or absence of BCP development by suppliers before starting a transaction. Particularly, most European and American companies strongly recognize the risk of business continuity in Japanese companies due to the threat of large earthquakes. BCP develop ment is needed not only for ensuring business continuity during a disaster but also during everyday operation. Despite the rapid changes in our environ ment, only 7.9% (23% including the companies who have just started to introduce BCP) of domestic companies have developed a BCP (Figure 1).4) This figure is much lower than the 44% 15% 7.9% We have no disaster prevention plan. We have developed a disaster prevention plan including emergency measures and launched BCP. We have a disaster prevention plan focusing on emergency measures, e.g., evacuation, confirmation of safety. We have developed a disaster prevention plan including BCP. Source: Development Bank of Japan: Special Survey Concerning Companies’ Approaches to Disaster Prevention (Chart 2-1 Development situation of disaster prevention plan and business continuity plan [BCP])4) Figure 1 BCP development situation in domestic industries (November 2005). FUJITSU Sci. Tech. J., 43,2,(April 2007) 169 T. Ito et al.: Fujitsu’s Business Continuity Plan Development Methodology 47% figure determined by the Business Continuity Institute5) for major overseas compa nies. The Central Disaster Prevention Council wants all of Japan’s major companies and more than 50% of the country’s small and medium companies to develop a BCP within 10 years.6) To attain this goal, further supportive activities based on public-private partnerships will be necessary as well as improved management awareness. 4. Fujitsu’s Business Continuity Management Fujitsu is an information system vendor that plays a major role in the social infrastructure and also a manufacturer participating in the global supply chain. In keeping with these roles, since its establishment, Fujitsu has developed disaster prevention and emergency response plans and conducted various training to prepare for emergency situations. Moreover, in 2004, a company-wide BCP development project was set Management architecture Management (management conference) De Devveloping and controlling basic policy ffor or b business usiness contin continuity uity Organization in charge of business continuity Developing and supporting operation of BCP Specialized organization Developing, operating, and improving BCP Business unit Business unit Business unit Business unit up, and in 2005, a specialized organization was established to develop BCPs and enhance business continuity throughout the Fujitsu Group. Fujitsu has a variety of business operations with different business environments, structures, bases, and management resources. To develop a BCP for each operation, company-wide business continuity management has been implemented in three layers: management, a specialized organi zation for business continuity, and the business unit (Figure 2). The specialized organization for BCP development plays a key role in this system. This expert group consists of Fujitsu staff having special skills in, for example, disaster prevention, procurement, information system operation, consulting, system development, and outsourcing. The organization for BCP development has also developed various tools and software products to make BCP development and maintenance efficient. Function Document • Determines basic principles. • Determines promotion system and control method. • Approves group BCP. • Approves amount invested for measures. • Overall control • Develops development and operation processes and methodology. • BCP template • Development support (consulting and tool provision) • Adjusts company-wide optimization (inter-group and company-wide) • Educational development and implementation support • Develops, operates, and improves prior measures plan. • Develops, operates, and improves action plan in an emergency. • Develops, operates, and improves business recovery plan. • Develops, operates, and improves information system recovery plan. • Develops, operates, and improves human resource training plan. • Business continuity basic policy • BCP development guidelines • BCP (for each unit) Figure 2 Business continuity management in Fujitsu. 170 FUJITSU Sci. Tech. J., 43,2,(April 2007) T. Ito et al.: Fujitsu’s Business Continuity Plan Development Methodology 5. Fujitsu’s BCP development methodology Fujitsu’s BCP development methodology has been standardized as the Fujitsu Business Continuity Management Model (Figure 3). This model covers the phases from planning to operation. BCP development and operation management performed in accordance with this model enable visualization and standardization of an entire business process regardless of differences in the business environment and structure. This model consists of the following six phases: 5.1 BCP system development (Phase I) This phase develops collaborative projects between the specialized organization for BCP development and the target business operation. 5.2 Analysis of business continuity requirements (Phase II) This phase structures the current business processes and resources and sets a goal for busi ness continuity. Figure 4 shows the flow of Phase I BCM system development • Setting up BCM enhancement plan • Approving executives • Developing promotion system Phase II Analysis of business continuity requirements • Collecting basic information • Business Impact Analysis • Analyzing resources of critical business process • Risk analysis • Extracting critical resources of critical process Development of business continuity strategies • Extracting measures options • Considering return on investment • Developing measures plan • Determining business continuity strategies Business continuity strategies BCM enhancement plan Project implementation plan (WBS) Phase III Business continuity requirements Measures plan business continuity requirement analysis. 1) Collect and analyze information required for BCP development (research of the business environment and structure) (q). 2) Based on the information collected by inter views and questionnaires, analyze the impact of business interruption (Business Impact Analysis) (w). 3) Based on the analysis results, determine the Recovery Time Objective (RTO) (e). 4) Analyze the business processes, resources that support the processes (people, facilities, information systems, etc.), and physical re source assignment to create a structured influence diagram (Figure 5) (r). The influence diagram clarifies the condi tions for implementing business using the structured business processes and resources. 5) Analyze the risk environment surrounding the business to make assumptions about the risk factors and risk occurrence status. Although the possibility of an earthquake is often considered in risk analysis, it is impor tant to study a wide range of situations that Phase IV Development of business continuity plan • BCP • Awareness and training plan • Developing BCM plan • Testing plan items and approval Business continuity plan Phase V Phase VI Implementation of business continuity measures Evaluation and improvement • Preventive measures • Redundancy measures • Spare measures • Alternative measures • Test and reflection in BCP Evaluation improvement report Manual checklist Awareness Business and continuity management training plan plan • Education • Training • Evaluating training results • Extracting improved items • Reviewing business continuity environment • Reflection in plan and measures Manual checklist (revision) Related documents (revision) Figure 3 Fujitsu’s Business Continuity Management Model. FUJITSU Sci. Tech. J., 43,2,(April 2007) 171 T. Ito et al.: Fujitsu’s Business Continuity Plan Development Methodology qBusiness environment research wBusiness Impact Analysis at suspension eDetermining Recovery Time Objective (RTO) tRisk analysis yAssuming resource damage at risk iGap analysis qBusiness structure research rModelling process resource relationship (influence diagram) uBusiness damage at risk (time for recovery to current status) Measures examination Figure 4 Flow of business continuity requirement analysis. B6 Board production B2 供給能力の確保 最終目標 中間目標 B3 生産工場での生産台数の確保 *ボックス内、記法 凡例:ボックス種別の説明 リソース 要員 (別モデル化) 間接評価 リソース ページ間 のリンク ID ボックス内容 の記述 B5 製品生産と品質 ID: 識別子 B*: 目標指標 M*: 機能指標 R*:リソース 依存関係の方向 M6-1 Activation of board production environment R22 Stock amount (YY unit production relation) B6 基板製造 Personnel collection model Explanatory note: Explanation of box types Final goal Resource Indirect evaluation resource Intermediate goal * Notation in box Personnel (separate modeling) Description of ID box 製造 要員参集モデル R64 指導員 (YY ユニッ ト製造) ID: Identifier B*: Objective indicator M*: Functional indicator 等 (YYユニット製造) R*: Resource Linkage between pages B9 部材調達 (生産工場) R21 ライン要員 (YY ユニッ ト製造) Direction of dependence R63 クリーンルーム (YY ユニッ ト製造) M9 ––1 部材供給ルート R10 Instructor (board production) R08 Line personnel (board production) R06 Electricity R61 Air conditioning B6-2 Drawing control system B6-4 Information system B R06 Electricity R07 Pure water R61 Air conditioning B8-1 Information system E R12 (Special equipment) Production line R17 (Special equipment) YY unit production control B9 ––1 サプライヤ部材 直接納品 B12 生産オペレーション (生産工場) R32 生産管理データ (XX センター) 要員参集モデル R31 要員(生産オペ (生産工場)) R13 (Special equipment) Tuning device R06 電力 B5 ー 2 生産管理システム R25 納品出荷伝票 B21 物流管理 (本社)物流管理部門) 要員参集モデル B5––2 生産管理システム R3 社内ネット(WAN) R53 要員(生産オペ (生産管理部門)) R57 生産管理データ (XXセンター) R40 要員(物流管理 (物流管理部門) R41 生産・製品引当 管理システム (XXセンター) B5 ––2 生産管理システム R3 社内ネット(WAN) R36 (情報システム) 物流オーダー管理システム (XXセンター) R68 Nitrogen B13 部材購買 (本社)調達部門) B18 生産オペレーション (本社)生産管理部門) 要員参集モデル 要員参集モデル R28 要員(部材購買 (調達部門) R29(情報システム) R35(情報システム) R3 社内ネットワーク 購買管理システム 在庫管理システム (WAN) (XXセンター) (XXセンター R30(情報システム) 部材管理システム (YYセンター) B8 YY unit production R19 YY unit production line. Cleaning equipment, etc. (YY unit production) B9––4 調達部門経由部材 R39 サプライヤ部材 (関連会社) R27 サプライヤ部材 (その他供給会社) Figure 5 Influence diagram. 172 FUJITSU Sci. Tech. J., 43,2,(April 2007) T. Ito et al.: Fujitsu’s Business Continuity Plan Development Methodology 6) 7) 8) can occur. For example, a bird flu pandemic would leave buildings and equipment undam aged but would incapacitate an estimated 40% of the population. This situation clearly differs from that of an earthquake and consequently requires different countermea sures. While it is a waste of time to think of unrealistic situations, it is important to look beyond the obvious risks to business continuity (t). Based on the above risk analysis, apply the situation (resource damage) to the influence diagram (y). Based on the resource damage, determine how much damage the current business will suffer (time for recovery to current status). Also, identify the critical resource that will have the largest impact on the stop time (u). Achieve the goal of BCP, which is to bridge the gap between the present recovery time and the RTO that has already been specified (i). 5.3 Development of business continuity strategies (Phase III) This phase determines measures and strat egies for attaining the above-mentioned goal of BCP. There is an inverse relationship between the amount invested in the measures for business continuity and the effects they produce. If it were assumed an earthquake would make a critical production base unusable, it would be better to build a plant having the same production capability elsewhere in advance. An information system can be made continuously available simply by building a second or even a third infor mation center. However, for many companies, these measures are prohibitively expensive. This phase determines the optimum balance between the improved responsiveness to an unexpected situation and the investment amount and also determines the measures and business continu ity method to be employed in an emergency. To achieve these goals, the return on investment in FUJITSU Sci. Tech. J., 43,2,(April 2007) the business continuity enhancement investment must be visualized to support management decision-making. Figure 6 shows a matrix chart of the return on investment. Based on this matrix, priority will be given to measures with lower investment and higher effect. A measure with a higher investment and effect (construction of a second plant, dual information system centers, etc.) will be addressed as a medium-term to long-term management challenge at the management’s discretion. 5.4 Development of business continuity plan (Phase IV) This phase creates a practical action plan based on the business continuity strategies. The action plan consists of an implementation plan of various measures, an education and training plan, and an emergency action plan. The most signifi cant of these is the action emergency plan, which must be optimized so that the persons in charge will rapidly and steadily perform their roles. This plan should be in the form of a concise manual or checklist that clarifies the individual roles and contains only the required information. 5.5 Implementation of business continuity measures (Phase V) This phase implements the measures speci fied in the action plan. The measures include employee education and the fostering of special ists as well as measures for physical resources (i.e., preventive, redundancy, spare, and alterna tive measures). 5.6 Evaluation and improvement (Phase VI) This phase performs yearly training in accordance with the developed BCP and updates the BCP every year after a review of the business continuity requirements based on the changes in the business environment. This phase is the most important phase for keeping the BCP effective at all times. To reduce the load on the continuous 173 T. Ito et al.: Fujitsu’s Business Continuity Plan Development Methodology Determining the direction of measure options based on return on investment matrix Major Construction of second plant Remote backup of vital records Addition of alternative production line Installation of safety confirmation system Inventory building Medium Measure effect Anti-seismic reinforcement Minor Development of personnel participation plan at disaster Development of SLA with outsourcing supplier Installation of private electric generator Contract of alternative office Decentralization of suppliers Mid- and long-term measures Outside of examination Major Short-term measures Medium Minor Range of costs invested for measures Figure 6 Concept of measures examination (example for manufacturing industry). improvement activities, in addition to keeping the BCP up-to-date, it is also important to pursue BCP document composition with easy maintenance and efficient updating. 6. Tool for promoting BCP development efficiency Fujitsu uses the BCEXPERT software tool to promote standardization and efficiency of BCP development and updating operations (Figure 7). BCEXPERT provides standard processes from BCP development planning to BCP update operation. It consists of BC-Navi, which supports project management; tools that support simula tions in each process; and document template groups. The goal of BCP development is to create an effective action plan for continuing business in an emergency. This action plan is based on the results of researchers who have analyzed the business environment, business structure, risk environment, and other factors. The environment surrounding business is constantly changing, and to quickly and accurately reflect these changes 174 in the action plan, a proactive approach to BCEXPERT and other software tools is essential. 7. Future issues To continuously promote business continuity enhancement activities based on BCP develop ment, the following issues must be addressed: 1) Visualization of activity results It is easy to understand the costs of BCP development and these activities but difficult to understand their achievements. Therefore, the continuous improvement activities are liable to lose momentum. One effective way to promote these activities is to set activity results bench marks. These benchmarks establish standards (maturity models) for the measurement of a com pany’s business continuity capability and link the standards with the activities’ status. To create a maturity model, benchmarks regarding the approaches of advanced companies and other companies in the same industry are necessary. However, there is no accumulation of effective data in Japan. We expect that the BCAO and industry FUJITSU Sci. Tech. J., 43,2,(April 2007) T. Ito et al.: Fujitsu’s Business Continuity Plan Development Methodology 5000_1 リスク評価 ワークシート 5000 リスク分析 START 3000_1 プロジェクト 計画書 3100_1 アンケート インタビュー 設計参考 資料 3000 パイロット 事業 概況調査 3100 アンケート インタビュー 設計 3200 アンケート インタビュー 実施 4000 収集情報 の分析 重要業務 の特定 4100 重要業務の プロセスと リソース モデル化 3000_2 事業内容 調査結果 3100_2 アンケート インタビュー シート 3200_1 アンケート インタビュー 集計表 4000_1 現状調査 分析結果 報告書 4100_1 プロセス リソース モデル 5000_2 リスク分析 結果報告書 7100_1 対策投資対 効果分析 ワークシート 6000_1 施設・人員 分布状況 データ 6000 ビジネス 影響度分析 6000_2 ダメージ シナリオ 設定表 6000_3 ビジネス 影響度 分析結果 報告書 7000 対策オプション の抽出 7100 事業維持 戦略の決定 7100_2 対策投資対 効果分析 結果報告書 8100 ドキュメント 作成 (BOP-BOM 計画書) 8000 実施計画の 策定と レビュー 8100_1 パイロット 事業向 BOM推進 計画書 8100_2 BOP策定 ガイドライン 8100_3 対策計画書 END 8100_4 災害時行動 計画書 8100_5 教育訓練 計画書 Figure 7 BCM operation support tool (BCEXPERT). groups will promptly develop these benchmarks. 2) Linkage with internal control It is important for each company to implement measures to ensure the level of internal control that will be required by the soon-to-be-enforced Japanese SOX act. Internal control and business continuity have one thing in common in their implementation processes in which process-oriented examinations are made and risks are clarified and controlled. However, they differ fundamentally in their purpose and scope because internal control is intended to guarantee reliability of financial reports, while business continuity is intended to continue critical business activities in an emergency. Essentially, it would be ideal if BCP development and continuous improvement activities were both controlled by internal control activities. However, at the moment they must be developed as sepa rate efforts. In the future, integration between internal control and business continuity activities will be promoted in line with the expansion of the scope of internal control. 3) Business continuity enhancement in the supply chain FUJITSU Sci. Tech. J., 43,2,(April 2007) Because Fujitsu has been developing various businesses in the global supply chain, a companyspecific BCP is unlikely to enhance business continuity. Fujitsu will continuously review the service level agreements (SLAs) with its clients and evaluate how its business partners have de veloped their BCPs. 8. Conclusion Sometimes, BCP development work is described as a tunnel that has no exit because, despite the extensive research analyses and large volumes of documentation associated with BCP development, the effectiveness of a BCP cannot be demonstrated until an emergency occurs. How ever, from a completely different standpoint, BCP development work provides a big opportunity for management restructuring. As mentioned above, the work includes creating a relationship model between the business processes of critical busi ness activities and required resources to analyze the impact that resource damage will have on a business. In fact, this model can be used as a simulation model to cope with changes in the management environment and optimally and 175 T. Ito et al.: Fujitsu’s Business Continuity Plan Development Methodology promptly allocate resources. Basically, BCP development work is nothing less than an activi ty for getting to the core of how to continue important business activities with minimal resources even in an emergency. This activity reveals the essential framework of a business with all redundancies eliminated and allows us to review the business origins of a company. Look ing at BCP development work from the viewpoint of not only the measures against disasters but also for management restructuring can enhance business continuity in an emergency. It also leads to sophistication and streamlining of management activities themselves. Business continuity management in Japan is still in its infancy com pared to that in European countries and the US; however, this can be converted to an advantage by regarding business continuity as a manage ment improvement activity from the beginning. Fujitsu aims to develop a new management mod el to achieve sustainable management that focuses on more than just efficiency. 176 References 1) 2) 3) 4) 5) 6) Central Disaster Management Council, Special Board of Inquiry on enhancing disaster manage ment by utilizing the private sector and markets, Corporate Evaluation/Business Continuity Working Group, and Cabinet Office, Government of Japan: Business Continuity Guidelines 1st ed. — Reducing the Impact of Disasters and Improving Responses to Disasters by Japanese Companies. August 1, 2005. http://www.bousai.go.jp/MinkanToShijyou/ guideline01e.pdf Small and Medium Enterprise Agency: BCP Development Operational Guidelines for the Small and Medium Enterprises. (in Japanese). http://www.chusho.meti.go.jp/bcp/index.html A Specified Non-Profit Japanese Corporation Business Continuity Advancement Organization (BCAO). (in Japanese). http://www.bcao.org/ Development Bank of Japan: Special Survey Concerning Companies’ Approaches to Disaster Prevention. (in Japanese), January, 2006. http://www.dbj.go.jp/japanese/release/rel2006/ 0105.html InterRisk Research Institute & Consulting, Inc.: Report of Field Survey of Japanese Companies Concerning Business Continuity Management (BCM). (in Japanese), October 2005. Central Disaster Prevention Council: Counter measure Strategies against Disaster by Inland Earthquake in the Capital City (plan). (in Japanese), April 21, 2006. h t t p : / / w w w. b o u s a i . g o . j p / c h u b o u / 1 7 / shiryou3-1.pdf FUJITSU Sci. Tech. J., 43,2,(April 2007) T. Ito et al.: Fujitsu’s Business Continuity Plan Development Methodology Takeshi Ito, Fujitsu Research Institute. Mr. Ito received the B.A. degree in Law from Ritsumeikan University, Kyoto, Japan in 1982. He joined Fujitsu Ltd., Tokyo, Japan in 1982, where he was engaged in the sales and marketing of systems integration solutions and solution services for financial institu tions. In addition, he was engaged in the sales and marketing of an Applica tion Service Provider (ASP) service business. He is currently engaged in Business Continuity Plan (BCP) development and consultation on Business Continuity Management (BCM). In 2007, he moved to Fujitsu Research Institute. He is an executive board member of the Business Continuity Advancement Organization (BCAO) of Japan. Tetsuya Yoshida, Fujitsu Research Institute. Mr. Yoshida received the B.A. degree in Economics from Kwansei Gakuin University, Hyogo, Japan in 1992. He joined Fujitsu Ltd., Tokyo, Japan in 1992, where he was engaged in purchasing software licenses from software vendors for more than 10 years. He is currently engaged in in-company Business Continuity Plan (BCP) development. In 2007, he moved to Fujitsu Research Institute. E-mail: [email protected] E-mail: [email protected] Hideaki Orikasa, Fujitsu Research Institute. Mr. Orikasa received the B.S. degree in Mechanical Engineering from the University of Tokyo, Tokyo, Japan in 1976. He joined Fujitsu Ltd., Tokyo, Japan in 1976, where he was engaged in the development of operating systems, work on systems integration, and development of IT service manage ment methods. He is currently engaged in Business Continuity Plan (BCP) development and consulta tion on Business Continuity Management (BCM). In 2007, he moved to Fujitsu Research Institute. He is a member of the Information Processing Society of Japan. E-mail: [email protected] FUJITSU Sci. Tech. J., 43,2,(April 2007) 177
© Copyright 2024