Treasury Board of Canada Secretariat
Symbol of the Government of Canada

ARCHIVED - A Guide to Effective Business Continuity in Support of the Year 2000 Challenge


Warning This page has been archived.

Archived Content

Information identified as archived on the Web is for reference, research or recordkeeping purposes. It has not been altered or updated after the date of archiving. Web pages that are archived on the Web are not subject to the Government of Canada Web Standards. As per the Communications Policy of the Government of Canada, you can request alternate formats on the "Contact Us" page.

1.0  Introduction to the Guide

1.1 Why Focus on Business Continuity?

Like all projects of this nature, size and complexity, the Year 2000 project brings with it a significant amount of uncertainty, unexpected events resulting from the dynamic environment in which we live in, and undesirable outcomes from the remediation work performed by departments. Most people would agree, in that context, that continuous risk management would be beneficial to departments. Who wouldn't want to identify potential problems early enough so that they can be addressed, thereby helping to ensure the ultimate success of their Year 2000 initiatives?

The Government remains optimistic about the its ability to successfully address the Year 2000 problem, but it is the ethical, social, business, and legal responsibility of all government managers to consider the possibility of not being able to complete their conversion activities. Continuity of operations should be the prime concern of managers impacted by the Year 2000 problem. Contingency planning will put these managers in a position to pro-actively and positively work through a potential crisis due to a Year 2000-related business disruption. A pre-established framework for control as well as effective communication, practiced through realistic scenarios, will also provide managers with invaluable tools to work through potential crises.

For these reasons, it is critical that business continuity be a priority for all departments.

1.2 Business Continuity Concepts and Definitions

In order to clearly position the business continuity process described in this guide vis--vis similar processes at the government and national level and conversion activities taking place within the departments, we are providing the readers with the underlying concepts of our process and some basic definitions. At the conceptual level, the TBS business continuity process can be depicted as shown below in Figure 1.

Figure 1 – Conceptual View of the Business Continuity Process

Figure 1 – Conceptual View of the Business Continuity Process

The Business Continuity process start with the establishment of a governance structure which will steer the process and ensure that decisions are made in a timely fashion. The governance structure extends from the planning and control level, where resources are mobilized and assigned to conversion activities, to the corporate (or department level) governance where high level decisions are made regarding business continuity. Both sides of the organization, that is functional and technical, are represented and bring their own set of objectives to the process. Technical personnel aim at achieving Year 2000 compliance before the year 2000 while functional personnel aim at ensuring business continuity. This guide is targeted at the functional side of the organization but recognizes that the achievement of the functional personnel's objectives is heavily dependent on the technical personnel's ability to meet theirs. The technical side of the organization plays an important role in the performance and success of the business continuity process.

The business continuity process spans over the three stages of business continuity identified, within the context of this guide, as:

  1. Prevention. This is the period where organizations identify risks that may impact the continuity of their business processes, evaluate the key attributes of the risks, and determine the organization's response to these risks in order to reduce their exposure to business interruptions;
  2. Preparedness. The preparedness stage aims at establishing the plans to address the risks and monitor the progress of the conversion work and evolving the business continuity plan; and
  3. Response. The final stage follows the declaration of a crisis and includes working through the crisis and resuming the operations of the organization.

The Business Continuity process is then broken down into process areas which include:

  1. Risk Management. Risk Management is a continuous process with methods and tools for identifying, analyzing, planning, monitoring and controlling potential, undesirable events which may negatively impact an organization's objectives. It should be noted that while the aim of the business continuity process is to prevent or minimize business interruptions due to the Year 2000 related failures, technical risks must also be managed since they will often constitute the root cause for these business interruptions. Risk management provides a disciplined environment for pro-active decision-making that:
    • Continuously assesses what could go wrong;
    • Determines which risks are important to deal with; and
    • Implements strategies to deal with those risks.
  2. Contingency Planning. Contingency planning is the area of the business continuity process where a department attempts to ascertain the kinds of crises most likely to occur and prepares to deal with them. Typically based on risks deemed unacceptable or which require significant mitigation measures, the overall purpose of contingency planning is to recognize and address as many uncertainties and risks as possible so that departments can maintain control over their operations when a crisis strikes. Contingency planning includes such components as crisis scenarios, contingency plans, crisis response plans and business resumption plans;
  3. Crisis Response. Crisis response is the collection of activities that minimize the effects of a crisis situation. Crisis response involves notification, assessment, planning, action and termination activities. Typically, this will involve the application of contingency plans to stabilize, prevent escalation and mitigate a crisis event. Crisis response involves both direct and corporate governance as well as planning and control level personnel (Crisis Response Team) who are normally responsible for actions directed towards crisis stabilization.
  4. Business Resumption. Typically, these are the actions undertaken once a crisis event has been stabilized. Business resumption involves the Crisis Management Team but the focus moves from the crisis itself to recovery and the resumption to normal business routines.

These four process areas are integrated into one common set of steps that take organizations from realizing that failures due to the year 2000 problem are possible through responding and recovering from crises. TBS integrated process has a particularity of building on the Software Engineering Institute's Continuous Risk Management process. Hence, although it may appear to differ from standard business continuity processes at the lowest level (step level), it satisfies the requirements of the government, builds upon a sound knowledge base and aligns itself nicely with similar processes implemented at the national level. These steps include:

  1. Set up Governance;
  2. Identify;
  3. Analyze;
  4. Plan;
  5. Monitor; and
  6. Control.

1.3 TBS Six-step Approach to Business Continuity

The TBS is proposing a six-step approach to business continuity. It builds on the work of the Software Engineering Institute for Continuous Risk Management and integrates Contingency Planning, Crisis Response and Business Resumption. The underlying activities of this approach are depicted below.

  Figure 2 – Integrated Business Continuity Approach

  • Identify = identifier
  • Analyse = analyser
  • Plan = planifier
  • Track = suivre
  • Control = contrler
  • Communicate = communiquer

Figure 2 – Integrated Business Continuity Approach

The business continuity activities are as follows:

  1. Set up Governance. The first step in implementing business continuity is to set up the required governance structure to support the process, identify and mobilize the department's resources, obtain governance structure members' commitment and involve these individuals in the business continuity process. The governance structure should not be different but integrated with the existing Year 2000 Project governance structure found in the departments;
  2. Identify. Departments must identify risks related to the Year 2000 problem that could impact the department's ability to ensure business continuity. Departments must also identify any risks that are beyond their control and should therefore be elevated to the TBS level (government-wide issues such as public infrastructure) or shared with their partners and suppliers;
  3. Analyze. Departments must convert the risk information, gathered in the "identify" step, into decision-making information. In addition to defining the risk attributes such as probability, impact, source and response, departments must relate the risk information to assets as well as business functions. This analysis will allow departments to clearly understand the potential impact of risk on business continuity and to take the appropriate management actions to address the risk;
  4. Plan. Once the risks have been identified and analyzed, departments can then assign resources to the management of the identified risks, or the elaboration of contingency plans for those business functions significantly affected by risks. They should also prepare plans to respond to crises and resume business following a crisis;
  5. Track. In order to continuously monitor risks and the related exposure to business interruptions, departments must then implement the strategies developed in the previous activity and continuously monitor variations to these plans. They must also track the progress of the conversion activities in order to identify risks; and
  6. Control. Upon materialization of one or more risks or Year 2000 failures, departments must control the negative impacts and escalate decision requirements to the appropriate level within the governance structure. If the negative impact cannot be controlled, contingency plans or procedures may have to be implemented for the impacted business function. Under certain scenarios, a structured response to these crises will have to be initiated and special controls implemented. The control step also addresses the business resumption activities.

Implicit but critical to this approach is the need to communicate information about the possibility of not completing conversion activities and the solutions to that problem. The success of the business continuity process hinges on frank and open communications on risks, contingency plans, crisis response plans and business resumption plans within departments as well as between departments, their partners and the TBS.

1.4 Opportunities and Barriers

Getting started with this guide will probably be one of the biggest challenges for organizations that are new to business continuity. In addition to the inertia problem that many departments experience when faced with new processes, other barriers may arise. The following table summarizes some of these challenges and provides high-level solutions to address them.

Table 1: Barriers and Solutions
Barriers Solutions
Inadequate Senior Management Commitment
  • Leverage TBS requirement for Contingency Plans by December 31, 1998
  • Emphasize legal, social, ethical and business responsibilities of managers to ensure the continuity of department operations
  • Sell pro-active nature of the process
Insufficient Funding
  • Present this process as "formalized" good management and integrate it into normal day-to-day activities
  • Sell the incremental nature of the process resource requirements based on progress and risk information thus minimizing the funding impact (funding gets reallocated from remediation to contingencies as failures occur or are eminent)
Cultural Barriers
  • Emphasize opportunities (e.g. ability to introduce new services earlier) as well as risks
  • Increase the level of communication early in the process
  • Celebrate successes (e.g. working through unforeseen crisis, preventing problem before its occurrence, etc.)
Lack of Knowledge
  • Hire temporary assistance and ensure technology transfer
  • Take TBS sponsored SEI courses offered through the Institute

1.5 How to Use This Guide

This guide has been structured and formatted to provide easy access to the TBS business continuity process requirements, and to maximize the efficiency of the individuals attempting to meet these requirements. The document focuses on the business continuity process and is divided into eight chapters (an introduction, six chapters describing each of the six steps, and a conclusion). The procedures required to effectively implement the elements are provided in appendices that are bound separately.

In order to keep this guide down to a reasonable size, and since the Software Engineering Institute Continuous Risk Management process has been fully endorsed by the TBS for CRM, specific references are made in this guide to the SEI Continuous Risk Management Guidebook. Departments that do not have a copy of the SEI CRM Guidebook can obtain one by contacting David Holmes at 957-2530. Activities or processes extracted directly from or based on the SEI CRM Guidebook are preceded by the logo below.

Logo depicting activities or processes extracted directly from or based on the SEI CRM Guidebook