Implementation of Business Continuity Planning Methodology in Making Business Continuity Planning Documents at PT. XYZ

Keywords: Business Continuity Plan; Business Process; Risk; PT. XYZ
PT. XYZ is a company engaged in the communication sector. As a company with a national scale, PT. XYZ faces various risks, ranging from natural disasters and human disturbances to disruption due to technology. These risks can disrupt the company's operational activities. A business continuity plan document is created to determine the company's steps to minimize damage due to disruption. Making a business continuity plan or BCP starts from the project initiation stage and continues through risk assessment, business impact analysis, mitigation strategy development, plan development, training, testing, and auditing. The results obtained from this research are BCP documents used by PT. XYZ in response to a disturbance. With the BCP, PT. XYZ can respond to a disruption that occurs and quickly restore business operations.


INTRODUCTION
According to the PT. XYZ annual report, PT. XYZ is an information and communication company and a complete telecommunications service and network provider in Indonesia. In providing telecommunications services and networks for all Indonesian people, PT. XYZ has several infrastructures, such as cables and towers, which are spread across various areas. Multiple risks and disasters can threaten PT. XYZ if this infrastructure is not guarded and protected. If a risk or disaster affects the infrastructure, the business processes at PT. XYZ can be disrupted or even temporarily stopped until conditions recover. Not only that, PT. XYZ's reputation as a service provider can be threatened because of the blocked services. Therefore, a business continuity planning process is needed, producing a Business Continuity Plan or BCP so that business processes can continue even if a disaster occurs. The BCP was created to support the vision of PT. XYZ.
Companies need to carry out a Business Continuity Plan (BCP) to ensure business continuity. BCP is necessary to maintain the business processes owned by the company (Amirullah & Subriadi, 2019). BCP is a company's plan to keep its business continuity (Snedaker S., 2014). BCP is designed to reduce the negative impact of business disruption caused by internal and external factors (Asgary & Naini, 2011). Making a BCP aims to prevent disruption to normal business activities (Solehudin, 2005). A BCP is made with adjustments to the needs and conditions of the company itself (Pertiwi, 2016).
In previous studies, BCP has consistently been implemented for companies and organizations that have critical services. In the case study of PrintGila, a BCP was designed to complete and strengthen the system so that it becomes a reliable system (Santoso & Gitarini, 2017). In addition, BCP was also implemented at the Ananda Purwokerto hospital, where SIRUS has been implemented. Still, there are many obstacles in the implementation process, so BCP is needed (Setiawan, Waluyo, & Pambudi, 2019). Industrial companies also need BCP, as in the study by Wijaya & Widiawan (2017), which studied the Nail Company in Surabaya. In the government sector, BCP was also designed by Fajriansah (2017) and Zainuri, Nugroho, & Widyawan (2015) to maintain the continuity of business processes. In this research, a BCP will be designed for PT. XYZ. The design of the BCP will produce a BCP document that defines the possible risks, their impact on business continuity, and the company's steps in mitigating the existing risks. The BCP document will also describe the company's efforts to conduct training, testing, and auditing of the risk mitigation steps.

LITERATURE REVIEW

Business Continuity Planning
Business Continuity Planning (BCP) is a methodology used to create and validate plans to maintain sustainable business operations before, during, and after disasters or disruptive events. BCP is concerned with managing the operational elements that enable a business to function normally to generate revenue (Snedaker S. , 2014). BCP is a critical component of enterprise risk management initiatives to facilitate business operations under adverse conditions by introducing appropriate resilience strategies, recovery objectives, and business continuity and crisis management plans. In addition, BCP acts as a proactive discipline in identifying vulnerabilities and risks and planning how to mitigate, accept or deploy them in the event of business disruption (Dushie, 2014).

Risk Assessment
Risk assessment is the process of identifying risks or hazards that will occur and analyzing what will happen if these risks arise. Risk assessment is a systematic method to determine whether an organization has an acceptable risk or not. Risk assessment includes risk identification, risk analysis, and risk evaluation (Muhaimin, 2018).

Business Impact Analysis
Business Impact Analysis is a step to understand what business processes are critical in the company. In addition, a business impact analysis can make it easier to understand the impact of disruptions on each running business process. This step will look at the business processes of various existing business functions such as services for consumers, internal operational activities, laws and regulations, and finance. In conducting a business impact analysis assessment, there are several steps taken. The first step is to identify the critical business processes and the most vital business functions in the company. After that, business recovery determines resources and linkages, the impact of each operation in disruption, the priority of each business process and function, the need for recovery time, and the impact on financial and operational. The result of this stage is a business impact analysis document which is then used together with a risk assessment analysis to produce a mitigation strategy (Snedaker S. , 2007).
The recovery time requirements consist of RPO, RTO, and WRT. RPO stands for Recovery Point Objective, which is the acceptable amount of data loss from critical business functions. RTO stands for Recovery Tolerable Downtime, which means the time it takes to recover business functions from disruptions. WRT is Work Recovery Time, which is the time it takes to recover unavailable business functions until they run normally. The time required for each business function varies, depending on where the business function is located. If the business function takes 0 to 12 hours to run normally, then the business function is mission critical. If it takes 13 to 24 hours, the business function is vital. If it takes 1 to 3 days, then the business function is considered necessary, and more than that is deemed minor (Snedaker S., 2007).

Risk Mitigation Strategy
A risk mitigation strategy is a process plan that develops options to increase opportunities. The risk mitigation strategy is carried out by evaluating the overall risk to reduce the possibility of threats, vulnerabilities, or disruptions that can disrupt business operations, projects, or other business activities (Ahmed, 2017). With a risk mitigation strategy, the entire risk profile of the business is obtained, which helps direct the right business decisions. The risk profile shows what threats might occur, how likely the threats are to happen, and how vulnerable the existing system is (Snedaker S., 2007).

RESEARCH METHOD
In general, the research was conducted using the Business Continuity Planning method. The following is the method used in the study.

Project Initiation
This step analyzed threats and solutions, business needs, functions and technicalities, success criteria, and contributors to PT. XYZ.

Risk Assessment
In this step, the risks that might occur at PT. XYZ were assessed against the risk criteria.

Business Impact Analysis
This step would provide an analysis of the business process and its impact on PT. XYZ.

Risk Mitigation Strategy
This step prepared the risk mitigation strategies that PT XYZ takes to mitigate risk.

Business Continuity Plan
This step prepared a Business Continuity Plan with steps to deal with existing threats.

BC/DR Team And Communication Plan
The researchers provided a plan for making BC/DR Team and a Communication plan to arrange for the distribution of responsibilities to the BC/DR team to deal with threats in PT. XYZ.

Training, Testing & Auditing
The preparation of training, testing, and auditing for employees of PT XYZ was analyzed to allow employees to overcome threats that may occur.

Conclusions and suggestions
At this stage, conclusions and suggestions were drawn based on the research done.

Project Initiation
In preparing the design of the BCP document, PT XYZ's needs in each critical area are identified in advance. The needs are divided into business needs, functional needs, and technical needs, as follows. Table 1 contains the requirements that need to be considered when creating a BCP. A critical area serves as the scope that needs to be considered when making the BCP strategy. Needs are divided into three, namely Business, Functional, and Technical Requirements. The function of the three is to state the needs from the business, functional, and technical side. The needs should be stated so that the BCP can align with company needs and protect critical areas from future threats. The BCP design project can be successful if it meets the criteria stated in Table 2. Success criteria are also required in making the BCP.

Risk Assessment
In conducting a risk assessment, the criteria that serve as a reference must first be prepared. The following are the criteria for the risk rating. After determining the risk rating criteria, a risk register is made as a risk assessment at PT XYZ, which is as follows. Based on the identification and risk assessment carried out (Table 4), it is found that the risk that has the highest value (very high) is cybersecurity threats. This risk has a high probability (high) and a very high impact (very high). Therefore, PT XYZ responds to this risk to minimize the possibility and implications of the risk.

Business Impact Analysis
Business Impact Analysis is a stage to find out what business processes are critical to the sustainability of PT. XYZ. At this stage, the impact on each business process is also analyzed if these processes experience disruption. The Business Impact Analysis for PT. XYZ can be seen in the following table.

Risk Mitigation Strategy
The Risk Mitigation Strategy will define options from various recovery steps that PT. XYZ can take to overcome the risks that occur. The following is a risk mitigation strategy taken based on the consideration of several factors.

Business Continuity Plan
The following are the triggers and steps that must be taken in each phase of the Business Continuity Plan. BCP is made based on two departments, namely the IT department and the non-IT department.

BC/DR Team & Communication Plan
In maintaining business continuity, a structured division of responsibilities is needed in a special team, namely the BC/DR team. Team leaders and members are selected from organizational employees who have the ability, knowledge, and experience to respond to disturbances that occur in the organization. In addition, a spokesperson is also needed so that communication can run smoothly. The following is the BC/DR Team and the Communication Plan executed when a cybersecurity threat occurs at PT XYZ. In the BCP document, it is necessary to determine the communication process so that the information delivery process can run smoothly. The following are recommendations for communication flow in the event of a disturbance/disaster:
1. The communication plan begins when the company experiences a disaster or disruption in business process operations, information technology, and others that can hinder PT XYZ from achieving organizational goals.
2. Departments experiencing disturbances/disasters can independently deal with disturbances/disasters received. If the disturbance/disaster is beyond the control of the affected department, the department can report to the head of the department for assistance.
3. The department head will contact the BC/DR team for initiation and request assistance. The team leader will initiate team activities and hold coordination meetings to address disturbances/disasters.
4. The team leader will assign team members to carry out inspections.
5. Team members will immediately perform recovery according to the BCP. Team members will also protect salvageable assets by limiting asset use or temporary deactivation.
6. If a communication media outlet wants to interview the company, the spokesperson will intervene as the only communication channel.
7. If the disturbance/disaster is considered to have a significant impact on operations, temporary suspension of operational activities can be considered. The decision is made by the team leader.
8. Once the disturbance/disaster is under control and the impact can be minimized, the operational transition from recovery to normal can begin. After the operation returns to normal, the BC/DR team will evaluate to assess the performance results and things that need improvement.

Training Testing & Auditing
In supporting the success of the business continuity plan that has been designed, training and testing are needed for PT XYZ employees. The training aims to train employees in dealing with cybersecurity threats at PT XYZ. The following is the initiation of a training project that employees will carry out. The following are training topics that PT XYZ employees need to carry out. To ensure employee understanding of the business continuity plan, a test is conducted that consists of several stages as follows. Before conducting the test, it is necessary to pay attention to the following aspects so that it runs smoothly.

CONCLUSION
The preparation of the BCP starts from identifying the risk that has the most significant impact and likelihood, which is cybersecurity threats. Such a risk can hinder the running of business processes in various aspects, ranging from customer, financial, reputational, and operational to human. The most appropriate risk mitigation strategy, chosen by considering multiple factors, is compiling recommendations for handling cyber-attacks based on historical incident analysis. In maintaining business continuity, plans have been prepared covering SOP activation, recovery, business continuity, and the return to normal operations. In addition, the BC/DR team is determined, and training and testing are carried out to allow the BCP to run smoothly. The suggestion for further research is to continue and improve on the existing research, because the BCP document is a document that develops according to organizational needs and developments in information technology.