Business Continuity Checklists

Upload: dongrobles

Post on 08-Apr-2018


8/7/2019 Business Continuity Checklists
1/26

Business Continuity Checklists

An ancient philosopher once said, "The reason for failure is unwillingness, the pretended reason is inability". If your business or your family is called before its audit committee to review your Continuity and Resiliency Plans, would your Plans pass the Preparedness test?

The 7 Questions of Business Preparedness (http://www.businesscontingency.com/seven.php) are a good start to review your Business Continuity Plan. The following checklists can help you measure the completeness of vital components of your Business Continuity Planning Program and its associated documentation.

Please review each checklist and email us any suggestions or comments you may have.

Policy Statement - Minimum Policy components and Sample BCP Policy (http://www.businesscontingency.com/checklist-statement.php)
Policy Integration - Lists how to integrate and enforce the BCP Policy (http://www.businesscontingency.com/checklist-integration.php)
Plan Resiliency - Provides steps to ensure Plan flexibility (http://www.businesscontingency.com/checklist-resiliency.php)
Plan Validation - Define and measure the validation and exercise program (http://www.businesscontingency.com/checklist-validation.php)
Service Level Agreements - Minimum components of an SLA agreement (http://www.businesscontingency.com/checklist-sla.php)
Plan Completeness - Plan overall metrics from Plan initiation to validation (http://www.businesscontingency.com/checklist-completeness.php)
Individual Preparedness - Planning to ensure your staff's availability (http://www.businesscontingency.com/checklist-individual.php)
Public Authority Coordination - Support and awareness with public authorities (http://www.businesscontingency.com/checklist-public_authority.php)

Let us know what other checklists would be helpful and how you have implemented and validated your Business Continuity Planning program.

7 Questions of Company Preparedness

1. Is your business impact tolerant?
2. Have you mitigated points of failure?
3. Are you and your staff prepared for Business interruptions?
4. Is your Contingency Plan documented and approved?
5. Have you reviewed your Plan with staff, suppliers and customers?
6. Is your Plan current and regularly tested?
7. Does your Plan ensure timely resumption of critical business functions?

1. Is your business impact tolerant?

If you can accept the results of an impact on your business, then you are tolerant of that impact. To reach a point of impact tolerance you must prepare by evaluating your risks, assessing their probability of occurring, analyzing your business processes, implementing contingency plans, communicating and exercising these plans, and keeping the plans current. The difference between impact tolerance and disaster is your preparedness.

2. Have you mitigated points of failure?

As you evaluate your business processes, you must evaluate each process, in detail, to identify possible points of failure. To ensure an acceptable level of continuity for your business, a decision must be made on the plans and procedures to be implemented and put in place to minimize or eliminate a process failure. If contingency procedures are in place, they should be re-evaluated and tested regularly. Do not assume you are ready. Plan ahead and include contingency planning procedures in your change control process. Your pre-event contingency planning and preparedness validation will determine how little your business and customers are impacted when a failure occurs.

3. Are you and your staff prepared for Business interruptions?

The Business Planning Process does not end with an implemented and documented Plan. The Plan must be kept current, tested regularly and communicated to all those affected. The communication of expectations, approved and documented in your Plan, should define the Roles and Responsibilities of all participants when the Plan is activated and de-activated. The time to prepare is before an interruption occurs.

4. Is your Contingency Plan documented and approved?

Do not assume everyone knows "what to do" when a potentially disastrous event occurs. The actions to be taken to ensure that post-disaster business continues should be discussed, approved by management and documented for review. Documentation of the Plan provides a reference platform of clarity for staff, suppliers and customers.

5. Have you reviewed your Plan with staff, suppliers and customers?

The actions to be taken, defined in your Contingency Plans, identify the impact a potentially disastrous event may have on your business, staff, suppliers and customers. Reviewing appropriate portions of your Plan with each group will allow you to ensure acceptability and clarify expectations. It should be noted that all required components of recovery should be included in your Plan (workplace, technology and tools, staff, support, communications, etc.).

6. Is your Plan current and regularly tested?

If your Contingency Plan doesn't reflect the current business processes, levels of risk tolerance, mitigation procedures, recovery processes, team member roles and responsibilities, notification lists and other critical components for a successful and cost-effective recovery and mitigation of disaster, then your Plan is not current. If you have not verified, by testing, that the steps documented in the Plan will work as specified and expected and in the timeframe required, then you cannot be assured that you will meet business and customer expectations. Regular testing of major portions of your plan should occur annually. If significant changes occur in your business or a significant process, another Impact Analysis should be completed and the required Plan changes implemented, documented and tested to ensure they meet expectations. Testing should validate the recovery procedure and the minimum time to recover.

7. Does your Plan ensure timely resumption of critical business functions?

The measure of time between failure and your recovery back to an acceptable level of business can determine whether you will still be in business when you have completed your recovery. Many businesses have learned, too late, that customers move to other suppliers when services or products cannot be received as expected. You should include a proof-of-concept step in any remote site recovery agreement or Service Level Agreement (SLA), as well as in your plan validation, to ensure your Plan will satisfy your recovery time objectives and recovery expectations. You can best minimize the impact to your business by preparing your Contingency Plan and communicating with your customers before, during and after their expectations are impacted.


Policy Statement Checklist

The best foundation for a complete Business Continuity Program is the definition, approval, communication and integration of an organization-wide Business Continuity Policy. The following Policy components will help to ensure that strong foundation:

• The opening Introduction or Overview statement section defines the purpose of the policy.
• The Policy statement section defines the goals, metrics and responsibilities required to meet policy compliance. A statement of non-compliance penalty should also be included.
• The Policy Leadership statement section defines the executive management officer responsible for oversight, implementation and compliance assurance of the policy.
• The Policy Compliance Certification statement section defines the details to meet policy compliance certification. This may be a reference to a detailed document or source.
• The Policy Compliance Certification support statement section defines those who can assist with meeting policy compliance requirements.

According to the "Interagency Paper on Sound Practices to Strengthen the Resilience of the U.S. Financial System" report (http://www.sec.gov/news/studies/34-47638.htm), decisions about overall BCP objectives should not be left to the discretion of individual business units. An organization-wide Policy should govern.

We would appreciate any comments you may have on Policy statements for a Business Continuity Planning program. Let us know (http://www.businesscontingency.com/contact.php) your Policy, how you communicate the Policy and ensure its compliance, and if we can publish your comments on our website.

Policy Sample

Introduction

[Company] is committed to its customers, employees, shareholders and suppliers. To ensure the effective availability of essential products and services, [Company] provides this Business Continuity Planning policy in support of a comprehensive program for business continuity, disaster prevention and total business recovery.

Policy

Each department is responsible for current and comprehensive Business Continuity Planning (BCP). When implemented, the Plan should include those procedures and support agreements which ensure on-time availability and delivery of required products and services. Each Plan must be certified annually with the BCP policy compliance process through the BCP team.

Policy Leadership

[Executive] is the BCP executive management liaison for the BCP program. Resolution of issues in the development of or support for all Plans should first be coordinated with the BCP team and appropriate internal or external organizations. The "Business Continuity Planning - Policy Compliance Certification" documentation defines the issue resolution process.

Policy Compliance Certification

BCP compliance verification is provided by the BCP team. In order to meet compliance requirements, each Plan should include those appropriate procedures, staffing, tools and workplace planning requirements necessary to meet approved deliverable requirements. In order to support the Enterprise BCP Plan, the format of the BCP documentation must follow the BCP team defined Plan template requirements. Detailed compliance certification requirements are provided through the BCP team and included in the "Business Continuity Planning - Policy Compliance Certification" document located at [link to network location].

BCP Plan Compliance Certification is required annually. A waiver for temporary compliance certification may be given if a detailed written waiver request issued by the department manager is approved by the BCP executive management team liaison. Maximum delay for compliance is one year.

Policy Compliance Certification Support


The BCP team is available to support the development and BCP policy compliance certification process. BCP team services and contact information are available at the BusinessContinuityPlanningTeam intranet link.

[Company] recognizes the importance of a comprehensive Business Continuity Planning Program to ensure the safety, health and continued availability of employment of its employees and quality goods and services for those we serve. We require the commitment of each employee, department and vendor in support of the objectives required to protect [Company] assets, mission and survivability.


Policy Integration Checklist

Promises without progress do not meet preparedness requirements. Metrics for Policy compliance must be clearly defined, implemented and measured. The following policy integration items can help to ensure the success of your Business Continuity Policy. Enforcing metrics of your Policy components will help clarify the Policy, can save resources and will ensure that you meet continuity requirements.

• The Change Control Process supports and includes the Business Continuity Plan (BCP) Policy objectives.
• The BCP Policy is included in the metrics for performance and compensation for all levels of individuals and groups in clear and specific terms.
• Each task in the BCP is assigned to a specific individual. On a regular basis the individual is required to certify (sign) that they are a) aware of the assigned responsibility and b) that the task procedures work as documented.
• Specific metrics and penalties are included in all Service Level Agreements (SLAs) and contracts, sufficient to ensure Business Continuity, Preparedness and compliance with BCP policy.
• The status of the BCP program and Policy support is a regular agenda item for all executive, middle management and team meetings.
• Business Continuity and Disaster Recovery are incorporated into the business process development and operational procedures.
• Business Continuity Plans are required and verified for key suppliers and customers.
• SLAs that support BCP objectives are implemented with key customers.

How the Business Continuity Program is integrated into the fabric of your daily business and long-term strategy will affect your preparedness.


Plan Resiliency Checklist

Eliminating single points of failure greatly increases the probability of continuity. Flexibility can make the difference between maintaining continuity and disaster. Resiliency really counts throughout your Continuity Plan, including the emergency response, risk mitigation and recovery programs. Include the following checklist in your resiliency considerations to ensure continuity.

• The operations center is geographically diverse.
• The back-up and recovery site(s) are outside the current operational area.
• Staffing back-up and/or cross training is enforced and tested.
• Applications and other resources for critical processes are location flexible.
• Business Continuity Plans are current and validated regularly.
• Metrics and a reporting review responsibility are in place for all Plans and Agreements (contracts, Service Level Agreements (SLAs), etc.).
• Recovery Time Objective (RTO) and Recovery Point Objective (RPO) are a measured Plan exercise verification objective.

We are interested in your feedback on this checklist for Plan Resiliency. Let us know (http://www.businesscontingency.com/contact.php) how you are ensuring your required Business Continuity and Preparedness and if we can publish your comments on our website.

Plan Validation Checklist

Plan validation completes the policy integration, risk assessment, impact analysis, recovery strategy selection and Continuity Plan program awareness and training steps. BCP highly recommends that you don't come up short on this checklist.

• Plan validation objectives are comprehensive, approved and measurable.
• Plan validation is scheduled on a regular basis and included in the Policy Compliance Certification.
• Plan validations are as broad and complete as possible.
• Plan validation exercise objectives support your Recovery Time Objective (RTO) and Recovery Point Objective (RPO) and challenge the Plan.
• Each validation exercise (tabletop, walk-through or full) has appropriate metrics to meet or exceed Policy Compliance Certification and references its policy compliance component(s).
• Auditors are included in the validation process.
• Executive, upper management, crisis management and customers (and vendors as applicable) are included in the validation objectives approval process and the validation results report distribution list, and are invited to the Plan validation command center as appropriate.
• Plan validation results and the resulting Plan changes are integrated into documentation.
• Required Plan revalidation items are captured and included in the "next scheduled validation" as appropriate.
• The validation results report includes the activities, successes, shortcomings, individuals and teams involved (internal and external) and how each addressed, point by point, the objectives of the validation plan.

Plan validation is a key measure of the success of your Business Continuity Planning program. Let us know (http://www.businesscontingency.com/contact.php) any comments you may have on this checklist and what you are doing for Plan validation. We intend to put some of the comments received on our website, so let us know if we can list yours, and check back to see what others have said.

Service Level Agreement Checklist

Service level clarity and metrics can ensure the completeness of your Service Level Agreement (SLA) objectives. Leave nothing to chance or adverse interpretation. The supplier must know the what and how, and clients expect no less. This checklist for SLAs may also be included in contracts, letters of understanding and mutual aid agreements. Include the following checklist items in all agreements to ensure clarity and reap big benefits.

• The service provider and client are clearly defined, including specific primary and secondary contacts.
• Performance metrics and method(s) of measurement are stated clearly to ensure compliance.
• Regularity and format of compliance reporting are clearly defined.
• The problem escalation notification process and conditions are clearly defined and validated.
• SLA terms should include, but not be limited to:
  o Start and end date
  o Dependencies
  o Assumptions
  o Non-performance penalties
  o Special cost issues
  o Deliverables
  o Special requirements (security clearances, delivery issues, etc.)
  o Extension and renewal terms
  o Sub-contracting or company buy-out terms and any other item which may have an impact on the service expectations of the agreement
  o Key participants' sign-offs are included
  o Referenced documents are noted appropriately
• Require Continuity Plans and preparedness for suppliers and clients and include the metrics in the SLA or agreement.

Wherever two are gathered together as provider and client, an understanding of expectations MUST be defined. The best way to guarantee what expectations are on both sides of a service is to "put it in writing" and then audit the ongoing deliverables. Clarity and sufficient detail are also important.


Plan Completeness Checklist

The completeness of your Plan and its support of critical business functions and processes will determine your ability to meet staff, customer and vendor requirements. Ensuring completeness is an ongoing process of communication, training and awareness. Never ASSUME. Contingency Preparedness is a responsibility, not an option. You must know what is acceptable and what is not, and ensure all staff, internal and external, meet the required objectives. Minimize continuity omissions by including the following checklist:

• There is a Plan support cover letter authored by the highest possible Executive level person responsible for ensuring the Business Continuity Policy Certification Compliance Policy is enforced. The preferred author is the Board Chair, President, CEO or CFO, with additional enforcement by a letter from each affiliate or departmental Chief Executive.
• There are Plans supporting the minimum key areas of:
  o Emergency Response
  o Technology and Tools
  o Workplace
  o User Operational Procedures
  o Staffing
  o Media and Communications Interface
• The Plan is an enterprise-wide integrated and coordinated Plan.
• Plans are developed, implemented and validated following thorough risk assessment, impact analyses, strategy analysis and critical business process support requirements and flow analysis on a regular basis.
• Integration exists between the Process Development Process, Change Control, the Audit Process, Service Level Agreement (SLA) and contract negotiations, and all daily operational procedures and activities.
• Plans are documented for the level of the responsible implementer and the skills required are clearly defined.
• All interfaces, assumptions, dependencies, requirements and details are clearly documented. Voluminous details of procedures, contact lists, etc. are only referenced, but are audited and validated on a regular basis.
• Confidential Plan information is not included in the general distribution process but is available through secure duplicate sources.
• Key external suppliers' and customers' interfaces, roles and responsibilities are included in the Plan, as appropriate, and included in the validation process.
• Executive Management and Crisis Management teams approve and participate in the Plan validation process.
• The Plan and all associated documentation (electronic or physical) are secured, duplicated and dispersed geographically.


Individual Preparedness Plan Checklist

A critical component of every Business Continuity Plan is the staff of individuals who manage and perform the critical processes that ensure continuity. Individuals who are not available or cannot focus on the task at hand during a disaster will impact the success of the required business continuity and the recovery. There is no guarantee that individuals will be completely prepared if they have the items in the Individual Preparedness checklist below. They can be assured that without most of the listed items, they will not be prepared. The following list provides an overview of some items to consider when preparing your personal and/or your family's contingency plan.

• Complete CPR and First Aid training.
• Document details of key contacts and a plan for communication:
  o Names
  o Full address including zip code
  o Phone numbers, 10-digit (home, work, cell, pager)
  o Communications Schedule Plan
  o Emergency contact names with relationship
• Develop and document a Relocation Plan:
  o Maps, including primary and alternate route(s)
  o Hotel list with contact numbers
  o Meeting places
• Reserve and list cash, credit cards, traveler's checks, bank checks, etc.
• Ensure needed medical items:
  o Prescription and non-prescription medicine
  o Doctor contact information
  o First Aid kit
  o Personal data (blood type, allergies, etc.)
  o DNA chart or material (hair, etc.)
• Have personal and family documentation:
  o Identification
    - Driver's License
    - Pictures
    - Social Security Number
    - Auto information (license tag, make, model, color, etc.)
  o Critical documents (Birth Certificate, Will, etc.)
  o Checklists
  o The Emergency Plan
  o Current photos
  o First Aid instruction book
• Ensure transportation preparedness (gasoline, flares, flashlight, registration, insurance, etc.)
• Store and refresh water, food, vitamins, etc.
• Check your tool kit, including shovel, pliers, screwdriver, tape, etc.
• Pack clothing, bedding, toys, etc.
• Bring telephone items (analog phone and cord, cellular with charger and extra battery)
• Prepare camping supplies (tent, sleeping bag, stove, compass, whistle, water purifier, etc.)
• Have pet requirements (leash, food, tags, medicine, run pen, etc.)

The completeness of your Plan and your communication of it with those covered by the Plan will impact your preparedness and ability to survive. Ensuring your Plan's completeness is an ongoing process of communication, training and awareness. Never ASSUME. Individual Preparedness is a responsibility, not an option. Let us know (http://www.businesscontingency.com/contact.php) what comments you may have on this checklist and if we can list your comments on our website for others to consider.

Public Authority Coordination Checklist

Coordination with public authorities is a critical component of the Business Continuity Plan. Public authorities are the first responders in the event of an emergency, such as fire, civil unrest, terrorism, a hostage situation or a hazardous material event. Public authorities may control access to your business whether you or your neighbor are affected by an event. Public authorities include fire, police, city, county, state or national emergency management teams, National Guard, public utilities, and your city, county, state and, potentially, national elected officials. Beyond ensuring that your suppliers and staff meet required objectives, you must know the local and regional public authorities who support your business environment and their response procedures to ensure you can maintain continuity.

Complete Business Continuity Planning must include organization-wide coordinated plans, supplier deliverable assurances, other support services organizations and coordination with public authorities.

Listed below are some recommended issues to include in your Coordination with Public Authorities planning process as you develop and maintain your enterprise Business Continuity Plan.

Preparedness

• Know your local and regional public authorities including, but not limited to, emergency management, fire, police, public utilities and elected officials.
• Maintain current knowledge of laws, regulations, codes, zoning, standards or practices concerning emergency procedures specific to your location and industry.
• Document each authority group and their roles and responsibilities and possible support resources.
• Document authority group contact information and required contact protocol.
• Document the communication protocol and status reporting process.
• Document organization staff members that may be members of a public authority group (volunteer fire, police, Red Cross Disaster Services, National Guard, State Emergency Response Committee (SERC) and Local Emergency Planning Committee (LEPC), etc.).
• Document facility and region access issues to include, but not limited to, "all clear" parameters/metrics, evacuation and return routes and process details.
• Establish liaison procedures for emergency and disaster scenarios.
• Document and associate with appropriate public authority Early Warning Notification Systems, Press Releases, Websites, etc.
• Coordinate organizational vulnerability and risk assessment with associated public studies and assessments.


• Review vulnerabilities and risks and include complementary and appropriate mitigation and response procedures in your organization's Business Continuity Plan and risk assessment process.
• Utilize the Incident Command System (ICS) / National Incident Management System (NIMS) format and stay current with local authorities and their implementation.
• Document the levels of support and/or degree of recovery obtainable in support of your organization's response and recovery Plan. Especially evaluate Plan activities for days 1 through 5.
• Document local and regional supporting infrastructure resources to include, but not limited to, roadmaps, contour maps, pipelines, waterlines, power plants and grids, communication lines and hubs, railroads, bridges, water and fuel supplies, etc.
• Document local and regional supporting resources to include, but not limited to, Emergency Operations Centers (EOC), hospitals, police and fire facilities, evacuation support centers, supply warehouses and docks, key vendors, National Guard facilities, SERC and LEPC resources, etc.
• Document the forms and processes to be used during an event or exercise to ensure activities, participants, etc. are captured for review and Plan response and recovery improvements.
• Develop procedures for sharing critical and confidential (lock-boxed) information to include, but not limited to, your organization's site layout information, floor plans, secure areas, laboratories, electrical sources, telecomm sources, etc. and public authority confidential information.
• Determine organizational interface protocol, identification and training requirements and identify appropriate internal staff or support representative(s).
• Share locations and types of organizational resources of public interest including, but not limited to, hazardous materials, fuel supplies, water sources and organizational contacts.
• Define "regional" supporting resources, staffs, expertise, etc. to include, but not limited to, Red Cross, United Way, Catholic Charities and other religious and community support groups, etc.
• Document organizational resources potentially available in support of other organizations and public authority activities. Include skills and training parameters.

Response and Recovery

• Monitor status information included on local, regional and national warning systems, press releases, radio and television reports, etc.
• Document the actual events, including all incoming information and recommendations and comments by participants, clients and observers, to facilitate post-event analysis.
• Monitor public authority exercises and event responses and review their ongoing event status and Plan implementations.


    Notify authorities of organizational on-going event status and projected Plan implementations.

    Include public authorities in organizational exercises where applicable.

    Participate in local and regional exercises with staff and resources including, but not limited to, the Emergency Operations Center (EOC).

    Communicate availability and document use of resources for public authorities.

    Post Event or Exercise

    Document local and regional public authority facilities which may have an impact on your business to include, but not limited to, police and fire stations, public buildings such as city halls, courthouses, Justice of the Peace locations, infrastructure terminals and storage locations, parking lots and Federal Reserve Banking locations.

    Communicate internal event or exercise results to public authorities when their support was utilized, could have been utilized, or had an effect on your recovery.

    Review the event or exercise documentation, Plan objectives, participants and final reports for lessons learned and Plan and training modifications and procedure improvements.

    Participate in post event public discussions and round-tables.

    Coordinate future exercises and objectives.

    Training

    Participate in local and regional training exercises with staff and resources.

    Share internal training for the response and recovery Plans developed, including documentation validations and certification process, table-tops, walk-throughs, component validations, etc.

    Complete Business Continuity Planning must include enterprise-wide coordinated plans, supplier deliverable assurances, other support service organizations and coordination with public authorities. Let us know how you formalize interface with public authorities and any recommendations you have for our checklist.

    Business Continuity Assessment Checklist

    This assessment will assist you with putting your business continuity plan together. The assessment has been split into sections for ease of reference. Document relevant details/information/procedures and you will then have a business continuity plan. Not all the questions may be relevant to your business.

    BUILDING FACILITIES

    Do you have evacuation procedures for your buildings?

    Are the fire exits clearly marked and fire procedures in place?

    Do you regularly practice fire drills?

    Do you have primary and secondary evacuation points at a suitable distance away from the building(s)?

    Do you have a site plan of your building(s)?

    Do you have generator backup systems in place?

    Do you have an alternative building to use in an emergency, i.e. where your business or critical elements of your business could continue to operate from?

    Do you check on a regular basis that the heating and air conditioning is working?

    Have you familiarised yourself and your staff with the location of the mains switches and valves (electricity, gas, water)?

    Do you carry out end of day inspections, i.e. to check everybody has left?

    At the end of the working day do you have procedures in place to make sure that all appliances are switched off and doors and windows are locked?

    Do you regularly check the integrity of external fences and doors?

    PERSONNEL

    Have you got a list of all employee contact telephone numbers and home addresses?

    Do your staff know who is in charge in the time of a crisis?

    Have your staff been given specific roles in the event of a crisis?

    If your business could not operate from its present location could your staff work from an alternative location, or some of them work from home etc?

    Do you have members of staff with first aid or medical training?

    SECURITY

    Is there a security system installed?

    Do you have a security policy?

    Do you give advice or training on security?

    Do you check references fully?

    Are contractors checked fully (i.e. company as well as each individual)?

    PAPER AND ELECTRONIC DOCUMENTS

    Do you copy/back up your information?

    Do you store your critical paper documents in fire/waterproof containers?

    Do you have copies of critical accounts and contracts at a separate location?

    Is someone responsible for the upkeep of your files and accounts?

    IT

    Are your IT systems critical to the running of your business?

    If your IT systems went down do you have manual processes that could maintain critical documentary/administrative functions?

    Do you know how long it would take to recover IT functions if your system went down?

    Who would restore your system if it went down and do you have their contact details?

    Do you have a tested IT disaster recovery plan?

    Is your computer anti-virus software up to date?

    Are documented IT security policies and procedures in place?

    Are all your computer users fully aware of email and internet usage policies?

    Is your company system part of a larger network?

    Do you know how many platforms/servers/applications or operating systems support critical business functions?

    Is expertise of how to use your IT system, knowledge of where critical documents are electronically stored etc, limited to one individual?

    Do you have vital computer information stored on back up disks held off premises?

    SUPPLIERS

    Do you have alternative suppliers for critical equipment/stores/parts/goods/products etc?

    Do you have an arrangement with your critical suppliers where they will inform you if they cannot make a delivery?

    Do your suppliers have a business continuity plan?

    Do you have your suppliers' correct contact details both office hours and out of office hours?

    COMPANY EQUIPMENT

    Do you have someone accountable for the assets of your company?

    Do you have an inventory and is it regularly checked?

    Do you have controls over the movements of your company equipment?

    CUSTOMERS

    Do you have the correct contact details for all your main customers?

    Do you have any key customers who you will need to be in constant contact with during a crisis?

    LOCATION

    Have you thought about the types of risk that might occur due to the actions/operations of other businesses near to you?

    Have you thought about the types of risk associated with the environment, i.e. flooding from a nearby river, snow, severe weather etc?

    INSURANCE

    Do you have sufficient insurance to pay for disruption to business, cost of repairs, hiring temporary employees, leasing temporary accommodation and equipment etc?

    Do you have your insurance company's details in order to contact them immediately at the time of an incident?

    ASSESS THE RISKS

    Consider what the most likely and greatest risks to your business are. Analyse the risk by asking yourself the following questions:

    How likely is it to happen?

    What effect will it have on the business?

    How can you cope with it, i.e. what do you need to do to stay operational if it takes place?

    What preventative measures can you take to prevent them from happening or minimise the effect they will have on your business?

    Are you insured against the worst eventualities?

    PUBLIC RELATIONS (MEDIA)

    Bad publicity or incorrect information given out during an incident can make or break a company's reputation. If your business has a major incident then PR will influence how existing and potential customers, suppliers and all other stakeholders will view your business.

    Nominate a company spokesperson, ensure all staff know who it is, and ensure that they have some training in media handling.

    During an incident ensure:

    That your company gives out a consistent message

    Staff are kept informed

    Advertisements are placed in local or national papers as needed

    GENERAL

    Have you prepared an emergency pack? If you have prepared a pack have you included the following items?

    Business recovery plan

    List of employees with contact details

    Details of IT providers

    Contact details for clients and suppliers

    Building site plan

    Spare keys

    Computer back up tapes/discs

    First aid kit

    Stationery/message pads/coloured pens and pencils

    Torch with spare batteries

    Megaphone

    Tape

    Mobile phone/s fully charged

    Disposable cameras

    Dust and toxic fume masks

    Is your business continuity plan:

    Clearly documented

    Easily accessible

    Understood by key personnel

    Is there someone in your organisation who will have responsibility for maintaining and updating your plan?

    From FEMA's Standard Checklist Criteria For Business Recovery

    Completed By :

    Name:______________________________________________

    Company:___________________________________________

    Room:_______________

    Street:______________________________________________

    City, State, Zip:_______________________________________

    Phone Number:______________________

    Business Recovery Plan for :____________________________

    Business Recovery Plan LEVEL 1 (Executive Awareness/Authority)

    1) Has a Business Recovery Plan been:

    a) Developed?

    b) Updated within the last 6 months?

    Business Recovery Plan LEVEL 2 (Plan Development and Documentation)

    1) Has a classification (critical, important, marginal) been assigned to the Business Process/Function/Component that this Facility/Function supports?

    2) Has a Business Recovery Plan been:

    a) Documented?

    b) Maintained?

    3) Does the Business Recovery Plan include the following sections:

    a) Identification?

    b) Incident Management?

    i) Responsible company officer?

    ii) Personnel responsible for updates?

    c) Response?

    d) Recovery?

    e) Restoration?

    f) Plan Exercise?

    g) Plan Maintenance?

    h) Business Recovery Teams and Contact Information?

    4) Does the Business Recovery Plan identify hardware and software critical to recover the Business and/or Functions?

    5) Does the Business Recovery Plan identify necessary support equipment (forms, spare parts, office equipment, etc.) to recover the Business and/or Functions?

    6) Does the Business Recovery Plan require an alternate site for recovery?

    i) Does the Business Recovery Plan provide for mail service to be forwarded to the alternate facility?

    ii) Does the Business Recovery Plan provide for other vital support functions?

    7) Are all critical or important data required to support the business being backed up?

    i) Are they being stored in a protected location (offsite)?

    8) Do you conduct a walk-through exercise of your Plan at least annually? (This should include a full walk-through as well as "elements" of your plan, i.e. accounts payable, receivable, shipping and receiving, etc.)

    9) Do the walk-through element exercises have a prepared plan which includes:

    a) Description

    b) Scope

    c) Objective

    10) Is a current copy of the Business Recovery Plan maintained off-site?

    11) Do all users of the Business Recovery Plan have ready access to a current copy at all times?

    12) Is there an audit trail of the changes made to the Business Recovery Plan?

    13) Do all employees responsible for the execution of the BDRP receive ongoing training in Disaster Recovery and Emergency Management?

    LEVEL 3 (Management & Recovery Team Assessment and Evaluation For Effectiveness)

    1) Have the business officer and management team approved the Business Recovery Plan?

    2) Does the business owner maintain:

    a) The master copy of the Business Recovery Plan?

    b) An audit trail of the changes made to a Business Recovery Plan?

    3) Do all aspects of physical and logical security at the alternate site conform with your current security procedures?

    4) Are the physical and logical security at the alternate site at least as stringent as the security at the disaster location?

    5) Have all employees and their alternates responsible for executing a manual work-around for a mechanized process been identified in the Business Recovery Plan and properly trained?

    6) Has an independent observer documented the simulation exercise(s) noting all results, discrepancies, exposures, action items, individual responsible, etc.?

    7) Was a debriefing held within a reasonable period of time (typically two weeks) after the simulation exercise(s) to ensure all activities have been accurately recorded?

    8) Did the exercise coordinator publish a simulation exercise(s) report within a reasonable period of time (typically three weeks) after the completion of the simulation exercise(s)?

    9) Did the exercise report include:

    a) what worked properly as well as any deficiencies and recommendations for improvement?

    b) responsibility and due date for the development of the Corrective Action Plan?

    10) Was a Corrective Action Plan developed by the Exercise Team to address any deficiencies identified by the exercise?

    11) Is there a retention plan for the Exercise Plans and Corrective Action Plans (minimum retention 3 years)?

    12) Has a walk-through element exercise been performed at least quarterly?

    13) Did each walk-through element exercise have a prepared plan which includes:

    a) Description

    b) Scope

    c) Objective

    14) When there is a change in hardware, software, or a process that might impact the Business Recovery Plan, is the Business Recovery Plan reviewed and updated within 30 days of the changes?

    Sign-Off By Officer:

    By whom? Name:____________________________

    When? Date:_____________________________

    15) Based on the Joint Assessment has the Team determined that the Business Recovery Plan is effective?

    Business Recovery Plan -- LEVEL 4 (Certification)

    (Management & Recovery Team Assessment Of Readiness and Plan Maintenance)

    1) Has the component Business Recovery Plan been approved by the owner(s) of the Business Function(s)?

    2) Has the entire Business Recovery Plan simulation exercise been performed at least annually?

    3) Has the Corrective Action Plan been completed and closed?

    4) Did the Business Recovery Plan simulation exercise have a prepared plan which includes:

    a) Description

    b) Scope

    c) Objective

    5) Did the component Business Recovery Plan simulation exercise meet the acceptable Recovery Time Objective set by management?

    6) Based on the Joint Assessment has the Team determined that the Business Recovery Plan and Exercises have met all requirements to provide reasonable assurance that the plan will work in the event of a disaster?

    7) Does the Business Recovery Plan specify the maximum acceptable Recovery Time Objective (RTO)?

    8) Does the Business Recovery Plan specify the level of service (which the business owner has agreed to be acceptable) to be provided while in recovery mode?

    9) Have all changes relating to RTO in the Business Recovery Plan been approved by the process owner?

    Business Continuity Checklist

    The nature of an emergency or disaster is its unpredictability. However, organizations which have done their homework ahead of time can reduce losses and be better prepared to continue operating and communicating with employees and customers during the aftermath. The ability to telework and familiarity with the procedures involved have proven to be a key asset in emergency management. The following checklists detail questions most employers should be able to answer and tasks that should be accomplished ahead of time to ensure business continuity.

    In the event of an emergency, has your organization determined the answers to these questions?

    Who is the coordinator/main contact?

    What are the vital business functions that need to be online first?

    Who is already set up to telework or can easily make that transition?

    Is there a way to connect to the company's network remotely and is there a backup in case the primary system fails?

    Tasks to help prepare for an emergency situation:

    Create a list of employees already teleworking and/or those who can start immediately, as well as their contact information.

    Designate an IT/IS point person in charge of ensuring employees can gain remote access.

    Designate a company-wide coordinator or "task force" to act as the primary source of information and guidance in such situations.

    Develop a telework kit for regular and potential ad hoc teleworkers that includes basic guidelines, a list of important numbers and e-mail addresses, passwords and procedures for staying in communication and backing up key data.

    Back up records/data regularly in case the network is lost.

    Ask all employees to become familiar with telework procedures, technologies and remote access to company servers and to have a plan for how they might work remotely in an emergency situation.

    Make sure secure access to corporate data and applications is available and a backup system is in place should the primary system go down.

    Make sure the telecommunication system allows for call forwarding.

    Provide emergency teleworkers with calling cards to use for business calls.