TYPES OF SITUATIONS COVERED BY THIS GUIDE


Post on 09-Dec-2021


Guide to Practical Business Continuity Planning


CONTENTS

INTRODUCTION
Business Continuity and Disaster Recovery
Protecting Value
Design for Resilience – a BCM Model
The Ten Professional Practices
Summary

THE BCP DEVELOPMENT PROCESS
Levels of Involvement in the Process
Roles and Responsibilities
The Seven-Step BCP Development Process

STEP 1 – PROJECT INITIATION MEETING
1.1 Objectives
1.2 Meeting Agenda

STEP 2 – KICK-OFF MEETING
2.1 Objectives
2.2 Meeting Agenda
2.3 Future Meetings

STEP 3 – STRATEGY MEETING
3.1 Objectives
3.2 Meeting Agenda

STEP 4 – VALIDATION MEETING
4.1 Objectives
4.2 Meeting Agenda

STEP 5 – WRITING THE PLAN
5.1 Objectives
5.2 Methodology
5.3 Modular Plan Development
5.4 The Entity BCP
5.5 Coordinator’s Role

STEP 6 – FINAL MEETING
6.1 Objectives
6.2 Meeting Agenda

STEP 7 – PLAN MAINTENANCE AND EXERCISING
7.1 Maintenance
7.2 Exercising

THIRD-PARTY RESOURCES

SITE CRISIS/INCIDENT MANAGEMENT TEAMS

APPENDICES
A.1 Summary of Entity Strategic Objectives
A.2 List of Entities for BCP Development
A.3 Preliminary List of Strategies, Resources and Costs
A.4 Summary of Strategy Evaluation
A.5 Business Continuity Worksheet
A.6 Entity Business Continuity Template


INTRODUCTION

One of the most frequently asked questions by those attempting to develop a business continuity plan (BCP) is, “How do I start?” FM Global has developed this guide as the practical, planning-focused element of our business continuity management (BCM) toolkit: an array of services and products that address this question.

It’s important to understand that BCM is much more than writing a BCP, and there are a number of stages that an organization needs to go through before and after the plan development stage. Consequently, this guide should not be viewed as a starting point for BCM, nor as a stand-alone resource, but primarily as a collection of guidelines and templates to assist the business continuity planner. Excellent documents in the public domain provide detailed information on the context of planning within BCM. These include the Good Practice Guidelines (www.thebci.org) and the Professional Practices for Business Continuity Professionals (www.drii.org), authored by the Business Continuity Institute (BCI) and the Disaster Recovery Institute International (DRII) respectively, two of the most prominent authorities in this field.

Nonetheless, we have included some background information to enable you to put business continuity planning into context, because we believe a sound understanding of BCM basics is essential to building effective plans. This information is drawn both from our experience and from the public domain, particularly the BCI and DRII (FM Global has no connections with these two organizations and their appearance here does not constitute a recommendation or endorsement by us).

Business Continuity and Disaster Recovery

What is the difference between a BCP and a disaster recovery plan (DRP)? Both terms are often used interchangeably, and the fact that there are similarities between the two adds to the confusion. The distinction between the two terms can be seen from the following:

• Disaster Recovery refers to those activities necessary to respond to an incident at a location to restore normal operations after a major incident, or specific scenario. DRPs are therefore written to establish the necessary actions immediately, during and after an anticipated event to expedite the resumption of normal operations.

• Business Continuity is a strategic approach to the business as a whole, involving the development of a response to safeguard the entire business by managing the impact of a disruption to achieve the company’s business objectives for survival, irrespective of the cause of the disruption. By implication, the development of the BCP requires a much deeper understanding of the business, the criteria for business survival, the continuity strategies available, and the resources necessary to implement the continuity response.

This manual is made available for informational purposes only in support of the insurance relationship between FM Global and its clients. This information does not change or supplement policy terms or conditions. The liability of FM Global is limited to that contained in its insurance policies.


Although there is inevitably some overlap in these two concepts, this guide focuses on the development of the BCP, rather than DRP.

Protecting Value

Businesses generally exist to deliver products and services to markets in order to generate value for stakeholders. The effective delivery of these products and services is enabled by a number of processes, which exist both inside and outside the organization. Within this context and this document, we are defining a process very broadly – it can be a person or group of people, an activity, an asset, a function, a supplier – essentially a discrete enabler of the business model.

Within any business, certain products and services will be deemed critical to continued success because they generate (or support the generation of) a large proportion of value for the business, or they may do so in the future. It follows that the processes that enable the delivery of the critical products and services will themselves be considered critical to the business.

The failure of a critical process, for any reason, could potentially stop the delivery of products and services, resulting in a reduction in the value generated for stakeholders. Consequently, a business needs to protect these critical processes to ensure they are able to withstand disruption to continue delivery of services. The business must, therefore, be sufficiently resilient to achieve this objective.

Design for Resilience – a BCM Model

BCM is the actualization of this ideal. It is a business culture rather than a project – a continuous effort by all members of an organization to contribute to building resilient processes. The BCI and the DRII collectively define BCM as:

a holistic management process that identifies potential impacts that threaten an organization and provides a framework for building resilience and the capability for an effective response that safeguards the interest of its key stakeholders, reputation, brand and value creating activities.

It is a framework that combines various elements of disaster recovery, risk management and related disciplines, which can ultimately lead to an action-orientated document, the BCP. The BCP is derived from conclusions and assumptions drawn from information-gathering activities, risk assessments and assigning roles and responsibilities to key individuals that ensure the development and implementation of appropriate recovery strategies to achieve specific objectives.

When contemplating business continuity, many organizations fail to recognize there is plenty to do before developing the plan. For example, Protecting Value makes it clear that some work must be done in order to establish which are the critical products, services and processes. Design for Resilience is a framework for developing and managing business continuity.


Design for Resilience represents the ideal that an organization ultimately aspires to internalize business continuity to the extent that strategic decisions about the design of the organization – such as the development of new products, services and markets – are influenced by consideration of how to ensure that the critical enabling processes are resilient from their very conception. In order to achieve this aspiration, the organization must undertake an iterative process of analysis, planning and implementation.

Strategy

It is essential that senior executive support and sponsorship are secured at the outset of the BCM process. Given the strategic nature of business continuity, the lack of such support is likely to result in failure.

Culture

Not only must business continuity be supported at the executive level, it also needs to be owned throughout the organization. Communication of the benefits of business continuity must be organization-wide – the development and implementation of business continuity strategies and plans will take place at the tactical and operational level, so buy-in is critical.


Understand your business

In the context of your organization’s strategy, business impact analysis and risk assessment tools are used to identify the critical products, services and enabling processes. These tools help you to gain a full appreciation of the complex relationships and potential vulnerabilities to extended disruptions within your own organization, your suppliers, customers and the economic environment within which your company operates.

Develop your continuity strategies

Strategies to maintain the effective delivery of products and services in the event of an impaired process need to be established and evaluated at different levels: organization (corporate), process level and resource recovery. There are three core types of BCM strategy: physical solutions, operational solutions and response/recovery solutions. They are not mutually exclusive; for example, you may choose to physically protect a process to the maximum feasible extent but still provide operational back-up and a plan to implement this when required.

Implement your continuity strategies

Having gained a sound understanding of the business, established critical processes, determined priorities and identified the BCM strategic choices, you can now turn your attention to implementation. Some strategies – operational solutions, for example – will be implemented pre-incident, to increase the resilience of the process. Others will be implemented post-incident – and in order to ensure effective and efficient implementation, you will need a plan. The BCP is an action-orientated document that effectively transforms all the conclusions and judgments applied during the information-gathering process and business impact analysis into direct action. The BCP should be clear, concise and well organized. A group’s plan should address the five key areas of all organizations: people, facilities, data/processes/information technology, supply chain and distribution channels. We will return to the practicalities of developing the plan in the main body of this guide.

Keep continuity alive

Two actions are essential to carry business continuity beyond being ‘just another initiative.’ The developed BCPs must be exercised – by doing so, the capability of the organization to continue business in the event of a major incident is secured. Benefits of exercising include:

• Effective training and enhanced awareness of all persons involved in BCM

• Testing of all components of the plan to ensure that the desired result is achieved

• Clarification of roles and responsibilities and communication between participants

Exercising should be conducted at least annually, subject to agreement by the sponsor in discussion with the company’s executives.


In addition to exercising and auditing the plan, changes must be made to respond to changes in key processes. Organizations are dynamic, and a plan can quickly become out of date in today’s fast-paced business environment. Design for Resilience is an iterative management process, not simply the one-off development of a set of plans.

The Ten Professional Practices

The Professional Practices for business continuity professionals, as set out by the DRII and the BCI, is a common body of knowledge comprising the skills, tasks and activities that characterize the business continuity profession. In developing a BCM framework within your organization, you will not necessarily need to possess all this knowledge and all these skills, but it is likely that at some point you will need to access them. The DRII provides the following summary of the Professional Practices:

Project Initiation and Management

Establish the need for a BCM process or function, including resilience strategies, recovery objectives, business continuity and crisis management plans, and including obtaining management support and organizing and managing the formulation of the function or process either in collaboration with, or as a key component of, an integrated risk management initiative.

Risk Evaluation and Control

Determine the events and external surroundings that can adversely affect the organization and its resources (facilities, technologies, etc.) with disruption as well as disaster, the damage such events can cause, and the controls needed to prevent or minimize the effects of potential loss. Provide cost-benefit analysis to justify investment in risk mitigation controls.

Business Impact Analysis

Identify the impacts resulting from disruptions and disaster scenarios that can affect the organization and techniques that can be used to quantify and qualify such impacts. Identify time-critical functions, their recovery priorities and interdependencies so that recovery time objectives (RTOs) and maximum tolerable outages (MTOs) can be set.

Developing BCM Strategies

Determine and guide the selection of possible business operating strategies for continuation of business within the recovery point objective and RTO/MTO, while maintaining the organization’s critical functions.

Emergency Response and Operations

Develop and implement procedures for response and stabilizing the situation following an incident or event, including establishing and managing an emergency operations center to be used as a command center during the emergency.


Developing and Implementing Business Continuity and Crisis Management Plans

Design, develop, and implement Business Continuity and Crisis Management Plans that provide continuity within the recovery time and recovery point objectives.

Awareness and Training Programs

Prepare a program to create and maintain corporate awareness and enhance the skills required to develop and implement the BCM Program or process and its supporting activities.

Maintaining and Exercising Plans

Pre-plan and coordinate plan exercises, and evaluate and document results. Develop processes to maintain the currency of continuity capabilities and the plan document in accordance with the organization’s strategic direction. Verify that the plan will prove effective by comparison with a suitable standard, and report results in a clear and concise manner.

Crisis Communications

Develop, coordinate, evaluate, and exercise plans to communicate with internal stakeholders (employees, corporate management, etc.), external stakeholders (customers, shareholders, vendors, suppliers, etc.) and the media (print, radio, television, Internet, etc.).

Coordination with External Agencies

Establish applicable procedures and policies for coordinating continuity and restoration activities with external agencies (local, state, national, emergency responders, defense, etc.) while ensuring compliance with applicable statutes or regulations.

Summary

The Design for Resilience model can be viewed as the recipe of how to implement BCM in an organization, whereas the Professional Practices could be viewed as the BCM ingredients. More detail on the Professional Practices, along with a wealth of other BCM-related information, is provided on the websites of the DRII and BCI organizations.

The remainder of this document presents what we believe to be a practical approach to developing BCPs within the context of the model and the Professional Practices. It is intended to provide general guidance and introduce basic BCM/BCP terms and concepts. Implementing BCM in an organization can be a very complex matter and further information can be obtained from numerous sources to help with specific situations. This guide is not intended to address all needs organizations may have when it comes to implementing BCM in their business or to develop all types of BCPs.


THE BCP DEVELOPMENT PROCESS

Levels of Involvement in the Process

There may be several organizational levels involved in business continuity planning. The following definitions are provided to give a common understanding of each level. This guide uses the term ‘entity’ to describe an operating group, division, location or site, a business function, department activity or supplier for the business within a hierarchy structure, depending on the type of operation involved. There may be more than one entity at each level within the company. In all cases, the seven-step process outlined on page 11 should be applied to each entity at each level of the business. The following chart shows typical entity levels for a company involved in the BCP development process.


However, it should be recognized that the topics at each level in the process will differ in importance. In general, those entities at the top of the hierarchy will be more focused on establishing the strategic objectives, whereas the entities in the lower hierarchy will be focused on activities to implement the strategy. In all cases, the critical activities within each entity level must be aligned to support the overall strategic objectives of the company’s top level in the hierarchy as a whole.

Once entity level plans are developed, they should be reviewed and coordinated at the entity level above and below in the hierarchy to ensure they are consistent, and that interdependencies between internal and external service providers are addressed for each level.

Roles and Responsibilities

Responsibilities for undertaking the plan development at each entity level should be assigned for all activities that are considered critical for continuity of deliverables throughout the hierarchy. The following is a list of typical roles and responsibilities for the plan development.

Role / Responsibilities

Senior Entity Manager

• Designate a business continuity coordinator with the responsibility and authority for leading the development of continuity plans.

• Meet with the continuity coordinator to determine the best process for developing continuity plans at the site.

• Designate which organization entities and managers responsible should participate in the business continuity planning process.

• Provide the necessary incentives and resources to assure the business continuity planning process is successful.

• Communicate the top-level strategic objectives that have been developed, and the objectives the entity plan must achieve through the BCP.

Senior Operational Managers

• Help identify critical functions and service supplier entities within the organization that underpin the achievement of the given objectives.

• Work with the business continuity coordinator to ensure each entity within the organization develops plans for its own critical functions and suppliers.

• Help identify and address dependencies between plans.

• Approve each plan created within each entity.

Senior Department Managers

• Designate entity members to develop their BCP within an agreed time frame.

• Work with other entities to address interdependencies and common issues.

• Approve a specific BCP for the entity.

Business Continuity Coordinator

• Become familiar with the business continuity planning process as put forth by business continuity industry standards (see DRII and/or BCI referenced within this document).

• Lead the site’s business continuity planning process.

• Work with each entity level within the organization to assure individual BCPs are completed and consistent.

• Coordinate continuity plans within the site, and for the business as a whole.

• Ensure each plan is consistent and aligned with the overall objectives of the business, as well as integrated with both internal and external supplier dependencies.


The Seven-Step BCP Development Process

The remainder of this document discusses developing an effective BCP utilizing the following seven-step development process:

This process should be applied at each entity level, beginning at Level 1. At each lower entity level, as indicated in Section 2.1, the process should be extended to separate entities at each level that could impact the business objectives.


STEP 1 – PROJECT INITIATION MEETING

The Project Initiation Meeting for entity level 1 is an important meeting to ensure plan development can progress efficiently and cost-effectively throughout the company. A key aspect of this meeting is to ensure the appropriate managers for each entity level are in attendance, and that continuity of participants can be maintained throughout the course of the plan development process. A business continuity coordinator should be appointed in advance to lead this meeting.

A second aspect of the meeting is to establish the strategic objectives for the entity.

1.1 Objectives

• Develop an understanding of how business continuity planning applies throughout the company.

• Set the strategic objectives of the top entity level 1. For lower-level entities, establish the strategic products or services from within the entity that impact the level-1 objectives as the focus of the entity’s BCP.

• Determine the steps necessary to have a business impact analysis performed for the entity levels (if not already completed).

• Decide which entities need to participate in the planning process.

• Determine project timeline and schedule kick-off meetings for each entity level.

1.2 Meeting Agenda

Five primary agenda items are explained below. The business continuity coordinator or site manager should lead the meeting.

Business Continuity Coordinator

The site manager should confirm the responsibility and authority of the business continuity coordinator. This should include the authority to set schedules for the project and assure each entity meets these deadlines.

Plan Development Process Review

The participants should review the purpose of business continuity planning, as well as the process to be used for creating individual entity plans, and the resources that will be needed. Any questions regarding the need for BCPs should be addressed to assure all managers fully support the planning process.

Establishing the Strategic Objectives

The group should establish the strategic objectives for the individual entity to maintain the optimum level of products or services to meet the customer demands developed for the business. These should be entered into Appendix A.1.


Entities to Participate in Planning

The group should determine which entities should be involved in the planning process. This would normally include every entity with a mission-critical function that is essential for key operations, production deadlines or meeting customer requirements.

The group should also determine the best method for creating and coordinating plans at the site:

• If there is only one major entity, then plans may be coordinated directly at that level;

• If there are a number of major entities, each may coordinate its own plans, and roll-up all the plans into the next level of hierarchy using the same process.

Based on the objectives developed, list the entities participating in the BCP development in Appendix A.2.

Entity Kick-Off Meetings

The actual planning process for each entity begins at the respective kick-off meeting, as explained in the next part of this guide. The group should agree on a schedule for these meetings.


STEP 2 – KICK-OFF MEETING

The Kick-Off Meeting builds on the project initiation meeting and commences the planning process for the BCP development. Business impact analysis and risk assessments are planned and scoped, plan ownership assigned and timelines established.

2.1 Objectives

• Confirm and agree on the process and resources that will be required to complete a BCP for the entity.

• Agree on a timeline to have a business impact analysis (BIA)/risk assessment (RA) completed, if not already available. This will be used to identify and quantify threats, interdependencies and exposures to critical functions within the entity.

• Confirm the assumptions under which the entity’s BCPs will be developed.

• Schedule meetings for each critical function, or activity.

• Enter the discussion minutes and conclusions into the relevant sections in the Worksheet Comments, Section 1, Appendix A.5.

2.2 Meeting Agenda

Four primary agenda items are explained in detail below. The business continuity coordinator should lead the meeting.

Purpose of Meeting and Process

Review the purpose of the meeting and the business continuity process. Confirm that the appropriate people are involved with the necessary authority, and assure the appropriate level of commitment and availability for the activity from the attendees.

Business Impact Analysis (BIA)

The group should determine resources and assignments required to complete a BIA. A BIA should be undertaken for a discrete focus of the business, and would normally include every entity with mission-critical activities (MCAs) that are essential for operations that are needed to at least deliver the strategic objectives. The options of performing the BIA internally or using an outside resource should be considered.

The BIA is one of the most important steps in business continuity planning. It is the foundation work from which the whole BCM process is built. It identifies, quantifies and qualifies the business impact of a loss or disruption of business processes on the entity, and provides the data from which appropriate continuity strategies can be determined to safeguard the business.


It evaluates how the disruption of various functions or suppliers would affect the company as a whole. The entity can then focus its BCPs on its critical functions or suppliers.

The model below shows the integration of three key components to generate the BIA.

It should be appreciated that a BIA is an in-depth study of an organization’s activities. The process is likely to take months rather than days, but is absolutely necessary to ensure the development of an overall business continuity framework.

Risk Assessment (RA)

A risk analysis is used to identify potential threats to the entity’s objectives and activities. It also determines which risks are most significant. A risk assessment may already have been completed for the upper level entity as part of a BIA or Risk Register. If so, conclusions from this activity can be referenced in determining an appropriate focus for a BCP.

However, the primary function of the BCP is to manage the impact to the business overall in the event of disruption. The BCP should therefore be created to safeguard the pre-defined company’s appetite for risk from a period of disruption to the high-level strategic objectives of the company, no matter what the risk, or cause of disruption, is likely to be. In all cases, the BCP should address the resilience of the operations to deliver on the strategic objectives. The conclusions from the risk assessment can be considered during the cost-benefit analysis for selected strategies, to ensure optimum return for the cost of the plan.

Assumptions

Assumptions help define the context within which each entity’s BCP will be developed. Assumptions should be realistic and give all teams a common starting point for their plans. Choose the ones that apply to the entity, and add any others needed to create a list of assumptions that make the most sense. Enter all assumptions in Section 1.4 of Appendix A.5.

2.3 Future Meetings

Each entity with a critical function or activity will need to hold meetings to begin creating a BCP. These meetings are covered in the next part of this guide.

The group should agree on the timeline for individual meetings, and on a date to re-convene for a review of individual strategies once all meetings are completed.

STEP 3 – STRATEGY MEETING

The goal of the Strategy Meeting is to identify those processes truly vital to the survival of the entity, and have in place strategies that will ensure their continuity and the continuity of the top level.

3.1 Objectives

• Review the BIA and agree on the key areas of the entity that should be safeguarded.
• Review the risk assessment to identify what would most likely cause an interruption of the entity’s operations.
• Review the conclusions from the entity’s kick-off meeting, verify that the conclusions are valid, and revise them as necessary.
• Analyze options for operating in continuity mode, and choose a preliminary strategy.
• Begin to identify minimum requirements for operating in continuity mode.
• Estimate preliminary costs for the strategy chosen.

3.2 Meeting Agenda

Four primary agenda items are explained in detail below. The business continuity coordinator should lead the discussion, using this guide as a prompt. Discussion topics from the meeting should be recorded in Section 1: Objectives and Strategies Worksheet of the Entity Worksheet for Business Continuity Planning (see Appendix A.6).

Purpose of Meeting

Review the purpose of the project and ensure that the participants understand the objectives of the meeting. The ultimate objective at this stage is to identify appropriate strategies for each critical process within the entity. You may need to review some of the material from the kick-off meeting to validate the purpose of the project.

Preliminary Actions, Resources and Costs

Referencing Appendices A.1, A.3, A.4 and A.5, create a preliminary list of major actions to be taken for implementing the chosen strategy. Estimate the costs for each action and complete A.3.12.3.

It is not necessary to create detailed procedures or equipment lists at this time. This will be done after the strategy is approved by senior management.

At this point, Section 1: Objectives and Strategies Worksheet of the Entity Worksheet for Business Continuity Planning (see Appendix A.6) should be complete. The entity head should take this information to the entity’s senior management for review before proceeding further. That process is covered in the next part of this guide.

STEP 4 – VALIDATION MEETING

The Validation Meeting’s primary objective is to resolve variations in assessments and proposed strategies derived from the individual entity reviews, and to confirm the acceptable strategies to achieve the company’s objectives on which the BCP will be based. This meeting should include a senior-level decision-maker who can deliver a binding conclusion to those in attendance.

4.1 Objectives

• Review the results of individual meetings.
• Discuss strategies chosen, and identify possible conflicts.
• Management should approve suggested strategies, as appropriate.
• Agree on next steps and timeline for completion of BCPs.

4.2 Meeting Agenda

Three primary agenda items are explained in detail below.

Entity Results

Individual entity managers should summarize the results of their individual meetings. The following should be covered:

• The entity’s key internal and external customers
• Major risks to the entity’s ability to deliver on the strategic objectives
• The maximum acceptable time for an interruption of the entity’s critical systems or operations (RTO/MTO) for the strategic products or services
• Dependencies that will need to be addressed in another entity plan
• The entity’s suggested strategy
• A preliminary estimate of resources and costs for implementing the chosen strategies

Senior management should summarize the overall results of the individual strategies and approve the strategies for the company as a whole.

Discussion

At this point it is important for all entities to discuss with senior managers how their business continuity strategies fit together. Are there any conflicts? Do the timelines and expectations of one fit the needs of the others? Are there any differences perceived in customer requirements, or dependencies, or minimum operating requirements for the strategies to succeed?

The costs and benefits of various strategies also should be discussed. If senior management approval of the cost is necessary, it should be obtained at this time.

The ultimate goal of this discussion is for all entities, along with the company’s senior managers, to agree on, and approve, the strategies to be implemented by the business entities.

The entities should also discuss a coordinated process for activating their plans. This should include establishing the criteria for invocation of the plan, designating a specific person to interface with the incident management teams and receive the notification in the event of a crisis, and establishing the authority for invoking the plan.

The coordinator should note any discrepancies or questions that need to be answered, so that a concrete action plan can be developed in the Next Steps portion of the meeting. The coordinator should also point out any items that may indicate trouble spots or pitfalls for the group as a whole. These may be listed as ‘red flags,’ with action items to resolve each one.

Next Steps

The following steps should be agreed:

• Action items should be listed, with individuals assigned to follow up.
• Schedules and deadlines should be agreed upon for completing each entity’s BCP.

A date should be set for the final meeting with senior management (the final meeting is covered in Step 6 of this guide).

STEP 5 – WRITING THE PLAN

Steps 1-4 have been all about the process of how to gather information, how to record the information for analysis to determine what needs to be included in the entity BCP, and the steps needed to achieve this.

The ultimate application of a BCP is to provide an action-orientated, ready reference framework for management decision-making. The plan should facilitate the ability to manage a disruption for any period of time, but still enable the business to be conducted at a level of continuity that is transparent to the internal and external customer base.

The reason why certain operational processes are unavailable is not the issue at this point. It could be as a result of a fire, flood, terrorist attack, or a massive power outage. Any one of these events could result in the entity’s facilities and resources, which are taken for granted in day-to-day operations, being no longer available for an indeterminate period of time.

It should be recognized that there may be distinct responsibilities for separate entities within a company, depending on the size and structure of the business. Separate disaster recovery and/or emergency response plans may be prepared for separate entities within a company, in addition to the entity based BCP. For example, the response to specific causes or events at a facility may be the sole responsibility of a facilities or engineering department within larger organizations, whereas it could be incorporated into the response for a business entity within smaller companies. Generally, these actions and activities should be contained in the location’s specific incident emergency response, or disaster recovery plan.

The BCP development methodology ensures all stages of an unforeseen event are catered for through a process of managed escalation. By designing the overall plan in a modular format, where each entity level within the company represents a separate module, and including a similar content for each plan, a consistent approach to referencing essential information can be achieved.

The completion of the entity plan focuses on the development of procedures necessary to implement the criteria established in Section 5.2 and in Appendices A.1 and A.2. This section outlines what must be considered for each section of the BCP document.

Key assumptions in the writing of the final plan include the following:

• A business impact analysis (BIA) and a risk assessment have been completed, and all necessary critical criteria for the business to survive have been identified;
• Essential recovery strategies based on the strategic objectives of the top-level entity have been established and approved;
• Activities, roles and responsibilities and personnel for all entities, from suppliers to ultimate customers, have been identified.

5.1 Objectives

• Correlate information for inclusion in the entity’s final plan.
• Identify and document the actions required to implement the strategies.
• Develop contact lists.
• Establish the document format for the ready reference.

5.2 Methodology

There is no right or wrong way to lay out the individual entity plan. There are many publicly available designs from various business continuity sources that can be considered. These can range from simple word documents to sophisticated online software. Each method has benefits as well as disadvantages. The important feature is that the selected option must reflect the needs of the company and be structured accordingly for simple reference.

For all companies, however, the plan must be an action-oriented document that enables the strategic objectives of the company to be achieved in the event of disruption and defines the roles and responsibilities of those key persons who are expected to implement the response. In most cases, the plan should only contain action statements and not include discussion, description or judgment comments normally restricted to the business impact analysis or risk assessments. The conclusive action statements can be developed from an analysis of the completed worksheets from each entity meeting.

Small companies may only require a simple, single plan document that reflects the number of staff and size of the enterprise, with relevant actions for the mitigating strategies. Larger companies may need more detailed modular plans that reflect the actions required of each key business unit, and which need to be integrated within the multiple disciplines of the organization to ensure the appropriate actions of the enterprise as a whole. The following discusses a modular format that can be used as the structure of a plan for both the more complex and simpler enterprises.

5.3 Modular Plan Development

The modular format enables the BCP documents to be accessed at the time of an incident by the individual entity managers. This modularity enables specific activities within the separate entity levels to be addressed and combined with other entity plans to provide an overall BCP for the business as a whole, or top-level entity. Each BCP can then be rolled up as the company BCP to be referenced by the incident management team (IMT) and senior managers at the upper entities within the hierarchy.

The information gathered so far and recorded on the appended templates can be reviewed, and the conclusions incorporated into the report format. Each module is encompassed within the framework of an overall plan that is typically retained for reference by the IMT. Usually, it is not necessary for each individual team to have access to each other’s plan. A sample of an overall plan structure for an entity, which incorporates the main elements of the individual entity plans and can be rolled up to reflect the needs of the company overall, is shown in Table 5.3:

SECTION 1: Plan Overview
SECTION 2: Incident Management Team
SECTION 3: Business Continuity Management
SECTION 4: Information System Recovery Team
SECTION 5: Recovery and Damage Assessment Team
SECTION 6: Business Entity Team
SECTIONS …: Other Business Entity Teams, as needed.
SECTION 7: Facilities Team
APPENDICES: Document Configuration Management

Table 5.3: Example of Modular Report Content

Sections 1-3 and 7 represent plans that are applicable across the top-level entity. Sections 4 and all others represent plans from lower-level entities, as may exist within the company for the selected supply chains.

The guidelines and steps outlined in this document are helpful in creating a formal BCP for key lower entities, or business functions that can be represented in the above format.

5.4 The Entity BCP

The purpose of the individual entity plan is to provide managers with a resource reference to guide early continuity of essential services. Typically, these will include provision of key human resources, equipment and internal/external supplier services necessary to maintain critical activities in the event of an extended disruption to normal processing.

The individual plans define action required to support the key activities at the entity level, and to ensure that these can continue to operate at a sufficient capacity to maintain a high degree of transparency of service deliverables to internal and external customers. A key part in any recovery is to know ahead of time what is required for this to happen.

Each plan within the overall BCP can be divided into the entity modules, each having similar document content. Typically, this content would include:

• Introduction
• Role and Responsibilities
• How to Use this Plan
• Supporting Staff
• Standby Locations
• Public Relations
• Actions for Entity Team
• Key First Priority
• Contact List
• Key Resources and Contact Details
• Vital Materials List
• Equipment, Software Requirement
• Business Resumption Plan
• Activity Log
• Appendix

1 Introduction

The plan starts with defining the overall purpose, or objective, of the entity in terms of the critical products, or services, delivered for the company.

What should be included in the plan: The introduction should be a short statement of the key products or services provided from the entity that supports the company’s deliverables. The plan should list the continuity criteria for RTOs and MTOs for strategic products or services that must be achieved, and what needs to be provided from the entity to meet these minimum objectives.

2 Roles and Responsibilities

A high-level comment stating the overall objectives of the entity, including a list of relevant roles and responsibilities of individuals within the entity, should be included.

What should be in the plan: This section should include a list of persons selected for the plan, with roles and responsibilities clearly identified. Only selected resources who have agreed to these responsibilities should be included within the plan.

This section of the BCP describes the trigger points and process for activating, or invoking, the plan. It should also list the specific managers with authority to activate the plan so there is no question about who has this authority.

A natural disaster, fire or other crisis may cause activation of the site’s incident, emergency response or disaster recovery plans. A team member of these plans should be responsible for notifying the business continuity team members that there may be a significant disruption to normal operations, as applicable.

These communications should be coordinated at the top entity level so the team member does not need to notify contacts in numerous individual entities.

3 How to use this plan

The plan’s key purpose is to provide guidance for entity managers in a business continuity response in the event of an extended disruption to normal operations.

What should be in the plan: The plan should contain a comment stating that the document contains necessary reference material to guide business continuity activity by the IMT in the event of an extended period of disruption.

4 Supporting Staff

Entity managers are responsible for ensuring staffing levels are sufficient to maintain an adequate level of processing in response to the size of the disruption. Those individuals within the entity who could maintain the key processes, and their role and responsibilities, must be clearly identified, communicated and fully understood.

These responsibilities can cover a wide range of activities and may include scaling up communications through a chain of hierarchy, provision of assets, and travel to alternative locations. Each specific activity needs to be identified.

What should be in the plan: The plan should address the human resource requirements identified in Section 2.2 of Appendix A.5. Only the conclusions from this analysis need be coordinated with Human Resources and Finance to ensure the chosen resources can be utilized, and that the plan complies with employee regulations.

5 Standby Locations

A standby location for a command center should be selected by the IMT. This should be established at a safe location that will not be impacted by the incident, but is sufficiently close to the primary location and adequately sized to facilitate access by the team members.

What should be included in the plan: The initial assembly point for staff should be included in each entity plan. Full details and directions to an alternative facility, including a map or diagram of the location, should be included.

6 Public Relations

The control of internal and external communications to public media is essential in maintaining the integrity of the company’s management to manage the crisis.

What should be included in the plan: Instructions that all communications should be directed to the media spokesperson of the company on the IMT, or appointed alternative. The plan should advise that employees not make any comment to the media.

7 Actions for Entity Team

Actions required by each entity team will be subject to the specific function and the extent of the incident. Actions would need to consider the short-term immediate response to the event (supervision of evacuation procedures, notification to staff at home if after hours, recovery of key materials and equipment) and those actions needed if the response was scaled up into a full invocation and a need for relocation of personnel to resume operations at an alternative location.

What should be included in the plan: The plan should identify specific actions to be undertaken by the assigned entity function team members. This should include, but is not limited to:

• Persons to undertake actions for a short-term disruption;
• Other actions identified from the individual business entity plan;
• Actions identified for a full invocation and a need to relocate operations at alternative locations.

8 Key First Priority

Within the entity objectives, key priority activities must be completed at the outset of an incident for each business entity, if these objectives are to be achieved quickly. Establishing these priority activities will require careful consideration. Each entity should consider its individual needs within the criteria identified above.

What should be in the plan: The plan should include key priority actions that are necessary to expedite the activities identified in the individual entity plan. This is expected to be specific to each entity, but should address how best to initiate the identified actions should the BCP be invoked.

9 Contact List

This section identifies the primary contacts for responsibility and control of each entity. Key personnel to be immediately notified if the plan is activated should be listed, as referenced below.

The contact details of employees are confidential and therefore should be treated accordingly. Some staff may be concerned about having their home information published. They may, for example, have an unlisted home number. It is essential that all employees provide a means to be contacted following an incident. These employees must be reassured that this information will only be distributed on a need-to-know basis, and that the information will have limited access.

Those that have concerns about the release of contact information and indicate a reluctance to provide the details would normally not be eligible to participate in the BCP programs. In all cases, a written agreement must be obtained from the resource, indicating acceptance for the private information to be made public.

An alternative contact person should be identified for each primary contact listed. This may be the next contact listed in the table. All participants must be made aware of any responsibilities aligned to them under the BCP.

What should be included in the plan: The list should contain contact information for everyone assigned to the plan, including:

• members of the continuity team;
• a member of the site’s incident/emergency team;
• members of the incident management team;
• managers of any operations affected;
• business entity personnel who have agreed to participate in the continuity plan;
• personnel from other entities and suppliers, on a need-to-know basis.

Primary contacts should be listed in the order of contact. The list should include home and alternative telephone numbers and other contact information. Essential details, beyond this basic contact information, should be made available from the BCP developed for Human Resources with the agreement of the employee.

10 Key Resources and Contact Details

The contact lists should contain names and contact information for all key personnel or entities potentially affected by a business disruption. This may include, but is not limited to, the following:

• Contractors
• Emergency agencies
• Key customers
• Fire department
• Interdependent operations
• FM Global contact
• Key suppliers

Contact details for all customers and critical vendors who will need to be advised on the situation, as appropriate, should be identified.

11 Business Resumption Plan

This section provides guidance on the restoration and re-occupation of the original premises. Plans may not be appropriate for each entity. However, it is appropriate for facilities planning to accommodate the other entities.

What should be included in the plan: Where appropriate, plans should be developed to phase in the re-occupation of the facility from the temporary standby locations, after the original premises have been restored. This should be driven by a determination of priority processes from each of the entities that were identified in the individual BCPs for continuity.

12 Vital Materials List

The vital materials list includes all materials that are essential to conduct those business processes that were identified as ‘mission critical’ in each entity. These materials could include files, records or other information that would not be accessible if the building could not be occupied or is inaccessible.

What should be included in the plan: It should include any materials identified in the individual plan that are essential to support the key processes that would not be accessible from within the building, or could not ultimately be accessed through electronic systems within an acceptable period of time. These materials should be included in an off-site storage facility, as appropriate.

13 Equipment and Software Requirements

This section identifies the equipment and IT requirements for the identified mission-critical processes. This provides the documentation to ensure the equipment is provided by others.

What should be included in the plan: Any item of equipment or application that is required to maintain the key activities should be listed. The priority timeline for applications to be resumed to meet the entity requirements should be included and communicated to each service supplier, or provider.

14 Business Continuity Activity Log

The activity log is a facility to capture all the business continuity activity conducted during the incident.

What should be included in the plan: A document log facility (table or spreadsheet) for recording the activity undertaken by the entity during the period of disruption.

15 Appendices

The scope of plan coverage may be increased to capture continuity management by specific scenario event (e.g., power outage, loss of IT at month end), or specific details of topics in the plan that require separate reference for the different business functions. These scenario events and the management therein can be included as appendices. The recommendation is to discuss this with the business continuity manager when the need to enhance/amend the plan arises.

What should be included in the plan: This section of the BCP in each entity should contain any supporting or additional documents needed to implement the plan. These may include, but are not limited to, the following:

• Staffing schedules
• Process maps or plans
• Utility drawings or layouts
• Emergency organization procedures in case of fire
• Special requirements
• Essential equipment list with model numbers and sources
• Equipment photographs
• Software inventories with replacement sources
• Floor space requirements
• Floor plan for alternate location
• Street map to alternate location/bridge limitations/cranes and transportation
• Contract with alternate location
• Contracts with alternate service providers
• Regulatory compliance requirement
• Locations of software backups
• FM Global contacts
• List of items in storage areas
• Essential documents, operating manuals and vital records

16 Document History

On completion of the plan, the Document Control Tables should be updated, and the final plan released with version control. A sample control table is shown below.

Date | Amended by | Change details

Version | Classification | Created | Author | References | Quality Review By

5.5 Coordinator’s Role

Upon completion of the entity plans, the business continuity coordinator takes an advisory role and the entities take the lead. This period may take several weeks. The coordinator’s role is to:

• Ensure the plans are being developed according to the schedule (checkpoints may be advisable).
• Answer questions to assist in the writing of the plans.
• Relay problems to the organizational level, if necessary.
• Keep the entities motivated and check on their progress.

Interim ‘status’ meetings during this phase may be helpful for all entities to compare progress and questions, and perhaps establish synergies or common processes.

STEP 6 – FINAL MEETING

The final meeting is an essential last step to determine the final criteria for the overall company BCP. The meeting’s primary objective is to resolve differences in assessments derived from the individual entity reviews, to address inconsistencies between entity plans, and to agree to the acceptable actions on which the overall BCP should be based.

6.1 Objectives

• Ensure each entity plan aligns with the strategic objectives of the company.
• Review and resolve any discrepancies between individual entity plans.
• Address coordination issues between entities.
• Review and approve all plans and the consolidated BCP.

6.2 Meeting Agenda

Three primary agenda items are explained below:

Overview of Entity Plans

Either the business continuity coordinator or each entity’s senior manager should provide a quick overview of the plan to other entity managers. Any discrepancies between individual entity plans, or need for further coordination between entities, should be discussed and resolved at this time.

Plan Approval

If not already done, each entity manager should give final approval for his or her entity’s plan by signing the front of each plan. The next hierarchy manager also should indicate final approval of all plans by signing the front of the consolidated plan.

Next Steps

Each entity is responsible for updating and maintaining its BCP. The participants at the meeting should agree on a periodic schedule (at least annually, unless there are significant changes) when the business continuity coordinator should remind each entity to review and update its plan. The group should also discuss when and how to exercise its plans. The next part of this guide provides additional information on plan maintenance and exercising.

STEP 7 – PLAN MAINTENANCE AND EXERCISING

BCPs should be updated at least annually or more frequently, whenever there is a significant change affecting the entity. Changes may include:

• Customer requirements
• Business processes
• Personnel
• Hardware
• Software
• Physical facilities
• Reorganization
• Operational procedures
• New sole-source supplier

Each entity should assign a specific person the responsibility for updating its BCPs as necessary. If there is a change of personnel within an entity, a replacement should be appointed with this responsibility.

7.1 Maintenance

Unless there is a dedicated full-time business continuity coordinator within the company, it is the BCP owner’s responsibility to ensure each entity maintains an up-to-date plan and ensures it is incorporated into the overall company plan. This owner is normally the senior manager responsible for the entity. If the owner’s position changes, a new owner or coordinator should be identified and all entities informed of the changes.

7.2 Exercising

Exercising of plans validates the business continuity procedures and confirms that the people involved know what to do in the event of a disruption. Regular testing of BCPs is the best way to assure they will work when needed.

• A tabletop discussion of a hypothetical situation may be a good way to test the plan the first time.
• Short drills, such as confirming each entity has access to its plan even if there is no access to the building, also are desirable.
• Subsequent tests may involve simulated exercises, but it is important to ensure the people involved feel prepared for this type of test. Such tests can be combined with a site crisis team exercise in order to coordinate crisis response with business continuity procedures.

The exercising of plans should be considered an opportunity for further learning, rather than a test to pass or fail.

THIRD-PARTY RESOURCES

The following resources and documents are available to assist you in the development of your BCPs.

• www.DRII.org
• www.theBCI.org
• Your FM Global client service team
• FM Global’s Risk Reports
• FM Global’s Business Risk Consulting Group (BRCG)
• FM Global’s training and education group

Your FM Global client service team contact will be able to provide you with contact details for any necessary support.

SITE CRISIS/INCIDENT MANAGEMENT TEAMS

Site crisis or incident management teams should also be familiar with preliminary business recovery processes, because this is part of overall crisis management. Business continuity teams should coordinate closely with crisis management teams, and may find additional knowledge and resources through these teams.

APPENDICES

A.1 Summary of Entity Strategic Objectives

Business Continuity Design Criteria Strategic Objectives Deliverables Activity

(Product/Service to maintain) Maximum Tolerable Outage (MTO)

Recovery Time Objective (RTO)

A.2 List of Entities for BCP Development

Entity for BCP Development | Products Impacted | Priority | Comments

A.3 Preliminary List of Strategies, Resources and Costs

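STEP | STRATEGIES | MINIMUM RESOURCES | ESTIMATED COSTS
1 | | |
2 | | |
3 | | |
4 | | |
5 | | |
6 | | |
7 | | |
8 | | |
9 | | |
10 | | |
11 | | |
12 | | |
13 | | |
14 | | |
15 | | |
16 | | |
17 | | |
18 | | |
19 | | |
20 | | |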

A.4 Summary of Strategy Evaluation

ALTERNATE STRATEGY | ADVANTAGES | DISADVANTAGES | COST VS. BENEFIT | RANK
1. | | | |
2. | | | |
3. | | | |
4. | | | |
5. | | | |
6. | | | |
7. | | | |

A.5 Business Continuity Worksheet

BUSINESS CONTINUITY WORKSHEET

(Name of Site)

PURPOSE

This worksheet records the discussions from each entity meeting.

SITE BUSINESS CONTINUITY COORDINATOR/PLAN OWNER

___(Insert name and contact information)____

SENIOR MANAGER’S APPROVAL

This is to verify that I have reviewed and approved this worksheet as the basis for a Business Continuity Plan.

_____________________________          _______________
Name and Title                         Date

A.5.1 LIST OF WORKSHEETS

The following worksheets are attached.

Entity | Scope of Worksheet | Responsible Manager and Phone Number
1. | |
2. | |
3. | |
4. | |
5. | |
6. | |
7. | |
8. | |
9. | |
10. | |
11. | |
12. | |
13. | |
14. | |
15. | |
16. | |
17. | |
18. | |
19. | |
20. | |

A.6 Entity Business Continuity Template

Copy this plan worksheet as many times as necessary to create one worksheet for each entity.

ENTITY WORKSHEET FOR BUSINESS CONTINUITY PLANNING

ENTITY: ________________________________

COMPANY: ________________________________

LOCATION: ________________________________

This is worksheet number _____ of _____ for this company

SCOPE

This worksheet covers the following operations within this entity:

ENTITY MANAGER’S APPROVAL

The contents of this worksheet are approved for inclusion into the business continuity plan.

____________________________          __________________
Name and Title                        Date

WORKSHEET COMMENTS

SECTION 1: OBJECTIVES AND STRATEGIES

1.1 Customer and Business Requirements
1.2 Critical Systems and Operations
1.3 Recovery Time Objectives (RTO), Maximum Tolerable Outages (MTO)
1.4 Assumptions
1.5 Continuity Strategy
1.6 Priorities

SECTION 2: PROCEDURES FOR TEMPORARY OPERATIONS

2.1 Activating the Plan
2.2 Major Actions

Section 1: Objectives and Strategies Worksheet

1.1 CUSTOMER AND BUSINESS REQUIREMENTS

The entity’s primary responsibilities:

The entity’s key customers (internal and external):

Customer requirements that drive the business continuity strategy:

1.2 CRITICAL SYSTEMS AND OPERATIONS

Systems and operations within the entity that are critical for meeting customer requirements, and which are covered by this plan:

Dependencies: Systems and operations on which this entity depends, but which are not under its control and are therefore not covered by this plan:

1.3 RECOVERY TIME OBJECTIVES (RTO), MAXIMUM TOLERABLE OUTAGE (MTO)

Maximum acceptable time for an interruption of critical systems or operations (the time within which critical systems or operations must be restored after an interruption):

1.4 ASSUMPTIONS

The following assumptions have been made for this entity in addition to all organization-wide assumptions:

1.5 CONTINUITY STRATEGY

Taking into account time limits, advantages, disadvantages and costs, the overall continuity strategy for operating in contingency mode is as follows:

1.6 PRIORITIES

Systems or operations to be restored first. Target time line: _______
Systems or operations to be restored second. Target time line: _______
Systems or operations to be restored third. Target time line: _______

Section 2: Worksheet for Invoking the Plan

2.1 CHECKLIST FOR INVOKING THE PLAN

☑ Specific conditions for invoking this plan (Invocation criteria established by the strategic objectives):
☑ Managers with authority to activate this sub-plan:
☑ Procedures (if necessary) for deciding whether to activate:
☑ Convene Business Continuity Team at ______________________.
☑ Review summary of situation and damage assessment.
☑ Make decision whether to invoke the plan.
☑ Determine preliminary time schedule and shifts for key personnel.

2.2 MAJOR ACTIONS

COPY THIS PAGE FOR EACH MAJOR ACTION LISTED IN SECTION 2 THAT NEEDS TO BE DEFINED FURTHER

This section of the plan contains specific procedures needed to complete major actions to deliver the strategy. Using the master checklist in Section 2.2.1 as an initial guideline, the entity should create as many separate sets of procedures as necessary to complete each major action on the master checklist for the selected strategies (Appendix A.2).

Each set of procedures should include specific actions to be taken, the timeline, who is responsible for completing each step, and the resources needed.

Major Action: __________________________ (Reference strategy development for selected strategy and required action)

Step | Timeline | Specific Actions to be Taken | Person Responsible | Resources Required
1 | | | |
2 | | | |
3 | | | |
4 | | | |
5 | | | |

2.2.1 EXAMPLES OF PROCEDURES AND RESOURCES

(Note: The following should be considered for implementing the strategy. These procedures are not expected to apply for all entities, but will provide a prompt for consideration and should be reviewed selectively as applicable.)

PROCEDURES

• Delegating authority for purchasing, response ownership, non-core expenses, operations, implementing emergency accounting procedures and overall responsibility for incident management
• Arrangements for alternate locations outside potential disaster areas (other sites, hotel or conference centers, recovery service company sites, supplier or other company sites)
• Alternate floor space requirements (including primary operations, support functions, and temporary command post areas)
• Transportation of people, equipment, documents and vital records to alternative locations
• Security and access for alternate sites
• Establishing utilities (power, heat, water, sanitary) and other needs at alternate location
• Obtaining essential drawings for operations, network configurations, utility requirements, and other processes, including uploading of software applications, tapes and data
• Process for repair, relocation or replacement and installation of equipment
• Retrieval and loading of software at alternate location
• Recovery of essential documents, operating manuals and vital records (inventory, backup, safeguarding, and transportation to alternate location)
• For facilitating employees (especially key employees or skill sets)
• Establishing optimum staffing requirements and schedules
• Implementing employee welfare issues (arrangements for family safety, child care, new commute time, extra expenses, food and dining areas, sanitary facilities, communications)
• Managing customer ordering and customer service operations when at reduced capacity
• Providing added insurance coverage at alternate location
• Issuing public relations statements

RESOURCES

• Key personnel or specific skill sets, staffing requirements, and schedules
• Vendors for service utilities (power, heat, water, sanitary facilities, etc.)
• Outsourcing suppliers
• Vendors for key operating or processing equipment, essential test equipment and tooling, raw materials
• Vendors for office supplies and equipment, telecommunications equipment, including land lines, data lines, satellite phone and pager coverage, 2-way radios
• Essential documents, operating manuals and vital records

P07170