Business Continuity Plan

Document Sample
Business Continuity Plan Powered By Docstoc
					 Post Incident
Business Continuity Plan
 Do I need Business Continuity?

• You are part of a successful
• However, in this uncertain world,
  you need a business that is
• Which can change with differing
  conditions and be strong through
  any disaster, be it natural or
• What if a crisis prevented delivery
  to a key customer?
• How would a major incident affect
  the morale of your employees?
• Would serious damage to your
  premises or resources affect your
  ability to carry on the business?
       Small Business

• If you are part of a small business
  then you are more likely to suffer
  from any incident that prevents
  your business from functioning
• The slightest delay in supporting
  your customers can and will be
What is a Business Continuity Plan?

• Business Continuity Planning (BCP)
  takes business protection beyond the
  disaster recovery plan, which just
  focuses on the short term re-
  establishment of your business
  following an incident.
• It is a proactive approach, identifying
  potential threats before they occur and
  planning an organised response so that
  the effects of the incident are
             For example

• If your business was hit by a fire:
   – A BCP would cover all anticipated effects of
     such a disaster and detail plans and actions
     to minimise the damage to your business.
   – Most importantly, it would guide you
     through the incident and direct your
     resources and efforts in the right direction
     to bring normality back to your business as
     soon as possible.
• A generic BCP can provide the basis of
  any response no matter what the nature
  of the incident is.
  (specific details can be aimed at particular problems
  within the plan)

• If your premises was hit by a fire,
  would all the computer systems
  also be affected?
• If so, would you lose vital
  information about suppliers,
  customers and orders?
• Would documents and paperwork
  also be destroyed?
        BCP Benefits

• Business Survival
  – Prepare for the worst. If well
    practiced, staff and management will
    be able to respond to an incident
  – Resources necessary to support the
    business through an incident will be
    identified and available
  – Any alternative premises and
    resources will be ready for use
 Business Continuity Plan

• Increased dependency by the business over recent
  years on computerised production and sales delivery
  mechanisms, creates increased risk of loss of normal
• Increased dependency by the business over recent
  years on computerised information systems
• Increased likelihood of inadequate IT and information
  security safeguards
• Increased recognition of the impact that a serious
  incident could have on the business
• Need to establish a formal process to be followed when
  a disaster occurs
• Need to develop effective back up and recovery
  strategies to mitigate the impact of disruptive events
• An intention to lower costs or losses arising from
  serious incidents
• Avoidance of business failure from disruptive incidents.
        BCP Benefits

• Risk management
  – Identify, manage and mitigate as
    many risks as possible
  – Reduce the risks where necessary
  – Promotes a safer working
    environment and improves working
        BCP Benefits

• Responsibility
  – A company that takes BCP seriously
    will be a more attractive proposition
    for Bankers, investors, insurers,
    customers and employees
  – A business with a BCP will have a
    responsible management
         BCP Benefits

• Employee satisfaction
  – A sound working environment
  – Welfare and safety concerns of the
    employee addressed
  – A BCP shows your employees that
    they are important to the survival of
    the company
  – Training exercises and drills are vital
    to the successful implementation of a
        Policy Statement

• A formal risk assessment should be undertaken in order
  to determine the requirements for the Business
  Continuity Plan.
• The Business Continuity Plan should cover all essential
  and critical business activities.
• The Business Continuity Plan should be periodically
  tested in a simulated environment to ensure that it can
  be implemented in emergency situations and that the
  management and staff understand how it is to be
• All staff must be made aware of the Business Continuity
  Plan and their own respective roles.
• The Business Continuity Plan is to be kept up to date to
  take into account changing circumstances.
• A similar policy statement to this should be
  communicated to all management and staff as part of its
  information security policy management process.
       Planning Costs

• Cost of the Resources required to
  support BCP Project Management
• BCP Planning Tools, Templates
  and Reference Materials
• Additional equipment e.g. PCs,
  printers, laptops, mobiles, software
  etc. for the BCP Planning Team
          Project Manager

•   Position on Project Team
•   Date position becomes effective
•   The person to whom the Project Manager reports
•   Levels of authority for operational issues and financial
•   Level of resources required by the position
•   Project structure
•   Responsibilities for assessing risk and measuring
•   Responsibilities for preparing and testing the Plan
•   Deliverables from the project
•   Responsibilities in the event of an emergency occurring
•   Duties in respect of training and awareness
•   Responsibilities for on-going BCP maintenance
    Project Team Meeting

•   Introduction to BCP by the BCP Project Manager
•   Project organisation structure
•   Project initial information requirements
•   Consideration of causes of potential disasters or
•   Preliminary consideration of key business
•   Consideration of impact of potential disaster or
•   BCP methodology
•   Project milestones
•   BCP testing
•   BCP training
•   Frequency of BCP Team Meetings

• Business Risk and Impact Analysis
• Documented activities necessary to prepare
  the organisation for possible emergencies
  (including strategic recovery measures)
• Detailed activities for dealing with the Disaster
  Recovery Phase
• Procedure for managing the Business
  Recovery Process
• Plan for testing the Business Recovery
• Plan for training the staff in the Business
  Recovery Process
• Procedure for keeping the Plan up to date
  Required Information

• Organisation chart showing names and
• Existing BCP (if available)
• Staff emergency contact information
• List of suppliers and contact numbers
• List of professional advisers and emergency
  contact information
• List of emergency services and contact
• Premises addresses and maps
• IT system specification
• Communication system specification
• Copies of maintenance agreements / service
  level agreements
  Required Information

• Existing evacuation procedures and fire
• Health and Safety procedures
• Operations and Administrative procedures
• Personnel administrative procedures
• Copies of floor plans
• Asset inventories
• Inventories of information assets
• IT inventories
• Off-site storage procedures
• Relevant industry regulations and guidelines
• Insurance information
       Potential Hazards

•   Tornado            • Freezing Weather
•   Hurricane          • Contamination
•   Flood              • Environmental
•   Snow                 Hazards
•   Drought            • Epidemic
•   Earthquake         • Explosion
•   Electrical Strom   • Suicide Bomber
•   Fire               • Dirty Bomb
•   Subsidence and     • WMD
BCP Process

•   Terrorism
•   Sabotage
•   War
•   Crime
•   Arson
•   Labour Disputes

•   Electric Failure
•   Loss of Gas supply
•   Loss of Water
•   Contaminated Water
•   Fuel Shortage
•   Lack of Communications
•   Loss of Waste removal
        Security System

•   Cyber Crime
•   Loss of Data
•   Disclosure of Materials
•   IT failure
•   Virus
     Other Emergencies

•   Workplace Violence
•   Public Transport
•   Neighborhood Issues
•   Health and Safety
•   Morale
•   Take over
•   Legal Matters
       Key Processes

• E-commerce processes
• E-mail based communications
• Other on-line real-time customer
• Production line
• Production processes
• Quality control mechanisms
• Customer service handling
• Maintenance and support services
• Sales and sales administration
       Key Processes

• Finance and treasury
• Research and development activities
• Human resources management
• Employees
• Information technology services
• Premises (Head Office and branches)
• Marketing and public relations
• Accounting and reporting
• Strategic and business planning
• Internal audit
Impact Factors
        Key Personnel

• This section includes information on
  each of the key personnel responsible
  for handling emergency procedures.
  These persons should be fully familiar
  with the implementation of these
  procedures and should have received
  any necessary training (if appropriate)
  for handling technical or specialised
             BCP Leader

• Typical responsibilities include:
   – Determine the objectives and policies surrounding
     the BCP
   – Coordinate, organise and manage the BCP team
     and project
   – Provide a point of contact for emergency services
     and develop a coherent message for the
   – Present the BCP to management and employees
   – Develop a project plan and forecast financial
   – Define the BCP management structure and team
   – Manage the whole process from plan to execution
              BCP Team

• Plan Coordinator
     • Manages the process and coordinates various
       tasks and teams
• Senior Management
     • Approves the plan, authorises finances and sets
       realistic goals
• Human Resources
     • Hires additional personnel if assistance is
       required during the planning stages
• Media Liaison
     • Prepares and delivers a media strategy in the
       event of a disaster
             BCP Team

• Legal
     • Available to assist with any insurance
       issues, legal matters and welfare
• IT Security
     • Responsible for IT, before, during and
       after an incident. Maintain the data
       throughout the process
• Security
     • Liaises with first responders and
       responsible for the physical security of
       your business
             BCP Team

• Facilities
     • Maintain facilities during a crisis
• Emergency Team (selected employees)
     • Responds to the incident and
       implements the BCP
• Damage Assessment
     • Reports on the damage and effects of
       any incident
• Off-site
     • Maintains records, data, documentation
       and files essential to the business
            BCP Team

• Alternate Site
     • Identify an alternative location from
       which the business can continue to
• Repair
     • Responsible for getting the business up
       and running by carrying out any repairs
       to premises and / or IT systems
  Emergency Services

• A comprehensive list of services
  and contact numbers should be
  kept up to date
• Liaisons should be maintained
  between your Organisation and
  personnel you will rely on
    Building Requirements

• Freehold or leasehold
• Responsibility for maintenance
• Insurance coverage
• Responsibility for emergency repairs
• External approvals needed before work can commence
• Internal approvals needed before commissioning
• Procedures for obtaining approvals in emergency
• Persons responsible for premises recovery activities,
  with emergency contact details
• Persons responsible for approving repairs or
  replacement for equipment or furniture, with emergency
  contact details
Organizational Chart
    Disaster Recovery Team

•   Key members of Senior Management
•   Personnel Manager
•   Facilities Manager
•   Fire and Safety Officer
•   Maintenance Staff
•   IT technicians
•   Communication technicians
•   Security staff
•   Information Security Officer

•Is there an actual or potential threat to
human safety
•Is there an actual or potential serious
threat to buildings or equipment
•Is there likely to be a need to involve the
emergency services

If the answers to any of the above are
positive then the Disaster Recovery Team
should also be notified.

• "The training is to be carried out in a
  comprehensive and exhaustive manner so that
  staff become familiar with all aspects of the
  recovery process.
• The training will cover all aspects of the
  Business Recovery activities section of the
  BCP including IT systems recovery".
• Consideration should also be given to the
  development of a comprehensive corporate
  awareness programme for communicating the
  procedures for the business recovery process.

Shared By: