Overview Business Continuity in a Binder ASAE Technology Conference -2-14-2007 George A. Breeden, CAE -george.breeden@rsmi.com The purpose of these documents is to provide some examples forms that an organization can use to better prepare for an emergency or crisis. They are intended to help an organization get started with business continuity planning, not complete it. It is likely that your organization will have additional information to add, and some of this won't be appropriate. As with any similar documents, every organization should review and adapt them to their own needs, and where appropriate, review with legal counsel and the organization's volunteer leadership. These documents are intended to be pragmatic and also useful in the ongoing management of the organization. They contain information that will likely be useful during the course of normal business, and ideally other standard policies and procedures will be stored with this information. This will help ensure that the information is reviewed for currency periodically. Ideally every time there is a staff change in the organization (hiring, termination, significant promotion) these documents will be reviewed and updated accordingly. At the minimum the organization should review and discuss them semi-annually. These pages are formatted for landscape printing, and example items are presented in italics. Some worksheets require more than one page width, and in these cases the first column is repeated. They are generally formatted to fit on one page for this presentation, but depending on the data you enter, it will probably be more practical to use multiple width pages. This information may be freely used for business continuity and related planning by any organization, non-profit or otherwise, but the information can not be reprinted or otherwise republished for any other purpose without the express permission of George Breeden, RSM McGladrey. Business Continuity in a Binder 2-14-2007 -ASAE Technology Conference George A. Breeden, CAE RSM McGladrey -george.breeden@rsmi.com 1Support Vendor Info General Information This document is used to maintain a list of all vendors that are used to support the primary business systems of the organization. This is useful for day to day maintenance as well as disaster recovery. System Describes the system or service i.e., e-mail, phone system, web site, etc. Version Info The specific brand and versions of the systems as applicable. Support Vendor The company name of the support company. Contract Number The contract or warranty number. Contract Expiration Date the contract expires. Support Contact The name of the person at the company that is most familiar with your organization that would provide service. Sales Contact The name and contact information for the sales person most familiar with your organization. Phone Number Phone number of the support company. Support E-mail e-mail for support. Support Web Web address for support. Support login information IDs and passwords for customer support systems provided by vendor. Permitted Representatives If the company limits who can make requests from within the organization, list them here. Contract Type Whether the contract is an annual support, fee-for-incident, etc. This will help prevent surprises during an incident that delay issue resolution. Alternate support companies Additional companies that may be able to support this system during an emergency if the primary vendor it not available for a critical system. Create a separate line for each, as appropriate. Emergency Hours Procedures Any special information that is required to initiate support during non-business hours. Notes Any additional notes that may be helpful during an incident. Business Continuity in a Binder 2-14-2007 -ASAE Technology Conference George A. Breeden, CAE RSM McGladrey -george.breeden@rsmi.com 2 of 14Support Vendors System Support Vendor Contract Number Contract Expiration Support Contact Sales Contact Phone Number E-mail Phone System Network HVAC AMS Web Long Distance Custom databases Cell phone service Conference calling Business Continuity in a Binder 2-14-2007 -ASAE Technology Conference George A. Breeden, CAE RSM McGladrey -george.breeden@rsmi.com 3 of 14Support Vendors System Phone System Network HVAC AMS Web Long Distance Custom databases Cell phone service Conference calling Fax Web Permitted Representatives Contract Type Emergency Hours Procedures Model and Version Info Has Continuity Plan Notes Business Continuity in a Binder 2-14-2007 -ASAE Technology Conference George A. Breeden, CAE RSM McGladrey -george.breeden@rsmi.com 4 of 14Staff Last Updated 1/1/2007 Name Home Cell Emergency Contact Emergency Contact # Notes Business Continuity in a Binder 2-14-2007 -ASAE Technology Conference George A. Breeden, CAE RSM McGladrey -george.breeden@rsmi.com 5 of 14Key Constituents Last Update 1/1/2007 Role Name Office Cell Emergency # Fax E-mail Executive committee members Legal Counsel Industry media contacts Partner firms and non-profits Business Continuity in a Binder 2-14-2007 -ASAE Technology Conference George A. Breeden, CAE RSM McGladrey -george.breeden@rsmi.com 6 of 14Key Suppliers Service Company Primary Contact Phone Emergency Number Account Numbers Web E-mail Has Continuity Plan Notes Legal Counsel PR Firm Telco Health Insurance D&O Insurance Other Insurance plans Building Engineer Payroll Banks and Investment Firms Business Continuity in a Binder 2-14-2007 -ASAE Technology Conference George A. Breeden, CAE RSM McGladrey -george.breeden@rsmi.com 7 of 14Configurations System Last Updated Person Responsible Included in Binder? Notes Network topography Firewall Router Web server DNS Backup plan VeriSign configuration Business Continuity in a Binder 2-14-2007 -ASAE Technology Conference George A. Breeden, CAE RSM McGladrey -george.breeden@rsmi.com 8 of 14Software System Software Version Vendor Licenses License Keys/Serial numbers Media Stored Offsite? Business Continuity in a Binder 2-14-2007 -ASAE Technology Conference George A. Breeden, CAE RSM McGladrey -george.breeden@rsmi.com 9 of 14Software System Support Vendor Service Contract Contract Expires Notes Business Continuity in a Binder 2-14-2007 -ASAE Technology Conference George A. Breeden, CAE RSM McGladrey -george.breeden@rsmi.com 10 of 14Hardware System Make Model Date Acquired Warranty or Service Contract? Contract Expires Support Vendor Cost at Acquisition Notes Phone System Voicemail System HVAC Exchange Server AMS Server Switches UPS Systems Business Continuity in a Binder 2-14-2007 -ASAE Technology Conference George A. Breeden, CAE RSM McGladrey -george.breeden@rsmi.com 11 of 14Other Resources Document Who receives Last Reviewed Description Phone Tree Plan All Staff A phone tree plan doesn't need to be complicated -it simply needs to contain a list of all staff and show who will contact who. For small to medium sized organizations, the simplest plan is to have the top person contact two people who each contact two more, and so on. When the final level is reached, then each person calls the person above them to give an accounting of who was contacted. If someone can't be reached immediately, the person above them then calls the people that their subordinate was to call. Organization Chain of Command All Staff In the event the Executive Director, or other most senior staff person is not available during an emergency, the organization should have a documented chain of command or succession plan. This is simply a list of those people in decreasing order who are authorized to make decisions for the organization until the normal management is restored. The document should include the names, all contact information and optionally if there are any extensions or limits to their decision making. For example, in the event of an emergency certain staff may be authorized to expend funds to maintain or help with recovery, but at some point down the chain the organization may want to limit these actions. Similarly, in an extreme emergency, the organization may want to lift some limits on expenditures for certain key powers (ie., an emergency powers act). This list likely would include persons not limited to staff to include the chairman and other members of the board, depending on the organization. Emergency Evacuation Procedures All Staff Every organization should have well documented evacuation procedures that include a gathering location and roll call procedure post event. The plan should include provisions for helping persons requiring special assistance. The gathering location should assume inclement weather. Portable database of members and key constituents Key Staff Every organization should have a simple text file with each of the key groups they may need to contact in an emergency. Ideally the entire business continuity plan should be contained on a CD or USB key that is updated periodically and would contain all contact information for members, board members, media and other key constituents. The following documents should be developed or maintained and be included in the master binder, depending on the organization. Business Continuity in a Binder 2-14-2007 -ASAE Technology Conference George A. Breeden, CAE RSM McGladrey -george.breeden@rsmi.com 12 of 14Other Resources Document Who receives Last Reviewed Description Password list (sealed and secured) Key Staff While maintaining a list of all administrative and special system passwords poses a security risk, not having access to them in general, much less in an emergency, is worse. The list should be maintained in a sealed envelope in a secured location on and off site, and an electronic version maintained with key personnel, such as IT director, HR director, CEO, CFO, Chairman and legal counsel. Additionally, organizations should consider documenting the process for changing system passwords. Some passwords may be embedded in other systems such as system services or backup jobs, so having step by step procedures for fully changing them may be helpful if the crisis involves system security. Remote web update procedures Key Staff In the event that the organization experiences an emergency, staff and members should be directed to the organization's web site for additional information. The business continuity plan should include information necessary for someone to be able to update the website with information for this purpose. It isn't necessary that the layman necessarily be able to update it, but that the information be sufficient for someone with reasonable technical skills to do so, and if any special software or access is required, detail those requirements. Access instructions for key systems Key Staff Instructions for accessing all critical systems remotely should be included, to include which accounts are permitted (if restricted) login instructions and any special instructions. Instructions for changing voicemail message remotely Key Staff In particular the organization should document the process for updating the company phone system or voicemail greeting as a way of leaving information for callers. Login IDs and passwords should be included. Procedure for broadcast faxing members and key constituents Key Staff Ideally the organization should have an outside service prepared with common lists of key constituents and members so an emergency broadcast fax can be sent with little notice. Having pre-prepared fax data files at the vendor is not necessary, assuming the organization maintains the lists with the continuity plan, and can transmit them. Specific instructions and contact information for the vendor should be maintained, and tested periodically to ensure the data files are compatible with the service. Procedure for broadcast e-mailing members and key constituents Key Staff Similar to the fax broadcast option the organization should be prepared to send broadcast faxes to key groups on short notice using the lists they maintain with the continuity plan. Specific instructions and contact information for the vendor should be maintained, and tested periodically to ensure the data files are compatible with the service. Standard procedures for remote access to network resources All Staff Standard procedures for general staff to access e-mail, voicemail and network resources should be maintained and shared with all staff. Business Continuity in a Binder 2-14-2007 -ASAE Technology Conference George A. Breeden, CAE RSM McGladrey -george.breeden@rsmi.com 13 of 14Other Resources Document Who receives Last Reviewed Description International travel procedures All Staff If the organization has staff that travel internationally, for work or pleasure, it should have key procedures for these staff. In particular, it should include, per trip, information such as numbers for the US embassy, relief organizations and medical facilities that will accept your insurance if applicable. Payroll instructions Key Staff In the event that there is a business interruption every organization should be prepared to ensure that staff will continue to be paid pending return to normal operations. The organization should make plans regarding payroll and other benefits prior to having an emergency, which would include how to communicate to these organizations with instructions and what will be required from the companies to process these transactions outside of the normal process. Business Continuity in a Binder 2-14-2007 -ASAE Technology Conference George A. Breeden, CAE RSM McGladrey -george.breeden@rsmi.com 14 of 14