Business Continuity in a Binder

Overview Business Continuity in a Binder ASAE Technology Conference - 2-14-2007 George A. Breeden, CAE - george.breeden@rsmi.com The purpose of these documents is to provide some examples forms that an organization can use to better prepare for an emergency or crisis. They are intended to help an organization get started with business continuity planning, not complete it. It is likely that your organization will have additional information to add, and some of this won't be appropriate. As with any similar documents, every organization should review and adapt them to their own needs, and where appropriate, review with legal counsel and the organization's volunteer leadership. These documents are intended to be pragmatic and also useful in the ongoing management of the organization. They contain information that will likely be useful during the course of normal business, and ideally other standard policies and procedures will be stored with this information. This will help ensure that the information is reviewed for currency periodically. Ideally every time there is a staff change in the organization (hiring, termination, significant promotion) these documents will be reviewed and updated accordingly. At the minimum the organization should review and discuss them semi-annually. These pages are formatted for landscape printing, and example items are presented in italics. Some worksheets require more than one page width, and in these cases the first column is repeated. They are generally formatted to fit on one page for this presentation, but depending on the data you enter, it will probably be more practical to use multiple width pages. This information may be freely used for business continuity and related planning by any organization, non-profit or otherwise, but the information can not be reprinted or otherwise republished for any other purpose without the express permission of George Breeden, RSM McGladrey. Business Continuity in a Binder 2-14-2007 - ASAE Technology Conference George A. Breeden, CAE RSM McGladrey - george.breeden@rsmi.com 1 Support Vendor Info General Information System Version Info Support Vendor Contract Number Contract Expiration Support Contact Sales Contact Phone Number Support E-mail Support Web Support login information Permitted Representatives Contract Type Alternate support companies Emergency Hours Procedures Notes This document is used to maintain a list of all vendors that are used to support the primary business systems of the organization. This is useful for day to day maintenance as well as disaster recovery. Describes the system or service i.e., e-mail, phone system, web site, etc. The specific brand and versions of the systems as applicable. The company name of the support company. The contract or warranty number. Date the contract expires. The name of the person at the company that is most familiar with your organization that would provide service. The name and contact information for the sales person most familiar with your organization. Phone number of the support company. e-mail for support. Web address for support. IDs and passwords for customer support systems provided by vendor. If the company limits who can make requests from within the organization, list them here. Whether the contract is an annual support, fee-for-incident, etc. This will help prevent surprises during an incident that delay issue resolution. Additional companies that may be able to support this system during an emergency if the primary vendor it not available for a critical system. Create a separate line for each, as appropriate. Any special information that is required to initiate support during non-business hours. Any additional notes that may be helpful during an incident. Business Continuity in a Binder 2-14-2007 - ASAE Technology Conference George A. Breeden, CAE RSM McGladrey - george.breeden@rsmi.com 2 of 14 Support Vendors System Phone System Network HVAC AMS Web Long Distance Custom databases Cell phone service Conference calling Support Vendor Contract Number Contract Expiration Phone Support Contact Sales Contact Number E-mail Business Continuity in a Binder 2-14-2007 - ASAE Technology Conference George A. Breeden, CAE RSM McGladrey - george.breeden@rsmi.com 3 of 14 Support Vendors System Phone System Network HVAC AMS Web Long Distance Custom databases Cell phone service Conference calling Fax Web Permitted Representatives Emergency Contract Hours Type Procedures Model and Version Info Has Continuity Plan Notes Business Continuity in a Binder 2-14-2007 - ASAE Technology Conference George A. Breeden, CAE RSM McGladrey - george.breeden@rsmi.com 4 of 14 Staff Last Updated Name 1/1/2007 Home Cell Emergency Contact Emergency Contact # Notes Business Continuity in a Binder 2-14-2007 - ASAE Technology Conference George A. Breeden, CAE RSM McGladrey - george.breeden@rsmi.com 5 of 14 Key Constituents Last Update Role Executive committee members Legal Counsel Industry media contacts Partner firms and non-profits 1/1/2007 Name Office Cell Emergency # Fax E-mail Business Continuity in a Binder 2-14-2007 - ASAE Technology Conference George A. Breeden, CAE RSM McGladrey - george.breeden@rsmi.com 6 of 14 Key Suppliers Service Company Legal Counsel PR Firm Telco Health Insurance D&O Insurance Other Insurance plans Building Engineer Payroll Banks and Investment Firms Primary Contact Phone Emergency Number Account Numbers Web E-mail Has Continuity Plan Notes Business Continuity in a Binder 2-14-2007 - ASAE Technology Conference George A. Breeden, CAE RSM McGladrey - george.breeden@rsmi.com 7 of 14 Configurations System Network topography Firewall Router Web server DNS Backup plan VeriSign configuration Last Updated Person Responsible Included in Binder? Notes Business Continuity in a Binder 2-14-2007 - ASAE Technology Conference George A. Breeden, CAE RSM McGladrey - george.breeden@rsmi.com 8 of 14 Software System Software Version Vendor Licenses License Keys/Serial numbers Media Stored Offsite? Business Continuity in a Binder 2-14-2007 - ASAE Technology Conference George A. Breeden, CAE RSM McGladrey - george.breeden@rsmi.com 9 of 14 Software System Support Vendor Service Contract Contract Expires Notes Business Continuity in a Binder 2-14-2007 - ASAE Technology Conference George A. Breeden, CAE RSM McGladrey - george.breeden@rsmi.com 10 of 14 Hardware System Phone System Voicemail System HVAC Exchange Server AMS Server Switches UPS Systems Make Model Date Acquired Warranty or Service Contract? Contract Expires Cost at Support Vendor Acquisition Notes Business Continuity in a Binder 2-14-2007 - ASAE Technology Conference George A. Breeden, CAE RSM McGladrey - george.breeden@rsmi.com 11 of 14 Other Resources Document Phone Tree Plan Organization Chain of Command Emergency Evacuation Procedures Portable database of members and key constituents The following documents should be developed or maintained and be included in the master binder, depending on the organization. Who Last receives Reviewed Description A phone tree plan doesn't need to be complicated - it simply needs to contain a list of all staff and show who will contact who. For small to medium sized organizations, the simplest plan is to have the top person contact two people who each contact two more, and so on. When the final level is reached, then each person calls the person above them to give an accounting of who was contacted. If someone can't be reached immediately, the person above them then calls the people that their subordinate was to call. All Staff In the event the Executive Director, or other most senior staff person is not available during an emergency, the organization should have a documented chain of command or succession plan. This is simply a list of those people in decreasing order who are authorized to make decisions for the organization until the normal management is restored. The document should include the names, all contact information and optionally if there are any extensions or limits to their decision making. For example, in the event of an emergency certain staff may be authorized to expend funds to maintain or help with recovery, but at some point down the chain the organization may want to limit these actions. Similarly, in an extreme emergency, the organization may want to lift some limits on expenditures for certain key powers (ie., an emergency powers act). This list likely would include persons not limited to staff to include the chairman and other members of the board, depending on the organization. All Staff Every organization should have well documented evacuation procedures that include a gathering location and roll call procedure post event. The plan should include provisions for helping persons requiring special assistance. The gathering location should assume inclement weather. All Staff Every organization should have a simple text file with each of the key groups they may need to contact in an emergency. Ideally the entire business continuity plan should be contained on a CD or USB key that is updated periodically and would contain all contact information for members, board members, media and other key constituents. Key Staff Business Continuity in a Binder 2-14-2007 - ASAE Technology Conference George A. Breeden, CAE RSM McGladrey - george.breeden@rsmi.com 12 of 14 Other Resources Document Who receives Last Reviewed Password list (sealed and secured) Key Staff Remote web update procedures Key Staff Description While maintaining a list of all administrative and special system passwords poses a security risk, not having access to them in general, much less in an emergency, is worse. The list should be maintained in a sealed envelope in a secured location on and off site, and an electronic version maintained with key personnel, such as IT director, HR director, CEO, CFO, Chairman and legal counsel. Additionally, organizations should consider documenting the process for changing system passwords. Some passwords may be embedded in other systems such as system services or backup jobs, so having step by step procedures for fully changing them may be helpful if the crisis involves system security. In the event that the organization experiences an emergency, staff and members should be directed to the organization's web site for additional information. The business continuity plan should include information necessary for someone to be able to update the website with information for this purpose. It isn't necessary that the layman necessarily be able to update it, but that the information be sufficient for someone with reasonable technical skills to do so, and if any special software or access is required, detail those requirements. Instructions for accessing all critical systems remotely should be included, to include which accounts are permitted (if restricted) login instructions and any special instructions. In particular the organization should document the process for updating the company phone system or voicemail greeting as a way of leaving information for callers. Login IDs and passwords should be included. Ideally the organization should have an outside service prepared with common lists of key constituents and members so an emergency broadcast fax can be sent with little notice. Having pre-prepared fax data files at the vendor is not necessary, assuming the organization maintains the lists with the continuity plan, and can transmit them. Specific instructions and contact information for the vendor should be maintained, and tested periodically to ensure the data files are compatible with the service. Similar to the fax broadcast option the organization should be prepared to send broadcast faxes to key groups on short notice using the lists they maintain with the continuity plan. Specific instructions and contact information for the vendor should be maintained, and tested periodically to ensure the data files are compatible with the service. Standard procedures for general staff to access e-mail, voicemail and network resources should be maintained and shared with all staff. Access instructions for key systems Instructions for changing voicemail message remotely Key Staff Key Staff Procedure for broadcast faxing members and key constituents Key Staff Procedure for broadcast e-mailing members and key constituents Standard procedures for remote access to network resources Key Staff All Staff Business Continuity in a Binder 2-14-2007 - ASAE Technology Conference George A. Breeden, CAE RSM McGladrey - george.breeden@rsmi.com 13 of 14 Other Resources Document Who receives Last Reviewed International travel procedures All Staff Payroll instructions Key Staff Description If the organization has staff that travel internationally, for work or pleasure, it should have key procedures for these staff. In particular, it should include, per trip, information such as numbers for the US embassy, relief organizations and medical facilities that will accept your insurance if applicable. In the event that there is a business interruption every organization should be prepared to ensure that staff will continue to be paid pending return to normal operations. The organization should make plans regarding payroll and other benefits prior to having an emergency, which would include how to communicate to these organizations with instructions and what will be required from the companies to process these transactions outside of the normal process. Business Continuity in a Binder 2-14-2007 - ASAE Technology Conference George A. Breeden, CAE RSM McGladrey - george.breeden@rsmi.com 14 of 14