Developing and Implementing Business Continuity Plans
Dave Carlson - February 25, 2008
The following outline was extracted from a generally accepted practices (GAP) document prepared by the Disaster Recovery Journal Editorial Advisory Board and the Disaster Recovery Institute International (Yelland, 2007). This outline can be used as the basis for developing a business continuity plan (BCP). Customize the BCP for a particular organization, as appropriate.
- Preplan Activities
- Ensue the plan has executive oversight and authority before proceeding.
- Ensure that a business continuity policy is defined for the organization.
- Define, clarify and develop sponsor communication procedures.
- Develop, present, and obtain approval for planning assumptions and exclusions.
- Review organizational structure and management hierarchy for planning effort.
- Verify contact information, availability, and supervisory approval for all involved.
- Define project scope, schedule, and reporting points. Verify management approval and support for these components.
- Develop plan content guidelines.
- Data Gathering
- Complete a risk assessment for all parts of the plan.
- Use the completed Business Impact Analysis (BIA) (see Appendix A) to confirm impact to all critical business processes and systems for prolonged outages.
- Validate and clarify statements from executive management about the mission, vision, and goals of all aspects of the plan.
- Identify mission critical processes and any other processes that support the specific mission critical processes. Clarify the impact other processes may have on mission critical processes.
- Validate information about all goals with management to ensure the scope and size of the plan development effort will meet the organizationís needs.
- Establish requirements for resources and organizational commitment to complete plan development and implementation effort.
- Ensure all impacts not captured in the BIA have been analyzed and recorded.
- Identify and itemize vital records critical to the organization, including the critical tools and processes used to retain the records.
- Identify and itemize vendors critical to the organizationís mission and core business processes and functions.
- Identify key customers who will require notification or business modifications during time of disaster. Include required escalation procedures and parameters.
- Data Analysis and Consolidation
- Will the plan provide for recovery in time? Confirm overall recovery time objectives are achievable with recovery performance capabilities.
- Will the plan meet objectives? Confirm overall recovery point objectives are achievable with recovery performance capabilities.
- Finalize personnel and resource requirements to develop and implement the plan.
- Review, clarify, and understand the recovery alternatives available for each critical business function as well as cost analysis.
- Consider various approaches to develop the BCP documentation and effort.
- Determine if the recovery plan strategy requires a business case analysis.
- Review and confirm recovery site selections and build-out requirements.
- Define key parameters that the plan must address. Minimum considerations are:
- Legal and regulatory requirements,
- Contracts and agreements,
- Distinction between recovering business processes and technology,
- Recovery procedures,
- Disaster analysis, definition, notification, and escalation procedures,
- Backups and alternative worksites.
- Plan Documentation
- Document overview and scope, including considerations for any classified information.
- Include assumptions and impacts if assumptions are not valid.
- Include exclusions and potential impact of not including specific items.
- Include compliance statements about required items.
- Identify teams for each process, including team responsibilities.
- Document disaster identification, declaration, and escalation processes.
- Document supporting resources.
- Define and clarify all controls, including authority and compliance issues.
- Display recovery flow graphically, whenever possible. Include up and down stream requirements and dependencies.
- Provide an overview of each sub-component of the overall plan. Minimum requirements are:
- Command and control
- Communication plan (both internal and external)
- Media interface plan (pre-scripted and approved messages)
- Technology and tools plan
- Workplace plan
- Staffing plan
- Operational procedures plan for each phase of the recovery
- Supply chain plan dependencies and work-around procedures.
- Include whatever appendices are required to provide details about specific items. Examples include:
- Validation schedule
- Key internal contacts (detailed information)
- Key vendors and suppliers (detailed information)
- Off-site resource information
- Graphics (maps, floor plans, photos, organization charts, flow charts, etc.)
- Sub-plan details, as applicable
- Reporting requirements
- Event tracking requirements
- Compliance requirements and references
- Follow-Up Activities
- Plan for status reporting. Provide schedule for and document audits and changes.
- Plan recommendations report to include, but not limited to:
- Plan maintenance and distribution
- Validation process
- Audit process
- Training requirements
- Awareness program
- Command and control
- Post-Incident documentation. Include debrief procedures, gather status reports, identify and record key learning points, gather cost accounting details, and gather appropriate visual records of events (e.g., photos, newspaper reports, internal and external communications).
Yelland, L. (Ed.). (2007). Generally accepted business continuity practices: A look at business continuity best practices. A joint project of Disaster Recovery Journal and Disaster Recovery Institute International. Retrieved February 18, 2008 from http://www.drj.com/GAP/