Вы находитесь на странице: 1из 36

BCP Guide

http://www.bcprm.com/continuity/bcm/htmlhelp/BCPguide.htm

Business Continuity Guide

Help Topics

Contents
Introduction Standards & Practices Administrator Setup Initiation & Management Assessment & Analysis Continuity Development Continuity Management Incident Management

INTRODUCTION With the increased dependency of on-line applications, Internet usage and up-to-date information to facilitate decisionmaking and run daily operations, business processes and their support systems require continuous availability. Irregardless of how well you build redundancies into the infrastructure, such as, UPS, generators, hardware replication or how well you try to shield yourself from the hackers and crackers of the world, there will always be those natural and man-made disasters that can have a devastating impact on the organization. The best proactive action an organization can take is implementing a Business Continuity Management program that is fully integrated as an embedded management process. What is Business Continuity Management (BCM)? According to the Business Continuity Institute: Business Continuity Management is an holistic management process that identifies potential impacts that threaten an organization and provides a framework for building resilience and the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value creating activities. What is the difference between BCP and BCM? Firstly, BCP is a loosely used term that may mean Business Continuity Planning (a process) or Business Continuity Plan (the documentation). Before an organization can achieve a comprehensive Business Continuity Management (BCM) program, the Business Continuity Planning (BCP) process must be undertaken. Basically, the BCP process is the project related tasks. Business Continuity Management (BCM) is inclusive of the BCP activities, as well as, the on-going activities.
Business Continuity Planning (BCP) Business Continuity Management (BCM)

Identifies the BCM Management Team Develops a corporate wide BCM Policy Defines the Project Terms of Reference Identifies working team members Conducts a Risk Assessment & Impact Analysis Defines the scope & recovery strategies of the Plan Develops the BCP documentation

Embeds BCM into the corporate culture Maintains the Plan (change control) Conducts regular testing Provides on-going training Conducts annual audits

Myths & Misconceptions One of the more frequently asked questions is: What is the relationship between Business Continuity and Risk

1 de 36

21/9/2011 17:08

BCP Guide

http://www.bcprm.com/continuity/bcm/htmlhelp/BCPguide.htm

Management? The answer is: Business Continuity Management is actually a component of operational risk management. Below, is a comparison of the two disciplines.
Business Continuity Management Business Impact Analysis Impact and Time Events causing significant business disruption For strategy planning: Survival threatening incidents only Focus mainly on incident management mostly outside the core competencies of the business Sudden or rapid events (though response may also be appropriate if a creeping incident becomes severe) Key Method Key Parameters Type of incident Size of events Scope Intensity Risk Management Risk Analysis Impact & Probability All types of events - though usually segmented All sizes (costs) of events though usually segmented Focus primarily on management of risks to core-business objectives All from gradual to sudden

Another common question is: How does BCM fit with ISMS, ITIL and DRP?
Discipline ISMS Information Security Management System Information Security ITIL IT Infrastructure Library IT Infrastructure, Development and Operations ISO 20000 1. Service Strategy 2. Service Design 3. Service Transition 4. Service Operation 5. Continual Service Improvement DRP Disaster Recovery Plan IT Recovery BCM Business Continuity Management Business Continuity

Application (Focus) Standards Framework (Phases)

ISO 27001 1. Plan - designing the ISMS, assessing information security risks and selecting appropriate controls. 2. Do - implementing and operating the controls. 3. Check - review evaluate performance of ISMS. 4. Act - changes to bring ISMS back to peak performance IT only www.iso27001security.com

ISO 27000 1. Assess & Analysis 2. Plan Development 3. Plan Maintenance

BS 25999 1. BCM Policy & Program Management 2. Understand the Organization 3. Determine BCM Strategies 4. Develop & Implement a BCM Response 5. Exercise, Maintain & Review 6. Embed BCM within Organizations Culture Organization wide www.thebci.org

Continuity Reference

IT only www.itil.org

IT only www.drii.org

STANDARDS & BEST PRACTICES The recoverEASE Business Continuity Planning and Management module is designed as a do-it-yourself (DIY) solution that addresses best practices for Business Continuity.

2 de 36

21/9/2011 17:08

BCP Guide

http://www.bcprm.com/continuity/bcm/htmlhelp/BCPguide.htm

The following Good Practices Guidelines (GPG 2010) developed by the Business Continuity Institute (BCI) and Disaster Recovery Institute International (DRII) have been incorporated into recoverEASE. By following the instructions you will be complying with a set of internationally accepted standards and best practices for Business Continuity Planning (BCP) and Management (BCM). These standards are applied to logical project phases to form the methodology. Certification Standards 1. BCM Policy and Program Management a) Establishing the need for a Business Continuity Management (BCM) Process, including: resilience strategies, recovery objectives, business continuity and incident management plans, obtaining management support for such a process. b) Organizing and managing the formulation of the function or process either in collaboration with, or as a key component of an integrated risk management initiative. c) Developing, coordinating, evaluating and creating plans and procedures to communicate with external stakeholders including the media, during incidents; 2. Understanding the Organization a) Business impact analysis (BIA): Identifying the impacts resulting from disruptions and disaster scenarios that can affect the organization and developing techniques that can be used to quantify and qualify such impacts. Establishing critical functions, their recovery priorities and inter-dependencies so that recovery time objectives can be set. Risk evaluation and control: Determining the events and environmental surroundings that can adversely affect the organization and its facilities with disruption and/or disaster and understanding the damage such events can cause. Establishing the controls needed to prevent or minimize the effects of potential loss. Providing cost-benefit analysis to justify investment in controls to mitigate risks. 3. Determining Business Continuity Management Strategies a) Determining and guiding the selection of alternative business recovery operating strategies for continuation of business within recovery time and/or recovery point objectives, while maintaining the organizations critical functions. b) Delivering solutions for continuation of business within the recovery time and/or recovery point objectives, whilst maintaining the organizations critical functions. c) Developing, coordinating, evaluating and creating plans and procedures to communicate with internal stakeholders during incidents d) The provision of post-incident support and guidance for employees and their families 4. Developing and Implementing a BCM Response a) Developing and implementing emergency response procedures for responding to and stabilizing the situation following an incident or event. b) Establishing and managing an Emergency Operations Center to be used as a command center during the emergency c) Practical experience in handling incidents/emergencies d) Designing, developing and implementing business continuity and incident management plans that provide continuity within recovery time and/or recovery point objectives. 5. Exercising, Maintenance and Review a) b) Pre-planning and coordinating plan walkthroughs/exercises. Evaluating, updating, improving and documenting the results of exercises

b)

3 de 36

21/9/2011 17:08

BCP Guide

http://www.bcprm.com/continuity/bcm/htmlhelp/BCPguide.htm

c)

Developing processes to maintain the currency of continuity capabilities, business continuity and incident management plans in accordance with the organizations strategic direction. d) Establishing appropriate policies and procedures for coordinating incidents, continuity and restoration activities with external agencies whilst ensuring compliance with applicable statutes and/or regulations. e) Practical experience in dealing with external agencies 6. Embedding Business Continuity Management within the Organizations Culture a) Preparing a program to create and maintain corporate awareness and enhance the skills required to develop and implement the business continuity management program or process and its supporting activities.

ADMINISTRATOR OPTIONS & SETUP In the main menu click Administrator and complete the Set-up menus. This must be done prior to setting up users. Locations & Departments - Setting up the Locations and Departments is extremely important. Locations are geographic sites or buildings, such as HQ, a branch, regional office, etc. (not addresses such as 2nd floor ABC building). Keep the Location and Department names as short as possible, as they will be combined to generate the Unit ID. Unit IDs will be used to identify specific Departments, generate files in Phase 2 and for sorting of records & reports. Creating Users The Administrator is responsible for setting up BOD/Stakeholders, BCM Management, Senior Management, Auditors, Department Managers, BCP Manager and BCM Coordinator. Once setup, the BCM Manager and BCM Coordinator will be responsible for adding their respective users and assigning roles. The BCP Manager and BCM Coordinator will be limited to assigning User or Management level privilege only.

Setting User IDs and Passwords - When you first set-up your Users, use the first part of their email address as the User ID (Example: david@company.com, where david is the User ID). User IDs are unique. Meaning no duplicate IDs. You can assign a common password for all users, such as planner. The first time a User logs in, they can change their password. If a User forgets his/her password, you will need to clear it and enter a new password. Setting Privileges The Administrator has full privilege. Change History and Audit Logs are automatically generated in the Administrator main panel for sensitive data and file handling. Users are required to submit a Change Request when they need changes and do not have privilege.
Administrator & Auditor Administrator

The individual(s) responsible for managing recoverEASE. The recoverEASE Administrator is responsible for the Administrator module, which includes setting up the Locations, Departments, Users, User Privileges and setting initial roles of the Users. While the Administrator has unlimited access in recoverEASE, control will be given to the BCM Manager & BCM Coordinator to manage their respective modules. However, only the Administrator may delete a User, since a User may have a role in more than one module. Administrator privilege should be limited to only a few.

4 de 36

21/9/2011 17:08

BCP Guide

http://www.bcprm.com/continuity/bcm/htmlhelp/BCPguide.htm

Auditor

Allows the same access as Administrator, but for viewing only (no updating, uploading, additions, deletions or modification to files and data); Excellent for monitoring by Auditor, Compliance Officer or Quality Assurance

Business Continuity User Management

Department Managers, Team Leaders, Alternate Team Leaders & Team Members BCM Manager, BCM Coordinator, Senior Management & individuals that are responsible for Incident Reporting, Evacuation, Damage Assessment, Salvage, Logistics, Media and Crisis Management, BOD/Stakeholders

System Groups to link dependencies of Business Functions & Technology items Maintenance Functions License menu - for the Administrator to enter annual subscription information provided by recoverEASE. A renewal notice will be sent to you prior to the expiration date. Ensure the contact information is up-to-date. If you have changes to the Company Address or Contact Information, update the appropriate fields, SAVE Changes, generate the License report under Reports in the Treeview and email to support@bcprm.com. Important: DO NOT Change the Registration Number, Expiry Date or License Key until you receive the renewal instructions and new License Key. DB Backup / Restore facilities to backup and restore recoverEASE database Zip & Download User Files - provides Administrator with ability to zip and download all files in a folder Change History for tracking revisions / changes to the Plan Global Change Facility facilities to globally change Department names, owners, primary and alternate recovery responsibilities.

Reports & Logs contains various reports including changes to database records and audit logs to capture deletions and uploading of files

PROJECT INITIATION & MANAGEMENT Critical Success Factor # 1 - Ensure you have senior managements support; The Project Manager will need the approval and authority to cross departmental boundaries to get the needed cooperation; Ensure all functional areas of the organization are included in the project;

1 BCM Policy and Program Management a) Establishing the need for a Business Continuity Management (BCM) Process, including: resilience strategies, recovery objectives, business continuity and incident management plans, obtaining management support for such a process. b) Organizing and managing the formulation of the function or process either in collaboration with, or as a key component of an integrated risk management initiative. c) Developing, coordinating, evaluating and creating plans and procedures to communicate with external stakeholders including the media, during incidents; As a starting point, it is important to obtain senior managements approval and set-up a proper structure. The scope of the initiative must also be defined. This means identifying the parts of the organization that will be included in the project is it just HQ, HQ and regional offices, etc. Most organizations begin with HQ and expand to other locations once experience is gained from the initial project. Project Preparation Instructions You will need to download, review and edit the following documents (located in recoverEASE under Documentation in the Initiation & Management module):

5 de 36

21/9/2011 17:08

BCP Guide

http://www.bcprm.com/continuity/bcm/htmlhelp/BCPguide.htm

Sample BCM Policy Sample BCM Charter Phase1 Project Terms of Reference Phase2 Project Terms of Reference Department Form

Edit these documents based on your organizational structure. When you present to senior management, issue the documents as a handout. Note: Phase2 Project Terms of Reference cant be completed until Phase1 is complete, but will illustrate to senior management on the contents and help set expectations. Use the Project Planner (located in recoverEASE under Project Tools in the Initiation & Management module) to schedule and track the Project Tasks. Step 1 - Obtain Management Support for Project 1. 2. 3. Present Awareness slides to senior management Identify BCM Management Team Finalize the BCM Policy, Charter & Phase 1 Project Terms

Step 2 - Identify Project W orking Group (Department Team Members) 1. 2. 3. Present Awareness slides to all Department Managers Issue the Department Form Each Department must identify and assign a Team Leader and Alternate for the Projects duration. Team Leaders and Alternates must be knowledgeable of their Departments processes and policies.

Step 3 - Conduct Threat Vulnerability Analysis The Threat Vulnerability Analysis should be conducted as a workshop with the BCM Management Team or senior management.
Project Initiation & Management Obtain Management Support for Project Identify BCM Management Team Develop BCM Policy Develop BCM Charter Conduct Threat Vulnerability Analysis Identify Department Team Members Schedule Kick-off for Phase 1 Resources Project Management Office Project Manager Project Coordinator Senior Management Methods Presentations Interviews Documents / Reports Man Days 5 10 10 4 Outcomes & Deliverables BCM Awareness Identify Management Team Identify Working Project Members BCM Charter BCM Policy Threat Vulnerability Analysis Project Terms of Reference Audience Senior Management Senior Management Senior Management Duration day day day Week 1 Week 2

Key Assumptions

6 de 36

21/9/2011 17:08

BCP Guide

http://www.bcprm.com/continuity/bcm/htmlhelp/BCPguide.htm

That the BCM Management Team will play a key role in the governing, development and on-going activities of the Business Continuity Planning and Management programs. That a Project Management Office (PMO) will be established to manage project risks and quality assurance. That the Project Manager has the necessary BCM skills set or an external consultant will be hired to fill the role. That a BCM Management Team, Project Manager, Coordinator and a working group will be appointed to provide the required information to the project.

The BCM Management Team should represent the core components of the organization, (I.e. HR, Finance, IT, Risk Management, Operations, Property, Corporate Communications) as these individuals will be responsible for Damage Assessment and Plan activation when a disaster or disruption strikes. The working group is comprised of a Team Leader and Alternate from each department participating in the project. The Team Leader and Alternate must be knowledgeable in the processes and policies of their respective departments. BCM Management Team Roles & Responsibilities
During Business Continuity Planning Approve project budget Approve project scope/deliverables Review and accept Risk Assessment Approve the Scope of the Plan Review and accept the Plan On-going Business Continuity Management Approve budget Ensure Plan effectiveness Review Test plans and results Monitor Plan revision/change control Ensure annual audit of the Plan Report status to the Board Ensure compliance

Sample BCM Management Team

Damage Assessment Team

Recovery Team

Conduct Threat Vulnerability Analysis - All organizations face a certain level of risk associated with natural events, accidents or intentional acts. Pre-loaded with the most common "Man Made" and "Natural" disasters, the Threat Vulnerability Analysis is a tool to quickly analyze, rate the risk levels based on existing controls and select a mitigation strategy of the listed threats. Acceptable threats are simply acknowledged and require no further action, while threats with a mitigation strategy other than Accept must be exported to the Threat Register for further action.
Sample Threat Vulnerability Analysis Type: Threat: Likelihood: Impact Rating: Risk Score: Man Made Contagious Diseases 3 Moderate Happens every five years 4 High Serious 7

7 de 36

21/9/2011 17:08

BCP Guide

http://www.bcprm.com/continuity/bcm/htmlhelp/BCPguide.htm

Risk Level: Mitigation:

High Reduce

Once all tasks are complete you are ready to schedule the Phase 1 Kick-off with the BCM Management and working group members. Preparing for the Phase 1 - Risk Assessment & Analysis Kick-Off meeting Administrator - You will need to complete all menus under Set-up in the Administrator menu Setting Up Users - Requires Administrator privilege Pre-requisite Enter the Location and Department names in the Administrator Set-up menu first. Enter the names and contact info of your project team members and users. Members should have been identified as part of the Business Continuity - Project Initiation & Management tasks identified above. This will fill drop-down boxes in other menus to reduce data entry. User IDs are unique. Meaning no duplicate IDs. Tip - When you first set-up your Users, use the first part of their email address as the User ID (Example: david@company.com, where david is the User ID). You can assign a common password for all users, such as planner. The first time a User logs in, they can change their password. If a User forgets his/her password, you will need to clear it and enter a new password. Required Complete all fields including the Set Roles Checkboxes This is required for sorting in the Call List, Members and User reports. Setting Privileges - How you set privileges determines the read/write access for members to complete Tasks and to force change control.
Business Continuity Privileges User Department Managers, Team Leaders, Alternate Team Leaders & Team Members Management BCM Manager, BCM Coordinator, Senior Management & individuals that are responsible for Incident Reporting, Evacuation, Damage Assessment, Salvage, Logistics, Media and Crisis Management, BOD/Stakeholders

Using the Project Planner - The Project Planner & Scheduler menu is designed for the Project Manager to plan and schedule project activities. Project Phases, Tasks, Purpose, Responsibility, Task Activities & Notes have been pre-defined. Follow the Phases and tasks in order. The Project Manager uses the Scheduler section to set and manage project dates. Scheduler Field Descriptions Start/Meeting Date - When the Task or Meeting is executed Start Time - Time when the meeting is scheduled Meeting Location - Where the meeting will take place Estimated End Date - This is the expected end date for the Task Actual End Date - When the Task was actually completed As Project Tasks are completed, amend the records (Actual End Date) and go to the Project Checklist Menu and check off completed items to track your progress. Project Planner Reports Project Details Past Due Tasks Completed Tasks Incomplete Tasks Project Minutes - The Project Minutes menu is for generating the minutes of Project meetings. Typically, each Task would be associated with an individual Project meeting. Specific Project data entered in the Planner/Scheduler menu will

8 de 36

21/9/2011 17:08

BCP Guide

http://www.bcprm.com/continuity/bcm/htmlhelp/BCPguide.htm

automatically be displayed to identify the Project Task and you simply enter the Attendee & Absentee names and draft text of the minutes. Although you probably want more advanced formatting than is offered here, this is a good place to draft your Project minutes. This will give you a permanent record, which is easy to refer to. You can output the draft and format in your own word processor for the final version. Project Checklist - The Project Checklist menu allows you to track the project status. Simply check off items as they are completed and print out the report. Distribute to Team members at your Project Status meetings.

RISK ASSESSMENT & ANALYSIS Critical Success Factor # 2 - Ensure you get reliable, accurate information, as this forms the foundation for everything you do from this point forward

2 Understanding the Organization a) Business impact analysis (BIA): Identify the impacts resulting from disruptions and disaster scenarios that can affect the organization and developing techniques that can be used to quantify and qualify such impacts. Establish critical functions, their recovery priorities and inter-dependencies, so that recovery time objectives can be set. b) Risk evaluation and control: Determine the events and environmental surroundings that can adversely affect the organization and its facilities with disruption and/or disaster and understanding the damage such events can cause. Establish the controls needed to prevent or minimize the effects of potential loss. Provide cost-benefit analysis to justify investment in controls to mitigate risks. 3 Determining Business Continuity Management Strategies a) Determine and guide the selection of alternative business recovery operating strategies for continuation of business within recovery time and/or recovery point objectives, while maintaining the organizations critical functions. b) Deliver solutions for continuation of business within the recovery time and/or recovery point objectives, whilst maintaining the organizations critical functions. c) Develop, coordinate, evaluate and create plans and procedures to communicate with internal stakeholders during incidents d) The provision of post-incident support and guidance for employees and their families

Phase 1 Risk Assessment & Analysis BCP Awareness / Kick-off / Assign Tasks Business / Technology Assessment Conduct Facilities Evaluation Prepare Threat Analysis & Risk Profile Identify Minimum Workspace Requirements

Month 1

Month2

Month 3

9 de 36

21/9/2011 17:08

BCP Guide

http://www.bcprm.com/continuity/bcm/htmlhelp/BCPguide.htm

Compile Draft Assessment Report Present to Project Members for discussion Present to Management for Acceptance Resources Project Management Office Project Manager Project Coordinator Senior Management Department Managers Team Leaders & Alternates Methods Presentations Interviews Estimated Man Days 8 20 20 2 2 5 Outcomes & Deliverables Phase 1 Kick-off Risk Assessment & Analysis Report Facilities Evaluation Minimum Workspace Requirements Threat Vulnerability Analysis Risk Profile Business Assessment Technology Assessment Review Draft Assessment Report Risk Assessment & Analysis Report

Workshops

Documents / Reports

Before you can develop a suitable Continuity Plan, you must identify and prioritize what the Plan should contain and have management agree. This is the Requirements Definition process and involves the assessment of Information Technology equipment and business functions or processes. Of equal importance is avoiding disaster in the first place. For this purpose, an evaluation of your facilities, infrastructure, practices and surrounding area must be conducted. The objectives of the Risk Assessment are to identify any existing risks at the business location and to evaluate the business functions, support systems and resources required for recovery in the event of disaster or disruption. The Risk Assessment & Analysis consists of six main activities 1. 2. 3. Business Assessment - to understand functional priorities, risk levels, resources required, recovery time objectives and recovery strategy; Technology Assessment - to understand priorities, risk levels, resources required, recovery time objectives and recovery strategy; Minimum W orkspace Requirements to understand the minimum staff, PCs, telephones & fax required during the first 48 hours, 3 5 days and after one week in order to stage the recovery; to assist with staff relocation during a disaster or disruption to the work environment; Facilities Evaluation - to identify existing risks and recommends preventative measures; Threat Vulnerability Analysis - is a process that identifies the threats associated with natural events, accidents or intentional acts at your facilities and weighs the potential impact and likelihood of such an occurrence. Risk Profile to identify the top five risks, estimated impact duration and impact on cash flow;

4. 5. 6.

The end result or final deliverable of this Phase is a Risk Assessment & Analysis Report presented to management detailing our findings and recommendations. By getting managements agreement on the recommendations, the Scope of the Plan to be developed in Phase 2 Continuity Plan Development will be defined. Note: The Risk Assessment & Analysis phase is the most important as this is where the foundation for the remaining phases is built. Below are the contents of the Risk Assessment & Analysis Report. Use the Sample Risk Report Template (Documentation folder) to build your report. Report Contents: 1. Executive Summary 2. Introduction 3. Business Assessment 4. Technology Assessment 5. Minimum Workspace Requirements 6. Facilities Evaluation Results 7. Threat Vulnerability Analysis

10 de 36

21/9/2011 17:08

BCP Guide

http://www.bcprm.com/continuity/bcm/htmlhelp/BCPguide.htm

8. Risk Profile 9. Recovery Options & Cost 10. Recommendations Disaster Avoidance (threat analysis, mitigation) Continuity Plan Development (scope, strategies) 11. Conclusion Important All departments must participate in Phase 1 and every support system and business function, regardless of criticality, whether it is a manual or automated process must be assessed. Project Manager Review and Acceptance - The Project Manager is responsible for reviewing the data entered by the Team Leaders / Alternates in the Business and Technology Assessment menus. Only Accepted items will be included in Phase 2 Continuity Plan Development (requires Administrator privilege). Tips on Data Gathering As there is an abundant amount of information to collect during Phase 1, it is recommended to breakdown the Business & Technology Assessment into two steps. Step 1 - Identification & Impact Analysis: Interview Department Managers to complete Part 1 & 2. Identify who in the Department will complete Part 3 & 4. Step 2 - Recovery Profile: By completing Part 3 & 4, you will have defined the recovery requirements Business Functions Assessment - You must understand the criticality and dependencies in order to assess the business functions. An assessment must be made for all functions, regardless or whether they are manual and automated processes. The following represents the data that will need to be collected and analyzed for the Risk Assessment & Analysis report. During the Assessment workshop Department Team Leaders and Alternates will be instructed to enter the data into recoverEASE.
Business Functions Assessment
Step1 - Identification & Impact Analysis Part 1 Identity 1. Department 2. Function Name 3. Brief Description 4. Owner 5. System Dependency 6. Maximum Tolerable Outage 7. Priority Part 2 Impact Analysis 1. Identify Main Risk 2. Potential Impact 3. Likelihood 4. Risk Score Part 3 Inventory Required 1. Equipment 2. Software 3. Data/Documents Step 2 - Recovery Profile Part 4 Recovery Requirements 1. Recovery Point Objective 2. Recovery Time Objective 3. Recovery Strategy 4. Estimated Restore Time 5. Primary Recovery Responsibility 6. Alternate Recovery Responsibility 7. Pre-requisite to Recovery

Technology Assessment - Because most business functions are support by information technology, profiling the systems and more specifically the components (servers, storage, network equipment) is required to understand criticality and dependency or relationship to the business processes. The following represents the data that will need to be collected and analyzed for the Risk Assessment report. During the Assessment workshop Department Team Leaders and Alternates will be instructed to enter the data into recoverEASE.
Technology Assessment
Step1 - Identification & Impact Analysis Part 1 Identity 1. Department 2. Server or Item Name 3. Brief Description 4. Equipment Type 5. Owner 6. # Users 7. System Group 8. Maximum Tolerable Outage 9. Priority Part 2 Impact Analysis 1. Identify Main Risk 2. Potential Impact 3. Likelihood 4. Risk Score Part 3 Inventory Required 1. Equipment Specs 2. Software 3. Data/Documents Step 2 - Recovery Profile Part 4 Recovery Requirements 1. Recovery Point Objective 2. Recovery Time Objective 3. Recovery Strategy 4. Estimated Restore Time 5. Primary Recovery Responsibility 6. Alternate Recovery Responsibility 7. Pre-requisite to Recovery

11 de 36

21/9/2011 17:08

BCP Guide

http://www.bcprm.com/continuity/bcm/htmlhelp/BCPguide.htm

Impact Analysis The Impact Analysis is a result of the data collected in the Business Functions and Technology Assessment menus. The objective is to identify an impact rating for each Business Function and Technology component. Identify Main Risk - What is the main Risk associated with this Business Function or Technology component? Potential Impact - What affect will this have on your department if the Business Function or Technology component is unavailable/inoperable? Likelihood What is the likelihood of an incident affecting this Business Function or Technology component Impact Rating - What is the operational impact for this Business Function or Technology component on the organization

Criteria used to determine the Risk Rating:


Rating System 1 4 Very Low Likelihood 5 4 3 2 1 Common Twice a year or more Likely At least once a year Moderate Every 2 to 5 years Unlikely Every 5 to 10 years Rare Never happened 5 Low 6 Medium 7 High 8 10 Very High Impact Rating 5 Very High Catastrophic 4 High Serious 3 Medium Disruptive 2 Low Inconvenient 1 Very Low Minor inconvenience

Note: Likelihood may refer to actual or anticipated occurrence Minimum W orkspace Requirements - Since you are unlikely to have recovery facilities that can house all employees, you will need to determine the minimum workspace requirements. Perhaps, some can work from home, some may require a recovery site, some may have an alternate work location and others may need to be put on leave while facilities are unavailable. This will identify the number of staff, PCs, telephones and fax machines you will need in the first 48 hours, 3 - 5 days and after one week. This will help to identify the alternate workspace needed for recovery and assist with staff relocation. This information is collected via interviews with each Department Manager. This information is entered into the BCM Tool and is readily available to make informed decisions on what to do with office-less staff.
Unit ID Current # Staff First 48 hours Staff: PCs: Telephones: Facsimile: Number of Staff who can work from home during disaster: Number of Staff with Alternate Workspace: Number of Staff requiring relocation during disaster: Location of Alternate Workspace: Identify any special requirements: (Excluding PCs Telephone, Fax or Technology components) 3 5 Days After 1 week

Facilities Evaluation - The Facilities Evaluation will identify potential threats at the business premises and is conducted by the Project Manager. The Project Manager will make the appropriate recommendations on how to minimize or eliminate any identified risks found. The evaluation is a manual process conducted by interviews and visual inspection. The underlying theme here is "Disaster Avoidance". The evaluation is based on the following categories, which represent the most common threats imposed on operations and are the reasons companies have had problems or implemented Continuity Plans in the past. These areas are to be utilized as a basis for identifying risk. Evaluation Categories

12 de 36

21/9/2011 17:08

BCP Guide

http://www.bcprm.com/continuity/bcm/htmlhelp/BCPguide.htm

Fire Protection Physical Security Data/Document Management Information Technology Practices Personnel Management Environmental Systems General Programs External Factors Pandemic Plans

Threat Vulnerability Analysis - a process that identifies threats that could cause a disaster or disruption, identifies the potential impact and weighs the likelihood of the threats. The organization will be better informed to study mitigation strategies and related implementation costs. The organization can either Accept the risk or mitigate (Avoid, Exploit, Reduce or Transfer) the risk knowing you have made an informed decision. Note: The Threat Vulnerability Analysis should have been conducted in the Project Initiation & Management phase. If not, it must be completed during Phase 1. Risk Profile - This is not rocket science, but an attempt to logically anticipate the types of incidents the company is most like to experience and potential impact to cash flow. You will need to know the types of incidents that happen in the area and try to anticipate the 5 most likely events that could affect the company. If you are a regular reader of the local newspaper, it should be easy. If not, you will need to update yourself or do some research or use the Threat Vulnerability Analysis to determine the top five threats. Use common sense. If the company is located in Florida or South Carolina, then a hurricane is a pretty good bet. If you are in California, then earthquakes are a likely event. Look at the area. Are you in a flood prone area? Are there frequent disruptions to power? And so on... Basically, all companies are at risk of fire, system intrusion, equipment failure and human error. In the Facilities Evaluation - External Factors section, you should have already asked some key questions you may be able to use here as well. Use your best judgment and try to estimate how long the event would cause an outage. When you present the Risk Assessment report you must be convincing. The "Incident History for Area" tab is used to document previous events in the area and/or at the company. This is where you justify your selection of the events. Next, perform a basic Financial Impact. The objective here is to show the amount of funds that move in and out of the company. Go to the Finance Manager and explain that you need to know the average amount of incoming and outgoing funds per month. This is for the location you are assessing. For example - If you are assessing the Headquarters location, then it is the funds that move in and out of that location. Not what happens in the regional or branch office. The Finance Manager should be able to retrieve this info from last year's financial reports very easily (Incoming Funds = Revenue; Outgoing Funds = Expenses). You can add any estimated growth to last year's amounts and determine the average monthly amount. The report will calculate the daily amount based on 20 working days per month. When a disaster strikes, the flow of funds is usually disrupted - not lost, just delayed. With a disruption of funds, it may limit the ability to settle payments and obligations to banks, suppliers, employees, etc., which can result in lost business, legal action and eventually bankruptcy.

CONTINUITY PLAN DEVELOPMENT

4 Developing and Implementing a BCM Response a) Developing and implementing emergency response procedures for responding to and stabilizing the situation following an incident or event. b) Establishing and managing an Emergency Operations Center to be used as a command center during the

13 de 36

21/9/2011 17:08

BCP Guide

http://www.bcprm.com/continuity/bcm/htmlhelp/BCPguide.htm

c) d)

emergency Practical experience in handling incidents/emergencies Designing, developing and implementing business continuity and incident management plans that provide continuity within recovery time and/or recovery point objectives.

2 Continuity Plan Development Project Kick-off / Assign Tasks Complete Executive Section Complete Plan Appendices Complete Recovery Steps Prepare Draft Plan Conduct Initial Plan testing & validation Present to Project Members for discussion Present to Management for acceptance Resources Project Management Office Project Manager Project Coordinator Senior Management HR Manager Property Manager Team Leaders & Alternates Method Presentations Interviews Man Days 8 25 25 4 4 4 12

Month 1

Month2

Month 3

Outcomes & Deliverables Phase 2 Kick-off Roles & Responsibilities Staff Relocation Pandemic Plan Site Restoration Recovery Procedures Development Plan Testing Incident / Crisis Management Business Continuity Plan Initial Testing Report

Workshops Training Documents / Reports

Introduction A Continuity Plan is a documented statement of actions and steps to follow before, during and after a crisis situation to minimize disruption to operations. The Plan will define recovery policies, the responsibilities of the Recovery Teams and the procedures to restore the critical functions. recoverEASE has developed a set of common elements to produce a generic Plan model to save you time without sacrificing content or quality. These elements are applicable for any industry or organizational environment. You can build an ICT Plan, a Department Plan or a corporate wide Plan with an unlimited number of departments. Plan Elements - Elements are chapters and appendices that makeup the entire Plan. The Plan is divided into two sections Executive Section - lays out the basic responsibilities and policies of the Plan Recovery Section - describes in detail the step by step, keystroke by keystroke actions required to restore the operations

The Executive Section is primarily used as a communication tool to inform the organization of the Plan and lays out recovery policies. The Recovery Section is technical in nature and is the "what" and "when" actions that must take place in order for recovery to be achieved. The following is the list of generic Plan chapters and appendices. Remember, you can add additional chapters to the generic model as required.

14 de 36

21/9/2011 17:08

BCP Guide

http://www.bcprm.com/continuity/bcm/htmlhelp/BCPguide.htm

Generic Plan Model


Executive Section Chapters 1. Purpose & Scope 2. Roles & Responsibilities 3. Emergency Response 4. Incident Management 5. Staff Relocation 6. Site Restoration 7. Pandemic Plan 8. Plan Management Appendices a) Internal Call List b) Business & Technology List c) Vendor/Suppliers List d) Policy Statements e) Recovery Site(s) f) External Call List g) Insurance Coverage h) Command Centers i) Plan Revisions j) Change History Recovery Section Chapters 1. Team Assembly 2. Retrieval of Data/Documents 3. Business Responsibilities 4. Technology Responsibilities 5. Recovery Steps 6. Return to Normalcy Appendices a) Recovery Team Call List b) Business & Technology Inventory c) Configuration Diagram d) Network Diagram

W orking with Plan Elements All Plan Elements originate as RTF documents. They may be downloaded, edited and uploaded as required. Access Control Plan Sections - Only Administrator, BCM Manager or Coordinator may upload or delete files Recovery Steps - Only Administrator, BCM Manager or Coordinator may Generate Templates Recovery Steps - All Users may download and upload Recovery Step files to complete tasks Plan Appendices - See the Help topic in each menu for access control Tips Only 'Accepted' Business Functions & Technology Items in Phase 1 are included in the Recovery Steps Template generator. You must regenerate the ES & RS Reports after changes to reflect the latest data in the corresponding Plan Section Appendices. The Appendices menus are database programs that use the data to generate the corresponding files in the ES & RS Reports. To simplify the process, click Regenerate to update all ES & RS Reports at once. This should always be done before you zip, download or distribute any Appendix files. Preparation Set Roles Generate the Recovery Steps Templates for Users to complete their tasks File Limits Total available space for Plan Sections is 2GB and for Recovery Steps is 2GB; individual file size maximum is 10MB; any non-scripting, non-executable file types are allowed; Recommendation It is highly recommended to follow the Plan Elements and naming convention that has already been established. When the reports (highlighted in blue above) are generated under Responsibilities, ES Reports and RS Reports, the corresponding chapter or appendix is automatically updated and time stamped in the Plan Sections based on the naming convention. Maintain the Plan in recoverEASE and all users will have access anytime, anywhere. 1. Generate the reports under Responsibilities, ES Reports and RS Reports. This will automatically update the corresponding chapters and appendices in the Plan Sections. To simplify the process, click Regenerate to update all ES & RS Reports at once.

When you have updates to the Plan, complete item 1 above.

15 de 36

21/9/2011 17:08

BCP Guide

http://www.bcprm.com/continuity/bcm/htmlhelp/BCPguide.htm

Building the Plan Building the Continuity Plan is a two-step process under Plan Builder. The Administrator (Project Manager) may edit the Plan Contents while users are editing their Recovery Steps templates. You will need to generate the Recovery Steps templates in the Recovery Steps menu by clicking Generate Templates. This will generate a RTF document for every Function and Technology Item that was "Accepted" in the Business Functions & Technology Assessment menus. The name of the document consists of Unit ID_Priority_Function or Technology Name. Users may click on the file and download for editing. The file name should always be maintained. Once edited, users may upload the updated Recovery Steps file. Each time you re-generate the Recovery Steps templates only missing files or new Functions or Technology Items are created. Previous files are not over written. The major tasks for the Team Leaders & Alternates during Phase 2 is building their Recovery Procedures for each Business Function and Technology Item. recoverEASE utilizes the data collected during Phase 1 to generate templates for each Business Function and Technology Item accepted and included in the Scope of the Plan. The standard format for Recovery Procedures varies between Business Functions and Technology Items. A workshop is utilized to assist the Team Leaders & Alternates with this task.
Business Functions Sample Format Unit ID: HQ - Finance Function: Account Receivable Priority: Critical (first 48 hours) Pre-requisite: Restoration of Great Plains Recovery Procedures: A. Action During Disruption B. Data/Transaction Recovery C. Functional Restoration D. Verification Technology Items Sample Format Unit ID: HQ - ICT Item: HRMSAPPS System Group: ABC HRMS Priority: Moderate (3 to 5 days) Pre-requisite: Backup media available Recovery Procedures: A. Operating Environment Restore B. Data Restoration C. Network Restoration D. Verification

The Recovery Steps instructions should be in sufficient detail so that any member of the Recovery Team may follow. This is the heart of the Recovery Section and tends to be technical by nature. Ensure there is sufficient detail. All approved change request and changes to responsibilities for Business Functions and Technology are captured by the system and updated automatically when you generate the ES-I Plan Revisions & ES-J Change History reports. Important - If required, you may add or delete chapters with a few exceptions. 1. 2. Always follow the naming convention (I.e. ES-3-EmergencyResponse.rtf, RS-5-RecoverySteps.rtf, etc.). Never rename any of the Appendices or the following chapters, as they are automatically updated with the latest data. RS-3-Business Responsibilities RS-4-Technology Responsibilities

Maintaining the Plan - If one element requires change download, amend and upload to replace the element. Building the Call Tree There are 5 menus provided to build the contact information that will be required when you need to implement the Plan. The contact info will be used as part of the Crisis Management when disaster strikes to assemble Teams and update relevant people/organizations of the disaster status. 1. Internal Call List - for Internal Notification and includes the Damage Assessment Team, Management Team, Salvage Team, Evacuation Team, Recovery Teams and Non-Members (staff/users - I.e. Stakeholders, Branch & Regional managers, etc.) 2. External Call List - for External Notification and includes customers, authorities, regulatory bodies, etc. 3. Vendor/Suppliers - list of vendor/suppliers you may need to contact for support, re-supply or determination on salvageable/unsalvageable equipment 4. Insurance Coverage policy and contact information for insurance claims

16 de 36

21/9/2011 17:08

BCP Guide

http://www.bcprm.com/continuity/bcm/htmlhelp/BCPguide.htm

5.

Emergency Services - For contact info of emergency services you may need during Emergency Response

Building the Teams Information entered in the Project Members menu will be available in the Internal Call List menu under Plan Development. You will need to locate and assign individual roles for each member in the Internal Call List menu. Sample Team Structure

Damage Assessment Team Roles & Responsibilities


Management Team Disaster Declarers Assessment Leader Assessment Members Corporate Affairs Operations Property Administration Human Resources Recovery Management BCM (Recovery) Manager BCM (Recovery) Coordinator Evacuation Team

Recovery Team

Authority to declare a disaster and invoke the BCP Responsible for Incident Reporting, Damage Assessment, Command Center Activation and recommendation on whether to declare a disaster or not Responsible for assessing the impact and duration of the disaster/disruption to their specific functional areas Responsible for media management and preparing press statements for senior management related to the disaster/disruption Assesses the operational effectiveness when a disruption or disaster occurs; Ownership of the BCM program Responsibility for the repair / relocation of the damaged facilities Provides logistics/transportation assistance Assist the Damage Assessment Team with the relocation of affected staff based on the length and severity of the disaster Responsible for the companys BCM Acts as backup to the BCM Manager, maintains the Business Continuity Plan (change control, testing & distribution) Responsible for emergency evacuation, assembly at designated area and head count; Consists of Team Leader and Floor Marshals (This should already be in place for Occupational Safety & Health compliance) Department Managers to determine salvageable items Responsible for supplies & transportation to recovery site Overall responsibility for their Department BCM Responsible for maintaining and testing the Business Functions and support systems related to their Departments recovery capability Acts as backup to the Team Leader Perform assigned recovery tasks

Salvage Team Logistics / Transportation Department Managers Team Leaders Alternate Team Leaders Team Members

Department Team (Each Department)

17 de 36

21/9/2011 17:08

BCP Guide

http://www.bcprm.com/continuity/bcm/htmlhelp/BCPguide.htm

Set Role(s) - Check the appropriate checkbox under the specific Team. The Department Managers, Team Leaders and Alternates should have been set when you first set them up as Project members. You will need to add the Disaster Declarers, Damage Assessment, Salvage, Evacuation and Logistics/Transportation team members now. Adding them in the Internal Call List menu doesnt give then a password or privilege to access recoverEASE. If you want them to have access, then go to the Project Members menu in the Initiation & Management module to set them up. Tips - A BCM Management Team member should not be a Recovery Team member. A Recovery Team member should not be a Management Team member. Evacuation members shouldn't have any other responsibilities. Do not give an individual too many responsibilities. The Disaster Declarers and BCM Coordinator should not have any other roles. The BCM Manager may also be the Damage Assessment Leader or a Damage Assessment Member. Make sure the Position field reflects the person's role(s) in the Team [I.e. BCM Manager/Damage Assessment Leader or Damage Assessment Member (Technology)]. Building the Department Team Department Managers Should be a Savage Team member, as they are more aware of the departments assets and can deal with vendors on whether items are salvageable or not; Should be the Assembly Point and Head Count Leader for their department, as they should be aware of who is on leave or away from the workplace; Department Team Leaders a senior department member who understands the processes and policies of the department and may act as backup to the Department Manager; Department Alternate Leader backup to the Department Team Leader Department Team Member in large departments, members are necessary in assisting with recovery activities;

Non-Team Members - Require Notification: For non-members, such as company staff, Stakeholders, Branch or Regional Managers and senior management that are not part of any Team, but require notification during a disaster (only notified if the Disaster is declared).

CONTINUITY PLAN MANAGEMENT

5 Exercising, Maintenance and Review a) b) c) Pre-planning and coordinating plan walkthroughs/exercises. Evaluating, updating, improving and documenting the results of exercises Developing processes to maintain the currency of continuity capabilities, business continuity and incident management plans in accordance with the organizations strategic direction. d) Establishing appropriate policies and procedures for coordinating incidents, continuity and restoration activities with external agencies whilst ensuring compliance with applicable statutes and/or regulations. e) Practical experience in dealing with external agencies 6 Embedding BCM within the Organization Culture a) Preparing a program to create and maintain corporate awareness and enhance the skills required to develop and implement the business continuity management program or process and its supporting activities.

3 Continuity Plan Management BCP / BCM Awareness & Education BCM Tool User Training BCM Tool Management Training BCM Tool Administrator Training

Duration day day day 1 day

Participants All Department Managers All non-management users BCM Management Team recoverEASE Administrators

18 de 36

21/9/2011 17:08

BCP Guide

http://www.bcprm.com/continuity/bcm/htmlhelp/BCPguide.htm

Incident Management Training Testing & Maintenance Training Test Preparation Actual Test Plan Audit Training Awareness Survey Resources Project Management Office Project Manager Project Coordinator BCM Management Team Senior Management Methods Presentations 4 12 12 2 2

1 day 1 day 5 days 5 days day 2

BCM Management Team BCM Manager, Coordinator, Team Leaders & Alternates BCM Management Team BCM Management Team & Department Teams Auditor, BCM Manager, BCM Coordinator Random participants

Estimated Man Days

Outcomes & Deliverables Test Report Results Awareness Survey Results Project Closeout Presentation Test Plan Test Report Awareness Survey Report Project Closeout Report

Documents / Reports

Note: An Awareness Survey Form is available in the Plan Maintenance module in recoverEASE. Although referred to as Phase 3, these are the formal on-going programs required to ensure the Plan is maintained, tested and validated. How you manage the Plan is extremely important. You can use the Event Scheduler to schedule your Tests and Revision Control sessions in advance by clicking on Events in the main menu. Here are some tips. Plan Implementation & Distribution - The Plan should be issued or accessible to those people who are responsible for implementing the Plan. Try to minimize the number of hard copies of the Plan that you will need to manage. As long as users have Internet access to the Plan, then you only need to have a few hard copies at the Command Centers and Recovery locations. Maintain the Plan in recoverEASE. This will allow team members to review on-line and minimize the hard copies you need to distribute. Although you will probably need to output a few hard copies to present to management, having access to the Plan on-line will be much faster than searching for the hard copy when you need to review it. Ensure you have access to recoverEASE at your Recovery site(s) and Command Centers. Most importantly - Communicate the Plan throughout the organization. Although the project members will be fully aware of the Plan contents since they went through the process, other employees will not unless it is presented to them. As a minimum, employees need to understand the Escalation and Emergency Response procedures described in Chapter 3 Crisis Management in the Executive Section of the Plan if you expect to have incidents reported and managed properly. Give formal presentations to staff. Get the whole organization involved in testing. Conduct fire drills and evacuation exercises regularly. Testing & Maintenance - During Plan Development and after the Plan is complete, testing and maintenance of the Plan are essential. Testing should be conducted at least twice a year after Plan Development. Rotate team members into different roles to give more exposure to the overall Plan. The Plan is just like a piece of software - it must be maintained. As the organization changes or personnel change, so must the Plan. Incorporate good change control procedures. An annual Audit of the Plan by a qualified 3rd party is recommended. Data Entry menus, Reports & Blank Forms provided for testing & maintenance in recoverEASE Test Objectives Test Activities Problem Log Test Report

19 de 36

21/9/2011 17:08

BCP Guide

http://www.bcprm.com/continuity/bcm/htmlhelp/BCPguide.htm

Revision Control Global Change Facilities Periodic Reviews

Initial Testing (during Plan Development) Testing may take place during Plan development on a component basis. For example, once the procedures are documented for the recovery of the IT operating environment (O/S), it may be tested to ensure the O/S can be restored at the alternate-computing center. There is no need to wait until the entire Plan is finished to start testing the major components. There is a logical sequence to follow. First, the operating system, then the database, applications and network for example. The initial test is primarily to evaluate the contents of the procedures for accuracy and completeness. The authors of the procedures need to describe in detail all steps required to achieve recovery. Quite often the author may leave out small details because he/she performs these mundane tasks daily. The detail should be such that any person could follow the procedures and recover. A Project Manager is typically not experience with every application, operating system or business function and therefore cant simply read the procedures and ensure they are complete and accurate. The best way to ensure the procedures are correct is - to have someone other that the author conducts the test. You may want to switch the recovery team members, where as, the applications team restores the O/S and the O/S team recovers the applications for example. If other team members can restore functions they are not familiar with, then the procedures must be properly documented. This same approach is used for non-IT functions. For any test, whether it is initial testing or on-going testing, the proper steps are: 1. 2. 3. 4. 5. 6. 7. Define Scope/Objectives Assumptions & Test Scenario Develop Test Schedule/Activities Test Walkthrough Actual Test Test Monitoring Test Post-mortem

1. Scope/Objectives - The Scope should state whether the Test is an ICT test, a complete BCP test or identify the departments participating in the Test. Any test must have pre-determined objectives in order to measure success or failure. The objectives may be to measure the timeframe for recovery, or validity of the procedures, or both. 2. Assumptions and Test Scenario - Any assumptions that the test is based on should be documented as well. A standard assumption is the test data that will be used (I.e. what back-up to restore from; is it a partial or full back-up; how many days of lost data to apply to the back-up, etc. This assumption is important for the teams to conduct data reconciliation/verification. Without the reconciliation/verification process, the test cannot be validated as successful. The objectives and assumptions of the test should be decided within the recovery team and presented to senior management for approval prior to testing. Scenario - Example: The disaster happened at 7:00am on Friday, 13 June before the office opened. All on-site data was destroyed. The recovery test will restore the full system backup from Saturday, 7 June and apply the incremental back-ups from Monday, 6 June to Thursday, 12 June from the company's off-site storage. All Department team members will participate. Location/Participants - Identify the Test Site & Address and the Participants of the Test. 3. Develop Test Schedule/Activities - Develop a list of activities with the team members. The list should indicate who performs the activity, the estimated start & end times of each major recovery step. This list can be developed in the Test Activities menu after completing the Test Objectives menu and can measure estimated against actual times. 4. Test Walkthrough - When the test objective, assumptions & activities list has been developed, a test walkthrough is conducted 2-3 days prior to the test to determine if any deficiencies or omissions maybe foreseen. This is typically a classroom environment where the team members methodically go through the testing scenario to ensure they have included the proper procedures, have the required inventories and understand their responsibilities and roles for the test. (Use the Test Objectives and Test Activities reports to present to the Recovery Teams) 5. Actual Test - The actual test maybe either a partial test or full test. Upon the completion of the Recovery Procedures section, most organizations would breakdown the initial tests into small, manageable components to check

20 de 36

21/9/2011 17:08

BCP Guide

http://www.bcprm.com/continuity/bcm/htmlhelp/BCPguide.htm

for completeness and expose the team members to testing gradually. The following is an IT example: 1st Test Operating System Recovery 2nd Test Database Recovery 3rd Test Applications Recovery & Network Recovery 4th Test Full Test For Speed

The first test is most important. If you cannot restore the operating environment, you cannot proceed with other testing. The recovery configuration will probably not be the same environment as the home site computing system and allowances will have to be made. It maybe that there are software components that are CPU serial number dependent and require patching or approval from the software vendor for use on the recovery machine. The disk configuration maybe different and necessary allowances made. The second and third test is to validate the remaining components of the Plan. Applications Recovery should include participation from the users as well. After the initial test to check the procedures, branch operations if any, should be included in testing. You do not have to include every branch in the same test. This could be accomplished over time. Additionally, the data back-ups must be tested and checked periodically to ensure they are readable and recoverable. The users and applications personnel should develop data reconciliation/verification procedures to guarantee that the data is complete and accurate and testing is successful. The fourth test is to measure the actual recovery timeframe to ensure you can meet the recovery time objectives. This test should include every component of the Plan from team assembly, retrieval of off-site data/documents and the complete restoration and verification of the recovery process. This test should utilize the actual team members performing their own tasks. This is not the time to switch team members around. Future tests should switch team member's responsibilities to give each a broader exposure to the entire Plan. Test should be as realistic as possible. In some cases, alternate facilities and equipment may not be available and a simulation test is the only option. If so, you must make the simulation as realistic as possible. For example: You have a business recovery plan for a department that will only rent alternate office facilities when faced with an actual disaster. This may be because renting alternate facilities is too expensive based on the risk. For testing, they do not have anywhere to assemble and restore. You can simulate alternate facilities by utilizing space at another branch or hotel. At least do it away from the home site. This way you will know if the Critical Inventory required for the recovery is actually available. Everyone in the organization should be exposed to Plan testing. By testing, people routinely understand what has to be done. During a crisis there is total chaos. By testing, hopefully these people won't panic in time of need. When to test During Plan Development After Major Upgrade Or Addition To Hardware/Software After Changes To The Organization After Changes To The Recovery Facility When You Have New Team Members Minimum Twice A Year

There is nothing wrong with having a problem during testing, but you should never have the same problem twice. 6. Test Monitoring - The Recovery Manager and/or DR Coordinator should monitor each and every test. The purpose is to ensure the Plan documentation is accurate and measure the time of restoration of each component. Any deviation from estimated times, actual recovery procedures, deficiencies or omissions in the Plan should be noted during testing for later up-date to the Plan. A Problem Log should be kept, which will document any problems (Problem Log Menu/Form). Most organizations would include a member of the company's audit department to assist in monitoring the testing. Generate and take the Test Activities Report (estimated) to the test to input the actual start & end times. When you return to the office input the data into the appropriate record in the Test Activities menu to update the report. (Can do this on-line if you have access to recoverEASE) 7. Test Post-Mortem - After each test, whether successful or not, a follow-up with a test report to the team members and senior management is required. A summary of the test activities should be highlighted and any problems encountered should be noted and a course of action chosen to rectify the problem. The report should state whether the objectives were met or not. If not, why? The Plan must be up-dated if applicable. Future test and their objectives

21 de 36

21/9/2011 17:08

BCP Guide

http://www.bcprm.com/continuity/bcm/htmlhelp/BCPguide.htm

should be discussed. If the test was completely unacceptable, then the corrective measures should be made immediately and a new test rescheduled as soon as possible. recoverEASE reports are excellent for this. The Problem Log and the actual start & end times data will help you prepare the overall Test Report.

On-Going Tests As a minimum the organization should test the Plan twice a year. Many organizations test on a quarterly basis. Components of the Plan may be tested anytime. You should conduct one full test per year. This is the ideal time for the annual Plan Audit. Keep the users involved in testing and ensure the Plan is kept high profile within the organization. Get senior management involved. Test objectives should vary from one test to the next. Rotate team members as often as possible to give each greater exposure to the Plan. The ideal test would be to switch all computer operations at the home site and run normal production at the recovery site. This is a bit risky, but if the Plan is correct and your network capability is in place, it should be no problem. In any test you must have data reconciliation. There must be a means to verify that the data is complete, accurate and that there are no lost transactions. Reconciliation procedures should be pre-determined between the appropriate recovery teams and the users. (Reconciliation procedures can be built for each function in the Recovery Steps in the Verification box) There is no need to have the entire team present throughout the entire test. They will just be in the way. Only team members who need to perform the tasks should be present when required. It is very frustrating and a waste of their time to have them sitting around with nothing to do. These team members still have their day-to-day responsibilities at the home site while testing is taking place. The Test Activities Report should make it clear who and when team members need to be present. Types of Tests Testing methods can vary from simple to complex depending on the preparation and resources required. Each bears its own characteristics, objectives, and benefits. The type or combination of testing methods employed should be determined by, among other things, the experience with business continuity planning, size, complexity, and the nature of its business. Testing methods include both business recovery and disaster recovery exercises. Business recovery exercises primarily focus on testing business line operations, while disaster recovery exercises focus on testing the continuity of technology components, including systems, networks, applications, and data. To test split processing configurations, in which two or more sites support part of a business lines workload, tests should include the transfer of work among processing sites to demonstrate that alternate sites can effectively support customer-specific requirements and work volumes and site-specific business processes. A comprehensive test should involve processing a full days work at peak volumes to ensure that equipment capacity is available and that RTOs and RPOs can be achieved. More rigorous testing methods and greater frequency of testing provide greater confidence in the continuity of business functions. While comprehensive tests do require greater investments of time, resources, and coordination to implement, detailed testing will more accurately depict a true disaster and will assist management in assessing the actual responsiveness of the individuals involved in the recovery process. Furthermore, comprehensive testing of all critical functions and applications will allow management to identify potential problems; therefore, management should use one of the more thorough testing methods discussed below to ensure the viability of the BCP before a disaster occurs. Examples of testing methods in order of increasing complexity include: Tabletop Exercise / Structured Walk-Through Test A tabletop exercise/structured walk-through test is considered a preliminary step in the overall testing process and may be used as an effective training tool; however, it is not a preferred testing method. Its primary objective is to ensure that critical personnel from all areas are familiar with the BCP and that the plan accurately reflects the ability to recover from a disaster. It is characterized by: Attendance of business unit management representatives and employees who play a critical role in the BCP process;

22 de 36

21/9/2011 17:08

BCP Guide

http://www.bcprm.com/continuity/bcm/htmlhelp/BCPguide.htm

Discussion about each persons responsibilities as defined by the BCP; Individual and team training, which includes a walk-through of the step-by-step procedures outlined in the BCP; and Clarification and highlighting of critical plan elements, as well as problems noted during testing. W alk-Through Drill / Simulation Test A walk-through drill/simulation test is somewhat more involved than a tabletop exercise/structured walk-through test because the participants choose a specific event scenario and apply the BCP to it. However, this test also represents a preliminary step in the overall testing process that may be used for training employees, but it is not a preferred testing methodology. It includes: Attendance by all operational and support personnel who are responsible for implementing the BCP procedures; Practice and validation of specific functional response capabilities; Focus on the demonstration of knowledge and skills, as well as team interaction and decision-making capabilities; Role-playing with simulated response at alternate locations/facilities to act out critical steps, recognize difficulties, and resolve problems in a non-threatening environment; Mobilization of all or some of the incident management/response team to practice proper coordination without performing actual recovery processing; and Varying degrees of actual, as opposed to simulated, notification and resource mobilization to reinforce the content and logic of the plan. Functional Drill / Parallel Test Functional drill/parallel testing is the first type of test that involves the actual mobilization of personnel to other sites in an attempt to establish communications and perform actual recovery processing as set forth in the BCP. The goal is to determine whether critical systems can be recovered at the alternate processing site and if employees can actually deploy the procedures defined in the BCP. It includes: A full test of the BCP, which involves all employees; Demonstration of emergency management capabilities of several groups practicing a series of interactive functions, such as direction, control, assessment, operations, and planning; Testing medical response and warning procedures; Actual or simulated response to alternate locations or facilities using actual communications capabilities; Mobilization of personnel and resources at varied geographical sites, including evacuation drills in which employees test the evacuation route and procedures for personnel accountability; and Varying degrees of actual, as opposed to simulated, notification and resource mobilization in which parallel processing is performed and transactions are compared to production results. Full-Interruption / Full-Scale Test Full-interruption/full-scale test is the most comprehensive type of test. In a full-scale test, a real-life emergency is simulated as closely as possible. Therefore, comprehensive planning should be a prerequisite to this type of test to ensure that business operations are not negatively affected. The organization implements all or portions of its BCP by processing data and transactions using back-up data/media at the recovery site. It involves: Enterprise-wide participation and interaction of internal and external management response teams with full involvement of external organizations; Validation of incident response functions; Demonstration of knowledge and skills as well as management response and decision-making capability; On-the-scene execution of coordination and decision-making roles; Actual, as opposed to simulated, notifications, mobilization of resources, and communication of decisions; Activities conducted at actual response locations or facilities; Actual processing of data using back-up media; and Exercises generally extending over a longer period of time to allow issues to fully evolve as they would in a crisis and to allow realistic role-playing of all the involved groups.

23 de 36

21/9/2011 17:08

BCP Guide

http://www.bcprm.com/continuity/bcm/htmlhelp/BCPguide.htm

Regular testing is key to a successful Plan... ON-GOING MAINTENANCE Revision Control (Change Control) Now that the Plan is developed and tested, the real important work begins and this is a never-ending journey. Most organizations and especially computer operations have poor change control procedures. Why, because it is not enforced. Unless the Plan receives adequate maintenance, you should have not spent the time and effort in its development. Today, with the emphasis on business process re-engineering and the fast pace of IT development proper maintenance procedures are a must. Use the Revision Control menu to record your Plan changes. If your organization has frequent changes to personnel and Plan contents, you should conduct Revision/Change Control meetings monthly to ensure the Plan is current. If you are a fairly stable organization, you should conduct these meetings quarterly. Issue the Revision Control form to all members prior to the meeting or allow users to submit Change Request in recoverEASE. Review Change Request at the meeting. Approve or Reject the change and enter the Effective Date if approved. Make sure you issue the changes prior to the Effective Date to all Plan holders. Tips For each chapter or appendix that changes, "Add" a new record You must have Administrator permission to set fields in the Approval / Status section. Note: If you have a critical change that drastically affects the Plan, change it immediately - don't wait until the Revision/Change control meeting... Global Change Facilities - The Global Change facilities available under Maintenance in the Administrator menu will allow the Administrator to change multiple records in corresponding database tables to accommodate organizational changes, such as, renaming or relocation of departments and the replacement of Owners, Primary & Alternate Recovery responsibilities for Business Functions and Technology Items. Global changes cant be undone, but may be reversed by submitting a new global change. This is extremely useful when individuals leave the company or transfer to another department. Changing or Renaming Departments: Ensure the Location and Department exists in the Administrator Set-up menus. Changing Owners, Primary & Alternate Recovery Responsibilities: Ensure the User exists in the Administrator Set-up - Create User IDs menus. You will need to make global changes in the follow menus. Business Functions Technology Items

Note: Global Changes are automatically updated in the Plan Documentation when the ES J. Change History report is generated. Periodic Reviews - In conjunction with Revision/Change Control meetings, have each department complete the Periodic Review menu. Periodic Plan reviews are a must to ensure the Plan is up-to-date and remains viable. If your organization has a high turnover in staff or reorganizations, this should be done quarterly. Otherwise, a bi-annual review will suffice. If you have changes that have an immediate or sever impact on the Plan, submit a Change Requests without delay. Each Department Team Leader or Alternate is required to review the following and 'Confirm' the review when requested by the Recovery Manager or Coordinator. The Administrator will be responsible for reviewing the overall Plan Contents. Department Review Categories Business Functions Technology Items Recovery Steps Department Members Confirmation Form

24 de 36

21/9/2011 17:08

BCP Guide

http://www.bcprm.com/continuity/bcm/htmlhelp/BCPguide.htm

For confirmation, simply select your Department and update the Review Date, Type of review, Action Taken and SAVE. Plan Auditing - recoverEASE includes a Plan Audit Guide & Checklist in the Plan Tests & Audit main panel for you to conduct an annual audit of the Plan.

INCIDENT MANAGEMENT A. Overview

Edit the generic Incident Management chapter in the Executive Section and identify the BCM Management Team in the Internal Call List menu to meet your organizational requirements. Once you have completed the Incident Management chapter, it will provide the direction to ensure all incidents are managed properly and professionally. Processes A. B. C. D. E. F. Incident Identification & Reporting Emergency Response Escalation Process Damage Assessment Media Relations Internal/External Notification

Incident Management Menus (review the instructions in each menu) Command Centers - identifies command center locations, contact info and inventory Incident Reporting - allows for gathering important incident information to use with your escalation and damage assessment procedures. Command Center Operations - For managing Command Center activities including Call Tree and status reporting Damage Assessment - For conducting the Damage Assessment. Emergency Services - For pre-building Emergency Services contact info for quick reference.

BCM Management Team The following is the recommended structure for the BCM Management Team. Don't assign the same person to multiple roles. There should be an individual responsible for each role, as most of the required activities will be concurrent. The Crisis Management Team is comprised of management members responsible for conducting the Damage Assessment, Emergency Response and decision on implementation of the Continuity Plan. It is the responsibility of senior management, the Damage Assessment Team Leader and Recovery Manager to ensure personnel receive adequate training. Training is achieved through regular Continuity Plan testing and simulations. The roles and responsibilities of the Crisis Management Team are listed below. Note: The majority of the BCM Management Team members are members of the Damage Assessment Team.

Sample Team Structure

25 de 36

21/9/2011 17:08

BCP Guide

http://www.bcprm.com/continuity/bcm/htmlhelp/BCPguide.htm

Damage Assessment Team Roles & Responsibilities


Management Team Disaster Declarers Assessment Leader Assessment Members Corporate Affairs Operations Property Administration Human Resources Recovery Management BCM (Recovery) Manager BCM (Recovery) Coordinator Evacuation Team

Recovery Team

Authority to declare a disaster and invoke the BCP Responsible for Incident Reporting, Damage Assessment, Command Center Activation and recommendation on whether to declare a disaster or not Responsible for assessing the impact and duration of the disaster/disruption to their specific functional areas Responsible for media management and preparing press statements for senior management related to the disaster/disruption Assesses the operational effectiveness when a disruption or disaster occurs; Ownership of the BCM program Responsibility for the repair / relocation of the damaged facilities Provides logistics/transportation assistance Assist the Damage Assessment Team with the relocation of affected staff based on the length and severity of the disaster Responsible for the companys BCM Acts as backup to the BCM Manager, maintains the Business Continuity Plan (change control, testing & distribution) Responsible for emergency evacuation, assembly at designated area and head count; Consists of Team Leader and Floor Marshals (This should already be in place for Occupational Safety & Health compliance) Department Managers to determine salvageable items Responsible for supplies & transportation to recovery site Overall responsibility for their Department BCM Responsible for maintaining and testing the Business Functions and support systems related to their Departments recovery capability Acts as backup to the Team Leader Perform assigned recovery tasks

Salvage Team Logistics / Transportation Department Managers Team Leaders Alternate Team Leaders Team Members

Department Team (Each Department)

Note: After an incident resulting in physical property damage occurs, a proper and thorough site/damage assessment must be performed, not only to determine the extent of the damage, potential recovery time frames and costs but, to ensure the safety and health for personnel entering into the damaged environment. In many cases, a thorough site or damage assessment is not immediately possible after the fire has been put out, the water contained, or the environment stabilized. Access to and assessment of the facility and its contents may be delayed due to the possible loss of structural integrity, necessary forensic investigation, or existing and potential toxic contamination. For more information, see Salvage and Restoration Tips.

B.

Incident Reporting

Any abnormality that affects the normal operations or administration of the organization will be considered an incident. An incident will be identified as either life threatening or non-life threatening. All incidents must be reported. a) b) If life is at immediate risk, raise the alarm and evacuate all affected If life is not at immediate risk, escalate the situation to supervisors or superiors until the incident is reported to the Recovery Manager or Coordinator.

26 de 36

21/9/2011 17:08

BCP Guide

http://www.bcprm.com/continuity/bcm/htmlhelp/BCPguide.htm

Incident Reporting - Although any user with Read/Write privileges can complete the Incident Report menu, this should be limited to the Recovery Manager and Recovery Coordinator. This is to conduct an initial assessment of the situation to determine if the situation warrants an Emergency Response or assembly of the Damage Assessment Team. It may be that some incidents are rectified on the spot. Tip - As a general rule, if any areas in the Step 2 - Questionnaire (Initial Assessment) are affected, check the appropriate box(s) and escalate to the Damage Assessment Team for a further determination. If escalation is required, contact the Damage Assessment Team. Select the name of the person you escalated the report to. Field Descriptions Step 1 - Details Incident Date- Date of the Incident Incident Time - Time of the Incident Reported By - Person reporting the incident Incident Location Select the affected location Incident Type - Select the incident/disaster type Coverage - Select the coverage of the incident/disaster Life Threatening Select Yes or No Were Emergency Services Contacted - Select Yes or No; If Emergency Services were contacted (for example - if there was a fire, someone needs to call the Fire Department. Ask the caller if they called - otherwise - you call or inform the caller to call.) Description - Provide details of the incident/disaster (what, how, etc.)

Step 2 - Initial Assessment of Areas Affected Facilities Checkbox Operations Checkbox Technology Checkbox Personnel Checkbox Financial Checkbox Administration Checkbox Image / Reputation Checkbox

27 de 36

21/9/2011 17:08

BCP Guide

http://www.bcprm.com/continuity/bcm/htmlhelp/BCPguide.htm

Legal Issues Checkbox Compliance Checkbox Customers Checkbox Service Levels Checkbox Environmental Checkbox

Step 3 Decision Escalate To Damage Assessment Team - Determine if escalation is required (see Tips above) Escalated To - Select who in the Damage Assessment Team the call was escalated to Completed By - This field is set automatically by your user name

C.

Emergency Response

The following will serve as the Emergency Response guidelines. Periodic drills are conducted to ensure employees understand their roles and responsibilities. The Evacuation Team consists of Floor Marshals, which are assigned to each floor to ensure a safe evacuation. Floor Marshals - Roles & Responsibilities 1. 2. 3. 4. 5. 6. 7. 8. 9. 10. 11. 12. 13. 14. Ultimate responsibility for evacuating staff Regularly assess, identify and report safety and occupational health hazards in the representative's area (floor) Develop a plan to mitigate safety and occupational health hazards within the representative's area of responsibility To review and report circumstances surrounding work injuries, work caused illnesses and dangerous events Understand how to raise the alarm and call the appropriate authorities Post the Floor Plans to your floor and building with the evacuation routes at appropriate locations. Ideal locations are near stairwells and on the safety bulletin board Manage the emergency evacuation within the representative's area of responsibility Keep an accurate, up-to-date list of the staff in your area of responsibility Manage the Head Count for your area of responsibility Possess basic first-aid skills Ensure staff understand how to evacuate Ensure maintenance of safety equipment in your area of responsibility Participate in regular testing of evacuation procedures Ensure any special needs for the disabled (hearing impaired, sight impaired, mobility challenged, etc.) are addressed Consider how the evacuation can be accomplished in the absence of electric power or intercom capabilities Be cool headed and calm in an emergency

D.

Evacuation & Escalation

Evacuation 1. In the event of an emergency that requires evacuation of the building (such as a fire, significant toxic gas release, bomb threat, explosion, etc.), first: Rescue: Try to rescue any personnel in immediate danger if it does not put you in imminent danger. Alarm: Pull the building fire alarm or call 911. All of the fire alarm pull stations are labeled. If you talk with a 911 operator, state your name, address, and nature of the problem. Speak slowly and clearly. Wait for the dispatcher to hang up. Confine: Before you evacuate your area, if it does not put you in jeopardy, quickly walk through your local area to check to see that everyone has left the building. Close all doors, windows and other openings that would aid in the spread of fire or toxic fumes Evacuate: Evacuate the building If the situation warrants, notify all affected areas to evacuate immediately

2.

28 de 36

21/9/2011 17:08

BCP Guide

http://www.bcprm.com/continuity/bcm/htmlhelp/BCPguide.htm

3.

When evacuating the building, leave by the nearest staircase. Floor Plans should be posted at various areas around the building for route of quickest escape. 4. Immediately go to a designated Assembly Area for a head count. Quickly identify any individuals whom you suspect might still be in the building and alert fire/police personnel. 5. Disabled Occupants - If a disabled occupant is unable to exit the building unassisted, the Floor Marshal must immediately notify the fire/police personnel of the person's location. Employee Assembly 1. Identify designated areas for employee assembly in order to ensure that all employees can be accounted for following evacuation 2. Safety considerations for the gathering areas should anticipate the potential for having to evacuate the facility grounds following an incident involving either an on-site or off-site hazardous material incident 3. Each gathering area should have Assembly Point Leader(s) and Head Count Leader(s) whose responsibility is to account for all employees in the designated area (part of OSHA compliance) Notification of Emergency Services 1. Designated individuals assigned to call the local Fire, Police and Emergency Medical Staff Note: You can build the Emergency Services contact information in the Emergency Services menu under the Crisis Management topic in recoverEASE. Escalation & Command Center Set-up An incident or disaster affecting the company will most probably first be discovered by a staff member or security personnel. Staff or security (after hours) will report any incidents to their immediate supervisor for further determination. If the situation is life threatening, all employees are empowered to raise the alarm immediately without further escalation. For non-life threatening incidents, they will be reported up the chain of command until it reaches the Recovery Manager or Damage Assessment Team for a determination on further action. Once the incident has been reported and the Recovery Manager or Damage Assessment Team determines that a formal Damage Assessment is warranted, the Damage Assessment Team will convene at the identified Crisis Management Command Center to begin the assessment. There are two locations identified and available to the Team (one location at the company premises and one location at our recovery site). If the location at the company premises is affected by the incident/disaster, then the Team will convene at the alternate location and begin the assessment process. The Damage Assessment Team List will be used to assemble the Team. The Damage Assessment Team Leader will also act as the Command Center Manager. Command Center locations and inventories are maintained in Appendix H.

E.

Damage Assessment

Note: After an incident resulting in physical property damage occurs, a proper and thorough site/damage assessment must be performed, not only to determine the extent of the damage, potential recovery time frames and costs but, to ensure the safety and health for personnel entering into the damaged environment. In many cases, a thorough site or damage assessment is not immediately possible after the fire, for example, has been put out, the water contained, or

29 de 36

21/9/2011 17:08

BCP Guide

http://www.bcprm.com/continuity/bcm/htmlhelp/BCPguide.htm

the environment stabilized. Access to and assessment of the facility and its contents may be delayed due to the possible loss of structural integrity, necessary forensic investigation, or existing and potential toxic contamination. The Damage Assessment will evaluate the key areas of the organization and prepare a recommendation on whether to implement the Continuity Plan or not. The Assessment is presented to senior management for the final decision. If the decision is made to declare a disaster, the Continuity Plan is implemented based on Chapter 5 Plan Activation in the Executive Section of the Continuity Plan. Concurrently with Plan Activation, the activities to repair the damage as outlined in Chapter 8 - Home Site Restoration will be implemented. An incident or disaster may impact any or all areas of the company. With this in mind, the company has divided the assessment into 5 key areas. The Damage Assessment will evaluate these key areas and prepare a recommendation on whether to declare a disaster. Key Areas 1. Facilities - the physical structure & location 2. Technology - information and communications 3. Operations - product delivery, business continuity 4. Personnel - employees safety and well-being 5. Financial financial implications 6. Administration implications on administration 7. Image / Reputation corporate impact 8. Compliance affects on compliance 9. Legal Issues legal implications 10. Customers how affected 11. Service Levels how affected and to what extent 12. Environment impact on the environment Damage Assessment Contents The following represent the Damage Assessment contents. All areas must be evaluated and reported when an Assessment is warranted. It may be that a particular area is not affected, in such cases, this should be indicated and the assessment considered complete for that area. Affected areas require a complete assessment (meaning all fields are required). Assessment Start Date: Expected Duration of Incident: Estimated Asset Loss: Estimated Non Asset Loss: Assessment Details 1. Facilities Evaluation Areas Affected: Details: 2. Technology Evaluation Components Affected: Details: 3. Operations Evaluation Functions Affected: Details: 4. Personnel Evaluation # Staff Affected: Details:

30 de 36

21/9/2011 17:08

BCP Guide

http://www.bcprm.com/continuity/bcm/htmlhelp/BCPguide.htm

5. Financials Evaluation How Affected: Details: 6. Administration Evaluation How Affected: Details: 7. Image / Reputation Evaluation How Affected: Details: 8. Legal Issues Evaluation How Affected: Details: 9. Compliance Evaluation How Affected: Details: 10. Customers Evaluation How Affected: Details: 11. Service Levels Evaluation How Affected: Details: 12. Environment Evaluation How Affected: Details: Status Recommend Declare Disaster (Yes/No) Justification: Recommend Time: Recommended By: Was a Disaster Declared (Yes/No) Disaster Declared By: Date/Time Declared:

F.

Media Relations

The organization must be prepared to deal with the media during an emergency. Otherwise, the organization risk losing its reputation, customers and/or share value. Don't deny or cover-up. Reporters are excellent snoopers and will eventually uncover the truth. It's far better to be up front and proactive. Admit the incident openly and explain that any unfortunate or unforeseen events have been anticipated and are covered in your Continuity Plans. The first rule for spokespeople is NEVER LIE. Lies always are discovered and the price to be paid for the fabrication will be dear. An organization must "speak with one voice" even if there actually are several "voices." Everyone - personnel, media, lenders and clients - need to understand that the only information they can depend upon comes from an "authorized spokesperson." Rumors are one of an organization's worst enemies. A good communications plan includes "fill-in-the-blanks" scripts for the most common events and for serious incidents. The scripts should include anticipated questions or be very clear that questions will not be entertained by the spokespeople. Scripts should be developed as part of the organization's response plans and be vetted by Legal.

31 de 36

21/9/2011 17:08

BCP Guide

http://www.bcprm.com/continuity/bcm/htmlhelp/BCPguide.htm

It is advisable to have line managers review the scripts to assure they are technically accurate. If pressed for information beyond the script, the spokespeople must hold firm. They may tell the interrogator they will check and get back to the person, but a time should be set for the next meeting. As with all deadlines, if it looks like a deadline will be missed, tell everyone before the deadline and set a new deadline, which will be met "no matter what."

Sample Press Statements During Disaster - COMPANY is currently experiencing temporary disruptions to the main computer system due to (fill in the crisis - power failure, fire, communications outage, etc.) and wish to advise the public and customers that we have implemented our Continuity Plans. Fortunately, COMPANY was prudent enough to develop & test our Continuity Plans for such an occasion. Our personnel are well trained for this type of event and we will continue to serve the public / customers. However, some transactions may take a few minutes longer than normal. COMPANY apologizes for any inconvenience caused. We expect the disruption to last for XX hours and will notify the public/customers when the contingency period is over. All inquiries can be directed to the following telephone numbers during the contingency period - XXX-XXXX. After Disaster - COMPANY wishes to inform the public/customers that the XXXXXXXXX problem affecting the main computer system has been rectified and its business as usual at all locations. Our Continuity Plans during this period were effective and all transactions were completed successfully. We apologize for any inconvenience to the public/customer and thank you for your cooperation.

G.

Notification

In addition to dealing with the media, you will need to communicate with board of directors, stakeholders, employees, suppliers, customers, branch operations and regulatory bodies. The specific groups and/or organizations should be identified below and the individuals responsible for the communications identified. Although, board members and stakeholders contact numbers are normally treated with confidentiality, someone must be appointed to maintain the list and ensure they are informed of the situation. Note: You can build the Internal Notification contact information in the Internal Call List menu and the External Notification contact information in the External Call List menu under the Appendices in the Continuity Development module. Internal Notification Responsibilities Designated individuals assigned to notify the staff, users and branches;

Salvage and Restoration Tips It is difficult for organizations to execute their BCP when they have no idea how severe the damage is, or how long it will be before they can have access to the environment which houses their core business operations, their vital records, critical work in progress, and production capabilities. After an incident resulting in physical property damage occurs, a proper and thorough site/damage assessment must be performed, not only to determine the extent of the damage, potential recovery time frames and costs but, to ensure the safety and health for personnel entering into the damaged environment. In many cases, a thorough site or damage assessment is not immediately possible after the fire has been put out, the water contained, or the environment stabilized. Access to and assessment of the facility and its contents may be delayed due to the possible loss of structural integrity, necessary forensic investigation, or existing and potential toxic contamination. In losses such as fire, flooding, and earthquake, companies, who position and actually incorporate delayed access scenarios into their recovery plans, will be among the first to recover. Pre-loss communication with the municipal authorities in your city, such as the Fire Department, or local emergency management office is an excellent recovery strategy. Notifying them in advance, as to what areas of your building are crucial to your business recovery processes, can help them work with you in the early stages of responding to the loss. Pre-qualify credentialed emergency resources who will possibly be allowed to enter the facility(s), (depending upon the severity of the loss), under special municipal escort to obtain at least a partial damage assessment of the critical floors and departments. These resources could be drawn from your pre-determined general contractor, restoration specialist or recovery management resource with whom

32 de 36

21/9/2011 17:08

BCP Guide

http://www.bcprm.com/continuity/bcm/htmlhelp/BCPguide.htm

you have a pre-established agreement or contract, thereby allowing them to respond immediately to your needs. Pre-Loss Response Contracts As you compile your listing of critical recovery resources, you may want to discuss with them any potential agreements or contracts regarding their response to your emergency needs. It is important that these agreements are set up in advance so that all the necessary legal, financial, and in some cases, insurance approvals are in place if and when a loss does occur. It is also important to have documented evidence from them that they have their own business recovery and continuity of operations plan in place so that their own disaster will not prevent them from responding to your needs. It is important to understand that the insurance company will require as much documentation as possible regarding the circumstances, evidence and property damage relating to the loss. Your pre-determined resources should have a good working relationship with your insurance carrier to ensure that the loss mitigation procedures employed are acceptable and regarded as cost-effective. In many cases, the insurance adjuster cannot get to the loss scene immediately, and has to rely on the integrity and performance of the emergency restoration organization. It is also helpful to have discussions with your insurance carrier and broker as to what their philosophy and policies are with regard to emergency mitigation measures. Emergency Mitigation Measures Once the affected site is approved for entry and the site/damage assessment begins, emergency mitigation measures should also be put in place - within the first 24 - 48 hours if possible - to help reduce or control the damage. Emergency restoration procedures, such as removal of standing water, facility dehumidification, corrosion control and smoke removal are crucial loss recovery factors in reducing damage to critical components of the facility. These include the mechanical and electrical controls, as well as contents including telecommunication, electronic data processing and manufacturing equipment, vital records, raw stock and finished products. Electronics, as well as finished products, should always be carefully examined and, if necessary, tested by experienced technicians to make sure they still meet the manufacturers original operating and performance specifications, as well as general cosmetic appearance. For example, if electronic equipment has suffered thermal damage, as evidenced by melted plastic components, or been exposed to heat far beyond the manufacturers recommendations, it normally cannot be restored and re-certified. However, if equipment has been exposed to just smoke from the fire for a relatively short time, there may be very little damage, except for the corrosive components of the particulate. If this equipment remains in a moist, humid environment, severe corrosion can occur within 48 - 72 hours. Ideally, you would be able to clean all of the equipment at the same time, and remove the contaminants, but factors such as the volume of equipment, decisions on restoration Vs replacement, insurance coverage issues and re-certification requirements can delay the complete cleaning process. The proper testing, performed by your pre-qualified specialists, must be done as quickly as possible to determine the quantitative, as well as the qualitative corrosivity. Emergency mitigation procedures, such as the removal of surface contamination and application of corrosion inhibitors, which can buy you the time you need to make the necessary replace or restore decisions, should be considered. Structural Damage Assessment It is imperative that a thorough investigation of the structure be performed, as quickly as possible by a licensed structural engineer. Many of the buildings affected by water infiltration have been exposed by this situation to loading conditions that they have never seen before and possibly were not designed to withstand. After the water is pumped out, all structural walls, beams, and columns should be investigated to determine if water-related forces have adversely affected the structural capacity and serviceability of building elements. When existing conditions have been evaluated, the structural engineer should design repairs to provide immediate intervention for stabilization as needed, and to provide long-term measures to address distress conditions. Structural intervention must be coordinated with measures to address architectural, mechanical, electrical, and environmental concerns in areas affected by water. After a fire, structural conditions to look for include: distortions in structural columns, beams and slabs; fracturing of connections, spalling of concrete members and cracking of concrete members. If these conditions exist extensively, then material tests should be performed to determine if the strength of the structural materials have been affected by the fire.

33 de 36

21/9/2011 17:08

BCP Guide

http://www.bcprm.com/continuity/bcm/htmlhelp/BCPguide.htm

Surveys of columns and beams should be performed to determine the extent of their distortions and to evaluate the affect of the distortion on the load carrying capacity of the structural members. It is obvious that you will want to include a qualified structural or professional engineer on your emergency response damage assessment team so that you can have accurate information as quickly as possible to begin the repair, restoration or replacement. If your organization does not own the affected facility your business is housed in, you will want to make sure the building owner or their representative has addressed this requirement in their disaster recovery or business/service continuity plan. Hazardous Material Contamination Depending on the type and level of non-routine contamination found or suspected at the facility(s), such as PCBs, asbestos, lead, cadmium, mercury, etc., or any combination of the combustibles and reactives consumed in the fire, explosion or loss scenario, OSHA requires not only special protective clothing and equipment, but special training and certifications in order for an individual to be able to even enter the building. To safeguard against potential hazards, it is important that your internal or external certified industrial hygienist test for any health, safety and environmental concerns that may exist. Once an in-depth site assessment is performed, samples taken and analyzed, the proper cleaning and decontamination protocols can be identified and performed by your pre-qualified hazardous material decontamination specialists. Pre-determined specialists should include, at a minimum, a certified industrial hygienist, occupational physician, toxicologist, microbiologist, geologist, remediation and bio-remediation specialists and OSHA certified hazardous materials technicians. It may also be necessary, depending upon what was in the facility, to identify those items that would require lab packing, which is the containerization and removal of like hazard classes of materials, such as all flammable liquids and all corrosives -- and then have that process performed. Profiling and disposal in compliance with local, state, and federal regulations will then be necessary, as will the determination that the facility(s) has been returned to the proper criteria of clean by the local or state officials. Evidence or suspicion of hazardous contamination at your site will normally necessitate a more detailed assessment, and the decontamination protocols and timeframe to make your facility tenable again can be lengthy and costly. Therefore, you must anticipate this possibility when identifying your recovery scenarios in your recovery and continuity plans. Fire Damage Assessment In addition to determining structural integrity and hazardous material(s) contamination, it is also important to determine if any routine contamination resulting from the cause of the loss exists, such as the by-products of a fire. In the event of fire, heat and soot are generated and areas of the building you assume may be unaffected directly from the fire can still suffer damage. The initial damage assessment should always address both indirect as well as direct fire-damage areas. Contamination, such as fire combustion by-products, may lie hidden behind the obvious physical damage to the structure. These by-products are locked into the soot, which condenses on all cool surfaces. Poly Vinyl Chloride (PVC) plastic, for example, when heated, generates hydrogen chloride gas. This gas, combined with water, forms hydrochloric acid, a very corrosive chemical. Other building materials can form sulfates and nitrates. A common cushion material, polyurethane foam, yields hydrogen cyanide when burned. Even fire-extinguishing chemicals can generate such by-products as hydrochloric acid, hydrofluoric acid and hydrogen bromide. Since each fire leaves its own unique chemical fingerprint in the soot, the chemical components are determined by what burned, in what quantities, and under what conditions. W ater - Residual Chemical Damage Water associated with floods or fire suppression can carry contaminants also. Inorganic salts from building materials and atmospheric particulate matter can be deposited on exposed circuit boards. Also chilled-water systems often contain glycol, which can adversely affect certain types of paper and magnetic media. The water's ionic content, acidity, suspended solids, and organic content should always be analyzed. Silt and other residue may contain contaminants such as bacteria, heavy metals, pesticides, PCBs, and hydrocarbons, etc., and submitted to a qualified laboratory for analysis. In some cases, metals, including lead, chrome, cadmium,

34 de 36

21/9/2011 17:08

BCP Guide

http://www.bcprm.com/continuity/bcm/htmlhelp/BCPguide.htm

barium, and traces of mercury were found. Based upon tests and analysis results, the proper cleaning protocols must be employed. Another site assessment consideration at the affected buildings, and which can often occur, are the potential presence, and loss of maintenance chemicals, oils, paints, solvents, housekeeping chemicals and pesticides, etc., which could have been released into the flood waters. When these and other unknown chemicals are found in various locations, such as, in these sub-basements, specific procedures have to be followed. They involved taking a complete physical inventory of each container. Simultaneously, product segregation, according to Department of Transportation (DOT) Hazard Class specifications, must be performed by certified, trained, hazardous material technicians. Mold and Mildew In addition, where you have had standing water, or moist, humid conditions in a facility for more than 24 - 48 hours, you must be concerned about the development and growth of mold and mildew spores. This affects not only the structure, HVAC systems and critical contents such as documents and magnetic media, but can produce sick building syndrome as well. Highly elevated humidity and temperature levels, for example, over 50% relative humidity and over 75 degrees F, in moist humid conditions can produce an environment conducive to mold and mildew growth. Mold growth will typically be visual around baseboards, on ceiling tiles, light fixtures, supply registers, upholstery and porous surfaces such as paper documents. A wipe sample will provide you with evidence of CFU's (colony forming units). Samples, taken from different areas and contents in the facility, should be sent to a qualified laboratory, specializing in health and environmental issues. Their analysis will tell you the type and volume of mold spores growing. Active growth can be killed by using special EPA recognized biocides. Dormant spores are more difficult to deal with because when the humidity and temperature levels in the facility return to normal ranges, e.g. 50% relative humidity and 75 degrees F ambient temperature, active growth will become dormant. In moist, humid conditions, when the temperature and humidity levels rise again, the dormant spores can again become active. There are varied approaches of source removal for dormant spores." A proper and thorough damage assessment, performed by a Certified Industrial Hygienist and decontamination of the HVAC systems is critical in ensuring that the building will be returned to the proper criteria of clean for re-occupancy. With today's technology, there is hardly ever a need to replace the ductwork. Rather you can apply the proper EPA recognized biocide through various fogging and cleaning applications. In compliance with your local and state regulations, follow up clearance sampling is necessary as the final step in returning the facility to a safe and healthful condition. Vital Records Recovery Although you may have excellent disaster avoidance and loss control programs in place, in the event of fire or water damage, vital records can become a total loss very quickly. Understanding and implementing the emergency mitigation procedures for records, recovery will allow for a more successful restoration. Different types of documents, photographs and vellum items, as well as magnetic media, need immediate and extra-special care. In dealing with paper in moist, humid conditions, you have about 48 hours before damage-inducing mold and mildew begin to grow. In any weather, mold will appear within 48 hours in unventilated areas made warm and humid by recent fire in adjacent parts of the building. Every effort should be made to reduce high temperatures and vent the areas as soon as the water has receded or been pumped out. Water-soaked materials must be kept as cool as possibly by good air circulation until they can be stabilized. As long as books are tightly shelved, mold will develop only on the outer edges of the bindings. Thus, no attempt should be made in these conditions to separate books and fan them open. Archival files, packed closely together on shelves in cardboard boxes, or in metal fire cabinets, are the least affected. As a general rule, damp books, located in warm and humid areas, without ventilation, will be subject to rapid mold growth. Archival files, which have not been disturbed, will not be attacked so quickly by mold. As they begin to dry after removal from the water, however, both the bindings and the edges of books will be quickly attacked by mold, especially when in warm, unventilated areas. A different problem exists for books printed on coated stock, since, if allowed to dry in this condition the leaves will permanently fuse together. Coated papers must not be permitted to begin drying until each volume can be dealt with

35 de 36

21/9/2011 17:08

BCP Guide

http://www.bcprm.com/continuity/bcm/htmlhelp/BCPguide.htm

under carefully controlled conditions." A blast freezing or cold storage resource is also vital to your plan. Having a freezer trailer at the damage site, equipped with a diesel-powered refrigeration system, capable of 0F, is recommended. In many cases, immediate damage assessment or restoration is not possible. Freezing and storing documents can buy you time to finalize arrangements for proper recovery procedures. Although freezing itself is not a drying method - and does not kill mold - if definitely controls its growth if done properly. Certain procedures must be completed prior to freezing to avoid additional damage. These procedures may include washing away accumulated mud, sewage, and dirt. In addition, when removing wet documents from file cabinets or shelving, do not attempt to pull them apart while wet. Remove all documents in blocks, if possible, so you do not increase deterioration. Boxes should be labeled as precisely as possible. A master inventory should always be created, and bar-coding systems can be helpful in tracking the items as they move from one location and process to another. Equally important are the special health and safety, cleaning and handling protocols, which must be established before restoration begins. These protocols are based on the type of damage and debris affecting the documents and media, as well as their surrounding environment. During flooding, for example, sewage backup normally occurs. The typhoid bacteria can be present in sewage and therefore your qualified resources will need to institute the proper health and safety procedures. As you pre-plan for vital records recovery, just as you pre-qualify all other resources, research the track record of your vendors who will be retrieving, possibly relocating, and restoring your information and critical media. Document how the media will be transported to and stored in the freeze-drying chambers or off-site cleaning and storage location. Determine in advance not only the recovery costs but, the accessibility you will or will not have to your records while they are off-site. A well-designed and maintained site and damage assessment plan that includes pre-loss site safety audits, along with disaster avoidance, mitigation and good loss control and waste management practices should be an integral part of an organizations business and service continuity planning effort.

36 de 36

21/9/2011 17:08