
Business Continuity Checklists

An ancient philosopher once said, "The reason for failure is unwillingness, the pretended
reason is inability". If your business or your family is called before its audit committee to
review your Continuity and Resiliency Plans, would your Plans pass the Preparedness
test?

The 7 Questions of Business Preparedness are a good start for reviewing your Business
Continuity Plan. The following checklists can help you measure the completeness of vital
components of your Business Continuity Planning Program and its associated
documentation.

Please review each checklist and email us any suggestions or comments you may have.

• Policy Statement - Minimum Policy components and a Sample BCP Policy
• Policy Integration - Lists how to integrate and enforce the BCP Policy
• Plan Resiliency - Provides steps to ensure Plan flexibility
• Plan Validation - Defines and measures the validation and exercise program
• Service Level Agreements - Minimum components of an SLA
• Plan Completeness - Overall Plan metrics from Plan initiation to validation
• Individual Preparedness - Planning to ensure your staff's availability
• Public Authority Coordination - Support and awareness with public authorities

Let us know what other checklists would be helpful and how you have implemented and
validated your Business Continuity Planning program.
7 Questions of Company Preparedness
1. Is your business impact tolerant?
2. Have you mitigated points of failure?
3. Are you and your staff prepared for Business interruptions?
4. Is your Contingency Plan documented and approved?
5. Have you reviewed your Plan with staff, suppliers and customers?
6. Is your Plan current and regularly tested?
7. Does your Plan insure timely resumption of critical business functions?

1. Is your business impact tolerant?

If you can accept the results of an impact on your business then you are tolerant of that
impact. To reach a point of impact tolerance you must prepare by evaluating your risks,
assessing their probability of occurring, analyzing your business processes, implementing
contingency plans, communicating and exercising these plans and keeping the plans
current. The difference between impact tolerance and disaster is your preparedness.

2. Have you mitigated points of failure?

As you evaluate your business processes, you must evaluate each process, in detail, to
identify possible points of failure. To insure an acceptable level of continuity for your
business, a decision must be made on plans and procedures to be implemented and put in
place, to minimize or eliminate a process failure. If contingency procedures are in place
they should be re-evaluated and tested regularly. Do not assume you are ready. Plan
ahead and include contingency planning procedures in your change control process. Your
pre-event contingency planning and preparedness validation will determine how little
your business and customers are impacted when a failure occurs.

3. Are you and your staff prepared for Business interruptions?

The Business Planning Process does not end with an implemented and documented Plan.
The Plan must be kept current, tested regularly and communicated to all those affected.
The communication of expectations, approved and documented in your Plan, should
define the Roles and Responsibilities of all participants when the Plan is activated and
deactivated. The time to prepare is before an interruption occurs.

4. Is your Contingency Plan documented and approved?

Do not assume everyone knows "what to do" when a potentially disastrous event occurs.
The actions to be taken to insure that business continues after a disaster should be
discussed, approved by management and documented for review. Documentation of the
Plan provides a clear reference platform for staff, suppliers and customers.

5. Have you reviewed your Plan with staff, suppliers and customers?

The actions to be taken, defined in your Contingency Plans, identify the impact a
potentially disastrous event may have on your business, staff, suppliers and customers.
Reviewing appropriate portions of your Plan with each group will allow you to insure
acceptability and clarify expectations. It should be noted that all required components of
recovery should be included in your Plan (workplace, technology and tools, staff, support,
communications, etc.).

6. Is your Plan current and regularly tested?

If your Contingency Plan doesn't reflect the current business processes, levels of risk
tolerance, mitigation procedures, recovery processes, team member roles and
responsibilities, notification lists and other critical components for a successful and
cost-effective recovery and mitigation of disaster, then your Plan is not current. If you have
not verified, by testing, that the steps documented in the Plan will work as specified and
expected and in the timeframe required, then you cannot be assured that you will meet
business and customer expectations. Regular testing of major portions of your plan
should occur annually. If significant changes occur in your business or in a significant
process, another Impact Analysis should be completed and the required Plan changes
implemented, documented and tested to insure they meet expectations. Testing should
validate the recovery procedure and the minimum time to recover.

7. Does your Plan insure timely resumption of critical business functions?

The time between a failure and your recovery back to an acceptable level of
business can determine whether you will still be in business when you have completed
your recovery. Many businesses have learned, too late, that customers move to other
suppliers when services or products cannot be received as expected. You should include a
proof-of-concept step in any remote site recovery agreement or Service Level Agreement
(SLA), as well as in your plan validation, to insure your Plan will satisfy your recovery
time objectives and recovery expectations. You can best minimize the impact to your
business by preparing your Contingency Plan and communicating with your customers
before, during and after their expectations are impacted.

Policy Statement Checklist
The best foundation for a complete Business Continuity Program is the definition,
approval, communication and integration of an organization-wide Business Continuity
Policy. The following Policy components will help to insure that strong foundation:

• The opening Introduction or Overview statement section defines the purpose of
the policy.
• The Policy statement section defines the goals, metrics and responsibilities
required to meet policy compliance. A statement of non-compliance penalty
should also be included.
• The Policy Leadership statement section defines the executive management
officer responsible for oversight, implementation and compliance assurance of the
policy.
• The Policy Compliance Certification statement section defines the details to meet
policy compliance certification. This may be a reference to a detailed document or
source.
• The Policy Compliance Certification support statement section defines those who
can assist with meeting policy compliance requirements.

According to the "Interagency Paper on Sound Practices to Strengthen the Resilience of
the U.S. Financial System" report, decisions about overall BCP objectives should not be
left to the discretion of individual business units. An organization-wide Policy should
govern.

We would appreciate any comments you may have on Policy statements for a Business
Continuity Planning program. Let us know your Policy, how you communicate the Policy
and insure its compliance, and if we can publish your comments on our website.
Policy Sample
Introduction
[Company] is committed to its customers, employees, shareholders and suppliers. To
insure the effective availability of essential products and services, [Company] provides
this Business Continuity Planning policy in support of a comprehensive program for
business continuity, disaster prevention and total business recovery.

Policy
Each department is responsible for current and comprehensive Business Continuity
Planning (BCP). When implemented, the Plan should include those procedures and
support agreements, which insure on-time availability and delivery of required products
and services. Each Plan must be certified annually with the BCP policy compliance
process through the BCP team.

Policy Leadership
[Executive] is the BCP executive management liaison for the BCP program. Resolution
of issues in the development of or support for all Plans should first be coordinated with
the BCP team and appropriate internal or external organizations. The "Business
Continuity Planning - Policy Compliance Certification" documentation defines the issue
resolution process.

Policy Compliance Certification
BCP compliance verification is provided by the BCP team. In order to meet compliance
requirements, each Plan should include those appropriate procedures, staffing, tools and
workplace planning requirements necessary to meet approved deliverable requirements.
In order to support the Enterprise BCP Plan the format of the BCP documentation must
follow the BCP team defined Plan template requirements. Detailed compliance
certification requirements are provided through the BCP team and included in the
"Business Continuity Planning - Policy Compliance Certification" document located at
[link to network location].

BCP Plan Compliance Certification is required annually. A waiver for temporary
compliance certification may be given if a detailed written waiver request issued by the
department manager is approved by the BCP executive management team liaison.
Maximum delay for compliance is one year.

Policy Compliance Certification Support
The BCP team is available to support the development and BCP policy compliance
certification process. BCP team services and contact information are available at the
BusinessContinuityPlanningTeam intranet link.

[Company] recognizes the importance of a comprehensive Business Continuity Planning
Program to insure the safety, health and continued availability of employment of its
employees and quality goods and services for those we serve. We require the
commitment of each employee, department and vendor in support of the objectives
required to protect [Company] assets, mission and survivability.

Policy Integration Checklist
Promises without progress do not meet preparedness requirements. Metrics for Policy
compliance must be clearly defined, implemented and measured. The following policy
integration items can help to insure the success of your Business Continuity Policy.
Enforcing metrics of your Policy components will help clarify the Policy, can save
resources and will insure that you meet continuity requirements.

• The Change Control Process supports and includes the Business Continuity Plan
(BCP) Policy objectives
• The BCP Policy is included in the metrics for performance and compensation for
all levels of individuals and groups, in clear and specific terms.
• Each task in the BCP is assigned to a specific individual. On a regular basis the
individual is required to certify (sign) that they are a) aware of the assigned
responsibility and b) that the task procedures work as documented.
• Specific metrics and penalties are included in all Service Level Agreements
(SLA's) and contracts sufficient to insure Business Continuity, Preparedness and
compliance of BCP policy.
• Status of the “State of the BCP” program and Policy support is a regular agenda
item for all executive, middle management and team meetings.
• Business Continuity and Disaster Recovery is incorporated into the business
process development and operational procedures.
• Business Continuity Plans are required and verified for key suppliers and
customers.
• SLA's that support BCP objectives are implemented with key customers.

How the Business Continuity Program is integrated into the fabric of your daily business
and long-term strategy will affect your preparedness.
Plan Resiliency Checklist
Eliminating single points of failure greatly increases the probability of continuity.
Flexibility can make the difference between maintaining continuity and disaster.
Resiliency really counts throughout your Continuity Plan, including the emergency
response, risk mitigation and recovery programs. Include the following checklist in your
resiliency considerations to insure continuity.

• The operations center is geographically diverse.
• The back-up and recovery site(s) are outside the current operational area.
• Staffing back-up and/or cross training is enforced and tested.
• Applications and other resources for critical processes are “location flexible.”
• Business Continuity Plans are current and validated regularly.
• Metrics and a reporting review responsibility are in place for all Plans and
Agreements (contracts, Service Level Agreements (SLA's), etc.).
• Recovery Time Objective (RTO) and Recovery Point Objective (RPO) are
measured objectives of every Plan exercise verification.

We are interested in your feedback on this checklist for Plan “Resiliency.” Let us know
how you are insuring your required Business Continuity and Preparedness and if we can
publish your comments on our website.
Plan Validation Checklist
Plan validation completes the policy integration, risk assessment, impact analysis,
recovery strategy selection and Continuity Plan program awareness and training steps.
BCP highly recommends that you don't come up short on this checklist.

• Plan validation objectives are comprehensive, approved and measurable.
• Plan validation is scheduled on a regular basis and included in the Policy
Compliance Certification.
• Plan validations are as broad and complete as possible.
• Plan validation exercise objectives support your Recovery Time Objective (RTO)
and Recovery Point Objective (RPO) and challenge the Plan.
• Each validation exercise (tabletop, walk-through or full) has appropriate metrics
to meet or exceed Policy Compliance Certification and references its policy
compliance component(s).
• Auditors are included in the validation process.
• Executive, “upper-management”, crisis management and customers (and vendors
as applicable) are included in the validation objectives approval process and the
validation results report distribution list, and are invited to the Plan validation
command center as appropriate.
• Plan validation results and the resulting Plan changes are integrated into the
documentation.
• Required Plan revalidation items are captured and are included in the "next
scheduled validation" as appropriate.
• The validation “results” report includes the activities, successes, shortcomings,
and individuals and teams involved (internal and external), and how each addressed,
point-by-point, the objectives of the validation plan.
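The Resiliency checklist above asks that RTO and RPO be measured objectives of every exercise, and the Validation checklist asks that each exercise's results be reported point-by-point against the Plan's objectives and that unexercised items be carried forward to the next scheduled validation. The following Python script is an added example, not part of the original checklists, showing one way to turn exercise records into such a results report. The component names, the RTO/RPO values and the exercise records are constructed sample data; the rule that only a walk-through or full exercise produces a measured recovery time (a tabletop exercises only the documentation) is an assumption of this example, not a statement from the page.

```python
"""Evaluate plan-validation exercise results against RTO/RPO objectives.

Added example (not from the checklist's author). All component names,
objectives and exercise records are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Objective:
    component: str
    rto_minutes: int   # Recovery Time Objective: maximum tolerable downtime
    rpo_minutes: int   # Recovery Point Objective: maximum tolerable data-loss window


@dataclass
class ExerciseResult:
    component: str
    exercise_type: str       # "tabletop", "walk-through" or "full"
    recovery_minutes: int    # measured time from declared failure to restored service
    data_loss_minutes: int   # measured age of the newest recoverable data at restore time


@dataclass
class Finding:
    component: str
    status: str              # "pass", "fail" or "not exercised"
    exercise_type: str = ""
    notes: List[str] = field(default_factory=list)


# Assumption of this example: tabletop exercises do not yield measured times.
EXERCISE_RANK = {"full": 2, "walk-through": 1, "tabletop": 0}


def evaluate(objectives: List[Objective], results: List[ExerciseResult]) -> List[Finding]:
    """Return one Finding per objective, point-by-point against RTO and RPO.

    The most demanding exercise on record for a component is used as evidence.
    A component passes only when a walk-through or full exercise measured
    recovery within both RTO and RPO. Components with no exercise record are
    flagged as revalidation items for the next scheduled validation.
    """
    by_component: Dict[str, List[ExerciseResult]] = {}
    for r in results:
        by_component.setdefault(r.component, []).append(r)

    findings: List[Finding] = []
    for obj in objectives:
        runs = by_component.get(obj.component, [])
        if not runs:
            findings.append(Finding(obj.component, "not exercised",
                                    notes=["no validation record; schedule for next validation"]))
            continue
        best = max(runs, key=lambda r: EXERCISE_RANK.get(r.exercise_type, -1))
        notes: List[str] = []
        if EXERCISE_RANK.get(best.exercise_type, -1) < 1:
            notes.append("only tabletop evidence; recovery time not measured")
        if best.recovery_minutes > obj.rto_minutes:
            notes.append(f"RTO missed: {best.recovery_minutes} min > {obj.rto_minutes} min")
        if best.data_loss_minutes > obj.rpo_minutes:
            notes.append(f"RPO missed: {best.data_loss_minutes} min > {obj.rpo_minutes} min")
        findings.append(Finding(obj.component, "pass" if not notes else "fail",
                                best.exercise_type, notes))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per status for the results report header."""
    counts = {"pass": 0, "fail": 0, "not exercised": 0}
    for f in findings:
        counts[f.status] += 1
    return counts


# Constructed sample data: four critical components and three exercise records.
SAMPLE_OBJECTIVES = [
    Objective("order-entry", rto_minutes=240, rpo_minutes=60),
    Objective("payroll", rto_minutes=1440, rpo_minutes=1440),
    Objective("customer-portal", rto_minutes=120, rpo_minutes=15),
    Objective("email", rto_minutes=480, rpo_minutes=240),
]
SAMPLE_RESULTS = [
    ExerciseResult("order-entry", "tabletop", 0, 0),
    ExerciseResult("order-entry", "full", 180, 30),
    ExerciseResult("payroll", "tabletop", 0, 0),
    ExerciseResult("customer-portal", "walk-through", 150, 10),
]

if __name__ == "__main__":
    report = evaluate(SAMPLE_OBJECTIVES, SAMPLE_RESULTS)
    print("Summary:", summarize(report))
    for f in report:
        detail = "; ".join(f.notes) if f.notes else "within RTO and RPO"
        print(f"{f.component:16} {f.status:14} {f.exercise_type:13} {detail}")
```

On the sample data this reports order-entry as a pass (its full exercise beat both objectives), customer-portal as a fail on RTO, payroll as a fail because only tabletop evidence exists, and email as a revalidation item because it was never exercised.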

Plan validation is a key measure of the success of your Business Continuity Planning
program. Let us know any comments you may have on this checklist and what you are
doing for Plan validation. We intend to put some of the comments received on our
website, so let us know if we can list yours and check back to see what others have said.
Service Level Agreement Checklist
Service level clarity and metrics can insure the completeness of your Service Level
Agreement (SLA) objectives. Leave nothing to chance or adverse interpretation. The
supplier must know the “what and how” and clients expect no less. This checklist for
SLA's may also be included in contracts, letters of understanding and mutual aid
agreements. Include the following checklist items in all agreements to ensure clarity and
reap big benefits.

• The service provider and client are clearly defined including specific primary and
secondary contacts.
• Performance metrics and method(s) of measurement are stated clearly to insure
compliance.
• Regularity and format of compliance reporting are clearly defined.
• The problem escalation notification process and conditions are clearly defined and
validated.
• SLA terms should include, but not be limited to:
o Start and end date
o Dependencies
o Assumptions
o Non-performance penalties
o Special cost issues
o Deliverables
o Special requirements (security clearances, delivery issues, etc.)
o Extension and renewal terms
o Sub-contracting or company “buy-out” terms and any other item which
may have impact on the service expectations of the agreement.
o Key participant's “sign-offs” are included
o Referenced documents are noted appropriately
• Require Continuity Plans and preparedness for suppliers and clients and include
the metrics in the SLA or agreement.

Wherever two are gathered together as provider and client, an understanding of
expectations MUST be defined. The best way to guarantee the expectations on both
sides of a service is to "put it in writing" and then audit the on-going deliverables. Clarity
and sufficient detail are also important.
Plan Completeness Checklist
The completeness of your Plan and its support of critical business functions and
processes will determine your ability to meet staff, customer and vendor requirements. To
insure completeness is an ongoing process of communication, training, and awareness.
Never ASSUME. Contingency Preparedness is a responsibility, not an option. You must
know what is acceptable and what is not and insure all staff, internal and external, meet
the required objectives. Minimize continuity omissions by including the following
checklist:

• There is a Plan support cover letter authored by the highest possible Executive
level person responsible for insuring the Business Continuity Policy Certification
Compliance Policy is enforced. The preferred author is the Board Chair,
President, CEO, or CFO with additional enforcement by a letter from each
affiliate or departmental Chief Executive.
• There are Plans supporting the minimum key areas of:
o Emergency Response
o Technology and Tools
o Workplace
o User Operational Procedures
o Staffing
o Media and Communications Interface
• The Plan is an enterprise-wide integrated and coordinated Plan.
• Plans are developed, implemented and validated following thorough risk
assessment, impact analyses, strategy analysis and critical business process
support requirements and flow analysis on a regular basis.
• Integration exists between the Process Development Process, Change Control, the
Audit Process, Service Level Agreement (SLA) and contract negotiations, and all
daily operational procedures and activities.
• Plans are documented for the level of the responsible implementer and the skills
required are clearly defined.
• All interfaces, assumptions, dependencies, requirements and details are clearly
documented. Voluminous details of procedures, contact lists, etc. are only
referenced but are audited and validated on a regular basis.
• Confidential Plan information is not included in the general distribution process
but is available through secure duplicate sources.
• Key external suppliers and customer interfaces, roles and responsibilities are
included in the Plan, as appropriate, and included in the validation process.
• Executive Management and Crisis Management teams approve and participate in
the Plan validation process.
• The Plan and all associated documentation (electronic or physical) is secured,
duplicated and dispersed geographically.
Individual Preparedness Plan Checklist
A critical component of every Business Continuity Plan is the staff of individuals who
manage and perform the critical processes that insure continuity. Individuals who are not
available or cannot focus on the task at hand during a disaster will impact the success of
the required business continuity and the recovery. There is no guarantee that individuals
will be completely prepared if they have the items in the Individual Preparedness
checklist below. They can be assured that without most of the listed items, they will not
be prepared. The following list provides an overview of some items to consider when
preparing your personal and/or your family's contingency plan.

• Complete CPR and First Aid training.
• Document details of key contacts and a plan for communication:
o Names
o Full address including zip code
o Phone numbers 10-digit (Home, work, cell, pager)
o Communications Schedule Plan
o Emergency contact names with relationship
• Develop and document a Re-location Plan:
o Maps, including primary and alternate route(s)
o Hotel list with contact numbers
o Meeting places
• Reserve and list cash, credit cards, traveler checks, bank checks, etc.
• Insure needed medical:
o Prescription and non-prescription medicine
o Doctor contact information
o First Aid kit
o Personal Data (Blood type, allergies, etc.)
o DNA chart or material (hair, etc.)
• Have personal and family documentation:
o Identification
▪ Drivers License
▪ Pictures
▪ Social Security Number
▪ Auto information (license tag, make, model, color, etc.)
o Critical documents (Birth Certificate, Will, etc.)
o Checklists
o The Emergency Plan
o Current photos
o First Aid instruction book
• Insure transportation preparedness (Gasoline, flares, flashlight, registration,
insurance, etc.)
• Store and refresh water, food, vitamins, etc.
• Check your tool kit including shovel, pliers, screwdriver, tape, etc.
• Pack clothing, bedding, toys, etc.
• Bring telephone items (analog and cord, cellular with charger and extra battery)
• Prepare camping supplies (tent, sleeping bag, stove, compass, whistle, water
purifier etc.)
• Have pet requirements (leash, food, tags, medicine, run pen, etc.)

The completeness of your Plan and your communication of it with those covered by the
Plan, will impact your preparedness and ability to survive. To insure your Plan's
completeness is an ongoing process of communication, training, and awareness. Never
ASSUME. Individual Preparedness is a responsibility, not an option. Let us know what
comments you may have on this checklist and if we can list your comments on our
website for others to consider.
Public Authority Coordination Checklist
Coordination with public authorities is a critical component of the Business Continuity
Plan. Public authorities are the first responders in the event of an emergency, such as fire,
civil unrest, terrorism, hostage situation and a hazardous material event. Public
authorities may control access to your business whether you or your neighbor are affected
by an event. Public authorities include fire, police, city, county, state or national
emergency management teams, National Guard, public utilities, and your city, county,
state and, potentially, national elected officials. Beyond insuring that your suppliers and
staff meet required objectives, you must know the local and regional public authorities
who support your business environment and their response procedures to insure you can
maintain “continuity”.

Complete Business Continuity Planning must include organization-wide coordinated
plans, supplier deliverable assurances, other support services organizations and
coordination with public authorities.

Listed below are some recommended issues to include in your “Coordination with Public
Authorities” planning process as you develop and maintain your enterprise Business
Continuity Plan.

Preparedness
• Know your local and regional public authorities including, but not limited to,
emergency management, fire, police, public utilities and elected officials.
• Maintain current knowledge of laws, regulations, codes, zoning, standards or
practices concerning emergency procedures specific to your location and industry.
• Document each authority group and their roles and responsibilities and possible
support resources.
• Document authority group contact information and required contact protocol.
• Document the communication protocol and status reporting process.
• Document organization staff members who may be members of a public
authority group (volunteer fire, police, Red Cross Disaster Services, National
Guard, State Emergency Response Committee (SERC) and Local Emergency
Planning Committee (LEPC), etc.).
• Document facility and region access issues to include, but not limited to, "all
clear" parameters/metrics, evacuation and return routes and process details.
• Establish liaison procedures for emergency and disaster scenarios.
• Document and associate with appropriate public authority Early Warning
Notifications Systems, Press Releases, Websites, etc.
• Coordinate organizational vulnerability and risk assessment with associated
public studies and assessments.
• Review vulnerabilities and risks and include complementary and appropriate
mitigation and response procedures in your organization's Business Continuity
Plan and risk assessment process.
• Utilize the Incident Command System (ICS) / National Incident Management
System (NIMS) format and stay current with local authorities and their
implementation.
• Document the levels of support and / or degree of recovery obtainable in support
of your organization's response and recovery Plan. Especially evaluate Plan
activities for days 1 through 5.
• Document local and regional supporting infrastructure resources to include, but
not limited to, roadmaps, contour maps, pipelines, waterlines, power plants and
grids, communication lines and hubs, railroads, bridges, water and fuel supplies,
etc.
• Document local and regional supporting resources to include, but not limited to,
Emergency Operations Centers (EOC), hospitals, police and fire facilities,
evacuation support centers, supply warehouses and docks, key vendors, National
Guard facilities, SERC and LEPC resources, etc.
• Document the forms and processes to be used during an event or exercise to
insure activities and participants, etc. are captured for review and Plan response
and recovery improvements.
• Develop procedures for sharing critical and confidential (lock boxed) information
to include, but not limited to, your organization's site layout information, floor
plans, secure areas, laboratories, electrical sources, telecomm sources, etc. and
public authority confidential information.
• Determine organizational interface protocol, identification and training
requirements and identify appropriate internal staff or support representative(s).
• Share locations and types of organizational resources of public interest including,
but not limited to, hazardous materials, fuel supplies, water sources,
organizational contacts.
• Define "regional" supporting resources, staffs, expertise, etc. to include, but not
limited to, Red Cross, United Way, Catholic Charities and other religious and
community support groups, etc.
• Document organizational resources potentially available in support of other
organizations and public authority activities. Include skills and training
parameters.

Response and Recovery
• Monitor status information included on local, regional and national warning
systems, press releases, radio and television reports, etc.
• Document the actual events including all incoming information and
recommendations and comments by participants, clients and observers to facilitate
post event analysis.
• Monitor public authority exercises and event responses and review their on-going
event status and Plan implementations.
• Notify authorities of organizational on-going event status and projected Plan
implementations.
• Include public authorities in organizational exercises where applicable.
• Participate in local and regional exercises with staff and resources including, but
not limited to, the (EOC) Emergency Operations Center.
• Communicate availability and document use of resources for public authorities.

Post Event or Exercise
• Document local and regional public authority facilities which may have an impact
on your business to include, but not limited to, police and fire stations, public
buildings such as city halls, courthouses, Justice of the Peace locations,
infrastructure terminals and storage locations, parking lots and Federal Reserve
Banking locations.
• Communicate internal event or exercise results to public authorities when their
support was utilized, could have been utilized, or had an effect on your recovery.
• Review the event or exercise documentation, Plan objectives, participants and
final reports for lessons learned and Plan and training modifications and
procedures improvements.
• Participate in post event public discussions and round-tables.
• Coordinate future exercises and objectives.

Training
• Participate in local and regional training exercises with staff and resources.
• Share internal training for the response and recovery Plans developed, including
documentation validations and certification process, table-tops, walk-throughs,
component validations, etc.

Complete Business Continuity Planning must include enterprise-wide coordinated plans,
supplier deliverable assurances, other support service organizations and coordination with
public authorities. Let us know how you formalize interface with public authorities and
any recommendations you have for our checklist.

Business Continuity Assessment Checklist
This assessment will assist you with putting your business continuity plan together.
The assessment has been split into sections for ease of reference. Document relevant
details/information/procedures and you will then have a business continuity plan. Not
all the questions may be relevant to your business.

BUILDING FACILITIES
• Do you have evacuation procedures for your buildings?
• Are the fire exits clearly marked and fire procedures in place?
• Do you regularly practice fire drills?
• Do you have primary and secondary evacuation points at a suitable distance
away from the building(s)?
• Do you have a site plan of your building(s)?
• Do you have generator backup systems in place?
• Do you have an alternative building to use in an emergency, i.e. where your
business or critical elements of your business could continue to operate from?
• Do you check on a regular basis that the heating and air conditioning is
working?
• Have you familiarised yourself and your staff with the location of the mains
switches and valves (electricity, gas, water)?
• Do you carry out end of day inspections, i.e. to check everybody has left?
• At the end of the working day do you have procedures in place to make sure
that all appliances are switched off and doors and windows are locked?
• Do you regularly check the integrity of external fences and doors?

PERSONNEL
• Have you got a list of all employee contact telephone numbers and home
addresses?
• Do your staff know who is in charge in the time of a crisis?
• Have your staff been given specific roles in the event of a crisis?
• If your business could not operate from its present location, could your staff
work from an alternative location, or some of them work from home, etc.?
• Do you have members of staff with first aid or medical training?

SECURITY
• Is there a security system installed?
• Do you have a security policy?
• Do you give advice or training on security?
• Do you check references fully?
• Are contractors checked fully (i.e. company as well as each individual)?

PAPER AND ELECTRONIC DOCUMENTS
• Do you copy/back up your information?
• Do you store your critical paper documents in fire/waterproof containers?
• Do you have copies of critical accounts and contracts at a separate location?
• Is someone responsible for the upkeep of your files and accounts?

IT
• Are your IT systems critical to the running of your business?
• If your IT systems went down, do you have manual processes that could
maintain critical documentary/administrative functions?
• Do you know how long it would take to recover IT functions if your system
went down?
• Who would restore your system if it went down, and do you have their contact
details?
• Do you have a tested IT disaster recovery plan?
• Is your computer anti-virus software up to date?
• Are documented IT security policies and procedures in place?
• Are all your computer users fully aware of email and internet usage policies?
• Is your company system part of a larger network?
• Do you know how many platforms/servers/applications or operating systems
support critical business functions?
• Is expertise in how to use your IT system, knowledge of where critical
documents are electronically stored, etc., limited to one individual?
• Do you have vital computer information stored on back up disks held off
premises?

SUPPLIERS
• Do you have alternative suppliers for critical equipment/stores/parts/goods/products etc?
• Do you have an arrangement with your critical suppliers where they will inform you if they cannot make a delivery?
• Do your suppliers have a business continuity plan?
• Do you have your suppliers’ correct contact details – both office hours and out of office hours?

COMPANY EQUIPMENT
• Do you have someone accountable for the assets of your company?
• Do you have an inventory and is it regularly checked?
• Do you have controls over the movements of your company equipment?

CUSTOMERS
• Do you have the correct contact details for all your main customers?
• Do you have any key customers who you will need to be in constant contact with during a crisis?

LOCATION
• Have you thought about the types of risk that might occur due to the actions/operations of other businesses near to you?
• Have you thought about the types of risk associated with the environment, i.e. flooding from a nearby river, snow, severe weather etc?

INSURANCE
• Do you have sufficient insurance to pay for disruption to business, cost of repairs, hiring temporary employees, leasing temporary accommodation and equipment etc?
• Do you have your insurance company’s details in order to contact them immediately at the time of an incident?

ASSESS THE RISKS

Consider what the most likely and greatest risks to your business are. Analyse each risk by asking yourself the following questions:

• How likely is it to happen?
• What effect will it have on the business?
• How can you cope with it, i.e. what do you need to do to stay operational if it takes place?
• What preventative measures can you take to prevent it from happening or minimise the effect it will have on your business?
• Are you insured against the worst eventualities?

PUBLIC RELATIONS (MEDIA)

Bad publicity or incorrect information given out during an incident can make or break a company’s reputation. If your business has a major incident then PR will influence how existing and potential customers, suppliers and all other stakeholders will view your business.

• Nominate a company spokesperson, ensure all staff know who it is, and ensure that they have some training in media handling

During an incident ensure:

• That your company gives out a consistent message
• Staff are kept informed
• Advertisements are placed in local or national papers as needed

GENERAL
Have you prepared an emergency pack? If you have prepared a pack have you included the following items?

• Business recovery plan
• List of employees with contact details
• Details of IT providers
• Contact details for clients and suppliers
• Building site plan
• Spare keys
• Computer backup tapes/discs
• First aid kit
• Stationery/message pads/coloured pens and pencils
• Torch with spare batteries
• Megaphone
• Tape
• Mobile phone/s fully charged
• Disposable cameras
• Dust and toxic fume masks

Is your business continuity plan:

• Clearly documented
• Easily accessible
• Understood by key personnel

Is there someone in your organisation who will have responsibility for maintaining and updating your plan?

From FEMA's Standard Checklist Criteria For Business Recovery
Completed By :

Name:______________________________________________

Company:___________________________________________

Room:_______________

Street:______________________________________________

City, State, Zip:_______________________________________

Phone Number:______________________

Business Recovery Plan for :____________________________

Business Recovery Plan LEVEL 1 (Executive Awareness/Authority)
1) Has a Business Recovery Plan been:
a) Developed?
b) Updated within the last 6 months?

Business Recovery Plan LEVEL 2 (Plan Development and Documentation)
1) Has a classification (critical, important, marginal) been assigned to the Business Process/Function/Component that this Facility/Function supports?
2) Has a Business Recovery Plan been:
a) Documented?
b) Maintained?
3) Does the Business Recovery Plan include the following sections:
a) Identification?
b) Incident Management?
i) Responsible company officer?
ii) Personnel responsible for updates?
c) Response?
d) Recovery?
e) Restoration?
f) Plan Exercise?
g) Plan Maintenance?
h) Business Recovery Teams and Contact Information?
4) Does the Business Recovery Plan identify hardware and software critical to recover the Business and/or Functions?
5) Does the Business Recovery Plan identify necessary support equipment (forms, spare parts, office equipment, etc.) to recover the Business and/or Functions?

6) Does the Business Recovery Plan require an alternate site for recovery?
i) Does the Business Recovery Plan provide for mail service to be forwarded to the alternate facility?
ii) Does the Business Recovery Plan provide for other vital support functions?
7) Are all critical or important data required to support the business being backed up?
i) Are they being stored in a protected location (offsite)?
8) Do you conduct a walk-through exercise of your Plan at least annually? (This should include a full walk-through as well as "elements" of your plan, i.e. accounts payable, receivable, shipping and receiving, etc.)
9) Do the walk-through element exercises have a prepared plan which includes:
a) Description
b) Scope
c) Objective
10) Is a current copy of the Business Recovery Plan maintained off-site?
11) Do all users of the Business Recovery Plan have ready access to a current copy at all times?
12) Is there an audit trail of the changes made to the Business Recovery Plan?
13) Do all employees responsible for the execution of the BDRP receive ongoing training in Disaster Recovery and Emergency Management?

LEVEL 3 (Management & Recovery Team Assessment and Evaluation For Effectiveness)
1) Has the business officer and management team approved the Business Recovery Plan?
2) Does the business owner maintain:
a) The master copy of the Business Recovery Plan?
b) An audit trail of the changes made to the Business Recovery Plan?
3) Do all aspects of physical and logical security at the alternate site conform with your current security procedures?
4) Is the physical and logical security at the alternate site at least as stringent as the security at the disaster location?
5) Have all employees and their alternates responsible for executing a manual work-around for a mechanized process been identified in the Business Recovery Plan and properly trained?
6) Has an independent observer documented the simulation exercise(s), noting all results, discrepancies, exposures, action items, individuals responsible, etc.?
7) Was a debriefing held within a reasonable period of time (typically two weeks) after the simulation exercise(s) to ensure all activities have been accurately recorded?
8) Did the exercise coordinator publish a simulation exercise(s) report within a reasonable period of time (typically three weeks) after the completion of the simulation exercise(s)?
9) Did the exercise report include:
a) what worked properly as well as any deficiencies and recommendations for improvement?
b) responsibility and due date for the development of the Corrective Action Plan?
10) Was a Corrective Action Plan developed by the Exercise Team to address any deficiencies identified by the exercise?
11) Is there a retention plan for the Exercise Plans and Corrective Action Plans (minimum retention 3 years)?
12) Has a walk-through element exercise been performed at least quarterly?
13) Did each walk-through element exercise have a prepared plan which includes:
a) Description
b) Scope
c) Objective
14) When there is a change in hardware, software, or a process that might impact the Business Recovery Plan, is the Business Recovery Plan reviewed and updated within 30 days of the change?

Sign-Off By Officer:
By whom? Name:____________________________
When? Date:_____________________________

15) Based on the Joint Assessment has the Team determined that the Business Recovery Plan is effective?
Business Recovery Plan LEVEL 4 (Certification)
(Management & Recovery Team Assessment of Readiness and Plan Maintenance)

1) Has the component Business Recovery Plan been approved by the owner(s) of the Business Function(s)?
2) Has the entire Business Recovery Plan simulation exercise been performed at least annually?
3) Has the Corrective Action Plan been completed and closed?
4) Did the Business Recovery Plan simulation exercise have a prepared plan which includes:
a) Description
b) Scope
c) Objective
5) Did the component Business Recovery Plan simulation exercise meet the acceptable Recovery Time Objective set by management?
6) Based on the Joint Assessment has the Team determined that the Business Recovery Plan and Exercises have met all requirements to provide reasonable assurance that the plan will work in the event of a disaster?
7) Does the Business Recovery Plan specify the maximum acceptable Recovery Time Objective (RTO)?
8) Does the Business Recovery Plan specify the level of service (which the business owner has agreed to be acceptable) to be provided while in recovery mode?
9) Have all changes relating to RTO in the Business Recovery Plan been approved by the process owner?

Business Continuity Checklist

The nature of an emergency or disaster is its unpredictability. However, organizations which have done their homework ahead of time can reduce losses and be better prepared to continue operating and communicating with employees and customers during the aftermath. The ability to telework, and familiarity with the procedures involved, have proven to be a key asset in emergency management. The following checklists detail questions most employers should be able to answer and tasks that should be accomplished ahead of time to ensure business continuity.

In the event of an emergency, has your organization determined the answers to these questions?

• Who is the coordinator/main contact?
• What are the vital business functions that need to be online first?
• Who is already set up to telework or can easily make that transition?
• Is there a way to connect to the company’s network remotely, and is there a backup in case the primary system fails?

Tasks to help prepare for an emergency situation:

• Create a list of employees already teleworking and/or those who can start immediately, as well as their contact information.
• Designate an IT/IS point person in charge of ensuring employees can gain remote access.
• Designate a company-wide coordinator or "task force" to act as the primary source of information and guidance in such situations.
• Develop a telework kit for regular and potential ad hoc teleworkers that includes basic guidelines, a list of important numbers and e-mail addresses, passwords and procedures for staying in communication and backing up key data.
• Back up records/data regularly in case the network is lost.
• Ask all employees to become familiar with telework procedures, technologies and remote access to company servers, and to have a plan for how they might work remotely in an emergency situation.
• Make sure secure access to corporate data and applications is available and a backup system is in place should the primary system go down.
• Make sure the telecommunication system allows for call forwarding.
• Provide emergency teleworkers with calling cards to use for business calls.
