An ancient philosopher once said, "The reason for failure is unwillingness, the pretended
reason is inability". If your business or your family is called before its audit committee to
review your Continuity and Resiliency Plans, would your Plans pass the Preparedness
test?
The 7 Questions of Business Preparedness are a good start to reviewing your Business
Continuity Plan. The following checklists can help you measure the completeness of vital
components of your Business Continuity Planning Program and its associated
documentation.
Please review each checklist and email us any suggestions or comments you may have.
Let us know what other checklists would be helpful and how you have implemented and
validated your Business Continuity Planning program.
7 Questions of Company Preparedness
1. Is your business impact tolerant?
2. Have you mitigated points of failure?
3. Are you and your staff prepared for Business interruptions?
4. Is your Contingency Plan documented and approved?
5. Have you reviewed your Plan with staff, suppliers and customers?
6. Is your Plan current and regularly tested?
7. Does your Plan ensure timely resumption of critical business functions?
We would appreciate any comments you may have on Policy statements for a Business
Continuity Planning program. Let us know your Policy, how you communicate the Policy
and ensure compliance with it, and whether we can publish your comments on our website.
Policy Sample
Introduction
[Company] is committed to its customers, employees, shareholders and suppliers. To
ensure the effective availability of essential products and services, [Company] provides
this Business Continuity Planning policy in support of a comprehensive program for
business continuity, disaster prevention and total business recovery.
Policy
Each department is responsible for current and comprehensive Business Continuity
Planning (BCP). When implemented, the Plan should include the procedures and
support agreements that ensure on-time availability and delivery of required products
and services. Each Plan must be certified annually under the BCP policy compliance
process by the BCP team.
Policy Leadership
[Executive] is the BCP executive management liaison for the BCP program. Resolution
of issues in the development of or support for all Plans should first be coordinated with
the BCP team and appropriate internal or external organizations. The "Business
Continuity Planning - Policy Compliance Certification" documentation defines the issue
resolution process.
• The Change Control Process supports and includes the Business Continuity Plan
(BCP) Policy objectives
• The BCP Policy is included in the metrics for performance and compensation for
individuals and groups at all levels, in clear and specific terms.
• Each task in the BCP is assigned to a specific individual. On a regular basis the
individual is required to certify (sign) that they are a) aware of the assigned
responsibility and b) that the task procedures work as documented.
• Specific metrics and penalties are included in all Service Level Agreements
(SLAs) and contracts, sufficient to ensure Business Continuity, Preparedness and
compliance with the BCP policy.
• Status of the “State of the BCP” program and Policy support is a regular agenda
item for all executive, middle management and team meetings.
• Business Continuity and Disaster Recovery are incorporated into business
process development and operational procedures.
• Business Continuity Plans are required and verified for key suppliers and
customers.
• SLAs that support BCP objectives are implemented with key customers.
How the Business Continuity Program is integrated into the fabric of your daily business
and long-term strategy will affect your preparedness.
Plan Resiliency Checklist
Eliminating single points of failure greatly increases the probability of continuity.
Flexibility can make the difference between maintaining continuity and disaster.
Resiliency counts throughout your Continuity Plan, including the emergency
response, risk mitigation and recovery programs. Include the following checklist in your
resiliency considerations to ensure continuity.
We are interested in your feedback on this checklist for Plan “Resiliency.” Let us know
how you are ensuring your required Business Continuity and Preparedness and whether we can
publish your comments on our website.
Plan Validation Checklist
Plan validation completes the policy integration, risk assessment, impact analysis,
recovery strategy selection and Continuity Plan program awareness and training steps.
BCP highly recommends that you don't come up short on this checklist.
Plan validation is a key measure of the success of your Business Continuity Planning
program. Let us know any comments you may have on this checklist and what you are
doing for Plan validation. We intend to put some of the comments received on our
website, so let us know if we can list yours and check back to see what others have said.
Service Level Agreement Checklist
Service level clarity and metrics can ensure the completeness of your Service Level
Agreement (SLA) objectives. Leave nothing to chance or adverse interpretation. The
supplier must know the “what and how”, and clients expect no less. This checklist for
SLAs may also be included in contracts, letters of understanding and mutual aid
agreements. Include the following checklist items in all agreements to ensure clarity and
reap big benefits.
• The service provider and client are clearly defined including specific primary and
secondary contacts.
• Performance metrics and method(s) of measurement are stated clearly to ensure
compliance.
• Regularity and format of compliance reporting are clearly defined.
• The problem escalation notification process and conditions are clearly defined and
validated.
• SLA terms should include, but not be limited to:
o Start and end date
o Dependencies
o Assumptions
o Non-performance penalties
o Special cost issues
o Deliverables
o Special requirements (security clearances, delivery issues, etc.)
o Extension and renewal terms
o Sub-contracting or company “buy-out” terms and any other item which
may have impact on the service expectations of the agreement.
o Key participants' “sign-offs” are included
o Referenced documents are noted appropriately
• Require Continuity Plans and preparedness for suppliers and clients and include
the metrics in the SLA or agreement.
• There is a Plan support cover letter authored by the highest possible Executive-level
person responsible for ensuring the Business Continuity Policy Certification
Compliance Policy is enforced. The preferred author is the Board Chair,
President, CEO, or CFO, with additional enforcement by a letter from each
affiliate or departmental Chief Executive.
• There are Plans supporting the minimum key areas of:
o Emergency Response
o Technology and Tools
o Workplace
o User Operational Procedures
o Staffing
o Media and Communications Interface
• The Plan is an enterprise-wide integrated and coordinated Plan.
• Plans are developed, implemented and validated following thorough risk
assessment, impact analyses, strategy analysis and critical business process
support requirements and flow analysis on a regular basis.
• Integration exists between the Process Development Process, Change Control, the
Audit Process, Service Level Agreement (SLA) and contract negotiations, and all
daily operational procedures and activities.
• Plans are documented for the level of the responsible implementer and the skills
required are clearly defined.
• All interfaces, assumptions, dependencies, requirements and details are clearly
documented. Voluminous details of procedures, contact lists, etc. are only
referenced, but are audited and validated on a regular basis.
• Confidential Plan information is not included in the general distribution process
but is available through secure duplicate sources.
• Key external suppliers and customer interfaces, roles and responsibilities are
included in the Plan, as appropriate, and included in the validation process.
• Executive Management and Crisis Management teams approve and participate in
the Plan validation process.
• The Plan and all associated documentation (electronic or physical) are secured,
duplicated and dispersed geographically.
Individual Preparedness Plan Checklist
A critical component of every Business Continuity Plan is the staff of individuals who
manage and perform the critical processes that ensure continuity. Individuals who are not
available or cannot focus on the task at hand during a disaster will impact the success of
the required business continuity and recovery. There is no guarantee that individuals
will be completely prepared if they have the items in the Individual Preparedness
checklist below, but they can be assured that without most of the listed items they will not
be prepared. The following list provides an overview of some items to consider when
preparing your personal and/or your family's contingency plan.
The completeness of your Plan and your communication of it to those covered by the
Plan will impact your preparedness and ability to survive. Ensuring your Plan's
completeness is an ongoing process of communication, training, and awareness. Never
ASSUME. Individual Preparedness is a responsibility, not an option. Let us know what
comments you may have on this checklist and whether we can list your comments on our
website for others to consider.
Public Authority Coordination Checklist
Coordination with public authorities is a critical component of the Business Continuity
Plan. Public authorities are the first responders in the event of an emergency, such as fire,
civil unrest, terrorism, a hostage situation or a hazardous material event. Public
authorities may control access to your business whether you or your neighbor are affected
by an event. Public authorities include fire, police, city, county, state or national
emergency management teams, National Guard, public utilities, and your city, county,
state and, potentially, national elected officials. Beyond ensuring that your suppliers and
staff meet required objectives, you must know the local and regional public authorities
who support your business environment and their response procedures to ensure you can
maintain “continuity”.
Listed below are some recommended issues to include in your “Coordination with Public
Authorities” planning process as you develop and maintain your enterprise Business
Continuity Plan.
Preparedness
• Know your local and regional public authorities including, but not limited to,
emergency management, fire, police, public utilities and elected officials.
• Maintain current knowledge of laws, regulations, codes, zoning, standards or
practices concerning emergency procedures specific to your location and industry.
• Document each authority group and their roles and responsibilities and possible
support resources.
• Document authority group contact information and required contact protocol.
• Document the communication protocol and status reporting process.
• Document organization staff members who may be members of a public
authority group (volunteer fire, police, Red Cross Disaster Services, National
Guard, State Emergency Response Committee (SERC), Local Emergency
Planning Committee (LEPC), etc.).
• Document facility and region access issues to include, but not limited to, "all
clear" parameters/metrics, evacuation and return routes and process details.
• Establish liaison procedures for emergency and disaster scenarios.
• Document and associate with appropriate public authority Early Warning
Notifications Systems, Press Releases, Websites, etc.
• Coordinate organizational vulnerability and risk assessment with associated
public studies and assessments.
• Review vulnerabilities and risks and include complementary and appropriate
mitigation and response procedures in your organization's Business Continuity
Plan and risk assessment process.
• Utilize the Incident Command System (ICS) / National Incident Management
System (NIMS) format and stay current with local authorities and their
implementation.
• Document the levels of support and/or degree of recovery obtainable in support
of your organization's response and recovery Plan. Especially evaluate Plan
activities for days 1 through 5.
• Document local and regional supporting infrastructure resources to include, but
not limited to, roadmaps, contour maps, pipelines, waterlines, power plants and
grids, communication lines and hubs, railroads, bridges, water and fuel supplies,
etc.
• Document local and regional supporting resources to include, but not limited to,
Emergency Operations Centers (EOC), hospitals, police and fire facilities,
evacuation support centers, supply warehouses and docks, key vendors, National
Guard facilities, SERC and LEPC resources, etc.
• Document the forms and processes to be used during an event or exercise to
ensure activities, participants, etc. are captured for review and Plan response
and recovery improvements.
• Develop procedures for sharing critical and confidential (lock-boxed) information,
including but not limited to your organization's site layout information, floor
plans, secure areas, laboratories, electrical sources, telecomm sources, etc., and
public authority confidential information.
• Determine organizational interface protocol, identification and training
requirements and identify appropriate internal staff or support representative(s).
• Share locations and types of organizational resources of public interest including,
but not limited to, hazardous materials, fuel supplies, water sources,
organizational contacts.
• Define "regional" supporting resources, staffs, expertise, etc. to include, but not
limited to, Red Cross, United Way, Catholic Charities and other religious and
community support groups, etc.
• Document organizational resources potentially available in support of other
organizations and public authority activities. Include skills and training
parameters.
Training
• Participate in local and regional training exercises with staff and resources.
• Share internal training for the response and recovery Plans developed, including
documentation validations and certification process, table-tops, walk-throughs,
component validations, etc.
BUILDING FACILITIES
Do you have evacuation procedures for your buildings?
Are the fire exits clearly marked and fire procedures in place?
Do you regularly practice fire drills?
Do you have primary and secondary evacuation points at a suitable distance
away from the building(s)?
Do you have a site plan of your building(s)?
Do you have generator backup systems in place?
Do you have an alternative building to use in an emergency i.e. where your
business or critical elements of your business could continue to operate from?
Do you check on a regular basis that the heating and air conditioning is
working?
Have you familiarised yourself and your staff with the location of the mains
switches and valves (electricity, gas, water)?
Do you carry out end of day inspections i.e. to check everybody has left?
At the end of the working day do you have procedures in place to make sure
that all appliances are switched off and doors and windows are locked?
Do you regularly check the integrity of external fences and doors?
PERSONNEL
Have you got a list of all employee contact telephone numbers and home
addresses?
Do your staff know who is in charge in the time of a crisis?
Have your staff been given specific roles in the event of a crisis?
If your business could not operate from its present location could your staff
work from an alternative location, or some of them work from home etc?
Do you have members of staff with first aid or medical training?
SECURITY
Is there a security system installed?
Do you have a security policy?
Do you give advice or training on security?
Do you check references fully?
Are contractors checked fully (i.e. company as well as each individual)?
IT
Are your IT systems critical to the running of your business?
If your IT systems went down do you have manual processes that could
maintain critical documentary/administrative functions?
Do you know how long it would take to recover IT functions if your system
went down?
Who would restore your system if it went down and do you have their contact
details?
Do you have a tested IT disaster recovery plan?
Is your computer anti-virus software up to date?
Are documented IT security policies and procedures in place?
Are all your computer users fully aware of email and internet usage policies?
Is your company system part of a larger network?
Do you know how many platforms/servers/applications or operating systems
support critical business functions?
Is expertise of how to use your IT system, knowledge of where critical
documents are electronically stored etc, limited to one individual?
Do you have vital computer information stored on back up disks held off
premises?
SUPPLIERS
Do you have alternative suppliers for critical equipment/ stores/ parts/ goods/
products etc?
Do you have an arrangement with your critical suppliers where they will
inform you if they cannot make a delivery?
Do your suppliers have a business continuity plan?
Do you have your suppliers' correct contact details – both office hours and out
of office hours?
COMPANY EQUIPMENT
Do you have someone accountable for the assets of your company?
Do you have an inventory and is it regularly checked?
Do you have controls over the movements of your company equipment?
CUSTOMERS
Do you have the correct contact details for all your main customers?
Do you have any key customers who you will need to be in constant contact
with during a crisis?
LOCATION
Have you thought about the types of risk that might occur due to the
actions/operations of other businesses near to you?
Have you thought about the types of risk associated with the environment i.e.
flooding from nearby river, snow, severe weather etc?
INSURANCE
Do you have sufficient insurance to pay for disruption to business, cost of
repairs, hiring temporary employees, leasing temporary accommodation and
equipment etc?
Do you have your insurance company’s details in order to contact them
immediately at the time of an incident?
Nominate a company spokesperson, ensure all staff know who it is, and ensure
that they have some training in media handling.
During an incident ensure:
GENERAL
Have you prepared an emergency pack? If you have prepared a pack have you
included the following items?
Clearly documented
Easily accessible
Understood by key personnel
Is there someone in your organisation who will have responsibility for maintaining
and up-dating your plan?
From FEMA's Standard Checklist Criteria For Business Recovery
Completed By (Name, Company, Room, Street, Phone Number):
a) Documented?
b) Maintained?
3) Does the Business Recovery Plan include the following sections:
a) Identification?
b) Incident Management?
i) Responsible company officer?
ii) Personnel responsible for updates?
c) Response?
d) Recovery?
e) Restoration?
f) Plan Exercise?
g) Plan Maintenance?
h) Business Recovery Teams and Contact Information?
4) Does the Business Recovery Plan identify hardware and software critical to recover
the Business and/or Functions?
5) Does the Business Recovery Plan identify necessary support equipment (forms,
spare parts, office equipment, etc.) to recover the Business and/or Functions?
i) Does the Business Recovery Plan provide for mail service to be forwarded to the
alternate facility?
ii) Does the Business Recovery Plan provide for other vital support functions?
7) Are all critical or important data required to support the business being backed up?
i) Are they being stored in a protected location (offsite)?
8) Do you conduct a walk-through exercise of your Plan at least annually? (This should
include a full walk-through as well as "elements" of your plan (i.e. accounts payable,
receivable, shipping and receiving, etc.).)
9) Do the walk-through element exercises have a prepared plan which includes:
a) Description
b) Scope
c) Objective
10) Is a current copy of the Business Recovery Plan maintained off-site?
11) Do all users of the Business Recovery Plan have ready access to a current copy at
all times?
12) Is there an audit trail of the changes made to the Business Recovery Plan?
13) Do all employees responsible for the execution of the BDRP receive ongoing
training in Disaster Recovery and Emergency Management?
4) Is the physical and logical security at the alternate site at least as stringent as the
security at the disaster location?
5) Have all employees and their alternates responsible for executing a manual
work-around for a mechanized process been identified in the Business Recovery Plan and
properly trained?
6) Has an independent observer documented the simulation exercise(s) noting all results,
discrepancies, exposures, action items, individuals responsible, etc.?
7) Was a debriefing held within a reasonable period of time (typically two weeks) after
the simulation exercise(s) to ensure all activities have been accurately recorded?
10) Was a Corrective Action Plan developed by the Exercise Team to address any
deficiencies identified by the exercise?
11) Is there a retention plan for the Exercise Plans and Corrective Action Plans
(minimum retention 3 years)?
13) Did each walk-through element exercise have a prepared plan which includes:
a) Description
b) Scope
c) Objective
14) When there is a change in hardware, software, or a process that might impact the
Business Recovery Plan, is the Business Recovery Plan reviewed and updated within 30
days of the change?
Sign-Off By Officer: by whom (Name) and when (Date)
15) Based on the Joint Assessment has the Team determined that the Business Recovery
Plan is effective?
Business Recovery Plan--LEVEL 4
(Certification)
(Management & Recovery Team Assessment Of Readiness and Plan Maintenance)
1) Has the component Business Recovery Plan been approved by the owner(s) of the
Business Function(s)?
2) Has the entire Business Recovery Plan simulation exercise been performed at least
annually?
4) Did the Business Recovery Plan simulation exercise have a prepared plan which
includes:
a) Description
b) Scope
c) Objective
5) Did the component Business Recovery Plan simulation exercise meet the acceptable
Recovery Time Objective set by management?
6) Based on the Joint Assessment has the Team determined that the Business Recovery
Plan and Exercises have met all requirements to provide reasonable assurance that the
plan will work in the event of a disaster?
7) Does the Business Recovery Plan specify the maximum acceptable Recovery Time
Objective (RTO)?
8) Does the Business Recovery Plan specify the level of service (which the business
owner has agreed to be acceptable) to be provided while in recovery mode?
9) Have all changes relating to RTO in the Business Recovery Plan been approved by the
process owner?
Business Continuity Checklist
The nature of an emergency or disaster is its unpredictability. However, organizations that have
done their homework ahead of time can reduce losses and be better prepared to continue operating
and communicating with employees and customers during the aftermath. The ability to telework
and familiarity with the procedures involved have proven to be key assets in emergency management.
The following checklists detail questions most employers should be able to answer and tasks that
should be accomplished ahead of time to ensure business continuity.
In the event of an emergency, has your organization determined the answers to these
questions?
• Create a list of employees already teleworking and/or those who can start immediately as well as
their contact information.
• Designate an IT/IS point person in charge of ensuring employees can gain remote access.
• Designate a company-wide coordinator or "task force" to act as the primary source of information
and guidance in such situations.
• Develop a telework kit for regular and potential ad hoc teleworkers that includes basic guidelines,
a list of important numbers and e-mail addresses, passwords and procedures for staying in
communication and backing up key data.
• Back up records/data regularly in case the network is lost.
• Ask all employees to become familiar with telework procedures, technologies and remote access
to company servers and to have a plan for how they might work remotely in an emergency
situation.
• Make sure secure access to corporate data and applications is available and a backup system is in
place should the primary system go down.
• Make sure the telecommunication system allows for call forwarding.
• Provide emergency teleworkers with calling cards to use for business calls.