
ISBN 0 644 39018 2

Commonwealth of Australia, 2000

This work is copyright. Apart from any use as permitted under the Copyright Act 1968, no part may be reproduced for any purpose without prior written permission from the Australian National Audit Office.

Requests and inquiries concerning reproduction and rights should be addressed to:
The Publications Manager
Australian National Audit Office
GPO Box 707
Canberra ACT 2601

Information on Australian National Audit Office publications and activities is available on the following Internet address: http://www.anao.gov.au

Disclaimer

The Auditor-General, the ANAO, its officers and employees are not liable, without limitation, for any consequences incurred, or any loss or damage suffered by an organisation or by any other person as a result of their reliance on the information contained in this Guide or resulting from their implementation or use of the accompanying Workbook, and to the maximum extent permitted by law, exclude all liability (including in negligence) in respect of the Guide and the accompanying Workbook.

Designed by Art Attack Pty Ltd, Canberra
Printed by Pirie Printers, Canberra

Business Continuity Management
Guide to Effective Control
January 2000
Keeping the wheels in motion

Better practice

The Australian National Audit Office produces better practice guides as part of its integrated audit approach which includes information services to audit clients.

A Better Practice series has been established to deal with key aspects of the control structures of entities, an integral part of good corporate governance.

This Guide forms part of that series. It deals with business continuity management within a risk management framework. The accompanying Workbook is designed to assist organisations in the development of a comprehensive business continuity plan.

Acknowledgments

The Guide has been prepared with the valuable assistance and insights from a number of Commonwealth organisations, primarily:

- Air Services Australia,
- Australian Nuclear Science and Technology Organisation,
- Australian Maritime Safety Authority, and
- Therapeutic Goods Administration.

Input from Standards Australia and Emergency Management Australia has also been invaluable in refining the approach developed for this Guide so that it fully integrates into the risk management framework within an organisation. Finally, the valuable assistance of Deloitte Touche Tohmatsu in developing the business continuity plan (BCP) project steps discussed in Part Two is also recognised. The ANAO records its appreciation of this assistance.

Auditor-General's foreword

The uninterrupted availability of all key resources to support essential business processes, or simply, business continuity, has been taking a considerable amount of managers' time and attention recently. Much of the impetus to review business continuity resulted from a need to treat business continuity risks associated with any systems failures at the change to the year 2000 or, as it is more commonly known, the Y2K bug. Considerable resources were expended to ensure minimal disruption from the anticipated problems.

The current focus of business continuity efforts on Y2K remedies and contingency planning was acceptable in the circumstances. However, beyond this, organisations should address and regularly review all aspects of their business continuity management.

This Guide presents a structured approach to business continuity management. The approach involves identifying preventative treatments for continuity risks that can be routinely managed, and developing an organisation-wide business continuity plan to deal with the consequences should the preventative treatments fail. The approach should be tailored to meet organisational needs while satisfying the major steps identified for business continuity management in the context of overall risk management.

Managers should have an ongoing focus on business continuity as an element of the overall risk management framework in their organisation. While the profile of business continuity is still high, it would be opportune to build on the work and analyses done in relation to the risks associated with Y2K, to ensure business continuity risks are identified, assessed, analysed and treated, as well as being monitored and reviewed.

The Guide further develops the approach promoted by Emergency Management Australia in its publication, Non-stop Service.

The increasing level of devolved authority and management in the public sector, a greater use of contracted service delivery and the pursuit of improved efficiencies and performance, means that the need to manage proactively an organisation's overall risk has never been greater. It would be ill-advised to ignore risks to business continuity because their likelihood is too remote in the medium to longer term - this could well prove costly for both the organisations and the clients (citizens).

Continuity of public sector business is a critical issue to be considered by Boards, chief executives and senior management in Australian public sector organisations and for business activities. Many services delivered by government organisations are critical to the economic and social well-being of our society - a failure to deliver these could have very significant consequences for those concerned.

There are sufficient examples in the public sector to demonstrate the unlikely can, and does, happen - usually when we least expect it. Often these events are outside the direct control of the organisation, but this does not mean you should not plan for their impact.

The following incidents provide compelling reasons for business continuity to be taken seriously:

- severe hailstorms in Sydney, NSW, (1999) - damage to many government and business buildings and meant emergency measures had to be taken to relocate operations while continuing to provide a service to their clients,
- the Victorian gas crisis (1999) - following an explosion at a gas production facility, the entire State faced weeks without gas supplies and the costs to business and government were estimated in the billions of dollars,
- Brisbane, Queensland and Auckland, New Zealand, power outages (1998) - following generator and grid failures, the cities were without electricity - government and business alike had to operate in a city without reliable power supplies for an extended period,
- fires at the Bankstown Council, NSW, (1997) and Knox Council, VIC, (1994) - in which the council chambers were burnt down and vital records as well as IT were lost, and
- Jolimont Centre incident, Canberra, ACT (1993) - following a siege and fire, the then Commonwealth Department of Industrial Relations was forced to relocate about 400 staff and the supporting infrastructure.

The range, source and impact of risk to which an organisation is exposed in today's business world demand that business continuity has to rank highly for ongoing management attention. Indeed, it should be an integral element of the organisation's risk planning strategy.

P.J. Barrett
Auditor-General
January 2000

Contents

Overview of this Guide

1. Continuity and risk concepts
- Introduction
- Business continuity management
- Risk management

2. The business continuity process
- Overview of the business continuity process
- Project initiation
- Key business processes identification
- Business impact analysis (BIA)
- Design continuity treatments
- Implement continuity treatments
- Test and maintain the plan

Appendices

Overview of this Guide

This Guide has been prepared primarily for the people involved in a business continuity project - from individual team members through to the Chief Executive and Board. Each participant plays an important role and has an array of responsibilities in ensuring the success of the project and continuing validity of the plan.

Successful business continuity management relies on the expertise from within the organisation - it is the people that understand the organisation - its business, processes and business risks. However, the Guide does not assume everyone is an expert in the field of risk management so describes each phase of business continuity against an accepted, generic risk management framework.

Each risk, depending on its nature, will have a greater or lesser chance of occurrence (likelihood) and a greater or lesser business impact on the organisation (consequence). The business impact of each risk will also vary according to its nature - for a particular risk event there may be, for example, a financial consequence, a legal consequence, a staff safety consequence, and a business interruption consequence.

Organisations, through a structured, systematic process attempt to manage all significant business risks pro-actively, by implementing appropriate preventative controls and other risk treatments. This risk management process is designed to reduce the residual risk of an event - in terms of its likelihood of occurrence and/or its consequences, to an acceptable level.

However, preventative controls and other pro-active treatments are no guarantee that risk events will not occur, that is, they cannot entirely eliminate their likelihood of occurrence. Therefore, for effective risk management it is equally important that organisations design controls that are implemented once a risk event has occurred.

Business continuity management is an integral part of the risk management framework within an organisation. All organisations face a variety of risks. These may be sourced externally, and therefore largely out of the immediate control of the organisation, or internally. Internal risks arise both at the strategic (organisation-wide) level and at the operational (business process) level.

The design (and therefore cost) of such corrective controls and treatments will need to take into account assessments of the pro-active controls and the residual risk levels. The key question is how much time, effort and resources need to be invested in corrective controls - in preparing for an eventuality that may never occur.

This Guide has been designed to assist organisations answer this question for those risk events that have a business interruption consequence of a nature and impact that warrants effective management action.

The underlying approach adopted in this Guide is to start from the point that a risk event has occurred which has interrupted business operations - that is, assuming a worst case scenario where all processes and resources are not available. In this context the cause or nature of the actual risk events are not considered to be the drivers for management action. It is the business interruption consequence that mainly determines the process.

This bottom-up approach complements the 'top down' approach inherent in the over-arching risk management process. It ensures completeness of consideration of all consequences arising from a business interruption risk event. It also ensures pro-active and corrective controls are complementary and should allow organisations, for example, to achieve a cost-effective compromise between preparedness for the worst case scenario and the likelihood of such a scenario ever arising.

The Guide is divided into two major parts - the first part deals with business continuity management concepts in a risk management context; the second part identifies the processes and procedures required to be undertaken to produce a business continuity plan.

A number of supporting pro-forma schedules, working papers and questionnaires have been prepared to facilitate the overall process described in the Guide. These are contained in the Business Continuity Workbook that accompanies this Guide.

Part One
Continuity and risk concepts

- Introduction
- Business continuity management
  - Objective
  - Outputs
  - Underlying approach
  - Terminology
- Risk management
  - Overview of the risk management process
  - Step one: establish context
  - Step two: identify and assess risks
    - Risk identification
    - Risk analysis
    - Risk treatment design
  - Step three: implement treatments
  - Step four: monitor and review

Introduction

An organisation's business strategies and decisions are based on an assumption of the business continuing. An event that violates this assumption is a significant occurrence in the life of an organisation, impinging directly on its ability to fulfil its business objectives and the livelihood of those involved.

Among other things, risk management is about putting in place treatments that seek to prevent business interruption events (outages) from occurring in the first place. It also encompasses establishing appropriate responses (treatments) should such an event occur.

Business continuity management is therefore that part of risk management that establishes cost-effective treatments should an outage occur. As such, it deals with actual events - a risk event which has occurred - and the action required to respond to the event. To this extent, it complements the overall risk management process which deals foremost with possibility of occurrence of risk events (including outages) that may occur, and the analysis and pro-active treatment of such events.

This section of the Guide outlines the risk management process and discusses how business continuity management fits within this process. It is not intended to cover all aspects of risk management. Instead, the Guide will focus on those parts of the process where business continuity risks should be specifically addressed.

However, before dealing with the risk management process, the Guide introduces a number of key business continuity concepts. It is important that readers of the Guide familiarise themselves with these concepts and in particular, the terminology used, before embarking on the business continuity management process.

Part Two of this Guide takes the reader through the detailed steps for the business continuity management process.

Business continuity means maintaining the uninterrupted availability of all key business resources required to support essential business activities.

Business continuity management

Objective

The objective of business continuity management is to ensure the uninterrupted availability of all key business resources required to support essential (or critical) business activities.

This holistic view of business continuity management differs from what many managers traditionally term Disaster Recovery Planning which has been closely, if not solely, associated with information technology. In changing the focus, the emphasis is placed on the whole business, not just on technology issues alone. This reinforces the concept of continuity of all key processes, extending beyond information technology systems, important though they are in modern business.

Outputs

The main output from the business continuity management process is a Business Continuity Plan (BCP). The BCP comprises many elements which, collectively, define the approach to dealing with a break in business continuity, and which prescribes the steps an organisation should take to recover lost business functions.

Amongst other matters, the BCP will bring together the:

- service area Contingency Plans,
- Disaster Recovery Plan (DRP), and
- Business Resumption Plan (BRP).

The business continuity management process and the BCP need to bring together all such elements to ensure they adequately address the organisation's business interruption risks.

There are probably already some parts of the BCP the organisation has in place as part of its normal business operations. They include:

- IT disaster recovery plans,
- emergency response procedures,
- off-site of records,
- backup and recovery procedures,
- evacuation plans,
- communications strategies, and
- media liaison strategies.

Alone these do not constitute a complete BCP, but are important elements of a robust continuity plan.

The difference between business continuity and disaster recovery is not a what but a whose. Business continuity now appears on the boardroom agenda, but there was a time when disaster recovery was relegated to one corner of the computer room. Planning for business continuity should be a top-level concern for enterprises, considering the potentially devastating financial and organizational impact of a disaster.
An Introduction to Business Continuity Planning, InSide GartnerGroup This Week (IGG), C. Gooding, January 8, 1997. GartnerGroup, 1999.

In the business continuity management process it is important to consider what plans are already in place, so effort is not wasted.

Underlying approach

The BCP is initiated when a risk event occurs that has a business interruption consequence. The business interruptions that are of concern from a continuity viewpoint are referred to as outages. These events will cause a significant disruption to, or loss of, key business processes. It follows that such events will have a high impact on, and severe consequences for, the organisation.

Outages need to be distinguished from other business interruptions such as those arising from systems downtime or failures that may occur as a part of normal operations - such as a brief loss of a communications link which needs to be re-established with a service provider.

The concept of an outage has a time dimension as well as a business process dimension. The business continuity management process includes establishing the maximum periods for which each function can be disrupted or lost altogether, before it threatens the achievement of organisational objectives.

The analysis of the impact of an outage focuses on consequences. It is not concerned with the likelihood or cause of occurrence, as they are not elements of the BCP. Matters of likelihood and cause should already have been addressed as part of the top down risk management process and preventative controls should already have been established to reduce the likelihood and consequences of all risk events (including business interruption events) to levels that are acceptable to management.

The bottom-up approach to business continuity management complements the top down approach adopted for overall risk management by asking 'what happens if the controls fail?'. It puts in place planned, coordinated responses which escalate according to the nature of the outage. This extends to a complete loss of all business processes and resources, referred to as a disaster.

While disasters thankfully are an extremely rare occurrence in the life of most organisations, the consequence (or business impact) analysis assumes that a disaster can occur. This worst case scenario modelling will ensure that all impacts arising from an outage are considered regardless of the likelihood of occurrence.

As discussed above, consideration of causes and sources of threats is not part of the BCP. It is important that continuity plans are not developed solely from this perspective as it is unlikely organisations will be able to identify all possible causes of outages or the source of all threats. In the past, many plans have failed as they have confined themselves to one type of outage based on a limited threat analysis - usually a physical disruption.

What is the maximum time the business can survive without key business functions before the BCP must be initiated and recovery procedures must commence?

Terminology

The above discussion introduced a number of key terms and concepts. The following table summarises these terms and their meanings for ease of reference and understanding.

Concept: Outage
Key points: extraordinary event; loss of key business processes; high impact
Description: An outage is an extraordinary event, causing a disruption to, or loss of, key business processes, which has a high impact on the organisation. This is distinct from downtime or systems failures that may occur as a part of normal operations where the impact simply reduces the effective utility of processes in the short term.
Examples/Comments: During an outage parts of the Business Continuity Plan (BCP) may be activated in order to deal with the situation. The full activation of a plan (ie. for a total disaster) must be defined for each plan during the plan development phase. In a self-funding organisation, a key business process would be a billing system as the organisation depends on cash flow for its survival. In a budget-funded organisation that pays benefits, a key business process may be a benefits payments system that is essential to servicing client needs.

Concept: Maximum Acceptable Outage (MAO)
Key points: threat to achieving business objectives
Description: The MAO is the time it will take before an outage threatens an organisation achieving its business objectives. The MAO defines the maximum time an organisation can survive without key business functions before business continuity plans and recovery procedures must commence.
Examples/Comments: A disaster is used in this Guide to mean an event that leads to a business interruption that will extend beyond the period specified for an MAO.

Concept: Business Impact Analysis (BIA)
Key points: key business processes; recovery priority
Description: The BIA is undertaken for all key business processes and establishes the recovery priorities, should those processes be disrupted or lost.
Examples/Comments: Key business processes should have been identified as part of other business planning or risk management processes. If this has not been done, the BIA will need to do so.

Concept: Key business processes
Key points: business activities and resources
Description: Key business processes are those processes essential to delivery of outputs and achievement of business objectives. Business activities and resources are the essential elements that combine to make up each key business process. Loss of a key business process in excess of the MAO is a business interruption event.

Concept: Business activities
Description: A business activity is a series of actions combining to produce an identifiable output and/or result.
Examples/Comments: The billing process may require customer sales information, a system to record information and calculate and print invoices, and registry or mail system to send invoices and receive remittances. A benefits payments process may rely on staff to interview clients and fill in forms; entering that information on a computer system; periodic payments to bank accounts; and include an inquiry facility to follow-up on discrepancies.

Concept: Resources
Description: Resources are the means that support delivery of an identifiable output and/or result. Resources may be money, physical assets or, most importantly, people. Without resources, activities (and therefore business processes) would simply not occur.
Examples/Comments: The customer billing system relies on people to undertake procedures; operate computer systems; produce information; office supplies for preparing and mailing the invoices; buildings and power to house the people; and computers. A benefits payments system relies on people, computers, office supplies, building and power and also on having sufficient funds available to make payments when due.

Concept: Procedures
Description: Procedures are the steps undertaken by an individual to achieve a result. Identification of these procedures is important in continuity planning as it is these steps which will need to be recreated or redesigned to be used during an outage.
Examples/Comments: Customer billing and benefits payments may rely on a series of steps to ensure information is correct prior to bills being issued or benefits paid. If an outage causes the loss of the computer system supporting these validations, alternate processes may need to be developed to ensure continuity of that business function.

Concept: Risk event
Description: A non-trivial event that affects the ability of an organisation to achieve its business objectives.
Examples/Comments: Risk events may be considered in terms of their causes, likelihood and impacts.

Concept: Business interruption event
Description: A risk event that has a business interruption consequence.
Examples/Comments: Business interruption events are outages and other operational events that do not affect business continuity.

Risk management

Overview of the risk management process

The risk management process generally used in Australia today and as espoused in the MAB/MIAC Guidelines for Managing Risk in the Australian Public Sector [1], is modelled on the Australian/New Zealand Standard AS/NZS 4360:1999 'Risk Management'.

[1] MAB/MIAC Report No. 22, Guidelines for Managing Risk in the Australian Public Service, October 1996.

The Standard proposes a logical and systematic methodology for identifying, analysing, assessing, treating and monitoring risks. In this context, risks may be considered as events that will, should they occur, impact on the achievement of organisational objectives.

While risk is generally considered in a negative light, that is, as having an adverse impact, the Standard contemplates not only events that may lead to loss or harm, but also those that may lead to gain or advantage.

A business continuity event (described as an 'outage' in this Guide) is an adverse risk event. The main objective of managing such events is to prevent them from occurring in the first place, where it is both within the control of the organisation and where it is cost-effective to do so. Treatments designed to prevent risk events occurring are commonly referred to as preventative controls. However, even the best-designed controls can break down in operation and an outage may occur.

In addition, certain risk events may be outside the control of the organisation (referred to as external risks). This is particularly the case in relation to natural (eg. fire, flood), political (eg. change of government policy, changes to legislation), and economic (eg. financial market collapses, economic downturn) events.

The main objective, when any risk event (including an outage) becomes a reality, is to have in place treatments that will mitigate the business impact of the event. In the case of an outage, the preferred outcome is to maintain the continuity of service.

A comprehensive approach to risk management will therefore consider risk treatments both proactively - by designing and implementing controls to prevent risk events occurring - and reactively - by mitigating the consequences of such events, should they actually occur.

This philosophy can be best summed up as 'plan for the best but be prepared for the worst'. In practice, this requires risk managers to undertake an analysis of risks and risk treatments from the top down - starting with possible risk events and designing controls - and from the bottom up - assuming a risk event has occurred and preparing appropriate contingency plans. These approaches are complementary and should be undertaken in parallel, using the process described in the Risk Management Standard.

Figure 1 outlines a risk management process developed from the Standard which is relevant to business continuity management. There are four major steps in this process:

- establish the organisational context,
- identify and assess risks and design treatments,
- implement risk treatments, and
- monitor and review risks and treatments.

Figure 1: Overview of risk management process

1. Establish context: determine key business objectives, processes and resources.
2. Identify and assess risks: identify, analyse, rate and prioritise risks; evaluate design of existing controls and treatments; redesign controls and treatments if necessary.
3. Implement treatments: establish plan; implement controls and other treatments.
4. Monitor and review: review operation of controls and continuing suitability of other treatments; review risk assessments.

Business continuity management is an integral part of this process. The remainder of this section deals with those aspects of the risk management process that relate directly to business continuity. Each step is examined in turn.

Step one: establish context

Risk management is undertaken at both the strategic (organisation-wide) and operational (business process) levels of an organisation. The Risk Management Standard discusses the need to first establish the organisational and risk management context (Figure 2) in order to create a framework within which the process is carried out.

In particular, the organisational objectives must be clearly defined, as well as the functions, activities and related resources that are to be subject to risk assessment. This step enables organisations to determine which are the key business processes so that they may focus and prioritise their risk management efforts.

Figure 2: Establishing the organisational context
[Diagram labels: Organisational objectives; Output group; Key business process; Business process; Business support process]
Organisations should identify their key business processes and business support processes by relating them to their overall objectives, outcomes and outputs. The activities and resources attributable to these critical processes should be afforded the highest priority in undertaking risk assessments.

Link with business continuity management

The first step toward developing a business continuity plan is to undertake a business impact analysis. This analysis defines the maximum acceptable outage for each key business process and sets the recovery priorities for the activities and resources underlying them.

Key business processes may have been identified earlier during an overall risk management project. These become an input to the business impact analysis.

Step two: identify and assess risks

This phase of the risk management process requires organisations to:

- identify all non-trivial business risks,
- assess those risks, and
- design treatments that reduce the risks to an acceptable level.

These aspects of the overall risk management process are highlighted in Figure 3.

Figure 3: Outline of the risk assessment phase of the risk management process
[Flowchart. Stages: Identify; Analyse; Evaluate; Treat; Document. Boxes: Determine possible risk events using risk framework; Determine likelihood and consequence without control; Determine risk level and compare with acceptable risk; Acceptable? (Yes/No); Evaluate design of existing controls and treatments; Determine likelihood and consequences with control; Determine risk level and compare with acceptable risk; Acceptable? (Yes/No); Redesign controls and other treatments; Record in risk register]
Once risks have been identified, they are analysed in terms of their likelihood and consequences. The diagram illustrates a two-step approach which analyses risk before and after consideration of controls.

Risk identification

Typically, organisations use a risk classification framework to ensure that all likely risks are identified. An example of such a framework is illustrated in Figure 4.

Figure 4: Risk classification framework

External risks

Economic/market:
- Competitive collusion
- Currency fluctuations
- Economic downturn

Technological:
- Internet 'spoofing', 'hacking'
- Telecommunications failure
- E-commerce causes a loss of market share

Political/regulatory:
- Change of government policy
- New legislation
- Changes to administrative arrangements

Environmental/natural:
- Fire
- Flood
- Earthquake
- Cyclone

Internal risks

Strategic:
- Wrong direction
- Structural mis-fit
- Staff alignment with vision
- Staff capability/skills gaps
- Inadequate capital base
- Product/service design

Operational:
- Failure to meet output targets for time, cost, quantity or quality
- Unauthorised access to/disclosure of sensitive information
- Incorrect information used to formulate policy advice
- OH&S issues - accidents, unsafe work practices
- Negligent mis-representation
- Breaches of law/regulations
- Information system failure
- Employee fraud

Risks may arise both from external sources and internally - emanating from within the organisation and arising from its strategic and operational processes.

Each risk event may have a number of consequences that will impinge on an organisation's ability to achieve its business objectives. The next step in the risk assessment phase is to analyse these impacts and determine the likelihood of occurrence so that a risk level can be established for each risk.

Risk analysis

The objective of this analysis is to separate the risks identified in the previous step into minor (acceptable) risks and major (unacceptable) risks. This is achieved by comparing the risk level to pre-determined criteria of acceptability.

There are a number of approaches to risk analysis that may involve quantitative, qualitative or semi-quantitative evaluation. For whatever approach is adopted, the likelihood and consequences of each risk event are determined and the combination of these two evaluations provides the risk level.

It is common practice in this step to undertake a first pass review of all risks prior to considering existing controls and other risk treatments, to eliminate trivial and minor risks from further, detailed consideration.

Links with business continuity management

The consequences (business impacts) in a business continuity management context relate to business interruption (outage). In analysing identified risk events, management should consider whether each event could interrupt the normal course of business operations. Events which have a direct, detrimental effect on an organisation's resources (staff, facilities, telecommunications, information systems) such as fire, power supply failure and fraud, are likely to have some business interruption consequences.

The analysis of consequences involves establishing evaluation criteria to guide management in forming a view on how significant a particular event is to the business. This is usually undertaken by establishing criteria on an escalating scale against impact areas. To aid in completeness of the analysis, these impact areas may be categorised as outputs, resources, reputation, compliance and business interruption.

For a risk event that has a business interruption consequence, the relevant evaluation criterion is the duration of the business interruption.

In the business continuity management process, a maximum acceptable outage is established for each key business process and resource. Where a risk event is likely to cause a business interruption that will exceed the time limits defined in the maximum acceptable outage, this is an extreme consequence and accordingly would receive the highest rating. Figure 5 illustrates the risk analysis process for risk events that have a business interruption consequence.

Whereas the likelihood of a risk event occurring is not part of the Business Continuity Plan, it is relevant at this stage when determining pro-active treatments and controls. The more likely an event is to occur, which will also have a major or severe impact, the more cost-effective preventative controls will need to be.
22
Guide to Effective Control
Guide to Effective Control
Figure 5: Consequence analysis of events with business interruption impacts
As part of the risk assessment process, a benefits payment service organisation identifies the unintentional deletion by its employees of client information as a risk event. Without this information it is unable to process new client applications, variations to client details, or pay its clients. It has a fortnightly payment cycle.
This event is recorded on an analysis sheet (extract below) and the various business impacts noted.
Benefits Payment Business Process (extract)
Business objective: pay benefits to bona fide clients only, on time and for the correct amount.
Analyse consequence of risk events (without considering controls)
Business impact of event occurring
Risk events Oututs |csouccs |cutat|o Business C||cts/
Interruption sta'c'o|ocs Co||acc |at|
Internal Risks
Operational processes
Incorrect |o |act
classif ication
of client
benef it type
Unintentional |ocs ot |ta sta|| \||| cou|c |||u |ou 'ao|c to |o |act 5 - |tcc
deletion of ac'|cvc ao |||stc|a| .cc's to occss c||ct
Client Master t|c||css cosu|tats c|aat|o ccostuct |||c acts
File records ||| o| 99 costs to ao ||'c| to |o ac
by staff acts ccovc |cao to ccoos
o t|c |ost oata oucst|os
cst|atco | t'c
to oc |a||act
$500,000
Intentional As aoovc
deletion of
Client Master
File records
Employee fraud |o |act
bogus client
created
The risk event highlighted above forms a part of the internal risks to the organisation and relates to its operational processes. A number of other business impacts have been identified for this event in addition to the business interruption impact. The overall impact has been rated as extreme for this event. The consequence rating was determined by reference to the following evaluation criteria.
Consequence evaluation criteria by impact area
|at| Oututs |csouccs) |cutat|o Business C||cts/
Interruption sta'c'o|ocs Co||acc
5 |tcc ~10 c cct |cat' o| |oa| ~2 .cc's |cat' o| |cac' o|
va|acc |o c|occ Co|ss|o (|c. ~ |AO) c||ct Cost|tut|o
||| tacts ~$10 ||||o
'|oss'
- |a,o 1 2 .cc's
3 |oocatc 1 .cc'
2 ||o 1 oa
1 |c|||o|c |oc
The Maximum Acceptable Outage (MAO) for this information resource and business process was set at two weeks (Part Two of the Guide discusses how a MAO is set). The estimated time to reconstruct client records exceeds this duration; accordingly, for this criterion an Extreme rating applies. Note that while other impacts for the event may achieve a lower rating, the highest rating overall should be used in the risk assessment process.
Risk treatment design
The final part of risk assessment is to design appropriate risk treatments. The treatment options available to an organisation range from accepting the risk (where it cannot otherwise be cost-effectively managed) to controlling the risk, and to transferring the risk.
In a two-stage approach to risk analysis, the risk level is first determined for all risks, which are then categorised between minor and major, before considering existing controls and treatments. The major risks are then evaluated in the context of existing controls and other risk treatments.
Where the risk level remains unacceptable, notwithstanding existing controls and treatments, it is incumbent on management to design new controls or to consider other treatment options.
Links with business continuity management
Controls established by management to treat risks can be defined either as preventative (stop the risk event from occurring in the first place) or corrective (detect the risk event when it occurs and respond accordingly). Preventative controls operate primarily to reduce the likelihood of occurrence of a risk event, whereas corrective controls operate primarily to minimise the consequences once a risk event has occurred.
An example of a preventative control is the use of passwords to gain access to the information systems of an organisation. If correctly implemented, this control will prevent unauthorised access.
An example of a corrective control is the review of a computer log of access attempts. If correctly implemented, this should detect any unauthorised access and highlight what information, if any, was altered.
In a business continuity management context, the organisation starts from the assumption that the preventative controls have failed, or there were no preventative controls in place, and a business interruption occurs. The organisation needs to respond to such events in proportion to their significance; matters of likelihood and root cause are therefore no longer relevant.
The organisation will need to determine what must be done, by whom, and at what time after a risk event has occurred that would otherwise lead to the organisation's resources or processes being adversely affected for a period in excess of the maximum acceptable outage.
It will also have to determine what needs to be done in advance of an outage so that its consequences can be mitigated. For example, most organisations institute back-up and recovery procedures for the information stored on their computer systems. In the event that there is a loss of data, the consequences are reduced to the extent of the gap between the data set that was lost and the last saved version of that data set.
Step three: implement treatments
This step of the risk management process requires organisations to establish a plan for implementing any new treatments, additional controls or modifications to existing controls arising from the risk assessment phase. It must then ensure that the implementation plan is executed by establishing responsibility and timeframes for any actions required and accountability for outcomes.
The Risk Management Standard recommends the following minimum documentation (see note 2):
- who has overall responsibility for the implementation of the plan,
- what resources are to be utilised,
- budget allocation,
- timetable for implementation, and
- details of mechanisms and frequency of review of compliance with treatment plan.
2 AS/|Z -360.1999 ||s' |aacct, scc Aco| |
Links with business continuity management
The Business Continuity Plan is a risk treatment. It is not the implementation plan referred to above. The implementation plan should include the need to establish a BCP if one does not already exist.
If the risk assessment process has functioned effectively, it will have identified controls and treatments that reduce the likelihood and consequences of all risk events, including business interruption events, to an acceptable level.
The BCP is a corrective control that is activated only after a business interruption has occurred.
Step four: monitor and review
The objective of the final step in the risk management process is to monitor risks and the effectiveness of controls over time to ensure changing circumstances do not alter risk priorities or weaken the operation of controls. Many organisations integrate risk assessment into their corporate and annual business planning processes. This ensures regular, periodic review of both strategic and operational risks.
Review of controls, to ensure they operate as management intended, has traditionally been the major role of the internal audit function. However, the major drawback is that it may lead operational managers to conclude that internal audit, not the operational manager, is responsible for the system of control.
To counteract this view, many organisations have implemented Corporate Governance programs that highlight managers' responsibilities for controls (see note 3).
The use of control 'sign-offs' and the introduction of control self-assessment are two useful initiatives in this area.
3 The ANAO has published two Better Practice Guides discussing corporate governance and control relevant to this issue: Better Practice Guide to Effective Control: Controlling Performance and Outcomes, 19 and Corporate Governance in Commonwealth Authorities and Companies, 1999.
Links with business continuity management
As with any other control, the BCP needs to be monitored and reviewed for effectiveness. This requires that it be tested regularly. It also requires that the impact of organisational changes or any other changes to circumstances be considered to ensure the plan maintains its currency.
Part Two
The business continuity process
Overview of the business continuity process
Step one: Project initiation
Step two: Key business processes identification
- Establish key business processes
- Rank key business processes
- Determine activities that constitute each process
- Match resources to activities
Step three: Business impact analysis (BIA)
- Analysis of operational and financial impacts
Step four: Design continuity treatments
- Identify and evaluate treatment options
- Select alternate activities and resources
Step five: Implement continuity treatments
- Implement preparatory controls
- Prepare the Business Continuity Plan (BCP)
Step six: Test and maintain the plan
- Test the plan
- Maintain the plan
Overview of the business continuity process
Given their close inter-relationship, it is recommended that a BCP be developed in conjunction with the Risk Management Plan for the organisation.
This Part of the Guide deals with the steps required to produce the BCP and what needs to be done to ensure that it is properly maintained. There is a high degree of commonality between the steps described herein and those discussed in Part One, further reinforcing the need to undertake these steps as part of an overall risk management process. The similarity in steps also serves to highlight that it is not the process so much that differs in constructing a BCP but the underlying approach.
The steps in the business continuity management process are:
- initiate the project,
- identify key business processes,
- undertake a business impact analysis,
- design treatments,
- formulate a BCP, and
- test and maintain the BCP.
These steps are illustrated in Figure 6 and each step is discussed in detail in the remainder of this Part.
As discussed in Part One of this Guide, business continuity management is an integral part of total risk management. The top down approach to risk management, which starts with business objectives and identifies risks, is complemented by the bottom up approach to business continuity, which starts with identification of resources and processes being affected by an outage.
Figure 6: Overview of the business continuity management process
Soucc. |c|o|ttc !ouc'c !o'atsu |otcc'/||S |ct'ooo|o, 1999
Step one: project initiation
A plan should be prepared documenting the objectives, scope, and boundaries of the business continuity planning project. The manager, or management committee, responsible for the project should approve the plan, including a budget. The plan need not be overly large or detailed, but needs to reflect the size and complexity of business continuity issues in the organisation.
Team roles and responsibilities should also be established, and relevant reference material or existing documentation collected at this stage.
Like most plans, the business continuity project plan should:
- continue to develop during the life of the project as more about the organisation and its risks is learned,
- be prepared by managers who understand the business and be approved prior to the commencement of work, and
- reflect the organisation's approach to risk management.
Checklist for the development of a business continuity project plan
- Document the project's objectives
- Define and document the project's scope and any limitations
- Explain any assumptions made
- Assign responsibility for project tasks
- Present the budget, including staff resources, required for the project
- Set project timeframes and deliverables for tasks
- Plan is formally approved by Chief Executive and/or appropriate management committee
Case study
Ensuring the business continuity planning project was well-focussed and understood by all participants, a public statutory body developed a requirement specification document to outline the scope, tasks, deliverables and assistance for the project.
An example of this plan is in the Workbook at Step one (p. 6).
[Diagram for step one, with boxes: Executive commitment and involvement; Document objectives, scope and boundaries; Establish management committee; Establish budget and timetable; Project plan.]
Soucc. |c|o|ttc !ouc'c !o'atsu |otcc'/||S |ct'ooo|o, 1999
[Diagram for step two, with boxes: Project plan; Identify key business objectives; Identify key business outputs; Align business processes with outputs; Understand key activities, resources and dependencies.]
Step two: key business processes identification
The primary input to the Business Impact Analysis (BIA) in step three is a list which ranks the key business processes of the organisation, that is, those processes essential to the delivery of outputs and achieving business objectives.
Each key process is defined in terms of the activities undertaken and the resources consumed by those activities. A structured approach to this step requires organisations to:
- establish and rank key business processes,
- map activities undertaken within each process, and
- match resources to activities.
Establish key business processes
It is important, in preparation for the BIA, that management has a clear and agreed understanding of the organisation's business objectives and outputs, and the key business processes which ensure these objectives are met and outputs are achieved.
Good starting points to achieve this understanding are high-level planning documents such as corporate plans, business plans and operational plans. These plans should have already documented the organisation's business objectives and assessments of strategic and operational risks.
To assist in achieving consistency in terminology and common agreement in process definition, organisations may wish to utilise a business process classification scheme. Such schemes provide generic categorisations of business processes common to most organisations.
An example of such a scheme, applied to the public sector, is provided in Figure 7. This diagram outlines the 'mega' business processes categorised between strategic, operational and support processes. Within each mega process are a number of major business processes.
For example:
- Strategic processes: Monitor and review would include internal audit, control and risk self-assessment, quality management programs, and program evaluation processes,
- Operational processes: Develop services could include designing application forms for grants or establishing a call centre, Sell services could include processing client applications or claims, Deliver services could include formulation and provision of policy advice, and Monitor services could include grant acquittal processing, and
- Support processes: Financial resource management includes purchasing and payments, payroll, costing, and budgeting and forecasting.
[Diagram label: Key activity and resource schedule]
Figure 7: Example of a process classification scheme for Government organisations
Strategic processes: Understand stakeholders and clients; Develop objectives, outputs and outcomes; Define structure, processes and resource needs; Monitor and review
Operating processes: Design services; Sell services; Deliver services; Monitor services
Support processes: Financial resource management; Human resource management; Information resource management; Physical resource management
!'|s sc'cc |s oasco o t'c ''|vcsa| |occss C|ass|||cat|o Sc'cc' |o t'c |vatc sccto ocvc|oco o t'c Ac|ca
|oouct|v|t ao ua||t Cctc | co,uct|o .|t' At'u Aocsc, |||, ||C ao co.
Rank key business processes
The key business processes need to be ranked in order of their importance to the organisation. This ranking should reflect the importance of the business process to achieving business objectives and delivering outputs. The ranking of key business processes may consider such issues as:
- failure to meet statutory obligations for service delivery,
- failure to meet key stakeholder expectations,
- loss of cash flows essential to business operations, and
- degree of dependence on business processes by internal business units or clients.
To obtain the ranking, it is important that the concerns of executive and senior management are obtained regarding business priorities and continuity issues. The use of structured interviews and/or facilitated group meetings are recommended tools for gathering this information.
In a small organisation it may be possible to gather this information from one group meeting. This has the added advantage of ensuring participants are aware of all organisational priorities and can agree on the ranking of key processes, together with their corresponding activities and resources.
In a large organisation it will generally be necessary to conduct a series of interviews or facilitated group sessions. In either event, it is important that the information collected through these approaches is reported back to the participants for their confirmation.
Determine activities that constitute each process
The business activities supporting key business processes then need to be identified. These are the activities that produce an output for the key business process.
These may be the activities of a single operational area in the organisation, or may be the activities of a number of operational areas, which combine to produce the output.
A thorough understanding of activities is essential to identify such inter-dependencies. Some activities may rely on the outputs from other activities from within the organisation (commonly referred to as enabling outputs), or even from outside the organisation. For example, e-business solutions rely not only on the internal network but also on the Internet Service Provider.
To gain the necessary level of understanding of activities and inter-dependencies, it is important to meet with operational and support area managers to discuss their own understanding of the activities. This may be supplemented by reference to process maps and other systems documentation obtained from procedure manuals or internal audit.
Match resources to activities
The resources necessary for delivery of the key business processes also need to be identified. These are the resources required by the operational areas to support the activities that deliver the outputs or results. Without these resources, the business processes would not achieve their goals. Some resources to consider are:
- people: both the organisation's staff and people external to the organisation which may be critical to the success of the activity,
- infrastructure: buildings and other property used by the organisation to deliver its services and produce its outputs,
- assets and supplies: equipment and consumables which are used by the people and the processes as part of the activity, and
- finance: some activities require money to be available to make payments on time.
Checklist to ensure all key business processes, activities and resources are identified
- Document and confirm organisational objectives and outputs
- List key business processes that underpin achievement of objectives and delivery of outputs
- Review the functional organisation chart to identify general areas of operational responsibility
- Interview managers responsible for key business processes to confirm understanding of activities (complex organisation only)
- Document the activities and resources essential to each key business process
- Formally communicate the list of key business processes and supporting activities and resources to the project steering committee
Example: interdependent activities and resources
A customer fault repair activity of a utility had a high business priority, given its impact on public image. The activity was dependent on a call centre as a customer interface and on the stores area for equipment. These areas were in turn dependent on the information technology infrastructure for customer detail, information transfer, progress tracking and stock level information.
Due to these interdependencies, the recovery timeframe for the call centre, stores and information technology were directly influenced by the recovery requirements of the fault repair activities.
Investigation of the stores turnover determined that the level of stock retained in the central and satellite stores was sufficient to continue activities for up to a week. This information resulted in a lower recovery priority for the stores activities and associated information technology processes.
Soucc. |c|o|ttc !ouc'c !o'atsu |otcc'/||S |ct'ooo|o, 1999
Step three: business impact analysis (BIA)
In this step the information collated includes:
- documentation of key business processes,
- identification of the activities and resources critical to the key business processes,
- interdependencies within and between activities and resources, and
- a priority ranking of the processes, activities and resources which represents the organisation's agreed view.
This information must be analysed, and the operational and financial impacts that would result from disruptions to, or loss of, a business process assessed. From this, the maximum acceptable outage can be determined for the critical processes and resources. That is, how long can the key business process survive without the critical activity and/or resource before it will have a detrimental effect.
Analysis of operational and financial impacts
A series of business impact analysis interviews with the managers responsible for critical activities and resources will be the quickest way to undertake the analysis.
The analysis should be based on an outage in which all activities and resources (including the actual work place) are not available. Assuming the worst case outcome (total loss of the process and/or resources) will ensure all impacts arising from an outage are considered regardless of the risk likelihood, at least in the first instance.
An approach founded on risk likelihood will fail to propose a treatment for highly unlikely events, despite their impact. For example, not to have a plan in place to relocate operations or recover from the loss of a building because 'that will never happen' will leave the organisation floundering, possibly leading to its demise, should the 'impossible' happen.
This aspect of risk management is about coping with events that are less likely, and have a major impact. Most effort in risk management, and justifiably so, is put into addressing risks with high likelihood and high impact; risk management models and methodologies devise and implement controls (or treatments) to eliminate or reduce the effect of these risks.
Where an event is unlikely, yet its impact is significant, it may not be feasible to treat the risk, but it is folly to ignore the risk. Treatments for each event need to be determined.
[Diagram for step three, with boxes: Key activity and resource schedule; Identify key personnel; Schedule and conduct interviews; Document concerns, priorities and expectations; Determine MAO; Maximum Acceptable Outage Schedule.]
"The real purpose of a business impact analysis is to identify those systems that when absent would create a danger to the enterprise's survival and to ensure those systems receive the correct priority in the subsequent business continuity plan."
Business Continuity Planning: Creating a Business Impact Analysis, InSide GartnerGroup This Week (IGG), January 15, 1997, C. Gooding. GartnerGroup 1999
The following checklist summarises the steps to be undertaken to complete the analysis and determine a maximum acceptable outage for each key activity and resource. Each step in the checklist is supported by guidance and schedules contained in the Business Impact Analysis (BIA) questionnaire which is in the Workbook (p.11) that accompanies this Guide.
Checklist for analysing each key business process
Evaluate the impacts of a loss of the process from the perspective of the organisation's budget and outcomes and outputs. Consider:
- loss of revenue/increased expense
- service delivery standards
- public or political embarrassment
- loss of client confidence
- loss of management control
- financial misstatement
- regulatory, statutory or contractual liability
- specific/unique vulnerabilities, and
- political ramifications
Identify the critical success factors that ensure the process meets the organisation's objectives
Identify additional expenses incurred if activities are performed manually or in a substitute manner during an outage
Identify interim processing procedures (alternative or manual processing) techniques to be adopted during the recovery phase
Estimate the time it will take to overcome the backlog of work accumulated during the outage
Quantify the minimum resource requirements necessary to perform the activity
Identify the records vital to the recovery process
Evaluate the adequacy of current BCP in place
Soucc. |c|o|ttc !ouc'c !o'atsu |otcc'/||S |ct'ooo|o, 1999
Checkpoint: management sign-off
Obtain agreement from project committee/project sponsor and chief executive regarding the MAO for each key process, critical activity and resource
Case studies
Small organisation
A small statutory body with 20 staff conducted a single workshop to determine the impacts of a disruption. The general manager and senior representatives from each activity attended the 2-hour workshop.
A 'disruption scenario' was presented with each of the participants describing the impact to their area at various timeframes. The participants were able to build on each other's analysis and a very clear picture of the impacts, interdependencies and recovery priorities was produced.
Medium-sized organisation
A state government body with around 150 employees conducted a series of workshops. Four 2-hour workshops were held which included a senior representative from each activity as well as management from underlying processes.
Given that the activities and processes were complex, it was necessary to spend extra time to determine the impacts, interdependencies and recovery priorities. An important extra step was also needed in this process in that all responses had to be compared to responses from other activities in order to limit any bias between the separate workshops. This often means revisiting business units or getting feedback from senior management.
Large organisation
A series of Business Impact Analysis interviews were conducted for a large and complex listed company with over 2000 employees. Due to the organisation's size, each business unit was examined separately, and in some cases processes within that business unit were reviewed separately.
The first series of interviews provided an understanding of the impacts from a loss of key activities and the interdependencies between the business units. Further interviews were then conducted with senior management to confirm the recovery priorities and maximum acceptable outage timeframes from an overall organisational perspective.
As per the medium organisation example, this approach also aided in limiting any bias that may have arisen between business units/interviewees.
Step four: design continuity treatments
This step identifies the treatments to address, and to minimise the effects of, disruptions to each critical business process for which a MAO has been established.
The treatment analysis identifies the requirements to ensure the continued availability of critical processes and resources during outages. These requirements are based on the rankings agreed in the BIA and provide:
- the basis for specifying and selecting alternate and redundant capacity to reduce likelihood or impact of an outage, and
- recovery and restoration requirements to be used if an outage occurs.
Recommendations for each service area are made based on the treatment options selected and, where identified, recommendations for improvement in business process to be implemented.
As part of this process, a review of vital records management and backup and recovery procedures must be undertaken. This will ensure records and data can be reconstructed following a disaster. Appendix 6 discusses the approach to quality review of the BCP, which includes evaluating backup processing and off-site storage. Appendix 9 provides checklists for review of off-site backup procedures.
The outcome of the treatment analysis will form the basis of the business continuity plan.
Each phase of the treatment analysis is discussed in the following sections.
Identify and evaluate treatment options
For each of the key business processes identified and ranked in the BIA, there should be treatments that:
- reduce the exposure to, and impact of, loss of the processes and resources on which the functions rely, and
- implement alternate processes and resources to be used following an outage and plans to recover from the outage and restore normal operations.
Evaluating the options available to ensure the continuation of business will identify the alternate activities and resources to be used should an outage occur.
Variations to, or redesign of, existing activities and resources should be considered as a means of reducing the exposure to, or impact of, loss of a key business process.
In selecting alternate activities and/or resources, it is critical the following areas are addressed as part of the business continuity planning process in respect of each identified disruption, regardless of the organisation's objectives, size or complexity:
- people,
- facilities (including buildings and equipment),
- telecommunications,
- information systems, and
- business activities.
[Diagram for step four, with boxes: Maximum Acceptable Outage Schedule; Review existing controls; Identify and evaluate options; Select alternate activities and resources; Implement treatments; Risk Treatment Plan.]
For all critical activities and resources, it is necessary to identify other arrangements that may be used in their place, should they be lost. From those identified, alternate activities and/or resources are chosen which allow that part of the business to continue with minimal disruption.
Alternate activities and resources may be a combination of different services or redundant capacity retained just in case (eg. hot, or cold, computer sites).
Checklist for evaluating activity and resource alternatives
Document a brief description of each viable option
Determine other resources required and the costs for each option (this may require information from vendors)
Compare recovery options to MAO:
- Does the option meet the recovery needs?
- Does the option exceed our needs?
People
People are often overlooked as the most critical resource in ensuring continuity of business. The impact of an unexpected loss of key personnel, or a team, can have a significant impact on an organisation's business.
The impact of disruption on people should also be considered in isolation and as a resource that is interdependent with each of the areas below: facilities, telecommunications, information systems and business processes.
The business continuity plan needs to include treatments for people, which includes:
- approaches to communication,
- human resource issues, including short-term replacements and training,
- issues relating to the disaster event, and
- the psychological effects of the disruption on staff morale.
Soucc. |c|o|ttc !ouc'c !o'atsu |otcc'/||S |ct'ooo|o, 1999
Example: treatment options for people
Treatment Description
Succcss|o |as A csc|oco |a o| act|o to c|acc 'c sta||
s'ou|o t'c oc uava||ao|c. !'|s a |c|uoc
|oct||| understudies | t'c oa|sat|o o
acccts .|t' o|css|oa| cotact| acc|cs
o .|t' ot'c oa|sat|os to soucc oua||||co sta||
at s'ot ot|cc.
S'|||s aacct |as |o |oct|| |co uocstuo|cs, csuc 'c ||oat|o
ao t'c oa|sat|o's 'o.|coc |s s'aco so t'c
ca assuc a c. o|c .|t' as ||t t|c |cao-t|c |o
|ca| as oss|o|c.
|c cso |suacc |suc aa|st t'c | |ac|a| |act o| |oss o| 'c sta||.
!'|s aoac' a ccovc t'c costs assoc|atco
.|t' |oss o| 'c sta|| out |t |s o| a so|ut|o to
sto o| |oos| sta||oact|vc sta||
aacct act|ccs ac a|.as c|cao|c.
Facilities
The BCP should include treatments that concentrate on the most critical components of operations, usually people and their work environment. This segment addresses the physical environment (equipment and buildings) on which a business process depends.
Treatments should be developed for damage assessment, salvage and restoration of equipment and buildings. They should address the buildings in which the business process operates and the equipment and resources contained within those premises. The treatments should also aim to be developed to ensure timely restoration or relocation so the business process can be moved back to the restored premises or be relocated to new premises and continue essential business activities.
Arrangements and procedures for relocating facilities should be addressed. Additional issues to be addressed include:
- provision for backup processing services,
- agreements and activities required to transfer functions, and
- documented procedures to support business facility recovery and restoration.
Following a major disruption, facility recovery treatments aid the organisation in supplementary staffing, movement or relocation of staff, procedural and administrative changes, and site and infrastructure modifications.
Telecommunications
Communication is critical to continuity of business functions. The BCP should therefore include treatments that address recovery from loss or interruption of voice and data communications, both within and outside the organisation. In many organisations, voice networks are more critical than data networks.
Treatments that deal with communication loss can include:
- the human resource procedures and administration required to support the business function,
- vendor and carrier negotiations in which contractual or service level agreements are made with telecommunication vendors,
- alternate path design and switching services: redundancy can be built into communications networks such as LAN and network systems which enable communications to be diverted to other locations if, and when, necessary,
- backup equipment and software which includes backing up LAN data, network software and acquiring necessary redundant equipment, and
- uninterruptible power supplies (UPS) and monitoring facilities which help prevent system loss during power failures.
Information systems
Information systems manage the organisation's physical records (eg. correspondence, project and management files) and electronic records on computing facilities (eg. email, electronic policy and procedure manuals, forms and images), wherever they are housed.
The information systems treatments included in the BCP need to consider:
- use of secure and fire-proof in-house storage facilities,
- agreements and activities required to transfer processing to other locations,
- provision for backup processing facilities (electronic and manual), and
- off-site storage of critical data.
Preventative controls such as robust systems and application design, fault-tolerant hardware, uninterruptible power supplies, and monitoring facilities should also be considered. The result should be a complete and workable strategy for each part of the information process affected by identified disruptions.
Distributed handling and processing of information inherently spreads the business continuity risks across an organisation. However, as part of a comprehensive BCP, plans should be developed for each of these systems, and recognise any interdependencies between them (eg. single site of the management system).
Example: treatment options for facilities, telecommunications and systems

| Treatments | Application |
| --- | --- |
| Purchase or lease redundant capacity | Plan for extra office space, IT infrastructure, communications, etc. |
| Contingency arrangements | Enter an agreement with an outside vendor to provide service in the event of an outage (ie. hot site, warm site, and cold site). |
| Mutually beneficial agreements | Enter into an agreement with another organisation to use part of their facilities in the event of a disaster. These types of agreements can be entered into with other organisations to achieve the other options (ie. purchasing a hot-site agreement together). |
Business processes
As an outage may impact more than one business process, the treatments developed for each process need to be consolidated and, ultimately, individual business process plans are combined into an organisation-wide plan.
While this is the final step in determining treatment options, the concept of coordination should drive the entire approach. This is crucial to an effective BCP as it recognises the interdependencies between business processes within the organisation.
Business process treatments included in the BCP should address the activities and responsibilities of a business function to ensure continuity of essential business functions from the point of disruption to the return of normal operations.
Example: treatment options for business processes
| Treatments | Application |
|---|---|
| Alter current arrangements | Often current processes and resources can be changed as a cost-effective solution. For example, splitting data processing between two offices. In the event of loss of one site, the other site is still functioning. |
| Alter current processes | Often a current (or even non-current) service provider would be willing to give a guaranteed level of service in a disaster situation to restore resources at minimal cost. |
Select alternate activities and resources
A cost-effective strategy for recovery, satisfying the requirements of the business should be selected from the options identified. To enable this choice to be made, it is necessary that each option be costed.
Costs include:
direct costs - such as purchase price for extra equipment, and
indirect costs - such as cost to establish and maintain new equipment.
All costs need to be carefully considered as indirect costs such as maintenance can often exceed direct purchase costs.
In many cases it is possible to defer all, or a significant portion, of the costs until an event occurs and the continuity plan is activated. For example, restoration of essential phone communications may be handled with the purchase of sufficient mobile phones when required, in the knowledge most carriers can provide them within hours. Agreements with vendors may be established to ensure timely delivery on demand at a set price.
The selected alternate processes and resources should be documented along with the rationale for their selection.
Case studies: alternate treatments
People
A statutory body had previously developed a Staff Communications Strategy outlining the methods to inform staff of events in the organisation. Following a review, it was determined that this strategy was suitable for a disaster situation and was incorporated in the BCP. In using policies already in place, the number of issues relating to people to be addressed was reduced.
Facilities
An organisation with a relatively large maximum acceptable outage determined there was no need to obtain facilities immediately following a disaster. It contacted a local real estate agent and asked it to maintain a list of suitable alternative office space, so that in the event of an outage this information could be easily obtained.
Telecommunications
A large public sector organisation had an agreement for supply of a Wide Area Network (WAN) with a large telecommunications provider. Their information systems recovery strategy suggested that they should move processing to their second office, however, the WAN to this location could not support the network traffic. Following consultation, the service provider agreed to provide extra bandwidth on a contingency basis to the second location at no cost.
In another example, an organisation defined its critical phone numbers, and the telecommunications provider agreed to switch these numbers to an alternative location immediately following an outage. This agreement was incorporated into the contract.
Case studies: alternate treatments (continued)
Information systems
An organisation with a maximum acceptable outage for information systems of five days, spoke to their current service provider who agreed to include as part of the maintenance/service contract a disaster recovery clause which stated that they would replace infrastructure within three days. This was obtained at no cost given that the organisation was an important customer of the service provider.
Step five: implement continuity treatments
Selection of continuity and recovery treatments will lead to:
implementation of procedures to support recovery from a disruption to business, and
documentation of the recovery arrangements.
Procedures implemented to support recovery will need to be both preparatory and reactive.
Preparing for recovery involves putting in place controls that will mitigate the consequences of a business interruption should it occur. Three of the most important such controls include back-up processes, records management, and formal contingency arrangements with external parties.
Documentation of the recovery arrangements to be implemented after an outage has occurred is the role of the Business Continuity Plan.
A series of checklists is included in the appendices to this Guide to assist with developing continuity treatments. The checklists cover:
Alternate processing contract considerations (Appendix 1),
Roles, responsibilities and a checklist for the Board and audit committee (Appendix 2),
Roles, responsibilities and a checklist for the Chief Executive Officer (Appendix 3),
Role and responsibilities of the Recovery Coordinator (Appendix 4),
Roles and responsibilities of the service area recovery teams (Appendix 5),
Checklists for quality assurance of BCP development (Appendix 6), and
Limitations of BCPs (Appendix ).
[Figure: flow from the Risk Treatment Plan to the Business Continuity Plan, with the steps: Establish recovery teams; Document service area recovery steps; Obtain contact and inventory lists; Document recovery management process]
Implement preparatory controls
Back-up
Based on the results of the Business Impact Analysis, the resources required to recover and restore essential business processes are identified.
To activate a BCP it will be necessary to obtain access to information and resources supporting the key business functions. In the event of an outage it may still be possible to obtain these from the organisation's premises, but this will not always be the case.
Reliable off-site storage and backup procedures will ensure information essential to continued business is available as, and when, needed.
Resources required for recovery such as documentation, forms, supplies, data and programs should be obtained (copies or backed-up in the case of electronic data) and be kept at a secure off-site facility.
Off-site storage facilities should have suitable environmental and security controls and the resources and information should be protected from unauthorised access, modification, disruption or use during storage.
The following checklist describes the steps for evaluating off-site storage and back-up processing requirements.
Checklist for evaluating off-site storage and back-up processing
Ensure all resources required for the selected strategies are stored offsite
Review documented off-site backup processing standards and procedures, if they exist. If standards and procedures do not exist, ensure they are developed
Interview personnel responsible for implementation of backup procedures to see if there is adherence to procedures
Document key elements of the off-site backup procedures for inclusion in the appropriate sections of the contingency plan
Analyse off-site backup processing procedures and document concerns
Note: A better practice checklist for off-site storage is included in Appendix 9 to this Guide and can be used as the basis for analysing issues with off-site backup processing
Schedule review of off-site storage facility. (complex organisation only)
Consider testing partial recovery from off-site facilities (complex)
Off-site storage procedures should be modified to align routine operational requirements with those identified in the recovery strategies to ensure resources stored off-site, and access to them, is available to meet both situations.
Source: Deloitte Touche Tohmatsu Protech/ERS Methodology, 1999
Records management
As part of the BIA, vital records supporting the critical business processes were identified. In order for these vital records to be properly restored it is necessary to ensure a suitable records management program is in place.
The impacts of not having proper document and data management treatments in place are many. They include the management of hardcopy and electronic records data as well as archiving policies for both forms of records.
Continuity issues in record management extend beyond just keeping business processes in place. Record management has long-term implications for the organisation and strategies should consider:
legal requirements and exposures,
adverse effects on public image through inability to deliver information,
inefficiencies across all processes in locating and utilising information,
political ramifications of non-delivery of a service or information,
stakeholder dissatisfaction, and
decision-making processes which will be affected.
Development and implementation of document management procedures should include the procedures necessary for management of both physical and electronic records.
Development of document management procedures is part of the organisation's overall information management strategy. Risks associated with information management should be addressed in the plans that underpin the strategy. Procedures can be broken into five parts.
Figure 8: Records management procedures
Develop hardcopy document management guidelines
Develop archiving guidelines
Develop electronic and data management guidelines
Develop data security and information guidelines
Implement the guidelines
The Australian Archives Handbook on Record Management says a good records management system will ensure:
the right records are created,
information is kept on who uses the records, why they are used and how they are manipulated,
people who need the records can locate them,
records are maintained in a useable format, and
records are kept for as long as they are needed and for no longer.
The legal requirements to maintain records vary across organisations and should be considered in formulating a BCP. A good records management system will include consideration of the management of records vital to business continuity.
Footnote: For this document and further information see the National Archives of Australia website http://www.naa.gov.au
Case study
The Bankstown City Council fire was reported widely in the press for the impacts the disaster had on the Council and the community. The Council did not have a Business Continuity Plan.
The then Lord Mayor of Bankstown highlighted that recovery of information technology systems was not, as some may have expected, a problem. There were sufficient backup and storage procedures in place, and it was not too difficult to reconstruct the information systems.
The biggest problem was that the fire burned a lot of vital records and historical artefacts beyond recovery and reconstruction. The lack of documented management procedures made recovery of information virtually impossible.
Checklist for assessing vital records management program
| Question | Current plan |
|---|---|
| Does it provide a framework to ensure security of information developed? | Yes / No |
| Does it establish a framework on ensuring integrity and completeness of information? | Yes / No |
| Does it ensure only authorised personnel have access to information, including implementing a classification system? | Yes / No |
| Does it ensure users of information are aware of and observe all relevant laws and regulations? | Yes / No |
If the answer to any question is 'No', that aspect of records management needs to be reviewed.
Arrangements with external parties
It is necessary to formalise appropriate arrangements with vendor(s) selected as alternate suppliers.
The following checklist can be used to ensure such continuity treatments are properly implemented.
Checklist for evaluating implementation of external arrangements
Ensure for each treatment selected, the likely costs are the most commercially viable (ie. investigate other vendors in the marketplace)
Identify other requirements or changes that need to be made in order for the treatments to be effective
Changes to off-site storage procedures should be made as identified
Review contracts to ensure they demonstrate better practice for contract management as well as comply with internal guidelines for contract management
Finalise contracts
Case study
An organisation had a maintenance agreement with a telecommunications provider. This organisation was only able to include a disaster recovery clause in their contract at a large additional cost. Another service provider offered to provide services with no additional cost for the disaster recovery clause. For this reason, the organisation did not renew its contract with its telecommunications service provider and changed to the more cost-effective provider that met their business continuity needs.
A checklist to assist with consideration of alternate processing contract arrangements can be found at Appendix 1
Source: Deloitte Touche Tohmatsu Protech/ERS Methodology, 1999
Figure 9: Stages in recovery of business operations.
Each phase is defined as follows:
Response: the time from disaster declaration until critical systems and processes have been re-established using strategies documented in BCP.
Interim processing: the period the organisation relies on alternate processes and resources.
Restoration: the period the organisation returns from using alternate processes and resources back to use of its usual established systems and business as usual.
The business continuity plans produced should consist of detailed step-by-step procedures. They should contain action-oriented procedures to be used by recovery teams. These procedures are based on the approved recovery treatments and alternate activities and resources identified and take into account the recovery readiness procedures and arrangements.
Activities necessary to restore primary facilities and return to normal operations should be addressed more in the form of guidance than by detailed action steps which can quickly become dated and lack context.
Prepare the Business Continuity Plan (BCP)
Business continuity plans are a compilation of individual recovery or contingency plans, brought together with an overarching management plan to coordinate the lower plans.
The BCP addresses business disruption from the initial disaster response to the point at which normal business operations are resumed. They may include disaster response plans that are service area specific, operational recovery plans, as well as restoration and transfer of operations plans and guidelines as appropriate.
The treatments to overcome identified disruptions need to address the stages necessary to complete recovery.
To produce a comprehensive BCP the following steps are recommended:
define the recovery organisation,
define the recovery team,
develop and integrate service area recovery plans,
develop the over-arching management recovery plan, and
collate contact lists, inventory lists and other references.
The recovery organisation
Figure 10 provides a generic structure for the recovery organisation. The various layers in this structure are:
Recovery coordinator - coordinates the various teams below and reports directly to the CEO and Executive.
Recovery and management teams - service area teams responsible for implementation of BCP and recovery of systems following an incident.
Recovery plan support processes - processes necessary to support the management and technical recovery plans including human resource management and communication.
Checklists to assist in defining the roles and responsibilities of the Board and CEO, can be found at Appendix 2 and Appendix 3, respectively
The roles and responsibilities of the Recovery Coordinator and the service area recovery teams, can be found at Appendix 4 and Appendix 5, respectively
Figure 10: A generic structure for the recovery organisation
[Figure elements: CEO and Board; Recovery Coordinator; Management recovery plan; Service area recovery teams (People recovery team, Facilities recovery team, Telecommunications recovery team, Information systems recovery team); supporting plans (Communication plan, Accommodation plan, Telephone, Fax etc. plan, Mainframe recovery plan, Human resources plan, Equipment plan, Network recovery plan, PC recovery plan)]
For each recovery area, a team leader should be identified in the plan as being responsible for that area.
In a smaller organisation it may be possible to have only one person responsible for all communications, whereas in a large organisation it may need to be split into its component parts.
It may also be the case that the executive wishes to take the ministerial and media communication/liaison role. It is important to ensure all service areas are sufficiently covered to ensure that responsibilities and workload are evenly spread.
Example: roles and responsibilities of key continuity players
Chief executive
Brief Minister (and Board) on situation, expected impact and recovery timeframe
Provide focal point for the organisation to ensure the media and public receive the correct, and non-contradictory information
Ensure staff and stakeholders are made aware of the problems and the remedial action taken
Ensure Recovery Coordinator and Recovery Teams have the resources and support necessary to do their jobs
Recovery coordinator
Decision to activate the BCP
Determine the recovery strategy for the given situation
Assess the extent of damage to building, facilities and equipment and report to the CEO and/or Board, if necessary
Contact the necessary staff required for the disaster (in the first instance)
Assist in establishing of the recovery site, if applicable
Coordinate media activities
Direct, coordinate and monitor all recovery operations
Convene recovery status meetings with the CEO
Schedule subsequent recovery status meetings
Liaise with real estate agent, if applicable
Contact Insurance Assessors to determine their requirements and coordinate their on-going liaison with all recovery teams
Minimise further losses and salvage recoverable resources
Provide assurance and information updates to staff not involved in the recovery effort
Prepare the recovery site
Source: Deloitte Touche Tohmatsu Protech/ERS Methodology, 1999
Example: roles and responsibilities of key continuity players (continued)
Human resource team
Following notification from Recovery Coordinator of disaster escalation:
contact the staff required for the human resource recovery team
convene status meeting with team members
continually assess and address human resource needs, liaising with other service areas, and
provide regular updates to the Recovery Coordinator.
Communication teams
Following notification from Recovery Coordinator of disaster escalation:
facilitate communication between recovery coordinator and the teams designated focus group
convene status meeting with team members
provide regular updates to Recovery Coordinator
brief designated focus group on the disaster
continually keep designated focus group informed of changes to what they have been informed, and
respond to queries from designated focus group.
Other service areas
Following notification from Recovery Coordinator of disaster escalation:
contact the necessary staff required to their particular service area
convene disaster status meeting with team members
assist with disaster assessment as required
provide regular updates to Recovery Coordinator
complete recovery plan for their service area
determine requirements and coordinate acquisition of equipment, furniture, stationery and communications resources necessary for recovery, and
liaise with other recovery teams.
The recovery teams
During recovery, a specialised organisational structure is established which varies from the organisation's structure during periods of normal operation.
The roles in the recovery organisation need to ensure reporting lines and responsibilities are clear when the BCP is activated.
Small and non-complex organisations would only need one recovery team. Large and complex organisations may need to consider a number of teams (constituted, for example, on a functional or geographical basis) which would be coordinated by a small management team.
Personnel need to be identified for the teams defined in the recovery strategy. The team members participate in customising their responsibilities and procedures and testing their recovery plan.
The make-up of the team may be based on consideration of an individual's personal characteristics as much as on their position within the organisation.
Leaders and members of a recovery team need the following personal attributes:
a good understanding of the organisation,
an ability to work well in teams,
good people and communication skills,
respect within the organisation, and
the ability to work well under stress and balance competing priorities.
Part of each BCP project should include a clear understanding of the human resource impacts and the issues to take into account in planning, implementing and testing.
Management and employees must understand, and be capable of carrying out, what is required of them in a contingency situation. As well, both groups must be aware of the possible disruptive consequences of some of their actions and inaction. This requires explicit communication and coordination through job descriptions, awareness programs, special training and testing of plans.
People need to be the major focus of an outage. Equipment, infrastructure and facilities may all be operational but if people cannot reach their work place, or perform their jobs, key business processes will cease.
People can be a major issue in successfully activating the contingency plan. For example, if the BCP calls for staff to pick up and move to another location, you may find that single parents and those with incapacitated dependents, part-time students, people with second jobs, members of volunteer or paid public organisations, such as fire or emergency services, may not be available.
Service area recovery plans
An outline of the recovery plan should be developed for each service area identified in the recovery strategy. The plan should consider the people in the recovery teams and properly assign individual responsibility for each action (ie. between team leaders, team members and other teams) as well as timing and expected outcomes for each action.
All the steps required for recovery of a business process must be documented in order of priority. The order of these steps should reflect the priority ranking for recovery and take into consideration any interdependencies between steps.
The recovery steps also need to consider issues reflecting interaction with other service areas and recovery teams.
Example: service area recovery plans
If the finance area recovery team relies on recovery of the information systems, and recovery of the information systems is the responsibility of another team - say, the information systems recovery team - the steps for recovery of the information systems are not part of the finance area recovery team's recovery plan.
The steps to recover the information systems are included in the information systems recovery team's recovery plan. The finance area recovery team's plan would merely make reference to the fact that the information systems must be recovered and that is the responsibility of the information systems recovery team.
Note: the person with responsibility for completion of a step in the recovery plan does not necessarily have to be the person who undertakes that step. While the recovery team leader is responsible for ensuring a task is completed, they may assign the step to the recovery team members.
A useful format for outlining service area recovery steps is:
No. Action Responsibility Timing
1. <Action Title> <Team Member <Due Date>
name>
<Short description of <Resource
action including estimate>
references>
2.
3.
As noted previously, the action steps should be considered in three parts. It is usual to break each service area's recovery plan into these steps as a means of coordinating all plans.
Note: at the end of each step in an actual recovery situation it is essential the Recovery Coordinator be briefed on the progress of the recovery effort. The next step should not commence until the previous step has been completed.
In establishing the recovery steps for each service area it is important that communications, including information flows, are fully effective. The following checklist outlines some key points to consider.
Checklist: adequacy of communication and information flows
| Question | Current plan |
|---|---|
| Is the Recovery Coordinator kept adequately informed throughout the recovery process? | Yes / No |
| Are the team members kept adequately informed of the recovery process? | Yes / No |
| Are other interrelated teams kept properly informed of the recovery process? | Yes / No |
| Are appropriate external parties/stakeholders kept informed (excluding those kept informed as part of the management plan) of the recovery process? | Yes / No |
| Are external and internal parties that are part of the process informed up-front that their assistance may be called upon? | Yes / No |
| Are human resource needs being addressed? | Yes / No |
| Is part of the recovery process the re-implementation of controls (physical, logical and environmental)? | Yes / No |
If the answer to any of the above questions is 'No', the recovery plan(s) should be reviewed and amended to ensure there will be adequate communication following an outage and during recovery of operations.
Figure 11: Action steps in recovery plan
Source: Deloitte Touche Tohmatsu Protech/ERS Methodology, 1999
Following completion, it often becomes apparent that many of the recovery plans have some recovery steps in common. These steps should be integrated and assigned to one recovery team (usually that team which needs to complete that recovery step first). The other recovery teams should still include the recovery steps in their plan, noting that the responsibility for completing the step has been assigned to another recovery team.
The management recovery plan
The management recovery plan combines individual service area recovery plans into one coordinated effort. The recovery steps common to service areas should be combined into this plan (ie. inform staff of outage).
As well as combining the individual service area plans, the management recovery plan contains the criteria for activating the plan. Hence, the management recovery plan has an additional phase - disaster escalation.
As shown in Figure 12, disaster declaration precedes the response to an outage.
The management recovery plan should also address the issues to which the organisation, as a whole, must respond following the disaster declaration.
Declaration of a disaster is a generic decision, based on organisation-specific information - the decision process is shown in Figure 13.
Figure 12: Disaster escalation
Figure 13: Decision process for declaration of a disaster
[Flowchart elements: Event causing outage of key business process; Determine how long before operations are expected to be restored; Is restoration timeframe greater than maximum acceptable outage? (Yes / No); Disaster declaration; Monitor progress]
Discussion: what constitutes a disaster?
As noted in Part One of this Guide an outage is not just an event that reduces the effectiveness of systems, but an event that is extraordinary, causes a loss of key business processes and has a high impact on the organisation. A disaster is an outage that exceeds the MAO.
An example of what is NOT a disaster would be the case of a large legal action in progress or a resultant decision. While there may be a resource, financial and public image impact (which may be regarded as a disaster to management), it is a business issue not a continuity issue due to the fact that business processes are not affected.
It is possible for a management issue to turn into a continuity issue, if the issue begins to affect business processes. Continuing the court case example, if the pay-out created cash flow problems, this might interrupt business processes and lead to business continuity issues.
Individual components of the plan can be effectively utilised in non-disaster cases. For example, the communications plan might be effective in communicating an event to staff or the public, just as the information technology recovery plan may be effective in recovering a computer server that has failed.
The first step in the disaster declaration process is to determine how long it is before restoration of the business function can be expected. Guidelines to estimate the duration of an outage need to be established.
The following checklist may assist in establishing guidelines to estimate the duration of an outage.
Checklist: guidelines for estimating duration of an outage
| Question | Current plan |
|---|---|
| Are the people involved in the disaster assessment process clearly identified? | Yes / No |
| Are notification procedures for those involved in the disaster assessment process clearly identified? | Yes / No |
| Are timeframes for the disaster assessment clearly identified? | Yes / No |
| Are safety procedures for disaster assessment identified in line with Occupational Health and Safety Standards? | Yes / No |
| Do outside parties need to be part of the disaster assessment? | Yes / No |
| If yes, are they all identified? | Yes / No |
| Are all relevant insurance companies appropriately informed of the incident before disaster assessment takes place (some insurance is void if certain disaster assessments are carried out without the insurance company present or without their knowledge)? | Yes / No |
Source: Deloitte Touche Tohmatsu Protech/ERS Methodology, 1999
Other details
There will be an array of other details to be included in the BCP. Each organisation should analyse their needs (ie. what information can't we do without?). The minimum recommended requirements are discussed below.
Event log
The management recovery plan should also log the events for later debriefing and review. An event log should be included which allows the recovery coordinator to record details of the event. This can be used to brief other recovery teams, executive management and the media so there is a consistent description of the event. For an example event log, see Appendix 8.
Contact lists
Throughout the recovery process it will be necessary to contact a range of people and organisations. Comprehensive contact lists should be established and maintained. Contact lists to be established include:
emergency contact lists,
recovery team contact lists,
stakeholder contact lists,
recovery participant contact lists, and
complete staff lists with after hours contact details (if too large, details of where to locate a copy).
It is essential these lists be kept up to date. Normal operating procedures need to assign responsibility for maintaining lists including updating the recovery versions. Consider modifying the existing internal directory to accommodate the extra details required. This will assist in keeping the details up to date and simplify the maintenance of lists.
Inventory list
An inventory of all materials needed for the BCP to be effective should be included as part of the plan, and the items stored offsite.
If inventory items have a limited life, normal operating procedures should include responsibility for review of stored inventory and replacement with fresh stocks. In the case of consumables, this may become part of normal stores and distribution in the organisation.
Other references
Any other detailed references should be included. If this is not appropriate or practical, they should be included as part of the inventory and stored offsite. It may be possible to obtain and store much of this material electronically to save on space and possible degradation. However, recovery arrangements need to include arrangements to reprint paper versions when needed.
Format and contents of the BCP
The format and content of the BCP is extremely important. In a disaster situation, the reader should be able to pick up the document having not read it (although it is preferable that they have), and be presented with action-orientated points they can follow, with references contained in the back.
There should also be sufficient room for the person carrying out the recovery process to place comments on timing, or issues at each step. This will allow the recovery process to be critically reviewed as well as used as a source for debriefing staff on the issues that arose.
The BCP does not need to contain contextual information (eg. background, executive summaries, etc) as this was part of the development and approval process and should be stored on official files. The plan should simply start at the point the plan has been instigated and guide the reader through each step in the response and recovery process.
The example opposite illustrates a suggested structure for the BCP.
Quality assurance
Quality assurance reviews of the BCP during its preparation and throughout its life are recommended to ensure its content remains relevant. It is recommended the Recovery Coordinator and management committee responsible for the BCP ensure this is undertaken, in conjunction with routine testing.
Checkpoint: A series of checklists is included at Appendix 6 to assist in the quality assurance of the BCP development
Upon completion of the plan it must be
reviewed and signed-off. A suggested list
for review and signoff might include:
internal audit
audit committee
BCP steering committee
senior executives, and
CEO
Example: suggested structure for a business continuity plan
| Part | Information contained |
|---|---|
| 1 Cover page | Title; Concise statement of objective of continuity plan; Organisational signoff |
| 2 Table of contents | Contents of document |
| 3 Event log | Event log page to be filled in by Recovery Coordinator after an outage |
| 4 Management recovery plan | Disaster escalation process; Team assembly arrangements; Recovery phase steps; Interim processing phase steps; Restoration phase steps |
| 5 Service area recovery plans | Recovery phase steps; Team assembly arrangements; Interim processing phase steps; Restoration phase steps |
| 6 Referenced procedures | Telephone re-direction procedures; Outsourced vendor agreements |
| 7 Technical recovery items | Server configurations; Communication configurations; Pre-written programs for IT recovery |
| 8 Contact lists | Internal contact lists; Emergency services contact lists; External/stakeholder contact lists; Staff contact lists |
| 9 Inventory | Supply inventory; Additional resources/budget required |
| 10 Limitations | Limitations under which the plan was developed (refer Appendix for an example set of limitations) |
| 11 Testing and maintenance | Schedule of testing to be performed; Review/update timetables and deadlines (refer to step 6 for information on testing and maintenance) |
Step six: test and maintain the plan
Review of the BCP is essential to ensure it reflects the organisation's objectives, its key business functions, the corresponding processes and resources and an agreed priority for recovery. Testing and maintenance of the recovery process documented in the BCP will provide management assurance that the plan is effective - that is, it will ensure continuity of business should key functions be lost.
Test the plan
No matter how well designed and thought-out the BCP may seem, realistic and robust testing will reveal areas requiring attention. If test results are flawless, you should examine the adequacy and realism of your tests.
The major components of the BCP should be tested annually and updated based on the results of each test. It is important each component be individually tested. Testing can be disruptive - it requires commitment from management to ensure sufficient resources are available.
It is not recommended the BCP be tested as a whole as this would be resource intensive and may affect normal operations. It has been the case that testing the whole BCP at once, has itself created an outage and major disruption to business.
The service area recovery and management recovery parts of the BCP should be tested together. An approach may be to set the scene at the first hour, the first day, to the point of access to a temporary site. Each recovery team explains the process they would go through in recovering their operations. The other teams challenge the approach and point out any weaknesses detected in the plan. For example, asking:
'Where would you obtain that information?', or
'Isn't that process dependent on the completion of another activity?'
There are several approaches that may be adopted to test the plan.
Paper - ensures there is adequate capacity and availability of resources when the BCP is activated.
The test requires calculating requirements such as floor space, air conditioning and power requirements for the equipment to be used when the BCP is activated.
Manual verification - ensures the required recovery material is available as stated in the BCP.
This test requires checking all required data, supplies and/or other hardcopy documents (as documented in the BCP) are actually backed up and correctly stored off-site.
[Figure: flow from the Business Continuity Plan to the Test Plan, with the steps: Establish recovery teams; Document service area recovery steps; Obtain contact and inventory lists; Document recovery management process]
Regular testing is necessary to maximize the chances of a successful plan in
the event of a disaster and should familiarize the [Information System]
organization with an unexpected interruption of critical applications. A
business continuity plan is only as useful as effective testing proves it to be.
Business Continuity Planning: Maintaining Good Testing Practices, InSide
GartnerGroup This Week (IGG), January 22, 1997, C. Gooding.
GartnerGroup, 1999
Supply validation - validates all supplies required will be available in the event
of a disaster.
The test compares the list of forms and supplies used during a test to the
items documented in the BCP to ensure the list is complete and that an
adequate supply will be available.
Supplies, equipment and services availability test - ensures information
and lists of the forms, supplies, equipment, inventories and associated vendor
contact details are accurate.
To conduct this test, one or more teams with critical support vendors would
contact each vendor on their list to ensure that all information is accurate
including phone number, address and key vendor contacts. They would
verify whether the listed supplies, equipment or services are available for
delivery or what the current lead time is. This lead time should be compared
to the expected lead time in the BCP.
Structured walk-through - ensures the BCP procedures are adequate.
The test requires the Recovery Coordinator to develop a disaster scenario
and lead the service teams through a mock recovery.
The test is conducted as follows:
- all team leaders meet in a room to be given the scenario,
- they each work through their recovery team plans paying particular
  attention to the interaction with other teams, and
- issues identified should be immediately noted by the Recovery
  Coordinator.
Unannounced recovery team assembly - ensures the lists for mobilising
recovery teams are up to date and the teams can be mobilised in the required
time.
The test is conducted as follows:
The Recovery Coordinator contacts a number of team members on the
notification contact list.
The tests should be conducted, on a rotating basis, at the following times:
- during normal work hours,
- during lunch time,
- after normal work hours on a weekday, and
- during the weekend.
The Recovery Coordinator notes the time the calling process starts and
the time at which each team member was contacted.
Team members do not actually need to assemble.
The Recovery Coordinator will report on the test results.
Maintain the plan
Individual recovery team plans must be continually maintained to provide
support for business continuity. Administrative procedures and guidelines
should be developed to provide for periodic testing and documentation
maintenance of the service area recovery plan(s) and ongoing training.
Responsibilities for various aspects of BCP maintenance are also established.
Ongoing responsibilities should be defined to ensure appropriate BCP
maintenance. The following groups have specific BCP maintenance
responsibilities.
Role and responsibilities

Role: Recovery Coordinator (manages the BCP, coordinates the recovery teams and liaises with the CEO and Executive)
Responsibilities: At regular intervals (eg at least six monthly):
- Maintain alternate processing site contracts/agreements
- Coordinate regular review of the BCP documentation, annually at a minimum
- Coordinate review and approval of changes to the BCP
- Coordinate BCP training
- Perform administrative aspects of updates to the BCP (ie. reproduction and redistribution)
- Maintain the BCP distribution lists
- Schedule and coordinate the BCP tests

Role: Recovery teams (responsible for undertaking steps documented in the BCP to recover identified systems)
Responsibilities: At regular intervals (eg at least annually):
- Maintain respective service area team procedures
- Maintain the reference information that is part of the service areas' BCP procedures
- Participate in BCP testing

Role: End Users (need to ensure they are aware of the contents of BCP and how it affects them)
Responsibilities: End users should:
- ensure information necessary to continue critical functions, for which they are responsible, is stored offsite as part of the BCP
- participate in contingency plan training
- participate in contingency plan testing
A BCP is easily maintained if changes in the business and/or data processing
environment initiate reviews and update the BCP.
When a component of the BCP is affected, the following steps should be
taken:
- the Recovery Coordinator should be notified of the change,
- the effect of the change should be evaluated using a BIA focussing on the
  new component(s) and any new interrelationships which occur,
- the BCP should be modified by the appropriate service area to reflect the
  change, and
- the Recovery Coordinator should determine testing requirements and
  schedule a test, if necessary.
Source: Deloitte Touche Tohmatsu |otcc'/||S Methodology, 1999
Appendices
1. Alternate processing service contract considerations
2. Roles, responsibilities and a checklist for the Board and audit committee
3. Roles, responsibilities and a checklist for the Chief Executive Officer
4. Role and responsibilities of the Recovery Coordinator
5. Roles and responsibilities of the service area recovery teams
6. Checklists for quality assurance of BCP development
7. Limitations of BCPs
8. Event log
9. Checklists for review of off-site backup procedures
Appendix 1
Alternate processing service contract considerations
Checklist: alternate processing service contract considerations
Task Completed
General Issues
The description of the alternate processing facilities should indicate adequate physical security and appropriate environmental controls  Yes [ ] No [ ]
Availability of alternate vendor sites and the rights of individual subscribers in the event of multiple disaster declarations should be specified  Yes [ ] No [ ]
Amount of nature of support services the vendor will provide should be defined relative to:
- implementation assistance
- support for testing
- logistical support, and
- after hours support  Yes [ ] No [ ]
The vendor should have limits relative to the total number of clients that may subscribe to a given facility  Yes [ ] No [ ]
The vendor cannot renew (except by automatic renewal clause) or renegotiate the contract while the subscriber is experiencing a disaster or in recovery phase  Yes [ ] No [ ]
The amount and scheduling of test time should be defined  Yes [ ] No [ ]
Subscriber should have the right to periodically audit the installation to ensure that the specified configuration is maintained  Yes [ ] No [ ]
An escape clause should allow the subscriber to terminate the contract without penalty for any of the following reasons:
- failure to maintain technical compatibility
- failure to provide agreed support services
- failure to maintain suitable environmental support, and
- a breach of contract  Yes [ ] No [ ]
The contract should provide an annual window of opportunity to terminate without penalty  Yes [ ] No [ ]
The monthly fees should not be subject to change without the written consent of the subscriber  Yes [ ] No [ ]
The contract should not be assignable without written consent  Yes [ ] No [ ]
The vendor should be subject to appropriate consider non-disclosure conditions  Yes [ ] No [ ]
IT Recovery Specific Issues
Definition of the backup capability of the vendor site should be clear and consistent throughout the contract  Yes [ ] No [ ]
Occupation of the hot site for a minimum of six weeks  Yes [ ] No [ ]
Conditions under which the subscriber can continue to occupy hot site facilities after the six week period should be defined  Yes [ ] No [ ]
The number and description/type of locally attached terminals and/or other devices available while on-site should be defined, this is particularly important for data entry requirements  Yes [ ] No [ ]
Continuing technical compatibility should be assured throughout the life of the contract  Yes [ ] No [ ]
The contract should specify a guarantee of access to the hot site (including after hours access) during period of disaster and recovery  Yes [ ] No [ ]
The nature and extent of IT support services to be provided by the vendor has been defined relative to:
- network diagnostic capabilities and implementation assistance
- support for testing activities
- assistance in configuring facilities (ie. equipment acquisition, transportation, storage, removal and return)
- access and use of vendor software, documentation, ancillary facilities (ie. photocopying, food services), and
- logistical support.  Yes [ ] No [ ]
Source: Deloitte Touche Tohmatsu |otcc'/||S Methodology, 1999
Appendix 2
Roles, responsibilities and a checklist for the Board and audit committee
Task Completed
Is the scope of the business continuity process appropriate given the organisation's circumstances and risk management strategy?  Yes [ ] No [ ]
Is BCP being coordinated to take into consideration other risk management initiatives?  Yes [ ] No [ ]
Are synergies between other risk management initiatives (ie. Y2K projects) and business continuity fully used?  Yes [ ] No [ ]
Are internal and external audit recommendations regarding BCP being followed up?  Yes [ ] No [ ]
Are the maximum acceptable outages (MAO) determined as part of the business impact analysis in line with the audit committee's understanding of the business?  Yes [ ] No [ ]
Are the recovery strategies recommended appropriate given other business initiatives?  Yes [ ] No [ ]
As part of the review of the internal audit strategic and annual work plans is business continuity and more specifically, business continuity testing and maintenance being addressed?  Yes [ ] No [ ]
Are business continuity initiatives being communicated to all levels of management and across the organisation (this is an important part of a successful business continuity project)?  Yes [ ] No [ ]
Roles and responsibilities
- Ensure governance framework supports business continuity
- Ensure approach to risk management supports strategic goals of organisation
Source: Deloitte Touche Tohmatsu |otcc'/||S Methodology, 1999
Appendix 3
Roles, responsibilities and a checklist for the Chief Executive Officer
Roles and responsibilities
- Brief Minister and Executive Board on business interruption event, expected impact and recovery timeframe
- Provide a focal point for the organisation to ensure the public and media receive the correct, and non-contradictory information
- Ensure staff and stakeholders are made aware of the problems
- Ensure Recovery Coordinator and Recovery Teams have the resources and support necessary to do their job
Task Completed
Have management and staff adopted an attitude of continuity management planning which ensures that a positive control environment is maintained?  Yes [ ] No [ ]
Does the organisation regularly communicate the organisation's vision, goals and objectives to staff members?  Yes [ ] No [ ]
Does management take a balanced approach to risk taking, carefully analysing and assessing risks and potential benefits before authorising new ventures or significant changes?  Yes [ ] No [ ]
Does the BCP complement the organisation's corporate governance and risk management framework?  Yes [ ] No [ ]
Is the organisation responsible for providing a unique service to the public or the Government?  Yes [ ] No [ ]
If yes, what would the implications be if the service were unavailable for an extended period of time?  Yes [ ] No [ ]
Are BCP practices and procedures in place to ensure timely decision making during a disaster and to instil accountability into staff?  Yes [ ] No [ ]
Does a business impact analysis exist that identifies the recovery timeframes of the critical business processes?  Yes [ ] No [ ]
Does the organisation have a person identified that is responsible for BCP?  Yes [ ] No [ ]
If so, has the person been provided with adequate training and resources to perform the role?  Yes [ ] No [ ]
Has the organisation's BCP been subject to independent review (eg. by internal audit)?  Yes [ ] No [ ]
Are the BCPs linked to the emergency management plans for the organisation?  Yes [ ] No [ ]
Is there a process in place for BCP review?  Yes [ ] No [ ]
If the organisation has a BCP, does it reflect the current and future needs of the organisation?  Yes [ ] No [ ]
Have the current and future BCP needs been formally evaluated as part of the organisation's overall corporate governance arrangements?  Yes [ ] No [ ]
Has the organisation undergone considerable organisational change, or changes in organisational focus and direction or changes to business resources (personnel, facilities, information technology, and communication)?  Yes [ ] No [ ]
When were the continuity plans last tested? Date: / /
What were the results of the tests?
Were recommendations for change or improvement taken up and tested?  Yes [ ] No [ ]
Source: Deloitte Touche Tohmatsu |otcc'/||S Methodology, 1999
Appendix 4
Role and responsibilities of the Recovery Coordinator
- Decision to activate the BCP
- Determine the recovery strategy for the given situation
- Assess the extent of damage to building, facilities and equipment and report to the CEO, Executive and/or Board, if necessary
- Contact the necessary staff required for the disaster (in the first instance)
- Assist in establishing the recovery site, if applicable
- Coordinate media activities
- Direct, coordinate and monitor all recovery operations
- Convene recovery status meetings with the Executive
- Schedule subsequent recovery status meetings
- Liaise with real estate agent, if applicable
- Contact Insurance Assessors to determine their requirements and coordinate their on-going liaison with all recovery teams
- Minimise further losses and salvage recoverable resources
- Provide assurance and information updates to staff not involved in the recovery effort
- Prepare the recovery site
- Schedule and conduct test of the BCP
Appendix 5
Roles and responsibilities of the service area recovery teams
Human resource management team
Following notification from Recovery Coordinator of disaster escalation:
- contact the staff required for the human resource recovery team
- convene status meeting with team members
- continually assess and address human resource needs, liaising with other
  service areas, and
- provide regular updates to the Recovery Coordinator.

Communications team
Following notification from Recovery Coordinator of disaster escalation:
- facilitate communication between recovery coordinator and the teams
  designated focus group
- convene status meeting with team members
- provide regular updates to Recovery Coordinator
- brief designated focus group on the disaster
- continually keep designated focus group informed of changes to what
  they have been informed, and
- respond to queries from designated focus group.

Other service areas
Following notification from Recovery Coordinator of disaster escalation:
- contact the necessary staff required for their particular service area
- convene disaster status meeting with team members
- assist with disaster assessment as required
- provide regular updates to Recovery Coordinator
- complete recovery plan for their service area
- determine requirements and coordinate acquisition of equipment,
  furniture, stationery and communications resources necessary for
  recovery, and
- liaise with other recovery teams.
Appendix 6
Checklists for quality assurance of BCP development
The BCP plan proposal
The business continuity project plan should adequately describe the project, its
objective and scope, the project team and its responsibilities, and the
resources required. The Chief Executive or management committee
responsible should formally approve the plan. The checklist below, provides a
quick reference point for ensuring the plan has sufficient detail. In addition, a
suggested format for a project plan is described at Step one of the Workbook.
Checklist: developing the business continuity project plan
Task Completed
Document the project's objectives  Yes [ ] No [ ]
Define and document the project's scope and any limitations  Yes [ ] No [ ]
Explain any assumptions made  Yes [ ] No [ ]
Detail members of project team  Yes [ ] No [ ]
Assign responsibility for project tasks  Yes [ ] No [ ]
Present the budget, including staff resources, required for the project  Yes [ ] No [ ]
Set project timeframes and deliverables for tasks  Yes [ ] No [ ]
Plan is formally approved by appropriate management committee  Yes [ ] No [ ]
Source: Deloitte Touche Tohmatsu |otcc'/||S Methodology, 1999
Identifying key business processes, activities and resources
The BIA needs to assess the impact of an outage to all key business processes.
It ranks these processes in order, to determine recovery priorities and
identifies the activities and resources which comprise each process, again,
ranked in order of priority to determine recovery priorities.
To ensure the BIA is complete each business unit or service area needs to
identify the processes for which they are responsible and then determine
which of these are critical to the organisation achieving its objectives. These
key business processes should then be ranked in order of priority to the business
(thus indicating their recovery priority) and the activities and resources of each
process should be similarly ranked.
Checklist: ensuring all key business functions, processes and resources are identified and included in the BIA
Task Completed
Document and confirm organisational objectives, outputs and performance criteria  Yes [ ] No [ ]
List all business processes which underpin achievement of objectives and delivery of outputs  Yes [ ] No [ ]
Rank the processes in order of importance to the organisation's objectives and exclude those processes considered not key to achieving the objectives  Yes [ ] No [ ]
Review the functional organisation chart to identify general areas of operational responsibility  Yes [ ] No [ ]
Interview managers responsible for key business functions to confirm understanding of business processes  Yes [ ] No [ ]
Meet with service area management and support personnel to gain an understanding of each function included in the scope  Yes [ ] No [ ]
Obtain any supporting documentation that is available which would provide a summary of key business functions  Yes [ ] No [ ]
Document the activities and resources essential to each key business process.  Yes [ ] No [ ]
Ensure all resources groups are identified (ie. people, facilities, telecommunications, information systems, business support processes)  Yes [ ] No [ ]
Formally communicate the list of key business processes and supporting processes and resources, with their respective ranking, to the project steering committee  Yes [ ] No [ ]
Consider interdependencies that exist between areas  Yes [ ] No [ ]
Source: Deloitte Touche Tohmatsu |otcc'/||S Methodology, 1999
The BIA
The BIA determines the length of time the organisation can be without key
business processes before remedial action must be taken. As the key business
processes are made up of activities and resources, it is actually about making
an assessment about the time you can be without the activities or resources
before the key business process would fail. The BIA establishes the Maximum
Acceptable Outage for each activity and resource that supports the key
business process; the MAO should reflect and confirm the priority ranking
made in the earlier step.
Checklist: analysing each key business function for a BIA
Task Completed
Evaluate the impacts of a loss of the function from the perspective of the organisation's budget and outcomes and outputs. Consider:
- loss of revenue/increased expense
- service delivery standards
- public or political embarrassment
- loss of client confidence
- loss of management control
- financial misstatement
- regulatory, statutory or contractual liability
- specific/unique vulnerabilities, and
- political ramifications  Yes [ ] No [ ]
Identify the critical success factors that ensure the function meets the organisation's objectives  Yes [ ] No [ ]
Identify the processes and resources which underpin the key business functions  Yes [ ] No [ ]
Identify additional expenses incurred if process(es) are performed manually or in a substitute manner during an outage  Yes [ ] No [ ]
Identify interim processing procedures (alternative or manual processing) techniques to be adopted during the recovery phase  Yes [ ] No [ ]
Estimate the time it will take to overcome the backlog of work accumulated during the outage  Yes [ ] No [ ]
Quantify the minimum resource requirements necessary to perform the function  Yes [ ] No [ ]
Identify the records vital to the recovery process  Yes [ ] No [ ]
Evaluate the adequacy of current BCP in place  Yes [ ] No [ ]
Source: Deloitte Touche Tohmatsu |otcc'/||S Methodology, 1999
Selecting alternate activities and resources
To select alternate activities and resources to be used during an outage,
consideration of all viable options is paramount. This consideration
encompasses each option's ability to substitute for the lost activities and
resources in terms of cost, quality and, most importantly (considering the
MAO) timeliness. An added benefit of this process is that it may identify
better activities and resources than those currently in place, providing
on-going cost savings as an outcome of this process.
Checklist: selecting process and resources alternatives
Task Completed
Document a brief description of each viable option  Yes [ ] No [ ]
Determine other resources required and the costs for each option (this may require information from vendors)  Yes [ ] No [ ]
Compare recovery options, including cost, with recovery priorities and the MAO. Consider:
Does the option meet the recovery needs?  Yes [ ] No [ ]
Does the option exceed your needs?  Yes [ ] No [ ]
Source: Deloitte Touche Tohmatsu |otcc'/||S Methodology, 1999
Evaluating backup processing and off-site storage
For a BCP to work, and work reliably, some proactive measures will need to
be established to ensure relevant resources are available if the BCP is
activated. Fundamental to recovery from an outage is access to records and
information, both electronic and physical. Backup processing and off-site
storage are fundamental to most business processes today; the checklist
below provides a list of issues to consider when reviewing the requirements
for the BCP.
Checklist: evaluating backup processing and off-site storage
Task Completed
Ensure all resources required for the selected strategies are stored offsite  Yes [ ] No [ ]
Review documented off-site backup processing standards and procedures, if they exist. If standards and procedures do not exist, ensure they are developed  Yes [ ] No [ ]
Interview personnel responsible for implementation of backup procedures to see if procedures are being adhered to  Yes [ ] No [ ]
Document key elements of the off-site backup procedures for inclusion in the appropriate sections of the contingency plan  Yes [ ] No [ ]
Analyse off-site backup processing procedures and document concerns  Yes [ ] No [ ]
Schedule review of off-site storage facility  Yes [ ] No [ ]
Partial recovery from off-site facilities has been tested  Yes [ ] No [ ]
Note: A better practice checklist for off-site storage is included in Appendix 9. This can be used as the basis for analysing issues with
off-site backup processing.
Source: Deloitte Touche Tohmatsu |otcc'/||S Methodology, 1999
Implementing continuity strategies
It is essential that the selected continuity strategies are implemented properly
and tested. The BCP will rely on the selected continuity strategies being in
place prior to finalisation of the BCP. The checklist below will provide
assistance in ensuring the identified continuity strategies have been
implemented.
Checklist: ensuring continuity strategies are properly implemented
Task Completed
Ensure for each strategy selected, the likely costs are the most commercially viable (ie. investigate other vendors in the marketplace)  Yes [ ] No [ ]
Identify other requirements or changes that need to be made in order for the strategies to be effective  Yes [ ] No [ ]
Changes to off-site storage procedures should be made as identified  Yes [ ] No [ ]
Review contracts to ensure they demonstrate better practice for contract management as well as comply with internal guidelines for contract management  Yes [ ] No [ ]
Finalise contracts  Yes [ ] No [ ]
Source: Deloitte Touche Tohmatsu |otcc'/||S Methodology, 1999
Evaluating the level of communication in the BCP
When activated, the success of a BCP will rely heavily on open communication
and sharing of relevant information. Following declaration of a disaster,
information on implementation of alternate activities and resources, recovery
of lost systems and the next stage of the plan to be implemented, needs to be
concurrently available to all recovery teams, senior management and affected
staff. The following checklist can be used to ensure the communication in the
service area plans and the management plan is adequate.
Checklist: ensuring communications and information flows in service area recovery plans are adequate
Task Completed
Ensure the BCP has communication flows which enable the Recovery Coordinator to be kept adequately informed by the service area recovery teams throughout the recovery process  Yes [ ] No [ ]
The BCP ensures service area recovery team members are kept adequately informed of where the organisation is in the recovery process  Yes [ ] No [ ]
Ensure service area recovery teams working to recover interrelated business processes are kept properly informed of the recovery process and keep other teams informed of their progress  Yes [ ] No [ ]
Ensure service areas keep appropriate external parties and stakeholders informed (not including parties/stakeholders that would be kept informed as part of the management plan) of the recovery process  Yes [ ] No [ ]
Ensure external and internal parties included in BCP are informed immediately that their assistance may be called upon  Yes [ ] No [ ]
Ensure all human resource needs are being addressed. Consider: OHS, counselling and other support lines of communication, etc  Yes [ ] No [ ]
Ensure the recovery process addresses re-implementation of routine controls (physical, logical and environmental)  Yes [ ] No [ ]
Source: Deloitte Touche Tohmatsu |otcc'/||S Methodology, 1999
Checklist: ensuring communications and information flows in the management plan is adequate
Task Completed
Ensure the BCP communication flows keep underlying service area recovery teams informed throughout the process  Yes [ ] No [ ]
Ensure the executive is kept properly informed throughout the process  Yes [ ] No [ ]
Ensure appropriate external parties/stakeholders are kept properly informed throughout the process  Yes [ ] No [ ]
Ensure the BCP provides specific protocols for media liaison and management  Yes [ ] No [ ]
Ensure external and internal parties included in BCP are informed immediately that their assistance may be called upon  Yes [ ] No [ ]
Ensure all human resource needs are being addressed. Consider: OHS, counselling and other support, lines of communication, etc  Yes [ ] No [ ]
Ensure the recovery process addresses re-implementation of routine controls (physical, logical and environmental)  Yes [ ] No [ ]
Source: Deloitte Touche Tohmatsu |otcc'/||S Methodology, 1999
Disaster assessment
The BCP needs to outline the steps and issues that need to be considered
when assessing the impact of a disaster. The Recovery Coordinator must be
able to advise the Chief Executive and senior management on the impact of
an outage and assess the time the business process may be affected; if the
MAO is exceeded, a disaster is declared and the BCP is activated.
Checklist: developing the disaster assessment guidelines
Task Completed
The BCP clearly identifies the people involved in the disaster assessment  Yes [ ] No [ ]
The notification process for those involved in the disaster assessment is clearly identified in the BCP  Yes [ ] No [ ]
The timeframes for the disaster assessment are clearly identified in the BCP  Yes [ ] No [ ]
Safety procedures for disaster assessment identified in the BCP are in line with Occupational Health and Safety requirements  Yes [ ] No [ ]
The outside parties which are part of the disaster assessment process are identified in the BCP along with their contact details  Yes [ ] No [ ]
Steps are in place to appropriately inform all relevant insurance companies of the incident before or during the disaster assessment taking place (some insurance is void if certain disaster assessments are carried out without the insurance company present or without their knowledge)  Yes [ ] No [ ]
Source: Deloitte Touche Tohmatsu |otcc'/||S Methodology, 1999
Appendix 7
Limitations of BCPs
The BCP should recognise the factors that may limit recovery from a business
interruption event. These factors should be documented in the BCP to
ensure they are brought to the attention of management.
Example: factors which may limit recovery from a business interruption event
Resource / Possible limiting factors

People
- Insufficient number of personnel possessing the appropriate skills available to implement business continuity operations
- Critical operations and systems documentation for each platform are not stored off-site
- Insufficient number of qualified personnel will be available to perform user tasks during the recovery phase
- Personnel who play a role in recovery are unaware of their responsibilities and have not been adequately trained to perform the recovery tasks
- Staff support areas are not prepared to support the recovery operation

Facilities
- The Recovery Plan will NOT cover any event which simultaneously renders both the primary and all alternate data centre facilities inoperable
- The Recovery Plan will NOT cover any event which simultaneously renders the data centre inoperable and the essential off-site storage inaccessible
- The disaster that renders the data centre inoperable may impact large geographic areas, public utilities, the transportation infrastructure or other facilities and/or services normally available (Note that this excludes an electrical distribution failure)
- Transactions lost between the point of the most recent backup and the disaster event cannot be reconstructed and re-entered to computer systems within the maximum allowable outage period
- Periodic testing of the BCP is not conducted
- Critical systems are not periodically evaluated and their minimum essential features can not be provided for a disaster
- A complete listing of production files and their location on backup tapes is rotated off-site with adequate frequency
- The organisation may experience voluntary or involuntary separations of employment or relationship with any employees, suppliers, or other vendors between the occurrence of the disaster event and complete recovery
- Off-site storage locations are not intact and accessible
- Off-site information backup and rotation procedures are inadequate to implement full recovery within maximum allowable outage time frames
- Daily transactions needed to reconstruct critical data are not rotated off-site with adequate frequency

Telecommunications
- |cao access to public network
- 't|c| access to replacement mobile phones
- Delay in re-routing critical phone numbers to new location
- Lack of access to other communications hardware (eg. pagers, fax, email connections, etc.)

Information Systems
- Lack of alternate processing facilities available as and when, required
- The organisation lacks access to a fully configured second processing site sufficient in capacity to support data processing for essential business functions with critical application support needs
- Critical users do not have the ability to reconstruct any lost work-in-progress
- Critical users do not have recovery plans developed to be able to process at the alternate processing facility

Business Processes and Resources
- The organisation has adequate financial resources to implement the contingency plan according to the time frames established by the business impact analysis
- Inadequate maintenance of all business continuity procedures is performed
- No ongoing effort to minimise exposures to disasters will continue and operations/ systems vulnerabilities
- Designated user representatives are not promptly notified if a disaster occurs
Appendix 8
Event log
During a business interruption event it is important to record important
information and decisions which were made during the outage. This
information provides an important input to revising the BCP by incorporating
actual event experiences in the plan. The event log may also be a useful tool
for the Recovery Coordinator to use during BCP tests to record the scenario
set and the outcomes of the test results.
The Recovery Coordinator should complete this Event Description shortly
after notification of a disaster. The log is used to record the facts and
wording of the disaster declaration statement to allow the Recovery
Coordinator to relay accurate information to other members of the team and
as a means of review after the event.
The following example shows the information the Recovery Coordinator
should collect in the case of a business interruption event.
This log should be adapted to suit the specific requirements and structure of
the organisation.
Example: a business interruption event log
Event Log:
Initial Notification. Briefly describe the event:
Disaster Declared [ ] or Standby Requested [ ] (Please Tick)
Date:
Time:
Notified by:
Estimated Time to Event Resolution: Days: Hrs:
Disaster Declared:
Date:
Time:
Recovery Site:
RECOVERY SITE ADDRESS:
Authorised by:
Appendix 9
Checklists for review of off-site backup procedures
Checklist for review of non-IT off-site backup procedures
Area for Review Completed
Identify all categories of off-site backup addressed by the procedures. Consider:
- hard copy documentation
- forms (application forms, manual receipts, cheque blanks, etc)
- supplies, and
- equipment  Yes [ ] No [ ]
It may be possible to make special arrangements with your bank, including guaranteed delivery time, which
will enhance security of these forms
For each of the categories of items identified as being backed up, identify the times for adding/replacing/deleting off-site backup items  Yes [ ] No [ ]
Identify persons responsible for determining what is to be backed up  Yes [ ] No [ ]
Identify persons responsible for review and approval of changes/terminations of off-site backup items  Yes [ ] No [ ]
Determine if an inventory of items is available and how the inventory is maintained  Yes [ ] No [ ]
Determine whether a hardcopy of the off-site backup inventory is stored off-site  Yes [ ] No [ ]
Source: Deloitte Touche Tohmatsu |otcc'/||S Methodology, 1999
Checklist for review of IT off-site backup procedures
Area for Review
Identify all types of files being backed up off site. Consider:
system software:
- operating systems
- support software
- utility packages
- communications software, and
- Job Control Language (JCL), etc.  Yes [ ] No [ ]
application software:
- source libraries
- production libraries (Executable Code)
- data dictionary files
- Job Control Language, etc, and
- production data disk files and databases  Yes [ ] No [ ]
user files:
- on-line documentation
- Production Scheduling
- computer operations documentation (eg. recovery/restart), and
- application system/program documentation  Yes [ ] No [ ]
archival files  Yes [ ] No [ ]
For each of the categories of items identified as being backed up, identify the method(s) of backup. Consider:
- full saves (entire file or database backed up)
- incremental saves
- production job stream
- on request by user
- application nightly backup batch run, and
- special job stream  Yes [ ] No [ ]
Determine the backup frequency and number of cycles retained off-site for each category of backup  Yes [ ] No [ ]
Identify persons responsible for determining what is to be backed up  Yes [ ] No [ ]
Identify persons responsible for review and approval of changes/terminations of off-site backup cycling  Yes [ ] No [ ]
Note the reason(s) why any types of files are not being backed up off site  Yes [ ] No [ ]
Determine if backup procedures are applied application by application or to an entire category of applications such as those designated critical  Yes [ ] No [ ]
NOTE: When the term 'application(s)' is used above, it refers to operating system software, support
software, utilities, and communication software in addition to end user business applications.
Identify the tool(s) used for identifying and recording off-site backups. Consider:
- tape library management software packages
- manual logs
- special program/system with manual input, and
- special program/system with automated input  Yes [ ] No [ ]
Determine if vendor provided software products are used to perform backups  Yes [ ] No [ ]
If a third party provides off-site storage, does the existing contract for retrieval and recovery of storage media match the requirements of the BCP?  Yes [ ] No [ ]
Source: Deloitte Touche Tohmatsu |otcc'/||S Methodology, 1999
Business Continuity Management
Workbook
Guide to Effective Control, January 2000
Better practice
The Australian National Audit Office produces better practice guides as part of its integrated audit approach which includes information services to audit clients.
A Better Practice series has been established to deal with key aspects of the control structures of entities, an integral part of good corporate governance.
This Workbook forms part of that series. The accompanying Guide deals with business continuity management within a risk management framework.
Contents
Introduction
Step one: Project initiation
Step two: Key business processes identification
Step three: Business impact analysis (BIA)
Step four: Design continuity treatments
Appendices
1. Worksheet for key business processes identification and business impact analysis
2. Worksheet for evaluation of recovery treatment options

Introduction
This Workbook is designed to assist organisations in the development of a comprehensive business continuity plan.
It is designed to lead operational and service area staff through the process of:
- identifying key business processes,
- establishing a maximum acceptable outage for each key business process, and
- designing appropriate cost-effective treatments in the event of an outage.
The results from this Workbook can be used by the Business Continuity Project Manager to develop a Business Continuity Plan.
The structure of the Workbook is based on the steps detailed in the Business Continuity Management Better Practice Guide published by the Australian National Audit Office. It is recommended that users of this Workbook first familiarise themselves with the concepts and processes discussed in the Guide.
The content of the Workbook comprises general guidance, examples and worksheets. These should be adapted as required to ensure that key information and decisions are fully documented.
It is intended that the steps in the Workbook be followed sequentially. The Workbook may be completed individually or be used as the basis to facilitate group sessions.
Step one: Project initiation
A plan should be prepared to manage the business continuity project.
The following outline is a suggested structure for this plan. If a plan has
been completed, insert it in this section.
1. Introduction
1.1 Background/Introductions
- Why is the project being conducted.
2. Business objectives
2.1 Objective of the project
- Detailed objectives and outcomes of the major steps below.
3. Requirements specification
3.1 General requirements
- Project sponsor
- Project manager
- Business unit involvement
3.2 Contracting considerations (if expert contractors are engaged)
- Primary contractor
- Intellectual property
- Project reporting
- Variations to cost
- Warranty
- Rights
3.x Phase (for each phase of the project)
- Objective of the phase
- The steps involved
- The outcomes for the phase
- Organisational resources that will be allocated to the project team
- The project team's roles and responsibilities
- Reporting requirements for the phase
4. Project deliverables and milestones
4.1 Project reporting
- How will the project team report to the Organisation.
- What information the project team will provide:
  - Status of the project
  - Percentage completed
  - Expected deliverables
  - Issues for note or action
4.2 Deliverables and milestones
- Tables listing the deliverables and receivables that are required to meet the objectives of the project
5. Project budget and administration
5.1 Budget
- Staff resources
- Contract resources
- Sources of funds
5.2 Administration
- Change control
- Resources and payment plan linked to deliverables
- Resources constraints
- Critical success factors
6. Roles and responsibilities
6.1 Responsibilities
- Approvals for budget, sign-off phases, acceptance and implementation of recommendations
6.2 Project hierarchy
- Chief Executive, Project Steering Committee, Project Manager, Project Team(s) reporting to Project Manager
6.3 Service provider/contractor
- Expectations and deliverables
- responsibilities of the service provider
Step two: Key business processes identification
Introduction
Business processes are made up of the activities undertaken within each process
and the resources consumed by, or applied to, each activity.
The objective of this step is to identify, and rank in priority order, those strategic, operational and support business processes that are critical to the production of organisational outputs and hence fulfilment of business objectives.
The identification of key business processes may already have been completed in other risk management and business planning activities undertaken in the organisation. The Organisation's Corporate Plan, Business Plans and Risk Management Plan are good starting points. If this is the case, this step in Business Continuity Management should confirm that the process descriptions are still valid and rank the processes in terms of their relative importance to achieving organisational objectives.
The following instructions will assist organisations identify and rank their business processes. The results of this activity should be entered on the worksheet at Appendix 1.
Instructions for completing the worksheet (Appendix 1)
1. Determine and document overall business objectives
Obtain or establish the business objectives for the business unit. The objectives for each business unit should support, and be consistent with, the overall organisational objectives, vision and mission established in the Corporate Plan.
Objectives are usually framed in terms of the effectiveness of outputs and may have a time, cost, quantity and/or quality dimension.
Document the business unit objectives on the worksheet.
2. Identify business processes
For each business objective, map all of the business processes undertaken within the business unit or service area.
The structure of many organisations mirrors the strategic, operational and support business process categorisations discussed in the accompanying Guide.
Page 32 of the Guide provides an outline of generic mega and major business processes that apply to most public sector organisations, under each of these categories. This structure may be a useful starting point for establishing a common language and understanding of what a business process is.
3. Determine and rank key business processes
Once an inventory of all business processes has been established for the business unit or service area it is necessary to determine which of these are critical to achieving organisational objectives.
All business processes will contribute in some form to organisational objectives. One approach is to first determine which objectives are the most important and to match the business processes to those objectives. It is then necessary to determine from within these processes those that are integral to achievement of the key objectives.
Generally, all operational processes can be considered to be key. It is more likely that some support processes, such as publishing and public relations, and some strategic processes, such as those associated with process improvement and quality assurance (but not quality control), will not be mission critical.
It is suggested this ranking of processes is undertaken as a facilitated group session using a vertical slice of employees from within the business unit or service area.
4. Analyse key business processes into activities and resources
and rank in priority order for recovery
Each key business process should be dissected into the activities undertaken for that process and the resources consumed by or applied to the activities. This can be achieved by first considering the critical success factors required for the process to meet its business objectives.
Resources applied to activities should be considered in terms of people, facilities, telecommunication, information systems and business processes.
Operational areas should consider only the operational activities and resources that pertain to their processes. The support activities and resources will be analysed by the support areas.
The most critical activities and resources for each key business process will be afforded the highest priority in recovery. Therefore it is necessary to rank these also within each process.
Once a ranking has been agreed for each activity and resource these should be entered on the worksheet. The Chief Executive Officer and/or an appropriate management committee should agree the ranking of activities and resources.
The following example shows worksheets for an operational process and a support process completed to this step.
Priority listing of key business processes, activities and resources

Example: business support process
Objective: support the organisation by providing timely, accurate, reliable quality services
Rank 1, process: Payroll
  Critical success factors: Payment of fortnightly salaries and allowances to all staff on time
  Activities and resources:
  1. Payroll team
  2. ||| system
  3. Payroll system
  4. Communications link to bank
  MAO: (blank)
Rank 2, process: Billing
Rank 3, process: Paying Accounts

Example: operational process
Objective: process and pay benefits to bona fide recipients on time, for the correct amount
Rank 1, process: Pay benefits
  Critical success factors: Payment on time
  Activities and resources:
  1. Benefits payment teams
  2. Benefits payment system
  3. Communications link to bank
  4. Cheque production system
  Also note reliance on mail room for timely dispatch of cheques
  MAO: (blank)
Rank 2, process: Process new applications
Rank 3, process: Modify payee details

Notes:
1. The MAO (maximum acceptable outage) has not been completed at this stage; that is the next step in the process.
2. The benefits payment process has noted its reliance on a business support process, that is, the mail room (Registry). A separate analysis should be conducted for Registry.
3. The results of all analyses are combined to determine reliance on common resources and activities and inter-dependencies between resources and activities.
Step three: Business impact analysis (BIA)
The objective of this step is to determine a maximum acceptable outage (MAO) for each critical activity and resource identified in step two.
The BIA is undertaken for all key business processes and sets the recovery priorities, should those processes be disrupted or lost.
The following concepts are relevant.

Business continuity concepts relevant to the BIA
Concept: Outage (extraordinary event; loss of key business processes; high impact)
Description: An outage is an extraordinary event, causing a disruption to, or loss of, key business processes, which has a high impact on the organisation. This is distinct from downtime or systems failures that may occur as a part of normal operations where the impact simply reduces the effective utility of processes in the short term.
Concept: Maximum Acceptable Outage (MAO) (threat to achieving business objectives)
Description: The MAO is the time it will take before an outage threatens an organisation achieving its business objectives. The MAO defines the maximum time an organisation can survive without key business functions before recovery procedures must commence.

Business impact analysis scenario
It is useful to establish a scenario in which the organisation has suffered an outage. This assists the people undertaking this exercise to consider their business processes in that context.
The following scenario is recommended as a starting point:
- a flood or fire has occurred and the building is inaccessible, all computer systems and supporting services are unavailable for a period of at least 30 days,
- assume a worst case, that is, the total destruction of workplace resources and information technology systems at the worst possible time, and
- authorisation has been given for additional staff, overtime, employee food, travel and accommodation expenses etc, for assistance in restoring essential business activities.
Do not consider any current continuity plans when determining impacts resulting from loss of services.
All days referenced are calendar days, not business days.
Establishing a framework for assessing the impact of a
business interruption
We are making an assessment from the point of view an outage has occurred. This outage has affected the performance of key processes in that critical activities have ceased and critical resources are not available. We need to make a judgement on how long the organisation can survive without these key processes before it threatens the ability of the organisation achieving its objectives.
Once it occurs, an outage may have many ramifications. We need to assess the impact of the outage against an agreed framework to determine and establish the maximum acceptable outage (MAO) for each business process. This needs to be considered at two levels:
- assessing the overall impact of loss of a process; this has probably been achieved (at least in part) by ranking the processes in order of priority to the organisation, and
- assessing the impact of the loss of the corresponding activities and resources to determine how long the process can be without that activity or resources until its own success is threatened.
The framework
An objective and consistent basis on which to assess the impact of an outage needs to be established. This will ensure the organisation is considering the same factors when determining the MAO. The level of impact can be assessed for each activity and processed using a scale similar to the table below.

Example: scoring level of impact of business disruption
Level of Impact | Assessment | Score
Extreme | Threatens political and business viability | 5
Major | Significant impact on business drivers | 4
Moderate | Major impact on short term business operations | 3
Minor | Inconvenient but no real ongoing business impact | 2
Nil | Reconsider the inclusion of this as a critical resource | 1

The MAO is set at that point where there would be a major impact (Score 4) on the ability of the activity or resources and therefore the process would fail. In effect, we are saying the business process can do without this activity or resource for any time under that point where there is a major impact and it will not affect the organisation achieving its objectives.
Below is an example of detailed criteria with which to determine the level of impact of an outage for a particular activity or resource. These criteria should be consistent with any such criteria established for the top down risk management process.

Example: detailed evaluation criteria for assessing business impact
Area of impact: Outputs (time, cost, quality); Resources (staff, information, financial assets); Reputation; Clients/stakeholders; Compliance

Rating 5 (Extreme)
- Outputs: Greater than ten per cent impact on achievement of key performance targets
- Resources: Death of staff; Financial loss in excess of $1 million; Destruction or serious damage to most assets
- Reputation: Royal Commission; Organisation found liable in legal action
- Clients/stakeholders: Death or serious injury to clients; Financial loss to clients in excess of $1 million
- Compliance: Breach of Constitution

Rating 4 (Major)
- Outputs: Up to ten per cent impact on targets
- Resources: Injury to staff, loss of critical mass of staff; Financial loss of up to $1 million; Destruction or serious damage to key physical or information assets
- Reputation: Parliamentary Inquiry; Organisation, CEO and the Board the subject of legal action
- Clients/stakeholders: Significant loss of access to service e.g. inability to provide mandatory opinions within legislative timeframe
- Compliance: Breach of Commonwealth law and regulations

Rating 3 (Moderate)
- Outputs: Up to five per cent impact
- Resources: Permanent loss of key staff; Financial loss of up to $100,000; Damage to physical or information assets
- Reputation: Ministerial question in the Parliament
- Clients/stakeholders: Major disruption of access to service
- Compliance: Failure to comply with Financial Directors and Chief Executive Instructions

Rating 2 (Minor)
- Outputs: Up to one per cent impact
- Resources: Temporary loss of key staff; Financial loss of up to $10,000; assets in value
- Reputation: Adverse comments in press
- Clients/stakeholders: Minor disruption of access to service
- Compliance: Failure to comply with internal guidelines

Rating 1 (Negligible)
- Outputs: No impact on achievement of output targets
- Resources: Key staff available for a few hours
- Reputation: Internal impact only
- Clients/stakeholders: No impact on clients/stakeholders
- Compliance: Failure to comply with internal instructions
The assessment of the MAO practice
Using the earlier example, the MAO for each activity and resource is scored; the score is based on consideration of the impact of its loss. The assessment in the following table is based on the impact criteria detailed on the previous page.

Example: assessing MAO for activities and resources
For each activity or resource required, the impact of interruption is scored for outages of 1-2 days, 3-5 days, 6-15 days, 16-30 days and > 30 days, followed by the MAO.

Key business process: Payroll
1. |||salaries team: 1, 4, 4, 4, 5; MAO 2 days
2. Salaries system: 1, 2, 4, 4, 5; MAO 15 days
3. || system: 1, 1, 1, 2, 4; MAO 30 days
4. Communications link to bank: 1, 1, 2, 3, 4; MAO 30 days

Key business process: Payment of benefits
1. Benefits payment team: 1, 2, 4, 4, 5; MAO 5 days
2. Benefits payment system: 1, 1, 2, 4, 4; MAO 15 days
3. Communications link to bank: 1, 1, 4, 5, 5; MAO 15 days
4. Cheque production: 1, 1, 2, 3, 4; MAO 30 days

Notes:
1. The MAO for each activity/resource is set at the point where a 4 rating and above is assessed.
2. The MAOs established should be agreed to by the Chief Executive and the Business Continuity Management Steering Committee. Details of the agreed MAOs should be entered on the worksheet in Appendix 1.
Consolidation of MAOs by resource
The above example demonstrates a common resource that is used in both processes. To assist in determining inter-dependencies and in establishing the MAO for common resources the organisation may wish to consolidate the MAO schedule on a resource basis. The following table can be used for this purpose.

Example: consolidation of common resources
Resources | Impact of interruption: 1-2 days | 3-5 days | 6-15 days | 16-30 days | > 30 days | MAO
Operational staff (by business unit) | | | | | |
Support staff (by service area) | | | | | |
Operational IT systems (by system) | | | | | |
Support IT systems (by system) | | | | | |
Communications: voice | | | | | |
Communications: data | | | | | |
Facilities: buildings (by location) | | | | | |
Facilities: plant and equipment (by category) | | | | | |
Information: physical records | | | | | |
Information: electronic data | | | | | |
Step four: Design continuity treatments
The objective of this step is to determine cost-effective treatments for responding to an outage, establishing interim processing arrangements and restoring the lost activity(ies) and resource(s).
The accompanying Guide (at page 39) discusses a range of possible treatment options for various resources. Each option needs to be evaluated first in terms of its time to implement and then in terms of its cost.
The time to implement each option is compared to the MAO for the resource/activity. Only those options that can be implemented within the MAO need to be considered further. The relative cost of these options is then compared to determine the most cost-effective solution.
A simple example involves the choice between a hot site and a cold site for back-up computer processing. If both options can be implemented within the MAO for the activities and resources they replace, it will generally be less expensive to maintain a 'cold' site. However, if maintaining a hot site is the only means of re-establishing the activity or resource within the MAO, then cost is not so much the issue, but how to achieve it at the best cost.
The following costs may be relevant in the recovery period for interim processing arrangements:
- outside services,
- temporary employees,
- emergency purchases,
- rental/lease of equipment,
- wages paid to idle staff, and
- temporary relocation of employees.
The worksheet at Appendix 2 can be used to document this process and as a rationale to support the treatment options selected.
Appendices
1. Worksheet for key business processes identification and business impact analysis
2. Worksheet for evaluation of treatment recovery options
Appendix 1. Worksheet for key business processes identification and business impact analysis
1.1 Business unit/service area details
Business unit/service area:
Contact name:
Title:
Phone number:
Location:
Email:
1.2 Business unit key objectives, outputs, and performance indicators
Business unit objectives (in priority order) | Outputs or services for each objective | Performance indicators
1 | |
2 | |
3 | |
1.3 Identification of key business processes and business impact analysis
Business objective:
Column 1: Key business process | Column 2: Critical success factors | Column 3: Activities and resources required | Column 4: MAO
1 | | 1 |
  | | 2 |
  | | 3 |
2 | | 1 |
  | | 2 |
  | | 3 |
3 | | 1 |
  | | 2 |
  | | 3 |
4 | | 1 |
  | | 2 |
  | | 3 |
Appendix 2. Worksheet for evaluation of recovery treatment options
Resource(s):
Options | Time to implement (days) | Within MAO (Yes/No) | Full cost (list components) | Cost-effective (Yes/No)
Response
1 | | | |
2 | | | |
3 | | | |
Interim processing
1 | | | |
2 | | | |
3 | | | |
Restoration
1 | | | |
2 | | | |
3 | | | |
Other issues
1 | | | |
2 | | | |
3 | | | |