This work is copyright. Apart from any use as permitted under the Copyright Act 1968, no part may be reproduced by any process without prior written permission from the Australian National Audit Office. Requests and inquiries concerning reproduction and rights should be addressed to: The Publications Manager, Australian National Audit Office, Canberra ACT 2601. Information on Australian National Audit Office publications and activities is available at the following Internet address: http://www.anao.gov.au

Business Continuity Management
Guide to Effective Control
January 2000
Keeping the wheels in motion

Better practice

The Australian National Audit Office produces better practice guides as part of its integrated audit approach which includes information services to audit clients. A Better Practice series has been established to deal with key aspects of the control structures of entities, an integral part of good corporate governance. This Guide forms part of that series. It deals with business continuity management within a risk management framework. The accompanying Workbook is designed to assist organisations in the development of a comprehensive business continuity plan.

Acknowledgments

The Guide has been prepared with the valuable assistance and insights from a number of Commonwealth organisations, namely: Air Services Australia, Australian Nuclear Science and Technology Organisation, Australian Maritime Safety Authority, and Therapeutic Goods Administration.
Input from Standards Australia and Emergency Management Australia has also been invaluable in refining the approach developed for this Guide so that it fully integrates into the risk management framework within an organisation. Finally, the valuable assistance of Deloitte Touche Tohmatsu in developing the business continuity plan (BCP) project steps discussed in Part Two is also recognised. The ANAO records its appreciation of this assistance.

Auditor-General's foreword

The uninterrupted availability of all key resources to support essential business processes or, simply, business continuity, has been taking a considerable amount of managers' time and attention recently. Much of the impetus to review business continuity resulted from a need to treat business continuity risks associated with any systems failures at the change to the year 2000 or, as it is more commonly known, the Y2K bug. Considerable resources were expended to ensure minimal disruption from the anticipated problems. The current focus of business continuity efforts on Y2K remedies and contingency planning was acceptable in the circumstances. However, beyond this, organisations should address and regularly review all aspects of their business continuity management.

This Guide presents a structured approach to business continuity management. The approach involves identifying preventative treatments for continuity risks that can be routinely managed, and developing an organisation-wide business continuity plan to deal with the consequences should the preventative treatments fail. The approach should be tailored to meet organisational needs while satisfying the major steps identified for business continuity management in the context of overall risk management.

Managers should have an ongoing focus on business continuity as an element of the overall risk management framework in their organisation. While the profile of business continuity is still high, it would be opportune to build on the work and analyses done in relation to the risks associated with Y2K, to ensure business continuity risks are identified, assessed, analysed and treated, as well as being monitored and reviewed. The Guide further develops the approach promoted by Emergency Management Australia in its publication, Non-stop Service.
The increasing level of devolved authority and management in the public sector, a greater use of contracted service delivery and the pursuit of improved efficiencies and performance, means that the need to manage proactively an organisation's overall risk has never been greater. It would be ill-advised to ignore risks to business continuity because their likelihood is too remote: to ignore them could well prove costly for both the organisations and their clients (citizens).

Continuity of public sector business is a critical issue to be considered by Boards, chief executives and senior management in Australian public sector organisations and for business activities. Many services delivered by government organisations are critical to the economic and social well-being of our society; a failure to deliver these could have very significant consequences for those concerned.

There are sufficient examples in the public sector to demonstrate the unlikely can, and does, happen, usually when we least expect it. Often these events are outside the direct control of the organisation, but this does not mean you should not plan for their impact. The following incidents provide compelling reasons for business continuity to be taken seriously:

severe hailstorms in Sydney, NSW, (1999): damage to many government and business buildings meant emergency measures had to be taken to relocate operations while continuing to provide a service to their clients;

the Victorian gas crisis (1999): following an explosion at a gas production facility, the entire State faced weeks without gas supplies and the costs to business and government were estimated in the millions of dollars;

Brisbane, Queensland and Auckland, New Zealand, power outages (1998): following generator and grid failures, the cities were without electricity; government and business alike had to operate in a city without reliable power supplies for an extended period;

fires at the Bankstown Council, NSW, (1997) and Knox Council, VIC, (1994): in which the council chambers were burnt down and vital records as well as IT were lost; and

Jolimont Centre incident, Canberra, ACT (1993): following a siege and fire, the Commonwealth Department of Industrial Relations was forced to relocate about 400 staff and the supporting infrastructure.

The range, source and impact of risk to which an organisation is exposed in today's business world demand that business continuity has to rank highly for ongoing management attention. Indeed, it should be an integral element of the organisation's risk planning strategy.

P. J. Barrett
Auditor-General
January 2000

Contents

Overview of this Guide

1. Continuity and risk concepts
Introduction 11
Business continuity management 12
Risk management 16

2. The business continuity process
Overview of the business continuity process 29
Project initiation 31
Key business processes identification 32
Business impact analysis (BIA) 36
Design continuity treatments 39
Implement continuity treatments 45
Test and maintain the plan 62

Appendices 65

Overview of this Guide

This Guide has been prepared mainly for the people involved in a business continuity project: from individual team members through to the Chief Executive and Board. Each participant plays an important role and has a range of responsibilities in ensuring the success of the project and continuing validity of the plan. Successful business continuity management relies on the expertise from within the organisation; it is the people that understand the organisation, its business, processes and business risks. However, the Guide does not assume everyone is an expert in the field of risk management, so it describes each phase of business continuity against an accepted, generic risk management framework.

Each risk, depending on its nature, will have a greater or lesser chance of occurrence (likelihood) and a greater or lesser business impact on the organisation (consequence). The business impact of each risk will also vary according to its nature: for a particular risk event there may be, for example, a financial consequence, a legal consequence, a staff safety consequence, and a business interruption consequence.
Organisations, through a structured, systematic process, attempt to manage all significant business risks pro-actively, by implementing appropriate preventative controls and other risk treatments. This risk management process is designed to reduce the residual risk of an event, in terms of its likelihood of occurrence and/or its consequences, to an acceptable level. However, preventative controls and other pro-active treatments are no guarantee that risk events will not occur; that is, they cannot entirely eliminate their likelihood of occurrence. Therefore, for effective risk management it is equally important that organisations design controls that are implemented once a risk event has occurred.

Business continuity management is an integral part of the risk management framework within an organisation. All organisations face a variety of risks. These may be sourced externally, and therefore largely out of the immediate control of the organisation, or internally. Internal risks arise both at the strategic (organisation-wide) level and at the operational (business process) level.

The design (and therefore cost) of such corrective controls and treatments will need to take into account assessments of the pro-active controls and the residual risk levels. The key question is how much time, effort and resources need to be invested in corrective controls, planning for an eventuality that may never occur. This Guide has been designed to assist organisations answer this question for those risk events that have a business interruption consequence of a nature and impact that warrants effective management action.

The underlying approach adopted in this Guide is to start from the point that a risk event has occurred which has interrupted business operations; that is, assuming a worst case scenario where all processes and resources are not available. In this context the cause or nature of the actual risk events are not considered to be the drivers for management action. It is the business interruption consequence that alone determines the process. This bottom-up approach complements the 'top down' approach inherent in the over-arching risk management process. It ensures completeness of consideration of all consequences arising from a business interruption risk event.
It also ensures pro-active and corrective controls are complementary and should allow organisations, for example, to achieve a cost-effective compromise between preparedness for the worst case scenario and the likelihood of such a scenario ever arising.

The Guide is divided into two major parts: the first part deals with business continuity management concepts in a risk management context; the second part identifies the processes and procedures required to be undertaken to produce a business continuity plan. A number of supporting pro-forma schedules, working papers and questionnaires have been prepared to facilitate the overall process described in the Guide. These are contained in the Business Continuity Workbook that accompanies this Guide.

Part One: Continuity and risk concepts

Introduction
Business continuity management: Objective; Outputs; Underlying approach; Terminology
Risk management: Overview of the risk management process; Step one: establish context; Step two: identify and assess risks (Risk identification; Risk analysis; Risk treatment design); Step three: implement treatments; Step four: monitor and review

Introduction

An organisation's business strategies and decisions are based on an assumption of the business continuing. An event that violates this assumption is a significant occurrence in the life of an organisation, impinging directly on its ability to fulfil its business objectives and the livelihood of those involved. Among other things, risk management is about putting in place treatments that seek to prevent business interruption events (outages) from occurring in the first place. It also encompasses establishing appropriate responses (treatments) should such an event occur.

Business continuity management is therefore that part of risk management that establishes cost-effective treatments should an outage occur. As such, it deals with actual events (a risk event which has occurred) and the action required to respond to the event.
To this extent, it complements the overall risk management process, which deals foremost with the possibility of occurrence of risk events (including outages) that may occur, and the analysis and pro-active treatment of such events.

This section of the Guide outlines the risk management process and discusses how business continuity management fits within this process. It is not intended to cover all aspects of risk management. Instead, the Guide will focus on those parts of the process where business continuity risks should be specifically addressed. However, before dealing with the risk management process, the Guide introduces a number of key business continuity concepts. It is important that readers of the Guide familiarise themselves with these concepts and, in particular, the terminology used, before embarking on the business continuity management process. Part Two of this Guide takes the reader through the detailed steps for the business continuity management process.

Business continuity means maintaining the uninterrupted availability of all key business resources required to support essential business activities.

Business continuity management

Objective

The objective of business continuity management is to ensure the uninterrupted availability of all key business resources required to support essential (or critical) business activities. This holistic view of business continuity management differs from what many managers traditionally term Disaster Recovery Planning, which has been closely, if not solely, associated with information technology. In changing the focus, the emphasis is placed on the whole business, not just on technology issues alone. This reinforces the concept of continuity of all key processes, extending beyond information technology systems, important though they are in modern business.

Outputs

The main output from the business continuity management process is a Business Continuity Plan (BCP). The BCP comprises many elements which, collectively, define the approach to dealing with a break in business continuity, and which prescribe the steps an organisation should take to recover lost business functions. Amongst other matters, the BCP will bring together the service area Contingency Plans, Disaster Recovery Plan (DRP), and Business Resumption Plan (BRP). The business continuity management process and the BCP need to bring together all such elements to ensure they adequately address the organisation's business interruption risks.

There are probably already some parts of the BCP the organisation has in place as part of its normal business operations. They include: IT disaster recovery plans, emergency response procedures, off-site filing of records, backup and recovery procedures, evacuation plans, communications strategies, and media liaison strategies. Alone these do not constitute a complete BCP, but are important elements of a robust continuity plan.

"The difference between business continuity and disaster recovery is not a what but a whose. Business continuity now appears on the boardroom agenda, but there was a time when disaster recovery was relegated to one corner of the computer room. Planning for business continuity should be a top-level concern for enterprises, considering the potentially devastating financial and organizational impact of a disaster." An Introduction to Business Continuity Planning, InSide GartnerGroup This Week (IGG), C. Gooding, January 8, 1997. GartnerGroup, 1999.

In the business continuity management process it is important to consider what plans are already in place, so effort is not wasted.

Underlying approach

The BCP is initiated when a risk event occurs that has a business interruption consequence. The business interruptions that are of concern from a continuity viewpoint are referred to as outages. These events will cause a significant disruption to, or loss of, key business processes. It follows that such events will have a high impact on, and severe consequences for, the organisation. Outages need to be distinguished from other business interruptions such as those arising from systems downtime or failures that may occur as a part of normal operations, such as a brief loss of a communications link which needs to be re-established with a service provider. The concept of an outage has a time dimension as well as a business process dimension.
The business continuity management process includes establishing the maximum periods for which each function can be disrupted or lost altogether before it threatens the achievement of organisational objectives. The analysis of the impact of an outage focuses on consequences. It is not concerned with the likelihood or cause of occurrence, as they are not elements of the BCP. Matters of likelihood and cause should already have been addressed as part of the top down risk management process, and preventative controls should already have been established to reduce the likelihood and consequences of all risk events (including business interruption events) to levels that are acceptable to management.

The bottom-up approach to business continuity management complements the top down approach adopted for overall risk management by asking 'what happens if the controls fail'. It puts in place planned, coordinated responses which escalate according to the nature of the outage. This extends to a complete loss of all business processes and resources, referred to as a disaster. While disasters thankfully are an extremely rare occurrence in the life of most organisations, the consequence (or business impact) analysis assumes that a disaster can occur. This worst case scenario modelling will ensure that all impacts arising from an outage are considered regardless of the likelihood of occurrence.

As discussed above, consideration of causes and sources of threats is not part of the BCP. It is important that continuity plans are not developed solely from this perspective, as it is unlikely organisations will be able to identify all possible causes of outages or the source of all threats. In the past, many plans have failed as they have confined themselves to one type of outage based on a limited threat analysis, usually a physical disruption.

What is the maximum time the business can survive without key business functions before the BCP must be initiated and recovery procedures must commence?

Terminology

The above discussion introduced a number of key terms and concepts. The following table summarises these terms and their meanings for ease of reference and understanding.
Concept; Description; Examples/Comments

Outage (extraordinary event; loss of key business processes; high impact). An outage is an extraordinary event, causing a disruption to, or loss of, key business processes, which has a high impact on the organisation. This is distinct from downtime or systems failures that may occur as a part of normal operations where the impact simply reduces the effective utility of processes in the short term. Examples/Comments: During an outage parts of the Business Continuity Plan (BCP) may be activated in order to deal with the situation. The full activation of a plan (ie. for a total disaster) must be defined for each plan during the plan development phase. In a self-funding organisation, a key business process would be a billing system as the organisation depends on cash flow for its survival. In a budget-funded organisation that pays benefits, a key business process may be a benefits payments system that is essential to servicing client needs.

Maximum Acceptable Outage (MAO) (threat to achieving business objectives). The MAO is the time it will take before an outage threatens an organisation achieving its business objectives. The MAO defines the maximum time an organisation can survive without key business functions before business continuity plans and recovery procedures must commence. Examples/Comments: A disaster is used in this Guide to mean an event that leads to a business interruption that will extend beyond the period specified for an MAO.

Business Impact Analysis (BIA) (key business processes; recovery priority). The BIA is undertaken for all key business processes and establishes the recovery priorities, should those processes be disrupted or lost. Examples/Comments: Key business processes should have been identified as part of other business planning or risk management processes. If this has not been done, the BIA will need to do so.

Key business processes (business activities and resources). Key business processes are those processes essential to delivery of outputs and achievement of business objectives. Business activities and resources are the essential elements that combine to make up each key business process. Loss of a key business process in excess of the MAO is a business interruption event.

Business activities. A business activity is a series of actions combining to produce an identifiable output and/or result. Examples/Comments: The billing process may require customer sales information, a system to record information and calculate and print invoices, and a registry or mail system to send invoices and receive remittances. A benefits payments process may rely on staff to interview clients and fill in forms; entering that information on a computer system; periodic payments to bank accounts; and include an inquiry facility to follow up on discrepancies.

Resources. Resources are the means that support delivery of an identifiable output and/or result. Resources may be money, physical assets or, most importantly, people. Without resources, activities (and therefore business processes) would simply not occur. Examples/Comments: The customer billing system relies on people to undertake procedures; operate computer systems; produce information; office supplies for preparing and mailing the invoices; buildings and power to house the people; and computers. A benefits payments system relies on people, computers, office supplies, building and power and also on having sufficient funds available to make payments when due.

Procedures. Procedures are the steps undertaken by an individual to achieve a result. Identification of these procedures is important in continuity planning as it is these steps which will need to be recreated or redesigned to be used during an outage. Examples/Comments: Customer billing and benefits payments may rely on a series of steps to ensure information is correct prior to bills being issued or benefits paid. If an outage causes the loss of the computer system supporting these validations, alternate processes may need to be developed to ensure continuity of that business function.

Risk event. A non-trivial event that affects the ability of an organisation to achieve its business objectives. Examples/Comments: Risk events may be considered in terms of their causes, likelihood and impacts.

Business interruption event. A risk event that has a business interruption consequence. Examples/Comments: Business interruption events are outages and other operational events that do not affect business continuity.

Risk management

Overview of the risk management process

The risk management process generally used in Australia today, and as espoused in the MAB/MIAC Guidelines for Managing Risk in the Australian Public Sector [1], is modelled on the Australian/New Zealand Standard AS/NZS 4360:1999 'Risk Management'. The Standard proposes a logical and systematic methodology for identifying, analysing, assessing, treating and monitoring risks. In this context, risks may be considered as events that will, should they occur, impact on the achievement of organisational objectives. While risk is generally considered in a negative light, that is, as having an adverse impact, the Standard contemplates not only events that may lead to loss or harm, but also those that may lead to gain or advantage.

A business continuity event (described as an 'outage' in this Guide) is an adverse risk event. The main objective of managing such events is to prevent them from occurring in the first place, where it is both within the control of the organisation and where it is cost-effective to do so. Treatments designed to prevent risk events occurring are commonly referred to as preventative controls. However, even the best-designed controls can break down in operation and an outage may occur. In addition, certain risk events may be outside the control of the organisation (referred to as external risks). This is particularly the case in relation to natural (eg. fire, flood), political (eg. change of government policy, changes to legislation), and economic (eg. financial market collapses, economic downturn) events. The main objective, when any risk event (including an outage) becomes a reality, is to have in place treatments that will mitigate the business impact of the event. In the case of an outage, the preferred outcome is to maintain the continuity of service.

A comprehensive approach to risk management will therefore consider risk treatments both proactively, by designing and implementing controls to prevent risk events occurring, and reactively, by mitigating the consequences of such events should they actually occur. This philosophy can be best summed up as plan for the best but be prepared for the worst. In practice, this requires risk managers to undertake an analysis of risks and risk treatments from the top down, starting with possible risk events and designing controls, and from the bottom up, assuming a risk event has occurred and preparing appropriate contingency plans. These approaches are complementary and should be undertaken in parallel, using the process described in the Risk Management Standard.

[1] MAB/MIAC Report No. 22, Guidelines for Managing Risk in the Australian Public Service, October 1996.

Figure 1 outlines a risk management process developed from the Standard which is relevant to business continuity management. There are four major steps in this process: establish the organisational context; identify and assess risks and design treatments; implement risk treatments; and monitor and review risks and treatments.

Figure 1: Overview of risk management process. The figure shows the four steps in sequence, with the activities under each:
Establish context: determine key business objectives, processes and resources.
Identify and assess risks: identify, analyse, rate and prioritise risks; evaluate design of existing controls and treatments; redesign controls and treatments if necessary.
Implement treatments: establish plan; implement controls and other treatments.
Monitor and review: review operation of controls and continuing suitability of other treatments; review risk assessments.

Business continuity management is an integral part of this process. The remainder of this section deals with those aspects of the risk management process that relate directly to business continuity. Each step is examined in turn.

Step one: establish context

Risk management is undertaken at both the strategic (organisation-wide) and operational (business process) levels of an organisation.
The Risk Management Standard discusses the need to first establish the organisational and risk management context (Figure 2) in order to create a framework within which the process is carried out. In particular, the organisational objectives must be clearly defined, as well as the functions, activities and related resources that are to be subject to risk assessment. This step enables organisations to determine which are the key business processes so that they may focus and prioritise their risk management efforts.

Figure 2: Establishing the organisational context. The figure shows organisational objectives at the top, branching into output groups; each output group is supported by key business processes and other business processes, which in turn rest on business support processes.

Organisations should identify their key business processes and business support processes by relating them to their overall objectives, outcomes and outputs. The activities and resources attributable to these critical processes should be afforded the highest priority in undertaking risk assessments.

Link with business continuity management

The first step toward developing a business continuity plan is to undertake a business impact analysis. This analysis defines the maximum acceptable outage for each key business process and sets the recovery priorities for the activities and resources underlying them. Key business processes may have been identified earlier during an overall risk management project. These become an input to the business impact analysis.

Step two: identify and assess risks

This phase of the risk management process requires organisations to: identify all non-trivial business risks; assess those risks; and design treatments that reduce the risks to an acceptable level. These aspects of the overall risk management process are highlighted in Figure 3. Once risks have been identified, they are analysed in terms of their likelihood and consequences.
The diagram illustrates a two-step approach which analyses risk before and after consideration of controls.

Figure 3: Outline of the risk assessment phase of the risk management process. The figure shows the flow through Identify, Analyse, Evaluate, Treat and Document:
Identify: determine possible risk events using the risk framework.
Analyse: determine likelihood and consequence without controls.
Evaluate: determine risk level and compare with acceptable risk. Acceptable? If yes, record in the risk register. If no, evaluate design of existing controls and treatments, then determine likelihood and consequences with controls, and determine risk level and compare with acceptable risk. Acceptable? If yes, record in the risk register. If no, treat.
Treat: redesign controls and other treatments.
Document: record in risk register.

Risk identification

Typically, organisations use a risk classification framework to ensure that all likely risks are identified. An example of such a framework is illustrated in Figure 4.

Figure 4: Risk classification framework.
External risks:
Economic/market: competitive collusion; currency fluctuations; economic downturn.
Technological: Internet 'spoofing', hacking; telecommunications failure; e-commerce causes a loss of market share.
Political/regulatory: change of government policy; new legislation; changes to administrative arrangements.
Environmental/natural: fire; flood; earthquake; cyclone.
Internal risks:
Strategic: wrong direction; structural mis-fit; staff alignment with vision; staff capability/skills gaps; inadequate capital base; product/service design.
Operational: failure to meet output targets for time, cost, quantity or quality; unauthorised access to/disclosure of sensitive information; incorrect information used to formulate policy advice; OH&S issues (accidents, unsafe work practices); negligent mis-representation; breaches of law/regulations; information system failure; employee fraud.

Risks may arise both from external sources and internally, emanating from within the organisation and arising from its strategic and operational processes.

Each risk event may have a number of consequences that will impinge on an organisation's ability to achieve its business objectives. The next step in the risk assessment phase is to analyse these impacts and determine the likelihood of occurrence so that a risk level can be established for each risk.

Risk analysis

The objective of this analysis is to separate the risks identified in the previous step into minor (acceptable) risks and major (unacceptable) risks. This is achieved by comparing the risk level to pre-determined criteria of acceptability. There are a number of approaches to risk analysis that may involve quantitative, qualitative or semi-quantitative evaluation. For whatever approach is adopted, the likelihood and consequences of each risk event are determined and the combination of these two evaluations provides the risk level. It is good practice in this step to undertake a first pass review of all risks prior to considering existing controls and other risk treatments, to eliminate trivial and minor risks from further, detailed consideration.

Links with business continuity management

The consequences (business impacts) in a business continuity management context relate to business interruption (outage).
In analysing identified risk events, management should consider whether each event could interrupt the normal course of business operations. Events which have a direct, detrimental effect on an organisation's resources (staff, facilities, telecommunications, information systems), such as fire, power supply failure and fraud, are likely to have some business interruption consequences.

The analysis of consequences involves establishing evaluation criteria to guide management in forming a view on how significant a particular event is to the business. This is usually undertaken by establishing criteria on an escalating scale against impact areas. To aid in completeness of the analysis, these impact areas may be categorised as outputs, resources, reputation, compliance and business interruption. For a risk event that has a business interruption consequence, the relevant evaluation criterion is the duration of the business interruption. In the business continuity management process, a maximum acceptable outage is established for each key business process and resource. Where a risk event is likely to cause a business interruption that will exceed the time limits defined in the maximum acceptable outage, this is an extreme consequence and accordingly would receive the highest rating. Figure 5 illustrates the risk analysis process for risk events that have a business interruption consequence.

Whereas the likelihood of a risk event occurring is not part of the Business Continuity Plan, it is relevant at this stage when determining pro-active treatments and controls. The more likely an event is to occur, which will also have a major or severe impact, the more cost-effective preventative controls will need to be.

Figure 5: Consequence analysis of events with business interruption impacts

As part of the risk assessment process, a benefits payment service organisation identifies the unintentional deletion by its employees of client information as a risk event. Without this information it is unable to process new client applications, variations to client details, or pay its clients. It has a fortnightly payment cycle. This event is recorded on an analysis sheet (extract below) and the various business impacts noted.

Benefits Payment Business Process (extract)
Business objective: pay benefits to bona fide clients only, on time and for the correct amount.

Analyse consequence of risk events (without considering controls). Columns: Risk events; Business impact of event occurring (Outputs; Resources; Reputation; Business Interruption; Clients/stakeholders; Compliance); Rating.

Internal Risks: Operational processes

Incorrect classification of client benefit type. Business Interruption: no impact.

Unintentional deletion of Client Master File records by staff. Outputs: does not achieve timeliness KPI of 99 per cent of payments. Resources: extra staff and consultants costs to recover lost data estimated to be $500,000. Reputation: will require Ministerial explanation and likely to lead to questions in the Parliament. Business Interruption: minimum four weeks to reconstruct file records. Clients/stakeholders: unable to process client payments on time. Compliance: no impact. Rating: 5 (Extreme).

Intentional deletion of Client Master File records. As above.

Employee fraud (bogus client created). Business Interruption: no impact.

The risk event highlighted above forms a part of the internal risks to the organisation and relates to its operational processes. A number of other business impacts have been identified for this event in addition to the business interruption impact. The overall impact has been rated as extreme for this event. The consequence rating was determined by reference to the following evaluation criteria:

Consequence evaluation criteria by impact area. Columns: Rating; Outputs; Resources; Reputation; Business Interruption; Clients/stakeholders; Compliance.

5 Extreme: Outputs: more than 10 per cent variance from KPI targets. Resources: death of employee; more than $10 million 'loss'. Reputation: Royal Commission. Business Interruption: more than 2 weeks (ie. greater than MAO). Clients/stakeholders: death of client. Compliance: breach of Constitution.
4 Major: Business Interruption: 1 to 2 weeks.
3 Moderate: Business Interruption: 1 week.
2 Minor: Business Interruption: 1 day.
1 Negligible: Business Interruption: none.

The Maximum Acceptable Outage (MAO) for this information resource and business process was set at two weeks (Part Two of the Guide discusses how an MAO is set). The estimated time to reconstruct client records exceeds this duration; accordingly, for this criterion an Extreme rating applies. Note that while other impacts for the event may achieve a lower rating, the highest rating overall should be used in the risk assessment process.

Risk treatment design

The final part of risk assessment is to design appropriate risk treatments.
The treatment options available to an organisation range from accepting the risk (where it cannot otherwise be cost-effectively managed) to controlling the risk, and to transferring the risk. In a two-stage approach to risk analysis, the risk level is first determined for all risks, which are then categorised between minor and major before considering existing controls and treatments. The major risks are then evaluated in the context of existing controls and other risk treatments. Where the risk level remains unacceptable, notwithstanding existing controls and treatments, it is incumbent on management to design new controls or to consider other treatment options.

Links with business continuity management

Controls established by management to treat risks can be defined either as preventative (stop the risk event from occurring in the first place) or corrective (detect the risk event when it occurs and respond accordingly). Preventative controls operate mainly to reduce the likelihood of occurrence of a risk event, whereas corrective controls operate mainly to minimise the consequences once a risk event has occurred. An example of a preventative control is the use of passwords to gain access to the information systems of an organisation. If correctly implemented, this control will prevent unauthorised access. An example of a corrective control is the review of a computer log of access attempts. If correctly implemented, this should detect an unauthorised access and highlight what information, if any, was altered.

In a business continuity management context, the organisation starts from the assumption that the preventative controls have failed, or there were no preventative controls in place, and a business interruption occurs. The organisation needs to respond to such events in proportion to their significance; matters of likelihood and root cause are therefore no longer relevant. The organisation will need to determine what must be done, by whom, and at what time after a risk event has occurred that would otherwise lead to the organisation's resources or processes being adversely affected for a period in excess of the maximum acceptable outage. It will also have to determine what needs to be done in advance of an outage so that its consequences can be mitigated. For example, most organisations institute back-up and recovery procedures for the information stored on their computer systems.
In the event that there is a loss of data, the consequences are reduced to the extent of the gap between the data set that was lost and the last saved version of that data set.

Step three: implement treatments

This step of the risk management process requires organisations to establish a plan for implementing any new treatments, additional controls or modifications to existing controls arising from the risk assessment phase. It must then ensure that the implementation plan is executed by establishing responsibility and timeframes for any actions required and accountability for outcomes. The Risk Management Standard recommends the following minimum documentation [2]: who has overall responsibility for the implementation of the plan; what resources are to be utilised; budget allocation; timetable for implementation; and details of mechanism and frequency of review of compliance with the treatment plan.

[2] AS/NZS 4360:1999 Risk Management, see Appendix.

Links with business continuity management

The Business Continuity Plan is a risk treatment. It is not the implementation plan referred to above. The implementation plan should include the need to establish a BCP if one does not already exist. If the risk assessment process has functioned effectively, it will have identified controls and treatments that reduce the likelihood and consequences of all risk events, including business interruption events, to an acceptable level. The BCP is a corrective control that is activated only after a business interruption has occurred.

Step four: monitor and review

The objective of the final step in the risk management process is to monitor risks and the effectiveness of controls over time to ensure changing circumstances do not alter risk priorities or weaken the operation of controls. Many organisations integrate risk assessment into their corporate and annual business planning processes. This ensures regular, periodic review of both strategic and operational risks. Review of controls, to ensure they operate as management intended, has traditionally been the major role of the internal audit function.
However, the major drawback is that it may lead operational managers to conclude that internal audit, not the operational manager, is responsible for the system of control. To counteract this view, many organisations have implemented Corporate Governance programs that highlight managers' responsibilities for controls [3]. The use of control 'sign-offs' and the introduction of control self-assessment are two useful initiatives in this area.

[3] The ANAO has published two Better Practice Guides discussing corporate governance and control relevant to this issue: Better Practice Guide to Effective Control: Controlling Performance and Outcomes, 1997 and Corporate Governance in Commonwealth Authorities and Companies, 1999.

Links with business continuity management

As with any other control, the BCP needs to be monitored and reviewed for effectiveness. This requires that it be tested regularly. It also requires that the impact of organisational changes or any other changes to circumstances be considered to ensure the plan maintains its currency.

Part Two: The business continuity process

Overview of the business continuity process
Step one: Project initiation
Step two: Key business processes identification (Establish key business processes; Rank key business processes; Determine activities that constitute each process; Match resources to activities)
Step three: Business impact analysis (BIA) (Analysis of operational and financial impacts)
Step four: Design continuity treatments (Identify and evaluate treatment options; Select alternate activities and resources)
Step five: Implement continuity treatments (Implement preparatory controls; Prepare the Business Continuity Plan (BCP))
Step six: Test and maintain the plan (Test the plan; Maintain the plan)

Overview of the business continuity process

Given their close inter-relationship, it is recommended that a BCP be developed in conjunction with the Risk Management Plan for the organisation.
This Part of the Guide deals with the steps required to produce the BCP and what needs to be done to ensure that it is being maintained. There is a high degree of commonality between the steps described herein and those discussed in Part One, further reinforcing the need to undertake these steps as part of an overall risk management process. The similarity in steps also serves to highlight that it is not the process so much that differs in constructing a BCP but the underlying approach.

The steps in the business continuity management process are: initiate the project; identify key business processes; undertake a business impact analysis; design treatments; formulate a BCP; and test and maintain the BCP. These steps are illustrated in Figure 6 and each step is discussed in detail in the remainder of this Part.

As discussed in Part One of this Guide, business continuity management is an integral part of total risk management. The top down approach to risk management, which starts with business objectives and identifies risks, is complemented by the bottom up approach to business continuity, which starts with identification of resources and processes being affected by an outage.

Figure 6: Overview of the business continuity management process. Source: Deloitte Touche Tohmatsu Protech/BIS Methodology, 1999

Step one: project initiation

A plan should be prepared documenting the objectives, scope, and boundaries of the business continuity planning project. The manager, or management committee, responsible for the project should approve the plan, including a budget. The plan need not be overly large or detailed, but needs to reflect the size and complexity of business continuity issues in the organisation. Team roles and responsibilities should also be established, and relevant reference material or existing documentation collected at this stage. Like most plans, the business continuity project plan should: continue to develop during the life of the project as more about the organisation and its risks is learned; be prepared by managers who understand the business and be approved prior to the commencement of work; and reflect the organisation's approach to risk management.

Checklist for the development of a business continuity project plan
- Document the project's objectives
- Define and document the project's scope and any limitations
- Explain any assumptions made
- Assign responsibility for project tasks
- Present the budget, including staff resources, required for the project
- Set project timeframes and deliverables for tasks
- Plan is formally approved by Chief Executive and/or appropriate management committee

Case study

Ensuring the business continuity planning project was well-focussed and understood by all participants, a public statutory body developed a requirement specification document to outline the scope, tasks, deliverables and assistance for the project. An example of this plan is in the Workbook at Step one (p. 6).

Figure (step one): Document objectives, scope and boundaries; Establish management committee; Establish budget and timetable; Executive commitment and involvement; output: Project plan. Source: Deloitte Touche Tohmatsu Protech/BIS Methodology, 1999

Figure (step two): Identify key business objectives; Identify key business outputs; Align business processes with outputs; Understand key activities, resources and dependencies; input: Project plan.

Step two: key business processes identification

The main input to the Business Impact Analysis (BIA) in step three is a list which ranks the key business processes of the organisation, that is, those processes essential to the delivery of outputs and achieving business objectives. Each key process is defined in terms of the activities undertaken and the resources consumed by those activities. A structured approach to this step requires organisations to: establish and rank key business processes; map activities undertaken within each process; and match resources to activities.
Establish key business processes

It is important, in preparation for the BIA, that management has a clear and agreed understanding of the organisation's business objectives and outputs, and the key business processes which ensure these objectives are met and outputs are achieved. Good starting points to achieve this understanding are high-level planning documents such as corporate plans, business plans and operational plans. These plans should have already documented the organisation's business objectives and assessments of strategic and operational risks.

To assist in achieving consistency in terminology and common agreement in process definition, organisations may wish to utilise a business process classification scheme. Such schemes provide generic categorisations of business processes common to most organisations. An example of such a scheme, applied to the public sector, is provided in Figure 7. This diagram outlines the 'mega' business processes categorised between strategic, operational and support processes. Within each mega process are a number of major business processes. For example:
- Strategic processes: Monitor and review would include internal audit, control and risk self-assessment, quality management programs, and program evaluation processes;
- Operational processes: Develop services could include designing application forms for grants or establishing a call centre; Sell services could include processing client applications or claims; Deliver services could include formulation and provision of policy advice; and Monitor services could include grant acquittal processing; and
- Support processes: Financial resource management includes purchasing and payments, banking, costing, and budgeting and forecasting.
Figure 7: Example of a process classification scheme for Government organisations
- Strategic processes: Understand stakeholders and clients; Develop objectives, outputs and outcomes; Define structure, processes and resource needs; Monitor and review
- Operating processes: Design services; Sell services; Deliver services; Monitor services
- Support processes: Financial resource management; Human resource management; Information resource management; Physical resource management

This scheme is based on the 'Universal Process Classification Scheme' for the private sector developed by the American Productivity and Quality Center in conjunction with Arthur Andersen, IBM, DEC and Xerox.

Rank key business processes

The key business processes need to be ranked in order of their importance to the organisation. This ranking should reflect the importance of the business process to achieving business objectives and delivering outputs. The ranking of key business processes may consider such issues as: failure to meet statutory obligations for service delivery; failure to meet key stakeholder expectations; loss of cash flows essential to business operations; and degree of dependence on business processes by internal business units or clients.

To obtain the ranking, it is important that the concerns of executive and senior management are obtained regarding business priorities and continuity issues. The use of structured interviews and/or facilitated group meetings are recommended tools for gathering this information. In a small organisation it may be possible to gather this information from one group meeting. This has the added advantage of ensuring participants are aware of all organisational priorities and can agree on the ranking of key processes, together with their corresponding activities and resources. In a large organisation it will generally be necessary to conduct a series of interviews or facilitated group sessions. In either event, it is important that the information collected through these approaches is reported back to the participants for their confirmation.
Determine activities that constitute each process

The business activities supporting key business processes then need to be identified. These are the activities that produce an output for the key business process. These may be the activities of a single operational area in the organisation, or may be the activities of a number of operational areas, which combine to produce the output. A thorough understanding of activities is essential to identify such inter-dependencies. Some activities may rely on the outputs from other activities from within the organisation (commonly referred to as enabling outputs), or even from outside the organisation. For example, e-business solutions rely not only on the internal network but also on the Internet Service Provider.

To gain the necessary level of understanding of activities and inter-dependencies, it is important to meet with operational and support area managers to discuss their own understanding of the activities. This may be supplemented by reference to process maps and other systems documentation obtained from procedure manuals or internal audit.

Match resources to activities

The resources necessary for delivery of the key business processes also need to be identified. These are the resources required by the operational areas to support the activities that deliver the outputs or results. Without these resources, the business processes would not achieve their goals. Some resources to consider are:
- people: both the organisation's staff and people external to the organisation which may be critical to the success of the activity;
- infrastructure: buildings and other property used by the organisation to deliver its services and produce its outputs;
- assets and supplies: equipment and consumables which are used by the people and the processes as part of the activity; and
- finances: some activities require money to be available to make payments on time.

Checklist to ensure all key business processes, activities and resources are identified
- Document and confirm organisational objectives and outputs
- List key business processes that underpin achievement of objectives and delivery of outputs
- Review the functional organisation chart to identify general areas of operational responsibility
- Interview managers responsible for key business processes to confirm understanding of activities (people, organisation, money)
- Document the activities and resources essential to each key business process
- Formally communicate the list of key business processes and supporting activities and resources to the project steering committee

Example: interdependent activities and resources

A customer fault repair activity of a utility had a high business priority, given its impact on public image. The activity was dependent on a call centre as a customer interface and on the stores area for equipment. These areas were in turn dependent on the information technology infrastructure for customer detail, information transfer, progress tracking and stock level information. Due to these interdependencies, the recovery timeframe for the call centre, stores and information technology were directly influenced by the recovery requirements of the fault repair activities. Investigation of the stores turnover determined that the level of stock retained in the central and satellite stores was sufficient to continue activities for up to a week. This information resulted in a lower recovery priority for the stores activities and associated information technology processes. Source: Deloitte Touche Tohmatsu Protech/BIS Methodology, 1999

Step three: business impact analysis (BIA)

In this step the information collated includes: documentation of key business processes; identification of the activities and resources critical to the key business processes; interdependencies within and between activities and resources; and a priority ranking of the processes, activities and resources which represents the organisation's agreed view. This information must be analysed, and the operational and financial impacts that would result from disruptions to, or loss of, a business process assessed. From this, the maximum acceptable outage can be determined for the critical processes and resources. That is, how long can the key business process survive without the critical activity and/or resource before it will have a detrimental effect.
Analysis of operational and financial impacts

A series of business impact analysis interviews with the managers responsible for critical activities and resources will be the quickest way to undertake the analysis. The analysis should be based on an outage in which all activities and resources (including the actual work place) are not available. Assuming the worst case outcome (total loss of the process and/or resources) will ensure all impacts arising from an outage are considered regardless of the risk likelihood, at least in the first instance. An approach founded on risk likelihood will fail to propose a treatment for highly unlikely events, despite their impact. For example, not to have a plan in place to relocate operations or recover from the loss of a building because that will never happen will leave the organisation floundering, possibly leading to its demise, should the impossible happen.

This aspect of risk management is about coping with events that are less likely, and have a major impact. Most effort in risk management, and justifiably so, is put into addressing risks with high likelihood and high impact; risk management models and methodologies devise and implement controls (or treatments) to eliminate or reduce the effect of these risks. Where an event is unlikely, yet its impact is significant, it may not be feasible to treat the risk, but it is folly to ignore the risk. Treatments for each event need to be determined.

Figure (step three): Identify key personnel; Schedule and conduct interviews; Document concerns, priorities and expectations; Determine MAO; output: Maximum Acceptable Outage Schedule; input: Key activity and resource schedule.

"The real purpose of a business impact analysis is to identify those systems that when absent would create a danger to the enterprise's survival and to ensure those systems receive the correct priority in the subsequent business continuity plan." Business Continuity Planning: Creating a Business Impact Analysis, InSide GartnerGroup This Week (IGG), January 15, 1997, C. Gooding, GartnerGroup 1999

The following checklist summarises the steps to be undertaken to complete the analysis and determine a maximum acceptable outage for each key activity and resource. Each step in the checklist is supported by guidance and schedules contained in the Business Impact Analysis (BIA) questionnaire which is in the Workbook (p. 11) that accompanies this Guide.

Checklist for analysing each key business process
- Evaluate the impacts of a loss of the process from the perspective of the organisation's budget and outcomes and outputs; consider:
  - loss of revenue/increased expense
  - service delivery standards
  - public or political embarrassment
  - loss of client confidence
  - loss of management control
  - financial misstatement
  - regulatory, statutory or contractual liability
  - specific/unique vulnerabilities, and
  - political ramifications
- Identify the critical success factors that ensure the process meets the organisation's objectives
- Identify additional expenses incurred if activities are performed manually or in a substitute manner during an outage
- Identify interim processing procedures (alternative or manual processing) techniques to be adopted during the recovery phase
- Estimate the time it will take to overcome the backlog of work accumulated during the outage
- Quantify the minimum resource requirements necessary to perform the activity
- Identify the records vital to the recovery process
- Evaluate the adequacy of current BCP in place
Source: Deloitte Touche Tohmatsu Protech/BIS Methodology, 1999

Checkpoint: management sign-off

Case studies

Small organisation: A small statutory body with 20 staff conducted a single workshop to determine the impacts of a disruption. The general manager and senior representatives from each activity attended the 2-hour workshop. A 'disruption scenario' was presented with each of the participants describing the impact to their area at various timeframes. The participants were able to build on each other's analysis and a very clear picture of the impacts, interdependencies and recovery priorities was produced.

Medium-sized organisation: A state government body with around 150 employees conducted a series of workshops.
Four 2-hour workshops were held which included a senior representative from each activity as well as management from underlying processes. Given that the activities and processes were complex, it was necessary to spend extra time to determine the impacts, interdependencies and recovery priorities. An important extra step was also needed in this process in that all responses had to be compared to responses from other activities in order to limit any bias between the separate workshops. This often means revisiting business units or getting feedback from senior management.

Large organisation: A series of Business Impact Analysis interviews were conducted for a large and complex listed company with over 2000 employees. Due to the organisation's size, each business unit was examined separately, and in some cases processes within that business unit were reviewed separately. The first series of interviews provided an understanding of the impacts for a loss of key activities and the interdependencies between the business units. Further interviews were then conducted with senior management to confirm the recovery priorities and maximum acceptable outage timeframes from an overall organisational perspective. As per the medium organisation example, this approach also aided in limiting any bias that may have arisen between business units/interviewees.

Obtain agreement from project committee/project sponsor and chief executive regarding the MAO for each key process, critical activity and resource.

Step four: design continuity treatments

This step identifies the treatments to address, and to minimise the effects of, disruptions to each critical business process for which a MAO has been established. The treatment analysis identifies the requirements to ensure the continued availability of critical processes and resources during outages. These requirements are based on the rankings agreed in the BIA and provide: the basis for specifying and selecting alternate and redundant capacity to reduce likelihood or impact of an outage; and recovery and restoration requirements to be used if an outage occurs. Recommendations for each service area are made based on the treatment options selected and, where identified, recommendations for improvement in business process to be implemented.

As part of this process, a review of vital records management and backup and recovery procedures must be undertaken. This will ensure records and data can be reconstructed following a disaster. Appendix 6 discusses the approach to quality review of the BCP, which includes evaluating backup processing and off-site storage. Appendix 9 provides checklists for review of off-site backup procedures. The outcome of the treatment analysis will form the basis of the business continuity plan. Each phase of the treatment analysis is discussed in the following sections.

Identify and evaluate treatment options

For each of the key business processes identified and ranked in the BIA, there should be treatments that: reduce the exposure to, and impact of, loss of the processes and resources on which the functions rely; and implement alternate processes and resources to be used following an outage and plans to recover from the outage and restore normal operations. Evaluating the options available to ensure the continuation of business will identify the alternate activities and resources to be used should an outage occur. Variations to, or redesign of, existing activities and resources should be considered as a means of reducing the exposure to, or impact of, loss of a key business process.

Figure (step four): Review existing controls; Identify and evaluate options; Select alternate activities and resources; Implement treatments; input: Maximum Acceptable Outage Schedule; output: Risk Treatment Plan.

In selecting alternate activities and/or resources, it is critical the following areas are addressed as part of the business continuity planning process in respect of each identified disruption, regardless of the organisation's objectives, size or complexity: people; facilities (including buildings and equipment); telecommunications; information systems; and business activities. For all critical activities and resources, it is necessary to identify other arrangements that may be used in their place, should they be lost. From those identified, alternate activities and/or resources are chosen which allow that part of the business to continue with minimal disruption. Alternate activities and resources may be a combination of different services or redundant capacity retained just in case (eg hot, or cold, computer sites).

Checklist for evaluating activity and resource alternatives
- Document a brief description of each viable option
- Determine other resources required and the costs for each option (this may require information from vendors)
- Compare recovery options to MAO:
  - Does the option meet the recovery needs?
  - Does the option exceed our needs?

People

People are often overlooked as the most critical resource in ensuring continuity of business. The impact of an unexpected loss of key personnel, or a team, can have a significant impact on an organisation's business. The impact of disruption on people should also be considered in isolation and as a resource that is interdependent with each of the areas below: facilities, telecommunications, information systems and business processes. The business continuity plan needs to include treatments for people, which includes: approaches to communication; human resource issues, including short-term replacements and training; issues relating to the disaster event; and the psychological effects of the disruption on staff morale. Source: Deloitte Touche Tohmatsu Protech/BIS Methodology, 1999

Example: treatment options for people
- Succession plans: A prescribed plan of action to replace key staff should they be unavailable. This may include identifying understudies in the organisation or agreements with professional contracting agencies or with other organisations to source qualified staff at short notice.
- Skills management plans: For identified understudies, ensure key information and the organisation's knowledge is shared so they can assume a new role with as little lead-time for learning as possible.
- Key person insurance: Insure against the financial impact of loss of key staff. This approach may recover the costs associated with loss of key staff but it is only a stop-gap solution to losing staff; proactive staff management practices are always preferable.

Facilities

The BCP should include treatments that concentrate on the most critical components of operations, usually people and their work environment. This segment addresses the physical environment (equipment and buildings) on which a business process depends. Treatments should be developed for damage assessment, salvage and restoration of equipment and buildings.
They should address the buildings in which the business process operates and the equipment and resources contained within those premises. The treatments should also aim to be developed to ensure timely restoration or relocation so the business process can be moved back to the restored premises or be relocated to new premises and continue essential business activities. Arrangements and procedures for relocating facilities should be addressed. Additional issues to be addressed include: provision for backup processing services; agreements and activities required to transfer functions; and documented procedures to support business facility recovery and restoration. Following a major disruption, facility recovery treatments aid the organisation in supplementary staffing, movement or relocation of staff, procedural and administrative changes, and site and infrastructure modifications.

Telecommunications

Communication is critical to continuity of business functions. The BCP should therefore include treatments that address recovery from loss or interruption of voice and data communications, both within and outside the organisation. In many organisations, voice networks are more critical than data networks. Treatments that deal with communication loss can include:
- the human resource procedures and administration required to support the business function;
- vendor and carrier negotiations in which contractual or service level agreements are made with telecommunication vendors;
- alternate path design and switching services: redundancy can be built into communications networks such as PABX and network systems which enable communications to be diverted to other locations if, and when, necessary;
- backup equipment and software, which includes backing up LAN data, network software and acquiring necessary redundant equipment; and
- uninterruptible power supplies (UPS) and monitoring facilities which help prevent system loss during power failures.

Information systems

Information systems manage the organisation's physical records (eg correspondence, project and management files) and electronic records or computing facilities (eg email, electronic policy and procedure manuals, forms and images), wherever they are housed. The information systems treatments included in the BCP need to consider: use of secure and fire-proof in-house storage facilities; agreements and activities required to transfer processing to other locations; provision for backup processing facilities (electronic and manual); and off-site storage of critical data. Preventative controls such as robust systems and application design, fault-tolerant hardware, uninterruptible power supplies, and monitoring facilities should also be considered. The result should be a complete and workable strategy for each part of the information process affected by identified disruptions.

Distributed handling and processing of information inherently spreads the business continuity risks across an organisation. However, as part of a comprehensive BCP, plans should be developed for each of these systems, and recognise any interdependencies between them (eg single site of the management system).

Example: treatment options for facilities, telecommunications and systems
- Purchase or lease redundant capacity: Plan for extra office space, IT infrastructure, communications, etc.
- Contingency arrangements: Enter an agreement with an outside vendor to provide service in the event of an outage (ie hot site, warm site, and cold site).
- Mutually beneficial agreements: Enter into an agreement with another organisation to use part of their facilities in the event of a disaster. These types of agreements can be entered into with other organisations to achieve the other options (ie purchasing a hot-site agreement together).

Business processes

As an outage may impact more than one business process, the treatments developed for each process need to be consolidated and, ultimately, individual business process plans are combined into an organisation-wide plan. While this is the final step in determining treatment options, the concept of coordination should drive the entire approach. This is crucial to an effective BCP as it recognises the interdependencies between business processes within the organisation. Business process treatments included in the BCP should address the activities and responsibilities of a business function to ensure continuity of essential business functions from the point of disruption to the return of normal operations.
Example: treatment options for business processes Treatments Application A|tc cuct O| tc cuct occsscs ao csouccs ca oc aaccts c'aco as a cost-c||cct|vc so|ut|o. |o ca|c, s||t t| oata occss| oct.cc t.o o|||ccs. | t'c cvct o| |oss o| oc s|tc, t'c ot'c s|tc |s st||| |uct|o|. A|tc cuct O| tc a cuct (o cvc o-cuct) scv|cc occsscs ov|oc .ou|o oc .|||| to |vc a uaatcco |cvc| o| scv|cc | a o|sastc s|tuat|o to cstoc csouccs at ||a| cost. 44 Guide to Effective Control Guide to Effective Control Select alternate activities and resources A cost-c||cct|vc statc |o ccovc, sat|s|| t'c cou|ccts o| t'c ous|css s'ou|o oc sc|cctco |o t'c ot|os |oct|| |co. !o cao|c t'|s c'o|cc to oc aoc, |t |s cccssa t'at cac' ot|o oc costco. Costs |c|uoc. o|cct costs- suc' as uc'asc |cc |o cta cou|ct, ao |o|cct costs-suc' as cost to cstao||s' ao a|ta| c. cou|ct. A|| costs cco to oc cac|u|| cos|occo as |o|cct costs suc' as a|tcacc ca o|tc cccco o|cct uc'asc costs. | a cascs |t |s oss|o|c to oc|c a||, o a s||||cat ot|o, o| t'c costs ut|| a cvct occus ao t'c cot|u|t |a |s act|vatco. |o ca|c, cstoat|o o| cssct|a| 'oc cou|cat|os aoc 'ao|co .|t' t'c uc'asc o| su|| |c|ct oo||c 'ocs .'c cou|co, | t'c 'o.|coc ost ca|cs ca ov|oc t'c .|t'| 'ous. Acccts .|t' vcoos a oc cstao||s'co to csuc t|c| oc||vc o ocao at a sct |cc. !'c sc|cctco a|tcatc occsscs ao csouccs s'ou|o oc oocuctco a|o .|t' t'c at|oa|c |o t'c| sc|cct|o. Case studies: alternate treatments People A statuto ooo 'ao cv|ous| ocvc|oco a Sta|| Cou|cat|os Statc out||| t'c ct'oos to ||o sta|| o| cvcts | t'c oa|sat|o. |o||o.| a cv|c., |t .as octc|co t'at t'|s statc .as su|tao|c |o a o|sastc s|tuat|o ao .as |cooatco | t'c |C|. | us| o||c|cs a|cao | |acc, t'c uoc o| |ssucs c|at| to co|c to oc aoocssco .as coucco. Facilities A oa|sat|o .|t' a c|at|vc| |ac a|u accctao|c outac octc|co t'cc .as o cco to oota| |ac|||t|cs |co|atc| |o||o.| a o|sastc. 
It contacted a local real estate agent and asked it to maintain a list of suitable alternative office space, so that in the event of an outage this information could be easily obtained.

Telecommunications
A large public sector organisation had an agreement for supply of a Wide Area Network (WAN) with a large telecommunications provider. Their information systems recovery strategy suggested that they should move processing to their second office; however, the WAN to this location could not support the network traffic. Following consultation, the service provider agreed to provide extra bandwidth on a contingency basis to the second location at no cost. In another example, an organisation defined its critical phone numbers, and the telecommunications provider agreed to switch these numbers to an alternative location immediately following an outage. This agreement was incorporated into the contract.

Case studies: alternate treatments (continued)

Information systems
An organisation with a maximum acceptable outage for information systems of five days spoke to their current service provider, who agreed to include as part of the maintenance/service contract a disaster recovery clause which stated that they would replace infrastructure within three days. This was obtained at no cost given that the organisation was an important customer of the service provider.

Step five: implement continuity treatments

Selection of continuity and recovery treatments will lead to: implementation of procedures to support recovery from a disruption to business, and documentation of the recovery arrangements. Procedures implemented to support recovery will need to be both preparatory and reactive. Preparing for recovery involves putting in place controls that will mitigate the consequences of a business interruption should it occur. Three of the most important such controls include back-up processes, records management, and formal contingency arrangements with external parties. Documentation of the recovery arrangements to be implemented after an outage has occurred is the role of the Business Continuity Plan. A series of checklists is included in the appendices to this Guide to assist with developing continuity treatments. The checklists cover:
alternate processing contract considerations (Appendix 1), roles, responsibilities and a checklist for the Board and audit committee (Appendix 2), roles, responsibilities and a checklist for the Chief Executive Officer (Appendix 3), role and responsibilities of the Recovery Coordinator (Appendix 4), roles and responsibilities of the service area recovery teams (Appendix 5), checklists for quality assurance of BCP development (Appendix 6), and limitations of BCPs (Appendix 7).

[Figure: Risk Treatment Plan -> Establish recovery teams; Document service area recovery steps; Obtain contact and inventory lists; Document recovery management process -> Business Continuity Plan]

Implement preparatory controls

Back-up
Based on the results of the Business Impact Analysis, the resources required to recover and restore essential business processes are identified. To activate a BCP it will be necessary to obtain access to information and resources supporting the key business functions. In the event of an outage it may still be possible to obtain these from the organisation's premises, but this will not always be the case. Reliable off-site storage and backup procedures will ensure information essential to continued business is available as, and when, needed. Resources required for recovery such as documentation, forms, supplies, data and programs should be obtained (copies, or backed-up in the case of electronic data) and be kept at a secure off-site facility. Off-site storage facilities should have suitable environmental and security controls, and the resources and information should be protected from unauthorised access, modification, disruption or use during storage. The following checklist describes the steps for evaluating off-site storage and back-up processing requirements.

Checklist for evaluating off-site storage and back-up processing
- Ensure all resources required for the selected strategies are stored offsite
- Review documented off-site backup processing standards and procedures, if they exist
- If standards and procedures do not exist, ensure they are developed
- Interview personnel responsible for implementation of backup procedures to see if there is adherence to procedures
- Document key elements of the off-site backup procedures for inclusion in the appropriate sections of the contingency plan
- Analyse off-site backup processing procedures and document concerns
  Note: A better practice checklist for off-site storage, included in Appendix 9 to this Guide, can be used as the basis for analysing issues with off-site backup processing
- Schedule review of off-site storage facility (complex organisation only)
- Consider testing partial recovery from off-site facilities (complex)

Off-site storage procedures should be modified to align routine operational requirements with those identified in the recovery strategies, to ensure resources stored off-site, and access to them, are available to meet both situations.

Source: Deloitte Touche Tohmatsu Protech/?IS Methodology, 1999

Records management

As part of the BIA, vital records supporting the critical business processes were identified. In order for these vital records to be properly restored it is necessary to ensure a suitable records management program is in place. The impacts of not having proper document and data management treatments in place are many. They include the management of hardcopy and electronic records data as well as archiving policies for both forms of records. Continuity issues in record management extend beyond just keeping business processes in place. Record management has long-term implications for the organisation and strategies should consider: legal requirements and exposures, adverse effects on public image through inability to deliver information, inefficiency across all processes in locating and utilising information, political implications of non-delivery of a service or information, stakeholder dissatisfaction, and decision-making processes which will be affected.

Development and implementation of document management procedures should include the procedures necessary for management of both physical and electronic records. Development of document management procedures is part of the organisation's overall information management strategy. Risks associated with information management should be addressed in the plans that underpin the strategy. Procedures can be broken into five parts:
Figure 8: Records management procedures (develop hardcopy document management guidelines; develop archiving guidelines; develop electronic and data management guidelines; develop data security and information guidelines; implement the guidelines)

The Australian Archives Handbook on Record Management (see footnote) says a good records management system will ensure: the right records are created, information is kept on who uses the records, why they are used and how they are manipulated, people who need the records can locate them, records are maintained in a usable format, and records are kept for as long as they are needed and no longer. The legal requirements to maintain records vary across organisations and should be considered in formulating a BCP. A good records management system will include consideration of the management of records vital to business continuity.

Footnote: For this document and further information see the National Archives of Australia website http://www.naa.gov.au

Case study
The Bankstown City Council fire was reported widely in the press for the impacts the disaster had on the Council and the community. The Council did not have a Business Continuity Plan. The then Lord Mayor of Bankstown highlighted that recovery of information technology systems was not, as some may have expected, a problem. There were sufficient backup and storage procedures in place, and it was not too difficult to reconstruct the information systems. The biggest problem was that the fire burned a lot of vital records and historical artefacts beyond recovery and reconstruction. The lack of documented management procedures made recovery of information virtually impossible.

Checklist for assessing vital records management program
Current plan (Yes [ ] / No [ ]):
- Does it provide a framework to ensure security of information developed?
- Does it establish a framework for ensuring integrity and completeness of information?
- Does it ensure only authorised personnel have access to information, including implementing a classification system?
- Does it ensure users of information are aware of and observe all relevant laws and regulations?
If the answer to any question is 'no', that aspect of records management needs to be reviewed.

Arrangements with external parties

It is necessary to formalise appropriate arrangements with vendor(s) selected as alternate suppliers. The following checklist can be used to ensure such continuity treatments are being implemented.

Checklist for evaluating implementation of external arrangements
- Ensure, for each treatment selected, the likely costs are the most commercially viable (ie. investigate other vendors in the marketplace)
- Identify other requirements or changes that need to be made in order for the treatments to be effective
- Changes to off-site storage procedures should be made as identified
- Review contracts to ensure they demonstrate better practice for contract management as well as complying with internal guidelines for contract management
- Finalise contracts

Case study
An organisation had a maintenance agreement with a telecommunications provider. This organisation was only able to include a disaster recovery clause in their contract at a large additional cost. Another service provider offered to provide services with no additional cost for the disaster recovery clause. For this reason, the organisation did not renew its contract with its telecommunications service provider and changed to the more cost-effective provider that met their business continuity needs.

A checklist to assist with consideration of alternate processing contract arrangements can be found at Appendix 1.

Source: Deloitte Touche Tohmatsu Protech/?IS Methodology, 1999

Figure 9: Stages in recovery of business operations.

Each phase is defined as follows:
Response: the time from disaster declaration until critical systems and processes have been re-established using strategies documented in the BCP.
Interim processing: the period the organisation relies on alternate processes and resources.
Restoration: the period the organisation returns from using alternate processes and resources back to use of its usual established systems and business as usual.

The business continuity plans produced should consist of detailed step-by-step procedures.
They should contain action-oriented procedures to be used by recovery teams. These procedures are based on the approved recovery treatments and alternate activities and resources identified, and take into account the recovery readiness procedures and arrangements. Activities necessary to restore primary facilities and return to normal operations should be addressed more in the form of guidance than by detailed action steps, which can quickly become outdated or lack context.

Prepare the Business Continuity Plan (BCP)

Business continuity plans are a compilation of individual recovery or contingency plans, brought together with an overarching management plan to coordinate the lower plans. The BCP addresses business disruption from the initial disaster response to the point at which normal business operations are resumed. They may include disaster response plans that are service area specific, operational recovery plans, as well as restoration and transfer of operations plans and guidelines as appropriate. The treatments to overcome identified disruptions need to address the stages necessary to complete recovery.

To produce a comprehensive BCP the following steps are recommended: define the recovery organisation, define the recovery team, develop and integrate service area recovery plans, develop the over-arching management recovery plan, and compile contact lists, inventory lists and other references.

The recovery organisation

Figure 10 provides a generic structure for the recovery organisation. The various players in this structure are:
Recovery coordinator: coordinates the various teams below, and reports directly to the CEO and Executive.
Recovery and management teams: service area teams responsible for implementation of the BCP and recovery of systems following an incident.
Recovery plan support processes: processes necessary to support the management and technical recovery plans, including human resource management and communication.
Checklists to assist in defining the roles and responsibilities of the Board and CEO can be found at Appendix 2 and Appendix 3, respectively. The roles and responsibilities of the Recovery Coordinator and the service area recovery teams can be found at Appendix 4 and Appendix 5, respectively.

Figure 10: A generic structure for the recovery organisation. CEO and Board -> Recovery Coordinator -> Management recovery plan and Service area recovery teams: People recovery team (Communication plan, Human resources plan); Facilities recovery team (Accommodation plan, Equipment plan); Telecommunications recovery team (Telephone, Fax etc plan, Network recovery plan); Information systems recovery team (Mainframe recovery plan, PC recovery plan).

For each recovery area, a team leader should be identified in the plan as being responsible for that area. In a smaller organisation it may be possible to have only one person responsible for all communications, whereas in a large organisation it may need to be split into its component parts. It may also be the case that the executive wishes to take the Ministerial and media communication/liaison role. It is important to ensure all service areas are sufficiently covered to ensure that responsibilities and workload are evenly spread.
Example: roles and responsibilities of key continuity players

Chief executive
- Brief Minister (and Board) on situation, expected impact and recovery timeframe
- Provide focal point for the organisation to ensure the media and public receive the correct, and non-contradictory, information
- Ensure staff and stakeholders are made aware of the problems and the remedial action taken
- Ensure Recovery Coordinator and Recovery Teams have the resources and support necessary to do their jobs

Recovery coordinator
- Decision to activate the BCP
- Determine the recovery strategy for the given situation
- Assess the extent of damage to buildings, facilities and equipment and report to the CEO and/or Board, if necessary
- Contact the necessary staff required for the disaster (in the first instance)
- Assist in establishing the recovery site, if applicable
- Coordinate media activities
- Direct, coordinate and monitor all recovery operations
- Convene recovery status meetings with the CEO
- Schedule subsequent recovery status meetings
- Liaise with real estate agent, if applicable
- Contact Insurance Assessors to determine their requirements and coordinate their on-going liaison with all recovery teams
- Minimise further losses and salvage recoverable resources
- Provide assurance and information updates to staff not involved in the recovery effort
- Prepare the recovery site

Source: Deloitte Touche Tohmatsu Protech/?IS Methodology, 1999

Example: roles and responsibilities of key continuity players (continued)

Human resource team
Following notification from Recovery Coordinator of disaster escalation: contact the staff required for the human resource recovery team, convene status meeting with team members, continually assess and address human resource needs, liaising with other service areas, and provide regular updates to the Recovery Coordinator.

Communication teams
Following notification from Recovery Coordinator of disaster escalation: facilitate communication between recovery coordinator and the teams' designated focus group, convene status meeting with team members, provide regular updates to Recovery Coordinator, brief designated focus group on the disaster, continually keep designated focus group informed of changes to what they have been informed, and respond to queries from designated focus group.
Other service areas
Following notification from Recovery Coordinator of disaster escalation: contact the necessary staff required for their particular service area, convene disaster status meeting with team members, assist with disaster assessment as required, provide regular updates to Recovery Coordinator, complete recovery plan for their service area, determine requirements and coordinate acquisition of equipment, furniture, stationery and communications resources necessary for recovery, and liaise with other recovery teams.

The recovery teams

During recovery, a specialised organisational structure is established which varies from the organisation's structure during periods of normal operation. The roles in the recovery organisation need to ensure reporting lines and responsibilities are clear when the BCP is activated. Small and non-complex organisations would only need one recovery team. Large and complex organisations may need to consider a number of teams (constituted, for example, on a functional or geographical basis) which would be coordinated by a small management team.

Personnel need to be identified for the teams defined in the recovery strategy. The team members participate in customising their responsibilities and procedures and testing their recovery plan. The make-up of the team may be based on consideration of an individual's personal characteristics as much as on their position within the organisation. Leaders and members of a recovery team need the following personal attributes: a good understanding of the organisation, an ability to work well in teams, good people and communication skills, respect within the organisation, and the ability to work well under stress and balance competing priorities.

Part of each BCP project should include a clear understanding of the human resource impacts and the issues to take into account in planning, implementing and testing. Management and employees must understand, and be capable of carrying out, what is required of them in a contingency situation. As well, both groups must be aware of the possible disruptive consequences of some of their actions and inaction. This requires explicit communication and coordination through job descriptions, awareness programs, special training and testing of plans. People need to be the major focus of an outage.
Equipment, infrastructure and facilities may all be operational, but if people cannot reach their work place, or perform their jobs, key business processes will cease. People can be a major issue in successfully activating the contingency plan. For example, if the BCP calls for staff to pick up and move to another location, you may find that single parents and those with incapacitated dependents, part-time students, people with second jobs, members of volunteer or paid public organisations, such as fire or emergency services, may not be available.

Service area recovery plans

An outline of the recovery plan should be developed for each service area identified in the recovery strategy. The plan should consider the people in the recovery teams and properly assign individual responsibility for each action (ie. between team leaders, team members and other teams) as well as timing and expected outcomes for each action. All the steps required for recovery of a business process must be documented in order of priority. The order of these steps should reflect the priority ranking for recovery and take into consideration any interdependencies between steps. The recovery steps also need to consider issues reflecting interaction with other service areas and recovery teams.

Example: service area recovery plans
If the finance area recovery team relies on recovery of the information systems, and recovery of the information systems is the responsibility of another team (say, the information systems recovery team), the steps for recovery of the information systems are not part of the finance area recovery team's recovery plan. The steps to recover the information systems are included in the information systems recovery team's recovery plan. The finance area recovery team's plan would merely make reference to the fact that the information systems must be recovered and that this is the responsibility of the information systems recovery team.

Note: the person with responsibility for completion of a step in the recovery plan does not necessarily have to be the person who undertakes that step. While the recovery team leader is responsible for ensuring a task is completed, they may assign the step to the recovery team members.

A useful format for outlining service area recovery steps is:

No.  Action                                      Responsibility         Timing
1.   <Action Title>                              <Team Member name>     <Due Date>
     <Short description of action including      <Resource estimate>
     references>
2.
3.

As noted previously, the action steps should be considered in three parts. It is usual to break each service area's recovery plan into these steps as a means of coordinating all plans. Note: at the end of each step in an actual recovery situation it is essential the Recovery Coordinator be briefed on the progress of the recovery effort. The next step should not commence until the previous step has been completed.

In establishing the recovery steps for each service area it is important that communications, including information flows, are fully effective. The following checklist outlines some key points to consider.

Checklist: adequacy of communication and information flows
Current plan (Yes [ ] / No [ ]):
- Is the Recovery Coordinator kept adequately informed throughout the recovery process?
- Are the team members kept adequately informed of the recovery process?
- Are other interrelated teams kept properly informed of the recovery process?
- Are appropriate external parties/stakeholders kept informed (excluding those kept informed as part of the management plan) of the recovery process?
- Are external and internal parties that are part of the process informed up-front that their assistance may be called upon?
- Are human resource needs properly addressed?
- Is part of the recovery process the re-implementation of controls (physical, logical and environmental)?
If the answer to any of the above questions is 'no', the recovery plan(s) should be reviewed and amended to ensure there will be adequate communication following an outage and during recovery of operations.

Figure 11: Action steps in recovery plan

Source: Deloitte Touche Tohmatsu Protech/?IS Methodology, 1999

Following completion, it often becomes apparent that many of the recovery plans have some recovery steps in common. These steps should be integrated and assigned to one recovery team (usually that team which needs to complete that recovery step first).
The other recovery teams should still include the recovery steps in their plan, noting that the responsibility for completing the step has been assigned to another recovery team.

The management recovery plan

The management recovery plan combines individual service area recovery plans into one coordinated effort. The recovery steps common to service areas should be combined into this plan (ie. inform staff of outage). As well as combining the individual service area plans, the management recovery plan contains the criteria for activating the plan. Hence, the management recovery plan has an additional phase: disaster escalation. As shown in Figure 12, disaster declaration precedes the response to an outage. The management recovery plan should also address the issues to which the organisation, as a whole, must respond following the disaster declaration. Declaration of a disaster is a generic decision, based on organisation-specific information; the decision process is shown in Figure 13.

Figure 12: Disaster escalation (event causing outage of key business process -> disaster declaration)

Figure 13: Decision process for declaration of a disaster. Determine how long before operations are expected to be restored -> Is restoration timeframe greater than maximum acceptable outage? Yes: disaster declaration. No: monitor progress.

Discussion: what constitutes a disaster?

As noted in Part One of this Guide, an outage is not just an event that reduces the effectiveness of systems, but an event that is extraordinary, causes a loss of key business processes and has a high impact on the organisation. A disaster is an outage that exceeds the MAO. An example of what is NOT a disaster would be the case of a large legal action in progress or a resultant decision. While there may be a resource, financial and public image impact (which may be regarded as a disaster to management), it is a business issue, not a continuity issue, due to the fact that business processes are not affected. It is possible for a management issue to turn into a continuity issue, if the issue begins to affect business processes. Continuing the court case example, if the pay-out created cash flow problems, this might interrupt business processes and lead to business continuity issues.
Individual components of the plan can be effectively utilised in non-disaster cases. For example, the communications plan might be effective in communicating an event to staff or the public, as may the information technology recovery plan be effective in recovering a computer server that has failed.

The first step in the disaster declaration process is to determine how long it is before restoration of the business function can be expected. Guidelines to estimate the duration of an outage need to be established. The following checklist may assist in establishing guidelines to estimate the duration of an outage.

Checklist: guidelines for estimating duration of an outage
Current plan (Yes [ ] / No [ ]):
- Are the people involved in the disaster assessment process clearly identified?
- Are notification procedures for those involved in the disaster assessment process clearly identified?
- Are timeframes for the disaster assessment clearly identified?
- Are safety procedures for disaster assessment identified in line with Occupational Health and Safety Standards?
- Do outside parties need to be part of the disaster assessment?
- If yes, are they all identified?
- Are all relevant insurance companies appropriately informed of the incident before disaster assessment takes place (some insurance is void if certain disaster assessments are carried out without the insurance company present or without their knowledge)?

Source: Deloitte Touche Tohmatsu Protech/?IS Methodology, 1999

Other details

There will be a range of other details to be included in the BCP. Each organisation should analyse their needs (ie. what information can't we do without?). The minimum recommended requirements are discussed below.

Event log
The management recovery plan should also log the events for later debriefing and review. An event log should be included which allows the recovery coordinator to record details of the event. This can be used to brief other recovery teams, executive management and the media so there is a consistent description of the event. For an example event log, see Appendix 8.

Contact lists
Throughout the recovery process it will be necessary to contact a range of people and organisations.
Comprehensive contact lists should be established and maintained. Contact lists to be established include: emergency contact lists, recovery team contact lists, stake­holder contact lists, recovery participant contact lists, and complete staff lists with after hours contact details (if too large, details of where to locate a copy). It is essential these lists be kept up to date. Normal operating procedures need to assign responsibility for maintaining lists, including updating the recovery versions. Consider modifying the existing internal directory to accommodate the extra details required. This will assist in keeping the details up to date and simplify the maintenance of lists.

Inventory list
An inventory of all materials needed for the BCP to be effective should be included as part of the plan, and the items stored offsite. If inventory items have a limited life, normal operating procedures should include responsibility for review of stored inventory and replacement with fresh stocks. In the case of consumables, this may become part of normal stores and distribution in the organisation.

Other references
Any other detailed references should be included. If this is not appropriate or practical, they should be included as part of the inventory and stored offsite. It may be possible to obtain and store much of this material electronically to save on space and possible degradation. However, recovery arrangements need to include arrangements to print paper versions when needed.

Format and contents of the BCP

The format and content of the BCP is extremely important. In a disaster situation, the reader should be able to pick up the document having not read it (although it is preferable that they have), and be presented with action-orientated points they can follow, with references contained in the back. There should also be sufficient room for the person carrying out the recovery process to place comments on timing, or issues, at each step. This will allow the recovery process to be critically reviewed as well as used as a source for debriefing staff on the issues that arose. The BCP does not need to contain contextual information (eg. background, executive summaries, etc) as this was part of the development and approval process and should be stored on official files.
The plan should simply start at the point the plan has been instigated and guide the reader through each step in the response and recovery process. The example opposite illustrates a suggested structure for the BCP.

Quality assurance

Quality assurance reviews of the BCP during its preparation and throughout its life are recommended to ensure its content remains relevant. It is recommended the Recovery Coordinator and management committee responsible for the BCP ensure this is undertaken, in conjunction with routine testing.

Checkpoint
A series of checklists is included at Appendix 6 to assist in the quality assurance of the BCP development.

Upon completion of the plan it must be reviewed and signed-off. A suggested list for review and signoff might include:
- internal audit
- audit committee
- BCP steering committee
- senior executives, and
- CEO

Example: suggested structure for a business continuity plan

Part: Information contained
1 Cover page: Title; Concise statement of objective of continuity plan; Organisational symbol
2 Table of contents: Contents of document
3 Event log: Event log page to be filled in by Recovery Coordinator after an outage
4 Management recovery plan: Disaster escalation process; Team assembly arrangements; Recovery phase steps; Interim processing phase steps; Restoration phase steps
5 Service area recovery plans: Recovery phase steps; Team assembly arrangements; Interim processing phase steps; Restoration phase steps
6 Referenced procedures: Telephone re-direction procedures; Outsourced vendor agreements
7 Technical recovery items: Server configurations; Communication configurations; Pre-written programs for IT recovery
8 Contact lists: Internal contact lists; Emergency services contact lists; External/stakeholder contact lists; Staff contact lists
9 Inventory: Supply inventory; Additional resources/budget required
10 Limitations: Limitations under which the plan was developed (refer Appendix 7 for an example set of limitations)
11 Testing and maintenance: Schedule of testing to be performed; Review/update timetables and deadlines (refer to step 6 for information on testing and maintenance)

Step six: test and maintain the plan

Review of the BCP is essential to ensure it reflects the organisation's objectives, its key business functions, the corresponding processes and resources, and any agreed priority for recovery. Testing and maintenance of the recovery process documented in the BCP will provide management assurance that the plan is effective; that is, it will ensure continuity of business should key functions be lost.

Test the plan

No matter how well designed and thought-out the BCP may seem, realistic and robust testing will reveal areas requiring attention. If test results are flawless, you should examine the adequacy and realism of your tests. The major components of the BCP should be tested annually and updated based on the results of each test. It is important each component be individually tested. Testing can be disruptive; it requires commitment from management to ensure sufficient resources are available. It is not recommended the BCP be tested as a whole as this would be resource intensive and may affect normal operations. It has been the case that testing the whole BCP at once has itself created an outage and major disruption to business.

The service area recovery and management recovery parts of the BCP should be tested together. An approach may be to set the scene at the first hour, the first day, to the point of access to a temporary site. Each recovery team explains the process they would go through in recovering their operations. The other teams challenge the approach and point out any weaknesses detected in the plan. For example, asking: 'Where would you obtain that information?', or 'Isn't that process dependent on the completion of another activity?' There are several approaches that may be adopted to test the plan.
Paper: ensures there is adequate capacity and availability of resources when the BCP is activated. The test requires calculating requirements such as floor space, air conditioning and power requirements for the equipment to be used when the BCP is activated.

Manual verification: ensures the required recovery material is available as stated in the BCP. This test requires checking that all required data, supplies and/or other hardcopy documents (as documented in the BCP) are actually backed up and correctly stored off-site.

[Figure: Business Continuity Plan -> Establish recovery teams; Document service area recovery steps; Obtain contact and inventory lists; Document recovery management process -> Test Plan]

"Regular testing is necessary to maximize the chances of a successful plan in the event of a disaster and should familiarize the [Information System] organization with an unexpected interruption of critical applications. A business continuity plan is only as useful as effective testing proves it to be."
Business Continuity Planning: Maintaining Good Testing Practices, InSide GartnerGroup This Week (IGG), January 22, 1997, C. Gooding. GartnerGroup, 1999

Supply validation: validates all supplies required will be available in the event of a disaster. The test compares the list of forms and supplies used during a test to the items documented in the BCP to ensure the list is complete and that an adequate supply will be available.

Supplies, equipment and services availability test: ensures information and lists of the forms, supplies, equipment, inventories and associated vendor contact details are accurate. To conduct this test, one or more teams with critical support vendors would contact each vendor on their list to ensure that all information is accurate, including phone number, address and key vendor contacts. They would verify whether the listed supplies, equipment or services are available for delivery, or what the current lead time is. This lead time should be compared to the expected lead time in the BCP.

Structured walk-through: ensures the BCP procedures are adequate.
!'c tcst cou|cs t'c |ccovc Cooo|ato to ocvc|o a o|sastc scca|o ao |cao t'c scv|cc tcas t'ou' a oc' ccovc. !'c tcst |s coouctco as |o||o.s. a|| tca |caocs cct | a oo to oc |vc t'c scca|o, t'c cac' .o' t'ou' t'c| ccovc tca |as a| at|cu|a at tct|o to t'c |tcact|o .|t' ot'c tcas, ao |ssucs |oct|||co s'ou|o oc |co|atc| otco o t'c |ccovc Cooo|ato. Unannounced recovery team assemblycsucs t'c ||sts |o oo|||s| ccovc tcas ac u to oatc ao t'c tcas ca oc oo|||sco | t'c cou|co t|c. !'c tcst |s coouctco as |o||o.s. !'c |ccovc Cooo|ato cotacts uoc o| tca cocs o t'c ot|| |cat|o cotact ||st. !'c tcsts s'ou|o oc coouctco, o a otat| oas|s, at t'c |o||o.| t|cs. - ou| oa| .o' 'ous, - ou| |uc' t|c, - a| tc oa| .o' 'ous o a .cc'oa, ao - ou| t'c .cc'co. !'c |ccovc Cooo|ato otcs t'c t|c t'c ca||| occss stats ao t'c t|c at .'|c' cac' tca coc .as cotactco. !ca cocs oo ot actua|| cco to assco|c. !'c |ccovc Cooo|ato .||| cot o t'c tcst csu|ts. 64 Guide to Effective Control Guide to Effective Control Maintain the plan |o|v|oua| ccovc tca |as ust oc continually a|ta|co to ov|oc suot |o ous|css cot|u|t. Ao||stat|vc occoucs ao u|oc||cs s'ou|o oc ocvc|oco to ov|oc |o c|oo|c tcst| ao oocuctat|o a|tcacc o| t'c scv|cc aca ccovc |a(s) ao oo| ta||. |csos|o|||t|cs |o va|ous asccts o| |C| a|tcacc ac a|so cstao||s'co. Oo| csos|o|||t|cs s'ou|o oc oc| |co to csuc ao|atc |C| a|tcacc. !'c |o||o.| ous 'avc scc|||c |C| a|tcacc csos|o|||t|cs. Role Responsibilities Recovery Coordinator At cu|a |tcva|s (c at |cast s| ot'|). aacs t'c |C|, |a|ta| a|tcatc occss| s|tc cotacts/acccts cooo|atcs t'c ccovc Cooo|atc cu|a cv|c. o| t'c |C| oocuctat|o, aua|| tcas ao ||a|scs .|t' t'c at a ||u C|O ao |ccut|vc Cooo|atc cv|c. ao aova| o| c'acs to t'c |C| Cooo|atc |C| ta|| |c|o ao||stat|vc asccts o| uoatcs to t'c |C| (|c. coouct|o ao co|st|out|o) |a|ta| t'c |C| o|st|out|o ||sts Sc'cou|c ao cooo|atc t'c |C| tcsts Recovery teams At cu|a |tcva|s (c at |cast aua||). 
csos|o|c |o uocta'| |a|ta| cscct|vc scv|cc aca tca occoucs stcs oocuctco | t'c |a|ta| t'c c|cccc ||oat|o t'at |s at o| t'c scv|cc |C| to ccovc |oct|| |co acas' |C| occoucs sstcs |at|c|atc | |C| tcst| End Users |o uscs s'ou|o. cco to csuc t'c ac csuc ||oat|o cccssa to cot|uc c|t|ca| a.ac o| t'c cotcts o| |uct|os, |o .'|c' t'c ac csos|o|c, |s stoco o||s|tc as |C| ao 'o. |t a||ccts t'c at o| t'c |C| at|c|atc | cot|cc |a ta|| at|c|atc | cot|cc |a tcst| A |C| |s cas|| a|ta|co || c'acs | t'c ous|css ao/o oata occss| cv|oct ||t|atc cv|c.s ao uoatc t'c |C|. \'c a cooct o| t'c |C| |s a||cctco, t'c |o||o.| stcs s'ou|o oc ta'c. t'c |ccovc Cooo|ato s'ou|o oc ot|| |co o| t'c c'ac, t'c c||cct o| t'c c'ac s'ou|o oc cva|uatco us| a ||A |ocuss| o t'c c. cooct(s) ao a c. |tcc|at|os'|s .'|c' occu, t'c |C| s'ou|o oc oo|||co o t'c ao|atc scv|cc aca to c||cct t'c c'ac, ao t'c |ccovc Cooo|ato s'ou|o octc|c tcst| cou|ccts ao sc'cou|c a tcst, || cccssa. Soucc. |c|o|t tc !ouc'c !o'atsu |otcc'/||S |ct'ooo|o, 1999 65 Business Continuity Management Business Continuity Management Appendices Appendices 1. Alternate processing service contract considerations 66 2. Roles, responsibilities and a checklist for the Board and audit committee 68 3. Roles, responsibilities and a checklist for the Chief Executive Officer 69 4. Role and responsibilities of the Recovery Coordinator 71 5. Roles and responsibilities of the service area recovery teams 72 6. Checklists for quality assurance of BCP development 73 7. Limitations of BCPs 82 8. Event log 84 9. 
Checklists for review of off-site backup procedures

Appendix 1 Alternate processing service contract considerations

Checklist: alternate processing service contract considerations
Task (Completed: Yes / No)

General Issues
- The description of the alternate processing facilities should indicate adequate physical security and appropriate environmental controls
- Availability of alternate vendor sites and the rights of individual subscribers in the event of multiple disaster declarations should be specified
- Amount or nature of support services the vendor will provide should be defined relative to: implementation assistance; support for testing; logistical support; and after hours support
- The vendor should have limits relative to the total number of clients that may subscribe to a given facility
- The vendor cannot renew (except by automatic renewal clause) or renegotiate the contract while the subscriber is experiencing a disaster or is in the recovery phase
- The amount and scheduling of test time should be defined
- The subscriber should have the right to periodically audit the installation to ensure that the specified configuration is maintained
- An escape clause should allow the subscriber to terminate the contract without penalty for any of the following reasons: failure to maintain technical compatibility; failure to provide agreed support services; failure to maintain suitable environmental support; and any breach of contract
- The contract should provide an annual window of opportunity to terminate without penalty
- The monthly fees should not be subject to change without the written consent of the subscriber
- The contract should not be assignable without written consent
- The vendor should be subject to appropriate reasonable non-disclosure conditions

IT Recovery Specific Issues
- Definition of the backup capability of the vendor site should be clear and consistent throughout the contract
- Occupation of the hot site for a minimum of six weeks
- Conditions under which the subscriber can continue to occupy hot site facilities after the six week period should be defined
- The number and description/type of locally attached terminals and/or other devices available while on-site should be defined; this is particularly important for data entry requirements
- Continuing technical compatibility should be assured throughout the life of the contract
- The contract should specify a guarantee of access to the hot site (including after hours access) during the period of disaster and recovery
- The nature and extent of IT support services to be provided by the vendor has been defined relative to: network diagnostic capabilities and implementation assistance; support for testing activities; assistance in configuring facilities (ie. equipment acquisition, transportation, storage, removal and return); access to and use of vendor software, documentation and ancillary facilities (ie. photocopy, food services); and logistical support

Source: Deloitte Touche Tohmatsu Protech methodology, 1999

Appendix 2 Roles, responsibilities and a checklist for the Board and audit committee

Task (Completed: Yes / No)
- Is the scope of the business continuity process appropriate given the organisation's circumstances and risk management strategy?
- Is BCP being coordinated to take into consideration other risk management initiatives?
- Are synergies between other risk management initiatives (ie. Y2K projects) and business continuity fully used?
- Are internal and external audit recommendations regarding BCP being followed up?
- Are the maximum acceptable outages (MAO) determined as part of the business impact analysis in line with the audit committee's understanding of the business?
- Are the recovery strategies recommended appropriate given other business initiatives?
- As part of the review of the internal audit strategic and annual work plans, is business continuity, and more specifically business continuity testing and maintenance, being addressed?
- Are business continuity initiatives being communicated to all levels of management and across the organisation (this is an important part of a successful business continuity project)?

Roles and responsibilities
- Ensure the governance framework supports business continuity
- Ensure the approach to risk management supports the strategic goals of the organisation

Source: Deloitte Touche Tohmatsu Protech methodology, 1999

Appendix 3 Roles, responsibilities and a checklist for the Chief Executive Officer

Roles and responsibilities
- Brief the Minister and Executive Board on the business interruption event, expected impact and recovery timeframe
- Provide a focal point for the organisation to ensure the public and media receive correct, and non-contradictory, information
- Ensure staff and stakeholders are made aware of the problems
- Ensure the Recovery Coordinator and Recovery Teams have the resources and support necessary to do their job

Task (Completed: Yes / No)
- Have management and staff adopted an attitude of continuity management planning which ensures that a positive control environment is maintained?
- Does the organisation regularly communicate the organisation's vision, goals and objectives to staff members?
- Does management take a balanced approach to risk taking, carefully analysing and assessing risks and potential benefits before authorising new ventures or significant changes?
- Does the BCP complement the organisation's corporate governance and risk management framework?
- Is the organisation responsible for providing a unique service to the public or the Government?
- If yes, what would the implications be if the service were unavailable for an extended period of time?
- Are BCP practices and procedures in place to ensure timely decision making during a disaster and to instil accountability into staff?
- Does a business impact analysis exist that identifies the recovery timeframes of the critical business processes?
- Does the organisation have a person identified that is responsible for BCP?
- If so, has the person been provided with adequate training and resources to perform the role?
- Has the organisation's BCP been subject to independent review (eg. by internal audit)?
- Are the BCPs linked to the emergency management plans for the organisation?
- Is there a process in place for BCP review?
- If the organisation has a BCP, does it reflect the current and future needs of the organisation?
- Have the current and future BCP needs been formally evaluated as part of the organisation's overall corporate governance arrangements?
- Has the organisation undergone considerable organisational change, or changes in organisational focus and direction, or changes to business resources (personnel, facilities, information technology, and communication)?
- When were the continuity plans last tested? Date: __/__/__ What were the results of the tests? Were recommendations for change or improvement taken up and tested?

Source:
Deloitte Touche Tohmatsu Protech methodology, 1999

Appendix 4 Role and responsibilities of the Recovery Coordinator
- Decision to activate the BCP
- Determine the recovery strategy for the given situation
- Assess the extent of damage to buildings, facilities and equipment and report to the CEO, Executive and/or Board, if necessary
- Contact the necessary staff required for the disaster (in the first instance)
- Assist in establishing the recovery site, if applicable
- Coordinate media activities
- Direct, coordinate and monitor all recovery operations
- Convene recovery status meetings with the Executive
- Schedule subsequent recovery status meetings
- Liaise with the real estate agent, if applicable
- Contact Insurance Assessors to determine their requirements and coordinate their ongoing liaison with all recovery teams
- Minimise further losses and salvage recoverable resources
- Provide assurance and information updates to staff not involved in the recovery effort
- Manage the recovery site
- Schedule and conduct tests of the BCP

Appendix 5 Roles and responsibilities of the service area recovery teams

Human resource management team. Following notification from the Recovery Coordinator of disaster escalation:
- contact the staff required for the human resource recovery team
- convene a status meeting with team members
- continually assess and address human resource needs, liaising with other service areas, and provide regular updates to the Recovery Coordinator.

Communications team. Following notification from the Recovery Coordinator of disaster escalation:
- facilitate communication between the Recovery Coordinator and the teams/designated focus group
- convene a status meeting with team members
- provide regular updates to the Recovery Coordinator
- brief the designated focus group on the disaster
- continually keep the designated focus group informed of changes to what they have been told, and respond to queries from the designated focus group.

Other service areas. Following notification from the Recovery Coordinator of disaster escalation:
- contact the necessary staff required for their particular service area
- convene a disaster status meeting with team members
- assist with disaster assessment as required
- provide regular updates to the Recovery Coordinator
- complete the recovery plan for their service area
- determine requirements and coordinate acquisition of the equipment, furniture, stationery and communications resources necessary for recovery, and liaise with other recovery teams.

Appendix 6 Checklists for quality assurance of BCP development

The BCP plan proposal

The business continuity project plan should adequately describe the project, its objective and scope, the project team and its responsibilities, and the resources required. The Chief Executive or the management committee responsible should formally approve the plan. The checklist below provides a quick reference point for ensuring the plan has sufficient detail. In addition, a suggested format for a project plan is described at Step one of the Workbook.

Checklist: developing the business continuity project plan
Task (Completed: Yes / No)
- Document the project's objectives
- Define and document the project's scope and any limitations
- Explain any assumptions made
- Detail members of the project team
- Assign responsibility for project tasks
- Present the budget, including staff resources, required for the project
- Set project timeframes and deliverables for tasks
- Plan is formally approved by the appropriate management committee

Source: Deloitte Touche Tohmatsu Protech methodology, 1999

Identifying key business processes, activities and resources

The BIA needs to assess the impact of an outage on all key business processes. It ranks these processes in order, to determine recovery priorities, and identifies the activities and resources which comprise each process, again ranked in order of priority to determine recovery priorities. To ensure the BIA is complete, each business unit or service area needs to identify the processes for which they are responsible and then determine which of these are critical to the organisation achieving its objectives.
These key business processes should then be ranked in order of priority to the business (thus indicating their recovery priority), and the activities and resources of each process should be similarly ranked.

Checklist: ensuring all key business functions, processes and resources are identified and included in the BIA
Task (Completed: Yes / No)
- Document and confirm organisational objectives, outputs and performance criteria
- List all business processes which underpin achievement of objectives and delivery of outputs
- Rank the processes in order of importance to the organisation's objectives and exclude those processes considered not key to achieving the objectives
- Review the functional organisation chart to identify general areas of operational responsibility
- Interview managers responsible for key business functions to confirm understanding of business processes
- Meet with service area management and support personnel to gain an understanding of each function included in the scope
- Obtain any supporting documentation that is available which would provide a summary of key business functions
- Document the activities and resources essential to each key business process
- Ensure all resource groups are identified (ie. people, facilities, telecommunications, information systems, business support processes)
- Formally communicate the list of key business processes and supporting processes and resources, with their respective ranking, to the project steering committee
- Consider interdependencies that exist between areas

Source: Deloitte Touche Tohmatsu Protech methodology, 1999

The BIA

The BIA determines the length of time the organisation can be without key business processes before remedial action must be taken. As the key business processes are made up of activities and resources, it is actually about making an assessment of the time you can be without the activities or resources before the key business process would fail. The BIA establishes the Maximum Acceptable Outage for each activity and resource that supports the key business process; the MAO should reflect and confirm the priority ranking made in the earlier step.

Checklist: analysing each key business function for a BIA
Task (Completed: Yes / No)
- Evaluate the impacts of a loss of the function from the perspective of the organisation's budget, outcomes and outputs; consider: loss of revenue/increased expense; service delivery standards; public or political embarrassment; loss of client confidence; loss of management control; financial misstatement; regulatory, statutory or contractual liability; specific/unique vulnerabilities; and political ramifications
- Identify the critical success factors that ensure the function meets the organisation's objectives
- Identify the processes and resources which underpin the key business functions
- Identify additional expenses incurred if process(es) are performed manually or in a substitute manner during an outage
- Identify interim processing procedures (alternative or manual processing techniques) to be adopted during the recovery phase
- Estimate the time it will take to overcome the backlog of work accumulated during the outage
- Quantify the minimum resource requirements necessary to perform the function
- Identify the records vital to the recovery process
- Evaluate the adequacy of the current BCP in place

Source: Deloitte Touche Tohmatsu Protech methodology, 1999

Selecting alternate activities and resources

To select alternate activities and resources to be used during an outage, consideration of all viable options is paramount. This consideration encompasses each option's ability to substitute for the lost activities and resources in terms of cost, quality and, most importantly (considering the MAO), timeliness. An added benefit of this process is that it may identify better activities and resources than those currently in place, providing ongoing cost savings as an outcome.

Checklist: selecting process and resource alternatives
Task (Completed: Yes / No)
- Document a brief description of each viable option
- Determine other resources required and the costs for each option (this may require information from vendors)
- Compare recovery options, including cost, with recovery priorities and the MAO. Consider: Does the option meet the recovery needs?
- Does the option exceed your needs?
Source: Deloitte Touche Tohmatsu Protech methodology, 1999

Evaluating backup processing and off-site storage

For a BCP to work, and work reliably, some proactive measures will need to be established to ensure relevant resources are available if the BCP is activated. Fundamental to recovery from an outage is access to records and information, both electronic and physical. Backup processing and off-site storage are fundamental to most business processes today; the checklist below provides a list of issues to consider when reviewing the requirements for the BCP.

Checklist: evaluating backup processing and off-site storage
Task (Completed: Yes / No)
- Ensure all resources required for the selected strategies are stored offsite
- Review documented off-site backup processing standards and procedures, if they exist. If standards and procedures do not exist, ensure they are developed
- Interview personnel responsible for implementation of backup procedures to see if procedures are being adhered to
- Document key elements of the off-site backup procedures for inclusion in the appropriate sections of the contingency plan
- Analyse off-site backup processing procedures and document concerns
- Schedule review of the off-site storage facility
- Material recovery from off-site facilities has been tested

Note: A better practice checklist for off-site storage is included in Appendix 9. This can be used as the basis for analysing issues with off-site backup processing.

Source: Deloitte Touche Tohmatsu Protech methodology, 1999

Implementing continuity strategies

It is essential that the selected continuity strategies are implemented properly and tested. The BCP will rely on the selected continuity strategies being in place prior to finalisation of the BCP. The checklist below will provide assistance in ensuring the identified continuity strategies have been implemented.

Checklist: ensuring continuity strategies are properly implemented
Task (Completed: Yes / No)
- Ensure, for each strategy selected, the likely costs are the most commercially viable (ie. investigate other vendors in the marketplace)
- Identify other requirements or changes that need to be made in order for the strategies to be effective
- Changes to off-site storage procedures should be made as identified
- Review contracts to ensure they demonstrate better practice for contract management as well as comply with internal guidelines for contract management
- Finalise contracts

Source: Deloitte Touche Tohmatsu Protech methodology, 1999

Evaluating the level of communication in the BCP

When activated, the success of a BCP will rely heavily on open communication and sharing of relevant information. Following declaration of a disaster, information on implementation of alternate activities and resources, recovery of lost systems and the next stage of the plan to be implemented needs to be concurrently available to all recovery teams, senior management and affected staff. The following checklist can be used to ensure the communication in the service area plans and the management plan is adequate.

Checklist: ensuring communications and information flows in service area recovery plans are adequate
Task (Completed: Yes / No)
- Ensure the BCP has communication flows which enable the Recovery Coordinator to be kept adequately informed by the service area recovery teams throughout the recovery process
- The BCP ensures service area recovery team members are kept adequately informed of where the organisation is in the recovery process
- Ensure service area recovery teams working to recover interrelated business processes are kept properly informed of the recovery process and keep other teams informed of their progress
- Ensure service areas keep appropriate external parties and stakeholders informed of the recovery process (not including parties/stakeholders that would be kept informed as part of the management plan)
- Ensure external and internal parties included in the BCP are informed immediately that their assistance may be called upon
- Ensure all human resource needs are being addressed. Consider: OHS, counselling and other support, lines of communication, etc
- Ensure the recovery process addresses re-implementation of routine controls (physical, logical and environmental)

Source: Deloitte Touche Tohmatsu Protech methodology, 1999

Checklist: ensuring communications and information flows in the management plan are adequate
Task (Completed: Yes / No)
- Ensure the BCP communication flows keep the underlying service area recovery teams informed throughout the process
- Ensure the executive is kept properly informed throughout the process
- Ensure any appropriate external parties/stakeholders are kept properly informed throughout the process
- Ensure the BCP provides specific protocols for media liaison and management
- Ensure external and internal parties included in the BCP are informed immediately that their assistance may be called upon
- Ensure all human resource needs are being addressed. Consider: OHS, counselling and other support, lines of communication, etc
- Ensure the recovery process addresses re-implementation of routine controls (physical, logical and environmental)

Source: Deloitte Touche Tohmatsu Protech methodology, 1999

Disaster assessment

The BCP needs to outline the steps and issues that need to be considered when assessing the impact of a disaster. The Recovery Coordinator must be able to advise the Chief Executive and senior management on the impact of an outage and assess the time the business process may be affected; if the MAO is exceeded, a disaster is declared and the BCP is activated.
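The BIA rules in Appendix 6 and the disaster assessment rule above (an MAO for each activity and resource, a priority ranking the MAO must confirm, and a disaster declaration once the projected outage exceeds the MAO) can be applied mechanically. The Python below is an added example; it is not part of the ANAO Guide or of the Deloitte methodology it cites, and the agency processes, MAO figures and resource dependencies in it are constructed for illustration. It derives each resource's MAO as the shortest MAO of any process that depends on it, orders resources for recovery, checks that the MAOs are consistent with the ranking, and decides whether an outage should be declared a disaster.

```python
"""Added example (not from the ANAO Guide): MAO propagation and outage assessment."""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass
class Process:
    name: str
    rank: int                 # recovery priority from the BIA, 1 = highest
    mao_hours: float          # maximum acceptable outage of the process
    resources: List[str]      # activities/resources the process depends on


# Constructed BIA output for a hypothetical agency; the figures are illustrative only.
PROCESSES = [
    Process("Benefit payments", 1, 24.0,
            ["payments system", "mainframe", "WAN link", "call centre staff"]),
    Process("Client enquiries", 2, 48.0,
            ["CRM", "telephony", "call centre staff"]),
    Process("Internal reporting", 3, 120.0,
            ["data warehouse", "mainframe"]),
]


def resource_mao(processes: List[Process]) -> Dict[str, float]:
    """A shared resource inherits the shortest MAO of every process that needs it:
    the mainframe serves reporting (120 h) but must be back for payments (24 h)."""
    mao: Dict[str, float] = {}
    for p in processes:
        for r in p.resources:
            mao[r] = min(mao.get(r, float("inf")), p.mao_hours)
    return mao


def recovery_order(processes: List[Process]) -> List[str]:
    """Resources in the order they should be recovered: shortest MAO first,
    ties broken by the best process rank they support, then by name."""
    mao = resource_mao(processes)
    best_rank: Dict[str, int] = {}
    for p in processes:
        for r in p.resources:
            best_rank[r] = min(best_rank.get(r, p.rank), p.rank)
    return sorted(mao, key=lambda r: (mao[r], best_rank[r], r))


def ranking_inconsistencies(processes: List[Process]) -> List[str]:
    """The Guide says the MAO should confirm the priority ranking: a lower-ranked
    process must not have a shorter MAO than a higher-ranked one. Returns offenders."""
    by_rank = sorted(processes, key=lambda p: p.rank)
    return [
        f"{later.name} (rank {later.rank}, MAO {later.mao_hours}h) is tighter than "
        f"{earlier.name} (rank {earlier.rank}, MAO {earlier.mao_hours}h)"
        for earlier, later in zip(by_rank, by_rank[1:])
        if later.mao_hours < earlier.mao_hours
    ]


def assess_outage(processes: List[Process], down: Set[str],
                  elapsed_hours: float, restore_estimate_hours: float) -> dict:
    """Disaster assessment: project the total outage of the affected resources and
    list the processes whose MAO it would exceed. Any breach means declare."""
    projected = elapsed_hours + restore_estimate_hours
    breached = [
        p.name for p in sorted(processes, key=lambda p: p.rank)
        if any(r in down for r in p.resources) and projected > p.mao_hours
    ]
    return {"projected_outage_hours": projected, "breached": breached,
            "declare_disaster": bool(breached)}


if __name__ == "__main__":
    print("recovery order:", recovery_order(PROCESSES))
    print("ranking issues:", ranking_inconsistencies(PROCESSES) or "none")
    print(assess_outage(PROCESSES, {"mainframe"}, elapsed_hours=6, restore_estimate_hours=30))
```

The propagation step is the one the checklists leave implicit: a resource that only appears in a low-priority process still gets a tight MAO if any high-priority process shares it, so the recovery order falls out of the dependency list rather than from the process list alone.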
Checklist: developing the disaster assessment guidelines
Task (Completed: Yes / No)
- The BCP clearly identifies the people involved in the disaster assessment
- The notification process for those involved in the disaster assessment is clearly identified in the BCP
- The timeframes for the disaster assessment are clearly identified in the BCP
- Safety procedures for disaster assessment identified in the BCP are in line with Occupational Health and Safety requirements
- The outside parties which are part of the disaster assessment process are identified in the BCP along with their contact details
- Steps are in place to ensure all relevant insurance companies are appropriately informed of the incident before or during the disaster assessment taking place (some insurance is void if certain disaster assessments are carried out without the insurance company present or without their knowledge)

Source: Deloitte Touche Tohmatsu Protech methodology, 1999

Appendix 7 Limitations of BCPs

The BCP should recognise the factors that may limit recovery from a business interruption event. These factors should be documented in the BCP to ensure they are brought to the attention of management.

Example: factors which may limit recovery from a business interruption event (Resource: possible limiting factors)

People:
- Insufficient number of personnel possessing the appropriate skills available to implement business continuity operations
- Critical operations and systems documentation for each platform are not stored off-site
- Insufficient number of qualified personnel will be available to perform user tasks during the recovery phase
- Personnel who play a role in recovery are unaware of their responsibilities and have not been adequately trained to perform the recovery tasks
- Staff support areas are not prepared to support the recovery operation

Facilities:
- The Recovery Plan will NOT cover an event which simultaneously renders both the primary and all alternate data centre facilities inoperable
- The Recovery Plan will NOT cover an event which simultaneously renders the data centre inoperable and the essential off-site storage inaccessible
- The disaster that renders the data centre inoperable may impact large geographic areas, public utilities, the transportation infrastructure or other facilities and/or services normally available (note that this excludes an electrical distribution failure)
- Transactions lost between the point of the most recent backup and the disaster event cannot be reconstructed and re-entered to computer systems within the maximum allowable outage period
- Periodic testing of the BCP is not conducted
- Critical systems are not periodically evaluated and their minimum essential features can not be provided for in a disaster
- A complete listing of production files and their location on backup tapes is rotated off-site with adequate frequency
- The organisation may experience voluntary or involuntary separations of employment or relationship with any employees, suppliers, or other vendors between the occurrence of the disaster event and complete recovery
- Off-site storage locations are not intact and accessible
- Off-site information backup and rotation procedures are inadequate to implement full recovery within maximum allowable outage time frames
- Daily transactions needed to reconstruct critical data are not rotated off-site with adequate frequency

Telecommunications:
- Ready access to public network
- Timely access to replacement mobile phones
- Delay in re-routing critical phone numbers to new location
- Lack of access to other communications hardware (eg. pagers, fax, email connections, etc.)

Information Systems:
- Lack of alternate processing facilities available as and when required
- The organisation lacks access to a fully configured secondary processing site sufficient in capacity to support data processing for essential business functions with critical application support needs
- Critical users do not have the ability to reconstruct any lost work-in-progress
- Critical users do not have recovery plans developed to be able to process at the alternate processing facility

Business Processes and Resources:
- The organisation has adequate financial resources to implement the contingency plan according to the time frames established by the business impact analysis
- Inadequate maintenance of all business continuity procedures is performed
- No ongoing effort to minimise exposures to disasters and operations/systems vulnerabilities will continue
- Designated user representatives are not promptly notified if a disaster occurs

Appendix 8 Event log

During a business interruption event it is important to record important information and decisions which were made during the outage. This information provides an important input to revising the BCP by incorporating actual event experiences in the plan. The event log may also be a useful tool for the Recovery Coordinator to use during BCP tests to record the scenario set and the outcomes of the test results. The Recovery Coordinator should complete this Event Description shortly after notification of a disaster. The log is used to record the facts and wording of the disaster declaration statement, to allow the Recovery Coordinator to relay accurate information to other members of the team and as a means of review after the event. The following example shows the information the Recovery Coordinator should collect in the case of a business interruption event. This log should be adapted to suit the specific requirements and structure of the organisation.

Example: a business interruption event log

Event Log: Initial Notification
Briefly describe the event: ____
Disaster Declared [ ] or Standby Requested [ ] (Please Tick)
Date: ____ Time: ____
Notified by: ____
Estimated Time to Event Resolution: Days: ____ Hrs: ____
Disaster Declared: Date: ____ Time: ____
Recovery Site: ____
RECOVERY SITE ADDRESS: ____
Authorised by: ____

Appendix 9 Checklists for review of off-site backup procedures

Checklist for review of non-IT off-site backup procedures
Area for Review (Completed: Yes / No)
- Identify all categories of off-site backup addressed by the procedures. Consider: hard copy documentation; forms (application forms, manual receipts, cheque blanks, etc); supplies; and equipment
- It may be possible to make special arrangements with your bank, including guaranteed delivery time, which will enhance security of these forms
- For each of the categories of items identified as being backed up, identify the timing for adding/replacing/deleting off-site backup items
- Identify persons responsible for determining what is to be backed up
- Identify persons responsible for review and approval of changes/terminations of off-site backup items
- Determine if an inventory of items is available and how the inventory is maintained
- Determine whether a hardcopy of the off-site backup inventory is stored off-site

Source: Deloitte Touche Tohmatsu Protech methodology, 1999

Checklist for review of IT off-site backup procedures
Area for Review (Completed: Yes / No)
- Identify all types of files being backed up off site. Consider:
  - system software: operating systems; support software; utility packages; communications software; and Job Control Language (JCL), etc
  - application software: source libraries; production libraries (executable code); data dictionary files; Job Control Language, etc; and production data disk files and databases
  - user files: on-line documentation; production scheduling; computer operations documentation (eg. recovery/restart); and application system/program documentation
  - archival files
- For each of the categories of items identified as being backed up, identify the method(s) of backup. Consider: full saves (entire file or database backed up); incremental saves; production job stream; on request by user; application nightly backup; batch update; and special job stream
- Determine the backup frequency and number of copies retained off-site for each category of backup
- Identify persons responsible for determining what is to be backed up
- Identify persons responsible for review and approval of changes/terminations of off-site backup cycling
- Note the reason(s) why any types of files are not being backed up off site
- Determine if backup procedures are applied application by application or to an entire category of applications such as those designated critical
  NOTE: When the term 'application(s)' is used above, it refers to operating system software, support software, utilities and communication software in addition to end user business applications.
- Identify the tool(s) used for identifying and recording off-site backups. Consider: tape library management software packages; manual logs; special program/system with manual input; and special program/system with automated input
- Determine if vendor provided software products are used to perform backups
- If a third party provides off-site storage, does the existing contract for retrieval and recovery of storage media match the requirements of the BCP?

Source: Deloitte Touche Tohmatsu Protech methodology, 1999

Business Continuity Management Workbook
Guide to Effective Control, January 2000

Better practice

The Australian National Audit Office produces better practice guides as part of its integrated audit approach which includes information services to audit clients. A better practice series has been established to deal with key aspects of the control structures of entities, an integral part of good corporate governance. This Workbook forms part of that series.
The accompanying Guide deals with business continuity management within a risk management framework.

ISBN 0 644 39018 2
© Commonwealth of Australia, 2000

This work is copyright. Apart from any use as permitted under the Copyright Act 1968, no part may be reproduced by any process without prior written permission from the Australian National Audit Office. Requests and inquiries concerning reproduction and rights should be addressed to: The Publications Manager, Australian National Audit Office, GPO Box 707, Canberra ACT 2601. Information on Australian National Audit Office publications and activities is available at the following Internet address: http://www.anao.gov.au

Disclaimer

The Auditor-General, the ANAO, its officers and employees are not liable, without limitation, for any consequences incurred, or any loss or damage suffered by an organisation or by any other person as a result of their reliance on the information contained in this Workbook or resulting from their implementation or use of the accompanying Guide, and, to the maximum extent permitted by law, exclude all liability (including in negligence) in respect of the Guide and the accompanying Workbook.

Designed by Art Attack Pty Ltd, Canberra. Printed by Pirie Printers, Canberra.

Contents

Introduction
Step one: Project initiation
Step two: Key business processes identification
Step three: Business impact analysis (BIA)
Step four: Design continuity treatments
Appendices
1. Worksheet for key business processes identification and business impact analysis
2. Worksheet for evaluation of recovery treatment options

Introduction

This Workbook is designed to assist organisations in the development of a comprehensive business continuity plan. It is designed to lead operational and service area staff through the process of: identifying key business processes; establishing a maximum acceptable outage for each key business process; and designing appropriate cost-effective treatments in the event of an outage. The results from this Workbook can be used by the Business Continuity Project Manager to develop a Business Continuity Plan.

The structure of the Workbook is based on the steps detailed in the Business Continuity Management Better Practice Guide published by the Australian National Audit Office. It is recommended that users of this Workbook first familiarise themselves with the concepts and processes discussed in the Guide. The content of the Workbook comprises general guidance, examples and worksheets. These should be adapted as required to ensure that key information and decisions are fully documented. It is intended that the steps in the Workbook be followed sequentially. The Workbook may be completed individually or be used as the basis to facilitate group sessions.

Step one: Project initiation

A plan should be prepared to manage the business continuity project. The following outline is a suggested structure for this plan. If a plan has been completed, insert it in this section.

1. Introduction
1.1 Background/Introduction: Why is the project being conducted?

2. Business objectives
2.1 Objective of the project: Detailed objectives and outcomes of the major steps below

3. Requirements specification
3.1 General requirements: Project sponsor; Project manager; Business unit involvement
3.2 Contracting considerations: Primary contractor (if expert contractors are engaged); Intellectual property; Project reporting; Variations to cost; Warranty rights
3.x Phase (for each phase of the project): Objective of the phase; The steps involved; The outcomes from the phase; Organisational resources that will be allocated to the project team; The project team's roles and responsibilities; Reporting requirements for the phase

4. Project deliverables and milestones
4.1 Project reporting: How will the project team report to the Organisation? What information will the project team provide: Status of the project; Percentage completed; Expected deliverables; Issues for note or action
4.2 Deliverables and milestones: Tables listing the deliverables and receivables that are required to meet the objectives of the project

5. Project budget and administration
5.1 Budget: Staff resources; Contract resources; Sources of funds
5.2 Administration: Change control; Resources and payment plan linked to deliverables; Resource constraints; Critical success factors

6. Roles and responsibilities
6.1 Responsibilities: Approvals for budget, sign-off of phases, acceptance and implementation of recommendations
6.2 Project hierarchy: Chief Executive, Project Steering Committee, Project Manager, Project Team(s) reporting to the Project Manager
6.3 Service provider/contractor: Expectations and deliverables; responsibilities of the service provider

Step two: Key business processes identification

Introduction

Business processes are made up of the activities undertaken within each process and the resources consumed by, or applied to, each activity. The objective of this step is to identify, and rank in priority order, those strategic, operational and support business processes that are critical to the production of organisational outputs and hence the fulfilment of business objectives. The identification of key business processes may already have been completed in other risk management and business planning activities undertaken in the organisation. The Organisation's Corporate Plan, Business Plans and Risk Management Plan are good starting points. If this is the case, this step in Business Continuity Management should confirm that the process descriptions are still valid and rank the processes in terms of their relative importance to achieving organisational objectives. The following instructions will assist organisations to identify and rank their business processes. The results of this activity should be entered on the worksheet at Appendix 1.

Instructions for completing the worksheet (Appendix 1)

1. Determine and document overall business objectives
Obtain or establish the business objectives for the business unit. The objectives for each business unit should support, and be consistent with, the overall organisational objectives, vision and mission established in the Corporate Plan. Objectives are usually framed in terms of the effectiveness of outputs and may have a time, cost, quantity and/or quality dimension. Document the business unit objectives on the worksheet.

2. Identify business processes
For each business objective, map all of the business processes undertaken within the business unit or service area. The structure of many organisations follows the strategic, operational and support business process categorisations discussed in the accompanying Guide. Page 32 of the Guide provides an outline of generic mega and major business processes that apply to most public sector organisations, under each of these categories. This structure may be a useful starting point for establishing a common language and understanding of what a business process is.

3. Determine and rank key business processes
Once an inventory of all business processes has been established for the business unit or service area, it is necessary to determine which of these are critical to achieving organisational objectives. All business processes will contribute in some form to organisational objectives. One approach is to first determine which objectives are the most important and to match the business processes to those objectives. It is then necessary to determine, from within these processes, those that are integral to achievement of the key objectives. Generally, all operational processes can be considered to be key. It is more likely that some support processes, such as publishing and public relations, and some strategic processes, such as those associated with process improvement and quality assurance (but not quality control), will not be mission critical. It is suggested this ranking of processes is undertaken as a facilitated group session using a vertical slice of employees from within the business unit or service area.

4. Analyse key business processes into activities and resources and rank in priority order for recovery
Each key business process should be dissected into the activities undertaken for that process and the resources consumed by or applied to the activities.
!'|s ca oc ac'|cvco o | |st cos|oc| t'c c|t|ca| succcss |actos cou|co |o t'c occss to ct |ts ous|css oo,cct|vcs. |csouccs a||co to act|v|t|cs s'ou|o oc cos|occo | tcs o| co|c, |ac|||t|cs, tc|ccou|cat|o ||oat|o sstcs ao ous|css occsscs. Ocat|oa| acas s'ou|o cos|oc o| t'c ocat|oa| act|v|t|cs ao csouccs t'at cta| to t'c| occsscs. !'c suot act|v|t|cs ao csouccs .||| oc aa|sco o t'c suot acas. !'c ost c|t|ca| act|v|t|cs ao csouccs |o cac' 'c ous|css occss .||| oc a||ooco t'c '|'cst |o|t | ccovc. !'cc|oc |t |s cccssa to a' t'csc a|so .|t'| cac' occss. Occ a a'| 'as occ acco |o cac' act|v|t ao csoucc t'csc s'ou|o oc ctcco o t'c .o's'cct. !'c C'|c| |ccut|vc O|| |cc ao/o a ao|atc aacct co|t tcc s'ou|o acc t'c a'| o| act|v|t|cs ao csouccs. !'c |o||o.| ca|c s'o.s .o's'ccts |o a ocat|oa| occss ao a suot occss co|ctco to t'|s stc. 10 Guide to Effective Control Guide to Effective Control Priority listing of key business processes, activities and resources Example: business support process Oo,cct|vc. suot t'c oa|sat|o o ov|o| t|c|, accuatc, c||ao|c oua||t scv|ccs |a' |occss C|t|ca| succcss |actos Act|v|t|cs ao csouccs |AO 1 |ao|| |act o| |ot|'t| 1. |ao|| tca sa|a|cs ao a||o.accs to 2. ||| sstc a|| sta|| o t|c 3. |ao|| sstc -. Cou|cat|os ||' to oa' 2 ||||| 3 |a| Accouts Example: operational process Oo,cct|vc. occss ao a occ| |ts to ooa ||oc cc||cts o t|c, |o t'c cocct aout |a' |occss C|t|ca| succcss |actos Act|v|t|cs ao csouccs |AO 1 |a occ| |ts |act o t|c 1. |cc||ts act tcas 2. |cc| |ts act sstc 3. Cou|cat|os ||' to oa' -. C'couc oouct|o sstc A|so otc c||acc o a|| oo |o t|c| o|satc' o| c'coucs 2 |occss c. a||cat|os 3 |oo|| acc octa||s |otcs. 1. !'c |AO (a|u accctao|c outac) 'as ot occ co|ctco at t'|s stact'at |s t'c ct stc | t'c occss. 2. !'c occ| |ts act occss 'as otco |ts c||acc o a ous|css suot occsst'at |s, t'c a|| oo (|c|st). A scaatc aa|s|s s'ou|o oc coouctco |o |c|st. 3. 
!'c csu|ts o| a|| aa|scs ac coo|co to octc|c c||acc o coo csouccs ao act|v|t|cs ao |tc-occocc|cs oct.cc csouccs ao act|v|t|cs. 11 Business Continuity Management Business Continuity Management Step three: Business impact analysis (BIA) Step three: Business impact analysis (BIA) !'c ||A |s uocta'c |o a|| 'c ous|css occsscs ao scts t'c ccovc |o|t|cs, s'ou|o t'osc occsscs oc o|sutco o |ost. !'c |o||o.| coccts ac c|cvat. Business continuity concepts relevant to the BIA Concept Description Outage extraordinar y event loss of key business processes high impact Maximum Acceptable Outage (MAO) threat to achieving business objectives Business impact analysis scenario |t |s usc|u| to cstao||s' a scca|o | .'|c' t'c oa|sat|o 'as su||cco a outac. !'|s ass|sts t'c co|c uocta'| t'|s ccc|sc to cos|oc t'c| ous|css occsscs | t'at cotct. !'c |o||o.| scca|o |s ccococo as a stat| o|t. a ||ooo o ||c 'as occuco ao t'c ou||o| |s |acccss|o|ca|| coutc sstcs ao suot| scv|ccs ac uava||ao|c |o a c|oo o| at |cast 30 oas, assuc a .ost casc, t'at |s, t'c tota| ocstuct|o o| .o'|acc csouccs ao ||oat|o tcc'o|o sstcs at t'c .ost oss|o|c t|c, ao aut'o|sat|o 'as occ |vc |o aoo|t|oa| sta||, ovct|c, c|occ |ooo, tavc| ao accoooat|o ccscs ctc, |o ass|stacc | csto| cssct|a| ous|css act|v|t|cs. A outac |s a ctaoo|a cvct, caus| a o|sut|o to, o |oss o|, 'c ous|css occsscs, .'|c' 'as a '|' |act o t'c oa|sat|o !'|s |s o|st|ct |o oo.t|c o sstcs |a||ucs t'at a occu as a at o| oa| ocat|os .'cc t'c |act s|| couccs t'c c||cct|vc ut|||t o| occsscs | t'c s'ot tc !'c |AO |s t'c t|c |t .||| ta'c oc|oc a outac t'catcs a oa|sat|o ac'|cv| |ts ous|css oo,cct|vcs !'c |AO oc||cs t'c a|u t|c a oa|sat|o ca suv|vc .|t'out 'c ous|css |uct|os oc|oc ccovc occoucs ust coccc The objective of this step is to determine a maximum acceptable outage (MAO) for each critical activity and resource identified in step two. 
12 Guide to Effective Control Guide to Effective Control |o ot cos|oc a cuct cot|u|t |as .'c octc|| |acts csu|t| |o |oss o| scv|ccs. A|| oas c|cccco ac ca|coa oas, ot ous|css oas. Establishing a framework for assessing the impact of a business interruption \c ac a'| a asscssct |o t'c o|t o| v|c. a outac 'as occuco. !'|s outac 'as a||cctco t'c c|oacc o| 'c occsscs | t'at c|t|ca| act|v|t|cs 'avc ccasco ao c|t|ca| csouccs ac ot ava||ao|c. \c cco to a'c a ,uocct o 'o. |o t'c oa|sat|o ca suv|vc .|t'out t'csc 'c occsscs oc|oc |t t'catcs t'c ao|||t o| t'c oa|sat|o ac'|cv| |ts oo,cct|vcs. Occ |ts occus, ao outac a 'avc a a|| |cat|os. \c cco to asscss t'c |act o| t'c outac aa|st a acco |ac.o' to octc|c ao cstao||s' t'c a|u accctao|c outac (|AO) |o cac' ous|css occss. !'|s ccos oc cos|occo at t.o |cvc|s. asscss| t'c ovca|| |act o| |oss o| a occsst'|s 'as ooao| occ ac'|cvco (at |cast | at) o a'| t'c occss| | ooc o| |o|t to t'c oa|sat|o, ao asscss| t'c |act o| t'c |oss o| t'c cocsoo| act|v|t|cs ao csouccs to octc|c 'o. |o t'c occss ca oc .|t'out t'at act|v|t o csouccs ut|| |ts o. succcss |s t'catcco. The framework A oo,cct|vc ao cos|stct oas|s o .'|c' to asscss t'c |act o| a outac ccos to oc cstao||s'co. !'|s .||| csuc t'c oa|sat|o |s cos|oc| t'c sac |actos .'c octc|| t'c |AO. !'c |cvc| o| |act ca oc asscssco |o cac' act|v|t ao occssco us| a sca|c s|||a to t'c tao|c oc|o.. Example: scoring level of impact of business disruption Level of Impact Assessment Score |tcc !'catcs o||t|ca| ao ous|css v|ao|||t 5 |a,o S||| |cat |act o ous|css o|vcs - |oocatc |a,o |act o s'ot tc ous|css ocat|os 3 ||o |covc|ct out o ca| oo| ous|css |act 2 ||| |ccos|oc t'c |c|us|o o| t'|s as a c|t|ca| csoucc 1 !'c |AO |s sct at t'at o|t .'cc t'cc .ou|o oc a a,o |act (Scoc-) o t'c ao|||t o| t'c act|v|t o csouccs ao t'cc|oc t'c occss .ou|o |a||. 
| c||cct, .c ac sa| t'c ous|css occss ca oo .|t'out t'|s act|v|t o csoucc |o a t|c uoc t'at o|t .'cc t'cc |s a a,o |act ao |t .||| ot a||cct t'c oa|sat|o ac'|cv| |ts oo,cct|vcs. 13 Business Continuity Management Business Continuity Management Ccatc t'a tc c cct |act o ac'|cvcct o| 'c c|oacc tacts Example: detailed evaluation criteria for assessing business impact 5 (|tcc) |cat' o| sta|| ||ac|a| |oss | cccss o| $1 ||||o |cstuct|o o sc|ous oaac to ost asscts |oa| Co|ss|o Oa|sat|o |ouo ||ao|c | |ca| act|o |cat' o sc|ous |,u to c||cts ||ac|a| |oss to c||cts | cccss o| $1 ||||o ' to tc c cct |act o tacts - (|a,o) |,u to sta||, |oss o| c|t|ca| ass o| sta|| ||ac|a| |oss o| u to $1 ||||o |cstuct|o o sc|ous oaac to 'c 's|ca| o ||oat|o asscts |a||acta |ou| Oa|sat|o, C|O ao t'c |oao t'c suo,cct o| |ca| act|o S||| |cat |oss o| acccss to scv|cc c.. |ao|||t to ov|oc aoato o||os .|t'| |c|s|at|vc t|c|ac |cac' o| Coo.ca|t' |a. ao cu|at|os ' to ||vc c cct |act 3 (|oocatc) |cact |oss o| 'c sta|| ||ac|a| |os o| u to $100,000 |aac to 's|ca| o ||oat|o asscts |||stc|a| oucst|o | t'c |a||act |a,o o|sut|o o| acccss to scv|cc |a||uc to co| .|t' ||ac|a| ||cctos ao C'|c| |ccut|vc |stuct|os ' to oc c cct |act 2 (||o) !coa |oss o| 'c sta|| ||ac|a| |oss o| u to $10,000 asscts | va|uc Aovcsc cocts | css ||o o|sut|o o| acccss to scv|cc |a||uc to co| .|t' |tca| u|oc||cs |o |act o ac'|cvcct o| outut tacts 1 (|c|||o|c) |c sta|| ava||ao|c |o a |c. 'ous |tca| |act o| |o |act o c||cts/ sta'c'o|ocs |a||uc to co| .|t' |tca| |stuct|os Rating Outputs Resources Reputation Clients/ Compliance (time, cost, (staf f, information, stakeholders quality) financial assets) |cac' o| Cost|tut|o Area of impact |c|o. |s a ca|c o| octa||co c|tc|a .|t' .'|c' to octc|c t'c |cvc| o| |act o| a outac |o a at|cu|a act|v|t o csoucc. !'csc c|tc|a s'ou|o oc cos|stct .|t' a suc' c|tc|a cstao||s'co |o t'c top down |s' aacct occss. 
14 Guide to Effective Control Guide to Effective Control occ||ts Example: assessing MAO for activities and resources Key Activities and resources required Impact of Interruption MAO business process 1-2 3-5 6-15 16-30 ~ 30 oas oas oas oas oas |ao|| 1. |||sa|a|cs tca 1 - - - 5 2 oas 2. Sa|a|cs sstc 1 2 - - 5 15 oas 3. || sstc 1 1 1 2 - 30 oas -. Cou|cat|os ||' to oa' 1 1 2 3 - 30 oas |act o| 1. |cc||ts act tca 1 2 - - 5 5 oas 2. |cc| |ts act sstc 1 1 2 - - 15 oas 3. Cou|cat|os ||' to oa' 1 1 - 5 5 15 oas -. C'couc oouct|o 1 1 2 3 - 30 oas Notes: 1. !'c |AO |o cac' act|v|t/csoucc |s sct at t'c o|t .'cc a - at| ao aoovc |s asscssco. 2. !'c |AOs cstao||s'co s'ou|o oc acco to o t'c C'|c| |ccut|vc ao t'c |us|css Cot|u|t |aacct Stcc| Co|t tcc. |cta||s o| t'c acco |AOs s'ou|o oc ctcco o t'c .o's'cct | Aco| 1. The assessment of the MAO practice 's| t'c ca||c ca|c, t'c |AO |o cac' act|v|t ao csoucc |s scoco t'c scoc |s oasco o cos|ocat|o o| t'c |act o| |ts |oss. !'c asscssct | t'c |o||o.| tao|c |s oasco o t'c |act c|tc|a octa||co o t'c cv|ous ac. Consolidation of MAOs by resource !'c aoovc ca|c ocostatcs a coo csoucc t'at |s usco | oot' occsscs. !o ass|st | octc|| |tc-occocc|cs ao to cstao||s'| t'c |AO |o coo csouccs t'c oa|sat|o a .|s' to coso||oatc t'c |AO sc'cou|c o a csoucc oas|s. !'c |o||o.| tao|c ca oc usco |o t'|s uosc. Example: consolidation of common resources Resources Impact of interruption MAO 1-2 3-5 6-15 16-30 ~ 30 oas oas oas oas oas Ocat|oa| sta|| (o ous|css u|t) Suot sta|| (o scv|cc aca) Ocat|oa| |! sstcs (o sstc) Suot |! sstcs (o sstc) Cou|cat|osvo|cc Cou|cat|osoata |ac|||t|csou||o|s (o |ocat|o) |ac|||t|cs|at ao cou|ct (o catco) ||oat|o's|ca| ccoos ||oat|oc|ccto|c oata 15 Business Continuity Management Business Continuity Management Step four: Design continuity treatments !'c accoa| Cu|oc (at ac 39) o|scusscs a ac o| oss|o|c tcatct ot|os |o va|ous csouccs. |ac' ot|o ccos to oc cva|uatco | |st | tcs o| |ts t|c to ||cct ao t'c | tcs o| |ts cost. 
!'c t|c to ||cct cac' ot|o |s coaco to t'c |AO |o t'c csoucc/act|v|t. O| t'osc ot|os t'at ca oc ||cctco .|t'| t'c |AO cco to oc cos|occo |ut'c. !'c c|at|vc cost o| t'csc ot|os |s t'c coaco to octc|c t'c ost cost-c||cct|vc so|ut|o. A s||c ca|c |vo|vcs t'c c'o|cc oct.cc a 'ot s|tc ao a co|o s|tc |o oac'-u coutc occss|. || oot' ot|os ca oc ||cctco .|t'| t'c |AO |o t'c act|v|t|cs ao csouccs t'c c|acc, |t .||| cca|| oc |css ccs|vc to a|ta| a 'co|o' s|tc. |o.cvc, || a|ta|| a 'ot s|tc |s t'c o| cas o| c-cstao||s'| t'c act|v|t o csoucc .|t'| t'c |AO, t'c cost |s ot so uc' t'c |ssucout 'o. to ac'|cvc |t at t'c ocst cost. !'c |o||o.| costs a oc c|cvat | t'c ccovc c|oo |o |tc| occss| aaccts. outs|oc scv|ccs, tcoa c|occs, cccc uc'ascs, cta|/|casc o| cou|ct, .acs a|o to |o|c sta||, ao tcoa c|ocat|o o| c|occs. !'c .o's'cct at Aco| 2 ca oc usco to oocuct t'|s occss ao as a at|oa|c to suot t'c tcatcts ot|os sc|cctco. Step four: Design continuity treatments The objective of this step is to determine cost-effective treatments for responding to an outage, establishing interim processing arrangements and restoring the lost activity(ies) and resource(s). 16 Guide to Effective Control Guide to Effective Control 17 Business Continuity Management Business Continuity Management Appendices Appendices 1. Worksheet for key business processes identification and business impact analysis 2. Worksheet for evaluation of treatment recovery options 18 Guide to Effective Control Guide to Effective Control Appendix 1. 
Worksheet for key business processes identification and business impact analysis 1.1 Business unit/service area details |us|css u|t/scv|cc aca Cotact ac !|t|c |'oc uoc |ocat|o |a|| 1.2 Business unit key objectives, outputs, and performance indicators |us|css u|t oo,cct|vcs Oututs o scv|ccs |o cac' |c|oacc |o|catos (| |o|t ooc) oo,cct|vc 1 2 3 19 Business Continuity Management Business Continuity Management 1.3 Identification of key business processes and business impact analysis Business objective: Column 1 Column 2 Column 3 Column 4 Key business process Critical success factors Activities and resources required MAO 1 1 2 3 2 1 2 3 3 1 2 3 - 1 2 3 20 Guide to Effective Control Guide to Effective Control Appendix 2. Worksheet for evaluation of recovery treatment options |csoucc(s). Options Time to Within MAO Full cost Cost-ef fective implement (days) Yes/No (list components) Yes/No |csosc 1 2 3 |tc| occss| 1 2 3 |cstoat|o 1 2 3 Ot'c |ssucs 1 2 3