
Post Incident Management

Business Continuity Plan

Do I need Business Continuity?

You are part of a successful business. However, in this uncertain world, you need a business that is flexible: one that can change with differing conditions and remain strong through any disaster, be it natural or malicious.

What if a crisis prevented delivery to a key customer? How would a major incident affect the morale of your employees? Would serious damage to your premises or resources affect your ability to carry on the business?

Small Business
If you are part of a small business then you are more likely to suffer from any incident that prevents your business from functioning normally. The slightest delay in supporting your customers can and will be costly.

What is a Business Continuity Plan?

Business Continuity Planning (BCP) takes business protection beyond the disaster recovery plan, which focuses only on the short-term re-establishment of your business following an incident. It is a proactive approach, identifying potential threats before they occur and planning an organised response so that the effects of the incident are minimised.

For example
If your business was hit by a fire:
A BCP would cover all anticipated effects of such a disaster and detail plans and actions to minimise the damage to your business. Most importantly, it would guide you through the incident and direct your resources and efforts in the right direction to bring normality back to your business as soon as possible.

A generic BCP can provide the basis of any response no matter what the nature of the incident is.
(specific details can be aimed at particular problems within the plan)

Concerns?
If your premises were hit by a fire, would all the computer systems also be affected? If so, would you lose vital information about suppliers, customers and orders? Would documents and paperwork also be destroyed?

BCP Benefits
Business Survival
Prepare for the worst.
- If well practiced, staff and management will be able to respond to an incident appropriately
- Resources necessary to support the business through an incident will be identified and available
- Any alternative premises and resources will be ready for use

Business Continuity Plan


- Increased dependency by the business over recent years on computerised production and sales delivery mechanisms, creating increased risk of loss of normal services
- Increased dependency by the business over recent years on computerised information systems
- Increased likelihood of inadequate IT and information security safeguards
- Increased recognition of the impact that a serious incident could have on the business
- Need to establish a formal process to be followed when a disaster occurs
- Need to develop effective back up and recovery strategies to mitigate the impact of disruptive events
- An intention to lower costs or losses arising from serious incidents
- Avoidance of business failure from disruptive incidents

BCP Benefits
Risk management
- Identify, manage and mitigate as many risks as possible
- Reduce the risks where necessary
- Promotes a safer working environment and improves working conditions

BCP Benefits
Responsibility
- A company that takes BCP seriously will be a more attractive proposition for bankers, investors, insurers, customers and employees
- A business with a BCP will have a responsible management

BCP Benefits
Employee satisfaction
- A sound working environment
- Welfare and safety concerns of the employee addressed
- A BCP shows your employees that they are important to the survival of the company
- Training exercises and drills are vital to the successful implementation of a BCP

Policy Statement
- A formal risk assessment should be undertaken in order to determine the requirements for the Business Continuity Plan.
- The Business Continuity Plan should cover all essential and critical business activities.
- The Business Continuity Plan should be periodically tested in a simulated environment to ensure that it can be implemented in emergency situations and that the management and staff understand how it is to be executed.
- All staff must be made aware of the Business Continuity Plan and their own respective roles.
- The Business Continuity Plan is to be kept up to date to take into account changing circumstances.

A similar policy statement to this should be communicated to all management and staff as part of its information security policy management process.

Planning Costs
- Cost of the Resources required to support BCP Project Management
- BCP Planning Tools, Templates and Reference Materials
- Additional equipment e.g. PCs, printers, laptops, mobiles, software etc. for the BCP Planning Team

Project Manager
- Position on Project Team
- Date position becomes effective
- The person to whom the Project Manager reports
- Levels of authority for operational issues and financial expenditure
- Level of resources required by the position
- Project structure
- Responsibilities for assessing risk and measuring impact
- Responsibilities for preparing and testing the Plan
- Deliverables from the project
- Responsibilities in the event of an emergency occurring
- Duties in respect of training and awareness
- Responsibilities for on-going BCP maintenance

Project Team Meeting


- Introduction to BCP by the BCP Project Manager
- Project organisation structure
- Project initial information requirements
- Consideration of causes of potential disasters or emergencies
- Preliminary consideration of key business processes
- Consideration of impact of potential disaster or emergencies
- BCP methodology
- Project milestones
- BCP testing
- BCP training
- Frequency of BCP Team Meetings

Objectives
- Business Risk and Impact Analysis
- Documented activities necessary to prepare the organisation for possible emergencies (including strategic recovery measures)
- Detailed activities for dealing with the Disaster Recovery Phase
- Procedure for managing the Business Recovery Process
- Plan for testing the Business Recovery Process
- Plan for training the staff in the Business Recovery Process
- Procedure for keeping the Plan up to date

Required Information
- Organisation chart showing names and positions
- Existing BCP (if available)
- Staff emergency contact information
- List of suppliers and contact numbers
- List of professional advisers and emergency contact information
- List of emergency services and contact numbers
- Premises addresses and maps
- IT system specification
- Communication system specification
- Copies of maintenance agreements / service level agreements

Required Information
- Existing evacuation procedures and fire regulations
- Health and Safety procedures
- Operations and Administrative procedures
- Personnel administrative procedures
- Copies of floor plans
- Asset inventories
- Inventories of information assets
- IT inventories
- Off-site storage procedures
- Relevant industry regulations and guidelines
- Insurance information

Potential Hazards
- Tornado
- Hurricane
- Flood
- Snow
- Drought
- Earthquake
- Electrical Storm
- Fire
- Subsidence and Landslides
- Freezing Weather
- Contamination
- Environmental Hazards
- Epidemic
- Explosion
- Suicide Bomber
- Dirty Bomb
- WMD

BCP Process

Disruption
- Terrorism
- Sabotage
- War
- Crime
- Arson
- Labour Disputes

Utilities
- Electric Failure
- Loss of Gas supply
- Loss of Water
- Contaminated Water
- Fuel Shortage
- Lack of Communications
- Loss of Waste removal

Security System
- Cyber Crime
- Loss of Data
- Disclosure of Materials
- IT failure
- Virus

Other Emergencies
- Workplace Violence
- Public Transport
- Neighborhood Issues
- Health and Safety
- Morale
- Take over
- Legal Matters

Key Processes
- E-commerce processes
- E-mail based communications
- Other on-line real-time customer services
- Production line
- Production processes
- Quality control mechanisms
- Customer service handling
- Maintenance and support services
- Sales and sales administration

Key Processes
- Finance and treasury
- Research and development activities
- Human resources management
- Employees
- Information technology services
- Premises (Head Office and branches)
- Marketing and public relations
- Accounting and reporting
- Strategic and business planning activities
- Internal audit

Impact Factors

Key Personnel
This section includes information on each of the key personnel responsible for handling emergency procedures. These persons should be fully familiar with the implementation of these procedures and should have received any necessary training (if appropriate) for handling technical or specialised tasks.

BCP Leader
Typical responsibilities include:
- Determine the objectives and policies surrounding the BCP
- Coordinate, organise and manage the BCP team and project
- Provide a point of contact for emergency services and develop a coherent message for the organisation
- Present the BCP to management and employees
- Develop a project plan and forecast financial implications
- Define the BCP management structure and team
- Manage the whole process from plan to execution

BCP Team
Plan Coordinator
Manages the process and coordinates various tasks and teams

Senior Management
Approves the plan, authorises finances and sets realistic goals

Human Resources
Hires additional personnel if assistance is required during the planning stages

Media Liaison
Prepares and delivers a media strategy in the event of a disaster

BCP Team
Legal
Available to assist with any insurance issues, legal matters and welfare concerns

IT Security
Responsible for IT before, during and after an incident. Maintains the data throughout the process

Security
Liaises with first responders and is responsible for the physical security of your business

BCP Team
Facilities
Maintains facilities during a crisis

Emergency Team (selected employees)


Responds to the incident and implements the BCP

Damage Assessment
Reports on the damage and effects of any incident

Off-site
Maintains records, data, documentation and files essential to the business

BCP Team
Alternate Site
Identifies an alternative location from which the business can continue to operate

Repair
Responsible for getting the business up and running by carrying out any repairs to premises and / or IT systems

Emergency Services
- A comprehensive list of services and contact numbers should be kept up to date
- Liaisons should be maintained between your Organisation and personnel you will rely on

Building Requirements
- Freehold or leasehold
- Responsibility for maintenance
- Insurance coverage
- Responsibility for emergency repairs
- External approvals needed before work can commence
- Internal approvals needed before commissioning contractors
- Procedures for obtaining approvals in emergency situations
- Persons responsible for premises recovery activities, with emergency contact details
- Persons responsible for approving repairs or replacement for equipment or furniture, with emergency contact details

Organizational Chart

Disaster Recovery Team


- Key members of Senior Management
- Personnel Manager
- Facilities Manager
- Fire and Safety Officer
- Maintenance Staff
- IT technicians
- Communication technicians
- Security staff
- Information Security Officer

Status
- Is there an actual or potential threat to human safety?
- Is there an actual or potential serious threat to buildings or equipment?
- Is there likely to be a need to involve the emergency services?

If the answers to any of the above are positive then the Disaster Recovery Team should also be notified.

Training
"The training is to be carried out in a comprehensive and exhaustive manner so that staff become familiar with all aspects of the recovery process. The training will cover all aspects of the Business Recovery activities section of the BCP including IT systems recovery". Consideration should also be given to the development of a comprehensive corporate awareness programme for communicating the procedures for the business recovery process.
