Government of Saskatchewan Government of Saskatchewan
BUSINESS CONTINUITY PLANNING GUIDELINES – v 06.1 (March 06)
Government of Saskatchewan
Disclaimer This guide has been developed by employees of the Government of Saskatchewan for use by Government Departments and Agencies, Executive Management, and those with the delegated responsibility for Business Continuity Planning. The guide is published by Government of Saskatchewan. Copies of this guide have been distributed by the ITO and are available for public use. This work is copyright, all Rights are reserved. The Writing Team acknowledges the time and expertise voluntarily given in the development of both The BCI Good Practice Guidelines and this Planning Guide. Contributors to the new guidelines have freely donated their copyright and information proprietary rights so that we will be able to ensure that the guidelines remain current and complete. The Writing Team also thanks all copyright holders for permission to reproduce their material. If any holders have been inadvertently omitted we will be pleased to make the necessary amendments to acknowledge copyright at the earliest possible opportunity. The sponsors and participants in the development are not liable, without limitation, for any consequences incurred, or any loss or damage suffered by an organization or by any other person as a result of their reliance on the information contained in this Guide or resulting from their implementation or use of the accompanying Workbook. Inclusions of references to vendor concepts or methods in these guidelines are for information purposes only. The appearance or absence of a vendor or product in this publication should not be construed as an endorsement or non-endorsement of a specific vendor, product, or company by any persons involved in the development of these guidelines. These Guidelines may be used freely provided that the source of the material is fully acknowledged, it is not amended (except with permission) and that it is not used directly for commercial gain. Permission is given by the copyright owner for any person to reproduce this document or any part thereof, for educational purposes and on a non-profit basis. Requests and inquiries concerning reproduction and rights should be addressed to the ITO. Acknowledgements Acknowledgment is given to the following individuals and their organizations for their insight, support and participation in the development and authorship of this document. Writing Team: Information Technology Office
- Judy Dudley
-
co-chairperson
Saskatchewan Research Council
- Dave Arnott, MBCI, CBCP
-
co-chairperson
Information Technology Office
- Jo Wu,
-
member
Saskatchewan Property Management
- Sue Mepham, CRM
-
member
Saskatchewan Property Management
- Marnie MacCallum, CRM
-
member
Public Service Commission
- Don Black,
-
member
Justice / Corrections and Public Safety
- Tricia Flude, BAdmin, ABCP
-
member
Review Team: CPS, Emergency Management Office
-
Kevin Roche
Saskatchewan Health Information Network
-
Jeff Livingstone
Saskatchewan Highways and Transportation
-
Randy Schmidt
BUSINESS CONTINUITY PLANNING GUIDELINES – v 06.1 (March 06)
Government of Saskatchewan
Table of Contents
Preface Glossary A. Business Continuity Management Overview The Business Continuity Management Life Cycle B. Business Continuity Management Program BCM Policy Managing the Program Incident Readiness and Response C. Business Continuity Responses Crisis Management Plan Business Continuity Plan Business Unit Resumption Plans D. Business Continuity Implementation Components Understanding Your Business Organization Strategy Business Impact Analysis Risk Assessment BCM Strategies Department (Organization) Strategy Mission Critical Strategy Resource Recovery Strategy E. Business Continuity Sustaining Components Developing a BCM Culture Assessing BCM Awareness Developing Culture Monitoring Cultural Change Exercising, Maintenance and Audit Exercising Maintenance Audit Appendices Appendix A - NFPA 1600 - Planning Guide Relationship Appendix B - Professional Skills Mapping Appendix C – BC Coordinator Position Description Appendix D – Examples
BUSINESS CONTINUITY PLANNING GUIDELINES – v 06.1 (March 06)
i iv 1 5 6 6 8 10 12 14 17 19 23 23 24 27 31 37 43 46 48 51 51 52 55 59 61 62 67 69 73 74 80 83 85
Government of Saskatchewan
Preface The Government of Saskatchewan must ensure that its services and programs are available when required. It must ensure that it can recover from incidents and outages or widespread disasters in a prudent, timely fashion. In addition to continuing to provide services during major disaster, governments have the added responsibility of continuing governance itself. Continuity of Government plans are necessary to ensure that government is maintained. These plans should include lines of succession, delegations of authority in the event of emergency, alternate locations for government agencies, and processes to reconstitute a government body. In all circumstances LIFE and SAFETY will be our first priority. Our policy and practice is to conduct operations with the highest regard for the safety and health of our employees and the public and for the protection and preservation of property and the environment. In the event of major or catastrophic community wide or regional loss it is recognized that our first priority will be to deal with the well being of our families. In hazardous environments and situations we err on the side of caution to safeguard personal life and safety at all times. As Saskatchewan Government agencies continue to adopt enterprise management approaches, business continuity practices must follow suit. A factor contributing to the need for an enterprise approach of business continuity within government is the increasing reliance of organizations on information sharing and communication to perform functions. Because of the need for an enterprise-wide perspective in business continuity, governments must view business continuity as a Business priority rather than just an IT priority. The Provincial Auditor Fall 2002 Volume 2 Report, indicated the following: •
Many agencies that had Disaster Recovery plans in 1999 have not kept them current.
•
Most of the agencies reported that they periodically back-up their systems and data, and store their back-ups offsite.
•
Fifty percent (50%) of agencies reported that they have a contingency plan for their significant IT systems. This is down considerably from 1999.
•
Only sixteen percent (16%) of agencies that have contingency plans, meet all of the criteria listed in the survey.
•
The 32 agencies that completed the survey listed over 400 critical systems. Agencies ranked over 250 of these systems as being very critical.
The Provincial Auditor 2004 Report recommended that agencies: •
Specify which systems are critical to the mission of the agency.
•
Base their contingency plans on a risk analysis which ensures management is aware of its significant risks and how to address those risks.
•
Specify in their contingency plans the acceptable recovery time for each IT system. and
•
Test and approve their contingency plans and store them off-site in a safe location.
BUSINESS CONTINUITY PLANNING GUIDELINES - v 06.1 (March 06)
i
Government of Saskatchewan
The ITO has adopted ISO 17799 Code of Practice for Information Security Management. The Standard offers guidelines and directions for information security management. The document includes controls on Business Continuity Management that are outlined briefly below as Business Continuity Management Process: •
Understand the risks faced in terms of likelihood and impact
•
Understand the impact which interruptions are likely to have as well as serious incidents that could threaten the viability of the organization
•
Formulate and document a business continuity strategy consistent with the agreed business objectives and priorities;
•
Regularly test and update the plans
•
Ensure the management of business continuity is incorporated in the organizations processes and structure.
Objective The objective of this guide is to provide a consistent approach to Business Continuity plan development within the government. All government departments and agencies are encouraged to adopt this guide in developing their departmental plan so that there is a uniform and consistent process in Business Continuity Management in government.
Audiences The principles in these guidelines are applicable to all organizations of any size, sector and location – from those with a single site to those with multiple and remote locations. The approach taken in development included research of other jurisdictions’ experiences and industry best practices in business continuity planning. These guidelines are intended for use by designated department or agency Business Continuity planners, risk managers, auditors and regulators. It is recommended that newcomers to the discipline attend an appropriate selection of the many endorsed Business Continuity Management courses or work alongside an experienced practitioner.
Reference Sources The primary source for this guide is The Business Continuity Institutes (The BCI) Good Practice Guidelines – 2005. The valuable assistance of The BCI in permitting the use and adaptation of their Guidelines to meet our Provincial requirements is greatly appreciated. Government of Saskatchewan, Justice – Business Continuity Management Planning Guide Government of Saskatchewan, SPM - Business Continuation Planning Guide Province of Alberta, Municipal Affairs, Emergency management Alberta – Business Resumption Guide Province of British Columbia, Risk Management Branch – General Management Guidelines, Business Continuity Management
BUSINESS CONTINUITY PLANNING GUIDELINES - v 06.1 (March 06)
ii
Government of Saskatchewan
Australian National Audit Office – Better Practice Guide Business Continuity Management – Keeping the Wheels in Motion National Fire Protection Association – NFPA 1600, Standard on Disaster/Emergency Management and Business Continuity Programs, 2004 Edition British Standards Institute (BSI) – Publicly Available Standard 56 (PAS 56) The BCI and DRII - Professional Practices for Business Continuity Planners ISO/IEC 17799: 2005 – Code of Practice for Information Security Management
BUSINESS CONTINUITY PLANNING GUIDELINES - v 06.1 (March 06)
iii
Government of Saskatchewan
Glossary Business
The day-to-day operational, administrative and support activities that enable and facilitate the attainment of an entity’s Missions, Goals and Visions.
Business Continuity Management (BCM)
A holistic management process that identifies potential disruptive event’s, provides a framework for building resilience and builds the capability for an effective response that safeguards the interests of key stakeholders, reputation and value creating activities.
Business Continuity Management Program (BCMP)
An ongoing process supported by senior management and funded to ensure that the necessary steps are taken to identify the impact of potential losses, maintain viable recovery strategies and recovery plans, and ensure continuity of services through personnel training, plan testing, and maintenance.
Business Continuity Plan(s) (BCP)
A Plan by an organization to respond to unforeseen incidents, accidents, and disasters that could affect the normal operations of the organization’s critical operations or functions.
Business Impact Analysis (BIA)
A management level analysis that identifies the impacts of losing the entity’s resources. The analysis measures the effect of resource loss and escalating losses over time in order to provide the entity with reliable data upon which to base decisions concerning hazard mitigation, recovery strategies, and continuity planning.
Business Unit Resumption Plan(s) (BRP)
The operational structured response of each department to an interruption / incident of each department of the organization. It identifies, quantifies and qualifies the business impacts of a loss, interruption or disruption of business processes on an organization and provides the data from which appropriate continuity strategies can be determined.
Crisis Management Plan (CMP)
It defines how the strategic issues of a crisis affecting the organization would be addressed and managed by the Executive. The media response to any incident is usually managed through a CMP though some organizations would manage the media under a BCP.
Disaster Recovery Plan (DRP)
Plans by an organization to respond to unforeseen incidents, accidents and disasters that could affect the normal operation of a computerized system.
BUSINESS CONTINUITY PLANNING GUIDELINES - v 06.1 (March 06)
iv
Government of Saskatchewan
Entity
A governmental agency or jurisdiction, private or public company, partnership, not for profit organization, or other organization that has disaster/emergency management and continuity of operations responsibilities.
Incident Management System.
In disaster/emergency management applications, the combination of facilities, equipment, personnel, procedures, and communications operating within a common organizational structure with responsibility for the management of assigned resources to effectively accomplish stated objectives pertaining to an incident.
Maximum Tolerable Outage (MTO)
The timeframe during which a recovery must become effective before an outage compromises the ability of the organization to achieve its business objectives.
Mission Critical Activity (MCA)
The critical operational and/or business support activity without which the organization would quickly be unable to achieve its business objectives.
Mission Critical Record
All administrative and operational records in any form (paper, microfilm, digital or electronic format), which are critical and essential to the resumption of business operations after a disruption.
Mitigation
Activities taken to eliminate or reduce the probability of the event, or reduce its severity or consequences, either prior to or following a disaster/emergency.
Preparedness
Activities, programs, and systems developed and implemented prior to a disaster/emergency that are used to support and enhance mitigation of, response to, and recovery from disasters/emergencies.
Recovery Point Objective (RPO)
The point to which information must be restored to ensure business objectives can be met in line with Maximum Tolerable Outage and Recovery Time Objective for the activity.
Recovery Time Objective (RTO)
The time by which Mission Critical Activity and/or their dependencies must be recovered.
Recovery
Activities and programs designed to return conditions to a level that is acceptable to the entity.
Response
In disaster/emergency management applications, activities designed to address the immediate and short-term effects of the disaster/emergency.
Risk Appetite
The willingness of an organization to accept a defined level of risk in order to conduct its business costeffectively.
BUSINESS CONTINUITY PLANNING GUIDELINES - v 06.1 (March 06)
v
Government of Saskatchewan
Risk Assessment (RA)
An activity to help identify potential causes of interruption to an organization, the probability of occurrence and the potential impact of the threat.
Single Point of Failure
The only (single) source of a service, activity and/or process whose failure would lead to the total failure of a Mission Critical Activity.
Standards: NFPA 1600 BSI PAS 56
National Fire Protection Association – Standard on Disaster/Emergency Management and Business Continuity Programs 2004 Edition. British Standards Institution, Publicly Available Standard 56 - Guide to Business Continuity Management.
Strategy
Broad term usually referring to the formation of a vision and direction, setting mission statements, identifying objectives so that the organizations objectives and goals can be achieved.
Vital Record
Records essential to protect the critical financial, legal, and operational functions of the organization and its customers, employees, shareholders, or other client group’s information without which the business could not operate. Uniqueness and irreplaceability must also be considered.
BUSINESS CONTINUITY PLANNING GUIDELINES - v 06.1 (March 06)
vi
Government of Saskatchewan
A.
Business Continuity Management Overview
What is Business Continuity Management (BCM)? Business Continuity Management is a holistic management process that identifies potential disruptive events, provides a framework for building resilience and builds the capability for an effective response that safeguards the interests of key stakeholders, reputation and value creating activities. To this end BCM must be owned and fully integrated into the organization as an embedded management process. BCM aims to improve an organization’s resilience. By identifying, in advance, the potential impacts of a wide variety of sudden disruptions to the organization’s ability to succeed; it is able to prioritise the efforts of various specialists to achieve resilience in their areas of expertise such as human resources, security, facilities and IT. While concerned with all scales of disruptions, BCM is particularly concerned with developing organization-wide resilience allowing an organization to survive the loss of part or all of its operational capability. It should also look at surviving significant losses of resources such as staff or equipment. Because an organization’s BCM resilience depends on its management and operational staff as well as technology and geographical diversity, this resilience must be developed throughout the organization from senior management to operations staff and across all sites and the supply chain. The driver for this organizational resilience is the responsibility Executive Management has for the long-term wellbeing of the staff, clients and all those who depend on the organization in some way. While it may be possible to calculate the financial losses of disruption the most significant impact is usually in damaged reputation or loss of trust that results from a mismanaged incident. Conversely a well-managed incident can enhance the reputation of the department or organization and its executive management team.
The Case for Business Continuity Management The term “business” is not intended to be a restrictive description of a commercial enterprise, but is used in its broadest context. Where the term business is used it is intended as a generic term to recognize that all organizations are in the business of whatever is their reason for existence. “It won’t happen to us”, “We will cope – we always do”, “We are too big to fail” and “We are not a terrorist target” are frequent responses when the question of the lack of preparedness arises. Others believe their insurance company will pay for everything. Most think they do not have the time to prepare for something that will never happen. The catalogue of organizations that have failed following an incident suggests that these responses are based on false assumptions. While bombs, fires and floods capture the headlines almost 90% of business-threatening incidents are ‘quiet catastrophes’ which go unreported in the media but can have a devastating impact on an organization’s ability to function. Many of the causes are outside of an organization’s control and they are often fully reliant on the capabilities of the emergency services or suppliers who define the recovery timescale of an interruption.
BUSINESS CONTINUITY PLANNING GUIDELINES - v 06.1 (March 06)
Overview - 1
Government of Saskatchewan
In managing any event, a successful outcome is judged by both the technical response and the perceived competence of the leadership. Where an organization has successfully dealt with a crisis the public perception of their value has increased in the long-term; in contrast to those who did not manage the crisis well and whose publicly perceived value and relevance declined and, after a year, had still not recovered.
How will it benefit my organization? The main purpose of BCM is to ensure that the organization has a planned response to major disruptions that threaten its ability to deliver its services. Whilst this must be worthwhile in itself, there are other benefits that can be gained by embracing BCM as a management discipline. Some organizations have statutory and regulatory requirements either specifically for BCM or more generally for ‘risk management’ as part of their governance requirement. An appropriate BCM plan will satisfy both the specific requirements and contribute both a response to specific risks and to the overall ‘risk awareness’ of an organization. However the primary driver for BCM should always be that it is undertaken because it adds value to an organization rather than because of governance or regulatory considerations. A thorough review of the business through Business Impact Assessment and Plan exercises can highlight business inefficiencies and focus on priorities that would not otherwise have come to light. The team spirit generated during the successful management of an incident can improve business performance well after the problem has been solved.
Relationship with other specialist disciplines Defining what is the responsibility of the Business Continuity Management role within a particular organization is influenced by the delegation of responsibility to an individual as well as the jobholder's past experience. This may mean that an individual Business Continuity Manager sees security, IT availability or risk management as the key issue with other areas taking a less prominent role. The view presented in these Guidelines attempts to provide the core discipline of Business Continuity Management while recognising that individual planners are often required, by common sense or direction, to broaden their role because of the circumstances within the organization they work for.
Using the Guidelines Every department and organization is different; it is managed in different ways, is sited in different locations and it changes over time. It is not possible to be prescriptive about the solutions that an organization should adopt.
BUSINESS CONTINUITY PLANNING GUIDELINES - v 06.1 (March 06)
Overview - 2
Government of Saskatchewan
The approach of these guidelines is therefore to outline a process and to suggest methods on the assumption that an appropriate solution will emerge if the correct process is followed. It is recognised that there may be a case where the process outlined may need to be modified to meet the specific needs of an organization. Therefore each organization needs to assess how to apply the guidelines to their own organization. They must ensure that their BCM competence and capability is appropriate to the nature, scale and complexity of their business, and reflects their individual culture and operating environment.
Scope of the Guidelines Analysis of the response of organizations to disruptive incidents shows that those who cope best have integrated their response across the organization. In practice this means that the Crisis Management capability of the senior management team is supported by Business Continuity logistics and the technical support for resumption. The Guidelines therefore focus on the primary role of the BCM practitioner and assume that specialist in other disciplines (IT, Security, HR, Finance and Facilities etc.) will be available to advise on the implementation of these aspects.
Layout of the Guidelines The Guide follows The Business Continuity Institute’s Good Practice Guidelines - Business Continuity Management Life Cycle, which starts with Program Management, and then follows the Cycle from Stage 1 to Stage 5. Though this model demonstrates how the stages fit together in theory, in practice the experienced practitioner will not necessarily strictly follow this progression. For example a ‘scenario-based’ exercise (Stage 5) may provide ‘buy-in’ at the start of a program and plans may be written to provide incident-readiness for the most ‘critical’ functions before requirements for other functions in the organization have been investigated. This guide focuses on the development of Business Continuity Responses (Stage 3) with the other life cycle stages developed as business continuity management implementation and sustaining components. However progress should always be measured against the whole life cycle and across the whole organization.
Structure and Format of the Guidelines Each stage contains: Questions answered
Guideline Stage •
Introduction
•
Skills required
•
The components
What BCM skills are required for this stage Contents described below
BUSINESS CONTINUITY PLANNING GUIDELINES - v 06.1 (March 06)
Overview - 3
Government of Saskatchewan
The structure and format of each component follows a common pattern: Questions answered
Guideline Component •
Introduction
• •
Precursors Purpose
•
Concepts and Assumptions
• • • • •
Process Methods and Techniques Outcomes and Deliverables Review Evaluation Criteria
What needs to be done before this? Why do we need to do it? What will it achieve? What do we need to understand? What assumptions are we making? What do we need to do? What are the tools we need to do it? What should it produce? When should it be done? How do we know if we have got it right?
Feedback All constructive feedback in respect of the guidelines is encouraged and welcomed as it provides a valuable source of comment that will improve the guidelines. Any feedback or suggestions concerning additions or alterations to the content, style or structure of the workbook should be sent to the Information and Technology Office.
BUSINESS CONTINUITY PLANNING GUIDELINES - v 06.1 (March 06)
Overview - 4
Government of Saskatchewan
The Business Continuity Management Life Cycle
The Business Continuity Management Program: • Organization BCM Strategy and BCM Policy. • Business Continuity Management • Incident Readiness and Response Stage No.1: Understanding Your Business: • Organizational Strategy • Business Impact Analysis. • Risk Assessment and Control. Stage No.2: Business Continuity Management Strategies: • Organization BCM Strategy. • Process Level BCM Strategy. • Resource Recovery BCM Strategy. Stage No.3: Developing and Implementing a BCM Response • Crisis Management, Public Relations and the Media. • Business Continuity Plans • Business Unit Plans, Incident Response Stage No.4: Developing a Business Continuity Management Culture • Assessing • Designing and delivering • Measuring results Stage No.5: Exercising, Maintenance and Audit • Exercising of BCM plans • BCM Maintenance • BCM Audit
BUSINESS CONTINUITY PLANNING GUIDELINES - v 06.1 (March 06)
Overview - 5
Government of Saskatchewan
B.
Business Continuity Management Program BCM Policy
Managing the Program
Incident Readiness & Response Introduction To be effective Business Continuity Management must be an accepted management process driven from the top of the organization. It has to be set out in a vision statement that is fully endorsed and actively promoted by the Executive – this is formally presented as the BCM Policy for the organization. A member of the Executive should be given overall accountability for the effectiveness of the organization’s BCM capability. This ensures that a BCM program is given the correct level of importance within the organization and a greater chance of effective implementation. Regulatory Authorities consider that BCM is a cost of doing business and needs to be funded properly. The key to a successful BCM program is the early identification of clearly defined roles, responsibilities and authorities to manage the BCM program and process throughout the organization and the continued readiness of the appropriate personnel to respond when required.
BCM Policy Managing the Program
Incident Readiness & Response
Introduction The BCM Policy of an organization provides the framework around which the Business Continuity Management capability is designed and built. It is a documented statement by the organization’s executive of the level of importance that it places on Continuity Management.
Purpose The purpose of a BCM Policy is to provide a documentation of the principles to which the organization aspires and against which its performance can be audited.
BUSINESS CONTINUITY PLANNING GUIDELINES - v 06.1 (March 06)
BCM - 6
Government of Saskatchewan
Concepts and Assumptions Though the BCM Policy is owned by the executive management, it is assumed that the BCM Team will actually produce it and review it as appropriate.
Process The process to develop a BCM Policy includes: •
Identify a definition of Business Continuity Management
•
Identify and document the components of a BCM Policy
•
Identify any relevant standards, regulations and legislation that must be included in the Policy
•
Identify any good practice guidelines or other organization’s policies that could act as a benchmark
•
Review and conduct a ‘gap analysis’ of the organization’s current Policy (where appropriate) and the external benchmark policy or new Policy requirements
•
Develop a draft of a new or amended Policy
•
Review the draft Policy against organization standards for policies or similar and related policies e.g. IT security
•
Circulate the draft policy for consultation
•
Amend the draft Policy, as appropriate, based on consultation feedback
•
Agree the ‘sign-off’ of the BCM Policy and a strategy for its implementation by the organization’s executive / senior management
•
Publish and distribute the Business Continuity Management Policy using an appropriate version control system
Methods and Techniques The methods, tools and techniques of developing a BCM Policy include: •
Review of organization’s current BCM Policy.
•
Desktop research of external sources for guidance e.g. regulatory, legal, industry good practice, professional bodies.
•
Liaison with industry and professional bodies to understand current and developing issues and drivers.
•
Identification and adoption of components of a Policy of another organization that is considered Good Practice.
•
A current state assessment ‘gap’ analysis and review of internal and external policies to derive core components of a new or amended Policy.
BUSINESS CONTINUITY PLANNING GUIDELINES - v 06.1 (March 06)
BCM - 7
Government of Saskatchewan
Outcomes and Deliverables The BCM Policy which will include: •
The organization’s definition of Business Continuity Management
•
A documented set of BCM Principles, guidelines and minimum standards
•
A documented BCM Operational Framework for the management of the organization’s program
•
An implementation plan for the Policy.
An example of a policy statement is shown in Appendix D.
Review While all organizational policies should be reviewed on an on-going basis, a formal review of Policy is likely to be triggered by a change in the external environment in which the organization operates. Such changes could be regulatory or operational.
BCM Policy
Managing the Program Incident Readiness & Response
Introduction An effective BCM Program will involve the participation of various managerial, operational, administrative and technical disciplines that need to be co-ordinated throughout its life cycle using procedures such as those outlined in these Guidelines. The Program should be managed within the framework and according to the principles contained in the organization’s BCM Policy document.
Purpose The purpose of the management process is to provide the effective ongoing management of the organization’s BCM program.
Concepts and Assumptions Staffing The number of professional BCM planners and staff from other disciplines that may be required to support and manage the program depends upon the size, nature, complexity and geographical location of the department / organization.
BUSINESS CONTINUITY PLANNING GUIDELINES - v 06.1 (March 06)
BCM - 8
Government of Saskatchewan
In some departments and organizations the BCM function may be assigned to an individual along with other operational roles. This may not be fully satisfactory and has the potential to develop into capacity shortfalls and conflicts of interest where the other role involves daily operational responsibilities.
Process The Executive of the organization should: •
Appoint a person or team to manage the BCM Program.
•
Define the scope of the management process and program.
•
Monitor the performance of the management process.
•
The appointed BCM team should (in consultation with the executive): ° Develop and approve a BCM planning process and program. ° Determine the key approaches to each stage of the BCM life cycle as described below ° Undertake or manage the appropriate BCM activities within the organization ° Research the current state of readiness required by legislation and regulation ° Report on the current state of readiness to the Executive on a regular basis highlighting where there are identified gaps
Methods and Techniques The methods, tools and techniques to manage an organization’s BCM program may include: •
These Planning Guidelines.
•
A BCM Program self assessment scorecard. (Example shown at Appendix D)
•
Annual personal performance objectives, agreements and reviews.
•
Supplier and outsource provider relationship management of business services and products.
•
Relationship management i.e. understanding supply capabilities and maintaining key contact lists with suppliers of BCM specialist resources and services.
•
Financial management.
•
Legal and regulatory advice.
•
National and International BCM Standards such as NFPA 1600 and BSI’s PAS 56.
•
Internal and/or independent BCM audits.
•
Cost-benefit analysis.
•
Review and challenge the plan and assumptions.
BUSINESS CONTINUITY PLANNING GUIDELINES - v 06.1 (March 06)
BCM - 9
Government of Saskatchewan
Outcomes and Deliverables The deliverables of the BCM program include: •
A clearly defined and documented BC management program that is agreed by the organization’s executive and senior management.
•
BCM assurance reports at a predetermined frequency.
•
Clearly defined and documented BCM Strategy and Standards.
•
A management process that is an integral part of the organization’s BCM Program and life cycle.
•
The overview and provision of the organization’s recovery solutions.
•
The BCM program annual budget projection.
•
The BCM program audit report.
•
The provision and maintenance of an effective BCM competence and capability.
•
Successful notification, escalation, invocation and recovery experiences.
Review An organization’s BCM program should be managed on an ongoing basis.
BCM Policy
Managing the Program
Incident Readiness and Response
Introduction Though Business Continuity Management is primarily a planning activity, the BC team that was appointed to develop the program and plans will traditionally be expected to provide a lead during incident response.
Purpose To maintain a state of readiness so that incident management takes over smoothly to put into action the required plans.
Concepts and Assumptions It is often assumed that those who have developed the plan are the best individuals to respond to an incident but the personality characteristics required of planners and leaders are often contradictory. Any difficulties in this area should be exposed by realistic exercising of plans. BUSINESS CONTINUITY PLANNING GUIDELINES - v 06.1 (March 06)
BCM - 10
Government of Saskatchewan
Process •
Receive notification of problem
•
Assess situation then either:
•
°
Manage response through appropriate prepared plans, or
°
Escalate the response to the required level within the organization i.e. business resumption team / crisis management team.
If a response is required then immediate things to consider include: °
Are you physically and emotionally fit to assist or lead a response
°
Are the others from whom a response is required present and able to undertake the roles assigned to them - some people may react to an incident with unusual behaviour
°
Have you communicated what has happened to senior management
Methods & Techniques There are many incident management methods; a generic one is suggested here. •
Contain - Is there anything that can be done immediately to stop the problem getting worse
•
Look at the Plan - Is there a pre-planned response that fits this incident?
•
Follow the documented procedure which may include the following steps: °
Communicate - Trying to solve the problem on your own may waste time if the situation then gets out of control.
°
If necessary assemble a team to respond to the incident
°
Assess the situation - Find out as much as you can without putting yourselves at risk
•
Predict the likely outcome - and adapt the BC Plan to provide a response strategy.
•
Predict a ‘worst case’ outcome - and have a ‘back-up’ response strategy.
•
Escalate the response to the required level within the organization.
•
Implement the response strategy.
•
Evaluate the progress of the response against the likely outcome.
•
As soon as the situation allows, review the effectiveness of the response.
Outcomes and Deliverables The outcome of a successful response is a controlled return of the organization to business as usual.
Review As soon as possible after the disruption the organization’s response should be evaluated and any necessary changes made to procedures, personnel or contracts.
BUSINESS CONTINUITY PLANNING GUIDELINES - v 06.1 (March 06)
BCM - 11
Government of Saskatchewan
C.
Business Continuity Responses Crisis Management Plan Business Continuity Plan Business Unit Resumption Plans
Introduction The aim of the various plan(s) covered in this stage is to identify, as far as possible, the actions that are necessary and the resources which are needed to enable the organization to manage a disruption whatever its cause. The actions outlined in the plan are not intended to cover every eventuality as, by their nature, all incidents are different. Likewise the predefined procedures may need to be adapted with flexibility and initiative to the specific event that has occurred and the opportunities it may have opened up. If the event falls outside the scope of the assumptions on which the Business Continuity Plan was based then the situation should be escalated to those responsible for implementing the Crisis Management Plan. One model of incident response, borrowed from the UK Emergency Services, shows three tiers of incident response often referred to as Gold, Silver and Bronze.
L
ES
RO NT
CA LA TIO N
CO
Strategic Level - Crisis Management Plan (CMP): It defines how the strategic issues of a crisis affecting the organization would be addressed and managed by the Executive. This may be when the incident is not entirely within the scope of the Business Continuity Plan. This may include crises that do not result from interruptions, such as a hostile take-over or media exposure and those where the impact is over a wider area than allowed for in the BCM Strategy - such as a national emergency. The LEVEL 1 STRATEGIC media response to any incident is usually managed (GOLD) through a CMP though some organizations would manage the media under a BCP. LEVEL 2 TACTICAL (SILVER)
Tactical: Business Continuity Plan: addresses business disruption, interruption or loss from the initial response to the point at which normal business LEVEL 3 OPERATIONAL operations are resumed. They are based upon the (BRONZE) agreed Business Continuity Strategies and provide procedures and processes for both the business continuity and resource recovery teams. In particular the plans allocate roles and their accountability, responsibility and authority. The plans must also detail the interfaces and the principles for dealing with a number of external players in the response such as recovery services suppliers and emergency services. BUSINESS CONTINUITY PLANNING GUIDELINES – V 06.1 (March 06)
BC Responses - 12
Government of Saskatchewan
Operational: Business Unit Resumption Plan: For operational department the plans provide for resumption of its normal business functions. For departments, such as Facilities and IT that are managing infrastructure, the plans will provide a structure for restoring existing services or providing alternative facilities. Timeline In a destructive incident the three types of plans will address different issues during the various phases of the event. For example: Event Phase One
Situation Immediate aftermath
Crisis Management Plan
Business Continuity Plan
Business Unit Resumption Plans
Media management
Emergency Services Liaison
Damage limitation and salvage (Facilities)
Strategic assessment
Damage assessment Formal invocation of BC services Mobilising alternative resources
Staff communication
Stood down
Managing alternative resources
Resumption of business critical functions
Review
Stood down
Resumption of further functions and projects
Damage contained
Media management
Three
Resumption beginning
Four
Consolidation
Two
Casualty management (HR)
Monitoring BC team
Review
Scalability While the three levels provide a suitable model for a medium sized organization with a single site a smaller organization may have a single ‘hands-on’ management group with both tactical and strategic responsibilities. However it is still important that this group addresses the strategic issues despite the pressing issues of a tactical response. For multiple site organizations a variety of models may be appropriate, perhaps with additional tiers beyond the three named above, for example: •
A response team at each site with a central Business Continuity ‘response management team’.
•
A Business Continuity team at each major site with a central Crisis Management Team.
•
Both BCM and CMT at a provincial level with limited involvement from the Federal level unless national reputation is threatened.
BUSINESS CONTINUITY PLANNING GUIDELINES – v 06.1 (March 06)
BC Responses - 13
Government of Saskatchewan
Crisis Management Plan
Business Continuity Plan
Business Unit Resumption Plans
Introduction Case studies of major incidents (Knight and Pretty) suggest that effective and timely management of a crisis is the significant factor in protecting an organization from financial and reputation damage.
Precursors For organizations with no plans in place, the Crisis Management Plan (CMP) may be the first element to develop, providing a limited amount of protection while other plans are developed.
Purpose The purpose of a CMP is to provide a documented framework to enable an organization to manage any crisis event regardless of cause, including those where no Business Unit response is appropriate such as a threat to reputation.
Concepts and Assumptions The terms used in these Guidelines for the various plans are not universally applied; in particular the term crisis team may be applied to what others would call an incident response team. It is important that an organization chooses names that fit into its culture and structure, but that the roles described here are covered.
Process The key steps in developing a Crisis Management Plan include: •
Appoint an owner for the Crisis Management Plan on the Executive.
•
Define the objectives and scope of the plan.
•
Develop and approve a Crisis Management plan development process and program.
•
If no plan exists it may be useful to run an exercise with the Executive Management team, exerting minimal pressure, so that the many requirements of a plan become apparent. (including the need for a plan)
•
Create a crisis management planning team to develop the plan.
•
Agree on the responsibilities of the Crisis Management Team and their relationship with other plans. Example list of responsibilities is shown at Appendix D.
•
Decide the structure, format, components and content of the plan
BUSINESS CONTINUITY PLANNING GUIDELINES – v 06.1 (March 06)
BC Responses - 14
Government of Saskatchewan
•
Determine the strategies, such as alternative locations, on which the plan is based
•
Gather information to populate the plan
•
Nominate individuals to fulfil roles within the plan
•
Draft the plan
•
Circulate the draft of the plan for consultation and review
•
Gather feedback from the consultation
•
Amend plan as appropriate
•
Agree and validate the plan, for example by using it in an exercise
•
Repeat process for the Crisis Communications Plan (if separate)
•
Agree to a program of ongoing exercising and maintenance of the plan to ensure it remains current
Methods and Techniques. Building the CM Plan The methods, tools and techniques to enable the planning and development of a Crisis Management Plan include: •
Stakeholder analysis
•
Scenario planning
•
Checklist(s)
•
Workshops
A variety of software products are available to assist in building and maintaining a Crisis Management Plan. They can provide significant benefits in the areas of plan maintenance, key reference accuracy and integrity but they are not always necessary and do not replace knowledge of the business.
Crisis Management Plan Contents As, by their nature, all crises are different the Crisis Management Plan is a set of components and resources which should be useful ready references and aids. The contents will also depend on the nature and complexity of the organization. The Crisis Management Plan should be modular in design so that single sections can be supplied to individuals and/or teams on a need-to-know basis. It is suggested that the different sections are printed on different coloured paper to provide ease of use at the time of a crisis. A sample table of contents of a Crisis Management Plan is shown in Appendix D.
BUSINESS CONTINUITY PLANNING GUIDELINES – v 06.1 (March 06)
BC Responses - 15
Government of Saskatchewan
Crisis Communications Plan Consider in advance: •
What crises could hit us? (a Risk Assessment may be appropriate)
•
Who are the audiences?
•
How do we communicate with them?
•
What are the “Core” messages?
•
Who will form the Crisis Team?
•
What are the resources and facility needs?
•
Are the crisis team and spokespeople trained?
•
What Crisis Manual documentation do we need? (examples key client and media contact lists, core message development templates, Spokesperson designation and authorities)
•
Have we built lines of communication with our audiences?
When a crisis or business failure gets into the public domain, effective communication will play a key role in rescuing and maintaining an organization's most valuable asset - its reputation. If faced with a crisis consider: •
Ownership of the plan: all those who will have to make decisions about how to communicate must have agreed beforehand on the who, how and what of communication.
•
Perception is reality: your reputation is affected not so much by what has happened as by what people think has happened - and by their perceptions of how you handle it.
•
Understand your key audiences and what they need to hear.
•
Act fast: With every passing hour of silence your reputation problem doubles. You need to seize the communications on high ground.
•
Be open: give as much information to your various audiences as you legally and practically can. Showing that you have nothing to hide helps to allay suspicion.
•
Show you care: see it from your audiences' point of view and tailor your messages to what they need to hear, not just what you want to say.
Outcomes and Deliverables The outcomes of the Crisis Management Planning process include: •
A Crisis Management Plan that can support the role of the organization’s Crisis Management Team during a crisis event
•
A Crisis Communications Plan that can manage the media and stakeholder communication during a crisis
BUSINESS CONTINUITY PLANNING GUIDELINES – v 06.1 (March 06)
BC Responses - 16
Government of Saskatchewan
•
Demonstration of preparation for effective crisis management to the media, markets, customers, stakeholders and regulators
•
Compliance with legal requirements
•
Compliance with regulatory requirements
Review The review or audit should be aligned with the review of other BCM and Crisis Management related strategies, plans and solutions. A review of the plan may be triggered by a major business or executive management change or significant change in the external operating environment.
Crisis Management Plan
Business Continuity Plan
Business Unit Resumption Plans
Introduction The Business Continuity Plan (BC Plan) pulls together the responses of the whole organization to a disruptive incident. Those using the plan should be able to analyse information from the response team concerning the impact of the incident, select and deploy appropriate strategies from those available in the plan and direct the resumption of business units according to agreed priorities. The components and content of a Business Continuity Plan will vary from organization to organization and will have a different level of detail based on the culture of the organization and the technical complexity of the solutions.
Precursors It is rarely possible to write an effective Business Continuity Plan unless the key elements of the resumption strategy are in place or are well advanced in their planning.
Purpose The purpose of a Business Continuity Plan(s) is to provide a documented framework and process to enable the organizations to resume all of its business processes (or, as a minimum those required most rapidly) within their Maximum Tolerable Outage limits. A Business Continuity Plan on its own does not demonstrate a Business Continuity Management competence or capability; but the presence of a current plan which has been produced by the organization does suggest an effective capability
BUSINESS CONTINUITY PLANNING GUIDELINES – v 06.1 (March 06)
BC Responses - 17
Government of Saskatchewan
Concepts and Assumptions The plan should be ‘action orientated’ and should therefore be easy to quickly refer to and should not include documentation that will not be required during an incident. (for example the Business Impact Analysis)
Process The key steps in the development of a Business Continuity Plan are: •
Appoint an owner for the BC Plan (or each plan for multiple sites)
•
Define the objectives and scope of the plan with reference to the organizational strategy and BCM Policy
•
Develop and approve a planning process and timetable program
•
Create a planning team to carry out the plan development
•
Decide the structure, format, components and content of the plan
•
Determine the strategies which the plan will document and what will be documented in other plans
•
Determine the circumstances that are beyond the scope of the BC Plan
•
Gather information to populate the plan
•
Draft the plan – See Section 11.0 in the Government of Saskatchewan Business Continuity Planning Workbook
•
Circulate the draft of the plan for consultation and review
•
Gather feedback from consultation process
•
Amend the plan as appropriate.
•
Test the plan using a tabletop exercise – See Section 12.0 in the Government of Saskatchewan Business Continuity Planning Workbook
•
Schedule ongoing exercising and maintenance of the plan to establish it remains current
Methods and Techniques A Business Continuity Plan should be modular in design so that separate sections can be supplied to teams on a need-to-know basis. Each section could be printed on different coloured paper to provide ease of use and reference. A further suggestion is to ensure that all regularly changing information – such as contact details are kept in appendices at the back of the plan which can more easily be amended, with job titles rather than names in the text of the document. A variety of software products are available to assist in building and maintaining a Business Continuity Plan however it is not essential. Using normal office software (Word processor and spreadsheet) may suffice and is more inclusive of all staff since its use does not require special training. Customised software can however provide significant benefits in the areas of plan maintenance and reference information integrity. Whatever the planning solution there must be a clearly defined and documented control and change management process for the production, update and distribution of the Business Continuity Plan. BUSINESS CONTINUITY PLANNING GUIDELINES – v 06.1 (March 06)
BC Responses - 18
Government of Saskatchewan
Outcomes and Deliverables The deliverables of the Business Continuity Management planning process include: •
A Business Continuity Plan which should be ‘signed-off’ by the Executive
•
A framework within which Business Unit plans (next section) can operate
Review Some information within a Business Continuity Plans such as contact details will require monthly or quarterly review. Other information should be formally reviewed annually and tested through exercising. Other triggers leading to a review are: •
A significant change in the technology and/or telecommunications
•
There is a major business process change
•
A significant change in staff
•
A change in the supplier of BC solutions
Crisis Management Plan
Business Continuity Plan
Business Unit Resumption Plans Introduction The Business Unit Resumption Plans provide the Operational Response to the incident of each department of the organization. Examples of Business Unit plans are: •
An incident response team usually lead by a Facilities department who deal with the specific incident and its physical impact (if any).
•
A Human Resources response to wellness issues of an incident.
•
A business department plan to resume its mission critical functions within a predefined timescale.
•
An IT department’s logistical response to the loss and subsequent resumption of IT services to the business.
•
Depending on the complexity of the organization, the business unit Resumption plans may be supported by more detailed plans for specific responses, locations or equipment.
Precursors Because of the many links between the BC Plan and those of the Business Units, the BC Plan should be written, at least in outline, before these business unit plans.
BUSINESS CONTINUITY PLANNING GUIDELINES – v 06.1 (March 06)
BC Responses - 19
Government of Saskatchewan
Purpose The purpose of the Business Unit Resumption plan is to structure the response of each department to an interruption.
Concepts and Assumptions The plan should be owned by the business unit and as with the organization the BC Plan should be ‘action orientated’. The Business Unit plan should be a detailed, easily deployed, quickly referred to plan that must not include documentation not required during an incident. (for example the Business Impact Analysis)
Process The key steps of the Business Unit Resumption Plan development and planning process include: •
Appoint a person to be responsible for development of the plans overall and a representative within each business unit to develop their plan.
•
Define the objective and scope of the plans.
•
Develop a planning process and timetabled program. Where possible, begin with the plans for the most urgent functions.
•
Determine the overall BCM strategies on which the plan is based.
•
Decide the structure, format, components and content of the plans.
•
Develop an outline or template plan to encourage standardisation of documentation but allow individual variations where this is appropriate.
•
Ensure that Business Unit's nominate individuals to fulfil roles within their plans.
•
Manage and mentor the development of plans within the Business Units.
•
Circulate the draft of the plan for consultation, review and challenge within and, where necessary outside, the department.
•
Gather feedback from consultation.
•
Amend plan as appropriate.
•
Validate the plan through a unit test.
•
Consolidate the BU plans and review for consistency.
•
Document connections with the BC Plan and between Unit plans.
•
Conduct a resource requirements analysis across all plans to define resource requirements for support functions.
Methods and Techniques The methods, tools and techniques to develop a Business Unit Resumption Plan include: •
Interviews (structured and unstructured).
•
Checklists and templates.
•
Workshops.
BUSINESS CONTINUITY PLANNING GUIDELINES – v 06.1 (March 06)
BC Responses - 20
Government of Saskatchewan
Specific Business Unit plans may include the following: Facilities (Incident Response Team) • Building Evacuation and Invocation plans. •
Response to Bomb Threat and similar scenarios.
•
Evacuation points (including alternate or off-site).
•
Dispersal of staff and visitors.
•
Salvage Resources and contracted assistance.
•
Escalation circumstances.
Human Resources • Wellness and employee support issues. •
Environment, Health and Safety legal liabilities.
•
Procedure for accounting for staff.
•
Procedure for contacting staff.
•
Counselling and rehabilitation resources.
Operational Business Unit Resumption • Escalation criteria for invoking Business Continuity Response, for example when the disruption impact is out of the ‘comfort zone’ for a business unit. •
Escalation procedure for the Business Continuity Team (BCT).
•
Initial contact from BCT.
•
Contacting team members.
•
Resumption Plan for each mission critical activity.
•
Staff numbers.
•
Key contacts.
•
Equipment and Consumables.
•
Vital records lists.
Outcomes and Deliverables The outcomes of the Business Unit Resumption Plan include: •
A documented Business Unit Resumption Plan for each department.
•
Criteria for Business Unit to escalate issue to BCT.
•
Clearly defined BCM roles within the department.
BUSINESS CONTINUITY PLANNING GUIDELINES – v 06.1 (March 06)
BC Responses - 21
Government of Saskatchewan
Review Some information within a Business Continuity Plans such as contact details will require monthly or quarterly review. Other information should be formally reviewed annually and tested through exercising. Other triggers leading to a review are: •
A significant change in the technology and/or telecommunications
•
There is a major business process change
•
A significant change in staff
•
A change in the supplier of BC solutions
BUSINESS CONTINUITY PLANNING GUIDELINES – v 06.1 (March 06)
BC Responses - 22
Government of Saskatchewan
D.
Business Continuity Implementation Components
Understanding Your Business Organization Strategy Business Impact Analysis Risk Assessment
Introduction To be able to develop an appropriate Business Continuity Management program you must first understand your business and what activities or processes are essential to ensure continuity of business critical activity to at least a minimum level. These questions need to be asked: •
What are the objectives of the organization?
•
How are the business objectives achieved?
•
What are the products/services of the organization?
•
Who is involved (both internally and externally) in the achievement of the business objectives?
•
What are the time imperatives on the delivery of the products or services?
The first questions are standard to business analysis, but the last one is central to the analysis for Business Continuity purposes. The understanding must be focussed on the activities, which most quickly threaten the achievement of business objectives. These tend to be the ‘operational’ functions, which interact directly with customers or other outside organizations. However these activities may depend on the ‘support’ of other internal and external process, which must also be analysed. Organization function types: •
Examples of operational functions include: ° Internal and External customer service ° Regulatory and Control responsibilities ° Government policy production and communications
BUSINESS CONTINUITY PLANNING GUIDELINES – V 06.1 (March 06)
Implementation Components - 23
Government of Saskatchewan
•
Examples of support functions include: ° IT ° Human Resources ° Purchasing and Supply Chain
•
Strategic activities include: ° Program Management ° Long Term Projects ° Financial Planning
The tools for understanding your business for business continuity purposes are: •
Business Impact Analysis (BIA) - a mandatory tool forming the foundation for the selection of recovery strategies and plans.
•
Risk Assessment (RA) focussing on specific functions and known threats.
The Business Impact Analysis (BIA) identifies the urgency of each business function undertaken by the organization by assessing the impact over time of interruption to this activity. This information is used to identify appropriate continuity and resumption strategies for each function both individually and in relation to one another. The business functions identified during the BIA as being in need of urgent resumption support are sometimes termed ‘Mission Critical Activities’ however, unless the organization is undertaking unnecessary activities, it must be assumed that all major business processes need to be resumed at some point. At least to start with, an organization should focus its BCM effort on those in most urgent need of resumption, referred to in this guidance ‘critical business functions’. Risk Assessment (RA) activity helps in identifying potential causes of interruption to an organization, the probability of occurrence and the potential impact of the threat. Within the BCM program, a Risk Assessment should focus on the specific technologies and inherent risks of the business functions identified as most urgent, in the Business Impact Analysis results rather than on all risks to the organization.
Organization Strategy
Business Impact Analysis
Risk Assessment
Introduction In some organizations a high level risk assessment of risks that might threaten the achievement of an organization's strategic and operational objectives will be undertaken as part of the strategic business planning processes. The output of this exercise can provide a useful input when setting the overall context for the Business Impact Analysis (BIA). In some regulated environments this Risk Assessment is a mandated activity. BUSINESS CONTINUITY PLANNING GUIDELINES - v 06.1 (March 06)
Implementation Components - 24
Government of Saskatchewan
A Business Impact Analysis is conducted without reference to a disruption cause. However it is necessary to decide on a number of generic scenarios which may result in interruption to business, against which the impact of the interruption can be assessed. This should take into account the scope set out in the organization’s own BCM Policy and should where possible take into consideration anticipated business change.
Precursors A documented Business Continuity Management (BCM) Policy.
Purpose The purpose of aligning Business Continuity to the organization’s overall strategy at the start is to: •
Understand the direction and focus of the organization before embarking on business impact or risk assessment activity.
•
Help understand the business plan for growth, downsize, restructure, etc., in the short, medium or long term. This type of information may not be visible to the person charged with business continuity planning activity and is very much dependent on the type and size of organization being planned for. Knowledge of business plans will assist in developing recommendations on suitable and flexible resumption strategies.
Concepts and Assumptions It is possible, and desirable, that a BIA is used to determine the impact of interruption in advance of major business change such as: •
Introduction of a new service, program, process or technology.
•
Office relocation or a change in the geographical spread of the business.
•
Significant change in business operations, structure or staffing levels.
•
A significant new supplier or outsourcing contract.
Process Steps to identifying the organizational strategy are: •
Review, and challenge if necessary, the scope set out in the BCM Policy.
•
Decide on the maximum extent of an interruption that the organization wants to, or needs to, plan to survive. This could be determined by: ° ° ° °
Geographical extent (or market/customer area) Regulatory or statutory requirements Products, market sectors or specific customers Specific interruption scenarios – such as computer failure or denial of access
BUSINESS CONTINUITY PLANNING GUIDELINES - v 06.1 (March 06)
Implementation Components - 25
Government of Saskatchewan
This will result in a series of high-level scenarios against which a BIA can be conducted that may include: •
Loss of staff.
•
Loss of location (single and/or multiple).
•
Communications systems failure.
•
Computer system failure (component and/or total).
•
Equipment failure (e.g. building management systems, HVAC systems).
•
Supplier and / or service provider failure.
The number of scenarios against which Business Impact Analysis (BIA's) are undertaken is very much the choice of the organization. Their scope may be modified as planning activities progress to either increase or reduce the number of scenarios. It should also be remembered that certain events can encompass multiple scenarios, e.g. loss of a building may include loss of staff, voice & data systems, key documentation, etc.
Methods and Techniques Key tools to assist: •
Overview understanding of the department’s / organization’s strategic operational, 3 or 5 year, plan.
•
Current management information outlining process details, volumes, targets and, where possible, quantified value of the activity.
•
End-to-End (E2E) service / product process mapping.
It is possible that some information will be government / industry sensitive and so in some organizations it will not be visible to the BCM planner. Not having this information should not stop the impact analysis or risk analysis activity being undertaken but may prejudice the accuracy of the end results.
Outcomes and Deliverables •
A scope and terms of reference document for the Business Impact Analysis and Risk Assessment.
Review The impact of organizational strategy on business continuity management should be reviewed as a minimum annually as part of, or at least to coincide with, the business operational and strategic planning processes. More frequent review may be triggered by any of the following: •
Key program or service change.
•
Restructuring.
•
Expansion / contraction.
•
New program or service introduction.
•
Relocation or location consolidation.
•
An incident and the associated recovery.
BUSINESS CONTINUITY PLANNING GUIDELINES - v 06.1 (March 06)
Implementation Components - 26
Government of Saskatchewan
Organization Strategy
Business Impact Analysis
Risk Assessment
Introduction The Business Impact Analysis (BIA) is the foundation work from which the whole BCM process is built. It identifies, quantifies and qualifies the business impacts of a loss, interruption or disruption of business processes on an organization and provides the data from which appropriate continuity strategies can be determined.
Precursors It is necessary to obtain the full support of the Executive or most Senior Management Group before a Business Impact Analysis is attempted. It is unlikely that managers will be prepared to dedicate time to this exercise unless this top tier support is demonstrated. Appointment of a project sponsor and champion from within the Executive or Senior Management Group is essential.
Purpose The purpose of a Business Impact Analysis is to: •
Obtain an understanding of the organizations most critical objectives, the priority of each and the timeframes for resumption of these following unscheduled interruptions.
•
Inform management of the Maximum Tolerable Outage for each function.
•
Provide information on critical resource requirements i.e. staff, technology, facility, from which an appropriate recovery strategy can be determined and recommended.
•
Outline dependencies that exist both internally and externally to achieve critical objectives.
Concepts and Assumptions Concepts •
Maximum Tolerable Outage (MTO), this is the timeframe during which a recovery must become effective before an outage compromises the ability of the organization to achieve its business objectives and therefore has the potential to threaten its reputation or ongoing effectiveness.
•
Seasonal cycles may affect the MTO. As examples, a financial year end may reduce the tolerable outage for the finance function and a one-off contract with significant time penalties may reduce the tolerable outage for a range of functions within the organization.
•
Recovery Point Objective (RPO) - is the point to which information must be restored to ensure business objectives can be met in line with maximum tolerable outage for the activity.
BUSINESS CONTINUITY PLANNING GUIDELINES - v 06.1 (March 06)
Implementation Components - 27
Government of Saskatchewan
Assumptions •
It is assumed that the department / organization core responsibilities will be identified by analysis of its critical business functions.
•
The maximum tolerable outage (MTO) may be difficult to determine for seasonal or periodic functions such as year-end processing and projects. In such instances impact analysis should assume worst-case scenario and focus on an interruption to the activity during one of these peaks.
•
Where resilience measures are already in place, they should be assumed to be in operation, though they need to be proven adequate.
Process Scope and Scale •
If the organization is part of a larger group – identify the relationship between the various parts of the organization.
•
If the organization has multiple locations identify and define the geographical scope of the Business Impact Analysis.
•
Identify the critical business functions, objectives and success criteria of each.
•
Select appropriate scenarios for impact analysis (see previous section regarding high-level scenarios against which a BIA can be conducted i.e. loss of staff, loss of location, etc.)
•
Sign off the terms of reference with the project sponsor, Executive or Senior Management Group.
Business Impact Analysis •
Identify business processes that are dispersed across the organization (which may cut across several departments) and the management owners of these processes.
•
Identify suitable staff from whom information can be sought about the business processes – subject matter experts.
•
Identify the impacts which may result in damage to the organization’s reputation, assets or financial position.
•
Quantify the timescale within which the interruption of each business function becomes unacceptable to the organization.
Resource Requirements •
Quantify the resources required over time to maintain the business functions at an acceptable level and within the maximum tolerable outage period.
Reporting •
Obtain sign-off by the function owner to confirm accuracy of information.
•
Obtain support of the BCM sponsor for the findings and conclusions.
•
Present to the Executive to determine whether results will be impacted by any proposed business change and to attain approval to move to continuity strategy design.
BUSINESS CONTINUITY PLANNING GUIDELINES - v 06.1 (March 06)
Implementation Components - 28
Government of Saskatchewan
•
Proceed to development of Organizational, Mission Critical Activity and Resource BCM strategy.
Methods and Techniques Data collection Methods, tools and techniques to carry out Business Impact Analyses include: •
Workshops.
•
Questionnaire(s) - paper and / or automated software. (An example is shown in the Workbook)
•
Interviews (structured and unstructured).
•
On site inspections.
As a general guideline: •
Workshops can provide rapid results and an opportunity for hands-on engagement with the program provided there is consistent buy-in from all departments and participants.
•
Questionnaires provide large amounts of data but information quality can be very questionable if not completed with consistency.
•
Interviews can provide very good information but are time consuming and output can vary in format and detail.
•
On site inspections can provide information not identified by any other means.
•
Combinations of the above methods can provide excellent results providing an appropriate level of detail and a standard reporting format which will assist in consistency of recording and analysing information across multiple functions.
Data Collection Questionnaires There is no ‘one size fits all’ methodology for business impact analysis data collection. Methods vary from one sector to another and from one practitioner to another. Each Department / Business Unit has its own specific needs in result content, information types, depth and coverage. However a few basic principles that should be considered are: •
What is the aim of the BIA?
•
How will the information collected be used?
•
What is the best format of data collection to report results effectively?
•
What basic information is needed to establish criticality of the activity being analysed in isolation and as part of the organization as a whole:
° Timeframes within which the activity must be resumed ° Locations from which activity is undertaken ° Influences on the activity, e.g. what can impact the activity i.e. peak periods, regulatory reporting • What is the impact of not continuing the activity and how long can the organization last without it (are there any alternatives?): ° Volumes, e.g. calls per hour / day, complaints and claims processed per day BUSINESS CONTINUITY PLANNING GUIDELINES - v 06.1 (March 06)
Implementation Components - 29
Government of Saskatchewan
° ° ° ° °
Contractual, regulatory or legal requirements People – skill set Equipment – IT, telecommunications, office work space, desks, photocopiers Data – paper and electronic Dependencies – internal and external to organization
Resource requirements analysis Resource requirements analysis as part of the BIA process quantifies minimum requirements e.g. people, technology, telephony, etc., following an interruption to support continuity of each business process at a tolerable level of service. The resources required to operate a function at an alternative location may all be required at the same time or be phased in over a period. Note that some functions (e.g. call centre) may require additional staff (above the normal complement) to deal with backlogs and extra tasks especially if relocation involves additional travel time to work and limited functionality of systems or equipment.
Software There are a variety of proprietary software products available to conduct Business Impact Analyses which may be useful but are not essential. The key benefits of utilising a software tool include ease of analysing results, storage of information and potentially reporting of the results. Their use does not however remove the need for interviews with or involvement of individuals knowledgeable in the activity being analysed.
Reporting Every organization has its own preferred style of reporting and in some instances the reporting style may need to be adjusted to accommodate multiple audience groups within the one organization and may include tables, graphs and charts. The organizations preferred reporting format should be established and agreed at the time of setting the scope of activity as requirements for the final report format may impact the way you choose to collect, aggregate analyse and present information.
Outcomes and Deliverables The outcomes from a Business Impact Analysis are: •
A statement of Organizational aims and objectives.
•
The timeframe within which both financial and non-financial impacts on those aims and objectives as a result of the disruption on each business process (Maximum Tolerable Outage) will be realised.
•
Resource requirements over time to enable each business function within the organization to achieve continuity or resumption of activity within the timeframes established as part of BIA activity. It will identify: ° Staff numbers and key skills ° Vital Records and data currency (Recovery Point Objective) ° Voice and data applications and systems ° Infrastructure (cabling and network links) ° Facilities (alternative location needs)
BUSINESS CONTINUITY PLANNING GUIDELINES - v 06.1 (March 06)
Implementation Components - 30
Government of Saskatchewan
° Suppliers (intra-organization and/or outsourced providers) and their interdependencies ° Constraints (such as contractual issues) This information feeds directly into the Recovery Strategy stage. •
The Organization Aims will set the scope and scale of the Recovery Strategy.
•
The Maximum Tolerable Outage (MTO) and resource requirements will provide the data to evaluate alternative recovery solutions for adequacy.
•
The Recovery Point Objective will determine the appropriate information back-up strategy for the organization.
Review Good practice indicates that a Business Impact Analysis should be reviewed as a minimum annually but more frequently in the event of: •
A particularly aggressive pace of business change.
•
Significant change in the internal business processes, location or technology.
•
Significant change in the external business environment – such as client expectations or regulatory change.
This does not necessarily require the BIA to be completely redone. Careful design of the BIA report can facilitate this process by providing a benchmark against which changes in the above areas can be measured and their changed impact assessed.
Organization Strategy
Business Impact Analysis
Risk Assessment Introduction In the context of BCM, a Risk Assessment looks at the probability and impact of a variety of specific threats that could cause a business interruption. By prioritisation it may be possible to implement measures to reduce the likelihood or mitigate the impact of these threats. Risk Assessment activity should be focussed on the most urgent business functions identified during the BIA process. In evaluating catastrophic operational risks it maybe impossible to identify all threats, estimates of probability are based on historic and sometimes inaccurate information. However, by focussing on the most urgent functions, the scope of the Risk Assessment can be reduced to a more manageable scope. The Risk Assessment may identify unacceptable concentrations of risk and what are known as ‘single points of failure’. These should be highlighted to the business continuity sponsor at Executive or Senior Management level at the earliest possible opportunity along with options for BUSINESS CONTINUITY PLANNING GUIDELINES - v 06.1 (March 06)
Implementation Components - 31
Government of Saskatchewan
addressing the issue. The strategic decision to mitigate, transfer or accept the risk should be formally documented and signed off. In some Departments and government sectors the use of Risk Assessment is mandated.
Precursors A Business Impact Analysis should be completed in advance of a Risk Assessment to identify the urgent functions upon which the risk assessment should be focused.
Purpose The Purpose of a Risk Assessment is to: •
Identify the internal and external threats that could cause a disruption and assess their probability and impact
•
To prioritise the threats according to an agreed formula, i.e. high probability / high impact risks would be assigned a priority one designation
•
To formulate a risk management control program and action plan.
Concepts & Assumptions Concepts: Whatever the complexity of the actual formula adopted the following relationship is assumed: •
Risk = Threat Impact x Probability
Some risk models then order risks by: Priority = Risk * Ability to control that risk. This prioritises the threats that are easiest to control with, presumably, the argument that this will give the best return on investment of time and money but ignoring many external impacts. In other risk models the risks assessed are examined with no controls in place and then again with current and desired controls in place. Example: With no control measures Risk “A” = High impact x Medium probability; o with control measure / treatment “C” at a cost of $X in place, o assessed to reduce Risk “A” = Medium impact This second step serves to emphasise that assumptions when managing the risk control environment should not be made and that the effectiveness of controls should always be examined and as applicable, challenged and improved. If an organization decides after taking this second step that they do not wish to improve controls perhaps due to prohibitive cost - then the Risk and BCM managers need to be aware of this and factor this decision into their approach. The organization’s ‘risk appetite’ or ‘risk tolerance’ is the amount of risk that an organization is prepared to accept and drives the level of action it will take to control identified threats.
Assumptions •
All realistic threats can be identified.
•
Accurate and applicable statistics may be available to estimate the probability of occurrence.
BUSINESS CONTINUITY PLANNING GUIDELINES - v 06.1 (March 06)
Implementation Components - 32
Government of Saskatchewan
•
Threats which are easier to control (staff or own building issues) are to be prioritised at the expense of those which are less susceptible to influence – such as bad weather.
•
The use of a numerical scale to assign a value to impacts can adequately reflect the relative importance of less-quantifiable assets such as reputation.
•
The use of a numerical scale (1,2,3,4...) represents a reasonable relationship between the different impact and probability bands (in reality due to collateral and cascading events a logarithmic scale is more true to life e.g. Low = 1, Medium = low x 10, High = medium x 100, Catastrophic = high x 1000...)
Process The key stages in a Risk Assessment are: •
Tabulate a scoring system for impacts and probabilities and agree with project sponsor.
•
List threats to the urgent business processes determined in the BIA.
•
Estimate the impact on the organization of the threat using a numerical scoring system.
•
Determine the likelihood (probability or frequency) of each threat occurring and weight according to a numerical scoring system.
•
Calculate a risk by combining the scores for impact and probability of each threat according to an agreed formula.
•
Optionally prioritise the risks according to a formula which includes a measure of the ability to control that threat e.g. Risk = Impact x Probability / Treatment.
•
Obtain organization sponsor’s approval and sign-off of these risk priorities.
•
Review existing risk management control strategies noting where the assessed risk level is out of step with the current risk management strategies for that threat.
•
Consider appropriate measures to: ° ° ° °
•
Transfer the risk e.g. through insurance Accept the risk e.g. where impact / probability are low Reduce the risk e.g. through the introduction of further controls Avoid the risk e.g. by removing the cause or source of the threat
The risk management process refers to this as examining alternative risk management techniques and includes: ° ° ° ° ° °
Loss prevention – reducing the probability or frequency Loss reduction – reducing the severity of a loss Separate the risk or duplicate the information Contractual transfer of risk (i.e. insurance) Risk Avoidance – stop doing the activity that has risk Accept the risk
•
Ensure that planned risk measures do not increase other risks. For example, outsourcing a function may decrease some types of risk but increase others.
•
Obtain the organization sponsor’s approval, a budget and sign-off for the proposed risk management control(s).
BUSINESS CONTINUITY PLANNING GUIDELINES - v 06.1 (March 06)
Implementation Components - 33
Government of Saskatchewan
Methods and Techniques The methods, tools and techniques to provide a Risk Assessment include:
Determining threats •
Event Tree Analysis
An event tree begins with an initiating event, such as a component failure, increase in temperature/pressure or a release of a hazardous substance. The consequences of the event are followed through a series of possible paths. Each path may be assigned a probability of occurrence and the probability of the various possible outcomes can be calculated. In the example fire protection is provided by a sprinkler system. A detector will either detect the rise in temperature or it will not. If the detector succeeds the control box will either work correctly or it will not - and so on. There is only one branch in the tree that indicates that all the subsystems have succeeded •
Fault Tree Analysis This is a graphical technique that provides a systematic description of the combinations of possible occurrences in a system, which can result in an undesirable outcome. This method can combine hardware failures and human failures.
The most serious outcome such as explosion, toxic release, etc. is selected as the Top Event. A fault tree is then constructed by relating the sequences of events, which individually or in combination, could lead to the Top Event. This may be illustrated by considering the probability of a crash at a road junction and constructing a tree with AND OR logic gates. The tree is constructed by deducing in turn the preconditions for the top event and then successively for the next levels of events, until the basic causes are identified. BUSINESS CONTINUITY PLANNING GUIDELINES - v 06.1 (March 06)
Implementation Components - 34
Government of Saskatchewan
Assessing probabilities •
Insurance statistics
•
Published disaster frequency statistics
•
Local and industry knowledge
Tabulating Threats •
Threat Vulnerability Matrix – Type of threat
Likelihood of occurrence (probability or frequency) Extreme Daily
High Weekly or < than
Medium Monthly
Low Annually or >than
Fire Power failure Flood Bomb Lost Data Communications failure
Scoring systems The sample matrix below illustrates threat examples, and demonstrates how risks can be categorized and quantified. Note: this list is not exhaustive and should be tailored to reflect the organization’s operating environment. Additional variables can also be added as additional columns and entered in the formula: e.g. probability x (onset speed + forewarning + duration + intensity) x impact = relative weight: (Adapted from ASIS GBL BC 10 2004) onset speed (1=slow, 2=fast), forewarning (1=sufficient, 2=insufficient), duration (1=short, 2=long) and intensity (1=low, 2=high) Threat or Trigger
Probability (Rate 1-4)
X
Impact (Rate 1-4)
=
Relative Weight
1=Low 2=Medium 3=High 4=Extreme Power Failure Communications Failure Fire Tornado Flood Bomb CBRN Incident Cyber Attack Sabotage Public Health Incident
x x x x x x x x x x
BUSINESS CONTINUITY PLANNING GUIDELINES - v 06.1 (March 06)
= = = = = = = = = =
Implementation Components - 35
Government of Saskatchewan
•
Risk Matrix
Evaluating solutions •
Cost Benefit Analysis.
Outcomes & Deliverables The outcomes from a Risk Assessment include the identification and documentation of: •
Single points of failure.
•
Prioritised list of threats to the organization or to the specific business processes analysed.
•
Information for a risk control management strategy and action plan for risks to be addressed.
•
Document identified risks that are not to be addressed or treated.
Review A Risk Assessment should be carried out as defined in the organization’s risk management strategy. This may be annually for business critical processes but more frequently if: •
The pace of business change is particularly aggressive.
•
There is a significant change in the internal business processes, location or technology.
•
There is a significant change in the external business environment – such as client expectations or regulatory change
BUSINESS CONTINUITY PLANNING GUIDELINES - v 06.1 (March 06)
Implementation Components - 36
Government of Saskatchewan
BCM Strategies Department (Organization) Strategy Mission Critical Strategy Resource Recovery Strategy Introduction This section is about determining and selecting Business Continuity Management Strategies to be used to maintain the organization’s business activities and processes though an interruption. Strategy is a broad term usually referring to the formation of a vision and direction, setting mission statements, identifying objectives so that the organizations objectives and goals can be achieved. In the context of Business Continuity Management it concerns the determination and selection of alternative operating strategies to be used to maintain the Mission Critical Activities. Business Continuity Management Strategies concern: •
the selection of alternative operating methods to be used after an interruption to maintain the organization’s business critical processes and their dependencies (internal and external) to a priority and time table determined in the Business Impact Analysis
•
the protection of vulnerabilities and single points of failure in business critical processes identified in the Risk Analysis
There are three levels of BCM strategy and planning that need to be considered: •
Department (Organization) Strategy An organization strategy framework providing policy that reflects the key business, stakeholder, legislative and regulatory requirements
•
Mission Critical Strategy The resumption strategies for mission critical business processes and activities
•
Resource Recovery Strategy The deployment of appropriate resources to ensure acceptable continuity across all business processes and activities
Strategy Options and Considerations Introduction The Business Impact Analysis provides the information from which to choose an appropriate strategy because it identifies the point at which the organization’s survival is threatened by an
BUSINESS CONTINUITY PLANNING GUIDELINES – V 06.1 (March 06)
Implementation Components - 37
Government of Saskatchewan
interruption (Maximum Tolerable Outage - MTO). A strategy that cannot meet the MTO is certain to fail if implemented. The organization may then set a shorter recovery objective, a recovery time objective (RTO) that gives a margin of error on the maximum tolerances. For example our maximum tolerable outage (MTO) for function “F” is 48 hours, but with our current capability we can achieve recovery in 12 hours (RTO). There are a number of generic strategies to mitigate the impact of a disruption or reduce the probability of a threat event. Each strategy has parameters for speed of resumption, reliability, availability and cost which may be appropriate to the different aspects of the enterprise. An organization may require several measures or a combination of measures to form an appropriate mitigation solution. Measures providing functional relocation. • A ‘do nothing’ strategy may be acceptable for certain non mission critical functions identified in the BIA. Purchasing buildings and installing utilities may take several months. •
Re-assigned space makes use of existing internal accommodation such as a training facility or canteen to provide recovery space or increase the office density. This will require careful planning and some technical preparation.
•
Displacement involves the displacing of staff performing less urgent business processes with staff performing a higher priority activity. Care must be taken when using this option that backlogs of the less urgent work suspended do not become unmanageable.
•
Remote Working includes the concept of “working from home” and working from other commercial locations e.g. hotels (Internet Cafes should not be considered). Working from home can be a very effective solution but care must be taken to ensure Health and Safety issues are addressed and sufficient dial-up capacity is available.
•
Reciprocal agreements can work in some selected services but care must be taken when establishing this type of agreement. Procedures must be in place to ensure that periodic checks are performed to ensure that the required arrangements have not changed. Reciprocal agreements must have a clause in the contract to ensure that testing is allowed.
•
‘Ship in’ Contracts includes generators, IT equipment such as PCs, servers and printers and specialist hardware and equipment such as telephony systems. This may be an appropriate strategy if an unprepared building is to be equipped to provide an appropriate working environment. Most ship-in contracts permit the delivery location to be nominated at invocation, allowing a more flexible response to a specific incident compared to a fixed site recovery capability. Contract terms vary from ‘best efforts’ to guaranteed delivery.
•
Resilient Operations include dual site operations and continuous availability solutions. In the event of an interruption at one site the business function is transferred to one or more alternate locations at which staff and facilities are already prepared to handle it. These options are normally amongst the more expensive to implement but provide the appropriate solution where quick resumption is necessary. To be a viable recovery strategy this configuration should have no single points of failure, an appropriate geographical separation and diversity of the two or more sites.
BUSINESS CONTINUITY PLANNING GUIDELINES – v 06.1 (March 06)
Implementation Components - 38
Government of Saskatchewan
Saskatchewan Property Management has the mandate and authority for establishing the following measures that can also provide functional relocation. • Third party alternative site arrangements from a commercial or service company may be an option for consideration if these can ensure the organization’s recovery time objectives (RTO) are achieved. There are a range of commercial services including fixed, mobile and prefabricated sites. •
Dedicated space provides guaranteed and immediate availability but is more expensive than syndicated space.
•
Syndicated space usually provides access within 4 hours but may take more than 48 hours for a large number of staff to become productive from the site (Issues with syndication are discussed under Concepts)
•
Mobile facilities can be in use rapidly but provide limited space and may require service connections and significant preparation of foundations
•
Prefabricated units can take a minimum of 4 days to build (average 8) assuming preprepared foundations and depending on site and weather conditions
Summary of Relocation Strategies against recovery time
Ownership MTO
In-house
• Extend commercial recovery site contract (if permitted)
• Rebuild, Rent or Purchase
• Prefabricated
• Expansion at Recovery Site
• Furnished Offices
• Adapt buildings from other uses
• Contracted prefabs and mobile units
• Subcontract processes
• In-house Recovery Site
• Commercial recovery site
• Re-assigned space
• Reciprocal Agreements
• Managed Offices (if available)
• Home-working
• Mobile facilities
buildings on site
Days
Ad-hoc
• Rebuild or relocate Months
Weeks
Contracted
• Subcontract processes
Hours
• Diverse locations with staff redeployed from other tasks
• Relocate a small team ONLY to contracted commercial site*
BUSINESS CONTINUITY PLANNING GUIDELINES – v 06.1 (March 06)
• None
Implementation Components - 39
Government of Saskatchewan
Ownership MTO
In-house
Contracted
• Diverse locations for each function
• Initiate contracted ‘switch-over’ of IT only at commercial recovery site
Immediate
Ad-hoc • None
*Access is available within a few hours but logistics and welfare issues make it unlikely that operations can be resumed reliably within a day or two. Issues with specific business services: • Data Centre(s) BCM strategy and solutions must be agreed at a Department (Organization) Level. The cost of the solutions and the widespread impact of the loss can have a major financial impact on an organization. There are a number of options that can provide a suitable solution including in-house resilience, recovery or third party support. •
Technology Duplication at separated locations is required when resumption timescales are tight, but result in increases in expense according to the degree of duplication.
•
Technology Recovery provides replacement through third-party contracts.
•
The decision as to whether to duplicate or contract hardware in advance or acquire postincident must take into account the expected lead-time for acquiring the items in a widespread incident which may be long when less-prepared organizations may be chasing the same equipment. Verbal promises by a supplier to keep a contingency stock should be treated as non-contractual.
•
There is often a budget conflict between: ° the desire to increase machine-resilience (to minimize downtime due to failure of that machine) ° the need for geographical diversity (which minimizes the downtime when the machine, or the building it is in, does fail).
•
Telephone: the unplanned redirection of telephones to alternative locations may not be possible within an acceptable timescale particularly during wide-area events. Most telecommunications operators will offer, for a charge, a range of flexible planned solutions that will allow instantaneous or rapid redirection of calls from one site to one or more alternatives. The logistical problem of handling telephone calls during an interruption, once they have been redirected, needs to be addressed.
•
Techniques include: ° ° ° ° ° °
Broadcast notification to staff and other stakeholders Call rerouting Resumption plan Managed network services Mobile switchboard Site and network resilience
BUSINESS CONTINUITY PLANNING GUIDELINES – v 06.1 (March 06)
Implementation Components - 40
Government of Saskatchewan
•
The convergence of telephone and data networks VOIP (Voice over IP) creates new opportunities and continuity issues, these issues need to be assessed and the risks and impacts thoroughly analysed.
•
Call Centre(s): A convergence of IT, voice recording and intelligent telephones in a call centre may provide significant recovery challenges. Call Centres handling incoming calls will usually have Maximum Tolerable Outage’s measured in hours rather than days so two or more centres geographically dispersed which load share the calls are the usual solution. During a sustained period of outage this can present manpower challenges in the event that staff are unwilling or unable to relocate. Some companies can provide a call answering service with varying abilities to handle call volumes at varying levels of competence.
•
Electronic Commerce and Internet / Intranet strategies will have a choice based on how the whole organization views the importance of these services and the role they play - whether for communication only or for interactive business.
•
The resumption parameters of Electronic Commerce Services need to be determined by a Business Impact Analysis in the same way as other functions. Electronic Commerce Services are often seen as needing rapid resumption because of their visibility and customer expectations.
•
The Internet and Department (Organization) Intranet may also provide an excellent vehicle for communications during an incident.
•
Task Completion (Production) solutions ° Geographical diversity – task performance (production) at more than one site increases resilience to a variety of events but is usually at the expense of economies of scale ° Subcontracting - Though each organization’s total process may be unique, there may be various processes which can be duplicated by other organizations. The affected organization can then use a number of subcontractors to continue with the task while their own facilities are unavailable. This can rarely be achieved quickly without advance preparation due to the need for setting-up. ° Warehousing stock – For products that can be stored, an off-site stock can provide a time window in which supply can be maintained while a disruption is resolved
•
Supply chain solutions include: ° Dual sourcing of materials where interruption of supply would rapidly halt a critical function ° Holding inventories off-site, at another site or at the supplier’s site ° Significant penalty clauses on supply contracts (though this will not protect against bankruptcy) ° Inspection of supplier’s business continuity plans and test performance record
•
Off-site storage of paper and electronic records. These are best negotiated at a department / organization level ensuring the best value for money through economies of scale. The storage site should be sufficiently far away to ensure that they are not also affected by an incident, but not so far that access takes so long that Maximum Tolerable Outage’s are threatened. The Recovery Time Objective (RTO) of the function using the records will determine the suitable back-up strategy. Some papers may be work-in progress and be required in short timescales
BUSINESS CONTINUITY PLANNING GUIDELINES – v 06.1 (March 06)
Implementation Components - 41
Government of Saskatchewan
while others may be archives retained for legal or regulatory purposes for which deep storage, at lower cost, will be suitable. •
Paper records off-site storage solutions include off-site recovery team boxes, fire-’proof’ cabinets, and photocopies, managed in-house or by a service provider.
•
Electronic record storage can be managed in-house but are also provided by a range of suppliers. Records can be sent off-site by physical collection of storage media or by electronic transmission.
Other strategies • Outsourcing. More and more organizations are outsourcing business critical processes and activities to create virtual organizations. It is critical to remember that the risk to the organization’s reputation and brand image cannot be shifted to either intra-organization sourcing or outsourced providers. The risk and responsibility always remains with the business. •
Using outsource providers away from the centre of the business, introduces additional complications in security, political and environmental risk which may attract heightened interest from customers and regulators.
•
Changing the process may provide an opportunity to continue with the business as far as the customers are concerned, but the deliverable is ‘assembled’ in a different way, usually by outsourcing all or part of the operation. For example an internal volume printing organization may become a distributor by outsourcing production and importing the finished product.
•
Fortress – for sites with unique process or where the location is unique then a relocation strategy may not be possible. In this case all the effort must go into minimising specific threats with the understanding that, if the worst happens, the uniqueness of the organization requires its reinstatement, however long that takes.
•
Asset restoration services are provided by a range of specialist companies who can often minimise damage after fire and flood to papers, equipment and buildings. These firms may provide an advance registration service and advice, as well as being available on request post incident.
•
Insurance, when properly arranged, can provide financial compensation for loss of assets, increased costs of working and protection for associated legal liabilities. However it may not provide cover for the full expense of an incident or damage including the loss of clients, impact of stakeholder value or loss of reputation. The Business Continuity Manager should work closely with the Insurance Manager to dovetail insurance cover with BCM parameters,
•
An ‘All Risks’ type Policy will compensate for the assessed value of the damaged or lost physical assets and electronic records.
•
Business Interruption insurance may pay for either the “increased cost of working” during resumption or for ‘loss of profits’ over the disrupted period.
•
Liability insurance may provide protection for liabilities incurred including those associated with employees and third-party property and people.
Site resilience and specific threats • Monitoring systems may provide prompt warning of utility failures, equipment failures and destructive threats. BUSINESS CONTINUITY PLANNING GUIDELINES – v 06.1 (March 06)
Implementation Components - 42
Government of Saskatchewan
•
Uninterruptible Power Supply (UPS) and back-up generators can protect buildings or specific equipment from power failures. They need to be maintained and tested regularly to ensure performance when required. There are also specialist recovery contractors that will supply portable generators either as a contracted service or on demand (subject to availability).
•
Sprinkler and Fire Suppression systems are often mandatory for buildings with high population levels and large quantities of flammable materials or expensive equipment. While water can put out fires effectively, it can cause considerable damage to papers and electronic equipment.
•
Cross-Training & Plan documentation can provide some protection against loss or absence of key staff.
•
There are many other measures able to protect a site or pieces of equipment against specific threats identified in a risk analysis
General considerations Continuation or recovery capabilities need to be realistic. Physically moving staff and operations will take more time than expected and impact on the available working day. It is important to allow sufficient continuation/restart time into the expected Recovery Time Objectives (RTO) to ensure resumption of business critical processes and activities can be met. It is usually the case that the faster the recovery requirement, the greater the cost of a solution therefore, to minimise costs, it is important to ensure that an appropriate, but not excessively rapid, recovery strategy is chosen.
Department (Organization) Strategy
Mission Critical Strategy
Resource Recovery Strategy
Introduction An organization’s Business Continuity Management Strategy works best when its vision, direction and parameters are given from the top of the organization. There should be a clear transition between each of the above BCM Strategies. There are dependencies between each strategy that must follow a natural progression from one to the other.
Precursors The organization-wide strategy must adhere to the BCM Policy.
Purpose The purpose of a Department (Organizational) Business Continuity Management Strategy is to provide a clearly defined and documented policy, framework and operational direction to ensure continuance of that organization.
BUSINESS CONTINUITY PLANNING GUIDELINES – v 06.1 (March 06)
Implementation Components - 43
Government of Saskatchewan
Concepts and Assumptions Separation distance – what is off-site? Since the BC events against which we are planning frequently result in loss of access to or destruction of a location it is necessary to ensure that electronic and other vital records are duplicated at another geographically separated location in a form that allows them to be accessible and recovered for use within business-defined time objectives. While it is self-evident that greater geographical separation decreases the likelihood of two sites being affected by the same incident, there is no ‘minimum’ or ‘correct’ distance for separation as the ability of world-wide infections and computer viruses to cause concurrent incidents demonstrates. However a few hundred metres is likely to provide little protection even in localised incidents because of the methods that emergency services use to control the site, cordons, and the likely disruption to local transport. Some organizations can use their geographic or jurisdiction area to define the limit of their dispersion (see discussion of survivable incidents in the Introduction to Stage One); others may choose the pragmatic alternative of placing a relocation site within the limit of how far they judge their staff would travel (which may be about 1 hour away). Contracted Alternate Site (Syndication) Ratios • “Dedicated” work area where a subscriber has exclusive use of accommodation. This is generally used where a rapid RTO is required, for high value-generating functions, where specialist equipment is used or where the non-availability associated with syndicated space are judged unacceptable. An example would be dealing desks for an investment company. •
“Syndicated or Subscription” work area where a subscriber pays for the use of available accommodation, not already in use by a prior invocation by another subscriber.
•
The general industry ratio is a maximum of between 40 & 25 to 1 i.e. each desk is sold a maximum of up to 40 times, but great care should be taken to understand who are the other customers potentially using each desk e.g. some suppliers provide client details by postal code. The parameters acceptable to an organization should be clearly defined within its BCM Resource Recovery Strategy and should not be left to individual contract negotiations.
•
At the current time there are two basis on which the available resources may be allocated by a recovery supplier to subscribers during a concurrent invocation: ° First come, first served: The first subscriber to invoke the service gets their full allocation of resource, any remainder is available to subsequent subscribers. ° Equitable share: The available resources are allocated in proportion to the resources subscribed to.
Exclusion Zones (Third-party recovery sites) The exclusion zone is the distance within which the recovery supplier will not resell the resources you have subscribed to another potential customer. The organization’s definition of exclusion zones should be clearly defined within the department / corporate BCM Strategy e.g. within the City of Saskatoon a 800 metre exclusion zone (vehicle size bomb) may be a minimum acceptable standard for this specific threat but may not be appropriate for other types of incident.
BUSINESS CONTINUITY PLANNING GUIDELINES – v 06.1 (March 06)
Implementation Components - 44
Government of Saskatchewan
Resilience This term is used to indicate that something can suffer a failure and yet still continue operations. It is often used as if it were an absolute (e.g. this computer is resilient); however, like the words ‘near’ or ‘far’, the term resilience is a relative one whose scope needs to be qualified at each use. This is best illustrated by examples. •
The addition of RAID technology to a computer increases machine-resilience (but only to hard-disc failures) and does nothing to protect against loss of that machine in a fire.
•
Duplication of power feeds to a site increases site-resilience to power interruptions but the site can still become unusable if the power failure affects both supplies.
•
Expanding the geographical dispersion and diversity of the organizations locations increases organizational-resilience
Process The process includes the following stages: •
Form a Business Continuity Management Strategy Team.
•
Identify the Organization’s Business Strategy, its objectives, legal and regulatory requirements and understand how a Continuity Strategy will support these objectives.
•
Review the scope, assumptions and findings of the Business Impact Analysis
•
Generate outline strategy options for consideration.
•
Provide executive management with the evaluation report to choose options, which they can agree on based on the organizations current and future business strategy and risk appetite.
•
Ensure the agreed outline option is ‘signed-off’ by the executive management including the financial and resource provisions.
•
Develop the detail of the approved strategy for business processes and resource recovery.
•
Implement an on-going process to ensure the Organization’s BCM Strategy planning is regularly reviewed.
Methods and Techniques The tools that could be used to develop a Department (Organization) Business Continuity Management Strategy include: •
Strategy planning tools
•
Benchmarking against appropriate national and international standards
•
PEST Analysis (Political/ Environment/Social/Technical)
•
Cost Benefit Analysis (including stakeholder, legislative and regulatory assessment)
•
SWOT Analysis (Strengths/Weaknesses/Opportunities/Threats)
•
Financial Planning and Management
BUSINESS CONTINUITY PLANNING GUIDELINES – v 06.1 (March 06)
Implementation Components - 45
Government of Saskatchewan
Outcomes and Deliverables The outcomes are: •
A organization-wide BCM Strategy based on the organization’s business strategy and risk appetite
•
An operational BCM framework which supports the BCM Strategy.
Review A review of the Department (Organization) BCM Strategy should be carried out at least every 12 months. However, events may prompt re-examination of the BCM Strategy such as: •
A Business Impact Assessment revision identifies changes in business critical processes and priorities.
•
A significant change in one or more of the following: key technology, telecommunications, business risk appetite, accommodation, staffing, acquisition or merger, new products or services, service suppliers, regulatory or legislative requirements
Department (Organization) Strategy
Mission Critical Strategy
Resource Recovery Strategy
Introduction A Business Impact Analysis will identify the priority for the resumption of business mission critical processes and activities. At the Mission Critical Strategy development stage the complexity of interdependencies on services, business processes, data and technologies needs to be analysed. In determining the Mission Critical Activity Strategy, there must be a clear transition between each of the BCM Strategies. There are dependencies between each strategy that must follow a natural progression from one to the other.
Precursors The Mission Critical Activity BCM Strategies need to be developed within the context of the Organization’s overall BCM Strategy.
Purpose The purpose of a Mission Critical Activity, Business Continuity Management Strategy is to provide a documented framework for the resumption for one or a number of business critical processes and activities.
BUSINESS CONTINUITY PLANNING GUIDELINES – v 06.1 (March 06)
Implementation Components - 46
Government of Saskatchewan
Process The process includes the following stages: •
Create a high-level Mission Critical Activity Strategy within the parameters of the Organization Recovery Strategy
•
From the Business Impact Analysis and Risk Assessment identify business critical processes and activities including their dependencies and any single points of failure.
•
Using the results from the Business Impact Analysis identify the Maximum Tolerable Outage (MTO).
•
Decide on a Recovery Time Objective (RTO) for the mission critical process, which should be shorter than the MTO.
•
If there is an existing resumption strategy conduct a ‘Gap Analysis’ to identify where existing performance is measured against the required performance.
•
Identify appropriate recovery strategy or strategies for each business critical process and / or activity and generate Mission Critical Activity Strategic options.
•
Evaluate the cost benefit analysis for the Mission Critical Strategic options to optimise efficiency, to attain recovery time objectives and to ensure cost effectiveness.
•
Provide executive management with a strategic option’s evaluation, which they can review and approve based on the organization’s risk appetite.
•
Ensure the agreed option is ‘signed-off’ by the executive management including the financial and resource provisions.
•
Create Mission Critical Activity Strategy implementation project and action plans. A Risk Assessment, if completed for that process, may suggest priority areas for implementation.
•
Implement an on-going process to ensure the Mission Critical Activity Strategy planning is reviewed.
Methods and Techniques The tools available to develop a Mission Critical Activity Business Continuity Management Strategy include: •
Results from the Business Impact Analysis and Risk Assessment.
•
PEST Analysis. (Political/ Environment/Social/Technical)
•
Cost Benefit Analysis.
•
End-to-End service and process mapping.
•
Crisis Management planning.
Outcomes and Deliverables The outcomes and deliverables from a Mission Critical Activity Strategy include: •
A documented Mission Critical Activity BCM Strategy agreed to and ‘signed-off’ by the organization’s executive management.
•
A project plan for implementing the agreed strategy.
BUSINESS CONTINUITY PLANNING GUIDELINES – v 06.1 (March 06)
Implementation Components - 47
Government of Saskatchewan
•
An agreed relationship with the organization’s Business Continuity Management process to develop a Mission Critical Business Continuity Plan (BCP) for one or a number of critical processes and activities.
•
A developed and agreed relationship in the organization’s Crisis Management process.
•
Compliance with legal and/or regulatory requirements for a Business Continuity Plan.
Review A review of the Mission Critical Activity Strategy should be carried out at least every 12 months. However, events may prompt re-examination of the BCM Strategy such as: •
A Business Impact Assessment revision identifies changes in business critical processes and priorities.
•
A significant change in the following: key technology, telecommunications, accommodation, staffing, acquisition or merger, new products or services, service suppliers, regulatory or legislative requirements, any one of these changes may cause a review of the Mission Critical Activity Strategies.
Department (Organization) Strategy
Mission Critical Strategy
Resource Recovery Strategy Introduction This step provides the Resource Recovery BCM Strategy, is directly linked to the Business Impact Analysis and must document and evaluate the factors for: •
Deployment of appropriate recovery resources across a number of business critical processes and activities.
•
Work area requirements – staff ratio, priority of business processes, location (in-house or third party), equipment and technology requirements
Precursors The parameters for the Resource Recovery BCM Strategy will be derived from the timescales in the Mission Critical Activity Strategy and the resources identified in the Recovery Resource Analysis.
Purpose The purposes of a Resource Recovery Strategy are to co-ordinate and provide a predetermined level of resources, i.e. personnel, equipment, information, within a Business Continuity Plan (BCP) to enable the implementation of the previously defined Department / Organization and Mission Critical Activity Business Continuity Strategies.
BUSINESS CONTINUITY PLANNING GUIDELINES – v 06.1 (March 06)
Implementation Components - 48
Government of Saskatchewan
Concepts and Assumptions Availability of solutions It is possible that the contracted recovery services required by the business processes do not exist in the vicinity. Some organizations may decide to create their own internal recovery facilities, and then offer to share them (commercially) with other departments faced by the same dilemma.
Process This process includes the following stages: •
Consolidate the recovery strategy or strategies identified in the previously developed Mission Critical Activity strategic framework.
•
Group Mission Critical Activity solutions that also provide support for the Resource Recovery strategy.
•
Identify appropriate strategy or strategies for each business critical process and activity and generate Resource Recovery strategic options.
•
Evaluate the cost benefit analysis for each of the Resource Recovery Strategy options to attain recovery time objectives and to ensure cost effectiveness.
•
Provide executive management with a strategic evaluation, which they can approve based on the organization’s risk appetite.
•
Ensure the agreed options are ‘signed-off’ by the executive management including the financial and resource provisions.
•
Create Strategy implementation project and action plans
•
Apply the agreed strategy to implement the project and action plans (including the development of Business Continuity Plans).
•
Implement an on-going process to ensure the Resource Level BCM Strategy planning is reviewed.
Methods and Techniques The tools used to select appropriate solutions from those listed above to create a Resource Recovery Strategy include: •
Results from the Business Impact Analysis and Resource Recovery Analysis as refined by the Mission Critical Activity recovery strategy.
•
Evaluation tools for purchasing services including value-for-money and contractual terms assessment.
•
Alternative site working strategies for: work areas, IT facilities, and telecommunications.
•
Provision for off-site data storage, damage assessment and salvage operations.
•
Measures to manage loss of staff.
•
Cost Benefit Analysis.
BUSINESS CONTINUITY PLANNING GUIDELINES – v 06.1 (March 06)
Implementation Components - 49
Government of Saskatchewan
Outcomes and Deliverables The outcomes and deliverables from a Resource Recovery Business Continuity Management Strategy include: •
A set of recovery resources and services which can be deployed under the control of the Business Continuity Plan (BCP) that provides for the restoration of acceptable functionality for business processes. ° within their desired Recovery Time (RTO) and Maximum Tolerable Outage (MTO) target. ° with data recovered to within their Recovery Point Objectives (RPO).
Review A review of the Resource Recovery BCM Strategy should be carried out every 12 months. However, events may prompt re-examination of the strategy such as: •
Changes required by adjusted Mission Critical Activity recovery requirements.
•
A significant change in accommodation, staffing or available technology that may provide alternative resumption strategies.
•
A change in the availability of recovery services in the vicinity such as closure, merger or opening of a facility.
BUSINESS CONTINUITY PLANNING GUIDELINES – v 06.1 (March 06)
Implementation Components - 50
Government of Saskatchewan
E.
Business Continuity Sustaining Components
Developing a BCM Culture Assessing Awareness Developing Culture Monitoring Skills & Culture
Introduction The successful establishment of a Business Continuity Management (BCM) culture within an organization is dependent upon its integration with the organization’s strategic and day-to-day, management and alignment with business priorities. The main techniques for developing a sustainable BCM culture within an organization include: •
Assessing the current level of awareness of and commitment to, BCM against the desired level; thus identifying the ‘training gap’ that exists between the two.
•
Designing and delivering a campaign to create awareness and develop the skills, knowledge and commitment required to ensure successful Business Continuity Management.
•
Checking that the awareness campaign has achieved the desired results, and monitoring BCM awareness in the longer term.
There is a limit to which any program can alter the culture of an organization and attempts to change attitudes may have unexpected effects which may be the opposite of those intended. Critical factors for success include: •
Visible and continued support by senior management. This must include adequate budget to support the awareness campaign over time. It is also important to gain commitment from managers and operational staff who are required to implement Business Continuity Management.
•
Consultation, with everyone involved with BCM, in developing the campaign. As well as providing focus for the awareness effort, consultation in itself helps raise awareness and may help prepare the way for commitment to new working practices.
•
Focus on the business priorities of the organization. Relating the campaign message to department/corporate and individual WIIFM (“What’s In It For Me”?) factor helps to provide justification for BCM and working practices that support it.
BUSINESS CONTINUITY PLANNING GUIDELINES
V
06.1 (March 06)
Sustaining Components - 51
Government of Saskatchewan
The awareness campaign and its messages should be tailored to target audiences. These audiences are both internal, for example BCM planners and general staff, and external, for example key stakeholders and third parties that are dependent on (or may adversely affect) the organization’s own business continuity management effort. External awareness is particularly important where BCM operates in an outsourced environment. Organizational culture is manifested in shared values, operating norms, styles and patterns of behaviour. It is frequently described as ‘the way we do things around here’ or ‘what you have to do to get on’. Experience has shown that behavioural change initiatives fail to attract lasting commitment unless attitudes and beliefs are also engaged. In order to really change behaviours, it is necessary to influence the attitudes. In order to influence attitudes, it is necessary to develop and establish beliefs. Thus, achieving cultural change can be a subtle and lengthy process.
Assessing BCM Awareness Developing Culture
Monitoring Skills & Culture
Introduction Before planning, and designing the components of an awareness campaign, it is critical to understand what level of awareness currently exists, and what level is desired following the delivery of education, training and awareness. It is also important to identify how the desired level of awareness will be measured and what changes will manifest the new BCM culture.
Precursors The BCM Policy provides the framework for supporting the need and requirement for cultural change.
BUSINESS CONTINUITY PLANNING GUIDELINES
v 06.1 (March 06)
Sustaining Components - 52
Government of Saskatchewan
Purpose The purpose of this activity is to assess current and desired levels of BCM awareness, define what areas the awareness campaign must target and how the campaign can most effectively be run.
Concepts and Assumptions An audit of current BCM awareness should seek to establish the level of knowledge of and commitment to BCM. Evidence will be found chiefly in behaviours, but there are other sources within the organization. Those involved in making the awareness assessment should have a good understanding of the business and its BCM aims. They should also have, or be able to call on those with, an appropriate level of competency in education, training and awareness activities, and suitable diagnostic and interpersonal skills. As for other stages in the awareness campaign, this activity requires consultation with, and the co-operation of, staff throughout the organization, from executive and senior management through appointed BCM planners to staff without specific BCM roles, but a general responsibility to “play their part” in BCM. In particular, senior management should, from the outset, provide support for the awareness work, both in terms of material resource and commitment to the mission.
Process The awareness assessment activity is effectively a Training Needs Analysis and comprises three principal tasks: •
Establishing the current level of awareness of BCM
•
Specifying the desired level of awareness, and how this will be measured
•
Identifying the nature and scope of the “Training Gap” to be bridged by the campaign
Methods and Techniques Establishing the current level of awareness of BCM This activity is an information gathering exercise. The objective should be to establish statistical indicators of any gaps in awareness, and an assessment of the appreciation of, and commitment to, BCM in target groups of staff. Sources should include: •
Documentation: including corporate policy statements and procedures, incident and crisis response reports, accounts of previous BCM tests and exercises, relevant IT system and business metrics
•
People Feedback: including interviews with senior management and business managers, focus groups with practitioners and end-users
•
Observation: including on-the-job reviews of current working practices (for example, in comparison with corporate policy)
BUSINESS CONTINUITY PLANNING GUIDELINES
v 06.1 (March 06)
Sustaining Components - 53
Government of Saskatchewan
Specifying the desired level of awareness, and how this will be measured This activity is about specifying the behaviours and related performance indicators that will confirm to the organization a satisfactory level of BCM awareness in each staff target group. This specification should be agreed with senior management (in terms of department/corporate performance on BCM) and with managers and BCM planners (in terms of the feasibility and integration with working practices). The specification will depend on the nature and scope of the business, its BCM requirements and effort, but may include the following: •
Enhanced working practices that support BCM.
•
A better understanding of, and material support for, BCM issues by staff generally.
•
A higher BCM profile in corporate decision-making, policy and culture.
Identifying the nature and scope of the “Training Gap” to be bridged by the campaign This activity requires the comparison of the results of steps 1 and 2 described above. The nature and scope of the Training Gap should be identified both in terms of the BCM subjects to be addressed by the campaign, and which delivery type - education (information), training (skills) or awareness (appreciation of, and commitment to BCM) – is most effective. The awareness of staff may be defined at one of four levels: •
Unconscious Ineffectiveness is defined as the condition in which staff are unaware of BCM issues. They do not know what they don’t know.
•
Conscious Ineffectiveness is defined as the condition in which staff are aware of BCM generally, but know little about its detailed requirements.
•
Conscious Competence is defined as the condition in which staff are cognisant of the BCM issue and are proficient (e.g. in following documented procedures) in supporting BCM.
•
Unconscious Competence is defined as the condition in which staff are fully competent in applying BCM in a variety of circumstances.
Outcomes and Deliverables The outcomes from the awareness assessment should include: •
A statement of the current level of awareness and effectiveness of staff to support BCM.
•
A statement of the desired level of awareness and how this will be measured.
•
A definition of the Training Gap, including BCM subjects which require greater awareness, staff attitudes to BCM - since this will help define the overall message of the awareness campaign and the level(s) of competence found in each target group.
Review The awareness assessment should be carried out at the start of the awareness campaign, again following the main thrust of the campaign, and periodically thereafter as a monitoring capability. Additionally, awareness assessments may be needed in response to changes in:
BUSINESS CONTINUITY PLANNING GUIDELINES
v 06.1 (March 06)
Sustaining Components - 54
Government of Saskatchewan
•
Organizational business processes that affect BCM priorities.
•
Legislation affecting BCM requirements.
•
The BCM risks including security threats and vulnerabilities and other business-related risks.
•
Corporate and client/partner requirements for the availability of information and services, including accepted industry Best Practice e.g. NFPA 1600, PAS56 and ISO17799
Assessing Awareness
Developing Culture Monitoring Skills & Culture
Introduction Designing and delivering education, training and awareness comprises three principal activities: •
Training & Awareness Design.
•
Training & Awareness Delivery Planning.
•
Training & Awareness Delivery.
Precursors The BCM Policy provides the framework for supporting the need and requirement for cultural change. Within the BCM culture and awareness activity, the design and delivery of education, training and awareness must be derived from a detailed Training Needs Analysis.
Purpose The purpose of this activity is to define the BCM messages to be understood by staff, and select the most effective means to deliver those messages.
Concepts and Assumptions Education, training and awareness can be delivered in many ways; it is critical to the success of an awareness campaign that the most appropriate and effective methods of delivery are selected. The planning and design of the campaign should be hierarchical, starting with objectives derived from the definition of the Training Gap and its constituent features. Teaching points should in turn be identified from the specific knowledge, skills and awareness items that need to be assimilated by staff to bridge the Gap.
BUSINESS CONTINUITY PLANNING GUIDELINES
v 06.1 (March 06)
Sustaining Components - 55
Government of Saskatchewan
Staff with no particular responsibility for BCM may need to attain only awareness, or a prescribed level of proficiency, in carrying out those BCM-related tasks that are part of the role within the organization. BCM planners, however, should receive a structured training path that delivers knowledge, skill and finally includes competency in BCM via opportunities to put their skills into practice. The campaign must be costed and the effort required agreed upon by senior management at an early stage in the process. The availability of staff to attend training events should also be taken into account when planning the strategy and the campaign timetable.
Process Designing and delivering education, training and awareness comprises three principal activities: •
Training & Awareness Design.
•
Training & Awareness Delivery Planning.
•
Training & Awareness Delivery.
Training & Awareness Design The overall design may consider first raising awareness of the BCM issue generally, to create an appetite for formal training or similar events where the key information will be delivered. Following formal learning events, further information and opportunities for learning should be provided through, for example, corporate newsletter pages and Intranet sites, discussion groups and other activities. In designing the campaign, the following key tasks should be completed: •
Identify the audiences and the key education, training and awareness issues to be delivered.
•
Prioritise the teaching points that comprise the BCM education, training and awareness issues.
•
Select the order and delivery methods required for the prioritised teaching points.
Training & Awareness Delivery Planning The term “campaign” has been used throughout, for emphasis: the achievement of cultural change will require a long term, campaigning approach. The delivery planning task should consider the most cost-effective forms of delivery and take into account staff availability and working practices. This task should also consider publicising the campaign itself as part of the awareness drive. Key activities in this task should include: •
Discussion and agreement of the proposed campaign by Executive Management.
•
Piloting key elements of the campaign with a selection of business managers and staff focus groups and defining success criteria.
•
Planning for integration of the BCM message with induction and refresher training, and its inclusion in other staff training.
•
Pilot runs and assessments of proposed training events.
BUSINESS CONTINUITY PLANNING GUIDELINES
v 06.1 (March 06)
Sustaining Components - 56
Government of Saskatchewan
Training & Awareness Delivery The strategies chosen for education, training and awareness tend to depend on each organization’s situation and awareness goals; therefore only the following general recommendations for a campaign can be offered: •
The campaign should raise awareness of BCM issues for the organization and the individual employee. Executive and Senior Management support for the campaign should be evident in training literature and events.
•
Formal training should be offered when there is evidence that awareness of the issues has been accepted. The acceptance and application of the knowledge or skills delivered by the training should be regularly assessed, and any shortfalls addressed.
•
Following the completion of formal training events, refresher Education, Training and Awareness effort should be made, to ensure that staff remain aware of the continuing (and changing) needs for BCM.
Methods and Techniques There are many theories about how adults learn, and a corresponding variety of delivery strategies. While BCM planners can supply the Business Continuity content of the training, they should consider working with training experts to develop the strategy and deliver the campaign. It is important to recognise that awareness is not confined to formal training, and requires that the issue, in this case BCM, be integrated with working practices. Opportunities should be found to include BCM “on the agenda” wherever possible. Examples are offered below. Information resources: •
Internet BCM sites
•
Books, periodicals and industry publications
•
Conferences and seminars
Training resources: •
External approved training courses
•
Formal academic educational programs
•
Business Continuity Regional Forums and working groups
•
Industry sector working groups
•
Certification bodies
•
Internal training, including specifically designed introduction and refresher courses
•
Distance learning (internet, video, reading)
•
BCM and Crisis Management exercises (internal or external)
Awareness resources: •
Briefing Papers
•
Internal newsletters, bulletins, articles and staff magazines
•
Visits to work area recovery sites and crisis management centres
BUSINESS CONTINUITY PLANNING GUIDELINES
v 06.1 (March 06)
Sustaining Components - 57
Government of Saskatchewan
•
Intranet Web Sites
•
Exercising, Rehearsal and Testing of the organization’s BCM plans
•
Certified BCM practitioners within the organization
•
Incentive and performance rewards
•
Participation in other organization’s BCM exercises or real events
•
Inclusion of BCM related objectives through the organization’s performance and appraisal mechanisms
Outcomes and Deliverables The deliverables of the campaign will include a range of learning events, including live training, distance learning, awareness events and the promotion of BCM issues in working practices. Clearly, the nature and scope of these are dependant on the specific BCM awareness goals of the campaign. The outcomes of the campaign should include: •
Higher general awareness of the need for BCM.
•
Awareness of BCM risks to the organization and of business priorities.
•
Identification of an acceptable approach to BCM which can be integrated into working practices.
•
Improved effectiveness in conducting specific BCM tasks.
•
More effective responses to actual business continuity incidents.
•
Higher demands on BCM planners e.g. through increased concern about BCM by business managers.
Review Training should be carried out as part of staff orientation and refresher training, and revised and presented in response to changes in: •
Organizational business activities that affect BCM priorities.
•
Legislation affecting BCM requirements.
•
BCM risks, including security threats and vulnerabilities and other business-related risks.
•
Corporate and client/partner requirements for the availability of information and services, including accepted industry Best Practice e.g. NFPA 1600, PAS56 and ISO17799.
BUSINESS CONTINUITY PLANNING GUIDELINES
v 06.1 (March 06)
Sustaining Components - 58
Government of Saskatchewan
Assessing Awareness
Developing Culture
Monitoring Cultural Change Introduction Clearly, both the overall achievement of the campaign and the success or otherwise of specific components, must be reviewed in order to continuously improve the relevance and effectiveness of the work done. The awareness campaign should be viewed as an ongoing task, and periodic reviews made to check awareness and identify efforts required to maintain it at an acceptable level.
Precursors The BCM Policy provides the framework for supporting the need and requirement for cultural change. Within the BCM culture and awareness activity, the maintenance and improvement of education, training and awareness efforts must be derived from comparison against the original objectives identified in the awareness assessment and training needs analysis.
Purpose The purpose of education, training and awareness assessment is to maintain the quality and effectiveness of the campaign, ensure currency with organization, corporate, industry and other pertinent BCM issues, and ensure that the required level of BCM awareness is achieved.
Concepts and Assumptions The effectiveness of education, training and awareness can be measured on a number of levels: improved performance in individuals, higher standards across the organization, increased emphasis on the issue, in this case BCM, in the corporate culture. As with all research, care must be taken to ask the right questions to bring out the relevant responses, to interpret data correctly, and to remain vigilant for issues outside the central training concern which may be relevant for BCM culture generally.
Process •
Seek and collate feedback on specific training events. While some training events may be successful and others less so, it is important to look for the underlying trends – for example, particular modules within a training course that consistently draw criticism.
•
Monitor effectiveness. While short-term feedback can provide information about campaign components and allow their improvement, the long-term effect of the campaign is more important and may be manifested in less tangible terms (for example, heightened awareness). However, the effectiveness of the campaign should be quantified wherever possible in terms of business improvement and “the bottom line”.
BUSINESS CONTINUITY PLANNING GUIDELINES
v 06.1 (March 06)
Sustaining Components - 59
Government of Saskatchewan
•
Periodically monitor awareness. Executive management should be prepared to budget for assessment exercises and possible subsequent action on a regular (minimum annual) basis.
Methods and Techniques Evaluation may take many forms. Effective evaluation will combine a range of short- and longterm methods, reviewing both the form and content of the campaign itself and its effect on BCM within the organization. Wherever possible, the evaluation results should be expressed in terms of the benefits of the campaign to the organization. The evaluation of training courses may include discussions, quizzes or short examinations during the course to check and align teaching during presentation. Course Evaluation Forms may be used to continuously improve the course structure and content. Evaluation of a course should be based on a number of completed sessions, rather than a single instance.
Outcomes and Deliverables The deliverables of the training and awareness campaign review should include a range of reports for appropriate levels within the organization. These should include executive and senior management, relevant business managers and BCM planners and training providers. The outcomes of the campaign assessment should be reported to staff, and may include: •
Identification of further education, training and awareness requirements.
•
Identification of professional development opportunities for BCM planners.
•
Improvements in working practices.
Review Evaluation of the campaign should be made both during, to allow realignment of the strategy and after the bulk of the campaign has run to review whether the campaign has achieved its overall objective of bridging the training gaps identified in the initial awareness assessment. A regular awareness audit should be conducted, and any shortfall addressed.
BUSINESS CONTINUITY PLANNING GUIDELINES
v 06.1 (March 06)
Sustaining Components - 60
Government of Saskatchewan
Exercising, Maintenance and Audit Exercising Maintenance Audit
Introduction Exercising A Business Continuity Management (BCM) capability cannot be considered reliable until it has been exercised. Exercising can take various forms, including technical tests, desktop walk-through and full live exercises. No matter how well designed and thought-out a BCM Strategy or Business Continuity Plan; a series of robust and realistic exercises will identify issues and assumptions that require attention. Time and resources spent exercising BCM Strategies and Continuity Plan's are crucial parts of the overall process as they develop competence, instil confidence and impart knowledge that is essential at times of crisis. Though effort needs to be put into testing technical recovery capabilities, the key element is the role of people and their resilience in terms of skills, knowledge, management and decision making. While a service or function may be outsourced, the accountability for the risk cannot. Consequently organizations must assure themselves of the readiness of suppliers of outsourced services to cope with disruption, by exercising their own plans and requiring evidence of the viability of their supplier’s contingency plans and the testing of them.
Maintenance Most organizations exist in a dynamic environment and are subject to change in people, processes, client expectations, risk, environment, geography, and business strategy. To ensure that their BCM capability continues to reflect the nature, scale and complexity of the organization it supports, it must be current, accurate, complete, exercised and understood by all stakeholders and participants. A Business Continuity Maintenance Program must be established to ensure that all relevant stakeholders have the current and relevant parts of the Business Continuity Plan.
BUSINESS CONTINUITY PLANNING GUIDELINES
V 06.1
(March 06)
Sustaining Components - 61
Government of Saskatchewan
Audit The BCM Audit process ensures that an organization has an effective Business Continuity capability. Audit has five key functions: •
To validate compliance with the organization’s BCM policies and standards.
•
To review the organization’s BCM solutions.
•
To validate the organization’s BCP’s.
•
To verify that appropriate exercising and maintenance activities are taking place.
•
To highlight deficiencies and issues and ensure their resolution.
The Audit process can be undertaken by an organization’s Internal Audit function, an External Auditor, or External Professional BC Practitioner. The process should be conducted annually or biannually. In the interim, self-auditing, or ‘Performance Monitoring’ may be carried out more frequently, by the owners of the BC plans.
Exercising
Maintenance
Audit
Introduction The development a BCM capability is achieved through a structured exercising program; to be successful an exercising program must begin simply and escalate gradually. Exercising is a generic phrase used here to describe the exercising of Business Continuity Plans, rehearsing team members and staff and testing of technology and procedures. Three terms are in general use: •
Test: Usually used when a technological procedure and/or business process is being tried, often against a target timescale. In this sense the result can be either a ‘pass’ or ‘fail’ (for the procedure, not the individual). An example is the rebuilding of a server environment from back-up tapes.
•
Rehearsal: A practice of a specific set of procedures which require the following of a script to impart knowledge and familiarity. An example is a fire drill.
•
Exercise: Usually for a scenario-based event when decision-making abilities are being examined. An example is a desktop exercise to manage a major incident.
Regardless of the term used, it is important to demonstrate that an exercise is an opportunity to measure the quality of planning, competence of individuals and effectiveness of capability rather than a simple ‘pass or fail’ examination. A positive attitude towards BCM exercising makes the process more acceptable and enables strengths to be acknowledged and weaknesses to be seen as opportunities for improvement rather than criticism.
BUSINESS CONTINUITY PLANNING GUIDELINES
V 06.1 (March
06)
Sustaining Components - 62
Government of Saskatchewan
Precursors Not understanding how the plan would function if it were called into action is a key driver for initiating testing activities.
Purpose The purpose of exercising is: •
To evaluate the organization’s current Business Continuity Management competence.
•
To identify areas for improvement or missing information.
•
To highlight assumptions which need to be questioned.
•
To provide information and instil confidence in exercise participants.
•
To develop team work.
•
To raise awareness of Business Continuity throughout the organization by publicising the exercise.
•
To test the effectiveness and timeliness of resumption procedures at the end of the exercise.
Concepts and Assumptions In order for any exercise to be “useful”, it needs to meet the following criteria: Stringency, Realism, and Minimal Exposure. These three criteria often have conflicting requirements, and will require a compromise to be reached between them.
Stringency Exercises should be carried out, wherever possible, using the same procedures and methods as would be used in a real event, making the event as real as possible. This is the ideal, but it may not be possible to run certain tests without alterations to “live” procedures. This applies especially to technical testing.
Realism The usefulness of an exercise is reduced by the selection of an unrealistic scenario. The simulation of an event is needed to prove the viability of plans in such circumstances. The setting of a realistic business scenario ensures that the audience engages fully in the event and ultimately gains more from it.
Minimal Exposure Exercises may place the business at a level of increased risk. The designer of the test should ensure that: •
the risk and impact of disruption is minimised
•
the business understands and accepts the risk
For more complex technical tests, the test manager should ensure that there are agreed stop/go points at key stages throughout the test, and adequate back-out plans in case of things going wrong.
BUSINESS CONTINUITY PLANNING GUIDELINES
V 06.1 (March
06)
Sustaining Components - 63
Government of Saskatchewan
Similarly for desktop or live exercises the exercise manager requires the capability to call a time out during the event if the team are making decisions that would not be appropriate in the given scenario.
Process A technical test may include the following steps: •
Agree on the scope and objectives of the test.
•
Agree on budget for the test if required.
•
Assign appropriate personnel to the task.
•
Devise a simple scenario and set of assumptions that puts the test in context.
•
Conduct a Risk Assessment of the test to minimise the risk of an impact on live operations.
•
Conduct the test and record the results.
•
Assess and report the results.
•
Address any issues raised.
A scenario exercise will require similar steps though each will be more complex •
Agree on the scope and objectives of the exercise with senior management.
•
Agree on the budget for the test.
•
Agree with the appropriate managers of the organization and any suppliers of logistics/services required to enable the exercise to take place.
•
Prepare a realistic and suitably detailed scenario.
•
Include aspects such as date, time, current workload, political and economic conditions and temporal/seasonal issues.
•
Ensure required participants are available.
•
Conduct a Risk Assessment of the exercise to minimise the risk of an impact on live operations.
•
Brief observers and prepare questionnaires for use during the exercise to capture lessons learned by all players and observers.
•
Pre-exercise information and briefing of participants.
•
Conduct the exercise.
•
Debrief participants immediately after the exercise.
•
Conduct a formal executive level debrief at a later date.
•
Evaluate exercise, consolidate results and prepare a Post Exercise Report with recommendations.
•
Prepare an open-issues report during and immediately following the test.
•
Circulate reports to participants and executive management.
BUSINESS CONTINUITY PLANNING GUIDELINES
V 06.1 (March
06)
Sustaining Components - 64
Government of Saskatchewan
•
Create an action plan to implement post exercise report recommendations i.e. update the strategy and plan as approved, review exercising schedule for further exercising to prove the effectiveness of the changes.
Methods and Techniques A progression and potential combinations of exercises are illustrated in the following matrix: Type
Desk Check
Walkthrough Plan and/or Infrastructur e
Techniques
• Audit • Validation • Verification
• Scenario • Free-play
Simulation
• Controlled • Time-lapse
Process
Participants
Frequency
Complexity
Review and Challenge the contents of the plan. Extended Desk Check to check interaction and the roles of participants Incorporates associated plans:
• Author of plan • Independent
High
Low
• Business • Site/Building • Communication • Public Relations • BCM Resource
• Facilitator • Observers • Co-ordinators • Umpires
^ . . . . . . . . . . . . v
^ . . . . . . . . . . . . v
Functions
• Tabletop
Low
High
• Author of plan • Main participants
• Main Participants
Recovery Suppliers
• Unannounced • Live
checker
Moves to and recreates one or a number of business functions at an alternative pre-planned site.
• Individual Component(s)
• Employees and staff in specific business area
• Facilitator • Co-ordinators • Observers • BC Resource recovery Providers
• Integrated Components Close down of entire site/building and relocation of work Full Plan
• Staff required for recovery activities included in the BC Plans.
• Facilitator • Co-ordinators • Umpires • Observers • BC Resource Recovery Providers
Exercising types and methods (Adapted by Smith from Source: Elliot, Swartz and Herbane 1999 p.84)
BUSINESS CONTINUITY PLANNING GUIDELINES
V 06.1 (March
06)
Sustaining Components - 65
Government of Saskatchewan
Participants Possible participants, in addition to staff, in desktop or scenario exercises include: •
Suppliers of specialist BCM resources and services.
•
Insurance representatives.
•
Emergency Services.
•
Security.
•
Local Authority Emergency Planning Officer.
•
Communications and Public Relations.
•
Subject Experts (where appropriate)
•
Suppliers of business services/products.
Outcomes and Deliverables The outcomes of the BCM exercising process include:
•
Validation that the Business Continuity Plan and strategies are effective.
•
Enhanced familiarity of team members and staff with their roles, accountability, responsibilities and authority in response to an incident.
•
Testing of the technical, logistical, administration aspects of the Business Continuity Plan(s).
•
Testing of the recovery infrastructure that includes command centres, work area, technology and telecommunications resource recovery.
•
The rehearsal of the availability and relocation of staff.
•
Documentation of exercise results in a Post Exercise Report for executive management, auditors, insurers, regulators and others.
•
Documentation and resolution of open-issues (gaps) arising during the exercise.
•
An increased awareness of emergency procedures.
•
An increased awareness of the significance of Business Continuity Management.
•
The opportunity to identify shortcomings and improvements to the organization’s Business Continuity readiness
Review The frequency of a BCM Exercise Program is dependent upon the nature, scale and complexity of the organization. An exercise of the organization’s overall BCM capability should take place at least once every 12 months. Other events which may require an exercise to be scheduled include: •
A significant change in the processes, staff or technology.
•
There is a major external business environment change.
BUSINESS CONTINUITY PLANNING GUIDELINES
V 06.1 (March
06)
Sustaining Components - 66
Government of Saskatchewan
Exercising
Maintenance
Audit
Introduction The BCM Maintenance Program ensures that the organization remains ready to handle incidents despite constant changes that all organizations experience. To be effective the BCM Maintenance Program should be embedded within the organization’s normal management processes rather than be a separate structure that can be forgotten.
Precursors Most of the issues that show up in tests and exercises are the result of internal changes to the organization, i.e. staff, locations or technology. An effective change management process is a prerequisite of maintenance of the BCM program.
Purpose The purpose of the Business Continuity and Crisis Management maintenance program is to ensure that the organization’s BCM capability remains fit-for-purpose, sustainable and effective despite changes to internal business processes and external influences.
Concepts and Assumptions Process •
Review internal changes to (for example):
° business processes, ° technology, ° staff. This review may be triggered by the change management process highlighting the change, by post exercise ‘learning points’ action plan or an audit report. •
Review and challenging the assumptions made in the Business Impact Analysis (BIA) about the environment in which the organization operates to determine whether the time imperatives, maximum tolerable outages, have changed since the last review.
•
Review the adequacy and availability of external services that might be required by an organization in times of difficulty such as asset restoration, recovery sites and subcontracts.
•
Review the Business Continuity arrangements of suppliers of time-critical components to the business.
•
Assess whether changes and amendments create a training, awareness and/ or communication need.
BUSINESS CONTINUITY PLANNING GUIDELINES
V 06.1 (March
06)
Sustaining Components - 67
Government of Saskatchewan
•
Deliver appropriate training, awareness and / or communication where applicable.
•
Distribute updated, amended, changed BCM policy, strategies, solutions, processes and plans to key stakeholders under the formal change (version) control process.
Methods and Techniques •
Each plan owner is responsible for updating the team’s BC plans and dynamic data such as staff out-of-office contact numbers, team tasks, notification and supplier contact details, recovery team box contents etc.
•
Plan components are updated at frequencies ranging from monthly to annually, in accordance with the schedule laid down in the BC Plan Maintenance Chapter/Section. The appropriate update months are also specified in the BC Plan Maintenance Chapter/Section.
•
‘Date of last update’ is clearly displayed at the beginning of each BC plan to provide an effective reference and audit trail.
Outcomes and Deliverables The outcomes from the BC maintenance process include: •
A documented BC monitoring and maintenance program.
•
A clearly defined and documented Maintenance Report (including recommendations) agreed and ‘signed-off’ by an appropriate senior manager.
•
A clearly defined and documented BCM Maintenance Report Action Plan agreed and ‘signed-off’ by an appropriate senior manager.
•
Effective and current BC Plan’s, strategies and solutions.
Review The frequency of a BC Maintenance Program is dependent upon the nature, scale and pace of business change. Maintenance is likely to be required when: •
There is a major change in business processes, locations or technology.
•
After an exercise or test.
•
After an audit recommending improvements.
•
In accordance with the schedule defined in the BC Plan Maintenance Chapter/Section.
BUSINESS CONTINUITY PLANNING GUIDELINES
V 06.1 (March
06)
Sustaining Components - 68
Government of Saskatchewan
Exercising
Maintenance
Audit Introduction An audit function is one of impartial review against defined standards and policies to provide remedial recommendations. However the nature of Business Continuity Management may require a different audit approach because standards are constantly evolving.
Precursors The Audit should be conducted against a Business Continuity Management Policy and the appropriate standards identified by it.
Purpose The purpose of a BCM audit is to scrutinise an organization’s existing Business Continuity competence and capability; verify them against predefined standards and criteria and deliver a structured audit opinion report. In addition the BCM function itself should periodically be subject to an assurance process.
Concepts and assumptions This approach assumes that if the process is correct and properly applied then the outcome should provide an effective and fit-for-purpose Business Continuity competence and capability. It is assumed that the available standards provide a suitable framework for audit. These include: •
Regulatory requirements i.e. Security Controls for Protection of Personal Information,
•
Legislative requirements.
•
Industry standards e.g. ISO 17799 (IT Security). NFPA 1600, BSI PAS 56
Process The BCM audit, like BC planning, implementation and maintenance is concerned with a complex process and requires interaction with a wide range of executive, managerial and operational roles from both a business and technical perspective. The BCM audit process includes an audit plan, which should include: •
Identification of the type of audit to be carried out e.g. compliance, project management/control, feasibility study, due diligence or investigative.
•
Identification of the audit objectives i.e. outcomes and deliverables. The audit objectives may in part be driven and governed or restricted by legal or regulatory requirements. This includes key issues of high priority.
BUSINESS CONTINUITY PLANNING GUIDELINES
V 06.1 (March
06)
Sustaining Components - 69
Government of Saskatchewan
•
Identification of the standard audit framework (where appropriate) to be used e.g. NFPA 1600. The audit framework may be governed or restricted by legal or regulatory requirements.
•
Definition of the audit scope.
•
Determine the governance, compliance or other issues to be audited.
•
Determine the area/department/site of the organization to be audited.
•
Definition of the audit approach and the auditing activities that will be undertaken e.g. questionnaires/face-to-face interview/document review/solution review.
•
Activity timetable and due dates.
•
Identification of the audit evaluation criteria (standards).
•
Determine the requirement for specific subject expertise or third party assistance to conduct the audit.
•
Review and information gathering via the BCM audit activities.
•
Compile and summarise interview notes, questionnaires and other sources.
•
Identify gaps in content and level of information gathered and conduct further or follow up interviews as appropriate.
•
Obtain and compare relevant documentation e.g. Business Impact Analysis with interview data and other sources such as walkthrough, physical inspection and sampling.
•
Refer to secondary sources e.g. standards, regulations, ‘good practice’ guidelines to validate preliminary findings.
•
Form an opinion that should reflect the interests of the audit sponsor and the ‘yardstick’ set by external sources e.g. regulatory, legal, industry standard.
•
Assign a risk weighting to individual audit item to distinguish between critical, high, medium and low risk findings.
•
Define criteria for rating factual findings by using a clearly differentiated categorised predefined rating level.
•
Provide a draft audit opinion report for discussion with key stakeholders.
•
Provide an agreed audit opinion report incorporating recommendations as well as audit responses where differences of opinion persist.
•
Provide an agreed remedial action plan including timescales to implement the agreed recommendations of the audit report. This should also form a key element of the BCM Maintenance Program.
•
Provide a monitoring process (in addition to the BCM Maintenance Program) to ensure that the audit action plan to address material deficiencies is implemented within the agreed timescale.
The BCM Assurance process includes: •
Define role accountabilities, responsibilities and authority
•
Define Key Performance Indicators (KPIs) objectives, measurement targets and standards.
•
Define success factors.
BUSINESS CONTINUITY PLANNING GUIDELINES
V 06.1 (March
06)
Sustaining Components - 70
Government of Saskatchewan
•
Incorporate Key Performance Indicators in internal and external contract terms and annual appraisal.
•
Evaluate and review performance against Key Performance Indicators, objectives, targets and defined industry standards.
Methods and Techniques The methods, tools and techniques to audit an organization’s BCM program include:
Audit Self-auditing or ‘Performance Monitoring’ may be carried out more frequently, by the owners of the BC plans themselves. The BC Plans are measured against specified performance levels, in topics such as: •
Number of months since last active exercise.
•
Number of open-issues still outstanding since last exercise.
•
Completeness of the BC plan documentation.
•
Number of months since last business impact analysis.
•
Number of open-issues still outstanding since last business impact analysis.
•
New IT application assessed for inclusion in BC Management Plans.
•
New or changed business process assessed for inclusion in BC Management/Plans.
•
Adequacy/viability of Recovery Team dynamic data such as team members, contact telephone numbers, notification/supplier list, recovery site workstation allocation.
BCM Assurance •
Creation of a BCM Budget for implementation and maintenance.
•
Budgetary control.
•
Document analysis and review.
•
Self assessment assurance scorecard.
•
Interviews.
BUSINESS CONTINUITY PLANNING GUIDELINES
V 06.1 (March
06)
Sustaining Components - 71
Government of Saskatchewan
Outcomes and Deliverables The outcomes of a BCM audit include: •
An independent BCM audit opinion report that is agreed and ‘signed-off’ by executive management.
•
A remedial action plan(s) that is agreed and ‘signed-off’ by the executive management
The outcome of an unfavourable performance rating could be: •
Acceptance of the BC Plans by the Internal Audit department as ‘in-adequate’.
•
The initiation of a BC review conducted by a third party BC professional to assist the team in improving their position.
•
Review of the BCM function.
Review The policy concerning the frequency of audit should be clearly defined and documented within the organizations ‘Audit Policy and Standards’.
BUSINESS CONTINUITY PLANNING GUIDELINES
V 06.1 (March
06)
Sustaining Components - 72
Government of Saskatchewan
BUSINESS CONTINUITY MANAGEMENT PLANNING GUIDE
Appendices
BUSINESS CONTINUITY PLANNING GUIDELINES
V 06.1
(March 06)
Government of Saskatchewan
Appendix A - NFPA 1600 - Planning Guide Relationship NFPA 1600 Article 1.1 Scope. This standard establishes a common set of criteria for disaster management, emergency management, and business continuity programs hereinafter referred to as the program. 1.2 Purpose. This standard shall provide those with the responsibility for disaster and emergency management and business continuity programs the criteria to assess current programs or to develop, implement, and maintain a program to mitigate, prepare for, respond to, and recover from disasters and emergencies. 1.3 Application. This document shall apply to both public and private programs. Chapter 4 – Program management 4.1Program Administration. The entity shall have a documented program that defines the following: (1) Executive policy including vision, mission statement, and enabling authority (2) Program goals and objectives
BCM Planning Guide
Section D - BCM Strategies Organization Level Strategy Section B - BCM Program management
(3) Program plan and procedures (4) Applicable authorities, legislation, regulations, and/or industry codes of practice (5) Program budget, project schedule, and milestones 4.2 Program Coordinator. The program coordinator shall be appointed by the entity and authorized to administer and keep current the program.
Section B - BCM Program
4.3 Advisory Committee. 4.3.1 An advisory committee shall be established by the entity in accordance with its policy. 4.3.2 The advisory committee shall provide input to or assist in the coordination of the preparation, implementation, evaluation, and revision of the program. 4.3.3 The committee shall include the program coordinator and others who have the appropriate expertise and knowledge of the entity and the capability to identify resources from all key functional areas within the entity and shall solicit applicable external representation.
Section D - BCM Strategies Organization Level BCM Strategy Organization Level BCM Strategy
4.4 Program Evaluation. The entity shall establish performance objectives for program elements listed in Chapter 4 and Chapter 5 and shall conduct a periodic evaluation of the objectives as described in Section 5.13
Section E - BCM Sustainment
BUSINESS CONTINUITY PLANNING GUIDELINES
V 06.1
(March 06)
A - 74
Government of Saskatchewan
NFPA 1600 Article
BCM Planning Guide
Chapter 5 - Program Elements 5.1 General. 5.1.1 The program shall include the elements given in Section 5.2 through Section 5.15, the scope of which shall be determined by the impact of the hazards affecting the entity. 5.1.2 These elements shall be applicable to the four phases of disaster/emergency management: mitigation, preparedness, response, and recovery. 5.2 Laws and Authorities. 5.2.1 The disaster/emergency management program shall comply with applicable legislation, regulations, directives, policies, and industry codes of practice. 5.2.2 The entity shall implement a strategy for addressing needs for legislative and regulatory revisions that evolve over time. 5.3 Hazard Identification, Risk Assessment, and Impact Analysis.
5.3.1 The entity shall identify hazards, the likelihood of their occurrence, and the vulnerability of people, property, the environment, and the entity itself to those hazards. 5.3.2 Hazards to be considered at a minimum shall include, but shall not be limited to, the following: (1) Natural hazards (geological, meteorological, and biological) (2) Human-caused events (accidental and intentional) 5.3.3 The entity shall conduct an impact analysis to determine the potential for detrimental impacts of the hazards on conditions including, but not limited to, the following: (1) Health and safety of persons in the affected area at the time of the incident (injury and death) (2) Health and safety of personnel responding to the incident (3) Continuity of operations (4) Property, facilities, and infrastructure (5) Delivery of services (6) The environment (7) Economic and financial condition (8) Regulatory and contractual obligations (9) Reputation of or confidence in the entity
BUSINESS CONTINUITY PLANNING GUIDELINES
V
06.1 (March 06)
Section B - BCM Program
Section D – Business Impact Analysis and Risk Assessment Identify Mission Critical activities Identify Mission Critical dependencies
Impact Analysis - Risk Assessment Human resources Stakeholders Suppliers Customer clients Facilities Functions / processes Materials Technology / telecommunications Data
A - 75
Government of Saskatchewan
NFPA 1600 Article 5.4 Hazard Mitigation. 5.4.1 The entity shall develop and implement a strategy to eliminate hazards or mitigate the effects of hazards that cannot be eliminated. 5.4.2 The mitigation strategy shall be based on the results of hazard identification and risk assessment, impact analysis, program assessment, operational experience, and cost-benefit analysis. 5.4.3 The mitigation strategy shall consider, but not be limited to: (1) The use of applicable building construction standards (2) Hazard avoidance through appropriate land-use practices (3) Relocation, retrofitting, or removal of structures at risk (4) Removal or elimination of the hazard (5) Reduction or limitation of the amount or size of the hazard (6) Segregation of the hazard from that which is to be protected (7) Modification of the basic characteristics of the hazard (8) Control of the rate of release of the hazard (9) Provision of protective systems or equipment for both cyber or physical risks (10) Establishment of hazard warning and communication procedures (11) Redundancy or duplication of essential personnel, critical systems, equipment, information, operations, or materials
BCM Planning Guide Section D - Department / Organization, Mission Critical and Resource Level Strategies –
5.5 Resource Management. 5.5.1 The entity shall establish resource management objectives consistent with the overall program goals and objectives as identified in Section 4.1 for the hazards as identified in Section 5.3. 5.5.2 The resource management objectives established shall consider, but not be limited to, the following: (1) Personnel, equipment, training, facilities, funding, expert knowledge, materials, and the time frames within which they will be needed (2) Quantity, response time, capability, limitations, cost, and liability connected with using the involved resources 5.5.3 An assessment shall be conducted to identify the resource capability shortfalls and the steps necessary to overcome any shortfalls. 5.5.4 A current inventory of internal and external resources shall be maintained. 5.6 Mutual Aid.
Section D – BCM Strategies – Resource Recovery strategy Section D – BCM Strategies – Resource Recovery strategy
Section E – BCM Sustainment Section D – BCM Strategies
5.6.1 The need for mutual aid shall be determined and agreements established. 5.6.2 Mutual aid agreements shall be referenced in the applicable program plan. BUSINESS CONTINUITY PLANNING GUIDELINES
Section D – BCM Strategies – Corporate Level BCM Strategy
V
06.1 (March 06)
Resource Recovery strategy
A - 76
Government of Saskatchewan
NFPA 1600 Article
BCM Planning Guide Section C and D
5.7.1 The program shall include, but shall not be limited to, a strategic plan, an emergency operations/response plan, a mitigation plan, a recovery plan, and a continuity plan. 5.7.2 Plans. 5.7.2.1 The strategic plan shall define the vision, mission, goals, and objectives of the program as it relates to the policy of the entity that is required in Section 4.1. 5.7.2.2 The emergency operations/response plan shall assign responsibilities to organizations and individuals for carrying out specific actions at projected times and places in an emergency or disaster. 5.7.2.3 The mitigation plan shall establish interim and long-term actions to eliminate hazards that impact the entity or to reduce the impact of those hazards that cannot be eliminated. 5.7.2.4 The recovery plan shall be developed using strategies based on the short-term and long-term priorities, processes, vital resources, and acceptable time frames for restoration of services, facilities, programs, and infrastructure. 5.7.2.5 A continuity plan shall identify the critical and time sensitive applications, vital records, processes, and functions that shall be maintained, as well as the personnel and procedures necessary to do so, while the damaged entity is being recovered.
Section C – Develop and Implement a BCM Response Section C – Business Continuity Plan Section D – Continuity Strategies
5.7.3 Common Plan Elements. 5.7.3.1 The functional roles and responsibilities of internal and external agencies, organizations, departments, and individuals shall be identified. 5.7.3.2 Lines of authority for those agencies, organizations, departments, and individuals shall be established or identified.
Section C – BC Responses
5.8 Direction, Control, and Coordination.
Section C – BC Reponses
5.7 Planning.
Section C – Developing the Response Section D – Continuity Strategies Section D – Understanding Your Business Section D – Understanding Your Business
5.8.1 The entity shall develop the capability to direct, control, and coordinate response and recovery operations. 5.8.2 The capabilities shall include, but shall not be limited to, the following: (1) An incident management system (2) The specific organizational roles, titles, and responsibilities for each incident management function specified in the emergency operations/response plan 5.8.3 The incident management system utilized shall be communicated to and coordinated with appropriate authorizations and resources identified in Section 5.5. 5.8.4 The entity shall establish applicable procedures and policies for coordinating response, continuity, and recovery activities with appropriate authorities and resources while ensuring compliance with applicable statutes or regulations.
BUSINESS CONTINUITY PLANNING GUIDELINES
V
06.1 (March 06)
A - 77
Government of Saskatchewan
NFPA 1600 Article 5.9 Communications and Warning. 5.9.1 Communications systems and procedures shall be established and regularly tested to support the program. 5.9.2 The entity shall develop and maintain a reliable capability to notify officials and alert emergency response personnel. 5.9.3 Emergency communications and warning protocols, processes, and procedures shall be developed, periodically tested, and used to alert people potentially impacted by an actual or impending emergency. 5.9.4 The program shall address communications including, but not limited to, the following: (1) Communication needs and capabilities to execute all components of the response and recovery plans (2) The inter-operability of multiple responding organizations and personnel
BCM Planning Guide Section C – BC Responses
5.10 Operations and Procedures. 5.10.1 The entity shall develop, coordinate, and implement operational procedures to support the program. 5.10.2 The safety, health, and welfare of people and the protection of property and the environment under the jurisdiction of the entity shall be addressed in the procedures. 5.10.3 Procedures, including life safety, incident stabilization, and property conservation, shall be established and implemented for response to, and recovery from, the consequences of those hazards identified in Section 5.3. 5.10.4 A situation analysis that includes a damage assessment and the identification of resources needed to support response and recovery operations shall be conducted. 5.10.5 Procedures shall be established to allow for initiating recovery and mitigation activities during the emergency response. 5.10.6 Procedures shall be established for succession of management/government as required in 5.7.2.5.
Section C – BC Responses
5.11 Logistics and Facilities. 5.11.1 The entity shall establish logistical capability and procedures to locate, acquire, store, distribute, maintain, test, and account for services, personnel, resources, materials, and facilities procured or donated to support the program. 5.11.2 A primary and alternate facility capable of supporting continuity, response, and recovery operations shall be established, equipped, periodically tested, and maintained. 5.12 Training. 5.12.1 The entity shall assess training needs and shall develop and implement a training/educational curriculum to support the program. The training and education curriculum shall comply with all applicable regulatory requirements. 5.12.2 The objective of the training shall be to create awareness and enhance the skills required to develop, implement, maintain, and execute the program. 5.12.3 Frequency and scope of training shall be identified. 5.12.4 Personnel shall be trained in the entity’s incident management system. BUSINESS CONTINUITY PLANNING GUIDELINES
V
06.1 (March 06)
Section C - Developing the Response Section D - Continuity Strategy
Section E – BC Sustainment
A - 78
Government of Saskatchewan
NFPA 1600 Article
BCM Planning Guide
5.13 Exercises, Evaluations, and Corrective Actions. 5.13.1 The entity shall evaluate program plans, procedures, and capabilities through periodic reviews, testing, post incident reports, lessons learned, performance evaluations, and exercises. 5.13.2 Exercises shall be designed to test individual essential elements, interrelated elements, or the entire plan(s). 5.13.3 Procedures shall be established to ensure that corrective action is taken on any deficiency identified in the evaluation process and to revise the relevant program plan.
Section E – BC Sustainment
5.12.5 Training records shall be maintained.
5.14 Crisis Communication and Public Information.
Section C – Developing the Response
5.14.1 The entity shall develop procedures to disseminate and respond to requests for pre-disaster, disaster, and post-disaster information, including procedures to provide information to internal and external audiences, including the media, and deal with their inquiries. 5.14.2 The entity shall establish and maintain a disaster/emergency public information capability that includes, but is not limited to, the following: (1) A central contact facility for the media (2) A disaster/emergency information handling system (3) Pre-scripted information bulletins (4) A method to coordinate and clear information for release (5) The capability of communicating with special needs populations (6) Protective action guidelines/recommendations (e.g. shelter-in-place or evacuation) 5.14.3 Where the public is potentially impacted by a hazard, a public awareness program shall be implemented. 5.15 Finance and Administration.
Section E – BC Sustainment
5.15.1 The entity shall develop financial and administrative procedures to support the program before, during, and after an emergency or a disaster. 5.15.2 Procedures shall be established to ensure that fiscal decisions can be expedited and shall be in accordance with established authority levels and accounting principles. The procedures shall include, but not be limited to, the following: (1) Establishing and defining responsibilities for the program finance authority, including its reporting relationships to the program coordinator (2) Program procurement procedures (3) Payroll (4) Accounting systems to track and document costs BUSINESS CONTINUITY PLANNING GUIDELINES
V
06.1 (March 06)
A - 79
Government of Saskatchewan
Appendix B - Professional Skills Mapping This is a mapping of the BCI/DRII Certification Standards into the six stages of the BCI Good Practice Guidelines to indicate which skills are required at each stage. Note that some skills are applicable to more than one stage.
Business Continuity Management •
1.A.1 Lead Sponsors in Defining Objectives, Policies, and Critical Success Factors ° ° °
•
Scope and objectives Legal and requirements reasons Case histories and industry best practices
1. A.2. Co-ordinate and Organise/Manage the initiation of the overall BCM Process °
Using a steering committee and project task force.
•
1.A.3 Oversee the BCM Process Through Effective Control Methods and Change Management
•
1. A.4. Present (Sell) the Process to Management and Staff
•
1. A.5 Develop Budget to initiate the process.
•
1.A.6 Define and Recommend BCM Structure and Management
•
1.A.7 Develop and implement the BCM Process
Stage 1. Understanding your Business •
2. A.1 Identify Knowledgeable Functional Area Representatives for the Business Impact Analysis (BIA) process.
•
2. A.2 Identify Organization Functions including information and resource (people, technology, facilities, etc.)
•
2.A.3 Identify and Define Criticality Criteria
•
2.A.4 Obtain management approval for criteria defined
•
2.A.5 Co-ordinate Analysis
•
2.A.6 Identify Interdependencies (internal and external to the organization)
•
2.A.7 Define Recovery Objectives and Timeframes
•
2.A.8 Define Report Format
•
2.A.9 Prepare and Present Agreed BIA to Management
•
3.A.1 Identify Potential Risks to the Organization °
3.A.1.a Probability
°
3.A.1.b Consequences/Impact/severity
BUSINESS CONTINUITY PLANNING GUIDELINES
V
06.1 (March 06)
B - 80
Government of Saskatchewan
•
3.A.2 Understand the Function of Risk Reduction/Mitigation Within the Organization
•
3.A.3 Identify Outside Expertise Required
•
3.A.4 Identify Exposures
•
3.A.5 Identify Risk Reduction/Mitigation Alternatives
•
3.A.6 Confirm with Management to Determine Acceptable Risk Levels
•
3.A.7 Document and Present Findings
Stage 2. BCM Strategies •
4.A.1 Understand Available Alternatives and Their Advantages, Disadvantages, and Cost Ranges, including mitigation as a recovery strategy
•
4.A.2 Identify Viable Recovery Strategies within Business Functional Areas
•
4.A.3 Consolidate Strategies
•
4.A.4 Identify Off-site Requirements and Alternative Facilities
•
4.A.5 Develop Business Unit Strategies
•
4.A.6 Obtain Commitment from Management for developed Strategies
Stage 3. Develop a BCM Response •
Stage 3.1. Crisis Management Plan
•
9.A.1 Establish Programs for Proactive Crisis Communications
•
9. A.2 Establish Necessary Crisis Communication Co-ordination with External Agencies (local, state, national government, emergency responders, etc.)
•
9.A.3 Establish Essential Crisis Communications with Relevant Stakeholder Groups
•
9.A.4 Establish and Exercise Media Handling Plans for the Organization and its Business Units
Stage 3.2. Business Continuity Plan • 6.A.1 Identify the Components of the Planning Process °
6.A.1.a Planning methodology
°
6.A.1.b Plan organization
°
6.A.1.c Direction of efforts
°
6.A.1.d Staffing requirements
•
6.A.2 Control the Planning Process and Produce the Plans
•
6.A.3 Implement the Plans
•
6.A.4 Test the Plans
•
6.A.5 Maintain the Plans
•
5.A.5 Identify the Command and Control Requirements of Managing an Emergency
BUSINESS CONTINUITY PLANNING GUIDELINES
v 06.1 (March 06)
B - 81
Government of Saskatchewan
•
5.A.6 Recommend the Development of Command and Control Procedures to Define Roles, Authority, and Communications Processes for Managing an Emergency
•
10.A.1 Identify and establish liaison procedures for Emergency Management
•
10.A.2 Co-ordinate Emergency Management with External Agencies
•
10.A.3 Maintain current knowledge of laws and regulations concerning Emergency Management as it pertains to the organization
•
5.A.1 Identify Potential Types of Emergencies and the Responses Needed (e.g., fire, hazardous materials leak, medical)
•
5.A.2 Identify the Existence of Appropriate Emergency Response Procedures
•
5.A.3 Recommend the Development of Emergency Procedures where none exist
•
5.A.4 Integrate Disaster Recovery/Business Continuity/Crisis Management Procedures with Emergency Response and Escalation Procedures
•
5.A.7 Ensure Emergency Response Procedures are Integrated with Requirements of Public Authorities (Refer also to Subject Area 10, Co-ordination With External Agencies)
Stage 4. Developing a BCM Culture •
7.A.1 Establish Objectives and Components of Corporate BCM Awareness & Training Program
•
7.A.2 Identify Functional Awareness & Training Requirements
•
7.A.3 Develop Awareness & Training Methodology
•
7.A.4 Acquire or Develop Awareness & Training Tools
•
7.A.5 Identify External Awareness & Training Opportunities
•
7.A.6 Identify Alternative Options for Corporate Awareness & Training
Stage 5. Exercising, Maintenance and Audit •
8.A.1 Pre-plan and co-ordinate the Exercises
•
8.A.2 Facilitate the Exercises
•
8.A.3 Evaluate and Document the Exercise Results
•
8.A.4 Update the Plans
•
8.A.5 Report Results/Evaluation to Management
•
8.A.6 Co-ordinate on-going Maintenance of plans
•
8.A.7 Assist in Establishing Audit Program for the Plans
BUSINESS CONTINUITY PLANNING GUIDELINES
v 06.1 (March 06)
B - 82
Government of Saskatchewan
Appendix C – BC Coordinator Position Description Defining what is the responsibility of the Business Continuity Coordinator within a particular organization is influenced by the context of the allocation of responsibility to an individual as well as the individuals past experience. This may mean that an individual Business Continuity Manager may see security, IT availability or risk management as the key issue with other areas taking a less prominent role. The following portion of the Universal Classification System (USC) - Business Resumption Planning Coordinator - SEC0002 position description is provided as a sample. Key Activities • • • • • • • •
Develops and promotes Departmental Business Resumption Planning (BRP) policy, guidelines, standards, models, plans, templates and tools; Establishes, participates in, and provides research and support for the Department Business Resumption Planning Steering Committee; Represents and / or chairs Department and Inter-departmental BRP working groups and coordinates related departmental working groups; Plans, conducts, and assesses Business Impact Analyses (BIAs); Negotiates Memorandums of Understanding (MOUs) with other Government Departments, other levels of government and service providers respecting the provision of off-site alternative facilities, services and logistical support to enable business resumption; Designs, develops and manages the delivery of BRP awareness sessions and technical BRP training; Develops and evaluates BRP exercises (field and table top exercise) and tests, evaluates results and adjusts program to incorporate the results of test evaluations. Manages the department's Crisis Control Centre and ensures its continuing state of readiness.
Work Characteristics / Responsibility - Information for the Use of Others: •
Researches business resumption planning policies and infrastructures for use in the public and private sectors, assesses their transportability and correlates them with departmental services and business delivery systems.
•
Consults with senior and other departmental managers and develops departmental policy, guidelines, standards and a business resumption planning organizational infrastructure for the approval and use of senior management.
•
Business resumption planning policies, guidelines and standards are used by departmental client managers and employees to develop and implement business resumption plans which enable the restoration of essential departmental services during / following emergency situations. The organizational infrastructure includes a senior management Departmental Steering Committee and branch, sector and facility committees.
BUSINESS CONTINUITY PLANNING GUIDELINES
v 06.1 (March 06)
C - 83
Government of Saskatchewan
•
Identifies needs, defines content, produces and manages the delivery of awareness sessions, technical training programs and information on business impact analysis, business resumption planning and interactive software to sensitize managers and employees on their business resumption planning requirements. This enables managers to develop business resumption plans and to prepare them to cope with and respond to emergencies where a department's essential services are interrupted.
•
Interprets the results of departmental business impact analysis which identify for managers critical / essential business functions, vulnerabilities, acceptable service downtime(s), and the financial, health & safety, legal and national interest’s impacts which can be incurred as the result of not having business resumption plans. This information serves as a critical base from which recovery strategies and business resumption plans are developed by managers which enable them to assign resources and to take remedial steps to improve their readiness and capacity to quickly restore essential services to the department and the Canadian public in the event of business interruptions.
•
Designs, plans, schedules, implements and evaluates the results of exercises and tests to assess the effectiveness of business resumption plans and the department's capacity to respond against different scenarios and risks. This information is synthesized and presented to senior departmental management with recommendations for corrective measures for their approval and for use by business resumption planners and managers to institute remedial measures to enhance existing business resumptions plans and improve their state of readiness.
•
Prepares status reports and analysis of departmental plans and arrangements and assesses their compatibility with those of client departments and agencies. Results are provided to senior management to support their business resumption planning decisions for priority setting, planning and resource allocation.
•
Analyses and evaluates incomplete, conflicting, and confused information coming in successively on unfolding events during emergency situations. This information is synthesized quickly, reflects rapidly changing circumstances and is given to senior management to provide them with up to date situational assessments and recommend options for the resumption of essential business services. This information is used by senior management and business resumption planners to adjust their responses to business interruptions and to maximize the allocation of resources available to restore essential business services.
•
Develops and obtains senior management approval of the terms of reference for the Departmental Business Resumption Planning Steering Committee. Generates and presents to the steering committee recommendations on research, assessments of plans and high level business resumption planning issues. The steering committee is informed on the above information and other issues and concerns in order to obtain their commitment / approval of business resumption planning initiatives, approval for changes and to assist them in their decision making and control accountabilities.
•
Drafts Ministerial Briefing Notes and Questions and Answers on Business Resumption Planning issues and / or responses to business interruptions. This information is used by the Minister to respond to questions posed in the House.
BUSINESS CONTINUITY PLANNING GUIDELINES
v 06.1 (March 06)
C - 84
Government of Saskatchewan
Appendix D – Examples 1. Sample BCM Policy Statement Purpose Business continuity management includes the processes, procedures, decisions and activities to ensure that an agency can continue to function through an operational interruption. Furthermore, it is an ongoing process of risk assessment and management. While the likelihood of a business disruption or disaster occurring is uncertain, the Department of ______________ will ensure that it can continue to provide essential services in the event of a disruption. Policy Statement The Department of ___________________ shall develop, exercise, validate and maintain a Business Continuity Plan for its critical services in the event of a service disruption or disaster. This Business Continuity Plan will facilitate the rapid, efficient and cost effective continuity of the Department’s critical services. Government Departments and Agencies at all levels have the responsibility to plan for and respond to disruptions resulting from hazards that are known to threaten the jurisdiction. In view of this fact, we have established a program to provide overall planning and coordination for major disruptive events and emergencies. The Business Continuity Program coordinator is the (insert title) ; duties and responsibilities are further delegated to department directors and the Program Committee. Disruptions might seriously overextend local government resources and may require us to operate in a manner different from our normal day-to-day routines. This Continuity Management program and associated plans provides specific guidance to our departments during major disruptive events. The plans also serve as an indicator of our capability. If we are unable to provide adequate coverage for a particular function, resource or potential hazard, alternate sources or contingency plans will be developed within political and budgetary constraints. Responsibilities Divisions and Branches Division and branch heads are responsible for the development, activation and implementation of the Business Continuity Plan for their area of responsibility. Division and branch heads will assign a representative who is responsible for the business resources and processes to work with the Business Continuity Co-ordinator in the planning, maintenance, testing and implementation of their Business Continuity Plan. Business Continuity Co-ordinator The Business Continuity Co-ordinator is responsible for coordinating and managing the development, exercising, validation, maintenance and implementation of business continuity plans. For that reason, the Business Continuity Co-ordinator provides divisions and branches with the assistance in the development, validation and testing of their business continuity plans. As well, the Business Continuity Co-ordinator contributes to the effective activation and implementation of business continuity plans during disruptive events or incidents. BUSINESS CONTINUITYPLANNING GUIDELINES
v 06.1 (March 06)
D - 85
Government of Saskatchewan
Plan Activation The authority for the activation of branch/division business continuity plans rests with the branch or division head. Accordingly, the authority for the activation of the Departmental Business Continuity Plan rests with the Deputy Minister or assigned delegates. Plan Testing Testing and exercising business continuity plans enables the Business Continuity Management Program to remain active, up-to-date, understood and usable. It also provides a mechanism for maintaining and updating the plan. Program maintenance and plan review, updating and exercising is an integral part of the plan development and implementation process. Business Continuity Plans will be periodically practiced and tested. Exercise scenarios will be created to approximate the types of adverse events the organization is likely to experience and the impacts associated with these incidents. Plan Maintenance The responsibility for the maintenance of completed Business Continuity Plans rests with the branch or division head. The Business Continuity Plan will be reviewed on an annual basis by: • • •
Branch Head Business Continuity Co-ordinator Internal Audit
(adopted from NPFA 1600 (2000) samples)
BUSINESS CONTINUITY PLANNING GUIDELINES
v 06.1 (March 06)
D - 86
Government of Saskatchewan
2. BC Program - Self assessment Scorecard This is a quick assessment for you to determine the health of your Business Continuity planning. The assessment has been split into sections for ease of reference. “No” and “Don’t Know” responses maybe be an indication of continuity and preparedness planning gaps. Y(Yes) N(No) DK(Don’t Know)
Y
N
Do you have a business continuity plan (BCP)? If yes, have you tested your plan within the last 12 months? Do you have a policy for when to activate your plan? Do you regularly review your plan? Are your staff trained in activating your plan? Is there someone in your organisation who is responsible for looking after a BCP? Is there a designated spokesperson and alternate spokesperson for your organization? Is the plan easily accessible? General Assessment: Have you made a list of all key contacts’ telephone numbers? Do you have a current list of all employees’ home telephone numbers? Do you have vital information stored on back up disks held off premises? Have you familiarised yourself and your staff with the location of the mains switches and valves (i.e. for electricity, gas and water)? Have you prepared an emergency team box? If you have prepared an emergency team box have you included the following essential items: Business recovery plan List of team members with contact details Details of Information Technology recovery resource providers Contact details for clients and suppliers Building site plan Spare keys Computer back up tapes/discs BUSINESS CONTINUITY PLANNING GUIDELINES
v 06.1 (March 06)
D - 87
DK
Government of Saskatchewan
Y(Yes) N(No) DK(Don’t Know)
Y
N
First aid kit Stationery Flash Light Megaphone Spare batteries Tape Message pads and flip charts Coloured pens and pencils Dust and toxic fume masks Digital or disposable cameras What do you do on a day-to-day basis? Do you carry out end of day inspections? i.e. to check everybody has left Do you make sure that all appliances are switched off? Do you check that all doors are locked? Do you have a clear desk policy? Building Facilities: Do you have evacuation procedures for your building? Are the fire exits clearly marked? Do you regularly practice fire drills and evacuation? Do you have a primary and secondary evacuation safe gathering points? Do you have floor plans for your building? Do you have fire prevention and safety procedures in place? Do you have generator backup systems in place? Do you have an alternative building to use in an emergency? Personnel: Do you have an up to date and regularly reviewed job description and succession chart for your organization? (include temporary and contract workers) Do you have staff personal information on file i.e. communication with next of kin (include temporary and contract workers) BUSINESS CONTINUITY PLANNING GUIDELINES
v 06.1 (March 06)
D - 88
DK
Government of Saskatchewan
Y(Yes) N(No) DK(Don’t Know)
Y
N
Do you and your staff know what to do in an after hours emergency? Do you know where to go for advice/information? Does your staff know who is in charge in the time of a crisis? Has your staff been given specific roles in the event of a crisis? Have you thought about dealing with people issues – relocation arrangements, etc. Do you have staff members with first aid or medical training? Do you have staff trained in evacuation duties? Security: Is there a security system installed? Do you have a physical security policy? Do you give any advice or training on security? Do you check references fully? Are contractors checked fully (i.e. company as well as each individual)? Do you regularly check the integrity of external doors? Paper and Electronic Documents: Do you copy/backup your information? Do you store your paper documents in reinforced containers? Have these plans been reviewed within the last 12 months? Do you have copies of your files and accounts at a separate location? Is someone responsible for the upkeep of your vital files and accounts? Company Equipment: Do you have someone accountable for the assets of your organization? Do you have controls over the movements of your organizations equipment? Have you completed a recent inventory of your organizations equipment? IT: Are your IT systems critical to the running of your mission critical functions? Do you have a tested IT continuity response and recovery plan? Is your computer anti virus software up to date? BUSINESS CONTINUITY PLANNING GUIDELINES
v 06.1 (March 06)
D - 89
DK
Government of Saskatchewan
Y(Yes) N(No) DK(Don’t Know)
Y
N
Are computer errors and logs adequately monitored? Are documented IT security policies and procedures in place? Are all computer users fully aware of e-mail and internet usage policies? Do you know how many platforms/servers/applications or operating systems support critical business functions? Is your organizations system part of a larger network? Do you know how long it would take to recover IT functions? Suppliers: Do your key or vital suppliers have a business continuity plan? Customers: Do you have the current contact details for all your internal / external clients? Do you have any key clients / stakeholders who you will need to be in constant contact with during a disaster or crisis? Would it affect your business if one of your key clients went out of business? Do your clients / regulators require that you have a BCP? Do your clients have a BCP? Location: Have you thought about the types of risk that might occur due to the actions/operations of other businesses near to you? i.e. restaurants, bulk fuel storage Have you considered risk associated with environment? i.e. water, climate, forestry etc. Insurance: Do you have sufficient insurance to pay for disruption to business, cost of repairs, hiring temporary employees, leasing temporary accommodation and equipment? Do you have your insurance company's contact details in order to contact them immediately at the time of the incident?
BUSINESS CONTINUITY PLANNING GUIDELINES
v 06.1 (March 06)
D - 90
DK
Government of Saskatchewan
3. Crisis Management Sample Team Membership and Responsibilities Member
Responsibilities
Team Leader - Designated spokesperson
•Keep next level of authority advised.
(i.e. Minister, Deputy Minister, Director)
•Approve and deliver core messages to public, partners •Lead strategic continuity and resumption responses.
Alternate Team Leader - Alternate Spokesperson
•Back-up and replace Team leader in completion of messaging and leadership tasks.
Information Officer
•Develop core messages for internal and external audiences.
Business Unit - Senior Management Representatives
•HR plan
(number depends on business unit size and complexity)
•Finance plan •Operations plan •Administration plan •Logistical / Support plan (to name a few)
Crisis Team Administrative Support
•Executive Assistant, Secretary •Administrative and logistics Support
BUSINESS CONTINUITY PLANNING GUIDELINES
v 06.1 (March 06)
D - 91
Government of Saskatchewan
Sample Continuity Management Plan Table of Contents Heading Aim / Objectives / Authority
Description •Executive management policy •Regulations and Authorities •Lines and limits of delegated authority
Direction, Control and Coordination
•Event management system / process including escalation criteria •Response management system •Succession plan •Communications and Warning system
Operations and Procedures
•Disruption assessment •Business Continuity Response invocation •Logistical support and plan
Crisis Communications Procedures
•Procedures to disseminate information and respond to inquiries from team members and other internal audiences •Procedures to disseminate information and respond to inquiries from external audiences •Core message development and approval procedures •Public and media core message delivery process and location
Finance and Administration
•Financial authorities •Procurement authorities and procedures •Pay •Expense accounting system
BUSINESS CONTINUITY PLANNING GUIDELINES
v 06.1 (March 06)
D - 92