A Professional’s Guide to the Contents of a Business Continuity Plan
______
by William M. Adney
InfoSolutions, Inc.
3642 Racquet Club Drive
Grand Prairie, TX 75052-6107
Phone: 972-642-4549
Reviewed by:
Kelley Goggins, MBCP
______
Adney-MBCP3-paper.doc Page iv
TABLE OF CONTENTS
EXECUTIVE SUMMARY
Objectives
Business Continuity Plan (BCP) Overview
Chapter 1 – Overview and General Information
Chapter 2 – Critical Business Continuity Plan Information
Chapter 3 – Plan Administration and Maintenance
Chapter 4 – Plan Testing and Test Reports
Chapter 5 – Appendices
The Crisis Management Plan (CMP) and the BCP
About the Author
Contents of a Business Continuity Plan
Chapter 1 – Overview and General Information
1.0 Before You Begin
1.0.1 Cover page
1.0.2 Confidentiality Statement
1.0.3 Distribution/Update List
1.0.4 Table of Contents
1.1 Business Continuity Plan Overview
1.1.1 Objectives
1.1.2 Scope
1.2 Business Continuity Plan Policy
1.3 Business Continuity Plan Assumptions
1.4 Business Impact Analysis (BIA) Summary
1.5 Business Continuity Strategy
1.5.1 Emergency Operations Center (EOC) Locations/Contacts
1.5.2 Alternate Site Locations and Contacts
1.6 BCP Team Description and Organization Chart
1.6.1 BCP Team Responsibilities
1.6.2 BCP Team Organization Chart
Chapter 2 – Critical Business Continuity Plan Information
2.1 Executive Management Team
2.1.1 Executive Management Team Call List
2.1.2 Executive Management Team Task List
2.1.3 Executive Management Team Customer List
2.1.4 Executive Management Team Equipment List
2.1.5 Executive Management Team Software List
2.1.6 Executive Management Team Supplies List
2.1.7 Executive Management Team Telecommunications List
2.1.8 Executive Management Team Vendor List
2.1.9 Executive Management Team Vital Records List
2.2 Business Continuity Coordinator (BCC)
2.3 Damage Assessment/Salvage Team
2.4 Logistics/Transportation Team
2.5 PR/Communications Team
2.6 Facilities/Security Team
2.7 Accounting Team
2.8 Telecommunications Team
2.9 Information Technology Team
2.10 Marketing Team
Chapter 3 – Plan Administration and Maintenance
3.1 Business Continuity Coordinator (BCC)
3.1.1 Responsibilities
3.2 Business Continuity Plan Administrators (BCA)
3.2.1 Responsibilities
3.3 Business Continuity Plan Administration
3.3.1 BCP Awareness and Training
3.3.2 Exercising (Testing) the BCP
3.4 Business Continuity Plan Maintenance
3.4.1 When and How to Update the BCP
3.4.2 Business Impact Analysis (BIA) Maintenance
3.5 BCP Approvals
3.5.1 Senior Management Approval
3.5.2 Board of Directors Approval (if applicable)
Chapter 4 – Plan Exercises and Exercise Reports
4.1 BCP Exercise (Testing) Methodology
4.2 When to Exercise (Test) the BCP
4.3 Developing the Exercise (Test) Scenario or Plan
4.4 Exercise (Test) Evaluation
4.5 Exercise (Test) Reports
Chapter 5 – Appendixes
APPENDIX A – GLOSSARY
APPENDIX B – HOT SITE INFORMATION (Sample)
APPENDIX C – JCN Model 00 Server Recovery Procedure (Sample)
List of Tables
Table 1 – BCP Distribution/Update List
Table 2 – BIA Summary Example
List of Figures
Figure 1 – BCP Team Organization Chart
EXECUTIVE SUMMARY
Objectives
If you have never created a Business Continuity Plan (BCP), it can seem to be one of the most difficult tasks, based on my observations and experience, and there always seem to be a lot of questions about what should and should not be included in the BCP.
This document will help you determine and structure the basic information that should be in an effective and viable BCP. Information in this document is based on DRI International’s Professional Practices for Business Continuity Planners (see www.drii.org for the latest version) and other references as documented in the footnotes.
The objectives of A Professional’s Guide to the Contents of a Business Continuity Plan are to:
· Document a structure for your Business Continuity Plan.
· Describe the general contents of each section and subsection.
· Provide guidelines, recommendations, and some examples of items that you may need in your Business Continuity Plan.
· Suggest a structure to integrate a Crisis Management Plan (CMP) with your Business Continuity Plan.
Business Continuity Plan (BCP) Overview
The Business Continuity Plan (BCP) is generally organized so that information required during a recovery operation is closer to the beginning of the document, except for detailed recovery procedures (e.g., Recovery Procedures for the Windows 2000 Server). The Table of Contents contains five chapters as shown in the following sections.
One other important point: this document is intended as a guide, not an absolute requirement, to help you determine the contents of a BCP that is most appropriate for your organization. For example, I have shown five (5) chapters because it is easy to obtain 5-tab indexes, but I have written BCPs that contain twenty (20) or more chapters. In general, how you organize your BCP is not as important as being certain that you have all of the information required to effectively implement your plan.
Chapter 1 – Overview and General Information
Chapter 1 contains an overview of the BCP including the purpose, scope, objectives, and assumptions made for the plan. Additional sections and subsections include, but are not limited to, a company’s BCP Policy, BIA[1] Summary, recovery strategy, EOC location(s), damage assessment, escalation plans/procedures, and general information about the Crisis Management Team. The BCP team organization chart is also included in this chapter.
Chapter 2 – Critical Business Continuity Plan Information
Chapter 2 contains the call lists, task lists, and various resource inventories by team to make the BCP easier to execute, as well as easier to distribute and update. Inventories include lists of Customers, Equipment, Software, Supplies, Telecommunications, Vendors, and Vital Records that are required to support the BCP.
Chapter 3 – Plan Administration and Maintenance
Chapter 3 contains a variety of information related to administering and maintaining the BCP. It includes sections and subsections on administration, training, maintenance, awareness programs, education, and auditing the BCP. While most of this information is the responsibility of the Business Continuity Coordinator, it also documents important procedures such as the Board of Directors’ annual approval of the BCP for bank and other financial institution operations as required by the Federal Financial Institutions Examination Council (FFIEC).[2] This policy applies to all FFIEC agencies including the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), and the Office of Thrift Supervision (OTS).
Chapter 4 – Plan Testing and Test Reports
Chapter 4 contains information on the various types and frequency of plan testing. New terms will be added to the Glossary as required, such as tactical exercise (“war game”), etc. This chapter also provides a repository for test reports, although some Business Continuity Coordinators prefer to place test reports in an appendix.
Chapter 5 – Appendices
Chapter 5 contains various appendixes, including detailed procedures, that support the BCP. For example:
· A – Glossary
· B – Recovery Site Information (e.g., directions, maps, contract copies, etc.)
· Other appendixes (for detailed procedures, etc.) as required.
Appendix A includes a glossary, which is a substantial revision of the current DRII terminology plus some new terminology, such as Business Continuity Coordinator, Business Continuity Plan, and Business Continuity Planner. Some of the current terms are not consistent with DRII Professional Practices and will be replaced in the glossary.
The Crisis Management Plan (CMP) and the BCP
Every organization faces a variety of crises, which may range from a simple building evacuation (e.g., for a bomb threat) to a full-scale, easily recognized disaster. The objective of the Crisis Management Plan (CMP) is to manage these crises and to provide a framework and structure for activating the Business Continuity Plan (BCP).
For example, I normally include three essential teams in the CMP:
· Damage Assessment/Salvage Team
· Logistics/Transportation Team
· Public Relations/Communications Team
Also, I include an Escalation Plan in the CMP to provide the Crisis Management Team (CMT) with a guideline on when a disaster declaration may be appropriate. A guideline is just that – a guideline, and it is up to an organization’s most senior management (i.e., the CMT) to determine what is appropriate based on the circumstances at the time of the specific event.
For purposes of this paper, all teams shown above and the Escalation Plan will be shown as part of the BCP; however, you may need to adjust these teams and names for consistency in your own BCP and/or CMP.
About the Author
Bill Adney has over 35 years’ experience in data processing and over 25 years’ experience in Business Continuity Planning.
Mr. Adney is currently president and owner of InfoSolutions, Inc. He has performed a wide variety of disaster recovery, information/physical security, and programming consulting assignments for major firms in the retail, insurance, financial, manufacturing, and aerospace industries, involving work with a wide variety of system configurations, including IBM mainframes, minicomputers, LAN/WAN networks, and personal computers. These assignments have included responsibility for large project management, business continuity/disaster recovery project planning and implementation/testing, and information security project planning and implementation, and have required knowledge of data center security and operations, applications development and implementation, and programming.
As Manager of Security and Contingency Programs for a large West Coast oil company, he was directly responsible for the planning and implementation of the corporate disaster recovery plan and user recovery procedures for the critical financial systems. His overall data processing experience dates back to 1967, and he has actively developed a wide variety of disaster recovery and business continuity plans since 1977. Mr. Adney has successfully developed DRPs and BCPs for companies such as Texas Instruments, McDonnell Douglas, Household International, E-Systems, Chief Auto Parts, FootActionUSA, Metropolitan Life, Texas Department of Criminal Justice, Sunbeam Corporation, The Associates, PEMCO Financial Services, The South Financial Group, Washington Mutual, and the Veterans Administration – Financial Services Center.
Contents of a Business Continuity Plan
Chapter 1 – Overview and General Information
Chapter 1 contains an overview of the BCP including the purpose, scope, objectives, and assumptions made for the plan. Additional sections and subsections include, but are not limited to, a company’s BCP Policy, BIA Summary, recovery strategy, EOC location(s), damage assessment, escalation plans/procedures, and general information about the Crisis Management Team in this chapter. The team organization and an organization chart are also included in this chapter.
1.0 Before You Begin
In accordance with the DRII Professional Practices, there are several steps you should have completed before you begin the preparation of your Business Continuity Plan:
1. Project Initiation and Control
2. Risk Evaluation and Control
3. Business Impact Analysis
4. Developing Recovery Strategies
5. Emergency Response and Operations
10. Coordination with Public Authorities
I have found that item 5. Emergency Response and Operations and item 10. Coordination with Public Authorities seem to be most appropriate in the Crisis Management Plan.
The following DRII Professional Practices areas will be specifically addressed in this Business Continuity Plan:
6. Developing and Implementing Business Continuity Plans
7. Awareness and Training Programs
8. Maintaining and Exercising Business Continuity Plans
9. Public Relations and Crisis Coordination
There are at least two documents you should prepare before you get too far along in your BCP: a cover page and a table of contents. Other documents you should also have are described in the following sections.
1.0.1 Cover page
The cover page may be the most important part of your BCP, at least in the beginning. When someone asks to see your plan, even if you don’t have a professional binding, a nice cover page will make a good impression. Your company logo on the cover page helps convey a professional image. Keep the cover page simple and professional.
1.0.2 Confidentiality Statement
The information in your BCP is quite sensitive and usually confidential within your organization or company, so you should at least have a Confidentiality Statement immediately after the cover page. Some organizations have security requirements that dictate a statement of confidentiality appear on every page, usually in a footer. Be sure to find out any special requirements for your organization or company.
1.0.3 Distribution/Update List
Your BCP will need updating, especially the call lists when people change positions or leave the organization, and you will need some way of tracking who has the BCP and when the last update was made to that particular copy. A distribution/update list helps with this task, especially if you are the Business Continuity Coordinator and need to be able to look at a particular BCP to determine its latest update.
The distribution/update list only needs to have the following information:
Name / Phone / Mail Location / Date Issued / BCP Updated on / BCP Updated by
Table 1 – BCP Distribution/Update List
If you have the mail location on your list as shown above, you can simply attach the page to the updates you send out and highlight the name and mail location.
1.0.4 Table of Contents
I have found it’s always helpful to prepare a draft table of contents, or at least an outline, of what I expect to have in a BCP before I actually begin writing. A few minutes’ thought and planning can save you a lot of time later on. Of course, you will want to use the automated feature of most word processors to generate your table of contents as a final document.
1.1 Business Continuity Plan Overview
This section provides an overview and description of the organization of the Business Continuity Plan.
For example…
Chapter 1 contains an overview of the BCP including the purpose, scope, objectives, and assumptions made for the plan. Additional sections and subsections include, but are not limited to, ABC company’s BCP Policy, BIA Summary, recovery strategy, EOC location(s), damage assessment, escalation plans/procedures, and general information about the Crisis Management Team in this chapter. The team organization and an organization chart are also included in this chapter.