Business Continuity Planning Instructions




November 2010

Business continuity planning is a proactive planning process that ensures critical services or products are delivered during a disruption. In creating the plan, forethought is given to the plans, measures, arrangements and identification of necessary resources needed to ensure continuous delivery.

This planning process can be broken down into 5 key steps.

1. Establishing control: Creating the structure and key responsibilities for the plan within your business.
2. Business impact analysis (BIA): Identifying and prioritizing the critical services or products your business provides and determining what internal or external events can disrupt their delivery.
3. The actual plans for business continuity (BCP): Detailing in advance of the disruption the response or recovery plans.
4. Readiness procedures: Communicating the details of the plans in advance of any disruption and training staff on what to do in the event of the disruption.
5. Continuous review of the plan on a regular basis (at least annually): It is not enough to complete the plan and put it in a binder on the shelf. Review of the plan on a regular basis (at least annually), and certainly when your business operations change, such as when you offer a new product or service, is critical to the plan being effective when you need it.

The Business Continuity Online Tool contains documents which will help you work through this process step by step. In these instructions, we will reference the template documents contained in The Business Continuity Online Tool.

Step 1 Establish Control

It is essential to have someone or a group of people responsible for ensuring your business continuity planning process is done correctly and completely, and is tested and updated on a regular basis. This person or group should include senior staff who have the authority to do the following:

- approve the governance structure;
- clarify their roles, and those of participants in the program;
- oversee the creation of a list of appropriate committees, working groups and teams to develop and execute the plan;
- provide strategic direction and communicate essential messages;
- approve the results of the BIA;
- review the critical services and products that have been identified;
- approve the continuity plans and arrangement;
- monitor quality assurance activities; and
- resolve conflicting interests and priorities.

Step 2 Business Impact Analysis

Overview of the Process

The Business Impact Analysis (BIA) document is the second step in the business continuity process. Its purpose is to analyze each business process and determine the effect a disaster may have upon it. The results of this analysis will determine the business process level of criticality. This will assist in developing the appropriate recovery strategy.

Upon completion of a BIA for all business processes and support functions (e.g., IT applications and infrastructure), a complete business continuity strategy can be formulated that includes critical inter-dependencies between business processes and related support processes.

For the following, refer to the Business Impact Analysis Template (BIA) included in the Online Tool.

Business Impact Analysis Guidelines

The BIA document includes the following:

- Business Process Description
- Non-quantitative Loss Assessment
- Quantitative or Financial Loss Assessment

Business Process Description

All business processes must be summarized and a recovery timeframe determined. The recovery timeframe (in hours or days) should be determined by considering the maximum acceptable outage beyond which the non-performance of the business process becomes critical and unacceptable to your business. This section will identify dependencies (other business processes or departments, applications, etc.). It is also critical to identify all other business processes (including external service providers) or functions that are vital to or reliant on business process performance.

Non-quantitative Loss Assessment

This section evaluates the non-financial loss that would be experienced if your business process cannot perform its function. This includes items such as adverse and negative publicity, loss of physical assets, inability to address customer needs, etc. For the purposes of this assessment, the loss is requested for three time periods: one day, one week and greater than a week. These time periods are used during the assessment phase to provide an overall understanding of the loss that would be experienced should a business process be unable to function. The timeframe in which the business process would be recovered in the event of a disaster will be determined by reviewing a combination of the established maximum allowable outage, loss assessment, associated costs, etc.

Quantitative or Financial Loss Assessment

This section evaluates any financial loss experienced if the business process is unavailable for a period of time: one day, one week and greater than a week.

On completion of the BIA document, the business process criticality will be determined to be a high, medium or low risk. If the business process is rated one day or one week critical, an in-depth Business Continuity plan is required. The BCP template should be filled out. If the business process is rated greater than a week critical, development of business continuity procedures by completing the BCP plan template should be considered, but less attention to the detailed testing of its procedures in Step 4 would be required.

Step 3 Business Continuity Plan

This step consists of the preparation of detailed response/recovery plans and arrangements to ensure continuity. These plans and arrangements detail the ways and means to ensure critical services and products are delivered at minimum service levels within tolerable down times. Continuity plans should be made for each critical service or product as identified during your Business Impact Analysis.

Use the BCP plan template provided in the Online Tool and complete one template for each of the identified critical services or products. These templates should be developed with input from the people within your business who are most familiar with the critical service or product.

In the template you will be asked to gather contact information for employees, suppliers and customers, design a phone tree to notify your employees in the event of a disruption, and research emergency contact numbers and resources. You will have to review the Where, Who, What and When of operating your business in the event of a disruption. Some of the questions you will consider include:

The Where?

- Where will my business operate from?
- Can I outsource all or part of my operations?
- Can all or some of my employees work from home?
- Do I need to temporarily set up part or all of my operations at another location which may or may not be currently owned or used by my business?
- What does my current lease require me to do?

The Who?

People who are critical to your operations may be unwilling or unable to work if their own homes and families are threatened in a crisis. In this section, consider what happens if key people are lost or unavailable. What would be the minimal amount of staff you require to maintain delivery of your critical products or services and who are they?

The What?

Your business needs things to operate. This section allows you to review those things necessary to maintain your critical products and services.

The When?

The timing of when you will institute these plans is also important. In this section we will ask you to think through the actions you will take pre-disruption, within the first 24 and 72 hours, the first week and first month, and then how you will return to your original site.

For the purpose of declaring a disaster you may wish to consider the following definition:

Disaster Definition

A disaster is defined as a sudden calamitous event resulting in great damage, loss or destruction; broadly, a sudden or great misfortune or failure. This definition may be refined to fit the context within your business, but its common meaning is always the unforeseen occurrence of any event that causes a significant disruption to business operations in one of the following ways:

- A service providing support to a critical business function fails; service cannot be restored before the point at which it becomes vital to the business.
- An event, such as a pandemic or terrorist threat, prevents employees from reporting to work as scheduled.
- Loss of access to the facility that affects operations negatively.
- Time anticipated to restore a critical function on-site exceeds the time required to recover the function at an alternate recovery site.

Included in the Online Tool is a sample Damage Assessment Checklist you can customize to your business. This will help you to document and assess the damage before you make your disaster declaration and invoke part or all of your business continuity plan.

Step 4 Readiness Procedures

In order for your plan to be effective when you need it, you should make certain all of your affected staff know what to do, and when and how to do it. For critical products and services it is recommended that you test your plan in advance of a disruption and make any amendments to it. Neither the training for nor the testing of your plan should be a one-time event. These areas need to be reviewed, and potentially redone, on a regular basis (at least annually) and any time you make a change to your operations.

Training

Business continuity plans can be smoothly and effectively implemented by:

- Having all employees and staff briefed on the contents of the BCP and aware of their individual responsibilities
- Having employees trained for tasks they will be required to perform, and be aware of other teams' functions

Exercises

After training, exercises should be developed and scheduled in order to achieve and maintain high levels of competence and readiness. While exercises are time and resource consuming, they are the best method for validating a plan. Exercise complexity level can also be enhanced by focusing the exercise on one part of the BCP instead of involving the entire organization.

Step 5 Continuous Review

Review of the BCP should assess the plan's accuracy, relevance and effectiveness. It should also uncover which aspects of a BCP need improvement. Continuous appraisal of the BCP is essential to maintaining its effectiveness. The appraisal can be performed by an internal review, or by an external audit. You should consider establishing a set time to review the plan.

You may want to consider keeping a list of plan holders and assigning copy numbers to control the number of copies and ensure that everyone has the current version. When the plan is issued or revised, the plan holder should confirm in writing their understanding and acceptance of the procedures. This confirmation can be kept with the list of manual holders.

Control of plan revisions can be maintained by the use of a revision index. This index would contain the date of revision, page number revised, revision number, and approval containing the signature of the person responsible. It is important that each page of the revised plan show the revision number.

The BCP template included in this Online Tool allows for the date and version number to be included on the front page, and they are recorded again in the header, so they are automatically contained on each page. Therefore it is important to change the date and version number on both the title page and header whenever you amend your plan.

Aviva and the Aviva logo are registered trademarks of Aviva plc and used under license by Aviva Canada Inc. for use by its family of companies. Information provided in this document is for reference only.