BUSINESS CONTINUITY PLANNING TOOL KIT GUIDE




Table of Contents

INTRODUCTION
- What is Business Continuity?
- When is a process critical?
- What is Business Continuity Planning?
- Why you should do it

HOW TO USE THIS GUIDE
- Part 1 - Tab 1: Process Dependencies
- Part 2 - Tab 2: Business Impact MAO & RTO
- Part 3 - Tab 3: Continuity Preparedness
- Part 4 - Tab 4: Disruption Response Protocol
- Part 5 - Tab 5: Quality Assurance Review

INTRODUCTION

What is Business Continuity?

The capability to maintain operational performance with minimal disruption, especially during an emergency or other disruptive event. Business continuity is linked to reliability, which is a critical aspect of the University's brand, reputation and overall resilience to disruption-risk events.

When is a process critical?

When it directly supports University core teaching and research functions and/or could threaten University strategy (financial, reputational, competitive position) if not quickly recovered. Critical processes must be continued throughout, or quickly re-started after, a disruptive event.

What is Business Continuity Planning?

A means to deal with change and unpredictability by preparing actions to take if a disruptive event occurs. A business continuity plan (BCP) will be your reference document. It costs next-to-nothing to produce: only a little time, information and experience.

Why you should do it

Disruption is always a possibility and will bring new rules. You will need to respond quickly, make defensible decisions with little or incomplete information, support your staff to work in changed conditions and manage activities to recover and/or adapt how you do business in the future.

The planning process will help you put arrangements in place so when disruption occurs you:
- know the first steps to get activity happening again;
- know the timeframe to get your activities back up and running;
- know the people who will be involved / affected and how to contact them;
- know your/stakeholder information needs and how to access it;
- know the resources / supplies you'll need, where and how to get them;
- get back to business as usual, or better business, quicker.

Additionally, the planning process will provide you the opportunity to:
- be innovative: unpack and improve the way you work;
- keep the knowledge where you need it: embed succession planning and cross-skill staff;
- empower your staff and enhance your leadership: plan ahead, practice your response to common problems to build competence and confidence, get expert help on side;
- save money: highlight efficiencies, avoid damage upfront;
- demonstrate your great value proposition: show your customer you're serious about service reliability and the University mission, vision and values.

Remember: Risk is the chance of something happening which could have a good or bad effect on what you want to achieve. Business continuity planning is a key factor to manage uncertainty and a major contributor to becoming risk-resilient. It's smart business management.

HOW TO USE THIS GUIDE

This Guide is divided into 5 parts. Read the parts in order, and in conjunction with the 5 tabs in the toolkit. Further information on risk and business continuity is available at the University Risk advisory and assurance intranet website located at Griffith Portal; Safety, security and emergency.

Part 1 - Tab 1: Process Dependencies

This step is about dependency-modelling and is part of the business impact analysis (BIA). Processes use resources (assets) to transform inputs into outputs (results) the University needs. In this tab record the tasks which must be completed, skill sets required and what you must have access to, at the minimum, to keep your process operational. Also record the entities/groups you rely on and those which depend on what you do to achieve their objectives. Think systemically and holistically. Follow the italic prompts in the toolkit.

[Figure: Tab 1: Process Dependencies - BCP Toolkit]

Remember: A process is a set of activities or tasks which interact with one another to achieve a desired output (result). Processes are interdependent when the output from one process becomes the input for another. Look internally and externally to uncover what/who you rely on most and who relies on you. It's good business to engage in a continuity dialogue with these entities to avoid making false assumptions around asset availability, response time and reliability, and to reduce your process exposure to single points of risk (SPOR). Make sure you record peak periods or regulatory obligations which could accelerate and exacerbate the harm caused if your process is interrupted.

Part 2 - Tab 2: Business Impact MAO & RTO

This step is the final part of the business impact analysis. The objective is to understand what might be at risk, the extent of loss (harm) which could likely occur over time if your process is unavailable and set a realistic timeframe to get operational again.

1. Record a severity impact rating for each duration of outage in the seven areas of disruption-related risk. Consider these ratings and decide potential overall impact to University strategy.
2. Using this information set a realistic time when the disruption would pose unacceptable risks to University strategy (where risk exceeds tolerance). This is the maximum acceptable outage (MAO). Next set a timeframe for process(es) to be back in operation at minimum agreed capacity. This is your recovery time objective (RTO).

[Figure: Tab 2: Business Impact Analysis - BCP Toolkit]

Remember: You are concerned with the worst case scenario so consider impact of outage during peak period(s) you recorded in tab 1. Refer to Tab 6 to help you rate the risks.

Part 3 - Tab 3: Continuity Preparedness

This is the engine room of your continuity planning process and should be regularly reviewed and updated. The aim is to create a plan which suits the nature of your business. The information you use to populate this worksheet will assist you to make risk treatment (control) decisions based on a consideration of all relevant factors, build your preparedness to manage through a disruptive event regardless of its nature (all hazards approach) and support your risk response decisions.

Objectives are:
- detail strategies and contingencies to protect your key assets and keep your process operational (your continuity plan);
- reduce future loss;
- lower insurance costs;
- provide evidence of best practice business continuity planning for Audit.

[Figure: Tab 3: Continuity Preparedness - BCP Toolkit]

From your analysis so far you should have a clear idea of what you depend on to continue operations, including your customer, regulatory and stakeholder obligations (tab 1); the potential for loss and harm to the University if your critical process is suspended; the timeframe you need to get operational within to avoid this (tab 2); and the current controls to prevent or mitigate disruption (risk register/risk management plan).

Taking these factors into consideration, use the headings in the worksheet to decide your risk action:
- How vulnerable (exposed, susceptible) is your process to disruption?
- What are the potential problems/concerns if key assets are unavailable?
- Where should you allocate time and resources to reduce vulnerability (contingencies)?
- What strategies would provide a sufficient response to recover operations on time?

Follow the italic prompts in the toolkit. For further support access the Griffith University Business Continuity Management Framework from the policy library or the Risk advisory and assurance intranet website.

Remember: It is important to balance cost of contingency controls and process recovery. Control and response strategies are a matter of costs v benefits v cost of not doing anything. The costs aren't always financial: they might include reputation, staff or customer retention and/or missed business opportunities. In this case, insurance is not a cure-all risk treatment.

Part 4 - Tab 4: Disruption Response Protocol

This will be your go-to information, following or in anticipation of a disruptive event, to help you decide the best fit recovery response strategy including:
- who to call (with contact numbers);
- what to do and what you'll need (information, equipment, supplies, other);
- when to do it;
- where you can go.

Follow the italic prompts in the toolkit and use information from tabs 1, 2 and 3 to fill in the boxes.

[Figure: Tab 4: Recovery Response Protocol - BCP Toolkit]

Note: the objective of the response protocol is to recover (restart) the business process within the desired timeframe using the response protocol, strategies and resources described, or others if needed.

Your response protocol is not designed to be prescriptive, as the nature of uncertainty is we can't foresee every type of disruptive situation we may face. However, the planning you do prior to this occurring (tabs 1, 2 and 3) will ensure you are well prepared to work around sudden, adverse changes to your work environment. Refer to the accompanying Word document in Tab 4 as a broad checklist of issues to manage as you step through the lifecycle of activating, deactivating and debriefing your recovery response.

Back up your recovery response protocol and make sure everyone who needs access to it can get it. Make sure the records, procedures and other vital information referenced in the protocol are also backed up.

Remember: You may find yourself in a novel situation where you don't have a best fit response strategy. If this is the case, use the information in your response protocol (tab 4) to help you make contact with key people and decide a recovery solution based on what you need to continue operations, risks and the time threshold.

Part 5 - Tab 5: Quality Assurance Review

The fifth and most critical step in the planning process is to demonstrate your business area is well prepared to manage disruption with current capacity and capability or with what it thinks will be available. A tabletop exercise is the University's preferred method to test continuity and recovery response arrangements. Exercises should be conducted at least once a year against a relevant and challenging scenario, and facilitated by the senior manager of the business area.

Record your learnings from the post-exercise debrief and review. These might include whether:
- your unit had skills, experience, delegation and/or direction to recover the process;
- required procedures were in place and practiced;
- your unit had resources (or access to) necessary to achieve recovery;
- required ICT back-up, recovery and security mechanisms were in place;
- opportunities exist to prevent future loss;
- opportunities exist to enhance preparedness.

Follow the italic prompts in the toolkit.

[Figure: Tab 5: Quality Assurance Review - BCP Toolkit]

Make sure the relevant authorising officer signs off on any corrective actions for follow-up. Copy and paste the corrective actions into Tab 3 under the heading, Priorities for Action (who, when) and enter the next continuity preparedness review date. Record who participated in the exercise. Record staff observations either as a consensus or as relating to an individual which needs corrective action.

Remember: Your business continuity preparedness should be tested and evaluated on a regular basis, results documented and corrective actions implemented. You should include regular monitoring and review of key contact numbers, process dependencies and business impact to ensure your arrangements remain relevant, current and effective. Record where live events occurred, your business response and any improvement actions to be followed up. Include your stakeholders in this process.
