Business Continuity Planning Guide



Similar documents
Business Continuity Template

How to Design and Implement a Successful Disaster Recovery Plan

Business continuity plan

Good Security. Good Business

RLI PROFESSIONAL SERVICES GROUP PROFESSIONAL LEARNING EVENT PSGLE 125. When Disaster Strikes Are You Prepared?

BUSINESS CONTINUITY PLAN

NCUA LETTER TO CREDIT UNIONS

STEP-BY-STEP BUSINESS CONTINUITY AND EMERGENCY PLANNING MAY

EMERGENCY PREPAREDNESS PLAN Business Continuity Plan

Coping with a major business disruption. Some practical advice

BUSINESS IMPACT ANALYSIS.5

Beyond Effective Security. The Art and Science of Business Continuity Planning

Temple university. Auditing a business continuity management BCM. November, 2015

Business Continuity Planning. Donna Curran, Director Audit and Risk Management February, 2014

Business Continuity Plan

Desktop Scenario Self Assessment Exercise Page 1

An Introduction to. Business Continuity Planning

ASX CLEAR (FUTURES) OPERATING RULES Guidance Note 10

4 Insurance 5 Availability of alternate sources for critical supplies/services

Business Continuity Management

Business Continuity Planning in IT

ASX SETTLEMENT OPERATING RULES Guidance Note 10

Assessment of natural hazards, man made hazards, technical and societal related risks and associated impact.

Prepared by Rod Davis, ABCP, MCSA November, 2011

Business Continuity and Disaster Recovery Planning from an Information Technology Perspective

Business Continuity Planning. Presentation and. Direction

AUSTRACLEAR REGULATIONS Guidance Note 10

Business Continuity Plan Template

Continuity of Operations Planning. A step by step guide for business

Unit Guide to Business Continuity/Resumption Planning

CRITICAL INFRASTRUCTURE PROTECTION BUILDING ORGANIZATIONAL RESILIENCE

This presentation will introduce you to the concepts and terminology related to disaster recovery planning for businesses.

DISASTER RECOVERY PLANNING GUIDE

This document contains the text of Secretary of the State regulations concerning

DASTA Guide to Business Continuity (BC) and Disaster Recovery (DR) Planning

Fundamentals of Business Continuity Planning Have a Plan!

TO AN EFFECTIVE BUSINESS CONTINUITY PLAN

Application / Hardware - Business Impact Analysis Template. MARC Configuration Requirements. Business Impact Analysis

Creating a Business Continuity Plan for your Health Center

BUSINESS CONTINUITY PLAN OVERVIEW

How To Manage A Disruption Event

Protecting your Enterprise

Business Continuity Planning and Disaster Recovery Planning

Creating a Business Continuity Plan

Business Continuity and Disaster Recovery Planning

Business Continuity Plan

Post-Class Quiz: Business Continuity & Disaster Recovery Planning Domain

2014 NABRICO Conference

Disaster Recovery Plan (DRP) / Business Continuity Plan (BCP)

Information Security Management System. Business Continuity and Disaster Recovery Plan Policy. The Smart Cube. Description Change

Disaster Preparedness: Are You Ready? District of Columbia Homeland Security and Emergency Management Agency

Business Continuity and Disaster Planning

Business Resiliency Business Continuity Management - January 14, 2014

Clinic Business Continuity Plan Guidelines

WHAT YOU NEED TO KNOW ABOUT CYBER SECURITY

EMERGENCY PREPAREDNESS PLAN FOR

2015 CEO & Board University Taking Your Business Continuity Plan To The Next Level. Tracy L. Hall, MBCP

Small businesses: What you need to know about cyber security

Disaster Recovery. Tips for business survival. A Guide for businesses looking for disaster recovery November 2005

Dealing with risk. Why is risk management important?

Disaster Recovery and Business Continuity What Every Executive Needs to Know

Business Continuity Plan For Disaster Recovery in the event of a Critical Incident

BUSINESS CONTINUITY PLANNING GUIDELINES

Clinic Business Continuity Plan Guidelines

DISASTER RECOVERY Steps You Need to Take (Before It s Too Late)

Disaster Recovery. Hendry Taylor Tayori Limited

Disaster and Pandemic Planning for Nonprofits. Continuity and Recovery Plan Template

BCP and DR. P K Patel AGM, MoF

Business Continuity Planning Toolkit. (For Deployment of BCP to Campus Departments in Phase 2)

Emergency Preparedness: Learning Objectives. Minimizing and Controlling Future Disasters. SHRM Disaster Preparedness Survey 3.

PROCEDURES BUSINESS CONTINUITY MANAGEMENT FRAMEWORK PURPOSE INTRODUCTION. 1 What is Business Continuity Management? 2 Link to Risk Management

Business Continuity Planning

KPMG Information Risk Management Business Continuity Management Peter McNally, KPMG Asia Pacific Leader for Business Continuity

Disaster Recovery Planning

University of Prince Edward Island. Emergency Management Plan

It s the Business! Business continuity considerations for all organisations

Business Continuity Planning for Schools, Departments & Support Units

Expecting the Unexpected. Disaster Preparedness Strategies for Small Business

NAIT Guidelines. Implementation Date: February 15, 2011 Replaces: July 1, Table of Contents. Section Description Page

Business Continuity Planning (800)

The Supply Chain and Business Continuity: Preparing to Survive the Next Disaster

Interactive-Network Disaster Recovery

Business Continuity Planning (BCP) / Disaster Recovery (DR)

PAPER-6 PART-1 OF 5 CA A.RAFEQ, FCA

Assisted Living Facilities & Adult Care Comprehensive Emergency Management Plans

NORTH HAMPSHIRE CLINICAL COMMISSIONING GROUP BUSINESS CONTINUITY MANAGEMENT POLICY AND PLAN (COR/017/V1.00)

Security Risk Assessment Tool

Transcription:

Business Continuity Planning Guide For Small Businesses Prepared by the City of Vaughan Emergency Planning Department 1

Business Continuity Planning Business Continuity Planning (BCP) is a planning process that guarantees critical services or products are delivered during a disruption or disaster. Critical services or products are those that must be delivered to: ensure survival of your business, avoid causing injury, and meet legal or other obligations of an organization. BCP is important because every business, big or small, is at risk of potential disasters. This guide will take you step by step through the process of determining the potential disasters your business may face as well as the potential effect they could have on your organization. Throughout this guide, you will learn: 1. How to complete a Hazard Identification and Risk Assessment of your business. 2. How to create a Business Impact Analysis. 3. Tips on how to prevent and prepare for future business disruptions. 1

Hazard Identification and Risk Assessment Hazard Identification and Risk Assessment is the process of identifying the potential hazards your business may face and determining the risk associated with each one individually. This is important as it will help business owners identify the biggest threats to their organization. Hazard Identification In order to assess risk for your business, you must first complete a Hazard Identification. The Hazard Identification process is done by creating a list of all hazards or threats that could potentially effect your business. This list could include but is not limited to: Power Outage Multi Day Power Outage Earthquake Flooding Ice Storm Tornado Heavy Snowfall/Blizzard Epidemic/Pandemic Internal Fire Industrial Installation (Hazardous Material Incident or Fire) Water Supply Failure Natural Gas Leak Transport Route Closure Train Derailment Bomb Threat Cyber Attack (Computer Hacking/ Data Loss) Computer Equipment Failure Operation Equipment Failure Human Error (Operation) Water Leak/Plumbing Failure Hostage Situation/Act of Violence Strike/Protest Breaking and Entering/Robbery Risk Assessment Once you have completed the Hazard Identification process, you must then determine each hazards associated risk. To determine risk you must compare a specific hazard s likelihood with the consequences if it were to occur. Remember: Likelihood Risk = Likelihood x Consequences Likelihood is the probability or chance of a specific hazard occurring each year. Each likelihood has a number value associate with it to quantify risk. This is determined by the following: Likelihood Frequency of Occurrence Certain (3) It is guaranteed that this hazard will occur at least once a year. Possible (2) There is a possible chance that this hazard will occur at least once a year, but it is not guaranteed. Unlikely (1) It is not likely or rare that this hazard will occur at least once in a year. 2

Consequences Consequences are the severity of the negative effects a specific hazard may have on your business if it were to occur. Consequences can either be minor, moderate or major. The consequence of a hazard is determined based on the highest degree of negative impacts that is given. For example, if a hazard has at least one Major negative impact, then this hazard s consequences are Major. Each consequence has a number value associate with it to quantify risk. Use the following table to determine each hazards consequences: Consequence Negative Impacts Major (3) Moderate (2) Minor (1) Risk Matrix One or more of the following: Significant property damage Theft over $1000 Injury to staff (hospitalization or worse) Long term power outage (greater than 48 hours) Communication systems down (greater than 48 hours) Significant negative impact on reputation One or more of the following: Moderate property damage Theft $500-$1000 Injury to staff (first aid treatment required) Short term power outage (9-48 hours) Communication systems down (9-48 hours) Minor negative Impact on reputation One or more of the following: Minor property damage Theft under $500 Injury to staff (minor injury requiring no medical attention) Insignificant power outage (less than 8 hours) Communication systems down (less than 8 hours) Insignificant impact on reputation Significant economic loss Business disruption for greater than 48 hours Significant damage to access and egress routes Significant environmental implications Unable to send/receive goods or services (greater than 48 hours) Minor economic loss Business disruption between 8-48 hours Minor damage to access and egress routes Minor environmental implications Unable to send/receive goods or services ( 9-48 hours) Insignificant economic loss Business disruption for less than 8 hours Insignificant damage to access and egress routes Insignificant environmental implications. Unable to send/receive goods or services (less than 8 hours) Once you have determined the likelihood and consequences for each individual hazard, you can then determine their associated risk. The colour associated with each box on the grid will determine the level of risk for each hazard. The hazards with the highest risk should be your main focus when designing and developing emergency preparedness plans for your business. Use the chart on the next page to organize and document your business risks. 3

Major (3) Moderate (2) Minor (1) Certain (3) Possible (2) Unlikely (1) Hazard Identification and Risk Analysis Hazard Likelihood Consequences Risk (Low, Medium or High) Ranking/Priority (The numeric value of risk) Risk =Likelihood x Consequences Example Cyber Attack X X Medium (2 x 3) 6 Power Outage Multi-day Power Outage Earthquake Flooding Ice Storm Tornado Heavy Snowfall/Blizzards Epidemic/Pandemic Internal Fire Industrial Installations (HAZMAT or Fire) Water Supply Failure Natural Gas Leak Transport Route Closure Train Derailment Bomb Threat Computer Equipment Failure Operations Equipment Failure Human Error (Operation) Water Leak/Plumbing Failure Hostage Situation/Act of Violence Strike/Protest Breaking and Entering/Robbery 4

Business Impact Analysis Now that you have completed a Hazard Analysis and Risk Assessment for your business, the next step is to complete a Business Impact Analysis. The purpose of a Business Impact Analysis (BIA) is to identify all of your business critical services, and determine what the implications would be if these services were lost. Critical Services First you must determine the services that are critical to your business. Select the services that pertain to your business: Sales and Marketing (i.e. Product Sales or Marketing Customer Service (i.e. Customer Satisfaction) Operations and Manufacturing (i.e. Product Assembly) Administration (i.e. Management and Support Staff) Communication i.e. Public Relations/Information) Supply Chain (i.e. Raw Materials to Product Delivery) Finance and Human Resources (i.e. Payroll or Accounts Payable) Technology (i.e. Computers or Phone Systems) Questionnaire Once you have identified all of your business critical services, you must then collect specific information about each one to develop a Business Continuity Plan. The required information can be collected by answering the following questionnaire. It is important to answer the following questions for each service. Remember to be as detailed as possible and consider the worst scenario possible when answering these questions. Impacts of the Disruption How long can you operate without this specific service before it negatively affects your business (hours-days)? This is also known as Recovery Time Objective (RTO). Sales and Marketing Communication Administration Supply Chain Finance and Human Resources Technology Customer Service Operations and Manufacturing 5

Potential Revenue Loss How much revenue will be lost if the service cannot be provided? Sales and Marketing Communication Administration Supply Chain Finance and Human Resources Technology Customer Service Operations and Manufacturing Additional Expenses Would there be any additional expenses that would add up if the service could not be provided? I.e. fines or penalties. If so, how much would they be? Service Fine or Penalty Expense (Cost) Example: Late Reporting of WSIB Incidents $25,000-$100,000 + Jail time Plus and additional $250 per infraction $250-$100,000 6

Intangible Losses Would there be any intangible losses if a service could not be provided? I.e. bad reputation, angry employees or loss of customers. If so, what would they be? Service Intangible Loss Description Example Human Resources Unavailable Angry employees Employees will be angry that they will not be receiving pay and could potentially leave the company, creating holes in our administrative staff. The angry employees may also make negative statements about the company, which will negatively affect the company s reputation. 7

Dependencies It is important to determine your business internal and external dependencies as your business critical services rely on these in order to function. Internal Dependencies include: Employee availability Corporate assets (equipment, facilities, computer applications, data, tools, vehicles) Support services (finance, human resources, security and information technology support) External Dependencies include: Suppliers Any external corporate assets (equipment, facilities, computer applications, data, tools, vehicles) External support services (Facility management, utilities, communications transportation, finance institutions, insurance providers, government services, legal services, and health and safety service) List all of your businesses internal and external dependencies. Internal Dependencies External Dependencies 8

Please state step by step how you would restore each service during a business interruption: Sales and Marketing 1. 2. 3. 4. 5. 6. Administration 1. 2. 3. 4. 5. 6. Finance and Human Resources 1. 2. 3. 4. 5. 6. Customer Service 1. 2. 3. 4. 5. 6. 9

Communication 1. 2. 3. 4. 5. 6. Technology 1. 2. 3. 4. 5. 6. Operations and Manufacturing 1. 2. 3. 4. 5. 6. Supply Chain 1. 2. 3. 4. 5. 6. 10

Business Continuity Planning Strategy Example Based on the information you have collected on your business, complete a Business Continuity Planning (BCP) strategy for each critical service. Below is an example of what your BCP strategy should look like. Which critical business service has been affected? What is the priority of this interruption? Human Resources What is the issue? Human Resources department is currently lost; payroll will be unavailable for the next pay period or even over several payroll periods. How does this impact your business? (i.e. Revenue Loss, Fines/Penalties, Intangible Losses. etc.) Disgruntled employees. Significant revenue loss. Key employees might leave the company leaving gaps in our ability to perform business functions. This in turn would affect our ability to earn sufficient revenue to keep the company running during a disaster. What will you do to restore this service? 1. Our current system will provide the bank with a payroll tape on a weekly basis. 2. In the event of a prolong interruption to the in house computerized payroll system, we will get the bank to issue cheques based on the last payroll tape received. 3. Overtime and expenses will be tracked manually and a manual cheque written to each applicable employee. 4. When the in house computerized system is running again, all manual transactions will be entered into the system in order to bring the payroll up to date. 11

Business Continuity Planning Strategy Which critical business service has been affected? (Refer to pg. 5) What is the priority of this interruption? (Refer to pg. 3) What is the issue? How does this impact your business? (i.e. Revenue Loss, Fines/Penalties, Intangible Losses. etc.) (Refer to pg. 6-8) What will you do to restore this service? (Refer to pg. 9-10) Approved by: Date: 12

Business Impact Analysis Use the table provided to document your business BIA. Critical Service Recovery Time Objective (RTO) Negative Impacts Priority EXAMPLE Communication 1 hour Failure to communicate with clients could result in loss of customers and negative publicity. Potential Revenue Loss of $100,000 High 13

Tips on How to Protect Your Business Business Insurance The full cost of recovery from a disaster can be very expensive, and many small businesses are not able to afford this. Business Insurance ensures that the damages that result from a disaster will be either fully or partially financed. It is important to ensure that all potential threats to your business are covered by business insurance placing emphasis on the hazards with the highest risks. Training and Exercises It is important to train all staff on your business BCP procedures. Training staff will help BCP procedures run smoothly in the event of a disaster or disruption. Training will help staff members understand their roles and responsibilities as well as the proper procedures that are to be followed while the BCP is in effect. A very useful form of staff training is to develop exercises. Exercises are designed to simulate and practices the response to a real incident. Exercises will help identify areas that your staff may need to improve on as well as their strengths when responding to a business disruption. Emergency Kit In an emergency, you may be left without power or water for long periods of time. It is important to have an emergency kit filled with basic supplies (i.e. water, flashlight, non-perishable food. etc.) that will allow you to be self-sufficient for up to 72 hours. Backup Key Documents In some emergencies, computer systems may be damaged and data stored on these systems may be lost. It is important to back up or save important data or documents on an external or alternate drive. How to prevent Cyber Crime Tips on how to prevent cybercrime include: password lock, securing your computer (firewall, anti-virus. etc.), always update software, and do not trust unfamiliar sources. Password Lock It is important to protect access to all important electronic data with passwords. This will allow only those who have authorization to access the data. Tune In During an emergency, be sure to tune into emergency public alerting to receive updates on the status of the response and potential recovery times. Some examples of public alerting methods include: radio, television, newspaper, social media, loud speaker, door to door, email, city website and automated calling. York Regional Police Visit the York Regional Police website for information on crime prevention. Website link: www.yrp.ca 14

City of Vaughan Emergency Planning 2141 Major Mackenzie Dr. Vaughan, ON L6A 1T1 Tel: (905) 832-2281 Email: PrepE@Vaughan.ca www.vaughan.ca/prepe 15

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information