Business Continuity Planning 101

Starting your BCP process? Here’s what you need to build into your plan


Once objectives and scope are buttoned up, you'll want to build out your strategy, or the approach by which the BCP's objectives will be met. Foremost considerations in developing your strategy are the type of disaster and the applicable recovery objectives. Since there are many possible events that can cause a disaster, the most probable events should be examined carefully in terms of their potential business impact together with the applicable BCP objectives. The strategy should be devised for each disaster type deemed to be within the BCP's scope. Depending on the types of disasters on the list, a distinct strategy may be needed for each. For instance, a pandemic may call for a "work from home" strategy while a dirty bomb attack may warrant a "lock down/shelter-in" strategy.

Assembling the Plan

With the foundational pieces in order, three activities remain: (1) define and document procedures that would be executed before and during a disaster event, (2) assemble a repository of information that would be utilized during and while recovering from the disaster event, and (3) deploy the plan throughout the organization.

Viewing scope, objectives and strategy as the "foundation" of the plan, procedures may be thought of as the "machinery" that runs during a disaster. When the term "procedures" is used in this context, it includes not just tasks but also decisions, protocols for communicating, company policies and perhaps even regulations dictated by governmental bodies. This collection should include the following essential procedures:

Incident Response - When an incident occurs, the appropriate individuals must respond according to a pre-defined sequence of steps. This will include "declaring" the disaster and classifying it according to severity, scope and other characteristics. In addition to defining the incident response steps, the persons involved and their responsibilities should be clearly called out in the BCP.

Notification Procedures - Once a disaster is declared by management, notification of the various participants must begin immediately. The participants and their responsibilities should be clearly called out in the plan.

Recovery Teams Responsibilities, Staffing and Procedures - As soon as the BCP participants have been notified, they will become part of one or more recovery teams. Therefore, recovery roles and responsibilities should be documented in this section.

Emergency Procedures and Information - External regulators require this section in plans. At a minimum, it should contain emergency contact information, alarm system response procedures and evacuation procedures.

Mission Critical Operating Specifications - Everything you will need to quickly establish your mission critical operations should be documented in this section, e.g., command center locations, service level agreements from your vendors, etc.

Rebuilding/Restoring Specifications and Inventories - At the same time that you are establishing your mission critical operations, attention should be given to restoring and rebuilding. The actual rebuilding/restoring should begin in earnest as soon as practical.

Testing & Maintenance Procedures - To ensure satisfactory execution, the plan should be tested and updated as a matter of routine procedure. Particulars as to the nature and frequency of tests as well as the "measures of performance" should be defined here. Identifying the elements of the plan that need maintenance, how often the maintenance should be performed and by whom should all be spelled out in the plan.

The next element, Information Resources, should be referenced or otherwise included within the plan. In either case, these resources should be made readily accessible by those persons who may have a need for their use during a disaster. While there is no hard and fast list, at a minimum the following should be included:

Equipment - An inventory of the equipment you had before the disaster as well as what equipment you will need for recovery.

Facilities - A description of the facilities, including contact information and directions, which would assist you in your recovery activities. These may include your offsite storage facility, hot site, command centers, alternate offices, etc.

Forms & Stationery - A description of any special forms or stationery items that would be necessary to achieve your RTO, for example, blank company checks.

Personnel - Detailed contact information on all your personnel will be essential for recovery.

Recovery Tasks - A description of the tasks that need to be accomplished for recovery.

Software - An inventory of the software you had before the disaster as well as the software you will need for recovery, including any temporary software license keys.