Develop a Business Continuity Plan

Develop a Business Continuity Plan

Streamline the traditional approach to make BCP development manageable and repeatable.

Analyst Perspective

A BCP touches every aspect of your organization, making it potentially the most complex project you’ll take on. Streamline this effort or you won’t get far.

None of us needs to look very far to find a reason to have an effective business continuity plan.

From pandemics to natural disasters to supply chain disruptions to IT outages, there’s no shortage of events that can disrupt your complex and interconnected business processes. How in the world can anyone build a plan to address all these threats?

Don’t try to boil the ocean. Use these tactics to streamline your BCP project and stay on track:

• Focus on one business unit at a time. Keep the effort manageable, establish a repeatable process, and produce deliverables that provide a starting point for the rest of the organization.
• Don’t start with an extensive risk analysis. It takes too long and at the end you’ll still need a plan to resume business operations following a disruption. Rather than trying to predict what could cause a disruption, focus on how to recover.
• Keep your BCP documentation concise. Use flowcharts, checklists, and diagrams instead of traditional manuals.

No one can predict every possible disruption, but by following the guidance in this blueprint, you can build a flexible continuity plan that allows you to withstand the threats your organization may face.

Frank Trovato

Research Director,
IT Infrastructure & Operations Practice
Info-Tech Research Group

Andrew Sharp

Senior Research Analyst,
IT Infrastructure & Operations Practice
Info-Tech Research Group

Executive Summary

Your Challenge

• Recent crises have increased executive awareness and internal pressure to create a BCP.
• Industry- and government-driven regulations require evidence of sound business continuity practices.
• Customers demand their vendors provide evidence of a workable BCP prior to signing a contract.

IT leaders, because of their cross-functional view and experience with incident management and DR, are often asked to lead BCP efforts.

Common Obstacles

• IT managers asked to lead BCP efforts are dealing with processes and requirements beyond IT and outside of their control.
• BCP requires input from multiple departments with different and sometimes conflicting objectives.
• Typically there are few, if any, dedicated resources for BCP, so it can't be a full-time, resource-intensive project.

Info-Tech’s Approach

• Focus on implementing a structured and repeatable process that can be applied to one business unit at a time to avoid BCP from becoming an overwhelming project.
• Enable business leaders to own the BCP going forward by establishing a template that the rest of the organization can follow.
• Leverage BCP outcomes to refine IT DRP recovery objectives and achieve DRP-BCP alignment.

Info-Tech Insight

As an IT leader you have the skill set and organizational knowledge to lead a BCP project, but you must enable business leaders to own their department’s BCP practices and outputs. They know their processes and, therefore, their requirements to resume business operations better than anyone else.

Use this research to create business unit BCPs and structure your overall BCP

A business continuity plan (BCP) consists of separate but related sub-plans, as illustrated below. This blueprint enables you to:

• Develop a BCP for a selected business unit (as a pilot project), and thereby establish a methodology that can be repeated for remaining business units.
• Through the BCP process, clarify requirements for an IT disaster recovery plan (DRP). Refer to Info-Tech’s Disaster Recovery Planning workshop for instructions on how to create an IT DRP.
• Implement ongoing business continuity management to govern BCP, DRP, and crisis management.

Overall Business Continuity Plan

IT Disaster Recovery Plan

A plan to restore IT application and infrastructure services following a disruption.

Info-Tech’s disaster recovery planning blueprint provides a methodology for creating the IT DRP. Leverage this blueprint to validate and provide inputs for your IT DRP.

BCP for Each Business Unit

A set of plans to resume business processes for each business unit. This includes:

• Identifying business processes and dependencies.
• Defining an acceptable recovery timeline based on a business impact analysis.
• Creating a step-by-step recovery workflow.

Crisis Management Plan

A plan to manage a wide range of crises, from health and safety incidents to business disruptions to reputational damage.

Info-Tech’s Implement Crisis Management Best Practices blueprint provides a framework for planning a response to any crisis, from health and safety incidents to reputational damage.

IT leaders asked to develop a BCP should start with an IT Disaster Recovery Plan

It’s a business continuity plan. Why should you start continuity planning with IT?

1. IT services are a critical dependency for most business processes. Creating an IT DRP helps you mitigate a key risk to continuity quicker than it takes to complete your overall BCP, and you can then focus on other dependencies such as people, facilities, and suppliers.
2. A BCP requires workarounds for IT failures. But it’s difficult to plan workarounds without a clear understanding of the potential IT downtime and data loss. Your DRP will answer those questions, and without a DRP, BCP discussions can get bogged down in IT discussions. Think of payroll as an example: if downtime might be 24 hours, the business might simply wait for recovery; if downtime might be a week, waiting it out is not an option.
3. As an IT manager, you can develop an IT DRP primarily with resources within your control. That makes it an easier starting point and puts IT in a better position to shift responsibility for BCP to business leaders (where it should reside) since essentially the IT portion is done.

Create a Right-Sized Disaster Recovery Plan today.

Modernize the BCP

If your BCP relies heavily on paper-based processes as workarounds, it’s time to update your plan.

Back when transactions were recorded on paper and then keyed into the mainframe system later, it was easier to revert to deskside processes. There is very little in the way of paper-based processes anymore, and as a result, it is increasingly difficult to resume business processes without IT.

Think about your own organization. What IT system(s) are absolutely critical to business operations? While you might be able to continue doing business without IT, this requires regular preparation and training. It’s likely a completely offline process and won’t be a viable workaround for long even if staff know how to do the work. If your data center and core systems are down, technology-enabled workarounds (such as collaboration via mobile technologies or cloud-based solutions) could help you weather the outage, and may be more flexible and adaptable for day-to-day work.

The bottom line:

Technology is a critical dependency for business processes. Consider the role IT systems play as process dependencies and as workarounds as part of continuity planning.

Info-Tech’s approach

The traditional approach to BCP takes too long and produces a plan that is difficult to use and maintain.

The Problem: You need to create a BCP, but don’t know where to start.

• BCP is being demanded more and more to comply with regulations, mitigate business risk, meet customer demands, and obtain insurance.
• IT leaders are often asked to lead BCP.

The Complication: A traditional BCP process takes longer to show value.

• Traditional consultants don’t usually have an incentive to accelerate the process.
• At the same time, self-directed projects with no defined process go months without producing useful deliverables.
• The result is a dense manual that checks boxes but isn’t maintainable or usable in a crisis.

The Info-Tech difference:

Use Info-Tech’s methodology to right-size and streamline the process.

• Reduce required effort. Keep the work manageable and maintain momentum by focusing on one business unit at a time; allow that unit to own their BCP.
• Prioritize your effort. Evaluate the current state of your BCP to identify the steps that are most in need of attention.
• Get valuable results faster. Functional deliverables and insights from the first business unit’s BCP can be leveraged by the entire organization (e.g. communication, assessment, and BC site strategies).

Expedite BCP development

Info-Tech’s Approach to BCP:

• Start with one critical business unit to manage scope, establish a repeatable process, and generate deliverables that become a template for remaining business units.
• Resolve critical gaps as you identify them, generating early value and risk mitigation.
• Create concise, practical documentation to support recovery.

Embed training and awareness throughout the planning process.

BCP for Business Unit A:

Scope → Pilot BIA → Response Plan → Gap Analysis

→ Lessons Learned:

• Leverage early results to establish a BCM framework.
• Take action to resolve critical gaps as they are identified.
• BCP for Business Units B through N.
• Scope→BIA→Response Plan→Gap Analysis

= Ongoing governance, testing, maintenance, improvement, awareness, and training.

By comparison, a traditional BCP approach takes much longer to mitigate risk:

• An extensive, upfront commitment of time and resources before defining incident response plans and mitigating risk.
• A “big bang” approach that makes it difficult to predict the required resourcing and timelines for the project.

Organizational Risk Assessment and Business Impact Analysis → Solution Design to Achieve Recovery Objectives → Create and Validate Response Plans

Case Study

Continuity Planning Supports COVID-19 Response

Industry: Non-Profit
Source: Info-Tech Advisory Services

A charitable foundation for a major state university engaged Info-Tech to support the creation of their business continuity plan.

With support from Info-Tech analysts and the tools in this blueprint, they worked with their business unit stakeholders to identify recovery objectives, confirm recovery capabilities and business process workarounds, and address gaps in their continuity plans.

Results

The outcome wasn’t a pandemic plan – it was a continuity plan that was applicable to pandemics. And it worked. Business processes were prioritized, gaps in work-from-home and business process workarounds had been identified and addressed, business leaders owned their plan and understood their role in it, and IT had clear requirements that they were able and ready to support.

“The work you did here with us was beyond valuable! I wish I could actually explain how ready we really were for this…while not necessarily for a pandemic, we were ready to spring into action, set things up, the priorities were established, and most importantly some of the changes we’ve made over the past few years helped beyond words! The fact that the groups had talked about this previously almost made what we had to do easy.“ -- VP IT Infrastructure

Download the BCP Case Study

Project Overview: BCP

Blueprint deliverables

Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:

BCP Business Impact Analysis Tool: Conduct and document a business impact analysis using this document.

BCP Recovery Workflows Example: Model your own recovery workflows on this example.

BCP Project Roadmap: Use this tool to prioritize projects that can improve BCP capabilities and mitigate gaps and risks.

BCP Relocation Checklists: Plan for and manage a site relocation – whether to an alternate site or work from home.

Key deliverable:

BCP Summary Document

Summarize your organization's continuity capabilities and objectives in a 15-page, easy-to-consume template.

This document consolidates data from the supporting documentation and tools to the right.

Download Info-Tech’s BCP Summary Document

Insight summary

Focus less on risk, and more on recovery

Avoid focusing on risk and probability analysis to drive your continuity strategy. You never know what might disrupt your business, so develop a flexible plan to enable business resumption regardless of the event.

Small teams = good pilots

Choose a small team for your BCP pilot. Small teams are better at trialing new techniques and finding new ways to think about problems.

Calculate downtime impact

Develop and apply a scoring scale to develop a more-objective assessment of downtime impact for the organization. This will help you prioritize recovery.

It’s not no, but rather not now…

You can’t address all the organization’s continuity challenges at once. Prioritize high value, low effort initiatives and create a long-term roadmap for the rest.

Show Value Now

Get to value quickly. Start with one business unit with continuity challenges, and a small, focused project team who can rapidly learn the methodology, identify continuity gaps, and define solutions that can also be leveraged by other departments right away.

Lightweight Testing Exercises

Outline recovery capabilities using lightweight, low risk tabletop planning exercises. Our research shows tabletop exercises increase confidence in recovery capabilities almost as much as live exercises, which carry much higher costs and risks.

Blueprint benefits

Demonstrate compliance with demands from regulators and customers

• Develop a plan that satisfies auditors, customers, and insurance providers who demand proof of a continuity plan.
• Demonstrate commitment to resilience by identifying gaps in current capabilities and projects to overcome those gaps.
• Empower business users to develop their plans and perform regular maintenance to ensure plans don’t go stale.
• Establish a culture of business readiness and resilience.

Leverage your BCP to drive value (Business Benefits)

• Enable flexible, mobile, and adaptable business operations that can overcome disruptions large and small. This includes making it easier to work remotely in response to pandemics or facility disruptions.
• Clarify the risk of the status quo to business leaders so they can make informed decisions on where to invest in business continuity.
• Demonstrate to customers your ability to overcome disruptions and continue to deliver your services.

Info-Tech Advisory Services lead to Measurable Value

Info-Tech members told us they save an average of $44,522 and 23 days by working with an Info-Tech analyst on BCP (source: client response data from Info-Tech's Measured Value Survey).

Why do members report value from analyst engagement?

1. Expert advice on your specific situation to overcome obstacles and speed bumps.
2. Structure the project and stay on track.
3. Review project deliverables and ensure the process is applied properly.

Info-Tech offers various levels of support to best suit your needs

DIY Toolkit

"Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful."

Guided Implementation

“Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”

Workshop

“We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”

Consulting

“Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”

Diagnostic and consistent frameworks are used throughout all four options.

Guided Implementation

Your Trusted Advisor is a call away.

A Guided Implementation (GI) is series of calls with an Info-Tech analyst to help implement our best practices in your organization.

A typical GI is between eight to twelve calls over the course of four to six months.

Scoping

Call 1: Scope requirements, objectives, and stakeholders. Identify a pilot BCP project.

Business Processes and Dependencies

Calls 2 - 4: Assess current BCP maturity. Create business process workflows, dependencies, alternates, and workarounds.

Conduct a BIA

Calls 5 – 7: Create an impact scoring scale and conduct a BIA. Identify acceptable RTO and RPO.

Recovery Workflow

Calls 8 – 9: Create a recovery workflow based on tabletop planning.

Documentation & BCP Framework

Call 10: Summarize the pilot results and plan next steps. Define roles and responsibilities. Make the case for a wider BCP program.

Workshop Overview

Contact your account representative for more information.

workshops@infotech.com | 1-888-670-8889

Phase 1

Identify BCP Maturity and Document Process Dependencies

Phase 1

1.1 Assess Current BCP Maturity

1.2 Establish the pilot BCP team

1.3 Identify business processes, dependencies, and alternatives

Insights & Outcomes

Define the scope for the BCP project: assess the current state of the plan, create a pilot project team and pilot project charter, and map the business processes that will be the focus of the pilot.

Participants

• BCP Coordinator
• BCP Executive Sponsor
• Pilot Business Unit Manager & Process SMEs

Step 1.1

Assess current BCP Maturity

This step will walk you through the following activities:

• Complete Info-Tech’s BCP Maturity Scorecard

This step involves the following participants:

• Executive Sponsor
• BCP Coordinator

You'll use the following tools & templates:

• BCP Maturity Scorecard

Outcomes & Insights

Establish current BCP maturity using Info-Tech’s ISO 22301-aligned BCP Maturity Scorecard.

Evaluate the current state of your continuity plan

Use Info-Tech’s Maturity Scorecard to structure and accelerate a BCP maturity assessment.

Conduct a maturity assessment to:

• Create a baseline metric so you can measure progress over time. This metric can also drive buy-in from senior management to invest time and effort into your BCP.
• Understand the scope of work to create a complete business continuity plan.
• Measure your progress and remaining gaps by updating your assessment once you’ve completed the activities in this blueprint.

This blueprint primarily addresses the first four sections in the scorecard, which align with the creation of the core components of your business continuity plan.

Info-Tech’s BCP Maturity Scorecard

Info-Tech’s maturity scorecard is aligned with ISO 22301, the international standard that describes the key elements of a functioning business continuity management system or program – the overarching set of documents, practices, and controls that support the ongoing creation and maintenance of your BCP. A fully functional BCMS goes beyond business continuity planning to include crisis management, BCP testing, and documentation management.

Audit tools tend to treat every bullet point in ISO 22301 as a separate requirement – which means there’s almost 400 lines to assess. Info-Tech’s BCP Maturity Scorecard has synthesized key requirements, minimizing repetition to create a high-level self-assessment aligned with the standard.

A high score is a good indicator of likely success with an audit.

Download Info-Tech's BCP Maturity Scorecard

Tool: BCP Maturity Scorecard

Assess your organization’s BCP capabilities.

Use Info-Tech’s BCP Maturity Scorecard to:

• Assess the overall completeness of your existing BCP.
• Track and demonstrate progress towards completion as you work through successive planning iterations with additional business units.

1. Download a copy of the BCP Maturity Scorecard. On tab 1, indicate the percent completeness for each item using a 0-10 scale (0 = 0% complete, 10 = 100% complete).
2. If you anticipate improvements in a certain area, make note of it in the “Comments” column.
3. Review a visual representation of your overall scores on tab 2.

Download Info-Tech's BCP Maturity Scorecard

"The fact that this aligns with ISO is huge." - Dr. Bernard Jones MBCI, CBCP

Step 1.2

Establish the pilot BCP team

This step will walk you through the following activities:

• Assign accountability, responsibility, and roles.
• Develop a project charter.
• Identify dependencies and alternates for those dependencies.

This step involves the following participants:

• Executive Sponsor
• BCP Coordinator

In this step, you’ll use these tools and templates:

• BCP Pilot Project Charter Template

Outcomes & Insights

Assign roles and responsibilities for the BCP pilot project. Set milestones and timelines for the pilot.

Take a pilot approach for BCP

Limit the scope of an initial BCP project to get to value faster.

Pilot Project Goals

• Establish a repeatable methodology that fits your organization and will accelerate BCP development, with tangible deliverables that provide a template for the rest of the business.
• Identify high-priority business continuity gaps for the pilot business unit, many of which will also apply to the overall organization.
• Identify initiatives to start addressing gaps now.
• Enable business users to learn the BCP methodology and toolset so they can own and maintain their business unit BCPs.

Accomplishments expected:

• Define key business processes and process dependencies, and alternatives if dependencies are not available.
• Classify key business processes by criticality for one business unit, using an objective impact scoring scale.
• Set recovery objectives for these key processes.
• Document workarounds and recovery plans.
• Identify gaps in recovery plans and list action items to mitigate risks.
• Develop a project plan to structure a larger continuity project.

What not to expect from a pilot project:

• A complete organizational BCP (the pilot is a strong starting point).
• Implemented solutions to all BCP gaps (proposed solutions will need to be evaluated first).

Structure IT’s role in continuity planning

Clearly define IT’s role in the pilot BCP project to deliver a successful result that enables business units to own BCP in the future.

Though IT is a critical dependency for most processes, IT shouldn’t own the business continuity plan. IT should be an internal BCP process consultant, and each business unit must own their plan.

IT should be an internal BCP consultant.

• IT departments interact with all business units, which gives IT leaders at least a high-level understanding of business operations across the organization.
• IT leaders typically also have at least some knowledge of disaster recovery, which provides a foundation for tackling BCP.
• By contrast, business leaders often have little or no experience with disaster recovery, and don’t have the same level of experience as IT when it comes to working with other business units.

Why shouldn’t IT own the plan?

• Business unit managers have the authority to direct resources in their department to participate in the BCP process.
• Business users are the experts in their processes, and are in the best position to identify dependencies, downtime impacts, recovery objectives, and viable solutions (e.g., acceptable alternate sites or process workarounds).
• Ultimately, business unit managers and executives must decide whether to mitigate, accept, or transfer risks.

Info-Tech Insight

A goal of the pilot is to seed success for further planning exercises. This is as much about demonstrating the value of continuity planning to the business unit, and enabling them to own it, as it is about implementing the methodology successfully.

Create a RACI matrix for the pilot

Assemble a small, focused team for the pilot project empowered to discover, report, and present possible solutions to continuity planning challenges in your organization.

Outline roles and responsibilities on the pilot team using a “RACI” exercise. Remember, only one party can be ultimately accountable for the work being completed.

Example Pilot BCP Project RACI

R: Responsible for doing the work.

A: Accountable to ensure the activity/work happens.

C: Consulted prior to decision or action.

I: Informed of the decision/action once it’s made.

"Large teams excel at solving problems, but it is small teams that are more likely to come up with new problems for their more sizable counterparts to solve." – Wang & Evans, 2019

Info-Tech Insight

Small teams tend to be better at trialing new techniques and finding new ways to think about problems, both of which are needed for a BCP pilot project.

Choose one business unit for the pilot

Many organizations begin their BCP project with a target business unit in mind. It’s still worth establishing whether this business unit meets the criteria below.

Good candidates for a pilot project:

• Business processes are standardized and documented.
• Management and staff are motivated to improve business continuity.
• The business unit is sufficiently well resourced to spare time (e.g. a few hours a week) to dedicate to the BCP process.

• If the business unit doesn’t meet these criteria, consider addressing shortfalls before the pilot (e.g. via stakeholder management or business process analysis) or selecting another unit.
• Many of the decisions will ultimately require input and support from the business unit’s manager(s). It is critical that they are bought into and engaged with the project.
• The leader of the first business unit will be a champion for BCP within the executive team.
• Sometimes, there’s no clear place to start. If this is the case for you, consider using Info-Tech’s Business Unit BCP Prioritization Tool to determine the order in which business units should undergo BCP development.

Create role descriptions for the pilot project

Use these role descriptions and your RACI chart to define roles for the pilot.

These short descriptions establish the functions, expectations, and responsibilities of each role at a more granular level.

The Board and executives have an outsized influence on the speed at which the project can be completed. Ensure that communication with these stakeholders is clear and concise. Avoid involving them directly in activities and deliverable creation, unless it’s required by their role (e.g. as a business unit manager).

Identify a suitable BCP Coordinator

A skilled and committed coordinator is critical to building an effective and durable BCP.

• Coordinating the BC planning effort requires a perspective that’s informed by IT, but goes beyond IT.
• For example, many IT professionals only see business processes where they intersect with IT. The BCP Coordinator needs to be able to ask the right questions to help the business units think through dependencies for critical processes.
• Business analysts can thrive in this role, which requires someone effective at dissecting business processes, working with business users, identifying requirements, and managing large projects.

Structure the role of the BCP Coordinator

The BCP Coordinator works with the pilot business unit as well as remaining business units to provide continuity and resolve discrepancies as they come up between business units.

Specifically, this role includes:

• Project management tasks (e.g. scheduling, assigning tasks, coordinating resources, and reporting progress).
• Learning the BCP methodology (through the pilot) so that this person can lead remaining business units through their BCP process. This enables the IT leader who had been assigned to guide BCP development to step back into a more appropriate consulting role.
• Managing the BCP workflow.

"We found it necessary to have the same person work with each business unit to pass along lessons learned and resolve contingency planning conflicts for common dependencies." – Michelle Swessel, PM and IT Bus. Analyst, Wisconsin Compensation Rating Bureau (WCRB)

Template: Pilot Project Charter

Formalize participants, roles, milestones, risks for the pilot project.

Your charter should:

1. Define project parameters, including drivers, objectives, deliverables, and scope.
2. Identify the pilot business unit.
3. Assign a BCP pilot team, including a BCP Coordinator, to execute the methodology.
4. Define before-and-after metrics to enable the team to measure pilot success.
5. Set achievable, realistic target dates for specific project milestones.
6. Document risks, assumptions, and constraints.

Download Info-Tech’s BCP Pilot Project Charter Template

Step 1.3

Identify business processes, dependencies, and alternatives

This step will walk you through the following activities:

• Identify key business processes.
• Document the process workflow.
• Identify dependencies and alternates for those dependencies.

This step involves the following participants:

• BCP Coordinator
• Pilot Business Unit Manager
• Expert Business Unit Staff

You'll use the following tools & templates:

• BCP Business Impact Analysis Tool

Outcomes & Insights

Documented workflows, process dependencies, and workarounds when dependencies are unavailable.

Flowchart business processes

Workflows help you visually identify process dependencies and optimization opportunities.

• Business continuity planning is business process focused. You need to document business processes, dependencies, and downtime workarounds.
• Process documentation is a basic BCP audit requirement, but it will also:
  • Keep discussions about business processes well-scoped and focused – by documenting the process, you also clarify for everyone what you’re actually talking about.
  • Remind participants of process dependencies and workarounds.
  • Make it easier to spot possible process breakdowns or improvements.
  • Capture your work, which can be used to create or update SOP documentation.
• Use flowcharts to capture process workflows. Flowcharts are often quicker to create, take less time to update, and are ultimately more usable than a dense manual.

Info-Tech Insight

Process review often results in discovering informal processes, previously unknown workarounds or breakdowns, shadow IT, or process improvement opportunities.

1.3.1 Prioritize pilot business unit processes

Input

• List of key business unit processes.

Output

• List of key business unit processes, now prioritized (at a high-level)

Materials

• Whiteboard/flip charts
• BCP Business Impact Analysis Tool

Participants

• BCP Coordinator (leads the discussion)
• Pilot Business Unit Manager

30 minutes

1. Create a list of all formal and informal business processes executed by the pilot business unit.
2. Discuss the impact of process downtime, and do a quick assessment whether impact of downtime for each process would be high, medium, or low across each of these criteria:
   • Revenue or costs (e.g. supports sales, billing, or productivity)
   • Goodwill (e.g. affects internal or external reputation)
   • Compliance (e.g. affects legal or industry requirements)
   • Health or safety (e.g. affects employee/public health & safety)

Note: A more in-depth analysis will be conducted later to refine priorities. The goal here is a high-level order of priority for the next steps in the planning methodology (identify business processes and dependencies).

3. In the BCP Business Impact Analysis Tool, Processes and Dependencies tab, record the following:
   • The business processes in rough order of criticality.
   • For each process, provide a brief description that focuses on purpose and impact.
   • For each process, name a process owner (i.e. accountable for process completion – could be a manager or senior staff, not necessarily those executing the process).

1.3.2 Review process flows & identify dependencies

Input

• List of key business unit processes (prioritized at a high level in Activity 1.3.1).
• Business process flowcharts.

Output

• Business process flowcharts

Materials

• Whiteboard/flip charts
• Microsoft Visio, or other flowcharting software
• BCP Business Impact Analysis Tool

Download Info-Tech’s Business Process Workflows Example

1.5 hours

1. Use a whiteboard to flowchart process steps. Collaborate to clarify process steps and dependencies. If processes are not documented, use this as an opportunity to create standard operating procedures (SOPs) to drive consistency and process optimization, as described in the Info-Tech blueprint, Create Visual SOP Documents that Drive Process Optimization, Not Just Peace of Mind.
2. Record the dependencies in tab 1 of the BCP Business Impact Analysis Tool in the appropriate columns:
   • People – Anyone involved in the process, from providing guidance to executing the steps.
   • IT Applications – Core IT services (e.g. ERP, CRM) required for this process.
   • End-user devices & equipment – End-user devices, locally-installed apps, IoT, etc.
   • Facility – Any special requirements beyond general office space.
   • Suppliers & Service Providers – Third-parties who support this process.

Info-Tech Insight

Policies and procedures manuals, if they exist, are often out of date or incomplete. Use these as a starting point, but don’t stop there. Identify the go-to staff members who are well versed in how a process works.

1.3.3 Document workarounds

Input

• Business process flowcharts.
• List of process dependencies.

Output

• Workarounds and alternatives in the event dependencies aren’t available.

Materials

• BCP Business Impact Analysis Tool

Participants

• BCP Coordinator (facilitates the activity)
• Pilot Business Unit Manager
• Business Process Subject Matter Experts (SMEs)

1.5 hours

Identify alternatives to critical dependencies to help you create contingency plans.

1. For each business process, identify known alternatives for each primary dependency. Ignore for the moment how long the workaround or alternate would be feasible.
2. Record alternatives in the Business Continuity Business Impact Analysis Tool, Processes and Dependencies tab, Alternatives columns (a separate column for each category of dependency):
   • People – Can other staff execute the process steps? (Example: managers can step in if needed.)
   • IT Applications – Is there a manual workaround or other alternative while enterprise technology services are unavailable? (Example: database is down, but data is stored on physical forms.)
   • End-User Devices and Equipment – What alternatives exist to the usual end-user technologies, such as workstations and desk phones? (Example: some staff have cell phones.)
   • Facility Location and Requirements – Is there an alternate location where this work can be conducted? (Example: work from home, or from another building on the campus.)
   • Suppliers and External Services – Is there an alternative source for key suppliers or other external inputs? (Example: find alternate suppliers for key inputs.)
   • Additional Inputs or Requirements – What workarounds exist for additional artifacts that enable process steps (e.g. physical inventory records, control lists)? (Example: if hourly pay information is missing, run the same payroll as the previous run and reconcile once that information is available.)

Phase 2

Conduct a BIA to Determine Acceptable RTOs and RPOs

Phase 2

2.1 Define an objective impact scoring scale

2.2 Estimate the impact of downtime

2.3 Determine acceptable RTO/RPO targets

Insights & Outcomes

Assess the impact of business process downtime using objective, customized impact scoring scales. Sort business processes by criticality and by assigning criticality tiers, recovery time, and recovery point objectives.

Participants

• BCP Coordinator
• Pilot Business Unit Manager
• Business Process SMEs

Step 2.1

Define an objective scoring scale

This step will walk you through the following activities:

• Identify impact criteria that are relevant to your business.
• Create a scale that defines a range of impact for relevant criteria.

This step involves the following participants:

• BCP Coordinator
• Pilot Business Unit Manager
• Expert Business Unit Staff

In this step, you’ll use these tools and templates:

• BCP Business Impact Analysis Tool

Outcomes & Insights

Define an impact scoring scale relevant to your business, which allows you to more-objectively assess the impact of business process downtime.

Set appropriate recovery objectives

Recovery time and recovery point objectives should align with business impact.

The activities in Phase 2 will help you set appropriate, acceptable recovery objectives based on the business impact of process downtime.

• The recovery time objective (RTO) and recovery point objective (RPO) are the recovery goals set for individual processes and dependencies to ensure your business unit meets its overall acceptable recovery timeline.

For example:

• An RTO of four hours means staff and other required resources must be available to support the business processes within four hours of an incident (e.g. relocate to an alternate worksite if necessary, access needed equipment, log-in to needed systems, get support for completing the process from alternate staff, etc.)
• An RPO of four hours for a customer database means the most recent secondary copy of the data must never be more than four hours old – e.g. running a backup every four hours or less.

Conduct a Business Impact Analysis (BIA)

Create Impact Scoring Scales→Assess the impact of process downtime→Review overall impact of process downtime→Set Criticality Tiers→Set Recovery Time and Recovery Point Objectives

Create financial impact scales

Identify maximum cost and revenue impacts to build financial impact scales to measure the financial impact of process downtime.

Work with the Business Unit Manager and Executive Sponsor to identify the maximum impact in each category to the entire business. Use a worst-case scenario to estimate the maximum for each scale. In the future, you can use this scoring scale to estimate the impact of downtime for other business units.

• Loss of Revenue: Estimate the upper bound for this figure from the previous year, and divide that by the number of business days in the year. Note: Some organizations may choose to exclude revenue as a category where it won’t be lost (e.g. public-sector organizations).
• Loss of Productivity: Proxy for lost workforce productivity using payroll numbers. Use the fully loaded payroll for the company, divided by the number of working days in the year as the maximum.
• Increased Operating Costs: Isolate this to known additional costs resulting from a disruption. Does the interruption itself increase operating costs (e.g. if using timesheets for hourly/contract employees and that information is lost or unavailable, do you assume a full work week)?
• Financial Penalties: If there are known financial penalties (e.g. due to failure to meet SLAs or other contractual obligations), include those values in your cost estimates.

Info-Tech Insight

Cost estimates are like hand grenades and horseshoes: you don’t need to be exact. It’s much easier to get input and validation from other stakeholders when you have estimates. Even weak estimates are far better than a blank sheet.

Create goodwill, compliance, and safety impact scales

Create a quantitative, more-objective scoring scale for goodwill, compliance and safety by following the guidance below.

• Impact on Customers: By default, the customer impact scale is based on the percent of your total customer base impacted. You can also modify this scale to include severity of impact or alter it to identify the maximum number of customers that would be impacted.
• Impact on Staff: Consider staff that are directly employed by the organization or its subsidiaries.
• Impact on Business Partners: Which business partners would be affected by a business disruption?
• Impact on Health & Safety: Consider the extent to which process downtime could increase the risk of the health & safety of staff, customers, and the general public. In addition, degradation of health & safety services should be noted.
• Impact on Compliance: Set up the scale so that you can capture the impact of any critical regulatory requirements that might not be met if a particular process was down for 24 hours. Consider whether you expect to receive leeway or a grace period from the governance body that requires evidence of compliance.

Info-Tech Best Practice

Use just the impact scales that are relevant to your organization.

Tool: Impact Scoring Scales

• Define 4-point scoring scales in the BCP business impact analysis tool for a more objective assessment than gut-feel rankings.
• You don’t need to include every category, if they aren’t relevant to your organization.
• Refine the scoring scale as needed through the pilot project.
• Use the same scoring scale for impact analyses with additional business units in the future.

Step 2.2

Estimate the impact of downtime

This step will walk you through the following activities:

• Apply the scoring scale developed in step 2.1 to assess the impact of downtime for specific business processes.

This step involves the following participants:

• BCP Coordinator
• Pilot Business Unit Manager
• Expert Business Unit Staff

In this step, you’ll use these tools and templates:

• BCP Business Impact Analysis Tool

Outcomes & Insights

Develop an objective view of the impact of downtime for key business processes.

2.2.1 Estimate the impact of downtime

1.5 hours

Input

• List of business processes, dependencies, and workarounds, all documented in the BIA tool.

Output

• Impact of downtime scores for key business unit processes.

Materials

• BCP Business Impact Analysis Tool

Participants

• BCP Coordinator (facilitates the discussion)
• Business Process Subject Matter Experts (SMEs)
• Pilot Business Unit Manager

1. Print a copy of the Scoring Criteria tab to use as a reference, or have it open on another screen. In tab 3 of the BCP Business Impact Analysis Tool use the drop-down menu to assign a score of 0 to 4 based on levels of impact defined in the Scoring Criteria tab.
2. Work horizontally across all categories for a single process. This will set a benchmark, familiarize you with the scoring system, and allow you to modify any scoring scales if needed. In general, begin with the process that you know to be most critical.
   • For example, if call center sales operations are down:
     • Loss of Revenue would be the portion of sales revenue generated through the call center. This might score a 2 or 3 depending on the proportion of sales generated through the call center.
     • The Impact on Customers might be a 1 or 2 depending on the extent that existing customers might be using the call center to purchase new products or services.
     • The Legal/Regulatory Compliance and Health or Safety Risk might be a 0.
3. Next, work vertically across all processes within a single category. This will allow you to compare scores within the category as you create them.

Tool: Impact Analysis

• The goal of the exercise is to arrive at a defensible ranking of process criticality, based on the impact of downtime.
• Make sure participants can see the scores you’re assigning during the exercise (e.g. by writing out the scores on a whiteboard, or displaying the tool on a projector or screen) and can reference the scoring scales tab to understand what the scores mean.
• Take notes to record the rationale behind the impact scores. Consider assigning note-taking duties to one of the participants.

2.2.2 Sort processes into Criticality Tiers

30 minutes

Input

• Processes, with assigned impact scores (financial impact, goodwill impact, compliance and safety impact).

Output

• Business processes sorted into criticality tiers, based on the impact of downtime.

Materials

• BCP Business Impact Analysis Tool

Participants

• BCP Coordinator (facilitates the discussion)
• Business Process Subject Matter Experts (SMEs)
• Pilot Business Unit Manager

1. In general, consider the Total Impact on Goodwill, Compliance, and Safety first.
   • An effective tactic to start the process is to assign a tier 1 rating to all processes with a Goodwill, Compliance, and Safety score that’s 50% or more of the highest total score, tier 2 where scores are between 25% and 50%, and tier 3 where scores are below 25% (see table below for an example).
   • In step 2.3, you’ll align recovery time objectives with the criticality tiers. So, Tier 1 processes will target recovery before Tier 2 processes, and Tier 2 processes will target recovery before Tier 3 processes.
2. Next, consider the Total Cost of Downtime.

• The Total Cost is calculated by the tool based on the Scoring Criteria in tab 2 and the estimates in the BIA.
• Consider whether the total cost impact justifies changing the criticality rating. “Smoke test” categorization with participants. Are there any surprises (processes more or less critical than expected)?

Example: Highest total Goodwill, Compliance, and Safety impact score is 18.

Step 2.3

Determine acceptable RTO and RPO targets

This step will walk you through the following activities:

• Identify acceptable Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs) for business processes.

This step involves the following participants:

• BCP Coordinator
• Pilot Business Unit Manager
• Expert Business Unit Staff

In this step, you’ll use these tools and templates:

• BCP Business Impact Analysis Tool

Outcomes and Insights

Right-size recovery objectives based on business impact.

Right-size recovery objectives

Acceptable RTOs and RPOs must be right-sized to the impact of downtime.

Rapid recovery typically requires more investment.

The impact of downtime for most business processes tends to look something like the increasing impact curve in the image to the right.

In the moments after a disruption, impact tends to be minimal. Imagine, for example, that your organization was suddenly unable to pay its suppliers (don’t worry about the reason for the disruption, for the moment). Chances are, this disruption wouldn’t affect many payees if it lasted just a few minutes, or even a few hours. But if the disruption were to continue for days, or weeks, the impact of downtime would start to spiral out of control.

In general, we want to target recovery somewhere between the point where impact begins, and the point where impact is intolerable. We want to balance the impact of downtime with the investment required to make processes more resilient.

Info-Tech Insight

Account for hard copy files as well as electronic data. If that information is lost, is there a backup? BCP can be the driver to remove the last resistance to paperless processes, allowing IT to apply appropriate data protection.

Set recovery time objectives and recovery point objectives in the “Debate Space”

2.3.1 Define process-level recovery objectives

1 hour

Input

• Processes, ranked by criticality.

Output

• Initial business-defined recovery objectives for each process.

Materials

• BCP Business Impact Analysis Tool

Participants

• BCP Coordinator (facilitates the discussion)
• Business Process Subject Matter Experts (SMEs)
• Pilot Business Unit Manager

1. Review the “Debate Space” diagram (shown in previous section) with all participants.
2. Ask business participants for each process: how much downtime is tolerable, acceptable, or appropriate? How much data loss is tolerable?
   • If participants aren’t yet comfortable setting recovery objectives, identify the point at which downtime and data loss first becomes noticeable and the point at which downtime and data loss becomes intolerable.
   • Choose an RTO and RPO for each process that falls within the range set by these two extremes.

RTOs and RPOs are business-defined, impact-aligned objectives that you may not be able to achieve today. It may require significant investments of time and capital to enable the organization to meet RTO and RPO.

2.3.2 Align RTOs within and across criticality tiers

1 hour

Input

• Results from pilot BCP impact analysis.

Output

• Initial business-defined recovery objectives for each process.

Materials

• BCP Business Impact Analysis Tool
• Whiteboard/ flipchart

Participants

• BCP Coordinator
• BCP Project Sponsor
• Business Process Subject Matter Experts (SMEs)
• Pilot Business Unit Manager (optional)

Set a range for RTO for each Tier.

1. Start with your least critical/Tier 3 processes. Use the filter in the “Criticality Rating” column in the Impact Analysis tab of the BIA tool to show only Tier 3 processes.
   • What range of RTOs did the group assign for processes in this Tier? Does the group agree that these targets are appropriate for these processes?
   • Record the range of RTOs on the whiteboard or flipchart.
2. Next, look at Tier 2 processes. Use the same filter to show just Tier 2 processes.
   • Record the range of RTOs, confirm the range with the group, and ensure there’s no overlap with the Tier 3 range.
   • If the RTOs in one Tier overlap with RTOs in another, you’ll need to adjust RTOs or move processes between Tiers (if the impact analysis justifies it).

Phase 3

Document the Recovery Workflow and Projects to Close Gaps

3.1 Determine current recovery procedures

3.2 Identify and prioritize projects to close gaps

3.3 Evaluate business continuity site and command center options

Insights & Outcomes

Outline business recovery processes. Highlight gaps and risks that could hinder business recovery. Brainstorm ideas to address gaps and risks. Review alternate site and business relocation options.

Participants

• BCP Coordinator
• Pilot Business Unit Manager
• Business Process SMEs

Step 3.1

Determine current recovery procedures

This step will walk you through the following activities:

• Create a step-by-step, high-level recovery workflow.
• Highlight gaps and risks in the recovery workflow.
• Test the workflow against multiple scenarios.

This step involves the following participants:

• BCP Coordinator
• Crisis Management Team
• Pilot Business Unit Manager
• Expert Business Unit Staff

In this step, you’ll use these tools and templates:

• BCP Tabletop Planning Template

Outcomes & Insights

Establish steps required for business recovery and current recovery timelines.

Identify risks & gaps that could delay or obstruct an effective recovery.

Conduct a tabletop planning exercise to draft business recovery plans

Tabletop exercises are the most effective way to test and increase business confidence in business recovery capabilities.

Why is tabletop planning so effective?

• It enables you play out a wider range of scenarios than technology-based testing (e.g. full-scale, parallel) due to cost and complexity factors.
• It is non-intrusive, so it can be executed more frequently than other testing methodologies.
• It provides a thorough test of your recovery workflow since the exercise is, essentially, paper-based.
• After you have a BCP in place, this exercise can continue to be a valuable testing exercise for BCP to capture changes in your recovery process.

Step 2 - 2 hours
Establish command center.

Step 2: Risks

• Command center is just 15 miles away from primary site.

Step 2: Gaps

• Confirm what’s required to set up the command center.
• Who has access to the EOC?
• Does the center have sufficient bandwidth, workstations, phones, telephone lines?

3.1.1 Choose a scenario for your first tabletop exercise

30 minutes

Input

• List of past incidents.
• Risks to business continuity that are of high concern.

Output

• Scenario for the tabletop exercise.

Materials

• N/A

Participant

• BCP Coordinator (facilitates the exercise)
• Business Process Subject Matter Experts (SMEs)
• Pilot business unit manager

At the business unit level, the goal is to define a plan to resume business processes after an incident.

A good scenario is one that helps the group focus on the goal of tabletop planning – to discuss and document the steps required to recover business processes. We suggest choosing a scenario for your first exercise that:

• Disrupts many process dependencies (i.e. facilities, staff, IT services, suppliers).
• Does not result in major property damage, harm, or loss of life. Business resumption is the focus of this exercise, not emergency response.
• Has happened in the past, or is of concern to the business.

An example: a gas leak at company HQ that requires the area to be cordoned off and power to be shut down. The business must resume processes from another location without access to materials, equipment, or IT services at the primary location.

A plan that satisfies the gas leak scenario should meet the needs of other scenarios that affect your normal workspace. Then use BCP testing to validate that the plan meets a wider range of incidents.

3.1.2 Define the BCP activation process

1 hour

Input

• Any existing crisis management, incident response or emergency response plans.
• BC Scenario.

Output

• High level incident notification, assessment, and declaration workflow.

Materials

• Cue cards, sticky notes, whiteboard and markers, or Visio template.

Participants

• BCP Coordinator
• Crisis Management Team (if one exists)
• Business Process SMEs
• Pilot Business Unit Manager

Answer the questions below to structure your notification, assessment, and BCP activation procedures.

Notification

How will you be notified of a disaster event? How will this be escalated to leadership? How will the team responsible for making decisions coordinate (if they can’t meet on-site)? What emergency response plans are in place to protect health and safety? What additional steps are involved if there’s a risk to health and safety?

Assessment

Who’s in charge of the initial assessment? Who may need to be involved in the assessment? Who will coordinate if multiple teams are required to investigate and assess the situation? Who needs to review the results of the assessment, and how will the results of the assessment be communicated (e.g. phone bridge, written memo)? What happens if your primary mode of communication is unavailable (e.g. phone service is down)?

Declaration

Who is responsible today for declaring a disaster and activating business continuity plans? What are the organization’s criteria for activating continuity plans, and how will BCP activation be communicated? Establish a crisis management team to guide the organization through a wide range of crises by Implementing Crisis Management Best Practices.

3.1.3 Document the business recovery workflow

1 hour

Input

• Pilot BIA.
• Any existing crisis management, incident response, or emergency response plans.
• BC Scenario

Output

• Outline of your BCP declaration and business recovery plan.

Materials

• Cue cards, sticky notes, whiteboard and markers, or Visio template.

Participants

• BCP Coordinator (facilitates the exercise)
• Business Process Subject Matter Experts (SMEs)
• Pilot Business Unit Manager

Do the following:

1. Create separate flows for facility, IT, and staff disruptions. Include additional workflows as needed.
   • We suggest you outline the recovery process at least to the point where business processes are restored to a minimum viable functional level.
2. On white cue cards:
   1. Record the step.
   2. Indicate the task owner.
   3. Estimate how long the step will take.
3. On yellow cue cards, document gaps in people, process, and technology requirements to complete the step.
4. On red cue cards, indicate risks (e.g. no backup person for a key staff member).

Info-Tech Best Practice

Tabletop planning is most effective when you keep it simple.

• Be focused; stay on task and on time.
• Revisit each step and record risks and mitigation strategies.
• Discuss each step from start to finish.
• Revise the plan with key task owners.
• Don’t get weighed down by tools.
• Simple tools, like cue cards or whiteboards, can be very effective.

Tool: BCP Recovery Workflow

Document the steps you identified in the tabletop to create your draft recovery workflow.

Why use a flowchart?

• Flowcharts provide an at-a-glance view, are ideal for crisis scenarios where pressure is high and effective, and where timely communication is necessary.
• For experienced managers and staff, a high-level reminder of process flows or key steps is sufficient.
• Where more detail is required, include links to supporting documentation (which could include checklists, vendor documentation/contracts, other flowcharts, etc.)

Create one recovery workflow for all scenarios.

Traditional planning calls for separate plans for different “what-if” scenarios. This is challenging not just because it’s a lot more documentation – and maintenance – but because it’s impossible to predict every possible incident. Use the template, aligned to recovery of process dependencies, to create one recovery workflow for each business unit that can be used in and tested against different scenarios.

Download Info-Tech’s BCP Recovery Workflow Example

"We use flowcharts for our declaration procedures. Flowcharts are more effective when you have to explain status and next steps to upper management." – Assistant Director-IT Operations, Healthcare Industry

"Very few business interruptions are actually major disasters. It’s usually a power outage or hardware failure, so I ensure my plans address ‘minor’ incidents as well as major disasters."- BCP Consultant

3.1.4 Document achievable recovery metrics (RTA/RPA)

30 minutes

Input

• Pilot BCP BIA.
• Draft recovery workflow.

Output

• RTA and RPA for each business process.

Materials

• Pilot BCP BIA.

Participants

• BCP Coordinator (facilitates the exercise)
• Business Process Subject Matter Experts (SMEs)
• Pilot Business Unit Manager

Add the following data to your copy of the BCP Business Impact Analysis Tool.

1. Estimate the recovery time achievable (RTA) for each process based on the required time for the process to be restored to a minimum acceptable functional level. Review your recovery workflow to identify this timeline. For example, if the full process from notification, assessment, and declaration to recovery and relocation would take a full day, set the RTA to 24 hours.
2. Estimate the recovery point achievable (RPA) for each process based on the maximum amount of data that could be lost. For example, if data on a particular system is backed up offsite once per day, and the onsite system was destroyed just before that backup began, the entire day’s data could be lost and the achievable RPO is 24 hours. Note: Enter a value of 9999 to indicate that data is unrecoverable.

Info-Tech Insight

Operating at a minimum acceptable functional level may not be feasible for more than a few days or weeks. Develop plans for immediate continuity first, then develop further plans for long-term continuity processes as required. Recognize that for longer term outages, you will evolve your plans in the crisis to meet the needs of the situation.

3.1.5 Test the workflow of other scenarios

1 hour

Input

• Draft recovery workflow.

Output

• Updated draft recovery workflow.

Materials

• Draft recovery workflow.
• Projector or screen.

Participants

• BCP Coordinator (facilitates the exercise)
• Business Process Subject Matter Experts (SMEs)
• Pilot Business Unit Manager

Work from and update the soft copy of your recovery workflow.

1. Would any steps change if the scenario changes? If yes, capture the different flow with a decision diamond. See the example Recovery Workflow for a workflow that uses decision diamonds. Identify any new gaps or risks you encounter with red and yellow cards.
2. Make sure the decision diamonds are as generalized as possible. For example, instead of creating a separate response plan for each scenario that would require you to relocate from your existing building, create one response plan for relocation and one response plan for remaining in place.
3. See the next section for some examples of different types of scenarios that you may include in your recovery workflow.

Info-Tech Insight

Remember that health and safety risks must be dealt with first in a crisis. The business unit recovery workflow will focus on restoring business operations after employees are no longer at risk (e.g. the risk has been resolved or employees have been safely relocated). See Implement Crisis Management Best Practices for ideas on how to respond to and assess a wide range of crises.

Not all scenarios will have full continuity plans

Risk management is a business decision. Business continuity planning can help decision makers understand and decide on whether to accept or mitigate high impact, low probability risks.

For some organizations, it’s not practical or possible to invest in the redundancy that would be necessary to recover in a timely manner from certain major events.

Leverage existing risk management practices to identify key high impact events that could present major business continuity challenges that could cause catastrophic disruptions to facility, IT, staffing, suppliers, or equipment. If you don’t have a risk register, review the scenarios on the next slide and brainstorm risks with the working group.

Work through tabletop planning to identify how you might work through an event like this, at a high level. In step 3.2, you can estimate the effort, cost, and benefit for different ideas that can help mitigate the damage to the business to help decision makers choose between investment in mitigation or accepting the risk.

Document any scenarios that you identify as outside the scope of your continuity plans in the “Scope” section of your BCP Summary document.

For example:

A single location manufacturing company is creating a BCP.

The factory is large and contains expensive equipment; it’s not possible to build a second factory for redundancy. If the factory is destroyed, operations can’t be resumed until the factory is rebuilt. In this case, the BCP outlines how to conduct an orderly business shutdown while the factory is rebuilt.

Contingency planning to resume factory operations after less destructive events, as well as a BCP for corporate services, is still practical and necessary.

Considerations for other BCP scenarios

Step 3.2

Identify and prioritize projects to close gaps

This step will walk you through the following activities:

• Brainstorm solutions to identified gaps and risks.
• Prioritize projects and action items to close gaps and risks.
• Assess the impact of proposed projects on the recovery workflow.

This step involves the following participants:

• BCP Coordinator
• Pilot Business Unit Manager
• Expert Business Unit Staff

In this step, you’ll use these tools and templates:

• BCP Project Roadmap

Outcomes & Insights

Identify and prioritize projects and action items that can improve business continuity capabilities.

3.2.1 Brainstorm solutions to address risks and gaps

1 hour

Input

• Draft recovery workflow.
• Known continuity risks and gaps.

Output

• Ideas for action items and projects to improve business continuity.

Materials

• Flipchart

Participants

• BCP Coordinator (facilitates the exercise)
• Business Process Subject Matter Experts (SMEs)
• Pilot Business Unit Manager

1. Review each of the risk and gap cards from the tabletop exercise.
2. As a group, brainstorm ideas to address gaps, mitigate risks, and improve resiliency. Write the list of ideas on a whiteboard or flip chart paper. The solutions can range from quick-wins and action items to major capital investments. The following slides can help you seed ideas to support brainstorming and idea generation.

Info-Tech Best Practice

Try to avoid debates about feasibility at this point. The goal is to get ideas on the board.

When you’re brainstorming solutions to problems, don’t stop with the first idea, even if the solution seems obvious. The first idea isn’t always the best or only solution – other ideas can expand on it and improve it.

Step 4: No formal process to declare a disaster and invoke business continuity.

Step 7: Alternate site could be affected by the same regional event as the main office.

Step 12: Need to confirm supplier service-level agreements (SLAs).

1. Continue to create BCP documentation.
2. Identify a third location for regional disasters.
3. Contact suppliers to confirm SLAs and validate alignment with RTOs/RPOs.
4. Add BCP requirements collection to service procurement process?

Discuss your remote work capabilities

With COVID-19, most organizations have experience with mass work-from-home.

Review the following case studies. Do they reflect your experience during the COVID-19 pandemic?

Unacceptable risk

• A small insurance company provided laptops to staff so they could work remotely.
• Complication: Cheque and print stock is a dependency and no plan was made to store check stock offsite in a secure fashion.

Key dependencies missing

• A local government provided laptops to key staff so they could work remotely.
• Complication: The organization didn’t currently own enough Citrix licenses for every user to be online concurrently.

Unable to serve customers

• The attestation and land services department of a local government agency provided staff with remote access to key apps.
• Complication: Their most critical business processes were designed to be in-person – they had no plan to execute these processes from home.

Consider where your own work-from-home plans fell short.

• Were your collaboration and communication solutions too difficult for users to use effectively?
• Did legacy infrastructure affect performance or limit capabilities? Were security concerns appropriately addressed?
• What challenges did IT face supporting business users on break-fix and new requests?
• Were there logistical needs (shipping/receiving, etc.) that weren’t met?
• Develop an updated plan to support work-from-home using Info-Tech’s BCP Relocation Checklists and Home Office Survey template, and integrate these into your overall BCP documentation. Stakeholders can easily appreciate the value of this plan since it’s relevant to recent experience.

Identify opportunities to improve continuity plans

What gaps in your continuity response could be addressed with better planning?

People

• Alternates are not identified
• Roles in a disaster are not formalized
• No internal/external crisis comm. strategy

→

• Identify people dependencies and alternates.
• Create response and management teams.
• Implement Crisis Management Best Practices.

Site & Facilities

• No alternate place of business or command center identified
• No formal planning or exercises to test alternate site viability

→

• Identify a viable secondary site and/or work-from-home plan, and develop a schedule for testing activities. Review in Step 3.3 of the Develop a Business Continuity Plan blueprint.

External Services & Suppliers

• Contingency plans for a disruption not planned or formalized
• No formal review of service-level agreements (SLAs)

→

• Contact key suppliers and vendors to establish SLAs, and ensure they meet requirements.
• Review supplier continuity plans.

Technology & Physical Assets

• No secondary site or redundancy for critical IT systems
• No documented end-to-end IT DR plan

→

• Create a Right-Sized DR Plan.
• Verify SLAs with key IT infrastructure and service providers and review their DRP.

Tool: BCP Project Roadmap

Prioritize and visualize BCP projects to present options to decision makers.

Not all BCP projects can be tackled at once. Enable decision makers to defer, rather than outright reject, projects that aren’t feasible at this time.

1. Configure the tool in Tab 1. Setup. Adjust criteria and definitions for criteria. Note that shaded columns are required for reporting purposes and can’t be modified.
2. Add projects and action items in Tab 2. Data Entry. Fields highlighted in red are all required for the dashboard to populate. All other fields are optional but will provide opportunities to track more detailed data on project ideas.
3. To generate the dashboard in Tab 3. Roadmap, open the Data ribbon and under Queries and Connections click Refresh All. You can now use the slicers on the right of the sheet.

Download Info-Tech’s BCP Project Roadmap Tool

Demonstrate BCP project impacts

Illustrate the benefits of proposed projects.

1. Review your recovery workflow.
2. Make updates to a second copy of the high-level outline to illustrate how the business response to a disaster scenario will change once proposed projects are complete.

• Remove steps that have been made unnecessary.
• Remove any risks or gaps that have been mitigated or addressed.
• Verify that proposed projects close gaps between acceptable and achievable recovery capabilities in the BIA tool.

Step 3.3

Evaluate business continuity site and command center options

This step will walk you through the following activities:

• Take a deep dive on the requirements for working from an alternate location.
• Assess different options for an alternate location.

This step involves the following participants:

• BCP Coordinator
• Pilot Business Unit Manager
• Expert Business Unit Staff

In this step, you’ll use these tools and templates:

• BCP Relocation Checklists

Outcomes & Insights

Identify requirements for an alternate business site.

Tool: Relocation Checklists

An alternate site could be another company building, a dedicated emergency operations center, or work-from-home. Use this tool to guide and prepare for any relocation exercise.

• Coordinate your response with the pre-populated checklists in Tabs 1 & 2, identify who’s responsible for items on the checklists, and update your recovery workflows to reflect new steps. When reviewing the checklist, consider what can be done to prepare ahead of a crisis.
  • For example, you may wish to create crisis communication templates to streamline crisis communications during a disaster.
• Calculate the effort required to provision equipment for relocated users in Tabs 3 & 4.
• Evaluate your options for alternate sites with the requirements matrix in Tab 5. Use your evaluation to identify how the organization could address shortcomings of viable options either ahead of time or at the time of an incident.

Download Info-Tech’s BCP Relocation Checklists

Create a checklist of requirements for an alternate site

Leverage the roll-up view, in tab 3, of dependencies required to create a list of requirements for an alternate site in tab 4.

1. The table on Tab 5 of the relocation checklists is pre-populated with some common requirements. Modify or replace requirements to suit your needs for an alternate business/office site. Be sure to consider distance, transportation, needed services, accessibility, IT infrastructure, security, and seating capacity at a minimum.
2. Don’t assume. Verify. Confirm anything that requires permissions from the site owner. What network providers have a presence in the building? Can you access the site 24/7 and conduct training exercises? What facilities and services are available? Are you guaranteed the space if needed?

"There are horror stories about organizations that assumed things about their alternate site that they later found out they weren’t true in practice." – Dr. Bernard Jones, MBCI CBCP

Info-Tech Insight

If you choose a shared location as a BCP site, a regional disaster may put you in competition with other tenants for space.

Identify a command center

For command center and alternate worksite selection, remember that most incidents are local and short term. Identify an onsite and an offsite command center.

1. For events where the building is not compromised, identify an onsite location, ideally with remote conferencing capabilities and planning and collaboration tools (projectors, whiteboards, flipcharts). The onsite location can also be used for BCM and crisis management meetings. Remember, most business continuity events are not regional or massively destructive.
2. For the offsite command center, select a location that is sufficiently far away from your normal business location to maintain separation from local incidents while minimizing commute time. However, consider a geographically distant option (e.g. more than 50 miles away) identified for those scenarios where it is a regional disaster, or plan to leverage online tools to create a virtual command center (see the Insight box below).
3. The first members of the Emergency Response Team to be notified of the incident will determine which location to use or whether a third alternative is required.

Info-Tech Insight

For many organizations, a dedicated command center (TVs on the wall, maps and charts in filing cabinets) isn’t necessary. A conference bridge and collaboration tools allowing everyone to work remotely can be an acceptable offsite command center as long as digital options can meet your command center requirements.

Create a plan for a return to normal

Operating in continuity mode for an extended period of time tends to result in higher costs and reduced business capabilities. It’s important to restore normal operations as soon as possible.

Advance planning can minimize risks and delays in returning to normal operations.

Leverage the methodology and tools in this blueprint to define your return to normal (repatriation) procedures:

1. Repeat the tabletop planning exercise to determine the repatriation steps and potential gaps. How will you return to the primary site from your alternate site? Does data need to be re-entered into core systems if IT services are down? Do you need to transfer job duties back to primary staff?
2. What needs to be done to address the gaps in the return to normal workflow? Are there projects or action items that could make return to normal easier?

For more on supporting a business move back to the office from the IT perspective, see Responsibly Resume IT Operations in the Office

Potential business impacts of ongoing operations at a failover site

• The cost of leasing alternate business worksites.
• Inability to deliver on strategic initiatives while in emergency/interim operations mode, resulting in lost business opportunities.
• A growing backlog of work that falls outside of emergency operations mode.
• Travel and accommodation costs if the alternate site is geographically remote.
• Additional vendor licensing and contract costs.

Phase 4

Extend the Results of the Pilot BCP and Implement Governance

Phase 4

4.1 Consolidate BCP pilot insights to support an overall BCP project plan

4.2 Outline a business continuity management (BCM) program

4.3 Test and maintain your BCP

Insights & Outcomes

Summarize and consolidate your initial insights and documentation. Create a project plan for overall BCP. Identify teams, responsibilities, and accountabilities, and assign documentation ownership. Integrate BCP findings in DR and crisis management practices. Set guidelines for testing, plan maintenance, training, and awareness.

Participants

• BCP Coordinator
• Pilot Business Unit Manager
• BCP Executive Sponsor

Step 4.1

Consolidate BCP pilot insights to support an overall BCP project plan

This step will walk you through the following activities:

• Summarize and consolidate outputs and key insights from the BCP pilot.
• Identify outputs from the pilot that can be re-used for the overall BCP.
• Create a project charter for an overall BCP.

This step involves the following participants:

• BCP Coordinator
• Pilot Business Unit Manager
• BCP Executive Sponsor

In this step, you’ll use these tools and templates:

• BCP Pilot Results Presentation
• BCP Summary

Outcomes & Insights

Present results from the pilot BCP, and outline how you’ll use the pilot process with other business units to create an overall continuity program.

Structure the overall BCP program.

Template: BCP Pilot Results Presentation

Highlight key findings from the BCP pilot to make the case for next steps.

• Highlight critical gaps or risks identified, any potential process improvements, and progress made toward improving overall BCP maturity through the pilot project. Summarize the benefits of the pilot project for an executive audience.
• Review process recovery objectives (RTO/RPO). Provide an overview of recovery capabilities (RTA/RPA). Highlight any significant gaps between objectives and capabilities.
• Propose next steps, including an overall BCP project and program, and projects and action items to remediate gaps and risks.
• Develop a project plan to estimate resource requirements for an overall BCP project prior to delivering this presentation. Quantifying required time and resources is a key outcome as it enables the remaining business units to properly scope and resource their BCP development activities and can help managers overcome the fear of the unknown.

Download Info-Tech’s BCP Pilot Results Presentation

Tool: BCP Summary

Sum up information from completed BCP documents to create a high-level BCP overview for auditors and executives.

The BCP Summary document is the capstone to business unit continuity planning exercises. It consolidates your findings in a short overview of your business continuity requirements, capabilities, and maintenance procedures.

Info-Tech recommends embedding hyperlinks within the Summary to the rest of your BCP documentation to allow the reader to drill down further as needed. Leverage the following documents:

• Business Impact Analysis
• BCP Recovery Workflows
• Business Process Workflows
• BCP Project Roadmap
• BCP Relocation Checklists
• Business Continuity Policy

Download Info-Tech’s BCP Summary Document

Reuse templates for additional exercises

The same methodology described in this blueprint can be repeated for each business unit. Also, many of the artifacts from the BCP pilot can be reused or built upon to give the remaining business units a head start. For example:

• BCP Pilot Project Charter Template. Make a copy to use as a base for the next business unit’s BCP project charter, and update the stakeholders/roles and milestone dates. The rest of the content can remain the same in most cases.
• BCP Reference Workbook. This tool contains information common to all business units and can be updated as needed.
• BCP Business Impact Analysis Tool. You may need to start a separate copy for each business unit to allow enough space to capture all business processes. However, use the same scoring scale to drive consistent assessments. In addition, the scoring completed by the pilot business unit provides an example and benchmark for assessing other business processes.
• BCP Recovery Workflow. The notification, assessment, and declaration steps can be standardized so remaining business units can focus primarily on recovery after a disaster is declared. Similarly, many of the steps related to alternate sites and IT workarounds will also apply to other business units.
• BCP Project Roadmap Tool. Many of the projects identified by the pilot business unit will also apply to other business units – update the list as needed.
• The Business Unit BCP Prioritization Tool, BCP Executive Presentation, and Business Continuity Policy Template do not need to be updated for each business unit.

Info-Tech Best Practice

You may need to create some artifacts that are site specific. For example, relocation plans or emergency plans may not be reusable from one site to another. Use your judgement to reuse as much of the templates as you can – similar templates simplify audit, oversight, and plan management.

Create an Overall BCP Project Charter

Modify the pilot project charter to encompass the larger BCP project.

Adjust the pilot charter to answer the following questions:

• How much time and effort should the rest of the project take, based on findings from the pilot? When do you expect to meet certain milestones? What outputs and outcomes are expected?
• In what order should additional business units complete their BCP? Who needs to be involved?
• What projects to address continuity gaps were identified during the pilot? What investments will likely be required?
• What additional documentation is required? This section and the appendix include templates to document your BCM Policy, Teams & Contacts, your notification procedures, and more.
• How does this integrate with the other areas of business resilience and continuity (IT disaster recovery planning and crisis management planning)?
• What additional activities, such as testing, are required?

Prioritize business units for further BCP activities.

As with the pilot, choose a business unit, or business units, where BCP will have the greatest impact and where further BCP activities will have the greatest likelihood of success. Prioritize business units that are critical to many areas of the business to get key results sooner.

Work with one business unit at a time if:

• Required resources from the business unit are available to focus on BCP full-time over a short period (one to two weeks).
• More hands-on guidance (less delegation) is needed.
• The business unit is large or has complex processes.

Work with several business units at the same time if:

• Required resources are only available sporadically over a longer period of time.
• Less guidance (more delegation) is possible.
• All business units are small and have well-documented processes.

Download Info-Tech’s Business Unit BCP Prioritization Tool

Step 4.2

Outline a Business Continuity Management (BCM) Program

This step will walk you through the following activities:

• Identify teams and roles for BCP and business continuity management.
• Identify individuals to fill key roles.

This step involves the following participants:

• BCP Coordinator
• Executive Sponsor

In this step, you’ll use these tools and templates:

• Business Continuity Teams and Roles Tool

Outcomes & Insights

Document BCP teams, roles, and responsibilities.

Document contact information, alternates, and succession rules.

Outline a Business Continuity Management Program

A BCM program, also known as a BCM system, helps structure business continuity activities and practices to deliver long-term benefits to your business.

A BCM program should:

• Establish who is responsible and accountable for BCP practices, activities, and documentation, and set documentation management practices.
• Define a process to improve plans. Review and update continuity requirements, suggest enhancements to recovery capabilities, and measure progress and improvements to the plan over time.
• Coordinate disaster recovery, business continuity, and crisis management planning outputs and practices.
• Communicate the value of the continuity program to the organization.

Develop a Business Continuity Management Program

Phase 4 of this blueprint will focus on the following elements of a business continuity management program:

• BCM Roles, Responsibilities, and Accountabilities
• BCM Document Management Practices
• Integrate BC, IT DR, Crisis Management, and Emergency Management
• Business Continuity Plan maintenance and testing
• Training and awareness

Schedule a call with an Info-Tech Analyst for help building out these core elements, and for advice on developing the rest of your BCM program.

Create BCM teams

Include a mix of strong leaders and strong planners on your BC management teams.

BC management teams (including the secondary teams such as the emergency response team) have two primary roles:

1. Preparation, Planning, and Governance: Conduct and consolidate business impact analyses. Review, and support the development of recovery workflows, including emergency response plans and business unit recovery workflows. Organize testing and training. Report on the state of the continuity plan.
2. Leadership During a Crisis: Coordinate and support the execution of business recovery processes. To meet these goals, each team needs a mix of skill sets.

Crisis leaders require strong crisis management skills:

• Ability to make quick decisions under pressure with incomplete information.
• Excellent verbal communication skills.
• Strong leadership skills. Calm in stressful situations.
• Team leaders are ideally, but not necessarily, those with the most senior title on each team. It’s more important that the team leader has the appropriate skill set.

Collectively, the team must include a broad range of expertise as well as strong planning skills:

• Diverse expertise to be able to plan for and respond to a wide range of potential incidents, from health and safety to reputational damage.
• Excellent organizational skills and attention to detail.
• Excellent written communication skills.

Note: For specific BC team roles and responsibilities, including key resources such as Legal, HR, and IT SMEs required to prepare for and execute crisis management plans, see Implement Crisis Management Best Practices.

Structure the BCM Team

Create a hierarchy of teams to govern and coordinate business continuity planning and crisis management.

BCM Team: Govern business continuity, DR, and crisis management planning. Support the organization’s response to a crisis, including the decision to declare a disaster or emergency.

Emergency Response Teams: Assist staff and BC teams during a crisis, with a focus first on health and safety. There’s usually one team per location. Develop and maintain emergency response plans.

Emergency Response Teams: Assist staff and BC teams during a crisis, with a focus first on health and safety. There’s usually one team per location. Develop and maintain emergency response plans.

IT Disaster Recovery Team: Manage the recovery of IT services and data following an incident. Develop and maintain the IT DRP.

Business Unit BCP Teams: Coordinate business process recovery at the business unit level. Develop and maintain business unit BCPs.

“Planning Mode”

Executive Team → BC Management Team ↓

• Emergency Response Teams (ERT)
• Crisis Management Team
• IT DR Management Team
• Business Unit BCP Teams

“Crisis Mode”

Executive Team ↔Crisis Management Team↓ ↔ Emergency Response Teams (ERT)

• BC Management Team
• IT DR Management Team
• Business Unit BCP Teams

For more details on specific roles to include on these teams, as well as more information on crisis management, review Info-Tech’s blueprint, Implement Crisis Management Best Practices.

Tool: BCM Teams, Roles, Contacts, and Vendors

Track teams, roles, and contacts in this template. It is pre-populated with roles and responsibilities for business continuity, crisis management, IT disaster recovery, emergency response, and vendors and suppliers critical to business operations.

• Expect overlap across teams. For example, the BC Management Team will include representation from each secondary team to ensure plans are in sync. Similarly, both the Crisis Communication Team and BC Management Team should include a representative from your legal team to ensure legal issues are considered in communications as well as overall crisis management.
• Clarify spending and decision authority for key members of each team during a crisis.

Track contact information in this template only if you don’t have a more streamlined way of tracking it elsewhere.

Download Info-Tech’s Business Continuity Teams and Roles Tool

Manage key vendors

Review supplier capabilities and contracts to ensure they meet your requirements.

Suppliers and vendors might include:

• Material shipments
• IT/telecoms service providers
• Integrators and business process outsourcing providers
• Independent contractors
• Utilities (power, water, etc.)

Supplier RTOs and RPOs should align with the acceptable RTOs and RPOs defined in the BIA. Where they do not, explore options for improvement.

Confirm the following:

1. The supplier’s own BC/DR capabilities – how they would recover their own operations in a disaster scenario.
2. Any continuity services the supplier provides – how they can help you recover your operations in a disaster scenario.
3. Their existing contractual obligations for service availability (e.g. SLAs).

Download Info-Tech’s BCP Supplier Evaluation Questionnaire

Organize your BCMS documentation

Your BCP isn’t any one document. It’s multiple documents that work together.

Continue to work through any additional required documentation. Build a repository where master copies of each document will reside and can be updated as required. Assign ownership of document management to someone with an understanding of the process (e.g. the BCP Coordinator).

Info-Tech Best Practice

Recovery documentation has a different audience, purpose, and lifecycle than governance documentation, and keeping the documents separate can help with content management. Disciplined document management keeps the plan current and accessible.

Align your IT DRP with your BCP

Use the following BCP outputs to inform your DRP:

• Business process technology dependencies. This includes technology not controlled by IT (e.g. cloud-based services).
• RTOs and RPOs for business processes.
• Technology projects identified by the business to improve resilience (e.g. improved mobility support).

Info-Tech Insight

Don’t think of inconsistencies between your DRP and BCP as a problem. Discrepancies between the plans are part of the discovery process, and they’re an opportunity to have a conversation that can improve alignment between IT service capabilities and business needs. You should expect that there will be discrepancies – managing discrepancies is part of the ongoing process to refine and improve both plans.

Schedule activities to keep BC and DR in sync

BC/DR Planning Workflow

1. Collect BCP outputs that impact IT DRP (e.g. technology RTOs/RPOs).

2. As BCPs are done, BCP Coordinator reviews outputs with IT DRP Management Team.

3. Use the RTOs/RPOs from the BCPs as a starting point to determine IT recovery plans.

4. Identify investments required to meet business-defined RTOs/RPOs, and validate with the business.

5. Create a DR technology roadmap to meet validated RTOs/RPOs.

6. Review and update business unit BCPs to reflect updated RTOs/RPOs.

Find and address shadow IT

Reviewing business processes and dependencies can identify workarounds or shadow IT solutions that weren’t visible to IT and haven’t been included in IT’s DR plan.

• If you identify technology process dependencies that IT didn’t know about, it can be an opportunity to start a conversation about service support. This can be a “teachable moment” to highlight the risks of adopting and implementing technology solutions without consulting IT.
• Highlight the possible impact of using technology services that aren’t supported by IT. For example:
  • RTOs and RPOs may not be in line with business requirements.
  • Costs could be higher than supported solutions.
  • Security controls may not be in line with compliance requirements.
  • IT may not be able to offer support when the service breaks or build new features or functionality that might be required in the future.
• Make sure that if IT is expected to support shadow IT solutions, these systems are included in the IT DRP and that the risks and costs of supporting the non-core solution are clear to all parties and are compared to an alternative, IT-recommended solutions.

Shadow IT can be a symptom of larger service support issues. There should be a process for requesting and tracking non-standard services from IT with appropriate technical, security, and management oversight.

Review and reprioritize BC projects to create an overall BC project roadmap

Assign the BCP Coordinator the task of creating a master list of BC projects, and then work with the BC management team to review and reprioritize this list, as described below:

1. Build a list of BC projects as you work with each business unit.
   1. Add proposed projects to a master copy of the BCP Project Roadmap Tool
   2. For each subsequent business unit, copy project names, scoring, and timelines into the master roadmap tool.
2. Work with the Executive Sponsor, the IT BCM representative, and the BCM team to review and reprioritize projects.
   1. In the master BCP Project Roadmap Tool, review and update project scoring, taking into account the relative importance of each project within the overall list. Rationalize the list (e.g. eliminate duplicate projects).
3. The project roadmap is a suggested list of projects at this stage. Assign a project sponsor and project manager (from the BC management team or appropriate delegates) to each project to take it through your organization’s normal project scoping and approval process.

Improving business continuity capabilities is a marathon, not a sprint. Change for the better is still change and introduces risk – massive changes introduce massive risk. Incremental changes help minimize disruption. Use Info-Tech research to deliver organizational change.

"Developing a BCP can be like solving a Rubik’s Cube. It’s a complex, interdepartmental concern with multiple and sometimes conflicting objectives. When you have one side in place, another gets pushed out of alignment." – Ray Mach, BCP Expert

Step 4.3

Test and maintain your BCP

This step will walk you through the following activities:

• Create additional documentation to support your business continuity plan.
• Create a repository for documentation, and assign ownership for BCP documentation.

This step involves the following participants:

• BCP Coordinator

In this step, you’ll use these tools and templates:

• BCP-DRP Maintenance Checklist

Outcomes & Insights

Create a plan to maintain the BCP.

Iterate on your plan

Tend your garden, and pull the weeds.

Mastery comes through practice and iteration. Iterating on and testing your plan will help you keep up to date with business changes, identify plan improvements, and help your organization’s employees develop a mindset of continuity readiness. Maintenance drives continued success; don’t let your plan become stagnant, messy, and unusable.

Your BCM program should structure BCP reviews and updates by answering the following:

1. When do we review the plan?
2. What are the goals of a review?
3. Who must lead reviews and update BCP documents?
4. How do we track reviews, tests, and updates?

Structure plan reviews

There are more opportunities for improvements than just planned reviews.

At a minimum, review goals should include:

1. Identify and document changes to BCP requirements.
2. Identify and document changes to BCP capabilities.
3. Identify gaps and risks and ways to remediate risks and close gaps.

Who leads reviews and updates documents?

The BCP Coordinator is likely heavily involved in facilitating reviews and updating documentation, at least at first. Look for opportunities to hand off document ownership to the business units over time.

How do we track reviews, tests, and updates?

Keep track of your good work by keeping a log of document changes. If you don’t have one, you can use the last tab on the BCP-DRP Maintenance Checklist.

When do we review the plan?

1. Scheduled reviews: At a minimum, plan reviews once a year. Plan owners should review the documents, identify needed updates, and notify the coordinator of any changes to their plan.
2. As-needed reviews: Project launches, major IT upgrades, office openings or moves, organizational restructuring – all of these should trigger a BCP review.
3. Testing exercises: Schedule controlled exercises to test and improve different aspects of your continuity plan, and ensure that lessons learned become part of plan documentation.
4. Retrospectives: Take the opportunity to learn from actual continuity events and crises by conducting retrospectives to evaluate your response and brainstorm improvements.

Conduct a retrospective after major incidents

Use a retrospective on your COVID-19 response as a starting point. Build on the questions below to guide the conversation.

• If needed, how did we set up remote work for our users? What worked, and what didn’t?
• Did we discover any long-term opportunities to improve business processes?
• Did we use any continuity plans we have documented?
• Did we effectively prioritize business processes for recovery?
• Were expectations from our business users in line with our plans?
• What parts of our plan worked, and where can we improve the plan?

1. Gather stakeholders and team members
2. Ask:
   1. What happened?
   2. What did we learn?
   3. What did we do well?
   4. What should we have done differently?
   5. What gaps should we take action to address?
3. Prepare a plan to take action

Outcomes and benefits

• Confirm business priorities.
• Validate that business recovery solutions and procedures are effective in meeting business requirements (i.e. RTOs and RPOs).
• Identify gaps in continuity resources, procedures, or documentation, and options to close gaps.
• Build confidence in the response team and recovery capabilities.

Tool: Testing and Maintenance Schedule

Build a light-weight maintenance schedule for your BCP and DRP plans.

This tool helps you set a schedule for plan update activities, identify document and exercise owners, and log updates for audit and governance purposes.

• Add the names of your documents and brainstorm update activities.
• Activities (document updates, testing, etc.) might be scheduled regularly, as-needed, or both. If they happen “as needed,” identify the trigger for the activity.
• Start tracking past activities and resulting changes in Tab 3. You can also track crises that tested your continuity capabilities on this tab.

Info-Tech Insight

Everyone gets busy. If there’s a meeting you can schedule months in advance, schedule it months in advance! Then send reminders closer to the date. As soon as you’re done the pilot BCP, set aside time in everyone’s calendar for your first review session, whether that’s three months, six months, or a year from now.

Appendix

Additional BCP Tools and Templates

Template Library: Business Continuity Policy

Create a high-level policy to govern BCP and clarify BCP requirements.

Use this template to:

• Outline the organizational commitment to BCM.
• Clarify the mandate to prepare, validate, and maintain continuity plans that align with business requirements.
• Define specific policy statements that signatories to the policy are expected to uphold.
• Require key stakeholders to review and sign off on the template.

Download Info-Tech’s Business Continuity Policy template

Template Library: Workarounds & Recovery Checklists

Capture the step-by-step details to execute workarounds and steps in the business recovery process.

If you require more detail to support your recovery procedures, you can use this template to:

• Record specific steps or checklists to support specific workarounds or recovery procedures.
• Identify prerequisites for workarounds or recovery procedures.

Download Info-Tech’s BCP Process Workarounds & Recovery Checklists Template

Template Library: Notification, Assessment, Declaration

Create a procedure that outlines the conditions for assessing a disaster situation and invoking the business continuity plan.

Use this template to:

• Guide the process whereby the business is notified of an incident, assesses the situation, and declares a disaster.
• Set criteria for activating business continuity plans.
• Review examples of possible events, and suggest options on how the business might proceed or react.

Download Info-Tech’s BCP Notification, Assessment, and Disaster Declaration Plan template

Template Library: BCP Recovery Workflow Example

Review an example of BCP recovery workflows.

Use this template to:

• Generate ideas for your own recovery processes.
• See real examples of recovery processes for warehousing, supply, and distribution operations.
• Review an example of working BCP documentation.

Download Info-Tech’s BCP Recovery Workflows Example

Create a Pandemic Response Plan

If you’ve been asked to build a pandemic-specific response plan, use your core BCP findings to complete these pandemic planning documents.

• At the onset of the COVID-19 crisis, IT departments were asked to rapidly ramp up work-from-home capabilities and support other process workarounds.
• IT managers already knew that obstacles to working from home would go beyond internet speed and needing a laptop. Business input is critical to uncover unexpected obstacles.
• IT needed to address a range of issues from security risk to increased service desk demand from users who don’t normally work from home.
• Workarounds to speed the process up had to be balanced with good IT practices and governance (Asset Management, Security, etc.)
• If you’ve been asked to update your Pandemic Response Plan, use this template and your core BCP deliverables to deliver a set of streamlined documentation that draws on lessons learned from the COVID-19 pandemic.

Structure HR’s role in the pandemic plan

Leverage the following materials from Info-Tech’s HR-focused sister company, McLean & Company.

These HR research resources live on the website of Info-Tech’s sister company, McLean & Company. Contact your Account Manager to gain access to these resources.

• Crisis Communication Guides for HR: Communicate calmly and transparently, and reinforce the business continuity plan.
• Launch Emergency Work-from-Home: A short guide to supporting a remote workforce during the COVID-19 pandemic – or any rapid relocation to the home office.
• Bring Employees Back to the Workplace Amid the COVID-19 Pandemic Storyboard: Balance the need for physical distancing with the business need for customer interaction, travel, in-person collaboration, and other activities that are higher-risk during a pandemic.
• The Essential COVID-19 Child Care Policy for Every Organization, Yesterday: A holistic strategy for HR practitioners to use in support of managers and employees who are integrating expanded dependent caregiving responsibilities with working from home during a pandemic.

Summary of Accomplishment

Knowledge Gained

This blueprint outlined:

• The streamlined approach to BCP development.
• A BIA process to identify acceptable, appropriate recovery objectives.
• Tabletop planning exercises to document and validate business recovery procedures.

Processes Optimized

• Business continuity development processes were optimized, from business impact analysis to incident response planning.
• In addition, pilot business unit processes were identified and clarified to support BCP development, which also provided the opportunity to review and optimize those processes.

Key Deliverables Completed

• Core BCP deliverables for the pilot business unit, including a business impact analysis, recovery workflows, and a project roadmap.
• BCP Executive Presentation to communicate pilot results as well as a summary of the methodology to the executive team.
• BCP Summary to provide a high-level view of BCP scope, objectives, capabilities, and requirements.

If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech workshop.

Contact your account representative for more information.

workshops@infotech.com

1-888-670-8889

Research Contributors and Experts

Dr. Bernard A. Jones, MBCI, CBCP

Professor and Continuity Consultant Berkeley College

Dr. Jones is a professor at Berkeley College within the School of Professional Studies teaching courses in Homeland Security and Emergency Management. He is a member of the National Board of Directors for the Association of Continuity Professionals (ACP) as well as the Information & Publications Committee Chair for the Garden State Chapter of the ACP. Dr. Jones earned a doctorate degree in Civil Security Leadership, Management & Policy from New Jersey City University where his research focus was on organizational resilience.

Kris L. Roberson

Disaster Recovery Analyst Veterans United Home Loans

Kris Roberson is the Disaster Recovery Analyst for Veterans United Home Loans, the #1 VA mortgage lender in the US. Kris oversees the development and maintenance of the Veterans United Home Loans DR program and leads the business continuity program. She is responsible for determining the broader strategies for DR testing and continuity planning, as well as the implementation of disaster recovery and business continuity technologies, vendors, and services. Kris holds a Masters of Strategic Leadership with a focus on organizational change management and a Bachelors in Music. She is a member of Infragard, the National Association of Professional Women, and Sigma Alpha Iota, and holds a Project+ certification.

Trevor Butler

General Manager of Information Technology City of Lethbridge

As the General Manager of Information Technology with the City of Lethbridge, Trevor is accountable for providing strategic management and advancement of the city’s information technology and communications systems consistent with the goals and priorities of the corporation while ensuring that corporate risks are appropriately managed. He has 15+ years of progressive IT leadership experience, including 10+ years with public sector organizations. He holds a B.Mgt. and PMP certification along with masters certificates in both Project Management and Business Analysis.

Robert Miller

Information Services Director Witt/Kieffer

Bob Miller is the Information Services Director at Witt/Kieffer. His department provides end-user support for all company-owned devices and software for Oak Brook, the regional offices, home offices, and traveling employees. The department purchases, implements, manages, and monitors the infrastructure, which includes web hosting, networks, wireless solutions, cell phones, servers, and file storage. Bob is also responsible for the firm’s security planning, capacity planning, and business continuity and disaster preparedness planning to ensure that the firm has functional technology to conduct business and continue business growth.

Related Info-Tech Research

Create a Right-Sized Disaster Recovery Plan

Close the gap between your DR capabilities and service continuity requirements.

Create Visual SOP Documents that Drive Process Optimization, Not Just Peace of Mind

Go beyond satisfying auditors to drive process improvement, consistent IT operations, and effective knowledge transfer.

Select the Optimal Disaster Recovery Deployment Model

Determine which deployment models, including hybrid solutions, best meet your DR requirements.

Bibliography

“Business Continuity Planning.” IT Examination HandBook. The Federal Financial Institution Examination Council (FFIEC), February 2015. Web.

“Business Continuity Plans and Emergency Contact Information.” FINRA, 12 February 2015. Web.

“COBIT 5: A Business Framework for the Governance and Management of Enterprise IT.” ISACA, n.d. Web.

Disaster Resource GUIDE. Emergency Lifeline Corporation, n.d. Web.

“DR Rules & Regulations.” Disaster Recovery Journal, March 2017. Web.

“Federal Information Security Management Act (FISMA).” Homeland Security, 2014. Web.

FEMA. “Planning & Templates.” FEMA, n.d. Web.

“FINRA-SEC-CFTC Joint Advisory (Regulatory Notice 13-25).” FINRA, August 2013. Web.

Gosling, Mel and Andrew Hiles. “Business Continuity Statistics: Where Myth Meets Fact.” Continuity Central, 24 April 2009. Web.

Hanwacker, Linda. “COOP Templates for Success Workbook.” The LSH Group, 2016. Web.

Potter, Patrick. “BCM Regulatory Alphabet Soup – Part Two.” RSA Link, 28 August 2012. Web.

The Good Practice Guidelines. Business Continuity Institute, 2013. Web.

Wang, Dashun and James A. Evans. “When Small Teams are Better than Big Ones.” Harvard Business Review, 21 February 2019. Web.