Business Continuity Plan

Presentation on theme: "Business Continuity Plan" - Presentation transcript:

1 Business Continuity Plan

2 Business continuity planning

3 Business continuity planning
A business continuity plan is a roadmap for continuing operations under adverse conditions such as a storm or a crime.

4 Business continuity planning
Any event that could impact operations is included, such as supply chain interruption, loss of or damage to critical infrastructure (major machinery or computing/network resource). As such, risk management must be incorporated as part of BCP.

5 Business continuity planning
In December 2006, the British Standards Institution (BSI) released an independent standard for BCP, BS 25999. Prior to the introduction of BS 25999, BCP professionals relied on the information security standard BS 7799, which only peripherally addressed BCP, to improve an organization's information security procedures. BS 25999's applicability extends to all organizations. In 2007, the BSI published BS "Specification for Business Continuity Management", which specifies requirements for implementing, operating and improving a documented business continuity management system (BCMS).

6 Business continuity planning
Business continuity management is standardised across the UK by British Standards (BS) through BS :2007 and BS :2006. BS :2007 business continuity management is the British Standard for business continuity management across all organizations. This includes industry and its sectors. The standard provides a best practice framework to minimize disruption during unexpected events that could bring business to a standstill. The document gives you a practical plan to deal with most eventualities – from extreme weather conditions to terrorism, IT system failure and staff sickness. (British Standards Institution, 2006)

7 Business continuity planning
This document was superseded in November 2012 by the British standard BS ISO22301:2012. (British Standards Institution, 2012)

8 Business continuity planning
In 2004, following crises in the preceding years, the UK government passed the Civil Contingencies Act 2004 (The Act). This provides the legislation for civil protection in the UK.

9 Business continuity planning
The Act is separated into two distinct parts. Part 1 focuses on local arrangements for civil protection, establishing a statutory framework of roles and responsibilities for local responders. Part 2 focuses on emergency powers, establishing a modern framework for the use of special legislative measures that might be necessary to deal with the effects of the most serious emergencies.

10 Business continuity planning
The Act is telling responders and planners that businesses need to have continuity planning measures in place in order to survive and continue to thrive whilst working towards keeping the incident as minimal as possible. (Cabinet Office, 2004)

11 Business continuity planning - Business impact analysis (BIA)
A Business impact analysis (BIA) differentiates critical (urgent) and non-critical (non-urgent) organization functions/activities. Critical functions are those whose disruption is regarded as unacceptable. Perceptions of acceptability are affected by the cost of recovery solutions. A function may also be considered critical if dictated by law. For each critical (in scope) function, two values are then assigned:

12 Business continuity planning - Business impact analysis (BIA)
Recovery Time Objective (RTO) – the acceptable amount of time to restore the function

13 Business continuity planning - Business impact analysis (BIA)
The recovery point objective must ensure that the maximum tolerable data loss for each activity is not exceeded. The Recovery Time Objective must ensure that the Maximum Tolerable Period of Disruption (MTPoD) for each activity is not exceeded.
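The two constraints above (RTO within MTPoD, RPO within the maximum tolerable data loss) and the later check that a proposed solution actually delivers them can be written down as a small BIA validator. The following is an added example, not part of the presentation; the function names, field names and sample hours are all constructed here.

```python
from dataclasses import dataclass
from typing import Dict, List

# Constructed BIA record for one critical (in-scope) function: the two assigned
# values (RTO, RPO) plus the tolerances they must not exceed.
@dataclass(frozen=True)
class CriticalFunction:
    name: str
    rto_hours: float            # Recovery Time Objective
    rpo_hours: float            # Recovery Point Objective
    mtpod_hours: float          # Maximum Tolerable Period of Disruption
    max_data_loss_hours: float  # maximum tolerable data loss

# A candidate solution as the solution design phase would describe it.
@dataclass(frozen=True)
class RecoverySolution:
    function: str
    restore_hours: float          # time the restore actually takes
    backup_interval_hours: float  # worst-case data loss between backups


def check_objectives(fn: CriticalFunction) -> List[str]:
    """The BIA's own values: RTO within MTPoD, RPO within tolerable data loss."""
    findings = []
    if fn.rto_hours > fn.mtpod_hours:
        findings.append(f"{fn.name}: RTO {fn.rto_hours}h exceeds MTPoD {fn.mtpod_hours}h")
    if fn.rpo_hours > fn.max_data_loss_hours:
        findings.append(f"{fn.name}: RPO {fn.rpo_hours}h exceeds tolerable data loss "
                        f"{fn.max_data_loss_hours}h")
    return findings


def check_solution(fn: CriticalFunction, sol: RecoverySolution) -> List[str]:
    """Whether the proposed solution can actually deliver the function's RTO and RPO."""
    findings = []
    if sol.restore_hours > fn.rto_hours:
        findings.append(f"{fn.name}: restore takes {sol.restore_hours}h, RTO is {fn.rto_hours}h")
    if sol.backup_interval_hours > fn.rpo_hours:
        findings.append(f"{fn.name}: backup every {sol.backup_interval_hours}h, RPO is {fn.rpo_hours}h")
    return findings


def assess(functions: List[CriticalFunction],
           solutions: List[RecoverySolution]) -> Dict[str, List[str]]:
    """Findings per function; an empty list means its recovery requirements hold."""
    by_name = {s.function: s for s in solutions}
    report = {}
    for fn in functions:
        findings = check_objectives(fn)
        sol = by_name.get(fn.name)
        if sol is None:
            findings.append(f"{fn.name}: no recovery solution proposed")
        else:
            findings.extend(check_solution(fn, sol))
        report[fn.name] = findings
    return report


# Constructed sample data: three critical functions, two proposed solutions.
FUNCTIONS = [
    CriticalFunction("order processing", 4, 0.5, 8, 1),
    CriticalFunction("payroll", 48, 24, 72, 24),
    CriticalFunction("customer portal", 12, 2, 8, 1),
]
SOLUTIONS = [
    RecoverySolution("order processing", restore_hours=6, backup_interval_hours=0.25),
    RecoverySolution("payroll", restore_hours=24, backup_interval_hours=24),
]
```

Running `assess(FUNCTIONS, SOLUTIONS)` flags the order-processing restore as slower than its RTO, and the customer portal both for objectives that exceed their tolerances and for having no solution at all, which is the kind of finding that sends a plan back to the analysis phase.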

14 Business continuity planning - Business impact analysis (BIA)
Next, the impact analysis results in the recovery requirements for each critical function. Recovery requirements consist of the following information:

15 Business continuity planning - Business impact analysis (BIA)
The business requirements for recovery of the critical function, and/or

16 Business continuity planning - Business impact analysis (BIA)
The technical requirements for recovery of the critical function

17 Business continuity planning - Threat and risk analysis (TRA)
After defining recovery requirements, each potential threat may require unique recovery steps. Common threats include:

18 Business continuity planning - Threat and risk analysis (TRA)
The impact of an epidemic can be regarded as purely human, and may be alleviated with technical and business solutions. However, if the people behind these plans are themselves affected by the disease, the process can stumble.

19 Business continuity planning - Threat and risk analysis (TRA)
During the 2002–2003 SARS outbreak, some organizations grouped staff into separate teams, and rotated the teams between primary and secondary work sites, with a rotation frequency equal to the incubation period of the disease. The organizations also banned face-to-face intergroup contact during business and non-business hours. The split increased resiliency against the threat of quarantine measures if one person in a team was exposed to the disease.

20 Business continuity planning - Impact scenarios
After defining threats, impact scenarios form the basis of the business recovery plan. In general, planning for the most wide-reaching impact is preferable. A typical impact scenario such as "building loss" encompasses most critical business functions. A BCP may document scenarios for each building. More localized impact scenarios – for example loss of a specific floor in a building – may also be documented.

21 Business continuity planning - Recovery requirement
After the analysis phase, business and technical recovery requirements precede the solutions phase. Asset inventories allow for quick identification of deployable resources. For an office-based, IT-intensive business, the plan requirements may cover desks, human resources, applications, data, manual workarounds, computers and peripherals.

22 Business continuity planning - Recovery requirement
Other business environments, such as production, distribution, warehousing, etc., will need to cover these elements but are likely to have additional issues.

23 Business continuity planning - Solution design
The solution design phase identifies the most cost-effective disaster recovery solution that meets two main requirements from the impact analysis stage. For IT purposes, this is commonly expressed as the minimum application and data requirements and the time in which the minimum application and application data must be available.

24 Business continuity planning - Solution design
Outside the IT domain, the preservation of hard-copy information such as contracts, the availability of skilled staff, and the restoration of embedded technology in a process plant must be considered. This phase overlaps with disaster recovery planning methodology. The solution phase determines:

25 Business continuity planning - Solution design
crisis management command structure

26 Business continuity planning - Solution design
telecommunication architecture between primary and secondary work sites

27 Business continuity planning - Solution design
applications and data required at the secondary work site, and

28 Business continuity planning - Solution design
physical data requirements at the secondary work site.

29 Business continuity planning - Implementation
The implementation phase involves policy changes, material acquisitions, staffing and testing.

30 Business continuity planning - Testing and organizational acceptance
The purpose of testing is to achieve organizational acceptance that the solution satisfies the recovery requirements. Plans may fail to meet expectations due to insufficient or inaccurate recovery requirements, solution design flaws or solution implementation errors. Testing may include:

31 Business continuity planning - Testing and organizational acceptance
Crisis command team call-out testing

32 Business continuity planning - Testing and organizational acceptance
At minimum, testing is conducted on a biannual schedule.

33 Business continuity planning - Testing and organizational acceptance
The 2008 book Exercising for Excellence, published by The British Standards Institution identified three types of exercises that can be employed when testing business continuity plans.

34 Business continuity planning - Tabletop exercises
Tabletop exercises typically involve a small number of people and concentrate on a specific aspect of a BCP. They can easily accommodate complete teams from a specific area of a business.

35 Business continuity planning - Tabletop exercises
Another form involves a single representative from each of several teams. Typically, participants work through a simple scenario and then discuss specific aspects of the plan. For example, a fire is discovered out of working hours.

36 Business continuity planning - Tabletop exercises
The exercise consumes only a few hours and is often split into two or three sessions, each concentrating on a different theme.

37 Business continuity planning - Medium exercises
A medium exercise is conducted within a "Virtual World" and brings together several departments, teams or disciplines. It typically concentrates on multiple BCP aspects, prompting interaction between teams. The scope of a medium exercise can range from a few teams from one organisation co-located in one building to multiple teams operating across dispersed locations. The environment needs to be as realistic as practicable and team sizes should reflect a realistic situation. Realism may extend to simulated news broadcasts and websites.

38 Business continuity planning - Medium exercises
A medium exercise typically lasts a few hours, though it can extend over several days. It typically involves a "Scenario Cell" that adds pre-scripted "surprises" throughout the exercise.

39 Business continuity planning - Complex exercises
A complex exercise aims to have as few boundaries as possible. It incorporates all the aspects of a medium exercise. The exercise remains within a virtual world, but maximum realism is essential. This might include no-notice activation, actual evacuation and actual invocation of a disaster recovery site.

40 Business continuity planning - Complex exercises
While start and stop times are pre-agreed, the actual duration might be unknown if events are allowed to run their course.

41 Business continuity planning - Maintenance
The biannual or annual maintenance cycle of a BCP manual is broken down into three periodic activities.

42 Business continuity planning - Maintenance
Confirmation of information in the manual, roll out to staff for awareness and specific training for critical individuals.

43 Business continuity planning - Maintenance
Testing and verification of technical solutions established for recovery operations.

44 Business continuity planning - Maintenance
Testing and verification of organization recovery procedures.

45 Business continuity planning - Maintenance
Issues found during the testing phase often must be reintroduced to the analysis phase.

46 Business continuity planning - Information/targets
The BCP manual must evolve with the organization. Activating the call tree verifies the notification plan's efficiency as well as contact data accuracy. Types of changes that should be identified and updated in the manual include:

47 Business continuity planning - Information/targets
Organization structure changes

48 Business continuity planning - Information/targets
Communication and transportation infrastructure such as roads and bridges
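The "activating the call tree" check above measures two things at once: how long the notification chain takes (efficiency) and which contact records are wrong (accuracy). The simulation below is an added example, not the presentation's own material; the call tree, the drill responses and the assumed one-minute cost of an unanswered call are all constructed.

```python
from typing import Dict, List, Optional, Tuple

# Constructed call tree: each person and the contacts they must notify.
CALL_TREE: Dict[str, List[str]] = {
    "crisis lead": ["it manager", "facilities manager"],
    "it manager": ["dba", "network engineer"],
    "facilities manager": ["site security"],
    "dba": [],
    "network engineer": [],
    "site security": [],
}

# Constructed drill outcome: minutes until each contact answered, or None when
# the number on file was wrong or unanswered (a contact-data accuracy finding).
DRILL_RESPONSES: Dict[str, Optional[int]] = {
    "it manager": 3, "facilities manager": None,
    "dba": 5, "network engineer": 2, "site security": 4,
}

FAILED_ATTEMPT_MIN = 1  # assumed time spent on a call that goes unanswered


def run_call_tree_drill(tree: Dict[str, List[str]],
                        responses: Dict[str, Optional[int]],
                        root: str, target_minutes: int) -> dict:
    """Simulate activation from `root`. A reached contact phones their own branch
    in parallel; an unreachable contact's branch is picked up by whoever called them."""
    reached_at: Dict[str, int] = {root: 0}
    unreachable: List[Tuple[str, str]] = []  # (contact, caller who tried)

    def place_calls(caller: str, clock: int, callees: List[str]) -> int:
        # One caller phones their list sequentially, so their clock advances per call.
        for contact in callees:
            answer = responses.get(contact)
            if answer is None:
                clock += FAILED_ATTEMPT_MIN
                unreachable.append((contact, caller))
                clock = place_calls(caller, clock, tree.get(contact, []))  # escalate
            else:
                clock += answer
                reached_at[contact] = clock
                place_calls(contact, clock, tree.get(contact, []))  # parallel branch
        return clock

    place_calls(root, 0, tree.get(root, []))
    total = max(reached_at.values())
    return {
        "reached_at": reached_at,        # when each contact was notified
        "unreachable": unreachable,      # contact data to correct in the manual
        "total_minutes": total,          # how efficient the notification plan was
        "meets_target": total <= target_minutes and not unreachable,
    }
```

With the constructed data the tree completes in 10 minutes but fails the drill, because the facilities manager's record is wrong and the crisis lead had to call site security directly; fixing that one record is exactly the manual update the slide asks for.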

49 Business continuity planning - Technical
Specialized technical resources must be maintained. Checks include:

50 Business continuity planning - Technical
Application security and service patch distribution

51 Business continuity planning - Testing and verification of recovery procedures
As work processes change, previous recovery procedures may no longer be suitable. Checks include:

52 Business continuity planning - Testing and verification of recovery procedures
Are all work processes for critical functions documented?

53 Business continuity planning - Testing and verification of recovery procedures
Have the systems used for critical functions changed?

54 Business continuity planning - Testing and verification of recovery procedures
Are the documented work checklists meaningful and accurate?

55 Business continuity planning - Testing and verification of recovery procedures
Do the documented work process recovery tasks and supporting disaster recovery infrastructure allow staff to recover within the predetermined recovery time objective?

56 Business continuity planning - Notes
Elliot, D.; Swartz, E.; Herbane, B. (1999). Just waiting for the next big bang: business continuity planning in the UK finance sector. Journal of Applied Management Studies, Vol. 8, No., pp. 43–60. Here: p. 48.

57 Business continuity planning - Notes
Intrieri, Charles (10 September 2013). "Business Continuity Planning". Flevy. Retrieved 29 September 2013.

58 Business continuity planning - Notes
British Standards Institution (2006). Business continuity management - Part 1: Code of practice. London.

59 Business continuity planning - Notes
British Standards Institution (2012). Societal security - Business continuity management systems - Requirements. London.

60 Business continuity planning - Notes
Cabinet Office (2004). Civil Contingencies Act 2004: a short overview of the Act. London: Civil Contingencies Secretariat.

61 Business continuity planning - Bibliography
Business Continuity Planning, FEMA, Retrieved: June 16, 2012

62 Business continuity planning - Bibliography
Continuity of Operations Planning (no date). U.S. Department of Homeland Security. Retrieved July 26, 2006.

63 Business continuity planning - Bibliography
Purpose of Standard Checklist Criteria For Business Recovery (no date). Federal Emergency Management Agency. Retrieved July 26, 2006.

64 Business continuity planning - Bibliography
NFPA 1600 Standard on Disaster/Emergency Management and Business Continuity Programs — PDF (2010). National Fire Protection Association.

65 Business continuity planning - Bibliography
United States General Accounting Office Y2k BCP Guide (August 1998). United States Government Accountability Office.

66 Business continuity planning - International Organization for Standardization
ISO/IEC 27001:2005 (formerly BS :2002) Information Security Management System

67 Business continuity planning - International Organization for Standardization
ISO/IEC 27002:2005 (renumbered from ISO17999:2005) Information Security Management – Code of Practice

68 Business continuity planning - International Organization for Standardization
ISO/IEC 27031:2011 Information technology - Security techniques - Guidelines for information and communication technology readiness for business continuity

69 Business continuity planning - International Organization for Standardization
ISO/PAS 22399:2007 Guideline for incident preparedness and operational continuity management

70 Business continuity planning - International Organization for Standardization
ISO/IEC 24762:2008 Guidelines for information and communications technology disaster recovery services

71 Business continuity planning - International Organization for Standardization
ISO 22301:2012 Societal security - Business continuity management systems - Requirements

72 Business continuity planning - International Organization for Standardization
ISO 22313:2012 Societal security - Business continuity management systems - Guidance

73 Business continuity planning - British Standards Institution
BS :2006 Business Continuity Management Part 1: Code of practice

74 Business continuity planning - Others
"A Guide to Business Continuity Planning" by James C. Barnes

75 Business continuity planning - Others
"Business Continuity Planning", A Step-by-Step Guide with Planning Forms on CDROM by Kenneth L Fulmer

76 Business continuity planning - Others
"Business Continuity Plan Design, 8 Steps for Getting Started Designing a Plan" By Richard Kepenach

77 Business continuity planning - Others
"Disaster Survival Planning: A Practical Guide for Businesses" by Judy Bell

78 Business continuity planning - Others
Harney, J. (2004). Business continuity and disaster recovery: Back up or shut down.

79 Business continuity planning - Others
Dimattia, S. (November 15, 2001). Planning for Continuity. Library Journal, 32–34.

80 Business continuity planning - Others
Exercising for Excellence (Delivering successful business continuity management exercises) by Crisis Solutions

81 Crisis management - Business continuity planning
When a crisis will undoubtedly cause a significant disruption to an organisation, a business continuity plan can help minimize the disruption.

82 Crisis management - Business continuity planning
Each critical function and/or process must have its own contingency plan in the event that it ceases or fails; the business/organisation is then more resilient, which in itself provides a mechanism to lessen the possibility of having to invoke recovery plans (Osborne, 2007). Testing these contingency plans by rehearsing the required actions in a simulation will allow those involved to become more acutely aware of the possibility of a crisis. As a result, in the event of an actual crisis, the team members will act more quickly and effectively.

83 Crisis management - Business continuity planning
A note of caution when planning training scenarios: all too often simulations lack ingenuity and an appropriate level of realism, and as a consequence potentially lose their training value. This can be improved by employing external exercise designers who are not part of the organisational culture and are able to test an organisation's response to crisis, in order to bring about a crisis of confidence for those who manage vital systems (Borodzicz, Edward P. (2005). Risk, Crisis and Security Management).

84 Crisis management - Business continuity planning
Following a simulation exercise, a thorough and systematic debriefing must be conducted as a key component of any crisis simulation. Its purpose is to create a link between, and draw lessons from, the simulated representation and the reality of the real world (Borodzicz, 2005).

85 Crisis management - Business continuity planning
The whole process relating to business continuity planning should be periodically reviewed to identify any changes that may invalidate the current plan (Osborne, 2007).

86 Facility management - Business continuity planning
All organisations should have in place a continuity plan so that in the event of a fire or major failure the business can recover quickly. In large organisations it may be that the staff move to another site that has been set up to model the existing operation. The facilities management department would be one of the key players should it be necessary to move the business to a recovery site.

87 Disaster recovery plan - Relationship to the Business Continuity Plan
The Institute further states that a Business Continuity Plan (BCP) consists of the five component plans (Chad Bahan, The Disaster Recovery Plan):

88 Disaster recovery plan - Relationship to the Business Continuity Plan
* Business Resumption Plan

89 Disaster recovery plan - Relationship to the Business Continuity Plan
* Continuity of Operations Plan

90 Disaster recovery plan - Relationship to the Business Continuity Plan
The Institute states that the first three plans (Business Resumption, Occupant Emergency, and Continuity of Operations Plans) do not deal with the IT infrastructure. They further state that the Incident Management Plan (IMP) does deal with the IT infrastructure, but since it establishes structure and procedures to address cyber attacks against an organization’s IT systems, it generally does not represent an agent for activating the Disaster Recovery Plan, leaving The Disaster Recovery Plan as the only BCP component of interest to IT.

91 Disaster recovery plan - Relationship to the Business Continuity Plan
The Disaster Recovery Institute International states that disaster recovery is the area of business continuity that deals with technology recovery as opposed to the recovery of business operations. (Disaster Recovery Institute International. Course BCLE Participant Guide: Professional Practice 6. Page)

93 Emergency procedure - Business Continuity Planning
Business continuity planning may also feed off the emergency procedures, enabling an organization to identify points of vulnerability and minimise the risk to the business by preparing backup plans and improving resilience. The act of producing the procedures may also highlight failings in current arrangements that, if corrected, could reduce the risk levels.
