|S|| 0 6-- 39018 2

© Co¬¬o·.ca|t' o| Aust·a||a, 2000
!'|s .o·' |s coø¸·|¿'t. Aøa·t |·o¬ a·¸ usc as øc·¬|ttco u·oc· t'c Copyright Act 1968, ·o
øa·t ¬a¸ oc ·cø·ooucco o¸ a·¸ øu·øosc .|t'out ø·|o· .·|ttc· øc·¬|ss|o· |·o¬ t'c
Aust·a||a· |at|o·a| Auo|t O|| |cc.
|coucsts a·o |·ou|·|cs co·cc··|·¿ ·cø·oouct|o· a·o ·|¿'ts s'ou|o oc aoo·cssco to.
!'c |uo||cat|o·s |a·a¿c·
Aust·a||a· |at|o·a| Auo|t O|| |cc
C|O |o× ´0´
Ca·oc··a AC! 2601
|·|o·¬at|o· o· Aust·a||a· |at|o·a| Auo|t O|| |cc øuo||cat|o·s a·o act|v|t|cs |s ava||ao|c o·
t'c |o||o.|·¿ |·tc··ct aoo·css. 'ttø.//....a·ao.¿ov.au
Disclaimer
!'c Auo|to·-Cc·c·a|, t'c A|AO, |ts o|||cc·s a·o c¬ø|o¸ccs a·c ·ot ||ao|c, .|t'out
||¬|tat|o·, |o· a·¸ co·scouc·ccs |·cu··co, o· a·¸ |oss o· oa¬a¿c su||c·co o¸ a·
o·¿a·|sat|o· o· o¸ a·¸ ot'c· øc·so· as a ·csu|t o| t'c|· ·c||a·cc o· t'c |·|o·¬at|o·
co·ta|·co |· t'|s Cu|oc o· ·csu|t|·¿ |·o¬ t'c|· |¬ø|c¬c·tat|o· o· usc o| t'c acco¬øa·¸|·¿
\o·'ooo', a·o to t'c ¬a×|¬u¬ c×tc·t øc·¬|ttco o¸ |a., c×c|uoc a|| ||ao|||t¸ (|·c|uo|·¿ |·
·c¿||¿c·cc) |· ·csøcct o| t'c Cu|oc a·o t'c acco¬øa·¸|·¿ \o·'ooo'.
|cs|¿·co o¸ A·t At tac' |t¸ |to Ca·oc··a
|·|·tco o¸ ||·|c |·|·tc·s Ca·oc··a
1
Business Continuity Management
Business Continuity Management
Business Continuity
Management
Business Continuity
Management
Guide to Effective Control—January 2000
Keeping the wheels in motion
2
Guide to Effective Control
Guide to Effective Control
Better practice
Better practice
!'c Aust·a||a· |at|o·a| Auo|t O|| |cc ø·oouccs oct tc· ø·act|cc ¿u|ocs as øa·t
o| |ts |·tc¿·atco auo|t aøø·oac' .'|c' |·c|uocs |·|o·¬at|o· sc·v|ccs to auo|t
c||c·ts.
A |ct tc· |·act|cc sc·|cs 'as occ· cstao||s'co to oca| .|t' 'c¸ asøccts o| t'c
co·t·o| st·uctu·cs o| c·t|t|csa· |·tc¿·a| øa·t o| ¿ooo co·øo·atc ¿ovc··a·cc.
!'|s Cu|oc |o·¬s øa·t o| t'at sc·|cs. |t oca|s .|t' ous|·css co·t|·u|t¸
¬a·a¿c¬c·t .|t'|· a ·|s' ¬a·a¿c¬c·t |·a¬c.o·'. !'c acco¬øa·¸|·¿
\o·'ooo' |s ocs|¿·co to ass|st o·¿a·|sat|o·s |· t'c ocvc|oø¬c·t o| a
co¬ø·c'c·s|vc ous|·css co·t|·u|t¸ ø|a·.
Acknowledgments
!'c Cu|oc 'as occ· ø·cøa·co .|t' t'c va|uao|c ass|sta·cc a·o |·s|¿'ts |·o¬ a ·u¬oc· o|
Co¬¬o·.ca|t' o·¿a·|sat|o·s, ø·|¬a·||¸.
· A|· Sc·v|ccs Aust·a||a,
· Aust·a||a· |uc|ca· Sc|c·cc a·o !cc'·o|o¿¸ O·¿a·|sat|o·,
· Aust·a||a· |a·|t|¬c Sa|ct¸ Aut'o·|t¸, a·o
· !'c·aøcut|c Cooos Ao¬|·|st·at|o·.
|·øut |·o¬ Sta·oa·os Aust·a||a a·o |¬c·¿c·c¸ |a·a¿c¬c·t Aust·a||a 'as a|so occ·
|·va|uao|c |· ·c||·|·¿ t'c aøø·oac' ocvc|oøco |o· t'|s Cu|oc so t'at |t |u||¸ |·tc¿·atcs |·to
t'c ·|s' ¬a·a¿c¬c·t |·a¬c.o·' .|t'|· a· o·¿a·|sat|o·. ||·a||¸, t'c va|uao|c ass|sta·cc o|
|c|o|t tc !ouc'c !o'¬atsu |· ocvc|oø|·¿ t'c ous|·css co·t|·u|t¸ ø|a· (|C|) ø·o,cct stcøs
o|scussco |· |a·t !.o |s a|so ·cco¿·|sco. !'c A|AO ·cco·os |ts aøø·cc|at|o· o| t'|s
ass|sta·cc.
3
Business Continuity Management
Business Continuity Management
Auditor-General’s foreword
Auditor-General’s foreword
!'c u·|·tc··uøtco ava||ao|||t¸ o| a|| 'c¸ ·csou·ccs to suøøo·t cssc·t|a| ous|·css
ø·occsscs o· s|¬ø|¸, business continuity, 'as occ· ta'|·¿ a co·s|oc·ao|c a¬ou·t
o| ¬a·a¿c·s' t|¬c a·o at tc·t|o· ·ccc·t|¸. |uc' o| t'c |¬øctus to ·cv|c.
ous|·css co·t|·u|t¸ ·csu|tco |·o¬ a ·cco to t·cat ous|·css co·t|·u|t¸ ·|s's
assoc|atco .|t' a·¸ s¸stc¬s |a||u·cs at t'c c'a·¿c to t'c ¸ca· 2000 o·, as |t |s
¬o·c co¬¬o·|¸ '·o.·, t'c `2| ou¿. Co·s|oc·ao|c ·csou·ccs .c·c
c×øc·oco to c·su·c ¬|·|¬a| o|s·uøt|o· |·o¬ t'c a·t|c|øatco ø·oo|c¬s.
!'c cu··c·t |ocus o| ous|·css co·t|·u|t¸ c||o·ts o· `2| ·c¬co|cs a·o
co·t|·¿c·c¸ ø|a··|·¿ .as acccøtao|c |· t'c c|·cu¬sta·ccs. |o.cvc·, oc¸o·o
t'|s, o·¿a·|sat|o·s s'ou|o aoo·css a·o ·c¿u|a·|¸ ·cv|c. all asøccts o| t'c|·
ous|·css co·t|·u|t¸ ¬a·a¿c¬c·t.
!'|s Cu|oc ø·csc·ts a st·uctu·co aøø·oac' to ous|·css co·t|·u|t¸
¬a·a¿c¬c·t. !'c aøø·oac' |·vo|vcs |oc·t||¸|·¿ ø·cvc·tat|vc t·cat¬c·ts |o·
co·t|·u|t¸ ·|s's t'at ca· oc ·out|·c|¸ ¬a·a¿co, a·o ocvc|oø|·¿ a· o·¿a·|sat|o·-
.|oc ous|·css co·t|·u|t¸ ø|a·to oca| .|t' t'c co·scouc·ccs s'ou|o t'c
ø·cvc·tat|vc t·cat¬c·ts |a||. !'c aøø·oac' s'ou|o oc ta||o·co to ¬cct
o·¿a·|sat|o·a| ·ccos .'||c sat|s|¸|·¿ t'c ¬a,o· stcøs |oc·t|| |co |o· ous|·css
co·t|·u|t¸ ¬a·a¿c¬c·t |· t'c co·tc×t o| ovc·a|| ·|s' ¬a·a¿c¬c·t.
|a·a¿c·s s'ou|o 'avc a· o·¿o|·¿ |ocus o· ous|·css co·t|·u|t¸ as a· c|c¬c·t
o| t'c ovc·a|| ·|s' ¬a·a¿c¬c·t |·a¬c.o·' |· t'c|· o·¿a·|sat|o·. \'||c t'c
ø·o| ||c o| ous|·css co·t|·u|t¸ |s st||| '|¿', |t .ou|o oc oøøo·tu·c to ou||o o· t'c
.o·' a·o a·a|¸scs oo·c |· ·c|at|o· to t'c ·|s's assoc|atco .|t' `2|, to c·su·c
ous|·css co·t|·u|t¸ ·|s's a·c |oc·t|| |co, asscssco, a·a|¸sco a·o t·catco, as .c||
as oc|·¿ ¬o·|to·co a·o ·cv|c.co.
!'c Cu|oc |u·t'c· ocvc|oøs t'c aøø·oac' ø·o¬otco o¸ |¬c·¿c·c¸
|a·a¿c¬c·t Aust·a||a |· |ts øuo||cat|o·. Non-stop Ser vice.
!'c |·c·cas|·¿ |cvc| o| ocvo|vco aut'o·|t¸ a·o ¬a·a¿c¬c·t |· t'c øuo||c
sccto·, a ¿·catc· usc o| co·t·actco sc·v|cc oc||vc·¸ a·o t'c øu·su|t o|
|¬ø·ovco c|||c|c·c|cs a·o øc·|o·¬a·cc, ¬ca·s t'at t'c ·cco to ¬a·a¿c
ø·oact|vc|¸ a· o·¿a·|sat|o·'s ovc·a|| ·|s' 'as ·cvc· occ· ¿·catc·. |t .ou|o oc
|||-aov|sco to |¿·o·c ·|s's to ous|·css co·t|·u|t¸ occausc t'c|· ||'c||'ooo |s too
Continuity of public sector business is a critical issue to be considered by Boards,
chief executives and senior management in Australian public sector organisations
and for business activities. Many services delivered by government organisations
are critical to the economic and social well-being of our society—a failure to
deliver these could have very significant consequences for those concerned.
4
Guide to Effective Control
Guide to Effective Control
·c¬otc|· t'c ¬co|u¬ to |o·¿c· tc·¬ t'|s cou|o .c|| ø·ovc cost|¸ |o· oot'
t'c o·¿a·|sat|o·s a·o t'c c||c·ts (c|t|zc·s). !'c·c a·c su|| |c|c·t c×a¬ø|cs |·
t'c øuo||c sccto· to oc¬o·st·atc t'c u·||'c|¸ ca·, a·o oocs, 'aøøc· . usua||¸
.'c· .c |cast c×øcct |t. O|tc· t'csc cvc·ts a·c outs|oc t'c o|·cct co·t·o| o|
t'c o·¿a·|sat|o·, out t'|s oocs ·ot ¬ca· ¸ou s'ou|o ·ot ø|a· |o· t'c|· |¬øact.
!'c |o||o.|·¿ |·c|oc·ts ø·ov|oc co¬øc|||·¿ ·caso·s |o· ous|·css co·t|·u|t¸ to
oc ta'c· sc·|ous|¸.
· severe hailstorms in Sydney, NSW, (1999) oa¬a¿c to ¬a·¸ ¿ovc··¬c·t a·o
ous|·css ou||o|·¿s a·o ¬ca·t c¬c·¿c·c¸ ¬casu·cs 'ao to oc ta'c· to
·c|ocatc oøc·at|o·s .'||c co·t|·u|·¿ to ø·ov|oc a sc·v|cc to t'c|· c||c·ts,
· the Victorian gas crisis (1999) |o||o.|·¿ a· c×ø|os|o· at a ¿as ø·oouct|o·
|ac|||t¸, t'c c·t|·c Statc |acco .cc's .|t'out ¿as suøø||cs a·o t'c costs to
ous|·css a·o ¿ovc··¬c·t .as cst|¬atco |· t'c o||||o·s o| oo||a·s,
· Brisbane, Queensland and Auckland, New Zealand, power outages (1998) –
|o||o.|·¿ ¿c·c·ato· a·o ¿·|o |a||u·cs, t'c c|t|cs .c·c .|t'out c|cct·|c|t¸
¿ovc··¬c·t a·o ous|·css a||'c 'as to oøc·atc |· a c|t¸ .|t'out ·c||ao|c
øo.c· suøø||cs |o· a· c×tc·oco øc·|oo,
· fires at the Bankstown Council, NSW, (1997) and Knox Council, VIC, (1994) |·
.'|c' t'c cou·c|| c'a¬oc·s .c·c ou··t oo.· a·o v|ta| ·cco·os as .c|| as
|! .c·c |ost, a·o
· Jolimont Centre incident, Canberra, ACT (1993) |o||o.|·¿ a s|c¿c a·o | |·c,
t'c t'c· Co¬¬o·.ca|t' |cøa·t¬c·t o| |·oust·|a| |c|at|o·s .as |o·cco to
·c|ocatc aoout -00 sta|| a·o t'c suøøo·t|·¿ |·|·ast·uctu·c.
!'c ·a·¿c, sou·cc a·o |¬øact o| ·|s' to .'|c' a· o·¿a·|sat|o· |s c×øosco |·
tooa¸'s ous|·css .o·|o oc¬a·o t'at ous|·css co·t|·u|t¸ 'as to ·a·' '|¿'|¸ |o·
o·¿o|·¿ ¬a·a¿c¬c·t at tc·t|o·. |·occo, |t s'ou|o oc a· |·tc¿·a| c|c¬c·t o|
t'c o·¿a·|sat|o·'s ·|s' ø|a··|·¿ st·atc¿¸.
|.¦. |a··ct t
Auo|to·-Cc·c·a|
¦a·ua·¸ 2000
5
Business Continuity Management
Business Continuity Management
Contents
Overview of this Guide ´
1. Continuity and risk concepts
|·t·oouct|o· 11
|us|·css co·t|·u|t¸ ¬a·a¿c¬c·t 12
||s' ¬a·a¿c¬c·t 16
2. The business continuity process
Ovc·v|c. o| t'c ous|·css co·t|·u|t¸ ø·occss 29
|·o,cct |·|t|at|o· 31
|c¸ ous|·css ø·occsscs |oc·t|| |cat|o· 32
|us|·css |¬øact a·a|¸s|s (||A) 36
|cs|¿· co·t|·u|t¸ t·cat¬c·ts 39
|¬ø|c¬c·t co·t|·u|t¸ t·cat¬c·ts -5
!cst a·o ¬a|·ta|· t'c ø|a· 62
Appendices 65
Contents
6
Guide to Effective Control
Guide to Effective Control
7
Business Continuity Management
Business Continuity Management
Overview of this Guide
Overview of this Guide
!'|s Cu|oc 'as occ· ø·cøa·co ø·|¬a·||¸ |o· t'c øcoø|c |·vo|vco |· a ous|·css
co·t|·u|t¸ ø·o,cct|·o¬ |·o|v|oua| tca¬ ¬c¬oc·s t'·ou¿' to t'c C'|c|
|×ccut|vc a·o |oa·o. |ac' øa·t|c|øa·t ø|a¸s a· |¬øo·ta·t ·o|c a·o 'as a·
a··a¸ o| ·csøo·s|o|||t|cs |· c·su·|·¿ t'c succcss o| t'c ø·o,cct a·o co·t|·u|·¿
va||o|t¸ o| t'c ø|a·.
Succcss|u| ous|·css co·t|·u|t¸ ¬a·a¿c¬c·t ·c||cs o· t'c c×øc·t|sc |·o¬ .|t'|·
t'c o·¿a·|sat|o·|t |s t'c øcoø|c t'at u·oc·sta·o t'c o·¿a·|sat|o·|ts
ous|·css, ø·occsscs a·o ous|·css ·|s's. |o.cvc·, t'c Cu|oc oocs ·ot assu¬c
cvc·¸o·c |s a· c×øc·t |· t'c | |c|o o| ·|s' ¬a·a¿c¬c·t so ocsc·|ocs cac' ø'asc
o| ous|·css co·t|·u|t¸ a¿a|·st a· acccøtco, ¿c·c·|c ·|s' ¬a·a¿c¬c·t
|·a¬c.o·'.
|ac' ·|s', ocøc·o|·¿ o· |ts ·atu·c, .||| 'avc a ¿·catc· o· |cssc· c'a·cc o|
occu··c·cc (||'c||'ooo) a·o a ¿·catc· o· |cssc· ous|·css |¬øact o· t'c
o·¿a·|sat|o· (co·scouc·cc). !'c ous|·css |¬øact o| cac' ·|s' .||| a|so va·¸
acco·o|·¿ to |ts ·atu·c|o· a·¸ øa·t|cu|a· ·|s' cvc·t t'c·c ¬a¸ oc, |o·
c×a¬ø|c, a | |·a·c|a| co·scouc·cc, a |c¿a| co·scouc·cc, a sta|| sa|ct¸
co·scouc·cc, a·o a ous|·css |·tc··uøt|o· co·scouc·cc.
O·¿a·|sat|o·s, t'·ou¿' a st·uctu·co, s¸stc¬at|c ø·occss at tc¬øt to ¬a·a¿c a||
s|¿·|| |ca·t ous|·css ·|s's ø·o-act|vc|¸, o¸ |¬ø|c¬c·t|·¿ aøø·oø·|atc ø·cvc·tat|vc
co·t·o|s a·o ot'c· ·|s' t·cat¬c·ts. !'|s ·|s' ¬a·a¿c¬c·t ø·occss |s ocs|¿·co
to ·coucc t'c ·cs|oua| ·|s' o| a· cvc·t|· tc·¬s o| |ts ||'c||'ooo o|
occu··c·cc a·o/o· |ts co·scouc·ccs, to a· acccøtao|c |cvc|.
|o.cvc·, ø·cvc·tat|vc co·t·o|s a·o ot'c· ø·o-act|vc t·cat¬c·ts a·c ·o
¿ua·a·tcc t'at ·|s' cvc·ts .||| ·ot occu·, t'at |s, t'c¸ ca··ot c·t|·c|¸ c||¬|·atc
t'c|· ||'c||'ooo o| occu··c·cc. !'c·c|o·c, |o· c||cct|vc ·|s' ¬a·a¿c¬c·t |t |s
coua||¸ |¬øo·ta·t t'at o·¿a·|sat|o·s ocs|¿· co·t·o|s t'at a·c |¬ø|c¬c·tco
o·cc a ·|s' cvc·t 'as occu··co.
Business continuity management is an integral part of the risk management
framework within an organisation. All organisations face a variety of risks.
These may be sourced externally, and therefore largely out of the immediate
control of the organisation, or internally. Internal risks arise both at the strategic
(organisation-wide) level and at the operational (business process) level.
8
Guide to Effective Control
Guide to Effective Control
!'c ocs|¿· (a·o t'c·c|o·c cost) o| suc' co··cct|vc co·t·o|s a·o t·cat¬c·ts
.||| ·cco to ta'c |·to accou·t asscss¬c·ts o| t'c ø·o-act|vc co·t·o|s a·o t'c
·cs|oua| ·|s' |cvc|s. !'c 'c¸ oucst|o· |s 'o. ¬uc' t|¬c, c||o·t a·o ·csou·ccs
·cco to oc |·vcstco |· co··cct|vc co·t·o|s|· ø·cøa·|·¿ |o· a· cvc·tua||t¸
t'at ¬a¸ ·cvc· occu·.
!'|s Cu|oc 'as occ· ocs|¿·co to ass|st o·¿a·|sat|o·s a·s.c· t'|s oucst|o· |o·
t'osc ·|s' cvc·ts t'at 'avc a ous|·css |·tc··uøt|o· co·scouc·cc o| a ·atu·c
a·o |¬øact t'at .a··a·ts c||cct|vc ¬a·a¿c¬c·t act|o·.
!'c u·oc·|¸|·¿ aøø·oac' aooøtco |· t'|s Cu|oc |s to sta·t |·o¬ t'c øo|·t t'at
a ·|s' cvc·t 'as occu··co .'|c' 'as |·tc··uøtco ous|·css oøc·at|o·st'at |s,
assu¬|·¿ a worst case scc·a·|o .'c·c a|| ø·occsscs a·o ·csou·ccs a·c ·ot
ava||ao|c. |· t'|s co·tc×t t'c causc o· ·atu·c o| t'c actua| ·|s' cvc·ts a·c ·ot
co·s|oc·co to oc t'c o·|vc·s |o· ¬a·a¿c¬c·t act|o·. |t |s t'c ous|·css
|·tc··uøt|o· consequence t'at ¬a|·|¸ octc·¬|·cs t'c ø·occss.
!'|s bottom-up aøø·oac' co¬ø|c¬c·ts t'c 'toø oo.·' aøø·oac' |·'c·c·t |·
t'c ovc·-a·c'|·¿ ·|s' ¬a·a¿c¬c·t ø·occss. |t c·su·cs co¬ø|ctc·css o|
co·s|oc·at|o· o| a|| co·scouc·ccs a·|s|·¿ |·o¬ a ous|·css |·tc··uøt|o· ·|s'
cvc·t. |t a|so c·su·cs ø·o-act|vc a·o co··cct|vc co·t·o|s a·c co¬ø|c¬c·ta·¸
a·o s'ou|o a||o. o·¿a·|sat|o·s, |o· c×a¬ø|c, to ac'|cvc a cost-c||cct|vc
co¬ø·o¬|sc oct.cc· ø·cøa·co·css |o· t'c worst case scc·a·|o a·o t'c
||'c||'ooo o| suc' a scc·a·|o cvc· a·|s|·¿.
!'c Cu|oc |s o|v|oco |·to t.o ¬a,o· øa·tst'c ||·st øa·t oca|s .|t' ous|·css
co·t|·u|t¸ ¬a·a¿c¬c·t co·ccøts |· a ·|s' ¬a·a¿c¬c·t co·tc×t, t'c scco·o
øa·t |oc·t|||cs t'c ø·occsscs a·o ø·occou·cs ·cou|·co to oc u·oc·ta'c· to
ø·ooucc a ous|·css co·t|·u|t¸ ø|a·.
A ·u¬oc· o| suøøo·t|·¿ ø·o-|o·¬a sc'cou|cs, .o·'|·¿ øaøc·s a·o
oucst|o··a|·cs 'avc occ· ø·cøa·co to |ac|||tatc t'c ovc·a|| ø·occss ocsc·|oco
|· t'c Cu|oc. !'csc a·c co·ta|·co |· t'c |us|·css Co·t|·u|t¸ \o·'ooo' t'at
acco¬øa·|cs t'|s Cu|oc.
9
Business Continuity Management
Business Continuity Management
Continuity and risk
concepts
Part One
Continuity and risk
concepts
Introduction
Business continuity management
Oo,cct|vc
Outøuts
'·oc·|¸|·¿ aøø·oac'
!c·¬|·o|o¿¸
Risk management
Ovc·v|c. o| t'c ·|s' ¬a·a¿c¬c·t ø·occss
Stcø o·c. cstao||s' co·tc×t
Stcø t.o. |oc·t||¸ a·o asscss ·|s's
· ·|s' |·oc·t|| |cat|o·
· ·|s' a·a|¸s|s
· ·|s' t·cat¬c·t ocs|¿·
Stcø t'·cc. |¬ø|c¬c·t t·cat¬c·ts
Stcø |ou·. ¬o·|to· a·o ·cv|c.
10
Guide to Effective Control
Guide to Effective Control
11
Business Continuity Management
Business Continuity Management
Introduction
A· o·¿a·|sat|o·'s ous|·css st·atc¿|cs a·o occ|s|o·s a·c oasco o· a· assu¬øt|o·
o| t'c ous|·css co·t|·u|·¿. A· cvc·t t'at v|o|atcs t'|s assu¬øt|o· |s a
s|¿·|| |ca·t occu··c·cc |· t'c |||c o| a·¸ o·¿a·|sat|o·, |¬ø|·¿|·¿ o|·cct|¸ o· |ts
ao|||t¸ to |u|| || |ts ous|·css oo,cct|vcs a·o t'c ||vc||'ooo o| t'osc |·vo|vco.
A¬o·¿ ot'c· t'|·¿s, ·|s' ¬a·a¿c¬c·t |s aoout øut t|·¿ |· ø|acc t·cat¬c·ts
t'at scc' to ø·cvc·t ous|·css |·tc··uøt|o· cvc·ts (outa¿cs) |·o¬ occu··|·¿ |·
t'c | |·st ø|acc. |t a|so c·co¬øasscs cstao||s'|·¿ aøø·oø·|atc ·csøo·scs
(t·cat¬c·ts) s'ou|o suc' a· cvc·t occu·.
|us|·css co·t|·u|t¸ ¬a·a¿c¬c·t |s t'c·c|o·c t'at øa·t o| ·|s' ¬a·a¿c¬c·t
t'at cstao||s'cs cost-c||cct|vc t·cat¬c·ts s'ou|o a· outa¿c occu·. As suc', |t
oca|s .|t' actua| cvc·tsa ·|s' cvc·t .'|c' 'as occu··coa·o t'c act|o·
·cou|·co to ·csøo·o to t'c cvc·t. !o t'|s c×tc·t, |t co¬ø|c¬c·ts t'c ovc·a||
·|s' ¬a·a¿c¬c·t ø·occss .'|c' oca|s |o·c¬ost .|t' øoss|o|||t¸ o| occu··c·cc
o| ·|s's cvc·ts (|·c|uo|·¿ outa¿cs) t'at ¬a¸ occu·, a·o t'c a·a|¸s|s a·o
ø·o-act|vc t·cat¬c·t o| suc' cvc·ts.
!'|s scct|o· o| t'c Cu|oc out||·cs t'c ·|s' ¬a·a¿c¬c·t ø·occss a·o o|scusscs
'o. ous|·css co·t|·u|t¸ ¬a·a¿c¬c·t | |ts .|t'|· t'|s ø·occss. |t |s ·ot |·tc·oco
to covc· a|| asøccts o| ·|s' ¬a·a¿c¬c·t. |·stcao, t'c Cu|oc .||| |ocus o·
t'osc øa·ts o| t'c ø·occss .'c·c ous|·css co·t|·u|t¸ ·|s's s'ou|o oc
søcc|| |ca||¸ aoo·cssco.
|o.cvc·, oc|o·c oca||·¿ .|t' t'c ·|s' ¬a·a¿c¬c·t ø·occss, t'c Cu|oc
|·t·oouccs a ·u¬oc· o| 'c¸ ous|·css co·t|·u|t¸ co·ccøts. |t |s |¬øo·ta·t t'at
·caoc·s o| t'c Cu|oc |a¬|||a·|sc t'c¬sc|vcs .|t' t'csc co·ccøts a·o |·
øa·t|cu|a·, t'c tc·¬|·o|o¿¸ usco, oc|o·c c¬oa·'|·¿ o· t'c ous|·css co·t|·u|t¸
¬a·a¿c¬c·t ø·occss.
|a·t !.o o| t'|s Cu|oc ta'cs t'c ·caoc· t'·ou¿' t'c octa||co stcøs |o· t'c
ous|·css co·t|·u|t¸ ¬a·a¿c¬c·t ø·occss.
Introduction
Business continuity means maintaining the uninterrupted availability of all key
business resources required to support essential business activities.
12
Guide to Effective Control
Guide to Effective Control
Business continuity
management
Objective
!'c oo,cct|vc o| ous|·css co·t|·u|t¸ ¬a·a¿c¬c·t |s to ensure the
uninterrupted availability of all key business resources required to
support essential (or critical) business activities.
!'|s 'o||st|c v|c. o| ous|·css co·t|·u|t¸ ¬a·a¿c¬c·t o|||c·s |·o¬ .'at ¬a·¸
¬a·a¿c·s t·ao|t|o·a||¸ tc·¬ Disaster Recover y Planning .'|c' 'as occ· c|osc|¸,
|| ·ot so|c|¸, assoc|atco .|t' |·|o·¬at|o· tcc'·o|o¿¸. |¸ c'a·¿|·¿ t'c |ocus,
t'c c¬ø'as|s |s ø|acco o· t'c .'o|c ous|·css, ·ot ,ust o· tcc'·o|o¿¸ |ssucs
a|o·c. !'|s ·c|·|o·ccs t'c co·ccøt o| co·t|·u|t¸ o| all key processes,
c×tc·o|·¿ oc¸o·o |·|o·¬at|o· tcc'·o|o¿¸ s¸stc¬s, |¬øo·ta·t t'ou¿' t'c¸ a·c
|· ¬ooc·· ous|·css.
Outputs
!'c ø·|¬a·¸ outøut |·o¬ t'c ous|·css co·t|·u|t¸ ¬a·a¿c¬c·t ø·occss |s a
Business Continuity Plan (BCP). !'c |C| co¬ø·|scs ¬a·¸ c|c¬c·ts .'|c',
co||cct|vc|¸, oc| |·c t'c aøø·oac' to oca||·¿ .|t' a o·ca' |· ous|·css co·t|·u|t¸,
a·o .'|c' ø·csc·|ocs t'c stcøs a· o·¿a·|sat|o· s'ou|o ta'c to ·ccovc· |ost
ous|·css |u·ct|o·s.
A¬o·¿st ot'c· ¬at tc·s, t'c |C| .||| o·|·¿ to¿ct'c· t'c.
· sc·v|cc a·ca Co·t|·¿c·c¸ ||a·s,
· ||sastc· |ccovc·¸ ||a· (|||), a·o
· |us|·css |csu¬øt|o· ||a· (|||).
!'c ous|·css co·t|·u|t¸ ¬a·a¿c¬c·t ø·occss a·o t'c |C| ·cco to o·|·¿
to¿ct'c· a|| suc' c|c¬c·ts to c·su·c t'c¸ aocouatc|¸ aoo·css t'c
o·¿a·|sat|o·'s ous|·css |·tc··uøt|o· ·|s's.
!'c·c a·c ø·ooao|¸ a|·cao¸ so¬c øa·ts o| t'c |C| t'c o·¿a·|sat|o· 'as |·
ø|acc as øa·t o| |ts ·o·¬a| ous|·css oøc·at|o·s. !'c¸ |·c|uoc.
· |! o|sastc· ·ccovc·¸ ø|a·s,
· c¬c·¿c·c¸ ·csøo·sc ø·occou·cs,
· o||-s|tc o| ·ccoos,
· oac'uø a·o ·ccovc·¸ ø·occou·cs,
· cvacuat|o· ø|a·s,
· co¬¬u·|cat|o·s st·atc¿|cs, a·o
· ¬co|a ||a|so· st·atc¿|cs.
A|o·c t'csc oo ·ot co·st|tutc a co¬ø|ctc |C|, out a·c |¬øo·ta·t c|c¬c·ts o|
a ·ooust co·t|·u|t¸ ø|a·.
Business continuity
management
The difference between business
continuity and disaster recovery
is not a ‘what’ but a ‘whose’.
Business continuity now appears
on the boardroom agenda, but
there was a time when disaster
recovery was relegated to one
corner of the computer room.
Planning for business continuity
should be a top-level concern for
enterprises, considering the
potentially devastating financial
and organizational impact of a
disaster.
An Introduction to Business
Continuity Planning, InSide
GartnerGroup This Week
(IGG),
C. Gooding, January 8, 1997
© GartnerGroup, 1999.
In the business continuity
management process it is
important to consider what
plans are already in place, so
effort is not wasted.
13
Business Continuity Management
Business Continuity Management
Underlying approach
!'c |C| |s |·|t|atco .'c· a ·|s' cvc·t occu·s t'at 'as a business
interruption co·scouc·cc. !'c ous|·css |·tc··uøt|o·s t'at a·c o| co·cc··
|·o¬ a co·t|·u|t¸ v|c.øo|·t a·c ·c|c··co to as outages. !'csc cvc·ts .|||
causc a s|¿·|| |ca·t o|s·uøt|o· to, o· |oss o|, 'c¸ ous|·css ø·occsscs. |t |o||o.s
t'at suc' cvc·ts .||| 'avc a '|¿' |¬øact o·, a·o scvc·c co·scouc·ccs |o·, t'c
o·¿a·|sat|o·.
Outa¿cs ·cco to oc o|st|·¿u|s'co |·o¬ ot'c· ous|·css |·tc··uøt|o·s suc' as
t'osc a·|s|·¿ |·o¬ s¸stc¬s oo.·t|¬c o· |a||u·cs t'at ¬a¸ occu· as a øa·t o|
·o·¬a| oøc·at|o·ssuc' as a o·|c| |oss o|| a co¬¬u·|cat|o·s ||·' .'|c' ·ccos
to oc ·c-cstao||s'co .|t' a sc·v|cc ø·ov|oc·.
!'c co·ccøt o| a· outa¿c 'as a t|¬c o|¬c·s|o· as .c|| as a ous|·css ø·occss
o|¬c·s|o·. !'c ous|·css co·t|·u|t¸ ¬a·a¿c¬c·t ø·occss |·c|uocs cstao||s'|·¿
t'c ¬a×|¬u¬ øc·|oos |o· .'|c' cac' |u·ct|o· ca· oc o|s·uøtco o· |ost
a|to¿ct'c·, oc|o·c |t t'·catc·s t'c ac'|cvc¬c·t o| o·¿a·|sat|o·a| oo,cct|vcs.
!'c a·a|¸s|s o| t'c |¬øact o| a· outa¿c |ocuscs o· co·scouc·ccs. |t |s ·ot
co·cc··co .|t' t'c ||'c||'ooo o· causc o| occu··c·cc, as t'c¸ a·c ·ot
c|c¬c·ts o| t'c |C|. |at tc·s o| ||'c||'ooo a·o causc s'ou|o a|·cao¸ 'avc
occ· aoo·cssco as øa·t o| t'c top down ·|s' ¬a·a¿c¬c·t ø·occss a·o
ø·cvc·tat|vc co·t·o|s s'ou|o a|·cao¸ 'avc occ· cstao||s'co to ·coucc t'c
||'c||'ooo a·o co·scouc·ccs o| a|| ·|s' cvc·ts (|·c|uo|·¿ ous|·css |·tc··uøt|o·
cvc·ts) to |cvc|s t'at a·c acccøtao|c to ¬a·a¿c¬c·t.
!'c bottom-up aøø·oac' to ous|·css co·t|·u|t¸ ¬a·a¿c¬c·t co¬ø|c¬c·ts t'c
top down aøø·oac' aooøtco |o· ovc·a|| ·|s' ¬a·a¿c¬c·t o¸ as'|·¿ '.'at
'aøøc·s || t'c co·t·o|s |a||'. |t øuts |· ø|acc ø|a··co, coo·o|·atco ·csøo·scs
.'|c' csca|atc acco·o|·¿ to t'c ·atu·c o| t'c outa¿c. !'|s c×tc·os to a
co¬ø|ctc |oss o| a|| ous|·css ø·occsscs a·o ·csou·ccs, ·c|c··co to as a disaster.
\'||c disasters t'a·'|u||¸ a·c a· c×t·c¬c|¸ ·a·c occu··c·cc |· t'c |||c o| ¬ost
o·¿a·|sat|o·s, t'c co·scouc·cc (o· ous|·css |¬øact) a·a|¸s|s assu¬cs t'at a
o|sastc· ca· occu·. !'|s worst case scc·a·|o ¬ooc|||·¿ .||| c·su·c t'at a||
|¬øacts a·|s|·¿ |·o¬ a· outa¿c a·c co·s|oc·co ·c¿a·o|css o| t'c ||'c||'ooo o|
occu··c·cc.
As o|scussco aoovc, co·s|oc·at|o· o| causcs a·o sou·ccs o| t'·cats |s ·ot øa·t
o| t'c |C|. |t |s |¬øo·ta·t t'at co·t|·u|t¸ ø|a·s a·c ·ot ocvc|oøco so|c|¸ |·o¬
t'|s øc·søcct|vc as |t |s u·||'c|¸ o·¿a·|sat|o·s .||| oc ao|c to |oc·t||¸ a|| øoss|o|c
causcs o| outa¿cs o· t'c sou·cc o| a|| t'·cats. |· t'c øast, ¬a·¸ ø|a·s 'avc
|a||co as t'c¸ 'avc co·||·co t'c¬sc|vcs to o·c t¸øc o| outa¿c oasco o· a
||¬|tco t'·cat a·a|¸s|susua||¸ a ø'¸s|ca| o|s·uøt|o·.
What is the maximum time
the business can survive
without key business functions
before the BCP must be
initiated and recovery
procedures must commence?
14
Guide to Effective Control
Guide to Effective Control
Terminology
!'c aoovc o|scuss|o· |·t·ooucco a ·u¬oc· o| 'c¸ tc·¬s a·o co·ccøts.
!'c |o||o.|·¿ tao|c su¬¬a·|scs t'csc tc·¬s a·o t'c|· ¬ca·|·¿s |o· casc o|
·c|c·c·cc a·o u·oc·sta·o|·¿.
Concept Description Examples/Comments
Outage
• c×t·ao·o|·a·¸
cvc·t
• |oss o| 'c¸
ous|·css ø·occsscs
· '|¿' |¬øact
A· outa¿c |s a· c×t·ao·o|·a·¸
cvc·t, caus|·¿ a o|s·uøt|o· to,
o· |oss o|, 'c¸ ous|·css
ø·occsscs, .'|c' 'as a '|¿'
|¬øact o· t'c o·¿a·|sat|o·.
!'|s |s o|st|·ct |·o¬ oo.·t|¬c
o· s¸stc¬s |a||u·cs t'at ¬a¸
occu· as a øa·t o| ·o·¬a|
oøc·at|o·s .'c·c t'c |¬øact
s|¬ø|¸ ·couccs t'c c||cct|vc
ut|||t¸ o| ø·occsscs |· t'c s'o·t
tc·¬.
During an outage parts of the
Business Continuity Plan
(BCP) may be activated in
order to deal with the
situation. The full activation
of a plan (ie. for a total
disaster) must be def ined for
each plan during the plan
development phase.
In a self-funding organisation,
a key business process would
be a billing system as the
organisation depends on cash
f low for its sur vival. In a
budget-funded organisation
that pays benef its, a key
business process may be a
benef its payments system
that is essential to ser vicing
client needs.
Maximum
Acceptable
Outage (MAO)
· t'·cat to ac'|cv|·¿
ous|·css oo,cct|vcs
!'c |AO |s t'c t|¬c |t .|||
ta'c oc|o·c a· outa¿c t'·catc·s
a· o·¿a·|sat|o· ac'|cv|·¿ |ts
ous|·css oo,cct|vcs.
!'c |AO oc| |·cs t'c
¬a×|¬u¬ t|¬c a· o·¿a·|sat|o·
ca· su·v|vc .|t'out 'c¸
ous|·css |u·ct|o·s oc|o·c
ous|·css co·t|·u|t¸ ø|a·s a·o
·ccovc·¸ ø·occou·cs ¬ust
co¬¬c·cc.
A ‘disaster’ is used in this
Guide to mean an event
that leads to a business
interruption that will extend
beyond the period specif ied
for an MAO.
Business Impact
Analysis (BIA)
· 'c¸ ous|·css
ø·occsscs
· ·ccovc·¸ ø·|o·|t¸
!'c ||A |s u·oc·ta'c· |o· a||
'c¸ ous|·css ø·occsscs a·o
cstao||s'cs t'c ·ccovc·¸
ø·|o·|t|cs, s'ou|o t'osc
ø·occsscs oc o|s·uøtco o· |ost.
Key business processes should
have been identified as part
of other business planning or
risk management processes.
If this has not been done, the
BIA will need to do so.
Key business
processes
• ous|·css act|v|t|cs
a·o ·csou·ccs
|c¸ ous|·css ø·occsscs a·c
t'osc ø·occsscs cssc·t|a| to
oc||vc·¸ o| outøuts a·o
ac'|cvc¬c·t o| ous|·css
oo,cct|vcs. |us|·css act|v|t|cs
a·o ·csou·ccs a·c t'c cssc·t|a|
c|c¬c·ts t'at co¬o|·c to ¬a'c
uø cac' 'c¸ ous|·css ø·occss.
|oss o| a 'c¸ ous|·css ø·occss
|· c×ccss o| t'c |AO |s a
ous|·css |·tc··uøt|o· cvc·t
15
Business Continuity Management
Business Continuity Management
Concept Description Examples/Comments
Business activities
A ous|·css act|v|t¸ |s a sc·|cs o|
act|o·s co¬o|·|·¿ to ø·ooucc
a· |oc·t|| |ao|c outøut a·o/o·
·csu|t.
The billing process may require
customer sales information, a
system to record information
and calculate and print
invoices, and registr y or mail
system to send invoices and
receive remittances.
A benef its payments process
may rely on staff to inter view
clients and fill in forms;
entering that information on a
computer system; periodic
payments to bank accounts;
and include an an inquir y
facility to follow-up on
discrepancies.
Resources |csou·ccs a·c t'c ¬ca·s t'at
suøøo·t oc||vc·¸ o| a·
|oc·t|| |ao|c outøut a·o/o·
·csu|t. |csou·ccs ¬a¸ oc
¬o·c¸, ø'¸s|ca| asscts o·, ¬ost
|¬øo·ta·t|¸, øcoø|c. \|t'out
·csou·ccs, act|v|t|cs (a·o
t'c·c|o·c ous|·css ø·occsscs)
.ou|o s|¬ø|¸ ·ot occu·.
The customer billing system
relies on people to undertake
procedures; operate computer
systems; produce information;
off ice supplies for preparing
and mailing the invoices;
buildings and power to house
the people; and computers.
A benef its payments system
relies on people, computers,
off ice supplies, building and
power and also on having
suff icient funds available to
make payments when due.
Procedures |·occou·cs a·c t'c stcøs
u·oc·ta'c· o¸ a· |·o|v|oua| to
ac'|cvc a ·csu|t. |oc·t|| |cat|o·
o| t'csc ø·occou·cs |s
|¬øo·ta·t |· co·t|·u|t¸
ø|a··|·¿ as |t |s t'csc stcøs
.'|c' .||| ·cco to oc
·cc·catco o· ·cocs|¿·co to oc
usco ou·|·¿ a· outa¿c.
Customer billing and benef its
payments may rely on a series
of steps to ensure information
is correct prior to bills being
issued or benef its paid. If an
outage causes the loss of the
computer system supporting
these validations, alternate
processes may need to be
developed to ensure continuity
of that business function.
Risk event A·¸ ·o·-t·|v|a| cvc·t t'at
a||ccts t'c ao|||t¸ o| a·
o·¿a·|sat|o· to ac'|cvc |ts
ous|·css oo,cct|vcs.
Risk events may be considered
in terms of their causes,
likelihood and impacts.
Business
interruption event
A ·|s' cvc·t t'at 'as a ous|·css
|·tc··uøt|o· co·scouc·cc.
Business interruption events
are ‘outages’ and other
operational events that do not
affect business continuity.
16
Guide to Effective Control
Guide to Effective Control
Risk management
Overview of the risk management process
!'c ·|s' ¬a·a¿c¬c·t ø·occss ¿c·c·a||¸ usco |· Aust·a||a tooa¸ a·o as
csøousco |· t'c |A|/||AC Guidelines for Managing Risk in the Australian Public
Sector
1
, |s ¬ooc||co o· t'c Aust·a||a·/|c. Zca|a·o Sta·oa·o AS/|ZS
-360.1999 'Risk Management’.
!'c Sta·oa·o ø·oøoscs a |o¿|ca| a·o s¸stc¬at|c ¬ct'ooo|o¿¸ |o· |oc·t||¸|·¿,
a·a|¸s|·¿, asscss|·¿, t·cat|·¿ a·o ¬o·|to·|·¿ ·|s's. |· t'|s co·tc×t, ·|s's ¬a¸ oc
co·s|oc·co as cvc·ts t'at .|||, s'ou|o t'c¸ occu·, |¬øact o· t'c ac'|cvc¬c·t
o| o·¿a·|sat|o·a| oo,cct|vcs.
\'||c ·|s' |s ¿c·c·a||¸ co·s|oc·co |· a ·c¿at|vc ||¿'t, t'at |s, as 'av|·¿ a·
aovc·sc |¬øact, t'c Sta·oa·o co·tc¬ø|atcs ·ot o·|¸ cvc·ts t'at ¬a¸ |cao to
|oss o· 'a·¬, out a|so t'osc t'at ¬a¸ |cao to ¿a|· o· aova·ta¿c.
A ous|·css co·t|·u|t¸ cvc·t (ocsc·|oco as a· 'outa¿c' |· t'|s Cu|oc) |s a·
adverse ·|s' cvc·t. !'c ø·|¬a·¸ oo,cct|vc o| ¬a·a¿|·¿ suc' cvc·ts |s to
ø·cvc·t t'c¬ |·o¬ occu··|·¿ |· t'c ||·st ø|acc, .'c·c |t |s oot' .|t'|· t'c
co·t·o| o| t'c o·¿a·|sat|o· a·o .'c·c |t |s cost-c||cct|vc to oo so. !·cat¬c·ts
ocs|¿·co to ø·cvc·t ·|s' cvc·ts occu··|·¿ a·c co¬¬o·|¸ ·c|c··co to as
ø·cvc·tat|vc co·t·o|s. |o.cvc·, cvc· t'c ocst-ocs|¿·co co·t·o|s ca·
o·ca'oo.· |· oøc·at|o· a·o a· outa¿c ¬a¸ occu·.
|· aoo|t|o·, cc·ta|· ·|s' cvc·ts ¬a¸ oc outs|oc t'c co·t·o| o| t'c o·¿a·|sat|o·
(·c|c··co to as external risks). !'|s |s øa·t|cu|a·|¸ t'c casc |· ·c|at|o· to ·atu·a|
(c¿. ||·c, ||ooo), øo||t|ca| (c¿. c'a·¿c o| ¿ovc··¬c·t øo||c¸, c'a·¿cs to
|c¿|s|at|o·), a·o cco·o¬|c (c¿. | |·a·c|a| ¬a·'ct co||aøscs, cco·o¬|c oo.·tu··)
cvc·ts.
!'c ø·|¬a·¸ oo,cct|vc, .'c· any ·|s' cvc·t (|·c|uo|·¿ a· outa¿c) occo¬cs a
·ca||t¸, |s to 'avc |· ø|acc t·cat¬c·ts t'at .||| ¬|t|¿atc t'c ous|·css |¬øact o|
t'c cvc·t. |· t'c casc o| a· outa¿c, t'c ø·c|c··co outco¬c |s to ¬a|·ta|· t'c
co·t|·u|t¸ o| sc·v|cc.
A co¬ø·c'c·s|vc aøø·oac' to ·|s' ¬a·a¿c¬c·t .||| t'c·c|o·c co·s|oc· ·|s'
t·cat¬c·ts oot' ø·oact|vc|¸o¸ ocs|¿·|·¿ a·o |¬ø|c¬c·t|·¿ co·t·o|s to
ø·cvc·t ·|s' cvc·ts occu··|·¿a·o ·cact|vc|¸o¸ ¬|t|¿at|·¿ t'c
co·scouc·ccs o| suc' cvc·ts, s'ou|o t'c¸ actua||¸ occu·.
!'|s ø'||osoø'¸ ca· oc ocst su¬¬co uø as plan for the best but be
prepared for the worst. |· ø·act|cc, t'|s ·cou|·cs ·|s' ¬a·a¿c·s to u·oc·ta'c
a· a·a|¸s|s o| ·|s's a·o ·|s' t·cat¬c·ts |·o¬ t'c top downsta·t|·¿ .|t'
øoss|o|c ·|s' cvc·ts a·o ocs|¿·|·¿ co·t·o|sa·o |·o¬ t'c bottom up
assu¬|·¿ a ·|s' cvc·t 'as occu··co a·o ø·cøa·|·¿ aøø·oø·|atc co·t|·¿c·c¸
Risk management
1 |A|/||AC |cøo·t |o. 22 Guidelines for Managing Risk in the Australian Public Ser vice, Octooc· 1996.
17
Business Continuity Management
Business Continuity Management
ø|a·s. !'csc aøø·oac'cs a·c co¬ø|c¬c·ta·¸ a·o s'ou|o oc u·oc·ta'c· |·
øa·a||c|, us|·¿ t'c ø·occss ocsc·|oco |· t'c ||s' |a·a¿c¬c·t Sta·oa·o.
||¿u·c 1 out||·cs a ·|s' ¬a·a¿c¬c·t ø·occss ocvc|oøco |·o¬ t'c Sta·oa·o
.'|c' |s ·c|cva·t to ous|·css co·t|·u|t¸ ¬a·a¿c¬c·t. !'c·c a·c |ou· ¬a,o·
stcøs |· t'|s ø·occss.
· cstao||s' t'c o·¿a·|sat|o·a| co·tc×t,
· |oc·t||¸ a·o asscss ·|s's a·o ocs|¿· t·cat¬c·ts,
· |¬ø|c¬c·t ·|s' t·cat¬c·ts, a·o
· ¬o·|to· a·o ·cv|c. ·|s's a·o t·cat¬c·ts.
Figure 1—Overview of risk management process
|us|·css co·t|·u|t¸ ¬a·a¿c¬c·t |s a· |·tc¿·a| øa·t o| t'|s ø·occss. !'c
·c¬a|·oc· o| t'|s scct|o· oca|s .|t' t'osc asøccts o| t'c ·|s' ¬a·a¿c¬c·t
ø·occss t'at ·c|atc o|·cct|¸ to ous|·css co·t|·u|t¸. |ac' stcø |s c×a¬|·co |·
tu··.
Establish context
Identify and
assess risks
Implement treatments
Monitor and review
Identify, a·a|¸sc, ·atc a·o ø·|o·|t|sc ·|s's
Evaluate ocs|¿· o| c×|st|·¿ co·t·o|s a·o t·cat¬c·ts
Redesign co·t·o|s a·o t·cat¬c·ts || ·cccssa·¸
|ctc·¬|·c 'c¸ ous|·css oo,cct|vcs, ø·occsscs a·o ·csou·ccs
v v v v v
|stao||s' ø|a·
|¬ø|c¬c·t co·t·o|s a·o ot'c· t·cat¬c·ts
v v v v v
|cv|c. oøc·at|o· o| co·t·o|s a·o co·t|·u|·¿ su|tao|||t¸ o| ot'c·
t·cat¬c·ts
|cv|c. ·|s' asscss¬c·ts
v v v v v
18
Guide to Effective Control
Guide to Effective Control
Step one: establish context
||s' ¬a·a¿c¬c·t |s u·oc·ta'c· at oot' t'c st·atc¿|c (o·¿a·|sat|o·.|oc) a·o
oøc·at|o·a| (ous|·css ø·occss) |cvc|s o| a· o·¿a·|sat|o·. !'c ||s'
|a·a¿c¬c·t Sta·oa·o o|scusscs t'c ·cco to ||·st cstao||s' t'c o·¿a·|sat|o·a|
a·o ·|s' ¬a·a¿c¬c·t co·tc×t (||¿u·c 2) |· o·oc· to c·catc a |·a¬c.o·'
.|t'|· .'|c' t'c ø·occss |s ca··|co out.
|· øa·t|cu|a·, t'c o·¿a·|sat|o·a| oo,cct|vcs ¬ust oc c|ca·|¸ oc| |·co, as .c|| as
t'c |u·ct|o·s, act|v|t|cs a·o ·c|atco ·csou·ccs t'at a·c to oc suo,cct to ·|s'
asscss¬c·t. !'|s stcø c·ao|cs o·¿a·|sat|o·s to octc·¬|·c .'|c' a·c t'c 'c¸
ous|·css ø·occsscs so t'at t'c¸ ¬a¸ |ocus a·o ø·|o·|t|sc t'c|· ·|s' ¬a·a¿c¬c·t
c||o·ts.
Figure 2—Establishing the organisational context
Organisational objectives
Output group Output group Output group
O·¿a·|sat|o·s s'ou|o |oc·t||¸ t'c|· 'c¸ ous|·css ø·occsscs a·o ous|·css suøøo·t ø·occsscs o¸ ·c|at|·¿ t'c¬ to t'c|· ovc·a|| oo,cct|vcs,
outco¬cs a·o outøuts. !'c act|v|t|cs a·o ·csou·ccs att·|outao|c to t'csc c·|t|ca| ø·occsscs s'ou|o oc a||o·oco t'c '|¿'cst ø·|o·|t¸ |·
u·oc·ta'|·¿ ·|s' asscss¬c·ts.
v v v v v
v v v v v
v v v v v
v vv vv v vv vv
v vv vv
v vv vv
v vv vv
Link with business continuity management
!'c | |·st stcø to.a·o ocvc|oø|·¿ a ous|·css co·t|·u|t¸ ø|a· |s to u·oc·ta'c
a business impact analysis. !'|s a·a|¸s|s oc||·cs t'c maximum
acceptable outage |o· cac' 'c¸ ous|·css ø·occss a·o scts t'c ·ccovc·¸
ø·|o·|t|cs |o· t'c act|v|t|cs a·o ·csou·ccs u·oc·ø|··|·¿ t'c¬.
Key business
process
Key business
process
Key business
process
Business
process
Business
process
Business
process
v v v vv
v vv vv
v vv vv v vv vv v vv vv v vv vv v vv vv v vv vv v vv vv v vv vv v vv vv v vv vv v vv vv v vv vv v vv vv v vv vv
Business support
process
Business support
process
Business support
process
19
Business Continuity Management
Business Continuity Management
|c¸ ous|·css ø·occsscs ¬a¸ 'avc occ· |oc·t|| |co ca·||c· ou·|·¿ a· ovc·a|| ·|s'
¬a·a¿c¬c·t ø·o,cct. !'csc occo¬c a· |·øut to t'c ous|·css |¬øact a·a|¸s|s.
Step two: identify and assess risks
!'|s ø'asc o| t'c ·|s' ¬a·a¿c¬c·t ø·occss ·cou|·cs o·¿a·|sat|o·s to.
· |oc·t||¸ a|| ·o·-t·|v|a| ous|·css ·|s's,
· asscss t'osc ·|s's, a·o
· ocs|¿· t·cat¬c·ts t'at ·coucc t'c ·|s's to a· acccøtao|c |cvc|.
!'csc asøccts o| t'c ovc·a|| ·|s' ¬a·a¿c¬c·t ø·occss a·c '|¿'||¿'tco |·
||¿u·c 3.
O·cc ·|s's 'avc occ· |oc·t|| |co, t'c¸ a·c a·a|¸sco |· tc·¬s o| t'c|· ||'c||'ooo a·o co·scouc·ccs. !'c o|a¿·a¬ |||ust·atcs a t.o-stcø
aøø·oac' .'|c' a·a|¸scs ·|s' oc|o·c a·o a|tc· co·s|oc·at|o· o| co·t·o|s.
Figure 3—Outline of the risk assessment phase of the risk management process
Identify
|ctc·¬|·c ||'||'ooo
a·o co·scouc·cc
.|t'out co·t·o|
|ctc·¬|·c øoss|o|c
·|s' cvc·ts us|·¿ ·|s'
|·a¬c.o·'
|ctc·¬|·c ·|s' |cvc|
a·o co¬øa·c .|t'
acccøtao|c ·|s'
|va|uatc ocs|¿· o|
c×|st|·¿ co·t·o|s a·o
t·cat¬c·ts
|ctc·¬|·c ||'||'ooo
a·o co·scouc·ccs
.|t' co·t·o|
|ctc·¬|·c ·|s' |cvc|
a·o co¬øa·c .|t'
acccøtao|c ·|s'
|cocs|¿· co·t·o|s
a·o ot'c·
t·cat¬c·ts
|cco·o |· ·|s'
·c¿|stc·
Acccøtao|c. Acccøtao|c.
v v v v v
v v v v v
v v v v v
v v v v v
v vv vv
v v v v v
v v v v v
v v v v v
v v v v v
v v v v v
v v v v v
Analyse
Evaluate
Treat
Document
|o |o
`cs
`cs
20
Guide to Effective Control
Guide to Effective Control
Risk identification
!¸ø|ca||¸, o·¿a·|sat|o·s usc a ·|s' c|ass|| |cat|o· |·a¬c.o·' to c·su·c t'at a||
||'c|¸ ·|s's a·c |oc·t|||co. A· c×a¬ø|c o| suc' a |·a¬c.o·' |s |||ust·atco |·
||¿u·c -.
Figure 4—Risk classification framework
External risks
External risks
E
x
t
e
r
n
a
l

r
i
s
k
s
E
x
t
e
r
n
a
l

r
i
s
k
s
Co¬øct|t|vc co||us|o·
Cu··c·c¸ ||uctuat|o·s
|co·o¬|c oo.·tu··
|·tc··ct 'søoo| |·¿', 'ac'|·¿
!c|cco¬¬u·|cat|o·s |a||u·c
|-co¬¬c·cc causcs a |oss o| ¬a·'ct s'a·c
Political/regulatory
C'a·¿c o| ¿ovc··¬c·t øo||c¸
|c. |c¿|s|at|o·
C'a·¿cs to ao¬|·|st·at|vc a··a·¿c¬c·ts
Environmental/natural
||·c
||ooo
|a·t'oua'c
C¸c|o·c
Economic/market Technological
Internal risks
Strategic
\·o·¿ o|·cct|o·
St·uctu·a| ¬|s-||t
Sta|| a||¿·¬c·t .|t' v|s|o·
Sta|| caøao|||t¸/s'|||s ¿aøs
|·aocouatc caø|ta| oasc
|·oouct/sc·v|cc ocs|¿·
Operational
|a||u·c to ¬cct outøut ta·¿cts |o· t|¬c, cost, oua·t|t¸ o· oua||t¸
'·aut'o·|sco acccss to/o|sc|osu·c o| sc·s|t|vc |·|o·¬at|o·
|·co··cct |·|o·¬at|o· usco to |o·¬u|atc øo||c¸ aov|cc
O|8S |ssucs-acc|oc·ts, u·sa|c .o·' ø·act|ccs
|c¿||¿c·t ¬|s-·cø·csc·tat|o·
|·cac'cs o| |a./·c¿u|at|o·s
|·|o·¬at|o· s¸stc¬ |a||u·c
|¬ø|o¸cc |·auo
Internal risks
||s's ¬a¸ a·|sc oot' |·o¬ c×tc··a| sou·ccs a·o |·tc··a||¸c¬a·at|·¿ |·o¬ .|t'|· t'c o·¿a·|sat|o· a·o a·|s|·¿ |·o¬ |ts
st·atc¿|c a·o oøc·at|o·a| ø·occsscs.
21
Business Continuity Management
Business Continuity Management
|ac' ·|s' cvc·t ¬a¸ 'avc a ·u¬oc· o| co·scouc·ccs t'at .||| |¬ø|·¿c o· a·
o·¿a·|sat|o·'s ao|||t¸ to ac'|cvc |ts ous|·css oo,cct|vcs. !'c ·c×t stcø |· t'c
·|s' asscss¬c·t ø'asc |s to a·a|¸sc t'csc |¬øacts a·o octc·¬|·c t'c ||'c||'ooo
o| occu··c·cc so t'at a risk level ca· oc cstao||s'co |o· cac' ·|s'.
Risk analysis
!'c oo,cct|vc o| t'|s a·a|¸s|s |s to scøa·atc t'c ·|s's |oc·t|| |co |· t'c ø·cv|ous
stcø |·to ¬|·o· (acccøtao|c) ·|s's a·o ¬a,o· (u·acccøtao|c) ·|s's. !'|s |s
ac'|cvco o¸ co¬øa·|·¿ t'c ·|s' |cvc| to ø·c-octc·¬|·co c·|tc·|a o| acccøtao|||t¸.
!'c·c a·c ·u¬oc· o| aøø·oac'cs to ·|s' a·a|¸s|s t'at ¬a¸ |·vo|vc oua·t|tat|vc,
oua||tat|vc o· sc¬|-oua·t|tat|vc cva|uat|o·. |o· .'atcvc· aøø·oac' |s aooøtco,
t'c ||'c||'ooo a·o co·scouc·ccs o| cac' ·|s' cvc·t a·c octc·¬|·co a·o t'c
co¬o|·at|o· o| t'csc t.o cva|uat|o·s ø·ov|ocs t'c ·|s' |cvc|.
|t |s co¬¬o· ø·act|cc |· t'|s stcø to u·oc·ta'c a first pass ·cv|c. o| a|| ·|s's
ø·|o· to co·s|oc·|·¿ c×|st|·¿ co·t·o|s a·o ot'c· ·|s' t·cat¬c·ts, to c||¬|·atc
t·|v|a| a·o ¬|·o· ·|s's |·o¬ |u·t'c·, octa||co co·s|oc·at|o·.
Links with business continuity management
!'c co·scouc·ccs (ous|·css |¬øacts) |· a ous|·css co·t|·u|t¸ ¬a·a¿c¬c·t co·tc×t
·c|atc to ous|·css |·tc··uøt|o· (outa¿c). |· a·a|¸s|·¿ |oc·t|| |co ·|s' cvc·ts,
¬a·a¿c¬c·t s'ou|o co·s|oc· .'ct'c· cac' cvc·t cou|o |·tc··uøt t'c ·o·¬a|
cou·sc o| ous|·css oøc·at|o·s. |vc·ts .'|c' 'avc a o|·cct, oct·|¬c·ta| c||cct o· a·
o·¿a·|sat|o·'s ·csou·ccs (sta||, |ac|||t|cs, tc|cco¬¬u·|cat|o·s |·|o·¬at|o· s¸stc¬s) suc' as | |·c,
øo.c· suøø|¸ |a||u·c a·o |·auo, a·c ||'c|¸ to 'avc so¬c ous|·css |·tc··uøt|o· co·scouc·ccs.
!'c a·a|¸s|s o| co·scouc·ccs |·vo|vcs cstao||s'|·¿ cva|uat|o· c·|tc·|a to ¿u|oc ¬a·a¿c¬c·t |·
|o·¬|·¿ a v|c. o· 'o. s|¿·|| |ca·t a øa·t|cu|a· cvc·t |s to t'c ous|·css. !'|s |s usua||¸ u·oc·ta'c·
o¸ cstao||s'|·¿ c·|tc·|a o· a· csca|at|·¿ sca|c a¿a|·st |¬øact a·cas. !o a|o |· co¬ø|ctc·css o| t'c
a·a|¸s|s, t'csc |¬øact a·cas ¬a¸ oc catc¿o·|sco as outøuts, ·csou·ccs, ·cøutat|o·, co¬ø||a·cc a·o
ous|·css |·tc··uøt|o·.
|o· a ·|s' cvc·t t'at 'as a ous|·css |·tc··uøt|o· co·scouc·cc, t'c ·c|cva·t cva|uat|o· c·|tc·|o· |s
t'c ou·at|o· o| t'c ous|·css |·tc··uøt|o·.
|· t'c ous|·css co·t|·u|t¸ ¬a·a¿c¬c·t ø·occss, a maximum acceptable outage |s cstao||s'co |o·
cac' 'c¸ ous|·css ø·occss a·o ·csou·cc. \'c·c a ·|s' cvc·t |s ||'c|¸ to causc a ous|·css
|·tc··uøt|o· t'at .||| c×ccco t'c t|¬c ||¬|ts oc||·co |· t'c ¬a×|¬u¬ acccøtao|c outa¿c, t'|s |s a·
extreme co·scouc·cc a·o acco·o|·¿|¸ .ou|o ·ccc|vc t'c '|¿'cst ·at|·¿. ||¿u·c 5 |||ust·atcs t'c ·|s'
a·a|¸s|s ø·occss |o· ·|s' cvc·ts t'at 'avc a ous|·css |·tc··uøt|o· co·scouc·cc.
\'c·cas t'c ||'c||'ooo o| a ·|s' cvc·t occu··|·¿ |s ·ot øa·t o| t'c |us|·css Co·t|·u|t¸ ||a·, |t |s
·c|cva·t at t'|s sta¿c .'c· octc·¬|·|·¿ ø·o-act|vc t·cat¬c·ts a·o co·t·o|s. !'c ¬o·c ||'c|¸ a·
cvc·t |s to occu·, .'|c' .||| a|so 'avc a ¬a,o· o· scvc·c |¬øact, t'c ¬o·c cost-c||cct|vc
ø·cvc·tat|vc co·t·o|s .||| ·cco to oc.
22
Guide to Effective Control
Guide to Effective Control
Figure 5Consequence analysis of events with business interruption impacts
As øa·t o| t'c ·|s' asscss¬c·t ø·occss, a oc·c||ts øa¸¬c·t sc·v|cc o·¿a·|sat|o· |oc·t|||cs t'c u·|·tc·t|o·a| oc|ct|o· o¸ |ts
c¬ø|o¸ccs o| c||c·t |·|o·¬at|o· as a ·|s' cvc·t. \|t'out t'|s |·|o·¬at|o· |t |s u·ao|c to ø·occss ·c. c||c·t aøø||cat|o·s,
va·|at|o·s to c||c·t octa||s, o· øa¸ |ts c||c·ts. |t 'as a |o·t·|¿'t|¸ øa¸¬c·t c¸c|c.
!'|s cvc·t |s ·cco·oco o· a· a·a|¸s|s s'cct (c×t·act oc|o.) a·o t'c va·|ous ous|·css |¬øacts ·otco.
Benef its Payment Business Process (extract)
|us|·css oo,cct|vc. øa¸ oc·c| |ts to oo·a ||oc c||c·ts o·|¸, o· t|¬c a·o |o· t'c co··cct a¬ou·t.
Analyse consequence of risk events (without considering controls)
Business impact of event occurring
Risk events Outøuts |csou·ccs |cøutat|o· Business C||c·ts/
Interruption sta'c'o|oc·s Co¬ø||a·cc |at|·¿
Internal Risks
Operational processes
Incorrect |o |¬øact
classif ication
of client
benef it type
Unintentional |ocs ·ot |×t·a sta|| \||| ·cou|·c ||·|¬u¬ |ou· '·ao|c to |o |¬øact 5 - |×t·c¬c
deletion of ac'|cvc a·o ||·|stc·|a| .cc's to ø·occss c||c·t
Client Master t|¬c||·css co·su|ta·ts c×ø|a·at|o· ·cco·st·uct |||c øa¸¬c·ts
File records ||| o| 99º costs to a·o ||'c|¸ to |·o¬ øaøc·
by staff øa¸¬c·ts ·ccovc· |cao to ·cco·os
o· t|¬c |ost oata oucst|o·s
cst|¬atco |· t'c
to oc |a·||a¬c·t
$500,000
Intentional As aoovc
deletion of
Client Master
File records
Employee fraud |o |¬øact
– bogus client
created
!'c ·|s' cvc·t '|¿'||¿'tco aoovc |o·¬s a øa·t o| t'c |·tc··a| ·|s's to t'c o·¿a·|sat|o· a·o ·c|atcs to |ts oøc·at|o·a| ø·occsscs.
A ·u¬oc· o| ot'c· ous|·css |¬øacts 'avc occ· |oc·t|||co |o· t'|s cvc·t |· aoo|t|o· to t'c ous|·css |·tc··uøt|o· |¬øact.
!'c ovc·a|| |¬øact 'as occ· ·atco as extreme |o· t'|s cvc·t. !'c co·scouc·cc ·at|·¿ .as octc·¬|·co o¸ ·c|c·c·cc to t'c
|o||o.|·¿ cva|uat|o· c·|tc·|a.
Consequence evaluation criteria by impact area
|at|·¿ Outøuts |csou·ccs) |cøutat|o· Business C||c·ts/
Interruption sta'c'o|oc·s Co¬ø||a·cc
5 |×t·c¬c ~10 øc· cc·t |cat' o| |o¸a| ~2 .cc's |cat' o| |·cac' o|
va·|a·cc |·o¬ c¬ø|o¸cc Co¬¬|ss|o· (|c. ~ |AO) c||c·t Co·st|tut|o·
||| ta·¿cts ~$10 ¬||||o·
'|oss'
- |a,o· 1 2 .cc's
3 |ooc·atc · 1 .cc'
2 ||·o· · 1 oa¸
1 |c¿||¿|o|c |o·c
!'c |a×|¬u¬ Acccøtao|c Outa¿c (|AO) |o· t'|s |·|o·¬at|o· ·csou·cc a·o ous|·css ø·occss .as sct at t.o .cc's (|a·t
!.o o| t'c Cu|oc o|scusscs 'o. a· |AO |s sct). !'c cst|¬atco t|¬c to ·cco·st·uct c||c·t ·cco·os c×cccos t'|s ou·at|o·-
acco·o|·¿|¸ |o· t'|s c·|tc·|o· a· Extreme ·at|·¿ aøø||cs. |otc t'at .'||c ot'c· |¬øacts |·o¬ t'c cvc·t ¬a¸ ac'|cvc a |o.c·
·at|·¿, t'c '|¿'cst ·at|·¿ ovc·a|| s'ou|o oc usco |· t'c ·|s' asscss¬c·t ø·occss.
23
Business Continuity Management
Business Continuity Management
Risk treatment design
!'c | |·a| øa·t o| ·|s' asscss¬c·t |s to ocs|¿· aøø·oø·|atc ·|s' t·cat¬c·ts.
!'c t·cat¬c·t oøt|o·s ava||ao|c to a· o·¿a·|sat|o· ·a·¿c |·o¬ acccøt|·¿ t'c
·|s' (.'c·c |t ca··ot ot'c·.|sc oc cost-c||cct|vc|¸ ¬a·a¿co) to co·t·o|||·¿ t'c
·|s', a·o to t·a·s|c··|·¿ t'c ·|s'.
|· a t.o-sta¿c aøø·oac' to ·|s' a·a|¸s|s, t'c ·|s' |cvc| |s ||·st octc·¬|·co |o· a||
·|s's.'|c' a·c t'c· catc¿o·|sco oct.cc· ¬|·o· a·o ¬a,o·oc|o·c
co·s|oc·|·¿ c×|st|·¿ co·t·o|s a·o t·cat¬c·ts. !'c ¬a,o· ·|s's a·c t'c·
cva|uatco |· t'c co·tc×t o| c×|st|·¿ co·t·o|s a·o ot'c· ·|s' t·cat¬c·ts.
\'c·c t'c ·|s' |cvc| ·c¬a|·s u·acccøtao|c, ·ot.|t'sta·o|·¿ c×|st|·¿ co·t·o|s
a·o t·cat¬c·ts, |t |s |·cu¬oc·t o· ¬a·a¿c¬c·t to ocs|¿· ·c. co·t·o|s o· to
co·s|oc· ot'c· t·cat¬c·t oøt|o·s.
Links with business continuity management
Co·t·o|s cstao||s'co o¸ ¬a·a¿c¬c·t to t·cat ·|s's ca· oc oc| |·co c|t'c· as
ø·cvc·tat|vc (stoø t'c ·|s' cvc·t |·o¬ occu··|·¿ |· t'c ||·st ø|acc) o· co··cct|vc
(octcct t'c ·|s' cvc·t .'c· |t occu·s a·o ·csøo·o acco·o|·¿|¸). |·cvc·tat|vc
co·t·o|s oøc·atc ø·|¬a·||¸ to ·coucc t'c ||'c||'ooo o| occu··c·cc o| a ·|s' cvc·t,
.'c·cas co··cct|vc co·t·o|s oøc·atc ø·|¬a·||¸ to ¬|·|¬|sc t'c co·scouc·ccs o·cc a ·|s' cvc·t 'as
occu··co.
A· c×a¬ø|c o| a ø·cvc·tat|vc co·t·o| |s t'c usc o| øass.o·os to ¿a|· acccss to t'c |·|o·¬at|o·
s¸stc¬s o| a· o·¿a·|sat|o·. || co··cct|¸ |¬ø|c¬c·tco, t'|s co·t·o| .||| ø·cvc·t u·aut'o·|sco acccss.
A· c×a¬ø|c o| a co··cct|vc co·t·o| |s t'c ·cv|c. o| a co¬øutc· |o¿ o| acccss at tc¬øts. ||
co··cct|¸ |¬ø|c¬c·tco, t'|s s'ou|o octcct a·¸ u·aut'o·|sco acccss a·o '|¿'||¿'t .'at |·|o·¬at|o·,
|| a·¸, .as a|tc·co.
|· a ous|·css co·t|·u|t¸ ¬a·a¿c¬c·t co·tc×t, t'c o·¿a·|sat|o· sta·ts |·o¬ t'c assu¬øt|o· t'at t'c
ø·cvc·tat|vc co·t·o|s 'avc |a||co, o· t'c·c .c·c ·o ø·cvc·tat|vc co·t·o|s |· ø|acc, a·o a ous|·css
|·tc··uøt|o· occu·s. !'c o·¿a·|sat|o· ·ccos to ·csøo·o to suc' cvc·ts |· ø·oøo·t|o· to t'c|·
s|¿·|| |ca·cc¬at tc·s o| ||'c||'ooo a·o ·oot causc a·c t'c·c|o·c ·o |o·¿c· ·c|cva·t.
!'c o·¿a·|sat|o· .||| ·cco to octc·¬|·c .'at ¬ust oc oo·c, o¸ .'o¬, a·o at .'at t|¬c after a
·|s' cvc·t 'as occu··co t'at .ou|o ot'c·.|sc |cao to t'c o·¿a·|sat|o·'s ·csou·ccs o· ø·occsscs
oc|·¿ aovc·sc|¸ a||cctco |o· a øc·|oo |· c×ccss o| t'c ¬a×|¬u¬ acccøtao|c outa¿c.
|t .||| a|so 'avc to octc·¬|·c .'at ·ccos to oc oo·c |· aova·cc o| a·¸ outa¿c so t'at |ts
co·scouc·ccs ca· oc ¬|t|¿atco. |o· c×a¬ø|c, ¬ost o·¿a·|sat|o·s |·st|tutc oac'-uø a·o ·ccovc·¸
ø·occou·cs |o· t'c |·|o·¬at|o· sto·co o· t'c|· co¬øutc· s¸stc¬s. |· t'c cvc·t t'at t'c·c |s a |oss
o| oata, t'c co·scouc·ccs a·c ·coucco to t'c c×tc·t o| t'c ¿aø oct.cc· t'c oata sct t'at .as |ost
a·o t'c |ast savco vc·s|o· o| t'at oata sct.
24
Guide to Effective Control
Guide to Effective Control
Step three: implement treatments
!'|s stcø o| t'c ·|s' ¬a·a¿c¬c·t ø·occss ·cou|·cs o·¿a·|sat|o·s to cstao||s' a
ø|a· |o· |¬ø|c¬c·t|·¿ a·¸ ·c. t·cat¬c·ts, aoo|t|o·a| co·t·o|s o·
¬oo|||cat|o·s to c×|st|·¿ co·t·o|s a·|s|·¿ |·o¬ t'c ·|s' asscss¬c·t ø'asc.
|t ¬ust t'c· c·su·c t'at t'c |¬ø|c¬c·tat|o· ø|a· |s c×ccutco o¸ cstao||s'|·¿
·csøo·s|o|||t¸ a·o t|¬c|·a¬cs |o· a·¸ act|o·s ·cou|·co a·o accou·tao|||t¸ |o·
outco¬cs.
!'c ||s' |a·a¿c¬c·t Sta·oa·o ·cco¬¬c·os t'c |o||o.|·¿ ¬|·|¬u¬
oocu¬c·tat|o·
2
.
· .'o 'as ovc·a|| ·csøo·s|o|||t¸ |o· t'c |¬ø|c¬c·tat|o· o| t'c ø|a·,
· .'at ·csou·ccs a·c to oc ut|||sco,
· ouo¿ct a||ocat|o·,
· t|¬ctao|c |o· |¬ø|c¬c·tat|o·, a·o
· octa||s o| ¬cc'a·|s¬ a·o |·couc·c¸ o| ·cv|c. o| co¬ø||a·cc .|t'
t·cat¬c·t ø|a·.
2 AS/|Z -360.1999 ||s' |a·a¿c¬c·t, scc Aøøc·o|× |
Links with business continuity management
!'c |us|·css Co·t|·u|t¸ ||a· |s a risk treatment. |t is not t'c |¬ø|c¬c·tat|o·
ø|a· ·c|c··co to aoovc. !'c |¬ø|c¬c·tat|o· ø|a· s'ou|o |·c|uoc t'c ·cco to
cstao||s' a |C| || o·c oocs ·ot a|·cao¸ c×|st.
|| t'c ·|s' asscss¬c·t ø·occss 'as |u·ct|o·co c||cct|vc|¸, |t .||| 'avc |oc·t|||co
co·t·o|s a·o t·cat¬c·ts t'at ·coucc t'c ||'c||'ooo a·o co·scouc·ccs o| a|| ·|s' cvc·ts, |·c|uo|·¿
ous|·css |·tc··uøt|o·s cvc·ts, to a· acccøtao|c |cvc|.
!'c |C| |s a co··cct|vc co·t·o| t'at |s act|vatco o·|¸ a| tc· a ous|·css |·tc··uøt|o· 'as occu··co.
25
Business Continuity Management
Business Continuity Management
Step four: monitor and review
!'c oo,cct|vc o| t'c | |·a| stcø |· t'c ·|s' ¬a·a¿c¬c·t ø·occss |s to ¬o·|to·
·|s's a·o t'c c||cct|vc·css o| co·t·o|s ovc· t|¬c to c·su·c c'a·¿|·¿
c|·cu¬sta·ccs oo ·ot a|tc· ·|s' ø·|o·|t|cs o· .ca'c· t'c oøc·at|o· o| co·t·o|s.
|a·¸ o·¿a·|sat|o·s |·tc¿·atc ·|s' asscss¬c·t |·to t'c|· co·øo·atc a·o a··ua|
ous|·css ø|a··|·¿ ø·occsscs. !'|s c·su·cs ·c¿u|a·, øc·|oo|c ·cv|c. o| oot'
st·atc¿|c a·o oøc·at|o·a| ·|s's.
|cv|c. o| co·t·o|s, to c·su·c t'c¸ oøc·atc as ¬a·a¿c¬c·t |·tc·oco, 'as
t·ao|t|o·a||¸ occ· t'c ¬a,o· ·o|c o| t'c |·tc··a| auo|t |u·ct|o·. |o.cvc·, t'c
¬a,o· o·a.oac' |s t'at |t ¬a¸ |cao oøc·at|o·a| ¬a·a¿c·s to co·c|uoc t'at
|·tc··a| auo|t, ·ot t'c oøc·at|o·a| ¬a·a¿c·, |s ·csøo·s|o|c |o· t'c s¸stc¬ o|
co·t·o|.
!o cou·tc·act t'|s v|c., ¬a·¸ o·¿a·|sat|o·s 'avc |¬ø|c¬c·tco Co·øo·atc
Covc··a·cc ø·o¿·a¬s t'at '|¿'||¿'t ¬a·a¿c·'s ·csøo·s|o|||t|cs |o· co·t·o|s
3
.
!'c usc o| co·t·o| 's|¿·-o||s' a·o t'c |·t·oouct|o· o| co·t·o| sc||-asscss¬c·t
a·c t.o usc|u| |·|t|at|vcs |· t'|s a·ca.
3 !'c A|AO 'as øuo||s'co t.o |ct tc· |·act|cc Cu|ocs o|scuss|·¿ co·øo·atc ¿ovc··a·cc
a·o co·t·o| ·c|cva·t to t'|s |ssuc. Better Practice Guide to Effective Control—Controlling
Performance and Outcomes, 19´´ a·o Corporate Governance in Commonwealth Authorities
and Companies, 1999.
Links with business continuity management
As .|t' a·¸ ot'c· co·t·o|, t'c |C| ·ccos to oc ¬o·|to·co a·o ·cv|c.co |o·
c||cct|vc·css. !'|s ·cou|·cs t'at |t oc tcstco ·c¿u|a·|¸. |t a|so ·cou|·cs t'at t'c
|¬øact o| o·¿a·|sat|o·a| c'a·¿cs o· a·¸ ot'c· c'a·¿cs to c|·cu¬sta·ccs oc
co·s|oc·co to c·su·c t'c ø|a· ¬a|·ta|·s |ts cu··c·c¸.
26
Guide to Effective Control
Guide to Effective Control
27
Business Continuity Management
Business Continuity Management
The business
continuity process
Part Two
The business
continuity process
Overview of the business continuity process
Step one: Project initiation
Step two: Key business processes identification
|stao||s' 'c¸ ous|·css ø·occsscs
|a·' 'c¸ ous|·css ø·occsscs
|ctc·¬|·c act|v|t|cs t'at co·st|tutc cac' ø·occss
|atc' ·csou·ccs to act|v|t|cs
Step three: Business impact analysis (BIA)
A·a|¸s|s o| oøc·at|o·a| a·o ||·a·c|a| |¬øacts
Step four: Design continuity treatments
|oc·t||¸ a·o cva|uatc t·cat¬c·t oøt|o·s
Sc|cct a|tc··atc act|v|t|cs a·o ·csou·ccs
Step five: Implement continuity treatments
|¬ø|c¬c·t ø·cøa·ato·¸ co·t·o|s
|·cøa·c t'c |us|·css Co·t|·u|t¸ ||a· (|C|)
Step six: Test and maintain the plan
!cst t'c ø|a·
|a|·ta|· t'c ø|a·
28
Guide to Effective Control
Guide to Effective Control
29
Business Continuity Management
Business Continuity Management
Overview of the business
continuity process
C|vc· t'c|· c|osc |·tc·-·c|at|o·s'|ø, |t |s ·cco¬¬c·oco t'at a |C| oc
ocvc|oøco |· co·,u·ct|o· .|t' t'c ||s' |a·a¿c¬c·t ||a· |o· t'c o·¿a·|sat|o·.
!'|s |a·t o| t'c Cu|oc oca|s .|t' t'c stcøs ·cou|·co to ø·ooucc t'c |C| a·o
.'at ·ccos to oc oo·c to c·su·c t'at |t |s ø·oøc·|¸ ¬a|·ta|·co. !'c·c |s a
'|¿' oc¿·cc o| co¬¬o·a||t¸ oct.cc· t'c stcøs ocsc·|oco 'c·c|· a·o t'osc
o|scussco |· |a·t O·c|u·t'c· ·c|·|o·c|·¿ t'c ·cco to u·oc·ta'c t'csc stcøs
as øa·t o| a· ovc·a|| ·|s' ¬a·a¿c¬c·t ø·occss. !'c s|¬||a·|t¸ |· stcøs a|so
sc·vcs to '|¿'||¿'t t'at |t |s ·ot t'c ø·occss so ¬uc' t'at o|||c·s |· co·st·uct|·¿
a |C| out t'c u·oc·|¸|·¿ aøø·oac'.
!'c stcøs |· t'c ous|·css co·t|·u|t¸ ¬a·a¿c¬c·t ø·occss a·c.
· |·|t|atc t'c ø·o,cct,
· |oc·t||¸ 'c¸ ous|·css ø·occsscs,
· u·oc·ta'c a ous|·css |¬øact a·a|¸s|s,
· ocs|¿· t·cat¬c·ts,
· |o·¬u|atc a |C|, a·o
· tcst a·o ¬a|·ta|· t'c |C|.
!'csc stcøs a·c |||ust·atco |· ||¿u·c 6 a·o cac' stcø |s o|scussco |· octa|| |· t'c
·c¬a|·oc· o| t'|s |a·t.
Overview of the business
continuity process
As discussed in Part One of this Guide, business continuity management is an
integral part of total risk management. The top down approach to risk
management—which starts with business objectives and identifies risks; is
complemented by the bottom up approach to business continuity—which starts
with identification of resources and processes being affected by an outage.
30
Guide to Effective Control
Guide to Effective Control
Figure 6—Overview of the business continuity management process
Sou·cc. |c|o|ttc !ouc'c !o'¬atsu |·otcc'/||S |ct'ooo|o¿¸, 1999
31
Business Continuity Management
Business Continuity Management
Step one: project initiation
A ø|a· s'ou|o oc ø·cøa·co oocu¬c·t|·¿ t'c oo,cct|vcs, scoøc, a·o oou·oa·|cs
o| t'c ous|·css co·t|·u|t¸ ø|a··|·¿ ø·o,cct. !'c ¬a·a¿c·, o· ¬a·a¿c¬c·t
co¬¬|t tcc, ·csøo·s|o|c |o· t'c ø·o,cct s'ou|o aøø·ovc t'c ø|a·, |·c|uo|·¿ a
ouo¿ct. !'c ø|a· ·cco ·ot oc ovc·|¸ |a·¿c o· octa||co, out ·ccos to ·c||cct
t'c s|zc a·o co¬ø|c×|t¸ o| ous|·css co·t|·u|t¸ |ssucs |· t'c o·¿a·|sat|o·.
!ca¬ ·o|cs a·o ·csøo·s|o|||t|cs s'ou|o a|so oc cstao||s'co, a·o ·c|cva·t
·c|c·c·cc ¬atc·|a| o· c×|st|·¿ oocu¬c·tat|o· co||cctco at t'|s sta¿c.
||'c ¬ost ø|a·s, t'c ous|·css co·t|·u|t¸ ø·o,cct ø|a· s'ou|o.
· co·t|·uc to ocvc|oø ou·|·¿ t'c |||c o| t'c ø·o,cct as ¬o·c aoout t'c
o·¿a·|sat|o· a·o |ts ·|s's |s |ca··co,
· oc ø·cøa·co o¸ ¬a·a¿c·s .'o u·oc·sta·o t'c ous|·css a·o oc aøø·ovco
ø·|o· to t'c co¬¬c·cc¬c·t o| .o·', a·o
· ·c||cct t'c o·¿a·|sat|o·'s aøø·oac' to ·|s' ¬a·a¿c¬c·t.
Checklist for the development of a business continuity project plan
· |ocu¬c·t t'c ø·o,cct's oo,cct|vcs
· |c||·c a·o oocu¬c·t t'c ø·o,cct's scoøc a·o a·¸ ||¬|tat|o·s
· |×ø|a|· a·¸ assu¬øt|o·s ¬aoc
· Ass|¿· ·csøo·s|o|||t¸ |o· ø·o,cct tas's
· |·csc·t t'c ouo¿ct, |·c|uo|·¿ sta|| ·csou·ccs, ·cou|·co |o· t'c ø·o,cct
· Sct ø·o,cct t|¬c|·a¬cs a·o oc||vc·ao|cs |o· tas's
· ||a· |s |o·¬a||¸ aøø·ovco o¸ C'|c| |×ccut|vc a·o/o· aøø·oø·|atc
¬a·a¿c¬c·t co¬¬|t tcc
Case study
|·su·|·¿ t'c ous|·css co·t|·u|t¸ ø|a··|·¿ ø·o,cct .as .c||-|ocussco a·o
u·oc·stooo o¸ a|| øa·t|c|øa·ts, a øuo||c statuto·¸ ooo¸ ocvc|oøco a
·cou|·c¬c·t søcc|| |cat|o· oocu¬c·t to out||·c t'c scoøc, tas's, oc||vc·ao|cs
a·o ass|sta·cc |o· t'c ø·o,cct.
A· c×a¬ø|c o| t'|s ø|a· |s |· t'c \o·'ooo' at Stcø o·c (ø. 6).
• Document objectives,
scope and boundaries
• Establish management
committee
• Establish budget and
timetable
Executive
commitment
and
involvement
Project
plan
v v v v v
v v v v v
Sou·cc. |c|o|ttc !ouc'c !o'¬atsu |·otcc'/||S |ct'ooo|o¿¸, 1999
32
Guide to Effective Control
Guide to Effective Control
• Identify key business
objectives
• Identify key business
outputs
• Align business
processes with outputs
• Understand key
activities, resources and
dependencies
Project
plan
v v v v v
v v v v v
Step two: key business processes
identification
!'c ø·|¬a·¸ |·øut to t'c |us|·css |¬øact A·a|¸s|s (||A) |· stcø t'·cc |s a ||st
.'|c' ·a·'s t'c 'c¸ ous|·css ø·occsscs o| t'c o·¿a·|sat|o·t'at |s, t'osc
ø·occsscs cssc·t|a| to t'c oc||vc·¸ o| outøuts a·o ac'|cv|·¿ ous|·css oo,cct|vcs.
|ac' 'c¸ ø·occss |s oc||·co |· tc·¬s o| t'c act|v|t|cs u·oc·ta'c· a·o t'c
·csou·ccs co·su¬co o¸ t'osc act|v|t|cs. A st·uctu·co aøø·oac' to t'|s stcø
·cou|·cs o·¿a·|sat|o·s to.
· cstao||s' a·o ·a·' 'c¸ ous|·css ø·occsscs,
· ¬aø act|v|t|cs u·oc·ta'c· .|t'|· cac' ø·occss, a·o
· ¬atc' ·csou·ccs to act|v|t|cs.
Establish key business processes
|t |s |¬øo·ta·t, |· ø·cøa·at|o· |o· t'c ||A, t'at ¬a·a¿c¬c·t 'as a c|ca· a·o
a¿·cco u·oc·sta·o|·¿ o| t'c o·¿a·|sat|o·'s ous|·css oo,cct|vcs a·o outøuts,
a·o t'c 'c¸ ous|·css ø·occsscs .'|c' c·su·c t'csc oo,cct|vcs a·c ¬ct a·o
outøuts a·c ac'|cvco.
Cooo sta·t|·¿ øo|·ts to ac'|cvc t'|s u·oc·sta·o|·¿ a·c '|¿'-|cvc| ø|a··|·¿
oocu¬c·ts suc' as co·øo·atc ø|a·s, ous|·css ø|a·s a·o oøc·at|o·a| ø|a·s.
!'csc ø|a·s s'ou|o 'avc a|·cao¸ oocu¬c·tco t'c o·¿a·|sat|o·'s ous|·css
oo,cct|vcs a·o asscss¬c·ts o| st·atc¿|c a·o oøc·at|o·a| ·|s's.
!o ass|st |· ac'|cv|·¿ co·s|stc·c¸ |· tc·¬|·o|o¿¸ a·o co¬¬o· a¿·cc¬c·t |·
ø·occss oc||·|t|o·, o·¿a·|sat|o·s ¬a¸ .|s' to ut|||sc a ous|·css ø·occss
c|ass|||cat|o· sc'c¬c. Suc' sc'c¬cs ø·ov|oc ¿c·c·|c catc¿o·|sat|o·s o|
ous|·css ø·occsscs co¬¬o· to ¬ost o·¿a·|sat|o·s.
A· c×a¬ø|c o| suc' a sc'c¬c, aøø||co to t'c øuo||c sccto·, |s ø·ov|oco |·
||¿u·c ´. !'|s o|a¿·a¬ out||·cs t'c '¬c¿a' ous|·css ø·occsscs catc¿o·|sco
oct.cc· st·atc¿|c, oøc·at|o·a| a·o suøøo·t ø·occsscs. \|t'|· cac' mega
ø·occss a·c a ·u¬oc· o| major ous|·css ø·occsscs.
|o· c×a¬ø|c.
· Strategic processes—Monitor and review .ou|o |·c|uoc |·tc··a| auo|t,
co·t·o| a·o ·|s' sc||-asscss¬c·t, oua||t¸ ¬a·a¿c¬c·t ø·o¿·a¬s, a·o
ø·o¿·a¬ cva|uat|o· ø·occsscs,
· Operational processes—Develop ser vices cou|o |·c|uoc ocs|¿·|·¿ aøø||cat|o·
|o·¬s |o· ¿·a·ts o· cstao||s'|·¿ a ca|| cc·t·c, Sell ser vices cou|o |·c|uoc
ø·occss|·¿ c||c·t aøø||cat|o·s o· c|a|¬s, Deliver ser vices cou|o |·c|uoc
|o·¬u|at|o· a·o ø·ov|s|o· o| øo||c¸ aov|cc, a·o Monitor ser vices cou|o
|·c|uoc ¿·a·t acou|t ta| ø·occss|·¿, a·o
· Support processes—Financial resource management |·c|uocs øu·c'as|·¿ a·o
øa¸¬c·ts, øa¸·o||, cost|·¿, a·o ouo¿ct|·¿ a·o |o·ccast|·¿.
Key activity
and resource
schedule
33
Business Continuity Management
Business Continuity Management
Figure 7—Example of a process classification scheme for Government organisations
Understand stakeholders and clients
Develop objectives, outputs and outcomes
Define structure, processes and resource needs
Monitor and review
Financial resource management
Human resource management
Information resource management
Physical resource management
Design
services
‘Sell’
services
Deliver
services
Monitor
services
Strategic
processes
Operating
processes
Support
processes
!'|s sc'c¬c |s oasco o· t'c ''·|vc·sa| |·occss C|ass|||cat|o· Sc'c¬c' |o· t'c ø·|vatc sccto· ocvc|oøco o¸ t'c A¬c·|ca·
|·oouct|v|t¸ a·o Çua||t¸ Cc·t·c |· co·,u·ct|o· .|t' A·t'u· A·oc·sc·, |||, ||C a·o ×c·o×.
34
Guide to Effective Control
Guide to Effective Control
Rank key business processes
!'c 'c¸ ous|·css ø·occsscs ·cco to oc ·a·'co |· o·oc· o| t'c|· |¬øo·ta·cc to
t'c o·¿a·|sat|o·. !'|s ·a·'|·¿ s'ou|o ·c||cct t'c |¬øo·ta·cc o| t'c ous|·css
ø·occss to ac'|cv|·¿ ous|·css oo,cct|vcs a·o oc||vc·|·¿ outøuts. !'c ·a·'|·¿ o|
'c¸ ous|·css ø·occsscs ¬a¸ co·s|oc· suc' |ssucs as.
· |a||u·c to ¬cct statuto·¸ oo||¿at|o·s |o· sc·v|cc oc||vc·¸,
· |a||u·c to ¬cct 'c¸ sta'c'o|oc· c×øcctat|o·s,
· |oss o| cas' ||o.s cssc·t|a| to ous|·css oøc·at|o·s, a·o
· oc¿·cc o| ocøc·oc·c¸ o· ous|·css ø·occsscs o¸ |·tc··a| ous|·css u·|ts o·
c||c·ts.
!o oota|· t'c ·a·'|·¿, |t |s |¬øo·ta·t t'at t'c co·cc··s o| c×ccut|vc a·o
sc·|o· ¬a·a¿c¬c·t a·c oota|·co ·c¿a·o|·¿ ous|·css ø·|o·|t|cs a·o co·t|·u|t¸
|ssucs. !'c usc o| st·uctu·co |·tc·v|c.s a·o/o· |ac|||tatco ¿·ouø ¬cct|·¿s a·c
·cco¬¬c·oco too|s |o· ¿at'c·|·¿ t'|s |·|o·¬at|o·.
|· a s¬a|| o·¿a·|sat|o· |t ¬a¸ oc øoss|o|c to ¿at'c· t'|s |·|o·¬at|o· |·o¬ o·c
¿·ouø ¬cct|·¿. !'|s 'as t'c aooco aova·ta¿c o| c·su·|·¿ øa·t|c|øa·ts a·c
a.a·c o| a|| o·¿a·|sat|o·a| ø·|o·|t|cs a·o ca· a¿·cc o· t'c ·a·'|·¿ o| 'c¸
ø·occsscs, to¿ct'c· .|t' t'c|· co··csøo·o|·¿ act|v|t|cs a·o ·csou·ccs.
|· a |a·¿c o·¿a·|sat|o· |t .||| ¿c·c·a||¸ oc ·cccssa·¸ to co·ouct a sc·|cs o|
|·tc·v|c.s o· |ac|||tatco ¿·ouø scss|o·s. |· c|t'c· cvc·t, |t |s |¬øo·ta·t t'at t'c
|·|o·¬at|o· co||cctco t'·ou¿' t'csc aøø·oac'cs |s ·cøo·tco oac' to t'c
øa·t|c|øa·ts |o· t'c|· co·||·¬at|o·.
Determine activities that constitute each process
!'c ous|·css act|v|t|cs suøøo·t|·¿ 'c¸ ous|·css ø·occsscs t'c· ·cco to oc
|oc·t|| |co. !'csc a·c t'c act|v|t|cs t'at ø·ooucc a· outøut |·o¬ t'c 'c¸
ous|·css ø·occss.
!'csc ¬a¸ oc t'c act|v|t|cs o| a s|·¿|c oøc·at|o·a| a·ca |· t'c o·¿a·|sat|o·, o·
¬a¸ oc t'c act|v|t|cs o| a ·u¬oc· o| oøc·at|o·a| a·cas, .'|c' co¬o|·c to
ø·ooucc t'c outøut.
A t'o·ou¿' u·oc·sta·o|·¿ o| act|v|t|cs |s cssc·t|a| to |oc·t||¸ suc'
|·tc·-ocøc·oc·c|cs. So¬c act|v|t|cs ¬a¸ ·c|¸ o· t'c outøuts |·o¬ ot'c·
act|v|t|cs |·o¬ .|t'|· t'c o·¿a·|sat|o· (co¬¬o·|¸ ·c|c··co to as enabling
outøuts), o· cvc· |·o¬ outs|oc t'c o·¿a·|sat|o·. |o· c×a¬ø|c, c-ous|·css
so|ut|o·s ·c|¸ ·ot o·|¸ o· t'c |·tc··a| ·ct.o·' out a|so o· t'c |·tc··ct
Sc·v|cc |·ov|oc·.
!o ¿a|· t'c ·cccssa·¸ |cvc| o| u·oc·sta·o|·¿ o| act|v|t|cs a·o
|·tc·-ocøc·oc·c|cs, |t |s |¬øo·ta·t to ¬cct .|t' oøc·at|o·a| a·o suøøo·t
a·ca ¬a·a¿c·s to o|scuss t'c|· o.· u·oc·sta·o|·¿ o| t'c act|v|t|cs. !'|s ¬a¸
oc suøø|c¬c·tco o¸ ·c|c·c·cc to ø·occss ¬aøs a·o ot'c· s¸stc¬s
oocu¬c·tat|o· oota|·co |·o¬ ø·occou·c ¬a·ua|s o· |·tc··a| auo|t.
35
Business Continuity Management
Business Continuity Management
Match resources to activities
!'c ·csou·ccs ·cccssa·¸ |o· oc||vc·¸ o| t'c 'c¸ ous|·css ø·occsscs a|so ·cco
to oc |oc·t|||co. !'csc a·c t'c ·csou·ccs ·cou|·co o¸ t'c oøc·at|o·a| a·cas to
suøøo·t t'c act|v|t|cs t'at oc||vc· t'c outøuts o· ·csu|ts. \|t'out t'csc
·csou·ccs, t'c ous|·css ø·occsscs .ou|o ·ot ac'|cvc t'c|· ¿oa|s. So¬c
·csou·ccs to co·s|oc· a·c.
· peopleoot' t'c o·¿a·|sat|o·'s sta|| a·o øcoø|c c×tc··a| to t'c
o·¿a·|sat|o· .'|c' ¬a¸ oc c·|t|ca| to t'c succcss o| t'c act|v|t¸,
· infrastructureou||o|·¿s a·o ot'c· ø·oøc·t¸ usco o¸ t'c o·¿a·|sat|o· to
oc||vc· |ts sc·v|ccs a·o ø·ooucc |ts outøuts,
· assets and suppliescou|ø¬c·t a·o co·su¬ao|cs .'|c' a·c usco o¸ t'c
øcoø|c a·o t'c ø·occsscs as øa·t o| t'c act|v|t¸, a·o
· financeso¬c act|v|t|cs ·cou|·c ¬o·c¸ to oc ava||ao|c to ¬a'c øa¸¬c·ts
o· t|¬c.
Checklist to ensure all key business processes, activities and resources
are identif ied
· |ocu¬c·t a·o co·| |·¬ o·¿a·|sat|o·a| oo,cct|vcs a·o outøuts
· ||st 'c¸ ous|·css ø·occsscs t'at u·oc·ø|· ac'|cvc¬c·t o| oo,cct|vcs
a·o oc||vc·¸ o| outøuts
· |cv|c. t'c |u·ct|o·a| o·¿a·|sat|o· c'a·t to |oc·t||¸ ¿c·c·a| a·cas o|
oøc·at|o·a| ·csøo·s|o|||t¸
· |·tc·v|c. ¬a·a¿c·s ·csøo·s|o|c |o· 'c¸ ous|·css ø·occsscs to co·| |·¬
u·oc·sta·o|·¿ o| act|v|t|cs (co¬ø|c× o·¿a·|sat|o· o·|¸)
· |ocu¬c·t t'c act|v|t|cs a·o ·csou·ccs cssc·t|a| to cac' 'c¸ ous|·css
ø·occss
· |o·¬a||¸ co¬¬u·|catc t'c ||st o| 'c¸ ous|·css ø·occsscs a·o
suøøo·t|·¿ act|v|t|cs a·o ·csou·ccs to t'c ø·o,cct stcc·|·¿ co¬¬|t tcc
Example: interdependent activities and resources
A custo¬c· |au|t ·cøa|· act|v|t¸ o| a ut|||t¸ 'ao a '|¿' ous|·css ø·|o·|t¸, ¿|vc· |ts |¬øact o· øuo||c |¬a¿c.
!'c act|v|t¸ .as ocøc·oc·t o· a ca|| cc·t·c as a custo¬c· |·tc·|acc a·o o· t'c sto·cs a·ca |o· cou|ø¬c·t.
!'csc a·cas .c·c |· tu·· ocøc·oc·t o· t'c |·|o·¬at|o· tcc'·o|o¿¸ |·|·ast·uctu·c |o· custo¬c· octa||,
|·|o·¬at|o· t·a·s|c·, ø·o¿·css t·ac'|·¿ a·o stoc' |cvc| |·|o·¬at|o·.
|uc to t'csc |·tc·ocøc·oc·c|cs, t'c ·ccovc·¸ t|¬c|·a¬c |o· t'c ca|| cc·t·c, sto·cs a·o |·|o·¬at|o·
tcc'·o|o¿¸ .c·c o|·cct|¸ |·||uc·cco o¸ t'c ·ccovc·¸ ·cou|·c¬c·ts o| t'c |au|t ·cøa|· act|v|t|cs.
|·vcst|¿at|o· o| t'c sto·cs tu··ovc· octc·¬|·co t'at t'c |cvc| o| stoc' ·cta|·co |· t'c cc·t·a| a·o satc|||tc
sto·cs .as su|| |c|c·t to co·t|·uc act|v|t|cs |o· uø to a .cc'. !'|s |·|o·¬at|o· ·csu|tco |· a |o.c· ·ccovc·¸
ø·|o·|t¸ |o· t'c sto·cs act|v|t|cs a·o assoc|atco |·|o·¬at|o· tcc'·o|o¿¸ ø·occsscs.
Sou·cc. |c|o|ttc !ouc'c !o'¬atsu |·otcc'/||S |ct'ooo|o¿¸, 1999
36
Guide to Effective Control
Guide to Effective Control
Step three: business impact analysis (BIA)
|¸ t'|s stcø t'c |·|o·¬at|o· co||atco |·c|uocs.
· oocu¬c·tat|o· o| 'c¸ ous|·css ø·occsscs,
· |oc·t|| |cat|o· o| t'c act|v|t|cs a·o ·csou·ccs c·|t|ca| to t'c 'c¸ ous|·css
ø·occsscs,
· |·tc·ocøc·oc·c|cs .|t'|· a·o oct.cc· act|v|t|cs a·o ·csou·ccs, a·o
· a ø·|o·|t¸ ·a·'|·¿ o| t'c ø·occsscs, act|v|t|cs a·o ·csou·ccs .'|c'
·cø·csc·ts t'c o·¿a·|sat|o·'s a¿·cco v|c..
!'|s |·|o·¬at|o· ¬ust oc a·a|¸sco, a·o t'c oøc·at|o·a| a·o | |·a·c|a| |¬øacts
t'at .ou|o ·csu|t |·o¬ o|s·uøt|o·s to, o· |oss o|, a ous|·css ø·occss asscssco.
|·o¬ t'|s, t'c ¬a×|¬u¬ acccøtao|c outa¿c ca· oc octc·¬|·co |o· t'c c·|t|ca|
ø·occsscs a·o ·csou·ccs. !'at |s, 'o. |o·¿ ca· t'c 'c¸ ous|·css ø·occss
su·v|vc .|t'out t'c c·|t|ca| act|v|t¸ a·o/o· ·csou·cc oc|o·c |t .||| 'avc a
oct·|¬c·ta| c||cct.
Analysis of operational and financial impacts
A sc·|cs o| business impact analysis inter views .|t' t'c ¬a·a¿c·s ·csøo·s|o|c
|o· c·|t|ca| act|v|t|cs a·o ·csou·ccs .||| oc t'c ou|c'cst .a¸ to u·oc·ta'c t'c
a·a|¸s|s.
!'c a·a|¸s|s s'ou|o oc oasco o· a· outa¿c |· .'|c' a|| act|v|t|cs a·o ·csou·ccs
(|·c|uo|·¿ t'c actua| .o·' ø|acc) a·c ·ot ava||ao|c. Assu¬|·¿ t'c .o·st casc
outco¬c (tota| |oss o| t'c ø·occss a·o/o· ·csou·ccs), .||| c·su·c a|| |¬øacts
a·|s|·¿ |·o¬ a· outa¿c a·c co·s|oc·co ·c¿a·o|css o| t'c ·|s' ||'c||'ooo, at |cast
|· t'c | |·st |·sta·cc.
A· aøø·oac' |ou·oco o· ·|s' ||'c||'ooo .||| |a|| to ø·oøosc a t·cat¬c·t |o·
'|¿'|¸ u·||'c|¸ cvc·ts, ocsø|tc t'c|· |¬øact. |o· c×a¬ø|c, ·ot to 'avc a ø|a· |·
ø|acc to ·c|ocatc oøc·at|o·s o· ·ccovc· |·o¬ t'c |oss o| a ou||o|·¿ occausc
…that will never happen… .||| |cavc t'c o·¿a·|sat|o· ||ou·oc·|·¿, øoss|o|¸
|cao|·¿ to |ts oc¬|sc, s'ou|o t'c impossible 'aøøc·.
!'|s asøcct o| ·|s' ¬a·a¿c¬c·t |s aoout coø|·¿ .|t' cvc·ts t'at a·c |css ||'c|¸,
a·o 'avc a ¬a,o· |¬øact. |ost c||o·t |· ·|s' ¬a·a¿c¬c·t, a·o ,ust|| |ao|¸ so,
|s øut |·to aoo·css|·¿ ·|s's .|t' '|¿' ||'c||'ooo a·o '|¿' |¬øact·|s'
¬a·a¿c¬c·t ¬ooc|s a·o ¬ct'ooo|o¿|cs ocv|sc a·o |¬ø|c¬c·t co·t·o|s
(o· t·cat¬c·ts) to c||¬|·atc o· ·coucc t'c c||cct o| t'csc ·|s's.
\'c·c a· cvc·t |s u·||'c|¸, ¸ct |ts |¬øact |s s|¿·|||ca·t, |t ¬a¸ ·ot oc |cas|o|c to
t·cat t'c ·|s', out |t |s |o||¸ to |¿·o·c t'c ·|s'. !·cat¬c·ts |o· cac' cvc·t ·cco
to oc octc·¬|·co.
• Identify key personnel
• Schedule and conduct
interviews
• Document concerns,
priorities and
expectations
• Determine MAO
Maximum
Acceptable
Outage
Schedule
v v v v v
v v v v v
Key activity
and resource
schedule
The real purpose of a business
impact analysis is to identify those
systems that when absent would
create a danger to the enterprise’s
survival and to ensure those
systems reveive the correct priority
in the subsequent business
continuity plan.
Business Continuity Planning:
Creating a Business Impact
Analysis, InSide GartnerGroup
This Week (IGG), January 15,
1997, C. Gooding
© GartnerGroup 1999
37
Business Continuity Management
Business Continuity Management
!'c |o||o.|·¿ c'cc'||st su¬¬a·|scs t'c stcøs to oc u·oc·ta'c· to co¬ø|ctc
t'c a·a|¸s|s a·o octc·¬|·c a ¬a×|¬u¬ acccøtao|c outa¿c |o· cac' 'c¸ act|v|t¸
a·o ·csou·cc. |ac' stcø |· t'c c'cc'||st |s suøøo·tco o¸ ¿u|oa·cc a·o
sc'cou|cs co·ta|·co |· t'c |us|·css |¬øact A·a|¸s|s (||A) oucst|o··a|·c .'|c'
|s |· t'c \o·'ooo' (ø.11)t'at acco¬øa·|cs t'|s Cu|oc.
Checklist for analysing each key business process
· |va|uatc t'c |¬øacts o| a |oss o| t'c ø·occss |·o¬ t'c øc·søcct|vc o|
t'c o·¿a·|sat|o·'s ouo¿ct a·o outco¬cs a·o outøutsco·s|oc·.
- |oss o| ·cvc·uc/|·c·casco c×øc·sc
- sc·v|cc oc||vc·¸ sta·oa·os
- øuo||c o· øo||t|ca| c¬oa··ass¬c·t
- |oss o| c||c·t co·||oc·cc
- |oss o| ¬a·a¿c¬c·t co·t·o|
- ||·a·c|a| ¬|sstatc¬c·t
- ·c¿u|ato·¸, statuto·¸ o· co·t·actua| ||ao|||t¸
- søcc|||c/u·|ouc vu|·c·ao|||t|cs, a·o
- øo||t|ca| ·a¬|||cat|o·s
· |oc·t||¸ t'c c·|t|ca| succcss |acto·s t'at c·su·c t'c ø·occss ¬ccts t'c
o·¿a·|sat|o·'s oo,cct|vcs
· |oc·t||¸ aoo|t|o·a| c×øc·scs |·cu··co || act|v|t|cs a·c øc·|o·¬co
¬a·ua||¸ o· |· a suost|tutc ¬a··c· ou·|·¿ a· outa¿c
· |oc·t||¸ |·tc·|¬ ø·occss|·¿ ø·occou·cs (a|tc··at|vc o· ¬a·ua|
ø·occss|·¿) tcc'·|oucs to oc aooøtco ou·|·¿ t'c ·ccovc·¸ ø'asc
· |st|¬atc t'c t|¬c |t .||| ta'c to ovc·co¬c t'c oac'|o¿ o| .o·'
accu¬u|atco ou·|·¿ t'c outa¿c
· Çua·t||¸ t'c ¬|·|¬u¬ ·csou·cc ·cou|·c¬c·ts ·cccssa·¸ to
øc·|o·¬ t'c act|v|t¸
· |oc·t||¸ t'c ·cco·os v|ta| to t'c ·ccovc·¸ ø·occss
· |va|uatc t'c aocouac¸ o| cu··c·t |C| |· ø|acc
Sou·cc. |c|o|ttc !ouc'c !o'¬atsu |·otcc'/||S |ct'ooo|o¿¸, 1999
38
Guide to Effective Control
Guide to Effective Control
Checkpoint: management sign-off
Case studies
Small organisation
A s¬a|| statuto·¸ ooo¸ .|t' 20 sta|| co·ouctco a s|·¿|c .o·'s'oø to octc·¬|·c t'c |¬øacts o| a
o|s·uøt|o·. !'c ¿c·c·a| ¬a·a¿c· a·o sc·|o· ·cø·csc·tat|vcs |·o¬ cac' act|v|t¸ at tc·oco t'c 2-'ou·
.o·'s'oø.
A 'o|s·uøt|o· scc·a·|o' .as ø·csc·tco .|t' cac' o| t'c øa·t|c|øa·ts ocsc·|o|·¿ t'c |¬øact to t'c|· a·ca at
va·|ous t|¬c|·a¬cs. !'c øa·t|c|øa·ts .c·c ao|c to ou||o o· cac' ot'c·'s a·a|¸s|s a·o a vc·¸ c|ca· ø|ctu·c
o| t'c |¬øacts, |·tc·ocøc·oc·c|cs a·o ·ccovc·¸ ø·|o·|t|cs .as ø·ooucco.
Medium-sized organisation
A statc ¿ovc··¬c·t ooo¸ .|t' a·ou·o 150 c¬ø|o¸ccs co·ouctco a sc·|cs o| .o·'s'oøs. |ou· 2-'ou·
.o·'s'oøs .c·c 'c|o .'|c' |·c|uoco a sc·|o· ·cø·csc·tat|vc |·o¬ cac' act|v|t¸ as .c|| as ¬a·a¿c¬c·t
|·o¬ u·oc·|¸|·¿ ø·occsscs.
C|vc· t'at t'c act|v|t|cs a·o ø·occsscs .c·c co¬ø|c×, |t .as ·cccssa·¸ to søc·o c×t·a t|¬c to octc·¬|·c
t'c |¬øacts, |·tc·ocøc·oc·c|cs a·o ·ccovc·¸ ø·|o·|t|cs. A· |¬øo·ta·t c×t·a stcø .as a|so ·ccoco |· t'|s
ø·occss |· t'at a|| ·csøo·scs 'ao to oc co¬øa·co to ·csøo·scs |·o¬ ot'c· act|v|t|cs |· o·oc· to ||¬|t a·¸
o|as oct.cc· t'c scøa·atc .o·'s'oøs. !'|s o|tc· ¬ca·s ·cv|s|t|·¿ ous|·css u·|ts o· ¿ct t|·¿ |ccooac'
|·o¬ sc·|o· ¬a·a¿c¬c·t.
Large organisation
A sc·|cs o| |us|·css |¬øact A·a|¸s|s |·tc·v|c.s .c·c co·ouctco |o· a |a·¿c a·o co¬ø|c× ||stco co¬øa·¸
.|t' ovc· 2000 c¬ø|o¸ccs. |uc to t'c o·¿a·|sat|o·'s s|zc, cac' ous|·css u·|t .as c×a¬|·co scøa·atc|¸,
a·o |· so¬c cascs ø·occsscs .|t'|· t'at ous|·css u·|t .c·c ·cv|c.co scøa·atc|¸.
!'c | |·st sc·|cs o| |·tc·v|c.s ø·ov|oco a· u·oc·sta·o|·¿ o| t'c |¬øacts |·o¬ a |oss o| 'c¸ act|v|t|cs a·o
t'c |·tc·ocøc·oc·c|cs oct.cc· t'c ous|·css u·|ts. |u·t'c· |·tc·v|c.s .c·c t'c· co·ouctco .|t' sc·|o·
¬a·a¿c¬c·t to co·| |·¬ t'c ·ccovc·¸ ø·|o·|t|cs a·o ¬a×|¬u¬ acccøtao|c outa¿c t|¬c|·a¬cs |·o¬ a·
ovc·a|| o·¿a·|sat|o·a| øc·søcct|vc.
As øc· t'c ¬co|u¬ o·¿a·|sat|o· c×a¬ø|c, t'|s aøø·oac' a|so a|oco |· ||¬|t|·¿ a·¸ o|as t'at ¬a¸ 'avc
a·|sc· oct.cc· ous|·css u·|ts/|·tc·v|c.ccs.
Obtain agreement from project
committee/ project sponsor and chief
executive regarding the MAO for each
key process, critical activity and resource
39
Business Continuity Management
Business Continuity Management
Step four: design continuity treatments
!'|s stcø |oc·t|| |cs t'c t·cat¬c·ts to aoo·css, a·o to ¬|·|¬|sc t'c c||ccts o|,
o|s·uøt|o·s to cac' c·|t|ca| ous|·css ø·occss |o· .'|c' a· |AO 'as occ·
cstao||s'co.
!'c t·cat¬c·t a·a|¸s|s |oc·t|| |cs t'c ·cou|·c¬c·ts to c·su·c t'c co·t|·uco
ava||ao|||t¸ o| c·|t|ca| ø·occsscs a·o ·csou·ccs ou·|·¿ outa¿cs. !'csc
·cou|·c¬c·ts a·c oasco o· t'c ·a·'|·¿s a¿·cco |· t'c ||A a·o ø·ov|oc.
· t'c oas|s |o· søcc||¸|·¿ a·o sc|cct|·¿ a|tc··atc a·o ·cou·oa·t caøac|t¸ to
·coucc ||'c||'ooo o· |¬øact o| a· outa¿c, a·o
· ·ccovc·¸ a·o ·csto·at|o· ·cou|·c¬c·ts to oc usco || a· outa¿c occu·s.
|cco¬¬c·oat|o·s |o· cac' sc·v|cc a·ca a·c ¬aoc oasco o· t'c t·cat¬c·t
oøt|o·s sc|cctco a·o, .'c·c |oc·t|| |co, ·cco¬¬c·oat|o·s |o· |¬ø·ovc¬c·t |·
ous|·css ø·occss to oc |¬ø|c¬c·tco.
As øa·t o| t'|s ø·occss, a ·cv|c. o| v|ta| ·cco·os ¬a·a¿c¬c·t a·o oac'uø a·o
·ccovc·¸ ø·occou·cs ¬ust oc u·oc·ta'c·. !'|s .||| c·su·c ·cco·os a·o oata
ca· oc ·cco·st·uctco |o||o.|·¿ a o|sastc·. Aøøc·o|× 6 o|scusscs t'c aøø·oac'
to oua||t¸ ·cv|c. o| t'c |C|, .'|c' |·c|uocs cva|uat|·¿ oac'uø ø·occss|·¿ a·o
o||-s|tc sto·a¿c. Aøøc·o|× 9 ø·ov|ocs c'cc'||sts |o· ·cv|c. o| o||-s|tc oac'uø
ø·occou·cs
!'c outco¬c o| t'c t·cat¬c·t a·a|¸s|s .||| |o·¬ t'c oas|s o| t'c ous|·css
co·t|·u|t¸ ø|a·.
|ac' ø'asc o| t'c t·cat¬c·t a·a|¸s|s |s o|scussco |· t'c |o||o.|·¿ scct|o·s.
Identify and evaluate treatment options
|o· cac' o| t'c 'c¸ ous|·css ø·occsscs |oc·t|| |co a·o ·a·'co |· t'c ||A, t'c·c
s'ou|o oc t·cat¬c·ts t'at.
· ·coucc t'c c×øosu·c to, a·o |¬øact o|, |oss o| t'c ø·occsscs a·o ·csou·ccs
o· .'|c' t'c |u·ct|o·s ·c|¸, a·o
· |¬ø|c¬c·t a|tc··atc ø·occsscs a·o ·csou·ccs to oc usco |o||o.|·¿ a·
outa¿c a·o ø|a·s to ·ccovc· |·o¬ t'c outa¿c a·o ·csto·c ·o·¬a|
oøc·at|o·s.
|va|uat|·¿ t'c oøt|o·s ava||ao|c to c·su·c t'c co·t|·uat|o· o| ous|·css .|||
|oc·t||¸ t'c a|tc··atc act|v|t|cs a·o ·csou·ccs to oc usco s'ou|o a· outa¿c
occu·.
\a·|at|o·s to, o· ·cocs|¿· o|, c×|st|·¿ act|v|t|cs a·o ·csou·ccs s'ou|o oc
co·s|oc·co as a ¬ca·s o| ·couc|·¿ t'c c×øosu·c to, o· |¬øact o|, |oss o| a 'c¸
ous|·css ø·occss.
|· sc|cct|·¿ a|tc··atc act|v|t|cs a·o/o· ·csou·ccs, |t |s c·|t|ca| t'c |o||o.|·¿ a·cas
a·c aoo·cssco as øa·t o| t'c ous|·css co·t|·u|t¸ ø|a··|·¿ ø·occss |· ·csøcct o|
• Review existing controls
• Identify and evaluate
options
• Select alternate activities
and resources
• Implement treatments
Maximun
Acceptable
Outage
Schedule
Risk
Treatment
Plan
v v v v v
v v v v v
40
Guide to Effective Control
Guide to Effective Control
cac' |oc·t|| |co o|s·uøt|o·, ·c¿a·o|css o| t'c o·¿a·|sat|o·'s, oo,cct|vcs, s|zc o·
co¬ø|c×|t¸.
· øcoø|c,
· |ac|||t|cs (|·c|uo|·¿ ou||o|·¿s a·o cou|ø¬c·t),
· tc|cco¬¬u·|cat|o·s,
· |·|o·¬at|o· s¸stc¬s, a·o
· ous|·css act|v|t|cs.
|o· a|| c·|t|ca| act|v|t|cs a·o ·csou·ccs, |t |s ·cccssa·¸ to |oc·t||¸ ot'c·
a··a·¿c¬c·ts t'at ¬a¸ oc usco |· t'c|· ø|acc, s'ou|o t'c¸ oc |ost. |·o¬ t'osc
|oc·t|| |co, a|tc··atc act|v|t|cs a·o/o· ·csou·ccs a·c c'osc· .'|c' a||o. t'at
øa·t o| t'c ous|·css to co·t|·uc .|t' ¬|·|¬a| o|s·uøt|o·.
A|tc··atc act|v|t|cs a·o ·csou·ccs ¬a¸ oc a co¬o|·at|o· o| o|||c·c·t sc·v|ccs
o· ·cou·oa·t caøac|t¸ ·cta|·co ,ust |· casc (c¿. 'ot, o· co|o, co¬øutc· s|tcs).
Checklist for evaluating activity and resource alternatives
· |ocu¬c·t a o·|c| ocsc·|øt|o· o| cac' v|ao|c oøt|o·
· |ctc·¬|·c ot'c· ·csou·ccs ·cou|·co a·o t'c costs |o· cac' oøt|o·
(t'|s ¬a¸ ·cou|·c |·|o·¬at|o· |·o¬ vc·oo·s)
· Co¬øa·c ·ccovc·¸ oøt|o·s to |AO.
- |ocs t'c oøt|o· ¬cct t'c ·ccovc·¸ ·ccos.
- |ocs t'c oøt|o· c×ccco ou· ·ccos.
People
|coø|c a·c o|tc· ovc·|oo'co as t'c ¬ost c·|t|ca| ·csou·cc |· c·su·|·¿
co·t|·u|t¸ o| ous|·css. !'c |¬øact o| a· u·c×øcctco |oss o| 'c¸ øc·so··c|, o·
a tca¬, ca· 'avc a s|¿·|||ca·t |¬øact o· a· o·¿a·|sat|o·'s ous|·css.
!'c |¬øact o| o|s·uøt|o· o· øcoø|c s'ou|o a|so oc co·s|oc·co |· |so|at|o· a·o
as a ·csou·cc t'at |s |·tc·ocøc·oc·t .|t' cac' o| t'c a·cas oc|o.|ac|||t|cs,
tc|cco¬¬u·|cat|o·s, |·|o·¬at|o· s¸stc¬s a·o ous|·css ø·occsscs.
!'c ous|·css co·t|·u|t¸ ø|a· ·ccos to |·c|uoc t·cat¬c·ts |o· øcoø|c, .'|c'
|·c|uocs.
· aøø·oac'cs to co¬¬u·|cat|o·,
· 'u¬a· ·csou·cc |ssucs, |·c|uo|·¿ s'o·t-tc·¬ ·cø|acc¬c·ts a·o t·a|·|·¿,
· |ssucs ·c|at|·¿ to t'c o|sastc· cvc·t, a·o
· t'c øs¸c'o|o¿|ca| c||ccts o| t'c o|s·uøt|o· o· sta|| ¬o·a|c.
Sou·cc. |c|o|ttc !ouc'c !o'¬atsu |·otcc'/||S |ct'ooo|o¿¸, 1999
41
Business Continuity Management
Business Continuity Management
Example: treatment options for people
Treatment Description
Succcss|o· ø|a·s A ø·csc·|oco ø|a· o| act|o· to ·cø|acc 'c¸ sta||
s'ou|o t'c¸ oc u·ava||ao|c. !'|s ¬a¸ |·c|uoc
|oc·t||¸|·¿ understudies |· t'c o·¿a·|sat|o· o·
a¿·cc¬c·ts .|t' ø·o|css|o·a| co·t·act|·¿ a¿c·c|cs
o· .|t' ot'c· o·¿a·|sat|o·s to sou·cc oua||||co sta||
at s'o·t ·ot|cc.
S'|||s ¬a·a¿c¬c·t ø|a·s |o· |oc·t|| |co u·oc·stuo|cs, c·su·c 'c¸ |·|o·¬at|o·
a·o t'c o·¿a·|sat|o·'s '·o.|co¿c |s s'a·co so t'c¸
ca· assu¬c a ·c. ·o|c .|t' as ||t t|c |cao-t|¬c |o·
|ca··|·¿ as øoss|o|c.
|c¸ øc·so· |·su·a·cc |·su·c a¿a|·st t'c | |·a·c|a| |¬øact o| |oss o| 'c¸ sta||.
!'|s aøø·oac' ¬a¸ ·ccovc· t'c costs assoc|atco
.|t' |oss o| 'c¸ sta|| out |t |s o·|¸ a so|ut|o· to
s¸¬øto¬ o| |oos|·¿ sta||ø·oact|vc sta||
¬a·a¿c¬c·t ø·act|ccs a·c a|.a¸s ø·c|c·ao|c.
Facilities
!'c |C| s'ou|o |·c|uoc t·cat¬c·ts t'at co·cc·t·atc o· t'c ¬ost c·|t|ca|
co¬øo·c·ts o| oøc·at|o·susua||¸ øcoø|c a·o t'c|· .o·' c·v|·o·¬c·t. !'|s
sc¿¬c·t aoo·csscs t'c ø'¸s|ca| c·v|·o·¬c·t (cou|ø¬c·t a·o ou||o|·¿s) o·
.'|c' a ous|·css ø·occss ocøc·os.
!·cat¬c·ts s'ou|o oc ocvc|oøco |o· oa¬a¿c asscss¬c·t, sa|va¿c a·o
·csto·at|o· o| cou|ø¬c·t a·o ou||o|·¿s. !'c¸ s'ou|o aoo·css t'c ou||o|·¿s |·
.'|c' t'c ous|·css ø·occss oøc·atcs a·o t'c cou|ø¬c·t a·o ·csou·ccs
co·ta|·co .|t'|· t'osc ø·c¬|scs. !'c t·cat¬c·ts s'ou|o a|so a|¬ to oc
ocvc|oøco to c·su·c t|¬c|¸ ·csto·at|o· o· ·c|ocat|o· so t'c ous|·css ø·occss
ca· oc ¬ovco oac' to t'c ·csto·co ø·c¬|scs o· oc ·c|ocatco to ·c. ø·c¬|scs
a·o co·t|·uc cssc·t|a| ous|·css act|v|t|cs.
A··a·¿c¬c·ts a·o ø·occou·cs |o· ·c|ocat|·¿ |ac|||t|cs s'ou|o oc aoo·cssco.
Aoo|t|o·a| |ssucs to oc aoo·cssco |·c|uoc.
· ø·ov|s|o· |o· oac'uø ø·occss|·¿ sc·v|ccs,
· a¿·cc¬c·ts a·o act|v|t|cs ·cou|·co to t·a·s|c· |u·ct|o·s, a·o
· oocu¬c·tco ø·occou·cs to suøøo·t ous|·css |ac|||t¸ ·ccovc·¸ a·o
·csto·at|o·.
|o||o.|·¿ a ¬a,o· o|s·uøt|o·, |ac|||t¸ ·ccovc·¸ t·cat¬c·ts a|o t'c o·¿a·|sat|o·
|· suøø|c¬c·ta·¸ sta|| |·¿, ¬ovc¬c·t o· ·c|ocat|o· o| sta||, ø·occou·a| a·o
ao¬|·|st·at|vc c'a·¿cs, a·o s|tc a·o |·|·ast·uctu·c ¬oo|||cat|o·s.
42
Guide to Effective Control
Guide to Effective Control
Telecommunications
Co¬¬u·|cat|o· |s c·|t|ca| to co·t|·u|t¸ o| ous|·css |u·ct|o·s. !'c |C| s'ou|o
t'c·c|o·c |·c|uoc t·cat¬c·ts t'at aoo·css ·ccovc·¸ |·o¬ |oss o· |·tc··uøt|o·
o| vo|cc a·o oata co¬¬u·|cat|o·s, oot' .|t'|· a·o outs|oc t'c o·¿a·|sat|o·.
|· ¬a·¸ o·¿a·|sat|o·s, vo|cc ·ct.o·'s a·c ¬o·c c·|t|ca| t'a· oata ·ct.o·'s.
!·cat¬c·ts t'at oca| .|t' co¬¬u·|cat|o· |oss ca· |·c|uoc.
· t'c 'u¬a· ·csou·cc ø·occou·cs a·o ao¬|·|st·at|o· ·cou|·co to suøøo·t
t'c ous|·css |u·ct|o·,
· vc·oo· a·o ca··|c· ·c¿ot|at|o·s |· .'|c' co·t·actua| o· sc·v|cc |cvc|
a¿·cc¬c·ts a·c ¬aoc .|t' tc|cco¬¬u·|cat|o· vc·oo·s,
· a|tc··atc øat' ocs|¿· a·o s.|tc'|·¿ sc·v|ccs ·cou·oa·c¸ ca· oc ou||t |·to
co¬¬u·|cat|o·s ·ct.o·'s suc' as |A|× a·o ·ct.o·' s¸stc¬s .'|c'
c·ao|c co¬¬u·|cat|o·s to oc o|vc·tco to ot'c· |ocat|o·s ||, a·o .'c·,
·cccssa·¸,
· oac'uø cou|ø¬c·t a·o so|t.a·c .'|c' |·c|uocs oac'|·¿ uø |A|× oata,
·ct.o·' so|t.a·c a·o acou|·|·¿ ·cccssa·¸ ·cou·oa·t cou|ø¬c·t, a·o
· u·|·tc··uøt|o|c øo.c· suøø||cs ('|S) a·o ¬o·|to·|·¿ |ac|||t|cs .'|c' 'c|ø
ø·cvc·t s¸stc¬ |oss ou·|·¿ øo.c· |a||u·cs.
Information systems
|·|o·¬at|o· s¸stc¬s ¬a·a¿c t'c o·¿a·|sat|o·s ø'¸s|ca| ·cco·os
(c¿. co··csøo·oc·cc, ø·o,cct a·o ¬a·a¿c¬c·t |||cs) a·o c|cct·o·|c ·cco·os
o· co¬øut|·¿ |ac|||t|cs (c¿. c¬a||, c|cct·o·|c øo||c¸ a·o ø·occou·c ¬a·ua|s,
|o·¬s a·o |¬a¿cs), .'c·cvc· t'c¸ a·c 'ousco.
!'c |·|o·¬at|o· s¸stc¬s t·cat¬c·ts |·c|uoco |· t'c |C| ·cco to co·s|oc·.
· usc o| sccu·c a·o | |·c-ø·oo| |·-'ousc sto·a¿c |ac|||t|cs,
· a¿·cc¬c·ts a·o act|v|t|cs ·cou|·co to t·a·s|c· ø·occss|·¿ to ot'c·
|ocat|o·s,
· ø·ov|s|o· |o· oac'uø ø·occss|·¿ |ac|||t|cs (c|cct·o·|c a·o ¬a·ua|), a·o
· o||-s|tc sto·a¿c o| c·|t|ca| oata.
|·cvc·tat|vc co·t·o|s suc' as ·ooust s¸stc¬s a·o aøø||cat|o· ocs|¿·, |au|t-
to|c·a·t 'a·o.a·c, u·|·tc··uøt|o|c øo.c· suøø||cs, a·o ¬o·|to·|·¿ |ac|||t|cs
s'ou|o a|so oc co·s|oc·co. !'c ·csu|t s'ou|o oc a co¬ø|ctc a·o .o·'ao|c
st·atc¿¸ |o· cac' øa·t o| t'c |·|o·¬at|o· ø·occss a||cctco o¸ |oc·t|||co
o|s·uøt|o·s.
||st·|outco 'a·o||·¿ a·o ø·occss|·¿ o| |·|o·¬at|o· |·'c·c·t|¸ sø·caos t'c
ous|·css co·t|·u|t¸ ·|s's ac·oss a· o·¿a·|sat|o·. |o.cvc·, as øa·t o| a
co¬ø·c'c·s|vc |C|, ø|a·s s'ou|o oc ocvc|oøco |o· cac' o| t'csc s¸stc¬s,
a·o ·cco¿·|sc a·¸ |·tc·ocøc·oc·c|cs oct.cc· t'c¬ (c¿. s|·¿|c s|tc o| t'c
¬a·a¿c¬c·t s¸stc¬).
43
Business Continuity Management
Business Continuity Management
Example: treatment options for facilities, telecommunications
and systems
Treatments Application
|u·c'asc o· |casc |a¸ |o· c×t·a o|||cc søacc, |! |·|·ast·uctu·c,
·cou·oa·t caøac|t¸ co¬¬u·|cat|o·s, ctc.
Co·t|·¿c·c¸ |·tc· a· a¿·cc¬c·t .|t' a· outs|oc vc·oo· to
a··a·¿c¬c·ts ø·ov|oc sc·v|cc |· t'c cvc·t o| a· outa¿c (|c. 'ot s|tc,
.a·¬ s|tc, a·o co|o s|tc).
|utua||¸ oc·c||c|a| |·tc· |·to a· a¿·cc¬c·t .|t' a·ot'c· o·¿a·|sat|o· to
a¿·cc¬c·ts usc øa·t o| t'c|· |ac|||t|cs |· t'c cvc·t o| a o|sastc·.
!'csc t¸øcs o| a¿·cc¬c·ts ca· oc c·tc·co |·to .|t'
ot'c· o·¿a·|sat|o·s to ac'|cvc t'c ot'c· oøt|o·s
(|c. øu·c'as|·¿ a 'ot-s|tc a¿·cc¬c·t to¿ct'c·).
Business processes
As a· outa¿c ¬a¸ |¬øact ¬o·c t'at o·c ous|·css ø·occss, t'c t·cat¬c·ts
ocvc|oøco |o· cac' ø·occss ·cco to oc co·so||oatco a·o, u|t|¬atc|¸, |·o|v|oua|
ous|·css ø·occss ø|a·s a·c co¬o|·co |·to a· o·¿a·|sat|o·-.|oc ø|a·.
\'||c t'|s |s t'c | |·a| stcø |· octc·¬|·|·¿ t·cat¬c·t oøt|o·s, t'c co·ccøt o|
coo·o|·at|o· s'ou|o o·|vc t'c c·t|·c aøø·oac'. !'|s |s c·uc|a| to a· c||cct|vc
|C| as |t ·cco¿·|scs t'c |·tc·ocøc·oc·c|cs oct.cc· ous|·css ø·occsscs .|t'|·
t'c o·¿a·|sat|o·.
|us|·css ø·occss t·cat¬c·ts |·c|uoco |· t'c |C| s'ou|o aoo·css t'c act|v|t|cs
a·o ·csøo·s|o|||t|cs o| a ous|·css |u·ct|o· to c·su·c co·t|·u|t¸ o| cssc·t|a|
ous|·css |u·ct|o·s |·o¬ t'c øo|·t o| o|s·uøt|o· to t'c ·ctu·· o| ·o·¬a|
oøc·at|o·s.
Example: treatment options for business processes
Treatments Application
A|tc· cu··c·t O| tc· cu··c·t ø·occsscs a·o ·csou·ccs ca· oc
a··a·¿c¬c·ts c'a·¿co as a cost-c||cct|vc so|ut|o·. |o· c×a¬ø|c,
sø||t t|·¿ oata ø·occss|·¿ oct.cc· t.o o|||ccs. |· t'c
cvc·t o| |oss o| o·c s|tc, t'c ot'c· s|tc |s st|||
|u·ct|o·|·¿.
A|tc· cu··c·t O| tc· a cu··c·t (o· cvc· ·o·-cu··c·t) sc·v|cc
ø·occsscs ø·ov|oc· .ou|o oc .||||·¿ to ¿|vc a ¿ua·a·tcco |cvc| o|
sc·v|cc |· a o|sastc· s|tuat|o· to ·csto·c ·csou·ccs at
¬|·|¬a| cost.
44
Guide to Effective Control
Guide to Effective Control
Select alternate activities and resources
A cost-c||cct|vc st·atc¿¸ |o· ·ccovc·¸, sat|s|¸|·¿ t'c ·cou|·c¬c·ts o| t'c
ous|·css s'ou|o oc sc|cctco |·o¬ t'c oøt|o·s |oc·t|| |co. !o c·ao|c t'|s c'o|cc
to oc ¬aoc, |t |s ·cccssa·¸ t'at cac' oøt|o· oc costco.
Costs |·c|uoc.
· o|·cct costs- suc' as øu·c'asc ø·|cc |o· c×t·a cou|ø¬c·t, a·o
· |·o|·cct costs-suc' as cost to cstao||s' a·o ¬a|·ta|· ·c. cou|ø¬c·t.
A|| costs ·cco to oc ca·c|u||¸ co·s|oc·co as |·o|·cct costs suc' as ¬a|·tc·a·cc
ca· o|tc· c×ccco o|·cct øu·c'asc costs.
|· ¬a·¸ cascs |t |s øoss|o|c to oc|c· a||, o· a s|¿·|||ca·t øo·t|o·, o| t'c costs
u·t|| a· cvc·t occu·s a·o t'c co·t|·u|t¸ ø|a· |s act|vatco. |o· c×a¬ø|c,
·csto·at|o· o| cssc·t|a| ø'o·c co¬¬u·|cat|o·s ¬a¸oc 'a·o|co .|t' t'c
øu·c'asc o| su|| |c|c·t ¬oo||c ø'o·cs .'c· ·cou|·co, |· t'c '·o.|co¿c ¬ost
ca··|c·s ca· ø·ov|oc t'c¬ .|t'|· 'ou·s. A¿·cc¬c·ts .|t' vc·oo·s ¬a¸ oc
cstao||s'co to c·su·c t|¬c|¸ oc||vc·¸ o· oc¬a·o at a sct ø·|cc.
!'c sc|cctco a|tc··atc ø·occsscs a·o ·csou·ccs s'ou|o oc oocu¬c·tco a|o·¿
.|t' t'c ·at|o·a|c |o· t'c|· sc|cct|o·.
Case studies: alternate treatments
People
A statuto·¸ ooo¸ 'ao ø·cv|ous|¸ ocvc|oøco a Sta|| Co¬¬u·|cat|o·s St·atc¿¸ out||·|·¿ t'c ¬ct'oos to
|·|o·¬ sta|| o| cvc·ts |· t'c o·¿a·|sat|o·. |o||o.|·¿ a ·cv|c., |t .as octc·¬|·co t'at t'|s st·atc¿¸ .as
su|tao|c |o· a o|sastc· s|tuat|o· a·o .as |·co·øo·atco |· t'c |C|. |¸ us|·¿ øo||c|cs a|·cao¸ |· ø|acc, t'c
·u¬oc· o| |ssucs ·c|at|·¿ to øcoø|c to oc aoo·cssco .as ·coucco.
Facilities
A· o·¿a·|sat|o· .|t' a ·c|at|vc|¸ |a·¿c ¬a×|¬u¬ acccøtao|c outa¿c octc·¬|·co t'c·c .as ·o ·cco to
oota|· |ac|||t|cs |¬¬co|atc|¸ |o||o.|·¿ a o|sastc·. |t co·tactco a |oca| ·ca| cstatc a¿c·t a·o as'co |t to
¬a|·ta|· a ||st o| su|tao|c a|tc··at|vc o|||cc søacc, so t'at |· t'c cvc·t o| a· outa¿c t'|s |·|o·¬at|o· cou|o
oc cas||¸ oota|·co.
Telecommunications
A |a·¿c øuo||c sccto· o·¿a·|sat|o· 'ao a· a¿·cc¬c·t |o· suøø|¸ o| a \|oc A·ca |ct.o·' (\A|) .|t' a
|a·¿c tc|cco¬¬u·|cat|o·s ø·ov|oc·. !'c|· |·|o·¬at|o· s¸stc¬s ·ccovc·¸ st·atc¿¸ su¿¿cstco t'at t'c¸
s'ou|o ¬ovc ø·occss|·¿ to t'c|· scco·o o|| |cc, 'o.cvc·, t'c \A| to t'|s |ocat|o· cou|o ·ot suøøo·t t'c
·ct.o·' t·a|| |c. |o||o.|·¿ co·su|tat|o·, t'c sc·v|cc ø·ov|oc· a¿·cco to ø·ov|oc c×t·a oa·o.|ot' o· a
co·t|·¿c·c¸ oas|s to t'c scco·o |ocat|o· at ·o cost.
|· a·ot'c· c×a¬ø|c, a·o o·¿a·|sat|o· oc||·co |ts c·|t|ca| ø'o·c ·u¬oc·s, a·o t'c tc|cco¬¬u·|cat|o·s
ø·ov|oc· a¿·cco to s.|tc' t'csc ·u¬oc·s to a· a|tc··at|vc |ocat|o· |¬¬co|atc|¸ |o||o.|·¿ a· outa¿c. !'|s
a¿·cc¬c·t .as |·co·øo·atco |·to t'c co·t·act.
45
Business Continuity Management
Business Continuity Management
Case studies: alternate treatments (continued)
Information systems
A· o·¿a·|sat|o· .|t' a ¬a×|¬u¬ acccøtao|c outa¿c |o· |·|o·¬at|o· s¸stc¬s o| | |vc oa¸s, søo'c to t'c|·
cu··c·t sc·v|cc ø·ov|oc· .'o a¿·cco to |·c|uoc as øa·t o| t'c ¬a|·tc·a·cc/sc·v|cc co·t·act a o|sastc·
·ccovc·¸ c|ausc .'|c' statco t'at t'c¸ .ou|o ·cø|acc |·|·ast·uctu·c .|t'|· t'·cc oa¸s. !'|s .as oota|·co
at ·o cost ¿|vc· t'at t'c o·¿a·|sat|o· .as a· |¬øo·ta·t custo¬c· o| t'c sc·v|cc ø·ov|oc·.
Step five: implement continuity treatments
Sc|cct|o· o| co·t|·u|t¸ a·o ·ccovc·¸ t·cat¬c·ts .||| |cao to.
· |¬ø|c¬c·tat|o· o| ø·occou·cs to suøøo·t ·ccovc·¸ |·o¬ a o|s·uøt|o· to
ous|·css, a·o
· oocu¬c·tat|o· o| t'c ·ccovc·¸ a··a·¿c¬c·ts.
|·occou·cs |¬ø|c¬c·tco to suøøo·t ·ccovc·¸ .||| ·cco to oc oot'
ø·cøa·ato·¸ a·o ·cact|vc.
|·cøa·|·¿ |o· ·ccovc·¸ |·vo|vcs øut t|·¿ |· ø|acc co·t·o|s t'at .||| ¬|t|¿atc t'c
co·scouc·ccs o| a ous|·css |·tc··uøt|o· s'ou|o |t occu·. !'·cc o| t'c ¬ost
|¬øo·ta·t suc' co·t·o|s |·c|uoc oac'-uø ø·occsscs, ·cco·os ¬a·a¿c¬c·t, a·o
|o·¬a| co·t|·¿c·c¸ a··a·¿c¬c·ts .|t' c×tc··a| øa·t|cs.
|ocu¬c·tat|o· o| t'c ·ccovc·¸ a··a·¿c¬c·ts to oc |¬ø|c¬c·tco a|tc· a·
outa¿c 'as occu··co |s t'c ·o|c o| t'c |us|·css Co·t|·u|t¸ ||a·.
A sc·|cs o| c'cc'||sts |s |·c|uoco |· t'c aøøc·o|ccs to t'|s Cu|oc to ass|st .|t'
ocvc|oø|·¿ co·t|·u|t¸ t·cat¬c·ts. !'c c'cc'||sts covc·.
· A|tc··atc ø·occss|·¿ co·t·act co·s|oc·at|o·s (Aøøc·o|× 1),
· |o|cs, ·csøo·s|o|||t|cs a·o a c'cc'||st |o· t'c |oa·o a·o auo|t
co¬¬|t tcc (Aøøc·o|× 2),
· |o|cs, ·csøo·s|o|||t|cs a·o a c'cc'||st |o· t'c C'|c| |×ccut|vc O|||cc·
(Aøøc·o|× 3),
· |o|c a·o ·csøo·s|o|||t|cs o| t'c |ccovc·¸ Coo·o|·ato· (Aøøc·o|× -),
· |o|cs a·o ·csøo·s|o|||t|cs o| t'c sc·v|cc a·ca ·ccovc·¸ tca¬s (Aøøc·o|×5),
· C'cc'||sts |o· oua||t¸ assu·a·cc o| |C| ocvc|oø¬c·t (Aøøc·o|× 6), a·o
· ||¬|tat|o·s o| |C|s (Aøøc·o|× ´).
• Establish recovery teams
• Document service area
recovery steps
• Obtain contact and
inventory lists
• Document recovery
management process
Risk
Treatment
Plan
v v v v v
v v v v v
Business
Continuity
Plan
46
Guide to Effective Control
Guide to Effective Control
Implement preparatory controls
Back-up
|asco o· t'c ·csu|ts o| t'c |us|·css |¬øact A·a|¸s|s, t'c ·csou·ccs ·cou|·co to
·ccovc· a·o ·csto·c cssc·t|a| ous|·css ø·occsscs a·c |oc·t|| |co.
!o act|vatc a |C| |t .||| oc ·cccssa·¸ to oota|· acccss to |·|o·¬at|o· a·o
·csou·ccs suøøo·t|·¿ t'c 'c¸ ous|·css |u·ct|o·s. |· t'c cvc·t o| a· outa¿c |t
¬a¸ st||| oc øoss|o|c to oota|· t'csc |·o¬ t'c o·¿a·|sat|o·'s ø·c¬|scs, out t'|s
.||| ·ot a|.a¸s oc t'c casc.
|c||ao|c o||-s|tc sto·a¿c a·o oac'uø ø·occou·cs .||| c·su·c |·|o·¬at|o·
cssc·t|a| to co·t|·uco ous|·css |s ava||ao|c as, a·o .'c·, ·ccoco.
|csou·ccs ·cou|·co |o· ·ccovc·¸ suc' as oocu¬c·tat|o·, |o·¬s, suøø||cs, oata
a·o ø·o¿·a¬s s'ou|o oc oota|·co (coø|cs o· oac'co-uø |· t'c casc o|
c|cct·o·|c oata) a·o oc 'cøt at a sccu·c o||-s|tc |ac|||t¸.
O||-s|tc sto·a¿c |ac|||t|cs s'ou|o 'avc su|tao|c c·v|·o·¬c·ta| a·o sccu·|t¸
co·t·o|s a·o t'c ·csou·ccs a·o |·|o·¬at|o· s'ou|o oc ø·otcctco |·o¬
u·aut'o·|sco acccss ¬oo|| |cat|o·, o|s·uøt|o· o· usc ou·|·¿ sto·a¿c.
!'c |o||o.|·¿ c'cc'||st ocsc·|ocs t'c stcøs |o· cva|uat|·¿ o||-s|tc sto·a¿c a·o
oac'-uø ø·occss|·¿ ·cou|·c¬c·ts.
Checklist for evaluating off-site storage and back-up processing
· |·su·c a|| ·csou·ccs ·cou|·co |o· t'c sc|cctco st·atc¿|cs a·c sto·co
o||s|tc
· |cv|c. oocu¬c·tco o||-s|tc oac'uø ø·occss|·¿ sta·oa·os a·o
ø·occou·cs, || t'c¸ c×|st || sta·oa·os a·o ø·occou·cs oo ·ot c×|st,
c·su·c t'c¸ a·c ocvc|oøco
· |·tc·v|c. øc·so··c| ·csøo·s|o|c |o· |¬ø|c¬c·tat|o· o| oac'uø
ø·occou·cs to scc || t'c·c |s ao'c·a·cc to ø·occou·cs
· |ocu¬c·t 'c¸ c|c¬c·ts o| t'c o||-s|tc oac'uø ø·occou·cs |o·
|·c|us|o· |· t'c aøø·oø·|atc scct|o·s o| t'c co·t|·¿c·c¸ ø|a·
· A·a|¸sc o||-s|tc oac'uø ø·occss|·¿ ø·occou·cs a·o oocu¬c·t
co·cc··s
|otc. A octtc· ø·act|cc c'cc'||st |o· o||-s|tc sto·a¿c |s |·c|uoco |· Aøøc·o|× 9 to t'|s Cu|oc
ca· oc usco as t'c oas|s |o· a·a|¸s|·¿ |ssucs .|t' o||-s|tc oac'uø ø·occss|·¿
· Sc'cou|c ·cv|c. o| o||-s|tc sto·a¿c |ac|||t¸. (co¬ø|c× o·¿a·|sat|o· o·|¸)
· Co·s|oc· tcst|·¿ øa·t|a| ·ccovc·¸ |·o¬ o||-s|tc |ac|||t|cs (co¬ø|c×)
O||-s|tc sto·a¿c ø·occou·cs s'ou|o oc ¬oo|||co to a||¿· ·out|·c oøc·at|o·a|
·cou|·c¬c·ts .|t' t'osc |oc·t|||co |· t'c ·ccovc·¸ st·atc¿|cs to c·su·c
·csou·ccs sto·co o||-s|tc, a·o acccss to t'c¬, |s ava||ao|c to ¬cct oot'
s|tuat|o·s.
Sou·cc. |c|o|t tc !ouc'c !o'¬atsu |·otcc'/||S |ct'ooo|o¿¸, 1999
47
Business Continuity Management
Business Continuity Management
Records management
As øa·t o| t'c ||A, v|ta| ·cco·os suøøo·t|·¿ t'c c·|t|ca| ous|·css ø·occsscs
.c·c |oc·t|||co. |· o·oc· |o· t'csc v|ta| ·cco·os to oc ø·oøc·|¸ ·csto·co |t |s
·cccssa·¸ to c·su·c a su|tao|c ·cco·os ¬a·a¿c¬c·t ø·o¿·a¬ |s |· ø|acc.
!'c |¬øacts o| ·ot 'av|·¿ ø·oøc· oocu¬c·t a·o oata ¬a·a¿c¬c·t
t·cat¬c·ts |· ø|acc a·c ¬a·¸. !'c¸ |·c|uoc t'c ¬a·a¿c¬c·t o| 'a·ocoø¸ a·o
c|cct·o·|c ·cco·os oata as .c|| as a·c'|v|·¿ øo||c|cs |o· oot' |o·¬s o| ·cco·os.
Co·t|·u|t¸ |ssucs |· ·cco·o ¬a·a¿c¬c·t c×tc·o oc¸o·o ,ust 'ccø|·¿ ous|·css
ø·occsscs |· ø|acc. |cco·o ¬a·a¿c¬c·t 'as |o·¿-tc·¬ |¬ø||cat|o·s |o· t'c
o·¿a·|sat|o· a·o st·atc¿|cs s'ou|o co·s|oc·.
· |c¿a| ·cou|·c¬c·ts a·o c×øosu·cs,
· aovc·sc a||ccts o· øuo||c |¬a¿c t'·ou¿' |·ao|||t¸ to oc||vc· |·|o·¬at|o·,
· |·c|||c|c·c¸ ac·oss a|| ø·occsscs |· |ocat|·¿ a·o ut|||s|·¿ |·|o·¬at|o·,
· øo||t|ca| ·a¬|| |cat|o·s o| ·o·-oc||vc·¸ o| a sc·v|cc o· |·|o·¬at|o·,
· sta'c'o|oc· o|ssat|s|act|o·, a·o
· occ|s|o·-¬a'|·¿ ø·occsscs .'|c' .||| oc a||cctco.
|cvc|oø¬c·t a·o |¬ø|c¬c·tat|o· o| oocu¬c·t ¬a·a¿c¬c·t ø·occou·cs
s'ou|o |·c|uoc t'c ø·occou·cs ·cccssa·¸ |o· ¬a·a¿c¬c·t o| oot' ø'¸s|ca| a·o
c|cct·o·|c ·cco·os.
|cvc|oø¬c·t o| oocu¬c·t ¬a·a¿c¬c·t ø·occou·cs |s øa·t o| t'c
o·¿a·|sat|o·'s ovc·a|| |·|o·¬at|o· ¬a·a¿c¬c·t st·atc¿¸. ||s's assoc|atco .|t'
|·|o·¬at|o· ¬a·a¿c¬c·t s'ou|o oc aoo·cssco |· t'c ø|a·s t'at u·oc·ø|· t'c
st·atc¿¸. |·occou·cs ca· oc o·o'c· |·to | |vc øa·ts.
Develop hardcopy document
management guidelines
Develop archiving guidelines
Develop electronic and data
management guidelines
Develop data security and information
guidelines
Implement the guidelines
Figure 8—Records management procedures
48
Guide to Effective Control
Guide to Effective Control
!'c Australian Archives Handbook on Record Management
-
sa¸s a ¿ooo ·cco·os
¬a·a¿c¬c·t s¸stc¬ .||| c·su·c.
· t'c ·|¿'t ·cco·os a·c c·catco,
· |·|o·¬at|o· |s 'cøt o· .'o uscs t'c ·cco·os, .'¸ t'c¸ a·c usco a·o 'o.
t'c¸ a·c ¬a·|øu|atco,
· øcoø|c .'o ·cco t'c ·cco·os ca· |ocatc t'c¬,
· ·cco·os a·c ¬a|·ta|·co |· a uscao|c |o·¬at, a·o
· ·cco·os a·c 'cøt |o· as |o·¿ as t'c¸ a·c ·ccoco a·o |o· ·o |o·¿c·.
!'c |c¿a| ·cou|·c¬c·ts to ¬a|·ta|· ·cco·os va·¸ ac·oss o·¿a·|sat|o·s a·o
s'ou|o oc co·s|oc·co |· |o·¬u|at|·¿ a |C|. A ¿ooo ·cco·os ¬a·a¿c¬c·t
s¸stc¬ .||| |·c|uoc co·s|oc·at|o· o| t'c ¬a·a¿c¬c·t o| ·cco·os v|ta| to
ous|·css co·t|·u|t¸.
- |o· t'|s oocu¬c·t a·o |u·t'c· |·|o·¬at|o· scc t'c |at|o·a| A·c'|vcs o| Aust·a||a .cos|tc
'ttø.//....·aa.¿ov.au
Case study
!'c |a·'sto.· C|t¸ Cou·c|| ||·c .as ·cøo·tco .|oc|¸ |· t'c ø·css |o· t'c |¬øacts t'c o|sastc· 'ao o·
t'c Cou·c|| a·o t'c co¬¬u·|t¸. !'c Cou·c|| o|o ·ot 'avc a |us|·css Co·t|·u|t¸ ||a·.
!'c t'c· |o·o |a¸o· o| |a·'sto.· '|¿'||¿'tco, t'at ·ccovc·¸ o| |·|o·¬at|o· tcc'·o|o¿¸ s¸stc¬s .as
·ot, as so¬c ¬a¸ 'avc c×øcctco, a ø·oo|c¬. !'c·c .c·c su|| |c|c·t oac'uø a·o sto·a¿c ø·occou·cs |·
ø|acc, a·o |t .as ·ot too o||||cu|t to ·cco·st·uct t'c |·|o·¬at|o· s¸stc¬s.
The biggest problem was that the f ire burned a lot of vital records and historical artefacts beyond recover y
and reconstruction. The lack of documented management procedures made recover y of information virtually
impossible.
Checklist for assessing vital records management program Current plan
· |ocs |t ø·ov|oc a |·a¬c.o·' to c·su·c sccu·|t¸ o|
|·|o·¬at|o· ocvc|oøco. `cs t |o t
· |ocs |t cstao||s' a |·a¬c.o·' o¸ c·su·|·¿ |·tc¿·|t¸
a·o co¬ø|ctc·css o| |·|o·¬at|o·. `cs t |o t
· |ocs |t c·su·c o·|¸ aut'o·|sco øc·so··c| 'avc acccss to
|·|o·¬at|o·|·c|uo|·¿ |¬ø|c¬c·t|·¿ a c|ass|||cat|o· s¸stc¬. `cs t |o t
· |ocs |t c·su·c usc·s o| |·|o·¬at|o· a·c a.a·c o| a·o
oosc·vc a|| ·c|cva·t |a.s a·o ·c¿u|at|o·s. `cs t |o t
|| t'c a·s.c· to a·¸ oucst|o· |s '|o', t'at asøcct o| ·cco·os ¬a·a¿c¬c·t ·ccos to oc ·cv|c.co.
49
Business Continuity Management
Business Continuity Management
Arrangements with external parties
|t |s ·cccssa·¸ to |o·¬a||sc aøø·oø·|atc a··a·¿c¬c·ts .|t' vc·oo·(s) sc|cctco
as a|tc··atc suøø||c·s.
!'c |o||o.|·¿ c'cc'||st ca· oc usco to c·su·c suc' co·t|·u|t¸ t·cat¬c·ts a·c
ø·oøc·|¸ |¬ø|c¬c·tco.
Checklist for evaluating implementation of external arrangements
· |·su·c |o· cac' t·cat¬c·t sc|cctco, t'c ||'c|¸ costs a·c t'c ¬ost
co¬¬c·c|a||¸ v|ao|c (|c. |·vcst|¿atc ot'c· vc·oo·s |· t'c ¬a·'ctø|acc)
• |oc·t||¸ ot'c· ·cou|·c¬c·ts o· c'a·¿cs t'at ·cco to oc ¬aoc |·
o·oc· |o· t'c t·cat¬c·ts to oc c||cct|vc
• C'a·¿cs to o||-s|tc sto·a¿c ø·occou·cs s'ou|o oc ¬aoc as |oc·t|| |co
· |cv|c. co·t·acts to c·su·c t'c¸ oc¬o·st·atc oct tc· ø·act|cc |o·
co·t·act ¬a·a¿c¬c·t as .c|| as co¬ø|¸ .|t' |·tc··a| ¿u|oc||·cs |o·
co·t·act ¬a·a¿c¬c·t
· ||·a||sc co·t·acts
Case study
A· o·¿a·|sat|o· 'ao a ¬a|·tc·a·cc a¿·cc¬c·t .|t' a tc|cco¬¬u·|cat|o·s ø·ov|oc·. !'|s o·¿a·|sat|o·
.as o·|¸ ao|c to |·c|uoc a o|sastc· ·ccovc·¸ c|ausc |· t'c|· co·t·act at a |a·¿c aoo|t|o·a| cost. A·ot'c·
sc·v|cc ø·ov|oc· o||c·co to ø·ov|oc sc·v|ccs .|t' ·o aoo|t|o·a| cost |o· t'c o|sastc· ·ccovc·¸ c|ausc. |o·
t'|s ·caso·, t'c o·¿a·|sat|o· o|o ·ot ·c·c. |ts co·t·act .|t' |ts tc|cco¬¬u·|cat|o·s sc·v|cc ø·ov|oc· a·o
c'a·¿co to t'c ¬o·c cost-c||cct|vc ø·ov|oc· t'at ¬ct t'c|· ous|·css co·t|·u|t¸ ·ccos.
A checklist to assist with
consideration of
alternate processing
contract arrangements
can be found at
Appendix 1
Sou·cc. |c|o|ttc !ouc'c !o'¬atsu |·otcc'/||S |ct'ooo|o¿¸, 1999
50
Guide to Effective Control
Guide to Effective Control
Figure 9—Stages in recovery of business operations.
|ac' ø'asc |s oc| |·co as |o||o.s.
· Response: t'c t|¬c |·o¬ disaster occ|a·at|o· u·t|| c·|t|ca| s¸stc¬s a·o
ø·occsscs 'avc occ· ·c-cstao||s'co us|·¿ st·atc¿|cs oocu¬c·tco |· |C|.
· Interim processing: t'c øc·|oo t'c o·¿a·|sat|o· ·c||cs o· a|tc··atc
ø·occsscs a·o ·csou·ccs.
· Restoration: t'c øc·|oo t'c o·¿a·|sat|o· ·ctu··s |·o¬ us|·¿ a|tc··atc
ø·occsscs a·o ·csou·ccs oac' to usc o| |ts usual cstao||s'co s¸stc¬s a·o
business as usual.
!'c ous|·css co·t|·u|t¸ ø|a·s ø·ooucco s'ou|o co·s|st o| octa||co stcø-o¸-stcø
ø·occou·cs. !'c¸ s'ou|o co·ta|· act|o·-o·|c·tco ø·occou·cs to oc usco o¸
·ccovc·¸ tca¬s. !'csc ø·occou·cs a·c oasco o· t'c aøø·ovco ·ccovc·¸
t·cat¬c·ts a·o a|tc··atc act|v|t|cs a·o ·csou·ccs |oc·t|| |co a·o ta'c |·to
accou·t t'c ·ccovc·¸ ·cao|·css ø·occou·cs a·o a··a·¿c¬c·ts.
Act|v|t|cs ·cccssa·¸ to ·csto·c ø·|¬a·¸ |ac|||t|cs a·o ·ctu·· to ·o·¬a|
oøc·at|o·s s'ou|o oc aoo·cssco ¬o·c |· t'c |o·¬ o| ¿u|oa·cc t'a· o¸ octa||co
act|o· stcøs .'|c' ca· ou|c'|¸ occo¬c oatco a· |ac' co·tc×t.
Prepare the Business Continuity Plan (BCP)
|us|·css co·t|·u|t¸ ø|a·s a·c a co¬ø||at|o· o| |·o|v|oua| ·ccovc·¸ o·
co·t|·¿c·c¸ ø|a·s, o·ou¿'t to¿ct'c· .|t' a· ovc·a·c'|·¿ ¬a·a¿c¬c·t ø|a· to
coo·o|·atc t'c |o.c· ø|a·s.
!'c |C| aoo·csscs ous|·css o|s·uøt|o· |·o¬ t'c |·|t|a| o|sastc· ·csøo·sc to
t'c øo|·t at .'|c' ·o·¬a| ous|·css oøc·at|o·s a·c ·csu¬co. !'c¸ ¬a¸ |·c|uoc
o|sastc· ·csøo·sc ø|a·s t'at a·c sc·v|cc a·ca søcc|||c, oøc·at|o·a| ·ccovc·¸
ø|a·s, as .c|| as ·csto·at|o· a·o t·a·s|c· o| oøc·at|o·s ø|a·s a·o ¿u|oc||·cs as
aøø·oø·|atc.
!'c t·cat¬c·ts to ovc·co¬c |oc·t|||co o|s·uøt|o·s ·cco to aoo·css t'c sta¿cs
·cccssa·¸ to co¬ø|ctc ·ccovc·¸.
51
Business Continuity Management
Business Continuity Management
!o ø·ooucc a co¬ø·c'c·s|vc |C| t'c |o||o.|·¿ stcøs a·c ·cco¬¬c·oco.
· oc||·c t'c ·ccovc·¸ o·¿a·|sat|o·,
· oc||·c t'c ·ccovc·¸ tca¬,
· ocvc|oø a·o |·tc¿·atc ser vice area ·ccovc·¸ ø|a·s,
· ocvc|oø t'c ovc·-a·c'|·¿ management ·ccovc·¸ ø|a·, a·o
· co||atc co·tact ||sts, |·vc·to·¸ ||sts a·o ot'c· ·c|c·c·ccs.
The recovery organisation
||¿u·c 10 ø·ov|ocs a ¿c·c·|c st·uctu·c |o· t'c ·ccovc·¸ o·¿a·|sat|o·. !'c
va·|ous |a¸c·s |· t'|s st·uctu·c a·c.
· |ccovc·¸ coo·o|·ato·coo·o|·atcs t'c va·|ous tca¬s oc|o. a·o
·cøo·ts o|·cct|¸ to t'c C|O a·o |×ccut|vc.
· |ccovc·¸ a·o ¬a·a¿c¬c·t tca¬ssc·v|cc a·ca tca¬s ·csøo·s|o|c |o·
|¬ø|c¬c·tat|o· o| |C| a·o ·ccovc·¸ o| s¸stc¬s |o||o.|·¿ a· |·c|oc·t.
· |ccovc·¸ ø|a· suøøo·t ø·occsscsø·occsscs ·cccssa·¸ to suøøo·t t'c
¬a·a¿c¬c·t a·o tcc'·|ca| ·ccovc·¸ ø|a·s |·c|uo|·¿ 'u¬a· ·csou·cc
¬a·a¿c¬c·t a·o co¬¬u·|cat|o·.
Checklists to
assist in defining
the roles and
responsibilities
of the Board
and CEO, can
be found at
Appendix 2 and
Appendix 3,
respectively
The roles and
responsibilities of
the Recovery
Coordinator and
the service area
recovery teams,
can be found at
Appendix 4 and
Appendix 5,
respectively
Figure 10—A generic structure for the recovery organisation
CEO and Board
Recovery
Coordinator
|o· cac' ·ccovc·¸ a·ca, a tca¬ |caoc· s'ou|o oc |oc·t|||co |· t'c ø|a· as oc|·¿
·csøo·s|o|c |o· t'at a·ca.
|· a s¬a||c· o·¿a·|sat|o· |· ¬a¸ oc øoss|o|c to 'avc o·|¸ o·c øc·so·
·csøo·s|o|c |o· a|| co¬¬u·|cat|o·s, .'c·cas |· a |a·¿c· o·¿a·|sat|o· |t ¬a¸
·cco to oc sø||t |·to |ts co¬øo·c·t øa·ts.
Management
recovery plan
Service area recovery teams
People
recovery team
Facilities
recovery team
Telecommunications
recovery team
Information systems
recovery team
Communication
plan
Accommodation
plan
Telephone, Fax
ect plan
Mainframe
recovery plan
Human
resources plan
Equipment
plan
Network
recovery plan
PC recovery
plan
52
Guide to Effective Control
Guide to Effective Control
|t ¬a¸ a|so oc t'c casc t'at t'c c×ccut|vc .|s'cs to ta'c t'c ¬|·|stc·|a| a·o
¬co|a co¬¬u·|cat|o·/||a|so· ·o|c. |t |s |¬øo·ta·t to c·su·c a|| sc·v|cc a·cas
a·c su|||c|c·t|¸ covc·co to c·su·c t'at ·csøo·s|o|||t|cs a·o .o·'|oao a·c cvc·|¸
sø·cao.
Example: roles and responsibilities of key continuity players
Chief executive
· |·|c| ||·|stc· (a·o |oa·o) o· s|tuat|o·, c×øcctco |¬øact a·o ·ccovc·¸ t|¬c|·a¬c
· |·ov|oc |oca| øo|·t |o· t'c o·¿a·|sat|o· to c·su·c t'c ¬co|a a·o øuo||c ·ccc|vc t'c
co··cct, a·o ·o·-co·t·ao|cto·¸ |·|o·¬at|o·
· |·su·c sta|| a·o sta'c'o|oc·s a·c ¬aoc a.a·c o| t'c ø·oo|c¬s a·o t'c ·c¬co|a|
act|o· ta'c·
· |·su·c |ccovc·¸ Coo·o|·ato· a·o |ccovc·¸ !ca¬s 'avc t'c ·csou·ccs a·o suøøo·t
·cccssa·¸ to oo t'c|· ,oos
Recovery coordinator
· |cc|s|o· to act|vatc t'c |C|
· |ctc·¬|·c t'c ·ccovc·¸ st·atc¿¸ |o· t'c ¿|vc· s|tuat|o·
· Asscss t'c c×tc·t o| oa¬a¿c to ou||o|·¿, |ac|||t|cs a·o cou|ø¬c·t a·o ·cøo·t to t'c
C|O a·o/o· |oa·o, || ·cccssa·¸
· Co·tact t'c ·cccssa·¸ sta|| ·cou|·co |o· t'c o|sastc· (|· t'c ||·st |·sta·cc)
· Ass|st |· cstao||s'|·¿ o| t'c ·ccovc·¸ s|tc, || aøø||cao|c
· Coo·o|·atc ¬co|a act|v|t|cs
· ||·cct, coo·o|·atc a·o ¬o·|to· a|| ·ccovc·¸ oøc·at|o·s
· Co·vc·c ·ccovc·¸ status ¬cct|·¿s .|t' t'c C|O
· Sc'cou|c suoscouc·t ·ccovc·¸ status ¬cct|·¿s
· ||a|sc .|t' ·ca| cstatc a¿c·t, || aøø||cao|c
· Co·tact |·su·a·cc Asscsso·s to octc·¬|·c t'c|· ·cou|·c¬c·ts a·o coo·o|·atc t'c|·
o·-¿o|·¿ ||a|so· .|t' a|| ·ccovc·¸ tca¬s
· ||·|¬|sc |u·t'c· |osscs a·o sa|va¿c ·ccovc·ao|c ·csou·ccs
· |·ov|oc assu·a·cc a·o |·|o·¬at|o· uøoatcs to sta|| ·ot |·vo|vco |· t'c ·ccovc·¸
c||o·t
· |·cøa·c t'c ·ccovc·¸ s|tc
Sou·cc. |c|o|t tc !ouc'c !o'¬atsu |·otcc'/||S |ct'ooo|o¿¸, 1999
53
Business Continuity Management
Business Continuity Management
Example: roles and responsibilities of key continuity players (continued)
Human resource team
|o||o.|·¿ ·ot|||cat|o· |·o¬ |ccovc·¸ Coo·o|·ato· o| o|sastc· csca|at|o·.
· co·tact t'c sta|| ·cou|·co |o· t'c 'u¬a· ·csou·cc ·ccovc·¸ tca¬
· co·vc·c status ¬cct|·¿ .|t' tca¬ ¬c¬oc·s
· co·t|·ua||¸ asscss a·o aoo·css 'u¬a· ·csou·cc ·ccos, ||a|s|·¿ .|t' ot'c· sc·v|cc
a·cas, a·o
· ø·ov|oc ·c¿u|a· uøoatcs to t'c |ccovc·¸ Coo·o|·ato·.
Communication teams
|o||o.|·¿ ·ot|||cat|o· |·o¬ |ccovc·¸ Coo·o|·ato· o| o|sastc· csca|at|o·.
· |ac|||tatc co¬¬u·|cat|o· oct.cc· ·ccovc·¸ coo·o|·ato· a·o t'c tca¬s ocs|¿·atco
|ocus ¿·ouø
· co·vc·c status ¬cct|·¿ .|t' tca¬ ¬c¬oc·s
· ø·ov|oc ·c¿u|a· uøoatcs to |ccovc·¸ Coo·o|·ato·
· o·|c| ocs|¿·atco |ocus ¿·ouø o· t'c o|sastc·
· co·t|·ua||¸ 'ccø ocs|¿·atco |ocus ¿·ouø |·|o·¬co o| c'a·¿cs to .'at t'c¸ 'avc
occ· |·|o·¬co, a·o
· ·csøo·o to ouc·|cs |·o¬ ocs|¿·atco |ocus ¿·ouø.
Other service areas
|o||o.|·¿ ·ot|||cat|o· |·o¬ |ccovc·¸ Coo·o|·ato· o| o|sastc· csca|at|o·.
· co·tact t'c ·cccssa·¸ sta|| ·cou|·co to t'c|· øa·t|cu|a· sc·v|cc a·ca
· co·vc·c o|sastc· status ¬cct|·¿ .|t' tca¬ ¬c¬oc·s
· ass|st .|t' o|sastc· asscss¬c·t as ·cou|·co
· ø·ov|oc ·c¿u|a· uøoatcs to |ccovc·¸ Coo·o|·ato·
· co¬ø|ctc ·ccovc·¸ ø|a· |o· t'c|· sc·v|cc a·ca
· octc·¬|·c ·cou|·c¬c·ts a·o coo·o|·atc acou|s|t|o· o| cou|ø¬c·t, |u··|tu·c,
stat|o·c·¸ a·o co¬¬u·|cat|o·s ·csou·ccs ·cccssa·¸ |o· ·ccovc·¸, a·o
· ||a|sc .|t' ot'c· ·ccovc·¸ tca¬s.
54
Guide to Effective Control
Guide to Effective Control
The recovery teams
|u·|·¿ ·ccovc·¸, a søcc|a||sco o·¿a·|sat|o·a| st·uctu·c |s cstao||s'co .'|c'
va·|cs |·o¬ t'c o·¿a·|sat|o·'s st·uctu·c ou·|·¿ øc·|oos o| ·o·¬a| oøc·at|o·.
!'c ·o|cs |· t'c recover y organisation ·cco to c·su·c ·cøo·t|·¿ ||·cs a·o
·csøo·s|o|||t|cs a·c c|ca· .'c· t'c |C| |s act|vatco.
S¬a|| a·o ·o·-co¬ø|c× o·¿a·|sat|o·s .ou|o o·|¸ ·cco o·c ·ccovc·¸ tca¬.
|a·¿c· a·o co¬ø|c× o·¿a·|sat|o·s ¬a¸ ·cco to co·s|oc· a ·u¬oc· o| tca¬s
(co·st|tutco, |o· c×a¬ø|c, o· a |u·ct|o·a| o· ¿co¿·aø'|ca| oas|s) .'|c' .ou|o
oc coo·o|·atco o¸ a s¬a|| ¬a·a¿c¬c·t tca¬.
|c·so··c| ·cco to oc |oc·t|| |co |o· t'c tca¬s oc||·co |· t'c ·ccovc·¸ st·atc¿¸.
!'c tca¬ ¬c¬oc·s øa·t|c|øatc |· custo¬|s|·¿ t'c|· ·csøo·s|o|||t|cs a·o
ø·occou·cs a·o tcst|·¿ t'c|· ·ccovc·¸ ø|a·.
!'c ¬a'c-uø o| t'c tca¬ ¬a¸ oc oasco o· co·s|oc·at|o· o| a· |·o|v|oua|'s
øc·so·a| c'a·actc·|st|cs as ¬uc' as o| t'c|· øos|t|o· .|t'|· t'c o·¿a·|sat|o·.
|caoc·s a·o ¬c¬oc·s o| a ·ccovc·¸ tca¬ ·cco t'c |o||o.|·¿ øc·so·a|
at t·|outcs.
· a ¿ooo u·oc·sta·o|·¿ o| t'c o·¿a·|sat|o·,
· a· ao|||t¸ to .o·' .c|| |· tca¬s,
· ¿ooo øcoø|c a·o co¬¬u·|cat|o· s'|||s,
· ·csøcct .|t'|· t'c o·¿a·|sat|o·, a·o
· t'c ao|||t¸ to .o·' .c|| u·oc· st·css a·o oa|a·cc co¬øct|·¿ ø·|o·|t|cs.
|a·t o| cac' |C| ø·o,cct s'ou|o |·c|uoc a c|ca· u·oc·sta·o|·¿ o| t'c 'u¬a·
·csou·cc |¬øacts a·o t'c |ssucs to ta'c |·to accou·t |· ø|a··|·¿, |¬ø|c¬c·t|·¿
a·o tcst|·¿.
|a·a¿c¬c·t a·o c¬ø|o¸ccs ¬ust u·oc·sta·o, a·o oc caøao|c o| ca··¸|·¿ out,
.'at |s ·cou|·co o| t'c¬ |· a co·t|·¿c·c¸ s|tuat|o·. As .c||, oot' ¿·ouøs ¬ust
oc a.a·c o| t'c øoss|o|c o|s·uøt|vc co·scouc·ccs o| so¬c o| t'c|· act|o·s a·o
|·act|o·. !'|s ·cou|·cs c×ø||c|t co¬¬u·|cat|o· a·o coo·o|·at|o· t'·ou¿' ,oo
ocsc·|øt|o·s, a.a·c·css ø·o¿·a¬s, søcc|a| t·a|·|·¿ a·o tcst|·¿ o| ø|a·s.
|coø|c ·cco to oc t'c ¬a,o· |ocus o| a· outa¿c. |ou|ø¬c·t, |·|·ast·uctu·c
a·o |ac|||t|cs ¬a¸ a|| oc oøc·at|o·a| out || øcoø|c ca··ot ·cac' t'c|· .o·'
ø|acc, o· øc·|o·¬ t'c|· ,oos, 'c¸ ous|·css ø·occsscs .||| ccasc.
|coø|c ca· oc a ¬a,o· |ssuc |· succcss|u||¸ act|vat|·¿ t'c co·t|·¿c·c¸ ø|a·. |o·
c×a¬ø|c, || t'c |C| ca||s |o· sta|| to ø|c' uø a·o ¬ovc to a·ot'c· |ocat|o·,
¸ou ¬a¸ ||·o t'at s|·¿|c øa·c·ts a·o t'osc |·caøac|tatco ocøc·oc·ts, øa·t-t|¬c
stuoc·ts, øcoø|c .|t' scco·o ,oos, ¬c¬oc·s o| vo|u·tcc· o· øa|o øuo||c
o·¿a·|sat|o·s, suc' as ||·c o· c¬c·¿c·c¸ sc·v|ccs, ¬a¸ ·ot oc ava||ao|c.
55
Business Continuity Management
Business Continuity Management
Service area recovery plans
A· out||·c o| t'c ·ccovc·¸ ø|a· s'ou|o oc ocvc|oøco |o· cac' sc·v|cc a·ca
|oc·t|| |co |· t'c ·ccovc·¸ st·atc¿¸. !'c ø|a· s'ou|o co·s|oc· t'c øcoø|c |· t'c
·ccovc·¸ tca¬s a·o oc¿|· ass|¿·|·¿ |·o|v|oua| ·csøo·s|o|||t¸ |o· cac' act|o· (|c.
oct.cc· tca¬ |caoc·s, tca¬ ¬c¬oc·s a·o ot'c· tca¬s) as .c|| as t|¬|·¿ a·o
c×øcctco outco¬cs |o· cac' act|o·.
A|| t'c stcøs ·cou|·co |o· ·ccovc·¸ o| a ous|·css ø·occss ¬ust oc oocu¬c·tco
|· o·oc· o| ø·|o·|t¸. !'c o·oc· o| t'csc stcøs s'ou|o ·c||cct t'c ø·|o·|t¸
·a·'|·¿ |o· ·ccovc·¸ a·o ta'c |·to co·s|oc·at|o· a·¸ |·tc·ocøc·oc·c|cs
oct.cc· stcøs.
!'c ·ccovc·¸ stcøs a|so ·cco to co·s|oc· |ssucs ·c||cct|·¿ |·tc·act|o· .|t'
ot'c· sc·v|cc a·cas a·o ·ccovc·¸ tca¬s.
Example: service area recovery plans
|| t'c | |·a·cc a·ca ·ccovc·¸ tca¬ ·c||cs o· ·ccovc·¸ o| t'c |·|o·¬at|o· s¸stc¬s, a·o
·ccovc·¸ o| t'c |·|o·¬at|o· s¸stc¬s |s t'c ·csøo·s|o|||t¸ o| a·ot'c· tca¬sa¸, t'c
|·|o·¬at|o· s¸stc¬s ·ccovc·¸ tca¬t'c stcøs |o· ·ccovc·¸ o| t'c |·|o·¬at|o· s¸stc¬s
a·c ·ot øa·t o| t'c ||·a·cc a·ca ·ccovc·¸ tca¬'s ·ccovc·¸ ø|a·.
!'c stcøs to ·ccovc· t'c |·|o·¬at|o· s¸stc¬s a·c |·c|uoco |· t'c |·|o·¬at|o· s¸stc¬s
·ccovc·¸ tca¬'s ·ccovc·¸ ø|a·. !'c | |·a·cc a·ca ·ccovc·¸ tca¬'s ø|a· .ou|o ¬c·c|¸
¬a'c ·c|c·c·cc to t'c |act t'at t'c |·|o·¬at|o· s¸stc¬s ¬ust oc ·ccovc·co a·o t'at |s
t'c ·csøo·s|o|||t¸ o| t'c |·|o·¬at|o· s¸stc¬s ·ccovc·¸ tca¬.
|otc. t'c øc·so· .|t' ·csøo·s|o|||t¸ |o· co¬ø|ct|o· o| a stcø |· t'c ·ccovc·¸ ø|a· oocs ·ot ·cccssa·||¸ 'avc to oc
t'c øc·so· .'o u·oc·ta'cs t'at stcø. \'||c t'c ·ccovc·¸ tca¬ |caoc· |s ·csøo·s|o|c |o· c·su·|·¿ a tas' |s
co¬ø|ctco, t'c¸ ¬a¸ ass|¿· t'c stcø to t'c ·ccovc·¸ tca¬ ¬c¬oc·s.
A usc|u| |o·¬at |o· out||·|·¿ sc·v|cc a·ca ·ccovc·¸ stcøs |s.
No. Action Responsibility Timing
1. <Action Title> <Team Member <Due Date>
name>
<Short description of <Resource
action including estimate>
references>
2.
3.
56
Guide to Effective Control
Guide to Effective Control
As ·otco ø·cv|ous|¸, t'c act|o· stcøs s'ou|o oc co·s|oc·co |· t'·cc øa·ts.
|t |s usua| to o·ca' cac' sc·v|cc a·ca's ·ccovc·¸ ø|a· |·to t'csc stcøs as a
¬ca·s o| coo·o|·at|·¿ a|| ø|a·s.
|otc. at t'c c·o o| cac' stcø |· a· actua| ·ccovc·¸ s|tuat|o· |t |s cssc·t|a| t'c |ccovc·¸ Coo·o|·ato· oc
o·|c|co o· t'c ø·o¿·css o| t'c ·ccovc·¸ c||o·t. !'c ·c×t stcø s'ou|o ·ot co¬¬c·cc u·t|| t'c ø·cv|ous
stcø 'as occ· co¬ø|ctco.
|· cstao||s'|·¿ t'c ·ccovc·¸ stcøs |o· cac' sc·v|cc a·ca |t |s |¬øo·ta·t t'at
co¬¬u·|cat|o·s, |·c|uo|·¿ |·|o·¬at|o· ||o.s, a·c |u||¸ c||cct|vc. !'c |o||o.|·¿
c'cc'||st out||·cs so¬c 'c¸ øo|·ts to co·s|oc·.
Checklist: adequacy of communication and information flows Current plan
• |s t'c |ccovc·¸ Coo·o|·ato· 'cøt aocouatc|¸ |·|o·¬co t'·ou¿'out t'c
·ccovc·¸ ø·occss. `cs t |o t
• A·c t'c tca¬ ¬c¬oc·s 'cøt aocouatc|¸ |·|o·¬co o| t'c
·ccovc·¸ ø·occss. `cs t |o t
• A·c ot'c· |·tc··c|atco tca¬s 'cøt ø·oøc·|¸ |·|o·¬co o| t'c
·ccovc·¸ ø·occss. `cs t |o t
• A·c aøø·oø·|atc c×tc··a| øa·t|cs/sta'c'o|oc·s 'cøt |·|o·¬co
(c×c|uo|·¿ t'osc 'cøt |·|o·¬co as øa·t o| t'c ¬a·a¿c¬c·t ø|a·)
o| t'c ·ccovc·¸ ø·occss. `cs t |o t
• A·c c×tc··a| a·o |·tc··a| øa·t|cs t'at a·c øa·t o| t'c ø·occss |·|o·¬co
uø-|·o·t t'at t'c|· ass|sta·cc ¬a¸ oc ca||co uøo·. `cs t |o t
• A·c 'u¬a· ·csou·cc ·ccos ø·oøc·|¸ aoo·cssco. `cs t |o t
• |s øa·t o| t'c ·ccovc·¸ ø·occss t'c ·c-|¬ø|c¬c·tat|o· o| co·t·o|s
(ø'¸s|ca|, |o¿|ca| a·o c·v|·o·¬c·ta|). `cs t |o t
|| t'c a·s.c· to a·¸ o| t'c aoovc oucst|o·s |s '|o', t'c ·ccovc·¸ ø|a·(s) s'ou|o oc ·cv|c.co a·o a¬c·oco to c·su·c t'c·c .||| oc
aocouatc co¬¬u·|cat|o· |o||o.|·¿ a· outa¿c a·o ou·|·¿ ·ccovc·¸ o| oøc·at|o·s.
Figure 11—Action steps in recovery plan
Sou·cc. |c|o|t tc !ouc'c !o'¬atsu |·otcc'/||S |ct'ooo|o¿¸, 1999
57
Business Continuity Management
Business Continuity Management
|o||o.|·¿ co¬ø|ct|o·, |t o|tc· occo¬cs aøøa·c·t t'at ¬a·¸ o| t'c ·ccovc·¸
ø|a·s 'avc so¬c ·ccovc·¸ stcøs |· co¬¬o·. !'csc stcøs s'ou|o oc
|·tc¿·atco a·o ass|¿·co to o·c ·ccovc·¸ tca¬ (usua||¸ t'at tca¬ .'|c' ·ccos
to co¬ø|ctc t'at ·ccovc·¸ stcø ||·st). !'c ot'c· ·ccovc·¸ tca¬s s'ou|o st|||
|·c|uoc t'c ·ccovc·¸ stcøs |· t'c|· ø|a·, ·ot|·¿ t'at t'c ·csøo·s|o|||t¸ |o·
co¬ø|ct|·¿ t'c stcø 'as occ· ass|¿·co to a·ot'c· ·ccovc·¸ tca¬.
The management recovery plan
!'c ¬a·a¿c¬c·t ·ccovc·¸ ø|a· co¬o|·cs |·o|v|oua| sc·v|cc a·ca ·ccovc·¸
ø|a·s |·to o·c coo·o|·atco c||o·t. !'c ·ccovc·¸ stcøs co¬¬o· to sc·v|cc
a·cas s'ou|o oc co¬o|·co |·to t'|s ø|a· (|c. |·|o·¬ sta|| o| outa¿c).
As .c|| as co¬o|·|·¿ t'c |·o|v|oua| sc·v|cc a·ca ø|a·s, t'c ¬a·a¿c¬c·t
·ccovc·¸ ø|a· co·ta|·s t'c c·|tc·|a |o· act|vat|·¿ t'c ø|a·. |c·cc, t'c
¬a·a¿c¬c·t ·ccovc·¸ ø|a· 'as a· aoo|t|o·a| ø'ascdisaster escalation.
As s'o.· |· ||¿u·c 12, disaster declaration ø·cccocs t'c ·csøo·sc
to a· outa¿c.
!'c ¬a·a¿c¬c·t ·ccovc·¸ ø|a· s'ou|o a|so aoo·css t'c |ssucs to .'|c' t'c
o·¿a·|sat|o·, as a .'o|c, ¬ust ·csøo·o |o||o.|·¿ t'c disaster declaration.
|cc|a·at|o· o| a o|sastc· |s a ¿c·c·|c occ|s|o·, oasco o· o·¿a·|sat|o·-søcc|||c
|·|o·¬at|o·t'c occ|s|o· ø·occss |s s'o.· |· ||¿u·c 13.
Figure 13—Decision process for declaration of a disaster
|o·|to·
ø·o¿·css
||sastc·
occ|a·at|o·
w
w
w
w
|s
·csto·at|o·
t|¬c|·a¬c ¿·catc·
t'a· ¬a×|¬u¬
acccøtao|c
outa¿c.
|ctc·¬|·c 'o. |o·¿
oc|o·c oøc·at|o·s
a·c c×øcctco to
oc ·csto·co
Yes
No
Figure 12—Disaster escalation
w
|vc·t caus|·¿ outa¿c
o| 'c¸ ous|·css
ø·occss
58
Guide to Effective Control
Guide to Effective Control
Discussion: what constitutes a disaster?
As ·otco |· |a·t O·c o| t'|s Cu|oc a· outa¿c |s ·ot ,ust a· cvc·t t'at ·couccs t'c c||cct|vc·css o|
s¸stc¬s, out a· cvc·t t'at |s c×t·ao·o|·a·¸, causcs a |oss o| 'c¸ ous|·css ø·occsscs a·o 'as a '|¿'
|¬øact o· t'c o·¿a·|sat|o·. A disaster is an outage that exceeds the MAO.
A· c×a¬ø|c o| .'at |s |O! a o|sastc· .ou|o oc t'c casc o| a |a·¿c |c¿a| act|o· |· ø·o¿·css o· a
·csu|ta·t occ|s|o·. \'||c t'c·c ¬a¸ oc a ·csou·cc, ||·a·c|a| a·o øuo||c |¬a¿c |¬øact (.'|c' ¬a¸
oc ·c¿a·oco as a o|sastc· to ¬a·a¿c¬c·t), |t |s a ous|·css |ssuc ·ot a co·t|·u|t¸ |ssuc ouc to t'c
|act t'at ous|·css ø·occsscs a·c ·ot a||cctco.
|t |s øoss|o|c |o· a ¬a·a¿c¬c·t |ssuc to tu·· |·to a co·t|·u|t¸ |ssuc, || t'c |ssuc oc¿|·s to a||cct
ous|·css ø·occsscs. Co·t|·u|·¿ t'c cou·t casc c×a¬ø|c, || t'c øa¸-out c·catco cas' ||o. ø·oo|c¬s,
t'|s ¬|¿'t |·tc··uøt ous|·css ø·occsscs a·o |cao to ous|·css co·t|·u|t¸ |ssucs.
|·o|v|oua| co¬øo·c·ts o| t'c ø|a· ca· oc c||cct|vc|¸ ut|||sco |· ·o·-o|sastc· cascs. |o· c×a¬ø|c,
t'c co¬¬u·|cat|o·s ø|a· ¬|¿'t oc c||cct|vc |· co¬¬u·|cat|·¿ a· cvc·t to sta|| o· t'c øuo||c, as
¬a¸ t'c |·|o·¬at|o· tcc'·o|o¿¸ ·ccovc·¸ ø|a· ¬a¸ oc c||cct|vc |· ·ccovc·|·¿ a co¬øutc· sc·vc·
t'at 'as |a||co.
!'c | |·st stcø |· t'c o|sastc· occ|a·at|o· ø·occss |s to octc·¬|·c 'o. |o·¿ |t |s
oc|o·c ·csto·at|o· o| t'c ous|·css |u·ct|o· ca· oc c×øcctco. Cu|oc||·cs to
cst|¬atc t'c ou·at|o· o| a· outa¿c ·cco to oc cstao||s'co.
!'c |o||o.|·¿ c'cc'||st ¬a¸ ass|st |· cstao||s'|·¿ ¿u|oc||·cs to cst|¬atc t'c
ou·at|o· o| a· outa¿c.
Checklist: guidelines for estimating duration of an outage Current plan
• A·c t'c øcoø|c |·vo|vco |· t'c o|sastc· asscss¬c·t ø·occss c|ca·|¸ |oc·t|||co. `cs t |o t
• A·c ·ot|| |cat|o· ø·occou·cs |o· t'osc |·vo|vco |· t'c o|sastc· asscss¬c·t
ø·occss c|ca·|¸ |oc·t|| |co. `cs t |o t
• A·c t|¬c|·a¬cs |o· t'c o|sastc· asscss¬c·t c|ca·|¸ |oc·t|||co. `cs t |o t
• A·c sa|ct¸ ø·occou·cs |o· o|sastc· asscss¬c·t |oc·t|||co |· ||·c .|t'
Occuøat|o·a| |ca|t' a·o Sa|ct¸ Sta·oa·os. `cs t |o t
• |o outs|oc øa·t|cs ·cco to oc øa·t o| t'c o|sastc· asscss¬c·t. `cs t |o t
• || ¸cs, a·c t'c¸ a|| |oc·t|||co. `cs t |o t
• A·c a|| ·c|cva·t |·su·a·cc co¬øa·|cs aøø·oø·|atc|¸ |·|o·¬co o| t'c |·c|oc·t
oc|o·c o|sastc· asscss¬c·t ta'cs ø|acc (so¬c |·su·a·cc |s vo|o || cc·ta|· o|sastc·
asscss¬c·ts a·c ca··|co out .|t'out t'c |·su·a·cc co¬øa·¸ ø·csc·t o· .|t'out
t'c|· '·o.|co¿c). `cs t |o t
Sou·cc. |c|o|t tc !ouc'c !o'¬atsu |·otcc'/||S |ct'ooo|o¿¸, 1999
59
Business Continuity Management
Business Continuity Management
Other details
!'c·c .||| oc a· a··a¸ o| ot'c· octa||s to oc |·c|uoco |· t'c |C|. |ac'
o·¿a·|sat|o· s'ou|o a·a|¸sc t'c|· ·ccos (|c. .'at |·|o·¬at|o· ca·'t .c oo
.|t'out.). !'c ¬|·|¬u¬ ·cco¬¬c·oco ·cou|·c¬c·ts a·c o|scussco oc|o..
Event log
!'c ¬a·a¿c¬c·t ·ccovc·¸ ø|a· s'ou|o a|so |o¿ t'c cvc·ts |o· |atc· oco·|c||·¿
a·o ·cv|c.. A· cvc·t |o¿ s'ou|o oc |·c|uoco .'|c' a||o.s t'c ·ccovc·¸
coo·o|·ato· to ·cco·o octa||s o| t'c cvc·t. !'|s ca· oc usco to o·|c| ot'c·
·ccovc·¸ tca¬s, c×ccut|vc ¬a·a¿c¬c·t a·o t'c ¬co|a so t'c·c |s a co·s|stc·t
ocsc·|øt|o· o| t'c cvc·t. |o· a· c×a¬ø|c cvc·t |o¿, scc Aøøc·o|× 8.
Contact lists
!'·ou¿'out t'c ·ccovc·¸ ø·occss |t .||| oc ·cccssa·¸ to co·tact a ·a·¿c o|
øcoø|c a·o o·¿a·|sat|o·s. Co¬ø·c'c·s|vc co·tact ||sts s'ou|o oc cstao||s'co
a·o ¬a|·ta|·co. Co·tact ||sts to oc cstao||s'co |·c|uoc.
· c¬c·¿c·c¸ co·tact ||sts,
· ·ccovc·¸ tca¬ co·tact ||sts,
· sta'c'o|oc· co·tact ||sts,
· ·ccovc·¸ øa·t|c|øa·t co·tact ||sts, a·o
· co¬ø|ctc sta|| ||sts .|t' a|tc· 'ou·s co·tact octa||s (|| too |a·¿c, octa||s o|
.'c·c to |ocatc a coø¸).
|t |s cssc·t|a| t'csc ||sts oc 'cøt uø to oatc. |o·¬a| oøc·at|·¿ ø·occou·cs
·cco to ass|¿· ·csøo·s|o|||t¸ |o· ¬a|·ta|·|·¿ ||sts |·c|uo|·¿ uøoat|·¿ t'c
·ccovc·¸ vc·s|o·s. Co·s|oc· ¬oo||¸|·¿ t'c c×|st|·¿ |·tc··a| o|·ccto·¸ to
acco¬¬ooatc t'c c×t·a octa||s ·cou|·co. !'|s .||| ass|st |· 'ccø|·¿ t'c octa||s
uø to oatc a·o s|¬ø|||¸ t'c ¬a|·tc·a·cc o| ||sts.
Inventory list
A· |·vc·to·¸ o| a|| ¬atc·|a|s ·ccoco |o· t'c |C| to oc c||cct|vc s'ou|o oc
|·c|uoco as øa·t o| t'c ø|a·, a·o t'c |tc¬s sto·co o||s|tc.
|| |·vc·to·¸ |tc¬s 'avc a ||¬|tco |||c, ·o·¬a| oøc·at|·¿ ø·occou·cs s'ou|o
|·c|uoc ·csøo·s|o|||t¸ |o· ·cv|c. o| sto·co |·vc·to·¸ a·o ·cø|acc¬c·t .|t'
|·cs' sto·cs. |· t'c casc o| co·su¬ao|cs, t'|s ¬a¸ occo¬c øa·t o| ·o·¬a|
sto·cs a·o o|st·|out|o· |· t'c o·¿a·|sat|o·.
Other references
A·¸ ot'c· octa||co ·c|c·c·ccs s'ou|o oc |·c|uoco. || t'|s |s ·ot aøø·oø·|atc o·
ø·act|ca|, t'c¸ s'ou|o oc |·c|uoco as øa·t o| t'c |·vc·to·¸ a·o sto·co o||s|tc.
|t ¬a¸ oc øoss|o|c to oota|· a·o sto·c ¬uc' o| t'|s ¬atc·|a| c|cct·o·|ca||¸ to
savc o· søacc a·o øoss|o|c oc¿·aoat|o·. |o.cvc·, ·ccovc·¸ a··a·¿c¬c·ts
·cco to |·c|uoc a··a·¿c¬c·ts to ·cø·|·t øaøc· vc·s|o·s .'c· ·ccoco.
60
Guide to Effective Control
Guide to Effective Control
Format and contents of the BCP
!'c |o·¬at a·o co·tc·t o| t'c |C| |s c×t·c¬c|¸ |¬øo·ta·t. |· a o|sastc·
s|tuat|o·, t'c ·caoc· s'ou|o oc ao|c to ø|c' uø t'c oocu¬c·t 'av|·¿ ·ot ·cao
|t (a|t'ou¿' |t |s ø·c|c·ao|c t'at t'c¸ 'avc), a·o oc ø·csc·tco .|t' act|o·-
o·|c·tatco øo|·ts t'c¸ ca· |o||o., .|t' ·c|c·c·ccs co·ta|·co |· t'c oac'.
!'c·c s'ou|o a|so oc su|| |c|c·t ·oo¬ |o· t'c øc·so· ca··¸|·¿ out t'c ·ccovc·¸
ø·occss to ø|acc co¬¬c·ts o· t|¬|·¿, o· |ssucs at cac' stcø. !'|s .||| a||o.
t'c ·ccovc·¸ ø·occss to oc c·|t|ca||¸ ·cv|c.co as .c|| as usco as a sou·cc |o·
oco·|c| |·¿ sta|| o· t'c |ssucs t'at a·osc.
!'c |C| oocs ·ot ·cco to co·ta|· co·tc×tua| |·|o·¬at|o· (c¿. oac'¿·ou·o,
c×ccut|vc su¬¬a·|cs, ctc) as t'|s .as øa·t o| t'c ocvc|oø¬c·t a·o aøø·ova|
ø·occss a·o s'ou|o oc sto·co o· o|| |c|a| |||cs. !'c ø|a· s'ou|o s|¬ø|¸ sta·t at
t'c øo|·t t'c ø|a· 'as occ· |·st|¿atco a·o ¿u|oc t'c ·caoc· t'·ou¿' cac' stcø
|· t'c ·csøo·sc a·o ·ccovc·¸ ø·occss.
!'c c×a¬ø|c oøøos|tc |||ust·atcs a su¿¿cstco st·uctu·c |o· t'c |C|.
Quality assurance
Çua||t¸ assu·a·cc ·cv|c.s o| t'c |C| ou·|·¿ |ts ø·cøa·at|o· a·o t'·ou¿'out
|ts |||c a·c ·cco¬¬c·oco to c·su·c |ts co·tc·t ·c¬a|·s ·c|cva·t. |t |s
·cco¬¬c·oco t'c |ccovc·¸ Coo·o|·ato· a·o ¬a·a¿c¬c·t co¬¬|t tcc
·csøo·s|o|c |o· t'c |C| c·su·c t'|s |s u·oc·ta'c·, |· co·,u·ct|o· .|t' ·out|·c
tcst|·¿.
Checkpoint
A series of checklists is
included at Appendix 6
to assist in the quality
assurance of the BCP
development
Upon completion of the plan it must be
reviewed and signed-off. A suggested list
for review and signoff might include:
• internal audit
• audit committee
• BCP steering committee
• senior executives, and
• CEO
61
Business Continuity Management
Business Continuity Management
Example: suggested structure for a business continuity plan
Part Information contained
1 Cover page t !|t|c
t Co·c|sc statc¬c·t o| oo,cct|vc o| co·t|·u|t¸ ø|a·
t O·¿a·|sat|o·a| s|¿·o||
2 Table of contents t Co·tc·ts o| oocu¬c·t
3 Event log t |vc·t |o¿ øa¿c to oc | |||co |· o¸ |ccovc·¸ Coo·o|·ato·
a| tc· a· outa¿c
4 Management recovery plan t ||sastc· csca|at|o· ø·occss
t !ca¬ assc¬o|¸ a··a·¿c¬c·ts
t |ccovc·¸ ø'asc stcøs
t |·tc·|¬ ø·occss|·¿ ø'asc stcøs
t |csto·at|o· ø'asc stcøs
5 Service area recovery plans t |ccovc·¸ ø'asc stcøs
t !ca¬ assc¬o|¸ a··a·¿c¬c·ts
t |·tc·|¬ ø·occss|·¿ ø'asc stcøs
t |csto·at|o· ø'asc stcøs
6 Referenced procedures t !c|cø'o·c ·c-o|·cct|o· ø·occou·cs
t Outsou·cco vc·oo· a¿·cc¬c·ts
7 Technical recovery items t Sc·vc· co·| |¿u·at|o·s
t Co¬¬u·|cat|o· co·| |¿u·at|o·s
t |·c-.·|t tc· ø·o¿·a¬s |o· |! ·ccovc·¸
8 Contact lists t |·tc··a| co·tact ||sts
t |¬c·¿c·c¸ sc·v|ccs co·tact ||sts
t |×tc··a|/sta'c'o|oc· co·tact ||sts
t Sta|| co·tact ||sts
9 Inventory t Suøø|¸ |·vc·to·¸
t Aoo|t|o·a| ·csou·ccs/ouo¿ct ·cou|·co
10 Limitations t ||¬|tat|o·s u·oc· .'|c' t'c ø|a· .as ocvc|oøco
(·c|c· Aøøc·o|× ´ |o· a· c×a¬ø|c sct o| ||¬|tat|o·s)
11 Testing and maintenance t Sc'cou|c o| tcst|·¿ to oc øc·|o·¬co
t |cv|c./uøoatc t|¬ctao|cs a·o ocao||·cs (·c|c· to stcø 6
|o· |·|o·¬at|o· o· tcst|·¿ a·o ¬a|·tc·a·cc)
62
Guide to Effective Control
Guide to Effective Control
Step six: test and maintain the plan
|cv|c. o| t'c |C| |s cssc·t|a| to c·su·c |t ·c||ccts t'c o·¿a·|sat|o·'s
oo,cct|vcs, |ts 'c¸ ous|·css |u·ct|o·s, t'c co··csøo·o|·¿ ø·occsscs a·o
·csou·ccs a·o a· a¿·cco ø·|o·|t¸ |o· ·ccovc·¸. !cst|·¿ a·o ¬a|·tc·a·cc o| t'c
·ccovc·¸ ø·occss oocu¬c·tco |· t'c |C| .||| ø·ov|oc ¬a·a¿c¬c·t assu·a·cc
t'at t'c ø|a· |s c||cct|vct'at |s, |t .||| c·su·c co·t|·u|t¸ o| ous|·css s'ou|o
'c¸ |u·ct|o·s oc |ost.
Test the plan
|o ¬at tc· 'o. .c|| ocs|¿·co a·o t'ou¿'t-out t'c |C| ¬a¸ scc¬, ·ca||st|c
a·o ·ooust tcst|·¿ .||| ·cvca| a·cas ·cou|·|·¿ at tc·t|o·. || tcst ·csu|ts a·c
||a.|css, ¸ou s'ou|o c×a¬|·c t'c aocouac¸ a·o ·ca||s¬ o| ¸ou· tcsts.
!'c ¬a,o· co¬øo·c·ts o| t'c |C| s'ou|o oc tcstco a··ua||¸ a·o uøoatco
oasco o· t'c ·csu|ts o| cac' tcst. |t |s |¬øo·ta·t cac' co¬øo·c·t oc
|·o|v|oua||¸ tcstco. !cst|·¿ ca· oc o|s·uøt|vc|t ·cou|·cs co¬¬|t¬c·t |·o¬
¬a·a¿c¬c·t to c·su·c su|| |c|c·t ·csou·ccs a·c ava||ao|c.
|t |s ·ot ·cco¬¬c·oco t'c |C| oc tcstco as a .'o|c as t'|s .ou|o oc
·csou·cc |·tc·s|vc a·o ¬a¸ a||cct ·o·¬a| oøc·at|o·s. |t 'as occ· t'c casc
t'at tcst|·¿ t'c .'o|c |C| at o·cc, 'as |tsc|| c·catco a· outa¿c a·o ¬a,o·
o|s·uøt|o· to ous|·css.
!'c sc·v|cc a·ca ·ccovc·¸ a·o ¬a·a¿c¬c·t ·ccovc·¸ øa·ts o| t'c |C| s'ou|o
oc tcstco to¿ct'c·. A· aøø·oac' ¬a¸ oc to sct t'c scc·c at t'c ||·st 'ou·,
t'c | |·st oa¸, to t'c øo|·t o| acccss to a tc¬øo·a·¸ s|tc. |ac' ·ccovc·¸ tca¬
c×ø|a|·s t'c ø·occss t'c¸ .ou|o ¿o t'·ou¿' |· ·ccovc·|·¿ t'c|· oøc·at|o·s.
!'c ot'c· tca¬s c'a||c·¿c t'c aøø·oac' a·o øo|·t out a·¸ .ca'·csscs
octcctco |· t'c ø|a·. |o· c×a¬ø|c, as'|·¿.
· '\'c·c .ou|o ¸ou oota|· t'at |·|o·¬at|o·.', o·
· '|s·'t t'at ø·occss ocøc·oc·t o· t'c co¬ø|ct|o· o| a·ot'c· act|v|t¸.'
!'c·c a·c scvc·a| aøø·oac'cs t'at ¬a¸ oc aooøtco to tcst t'c ø|a·.
Paperc·su·cs t'c·c |s aocouatc caøac|t¸ a·o ava||ao|||t¸ o| ·csou·ccs .'c·
t'c |C| |s act|vatco.
!'c tcst ·cou|·cs ca|cu|at|·¿ ·cou|·c¬c·ts suc' as ||oo· søacc, a|· co·o|t|o·|·¿
a·o øo.c· ·cou|·c¬c·ts |o· t'c cou|ø¬c·t to oc usco .'c· t'c |C| |s
act|vatco.
Manual verificationc·su·cs t'c ·cou|·co ·ccovc·¸ ¬atc·|a| |s ava||ao|c as
statco |· t'c |C|.
!'|s tcst ·cou|·cs c'cc'|·¿ a|| ·cou|·co oata, suøø||cs a·o/o· ot'c· 'a·ocoø¸
oocu¬c·ts (as oocu¬c·tco |· t'c |C|) a·c actua||¸ oac'co uø a·o co··cct|¸
sto·co o||-s|tc.
• Establish recovery teams
• Document service area
recovery steps
• Obtain contact and
inventory lists
• Document recovery
management process
Busines
Continuity
Plan
v v v v v
v v v v v
Test
Plan
Regular testing is necessary to
maximize the chances of a
successful plan in the event of a
disaster and should familiarize
the [Information System]
organization with an unexpected
interruption of critical
applications — A business
continuity plan is only as useful
as effective testing proves it to
be.
Business Continuity Planning:
Maintaining Good Testing
Practices, InSide GartnerGroup
This Week (IGG), January 22,
1997, C. Gooding.
© GartnerGroup, 1999
63
Business Continuity Management
Business Continuity Management
Supply validationva||oatcs a|| suøø||cs ·cou|·co .||| oc ava||ao|c |· t'c cvc·t
o| a o|sastc·.
!'c tcst co¬øa·cs t'c ||st o| |o·¬s a·o suøø||cs usco ou·|·¿ a tcst to t'c
|tc¬s oocu¬c·tco |· t'c |C| to c·su·c t'c ||st |s co¬ø|ctc a·o t'at a·
aocouatc suøø|¸ .||| oc ava||ao|c.
Supplies, equipment and services availability testc·su·cs |·|o·¬at|o·
a·o ||sts o| t'c |o·¬s, suøø||cs, cou|ø¬c·t, |·vc·to·|cs a·o assoc|atco vc·oo·
co·tact octa||s a·c accu·atc.
!o co·ouct t'|s tcst, o·c o· ¬o·c tca¬s .|t' c·|t|ca| suøøo·t vc·oo·s .ou|o
co·tact cac' vc·oo· o· t'c|· ||st to c·su·c t'at a|| |·|o·¬at|o· |s accu·atc
|·c|uo|·¿ ø'o·c ·u¬oc·, aoo·css a·o 'c¸ vc·oo· co·t·acts. !'c¸ .ou|o
vc·||¸ .'ct'c· t'c ||stco suøø||cs, cou|ø¬c·t o· sc·v|ccs a·c ava||ao|c |o·
oc||vc·¸ o· .'at t'c cu··c·t |cao t|¬c |s. !'|s |cao t|¬c s'ou|o oc co¬øa·co
to t'c c×øcctco |cao t|¬c |· t'c |C|.
Structured walk-throughc·su·cs t'c |C| ø·occou·cs a·c aocouatc.
!'c tcst ·cou|·cs t'c |ccovc·¸ Coo·o|·ato· to ocvc|oø a o|sastc· scc·a·|o
a·o |cao t'c sc·v|cc tca¬s t'·ou¿' a ¬oc' ·ccovc·¸.
!'c tcst |s co·ouctco as |o||o.s.
· a|| tca¬ |caoc·s ¬cct |· a ·oo¬ to oc ¿|vc· t'c scc·a·|o,
· t'c¸ cac' .o·' t'·ou¿' t'c|· ·ccovc·¸ tca¬ ø|a·s øa¸|·¿ øa·t|cu|a·
at tc·t|o· to t'c |·tc·act|o· .|t' ot'c· tca¬s, a·o
· |ssucs |oc·t|||co s'ou|o oc |¬¬co|atc|¸ ·otco o¸ t'c |ccovc·¸
Coo·o|·ato·.
Unannounced recovery team assemblyc·su·cs t'c ||sts |o· ¬oo|||s|·¿
·ccovc·¸ tca¬s a·c uø to oatc a·o t'c tca¬s ca· oc ¬oo|||sco |· t'c ·cou|·co
t|¬c.
!'c tcst |s co·ouctco as |o||o.s.
· !'c |ccovc·¸ Coo·o|·ato· co·tacts ·u¬oc· o| tca¬ ¬c¬oc·s o· t'c
·ot|| |cat|o· co·t·act ||st.
· !'c tcsts s'ou|o oc co·ouctco, o· a ·otat|·¿ oas|s, at t'c |o||o.|·¿ t|¬cs.
- ou·|·¿ ·o·¬a| .o·' 'ou·s,
- ou·|·¿ |u·c' t|¬c,
- a| tc· ·o·¬a| .o·' 'ou·s o· a .cc'oa¸, a·o
- ou·|·¿ t'c .cc'c·o.
· !'c |ccovc·¸ Coo·o|·ato· ·otcs t'c t|¬c t'c ca|||·¿ ø·occss sta·ts a·o
t'c t|¬c at .'|c' cac' tca¬ ¬c¬oc· .as co·tactco.
· !ca¬ ¬c¬oc·s oo ·ot actua||¸ ·cco to assc¬o|c.
· !'c |ccovc·¸ Coo·o|·ato· .||| ·cøo·t o· t'c tcst ·csu|ts.
64
Guide to Effective Control
Guide to Effective Control
Maintain the plan
|·o|v|oua| ·ccovc·¸ tca¬ ø|a·s ¬ust oc continually ¬a|·ta|·co to ø·ov|oc
suøøo·t |o· ous|·css co·t|·u|t¸. Ao¬|·|st·at|vc ø·occou·cs a·o ¿u|oc||·cs
s'ou|o oc ocvc|oøco to ø·ov|oc |o· øc·|oo|c tcst|·¿ a·o oocu¬c·tat|o·
¬a|·tc·a·cc o| t'c sc·v|cc a·ca ·ccovc· ø|a·(s) a·o o·¿o|·¿ t·a|·|·¿.
|csøo·s|o|||t|cs |o· va·|ous asøccts o| |C| ¬a|·tc·a·cc a·c a|so cstao||s'co.
O·¿o|·¿ ·csøo·s|o|||t|cs s'ou|o oc oc| |·co to c·su·c aøø·oø·|atc |C|
¬a|·tc·a·cc. !'c |o||o.|·¿ ¿·ouøs 'avc søcc|||c |C| ¬a|·tc·a·cc
·csøo·s|o|||t|cs.
Role Responsibilities
Recovery Coordinator At ·c¿u|a· |·tc·va|s (c¿ at |cast s|× ¬o·t'|¸).
¬a·a¿cs t'c |C|, · |a|·ta|· a|tc··atc ø·occss|·¿ s|tc co·t·acts/a¿·cc¬c·ts
coo·o|·atcs t'c ·ccovc·¸ · Coo·o|·atc ·c¿u|a· ·cv|c. o| t'c |C| oocu¬c·tat|o·, a··ua||¸
tca¬s a·o ||a|scs .|t' t'c at a ¬|·|¬u¬
C|O a·o |×ccut|vc · Coo·o|·atc ·cv|c. a·o aøø·ova| o| c'a·¿cs to t'c |C|
· Coo·o|·atc |C| t·a|·|·¿
· |c·|o·¬ ao¬|·|st·at|vc asøccts o| uøoatcs to t'c |C|
(|c. ·cø·oouct|o· a·o ·co|st·|out|o·)
· |a|·ta|· t'c |C| o|st·|out|o· ||sts
· Sc'cou|c a·o coo·o|·atc t'c |C| tcsts
Recovery teams At ·c¿u|a· |·tc·va|s (c¿ at |cast a··ua||¸).
·csøo·s|o|c |o· u·oc·ta'|·¿ · |a|·ta|· ·csøcct|vc sc·v|cc a·ca tca¬ ø·occou·cs
stcøs oocu¬c·tco |· t'c · |a|·ta|· t'c ·c|c·c·cc |·|o·¬at|o· t'at |s øa·t o| t'c sc·v|cc
|C| to ·ccovc· |oc·t|| |co a·cas' |C| ø·occou·cs
s¸stc¬s · |a·t|c|øatc |· |C| tcst|·¿
End Users |·o usc·s s'ou|o.
·cco to c·su·c t'c¸ a·c · c·su·c |·|o·¬at|o· ·cccssa·¸ to co·t|·uc c·|t|ca|
a.a·c o| t'c co·tc·ts o| |u·ct|o·s, |o· .'|c' t'c¸ a·c ·csøo·s|o|c, |s sto·co o||s|tc as
|C| a·o 'o. |t a||ccts t'c¬ øa·t o| t'c |C|
· øa·t|c|øatc |· co·t|·¿c·c¸ ø|a· t·a|·|·¿
· øa·t|c|øatc |· co·t|·¿c·c¸ ø|a· tcst|·¿
A |C| |s cas||¸ ¬a|·ta|·co || c'a·¿cs |· t'c ous|·css a·o/o· oata ø·occss|·¿
c·v|·o·¬c·t |·|t|atc ·cv|c.s a·o uøoatc t'c |C|.
\'c· a·¸ co¬øo·c·t o| t'c |C| |s a||cctco, t'c |o||o.|·¿ stcøs s'ou|o oc
ta'c·.
· t'c |ccovc·¸ Coo·o|·ato· s'ou|o oc ·ot|| |co o| t'c c'a·¿c,
· t'c c||cct o| t'c c'a·¿c s'ou|o oc cva|uatco us|·¿ a ||A |ocuss|·¿ o· t'c
·c. co¬øo·c·t(s) a·o a·¸ ·c. |·tc··c|at|o·s'|øs .'|c' occu·,
· t'c |C| s'ou|o oc ¬oo|||co o¸ t'c aøø·oø·|atc sc·v|cc a·ca to ·c||cct t'c
c'a·¿c, a·o
· t'c |ccovc·¸ Coo·o|·ato· s'ou|o octc·¬|·c tcst|·¿ ·cou|·c¬c·ts a·o
sc'cou|c a tcst, || ·cccssa·¸.
Sou·cc. |c|o|t tc !ouc'c !o'¬atsu |·otcc'/||S |ct'ooo|o¿¸, 1999
65
Business Continuity Management
Business Continuity Management
Appendices
Appendices
1. Alternate processing service
contract considerations 66
2. Roles, responsibilities and a checklist for the
Board and audit committee 68
3. Roles, responsibilities and a checklist for the
Chief Executive Officer 69
4. Role and responsibilities of the Recovery
Coordinator 71
5. Roles and responsibilities of the service area
recovery teams 72
6. Checklists for quality assurance of BCP
development 73
7. Limitations of BCPs 82
8. Event log 84
9. Checklists for review of off-site backup
procedures 85
66
Guide to Effective Control
Guide to Effective Control
Task Completed
General Issues
!'c ocsc·|øt|o· o| t'c a|tc··atc ø·occss|·¿ |ac|||t|cs s'ou|o |·o|catc aocouatc
ø'¸s|ca| sccu·|t¸ a·o aøø·oø·|atc c·v|·o·¬c·ta| co·t·o|s `cs t |o t
Ava||ao|||t¸ o| a|tc··atc vc·oo· s|tcs a·o t'c ·|¿'ts o| |·o|v|oua| suosc·|oc·s |·
t'c cvc·t o| ¬u|t|ø|c o|sastc· occ|a·at|o·s s'ou|o oc søcc|| |co `cs t |o t
A¬ou·t o| ·atu·c o| suøøo·t sc·v|ccs t'c vc·oo· .||| ø·ov|oc s'ou|o oc
oc||·co ·c|at|vc to.
· |¬ø|c¬c·tat|o· ass|sta·cc
· suøøo·t |o· tcst|·¿
· |o¿|st|ca| suøøo·t, a·o
· a| tc· 'ou·s suøøo·t `cs t |o t
!'c vc·oo· s'ou|o 'avc ||¬|ts ·c|at|vc to t'c tota| ·u¬oc· o| c||c·ts t'at ¬a¸
suosc·|oc to a·¸ ¿|vc· |ac|||t¸ `cs t |o t
!'c vc·oo· ca··ot ·c·c. (c×ccøt o¸ auto¬at|c ·c·c.a| c|ausc) o· ·c·c¿ot|atc
t'c co·t·act .'||c t'c suosc·|oc· |s c×øc·|c·c|·¿ a o|sastc· o· |· ·ccovc·¸ ø'asc `cs t |o t
!'c a¬ou·t a·o sc'cou||·¿ o| tcst t|¬c s'ou|o oc oc| |·co `cs t |o t
Suosc·|oc· s'ou|o 'avc t'c ·|¿'t to øc·|oo|ca||¸ auo|t t'c |·sta||at|o· to c·su·c
t'at t'c søcc|||co co·||¿u·at|o· |s ¬a|·ta|·co `cs t |o t
A· cscaøc c|ausc s'ou|o a||o. t'c suosc·|oc· to tc·¬|·atc t'c co·t·act .|t'out
øc·a|t¸ |o· a·¸ o| t'c |o||o.|·¿ ·caso·s.
· |a||u·c to ¬a|·ta|· tcc'·|ca| co¬øat|o|||t¸
· |a||u·c to ø·ov|oc a¿·cco suøøo·t sc·v|ccs
· |a||u·c to ¬a|·ta|· su|tao|c c·v|·o·¬c·ta| suøøo·t, a·o
· a·¸ o·cac' o| co·t·act `cs t |o t
!'c co·t·act s'ou|o ø·ov|oc a· a··ua| .|·oo. o| oøøo·tu·|t¸ to tc·¬|·atc
.|t'out øc·a|t¸ `cs t |o t
!'c ¬o·t'|¸ |ccs s'ou|o ·ot oc suo,cct to c'a·¿c .|t'out t'c .·|t tc· co·sc·t
o| t'c suosc·|oc· `cs t |o t
!'c co·t·act s'ou|o ·ot oc ass|¿·ao|c .|t'out .·|t tc· co·sc·t `cs t |o t
!'c vc·oo· s'ou|o oc suo,cct to aøø·oø·|atc co·s|oc· ·o·-o|sc|osu·c co·o|t|o·s `cs t |o t
Appendix 1
Alternate processing service contract considerations
Checklist: alternate processing service contract considerations
67
Business Continuity Management
Business Continuity Management
Checklist: alternate processing service contract considerations (continued)
Task Completed
IT Recovery Specific Issues
|c| |·|t|o· o| t'c oac'uø caøao|||t¸ o| t'c vc·oo· s|tc s'ou|o oc c|ca· a·o
co·s|stc·t t'·ou¿'out t'c co·t·act `cs t |o t
Occuøat|o· o| t'c 'ot s|tc |o· a ¬|·|¬u¬ o| s|× .cc's `cs t |o t
Co·o|t|o·s u·oc· .'|c' t'c suosc·|oc· ca· co·t|·uc to occuø¸ 'ot s|tc |ac|||t|cs
a| tc· t'c s|× .cc' øc·|oo s'ou|o oc oc| |·co `cs t |o t
!'c ·u¬oc· a·o ocsc·|øt|o·/t¸øc o| |oca||¸ at tac'co tc·¬|·a|s a·o/o· ot'c·
ocv|ccs ava||ao|c .'||c o·-s|tc s'ou|o oc oc||·co, t'|s |s øa·t|cu|a·|¸ |¬øo·ta·t
|o· oata c·t·¸ ·cou|·c¬c·ts `cs t |o t
Co·t|·u|·¿ tcc'·|ca| co¬øat|o|||t¸ s'ou|o oc assu·co t'·ou¿'out t'c |||c
o| t'c co·t·act `cs t |o t
!'c co·t·act s'ou|o søcc||¸ a ¿ua·a·tcc o| acccss to t'c 'ot s|tc (|·c|uo|·¿ a|tc·
'ou·s acccss) ou·|·¿ øc·|oo o| o|sastc· a·o ·ccovc·¸ `cs t |o t
!'c ·atu·c a·o c×tc·t o| |! suøøo·t sc·v|ccs to oc ø·ov|oco o¸ t'c vc·oo·
'as occ· oc| |·co ·c|at|vc to.
· ·ct.o·' o|a¿·ost|c caøao|||t|cs a·o |¬ø|c¬c·tat|o· ass|sta·cc
· suøøo·t |o· tcst|·¿ act|v|t|cs
· ass|sta·cc |· co·||¿u·|·¿ |ac|||t|cs (|c. cou|ø¬c·t acou|s|t|o·, t·a·søo·tat|o·,
sto·a¿c, ·c¬ova| a·o ·ctu··)
· acccss a·o usc o| vc·oo· so| t.a·c, oocu¬c·tat|o·, a·c|||a·¸ |ac|||t|cs
(|c. ø'otocoø¸|·¿, |ooo sc·v|ccs), a·o
· |o¿|st|ca| suøøo·t. `cs t |o t
Sou·cc. |c|o|ttc !ouc'c !o'¬atsu |·otcc'/||S |ct'ooo|o¿¸, 1999
68
Guide to Effective Control
Guide to Effective Control
Appendix 2
Roles, responsibilities and a checklist for the Board and audit committee
Task Completed
|s t'c scoøc o| t'c ous|·css co·t|·u|t¸ ø·occss aøø·oø·|atc ¿|vc· t'c
o·¿a·|sat|o·'s c|·cu¬sta·ccs a·o ·|s' ¬a·a¿c¬c·t st·atc¿¸. `cs t |o t
|s |C| ø·oøc·|¸ coo·o|·atco to ta'c |·to co·s|oc·at|o· ot'c· ·|s'
¬a·a¿c¬c·t |·|t|at|vcs. `cs t |o t
A·c s¸·c·¿|cs oct.cc· ot'c· ·|s' ¬a·a¿c¬c·t |·|t|at|vcs (|c. `2| ø·o,ccts)
a·o ous|·css co·t|·u|t¸ |u||¸ usco. `cs t |o t
A·c |·tc··a| a·o c×tc··a| auo|t ·cco¬¬c·oat|o·s ·c¿a·o|·¿ |C| ø·oøc·|¸
|o||o.co uø. `cs t |o t
A·c t'c ¬a×|¬u¬ acccøtao|c outa¿cs (|AO) octc·¬|·co as øa·t o| t'c
ous|·css |¬øact a·a|¸s|s |· ||·c .|t' t'c auo|t co¬¬|t tcc's u·oc·sta·o|·¿
o| t'c ous|·css. `cs t |o t
A·c t'c ·ccovc·¸ st·atc¿|cs ·cco¬¬c·oco aøø·oø·|atc ¿|vc· ot'c·
ous|·css |·|t|at|vcs. `cs t |o t
As øa·t o| t'c ·cv|c. o| t'c |·tc··a| auo|t st·atc¿|c a·o a··ua| .o·' ø|a·s |s
ous|·css co·t|·u|t¸ a·o ¬o·c søcc|||ca||¸, ous|·css co·t|·u|t¸ tcst|·¿ a·o
¬a|·tc·a·cc ø·oøc·|¸ aoo·cssco. `cs t |o t
A·c ous|·css co·t|·u|t¸ |·|t|at|vcs ø·oøc·|¸ co¬¬u·|catco to a|| |cvc|s o|
¬a·a¿c¬c·t a·o ac·oss t'c o·¿a·|sat|o· (t'|s |s a· |¬øo·ta·t øa·t o| a·¸
succcss|u| ous|·css co·t|·u|t¸ ø·o,cct). `cs t |o t
Roles and responsibilities
· |·su·c ¿ovc··a·cc |·a¬c.o·' suøøo·ts ous|·css co·t|·u|t¸
· |·su·c aøø·oac' to ·|s' ¬a·a¿c¬c·t suøøo·t st·atc¿|c ¿oa|s o| o·¿a·|sat|o·
Sou·cc. |c|o|t tc !ouc'c !o'¬atsu |·otcc'/||S |ct'ooo|o¿¸, 1999
69
Business Continuity Management
Business Continuity Management
Appendix 3
Roles, responsibilities and a checklist for the Chief Executive Officer
Roles and responsibilities
· |·|c| ||·|stc· a·o |×ccut|vc |oa·o o· ous|·css |·tc··uøt|o· cvc·t, c×øcctco |¬øact a·o ·ccovc·¸
t|¬c|·a¬c
· |·ov|oc a |oca| øo|·t |o· t'c o·¿a·|sat|o· to c·su·c t'c øuo||c a·o ¬co|a ·ccc|vc t'c co··cct, a·o
·o·-co·t·ao|cto·¸ |·|o·¬at|o·
· |·su·c sta|| a·o sta'c'o|oc·s a·c ¬aoc a.a·c o| t'c ø·oo|c¬s
· |·su·c |ccovc·¸ Coo·o|·ato· a·o |ccovc·¸ !ca¬s 'avc t'c ·csou·ccs a·o suøøo·t ·cccssa·¸ to oo
t'c|· ,oo
Task Completed
|avc ¬a·a¿c¬c·t a·o sta|| aooøtco a· at t|tuoc o| co·t|·u|t¸ ¬a·a¿c¬c·t
ø|a··|·¿ .'|c' c·su·cs t'at a øos|t|vc co·t·o| c·v|·o·¬c·t |s ¬a|·ta|·co. `cs t |o t
|ocs t'c o·¿a·|sat|o· ·c¿u|a·|¸ co¬¬u·|catc t'c o·¿a·|sat|o·'s v|s|o·, ¿oa|s a·o
oo,cct|vcs to sta|| ¬c¬oc·s. `cs t |o t
|ocs ¬a·a¿c¬c·t ta'c a oa|a·cco aøø·oac' to ·|s' ta'|·¿, ca·c|u||¸ a·a|¸s|·¿
a·o asscss|·¿ ·|s's a·o øotc·t|a| oc·c| |ts oc|o·c aut'o·|s|·¿ ·c. vc·tu·cs
o· s|¿·|| |ca·t c'a·¿cs. `cs t |o t
|ocs t'c |C| co¬ø|c¬c·t t'c o·¿a·|sat|o·'s co·øo·atc ¿ovc··a·cc a·o
·|s' ¬a·a¿c¬c·t |·a¬c.o·'. `cs t |o t
|s t'c o·¿a·|sat|o· ·csøo·s|o|c |o· ø·ov|o|·¿ a u·|ouc sc·v|cc to t'c øuo||c o·
t'c Covc··¬c·t. `cs t |o t
|| ¸cs, .'at .ou|o t'c |¬ø||cat|o·s oc || t'c sc·v|cc .c·c u·ava||ao|c |o· a·
c×tc·oco øc·|oo o| t|¬c. `cs t |o t
A·c |C| ø·act|ccs a·o ø·occou·cs |· ø|acc to c·su·c t|¬c|¸ occ|s|o· ¬a'|·¿
ou·|·¿ a o|sastc· a·o to |·st|| accou·tao|||t¸ |·to sta||. `cs t |o t
|ocs a ous|·css |¬øact a·a|¸s|s c×|st t'at |oc·t|||cs t'c ·ccovc·¸ t|¬c|·a¬cs
o| t'c c·|t|ca| ous|·css ø·occsscs. `cs t |o t
|ocs t'c o·¿a·|sat|o· 'avc a øc·so· |oc·t|| |co t'at |s ·csøo·s|o|c |o· |C|. `cs t |o t
|| so, 'as t'c øc·so· occ· ø·ov|oco .|t' aocouatc t·a|·|·¿ a·o ·csou·ccs to
øc·|o·¬ t'c ·o|c. `cs t |o t
|as t'c o·¿a·|sat|o·'s |C| occ· suo,cct to |·ocøc·oc·t ·cv|c.
(c¿. o¸ |·tc··a| auo|t). `cs t |o t
A·c t'c |C|s ||·'co to t'c c¬c·¿c·c¸ ¬a·a¿c¬c·t ø|a·s |o· t'c o·¿a·|sat|o·. `cs t |o t
70
Guide to Effective Control
Guide to Effective Control
Task (continued) Completed
|s t'c·c a ø·occss |· ø|acc |o· |C| ·cv|c.. `cs t |o t
|| t'c o·¿a·|sat|o· 'as a |C|, oocs |t ·c||cct t'c cu··c·t a·o |utu·c ·ccos o|
t'c o·¿a·|sat|o·. `cs t |o t
|avc t'c cu··c·t a·o |utu·c |C| ·ccos occ· |o·¬a||¸ cva|uatco as øa·t o| t'c
o·¿a·|sat|o·'s ovc·a|| co·øo·atc ¿ovc··a·cc a··a·¿c¬c·ts. `cs t |o t
|as t'c o·¿a·|sat|o· u·oc·¿o·c co·s|oc·ao|c o·¿a·|sat|o·a| c'a·¿c, o· c'a·¿cs
|· o·¿a·|sat|o·a| |ocus a·o o|·cct|o· o· c'a·¿cs to ous|·css ·csou·ccs
(øc·so··c|, |ac|||t|cs, |·|o·¬at|o· tcc'·o|o¿¸, a·o co¬¬u·|cat|o·). `cs t |o t
\'c· .c·c t'c co·t|·u|t¸ ø|a·s |ast tcstco. |atc. ¸¸/¸¸/¸¸
\'at .c·c t'c ·csu|ts o| t'c tcsts.
\c·c ·cco¬¬c·oat|o·s |o· c'a·¿c o· |¬ø·ovc¬c·t ta'c· uø a·o tcstco. `cs t |o t
Sou·cc. |c|o|ttc !ouc'c !o'¬atsu |·otcc'/||S |ct'ooo|o¿¸, 1999
71
Business Continuity Management
Business Continuity Management
Appendix 4
Role and responsibilities of the Recovery Coordinator
· |cc|s|o· to act|vatc t'c |C|
· |ctc·¬|·c t'c ·ccovc·¸ st·atc¿¸ |o· t'c ¿|vc· s|tuat|o·
· Asscss t'c c×tc·t o| oa¬a¿c to ou||o|·¿, |ac|||t|cs a·o cou|ø¬c·t a·o ·cøo·t to t'c C|O, |×ccut|vc
a·o/o· |oa·o, || ·cccssa·¸
· Co·tact t'c ·cccssa·¸ sta|| ·cou|·co |o· t'c o|sastc· (|· t'c ||·st |·sta·cc)
· Ass|st |· cstao||s'|·¿ o| t'c ·ccovc·¸ s|tc, || aøø||cao|c
· Coo·o|·atc ¬co|a act|v|t|cs
· ||·cct, coo·o|·atc a·o ¬o·|to· a|| ·ccovc·¸ oøc·at|o·s
· Co·vc·c ·ccovc·¸ status ¬cct|·¿s .|t' t'c |×ccut|vc
· Sc'cou|c suoscouc·t ·ccovc·¸ status ¬cct|·¿s
· ||a|sc .|t' ·ca| cstatc a¿c·t, || aøø||cao|c
· Co·tact |·su·a·cc Asscsso·s to octc·¬|·c t'c|· ·cou|·c¬c·ts a·o coo·o|·atc t'c|· o·-¿o|·¿ ||a|so·
.|t' a|| ·ccovc·¸ tca¬s
· ||·|¬|sc |u·t'c· |osscs a·o sa|va¿c ·ccovc·ao|c ·csou·ccs
· |·ov|oc assu·a·cc a·o |·|o·¬at|o· uøoatcs to sta|| ·ot |·vo|vco |· t'c ·ccovc·¸ c||o·t
· |·cøa·c t'c ·ccovc·¸ s|tc
· Sc'cou|c a·o co·ouct tcst o| t'c |C|
72
Guide to Effective Control
Guide to Effective Control
Appendix 5
Roles and responsibilities of the service area recovery teams
|o||o.|·¿ ·ot|||cat|o· |·o¬ |ccovc·¸ Coo·o|·ato· o| o|sastc· csca|at|o·.
· co·tact t'c sta|| ·cou|·co |o· t'c 'u¬a· ·csou·cc ·ccovc·¸ tca¬
· co·vc·c status ¬cct|·¿ .|t' tca¬ ¬c¬oc·s
· co·t|·ua||¸ asscss a·o aoo·css 'u¬a· ·csou·cc ·ccos, ||a|s|·¿ .|t' ot'c·
sc·v|cc a·cas, a·o
· ø·ov|oc ·c¿u|a· uøoatcs to t'c |ccovc·¸ Coo·o|·ato·.
Communications team |o||o.|·¿ ·ot|||cat|o· |·o¬ |ccovc·¸ Coo·o|·ato· o| o|sastc· csca|at|o·.
· |ac|||tatc co¬¬u·|cat|o· oct.cc· ·ccovc·¸ coo·o|·ato· a·o t'c tca¬s
ocs|¿·atco |ocus ¿·ouø
· co·vc·c status ¬cct|·¿ .|t' tca¬ ¬c¬oc·s
· ø·ov|oc ·c¿u|a· uøoatcs to |ccovc·¸ Coo·o|·ato·
· o·|c| ocs|¿·atco |ocus ¿·ouø o· t'c o|sastc·
· co·t|·ua||¸ 'ccø ocs|¿·atco |ocus ¿·ouø |·|o·¬co o| c'a·¿cs to .'at
t'c¸ 'avc occ· |·|o·¬co, a·o
· ·csøo·o to ouc·|cs |·o¬ ocs|¿·atco |ocus ¿·ouø.
Other service areas |o||o.|·¿ ·ot|||cat|o· |·o¬ |ccovc·¸ Coo·o|·ato· o| o|sastc· csca|at|o·.
· co·tact t'c ·cccssa·¸ sta|| ·cou|·co |o· t'c|· øa·t|cu|a· sc·v|cc a·ca
· co·vc·c o|sastc· status ¬cct|·¿ .|t' tca¬ ¬c¬oc·s
· ass|st .|t' o|sastc· asscss¬c·t as ·cou|·co
· ø·ov|oc ·c¿u|a· uøoatcs to |ccovc·¸ Coo·o|·ato·
· co¬ø|ctc ·ccovc·¸ ø|a· |o· t'c|· sc·v|cc a·ca
· octc·¬|·c ·cou|·c¬c·ts a·o coo·o|·atc acou|s|t|o· o| cou|ø¬c·t,
|u··|tu·c, stat|o·c·¸ a·o co¬¬u·|cat|o·s ·csou·ccs ·cccssa·¸ |o·
·ccovc·¸, a·o
· ||a|sc .|t' ot'c· ·ccovc·¸ tca¬s.
Human resource
management team
73
Business Continuity Management
Business Continuity Management
Appendix 6
Checklists for quality assurance of BCP development
The BCP plan proposal
!'c ous|·css co·t|·u|t¸ ø·o,cct ø|a· s'ou|o aocouatc|¸ ocsc·|oc t'c ø·o,cct, |ts
oo,cct|vc a·o scoøc, t'c ø·o,cct tca¬ a·o |ts ·csøo·s|o|||t|cs, a·o t'c
·csou·ccs ·cou|·co. !'c C'|c| |×ccut|vc o· ¬a·a¿c¬c·t co¬¬|t tcc
·csøo·s|o|c s'ou|o |o·¬a||¸ aøø·ovc t'c ø|a·. !'c c'cc'||st oc|o., ø·ov|ocs a
ou|c' ·c|c·c·cc øo|·t |o· c·su·|·¿ t'c ø|a· 'as su|| |c|c·t octa||. |· aoo|t|o·, a
su¿¿cstco |o·¬at |o· a ø·o,cct ø|a· |s ocsc·|oco at Stcø o·c o| t'c \o·'ooo'.
Checklist: developing the business continuity project plan
Task Completed
|ocu¬c·t t'c ø·o,cct's oo,cct|vcs `cs t |o t
|c||·c a·o oocu¬c·t t'c ø·o,cct's scoøc a·o a·¸ ||¬|tat|o·s `cs t |o t
|×ø|a|· a·¸ assu¬øt|o·s ¬aoc `cs t |o t
|cta|| ¬c¬oc·s o| ø·o,cct tca¬ `cs t |o t
Ass|¿· ·csøo·s|o|||t¸ |o· ø·o,cct tas's `cs t |o t
|·csc·t t'c ouo¿ct, |·c|uo|·¿ sta|| ·csou·ccs, ·cou|·co |o· t'c ø·o,cct `cs t |o t
Sct ø·o,cct t|¬c|·a¬cs a·o oc||vc·ao|cs |o· tas's `cs t |o t
||a· |s |o·¬a||¸ aøø·ovco o¸ aøø·oø·|atc ¬a·a¿c¬c·t co¬¬|t tcc `cs t |o t
Sou·cc. |c|o|t tc !ouc'c !o'¬atsu |·otcc'/||S |ct'ooo|o¿¸, 1999
74
Guide to Effective Control
Guide to Effective Control
Identifying key business processes, activities and resources
!'c ||A ·ccos to asscss t'c |¬øact o| a· outa¿c to a|| 'c¸ ous|·css ø·occsscs.
|t ·a·'s t'csc ø·occsscs |· o·oc·, to octc·¬|·c ·ccovc·¸ ø·|o·|t|cs a·o
|oc·t|| |cs t'c act|v|t|cs a·o ·csou·ccs .'|c' co¬ø·|sc cac' ø·occss, a¿a|·,
·a·'co |· o·oc· o| ø·|o·|t¸ to octc·¬|·c ·ccovc·¸ ø·|o·|t|cs.
!o c·su·c t'c ||A |s co¬ø|ctc cac' ous|·css u·|t o· sc·v|cc a·ca ·ccos to
|oc·t||¸ t'c ø·occsscs |o· .'|c' t'c¸ a·c ·csøo·s|o|c a·o t'c· octc·¬|·c
.'|c' o| t'csc a·c c·|t|ca| to t'c o·¿a·|sat|o· ac'|cv|·¿ |ts oo,cct|vcs. !'csc
'c¸ ous|·css ø·occsscs s'ou|o t'c· oc ·a·'co |· o·oc· ø·|o·|t¸ to t'c ous|·css
(t'us |·o|cat|·¿ t'c|· ·ccovc·¸ ø·|o·|t¸) a·o t'c act|v|t|cs a·o ·csou·ccs o| cac'
ø·occss s'ou|o oc s|¬||a·|¸ ·a·'co.
Checklist: ensuring all key business functions, processes and resources are identified and
included in the BIA
Task Completed
|ocu¬c·t a·o co·||·¬ o·¿a·|sat|o·a| oo,cct|vcs, outøuts a·o øc·|o·¬a·cc
c·|tc·|a `cs t |o t
||st a|| ous|·css ø·occsscs .'|c' u·oc·ø|· ac'|cvc¬c·t o| oo,cct|vcs a·o oc||vc·¸
o| outøuts `cs t |o t
|a·' t'c ø·occsscs |· o·oc· o| |¬øo·ta·cc to t'c o·¿a·|sat|o·'s oo,cct|vcs a·o
c×c|uoc t'osc ø·occsscs co·s|oc·co ·ot 'c¸ to ac'|cv|·¿ t'c oo,cct|vcs `cs t |o t
|cv|c. t'c |u·ct|o·a| o·¿a·|sat|o· c'a·t to |oc·t||¸ ¿c·c·a| a·cas o| oøc·at|o·a|
·csøo·s|o|||t¸ `cs t |o t
|·tc·v|c. ¬a·a¿c·s ·csøo·s|o|c |o· 'c¸ ous|·css |u·ct|o·s to co·| |·¬
u·oc·sta·o|·¿ o| ous|·css ø·occsscs `cs t |o t
|cct .|t' sc·v|cc a·ca ¬a·a¿c¬c·t a·o suøøo·t øc·so··c| to ¿a|· a·
u·oc·sta·o|·¿ o| cac' |u·ct|o· |·c|uoco |· t'c scoøc `cs t |o t
Oota|· a·¸ suøøo·t|·¿ oocu¬c·tat|o· t'at |s ava||ao|c .'|c' .ou|o ø·ov|oc
a su¬¬a·¸ o| 'c¸ ous|·css |u·ct|o·s `cs t |o t
|ocu¬c·t t'c act|v|t|cs a·o ·csou·ccs cssc·t|a| to cac' 'c¸ ous|·css ø·occss. `cs t |o t
|·su·c a|| ·csou·ccs ¿·ouøs a·c |oc·t|||co (|c. øcoø|c, |ac|||t|cs,
tc|cco¬¬u·|cat|o·s, |·|o·¬at|o· s¸stc¬s, ous|·css suøøo·t ø·occsscs) `cs t |o t
|o·¬a||¸ co¬¬u·|catc t'c ||st o| 'c¸ ous|·css ø·occsscs a·o suøøo·t|·¿ ø·occsscs
a·o ·csou·ccs, .|t' t'c|· ·csøcct|vc ·a·'|·¿, to t'c ø·o,cct stcc·|·¿ co¬¬|t tcc `cs t |o t
Co·s|oc· |·tc·ocøc·oc·c|cs t'at c×|st oct.cc· a·cas `cs t |o t
Sou·cc. |c|o|ttc !ouc'c !o'¬atsu |·otcc'/||S |ct'ooo|o¿¸, 1999
75
Business Continuity Management
Business Continuity Management
The BIA
!'c ||A octc·¬|·cs t'c |c·¿t' o| t|¬c t'c o·¿a·|sat|o· ca· oc .|t'out 'c¸
ous|·css ø·occsscs oc|o·c ·c¬co|a| act|o· ¬ust oc ta'c·. As t'c 'c¸ ous|·css
ø·occsscs a·c ¬aoc uø o| act|v|t|cs a·o ·csou·ccs, |t |s actua||¸ aoout ¬a'|·¿
a· asscss¬c·t aoout t'c t|¬c ¸ou ca· oc .|t'out t'c act|v|t|cs o· ·csou·ccs
oc|o·c t'c 'c¸ ous|·css ø·occss .ou|o |a||. !'c ||A cstao||s'cs t'c |a×|¬u¬
Acccøtao|c Outa¿c |o· cac' act|v|t¸ a·o ·csou·cc t'at suøøo·ts t'c 'c¸
ous|·css ø·occsst'c |AO s'ou|o ·c||cct a·o co·| |·¬ t'c ø·|o·|t¸ ·a·'|·¿
¬aoc |· t'c ca·||c· stcø.
Checklist: analysing each key business function for a BIA
Task Completed
|va|uatc t'c |¬øacts o| a |oss o| t'c |u·ct|o· |·o¬ t'c øc·søcct|vc o| t'c
o·¿a·|sat|o·'s ouo¿ct a·o outco¬cs a·o outøutsco·s|oc·.
· |oss o| ·cvc·uc/|·c·casco c×øc·sc
· sc·v|cc oc||vc·¸ sta·oa·os
· øuo||c o· øo||t|ca| c¬oa··ass¬c·t
· |oss o| c||c·t co·| |oc·cc
· |oss o| ¬a·a¿c¬c·t co·t·o|
· ||·a·c|a| ¬|sstatc¬c·t
· ·c¿u|ato·¸, statuto·¸ o· co·t·actua| ||ao|||t¸
· søcc|||c/u·|ouc vu|·c·ao|||t|cs, a·o
· øo||t|ca| ·a¬|||cat|o·s `cs t |o t
|oc·t||¸ t'c c·|t|ca| succcss |acto·s t'at c·su·c t'c |u·ct|o· ¬ccts t'c
o·¿a·|sat|o·s oo,cct|vcs `cs t |o t
|oc·t||¸ t'c ø·occsscs a·o ·csou·ccs .'|c' u·oc·ø|· t'c 'c¸ ous|·css |u·ct|o·s `cs t |o t
|oc·t||¸ aoo|t|o·a| c×øc·scs |·cu··co || ø·occss(cs) a·c øc·|o·¬co
¬a·ua||¸ o· |· a suost|tutc ¬a··c· ou·|·¿ a· outa¿c `cs t |o t
|oc·t||¸ |·tc·|¬ ø·occss|·¿ ø·occou·cs (a|tc··at|vc o· ¬a·ua| ø·occss|·¿)
tcc'·|oucs to oc aooøtco ou·|·¿ t'c ·ccovc·¸ ø'asc `cs t |o t
|st|¬atc t'c t|¬c |t .||| ta'c to ovc·co¬c t'c oac'|o¿ o| .o·' accu¬u|atco
ou·|·¿ t'c outa¿c `cs t |o t
Çua·t||¸ t'c ¬|·|¬u¬ ·csou·cc ·cou|·c¬c·ts ·cccssa·¸ to øc·|o·¬ t'c |u·ct|o· `cs t |o t
|oc·t||¸ t'c ·cco·os v|ta| to t'c ·ccovc·¸ ø·occss `cs t |o t
|va|uatc t'c aocouac¸ o| cu··c·t |C| |· ø|acc `cs t |o t
Sou·cc. |c|o|ttc !ouc'c !o'¬atsu |·otcc'/||S |ct'ooo|o¿¸, 1999
76
Guide to Effective Control
Guide to Effective Control
Selecting alternate activities and resources
!o sc|cct a|tc··atc act|v|t|cs a·o ·csou·ccs to oc usco ou·|·¿ a· outa¿c,
co·s|oc·at|o· o| a|| v|ao|c oøt|o·s |s øa·a¬ou·t. !'|s co·s|oc·at|o·
c·co¬øass cac' oøt|o·s ao|||t¸ to suost|tutc |o· t'c |ost act|v|t|cs a·o
·csou·ccs |· tc·¬s o| cost, oua||t¸ a·o, ¬ost |¬øo·ta·t|¸ (co·s|oc·|·¿ t'c
|AO) t|¬c||·css. A· aooco oc·c||t o| t'|s ø·occss |t t'at |t ¬a¸ |oc·t||¸
oct tc· act|v|t|cs a·o ·csou·ccs t'a· t'osc cu··c·t|¸ |· ø|acc, ø·ov|o|·¿ o·-
¿o|·¿ cost sav|·¿s as a· outco¬c o| t'|s ø·occss.
Checklist: selecting process and resources alternatives
Task Completed
|ocu¬c·t a o·|c| ocsc·|øt|o· o| cac' v|ao|c oøt|o· `cs t |o t
|ctc·¬|·c ot'c· ·csou·ccs ·cou|·co a·o t'c costs |o· cac' oøt|o· (t'|s ¬a¸ ·cou|·c
|·|o·¬at|o· |·o¬ vc·oo·s) `cs t |o t
Co¬øa·c ·ccovc·¸ oøt|o·s, |·c|uo|·¿ cost, .|t' ·ccovc·¸ ø·|o·|t|cs a·o t'c |AO.
Co·s|oc·.
· |ocs t'c oøt|o· ¬cct t'c ·ccovc·¸ ·ccos. `cs t |o t
· |ocs t'c oøt|o· c×ccco ou· ·ccos. `cs t |o t
Sou·cc. |c|o|ttc !ouc'c !o'¬atsu |·otcc'/||S |ct'ooo|o¿¸, 1999
77
Business Continuity Management
Business Continuity Management
Evaluating backup processing and of f-site storage
|o· a |C| to .o·', a·o .o·' ·c||ao|¸, so¬c ø·oact|vc ¬casu·cs .||| ·cco to
oc cstao||s'co to c·su·c ·c|cva·t ·csou·ccs a·c ava||ao|c || t'c |C| |s
act|vatco. |u·oa¬c·ta| to ·ccovc·¸ |·o¬ a· outa¿c |s acccss to ·cco·o a·o
|·|o·¬at|o·oot' c|cct·o·|c a·o ø'¸s|ca|. |ac'uø ø·occss|·¿ a·o o||-s|tc
sto·a¿c a·c |u·oa¬c·ta| to ¬ost ous|·css ø·occsscs tooa¸t'c c'cc'||st
oc|o. ø·ov|ocs a ||st o| |ssucs to co·s|oc· .'c· ·cv|c.|·¿ t'c ·cou|·c¬c·ts
|o· t'c |C|
Checklist: evaluating backup processing and of f-site storage
Task Completed
|·su·c a|| ·csou·ccs ·cou|·co |o· t'c sc|cctco st·atc¿|cs a·c sto·co o||s|tc `cs t |o t
|cv|c. oocu¬c·tco o||-s|tc oac'uø ø·occss|·¿ sta·oa·os a·o ø·occou·cs, ||
t'c¸ c×|st. || sta·oa·os a·o ø·occou·cs oo ·ot c×|st, c·su·c t'c¸ a·c ocvc|oøco `cs t |o t
|·tc·v|c. øc·so··c| ·csøo·s|o|c |o· |¬ø|c¬c·tat|o· o| oac'uø ø·occou·cs to scc
|| ø·occou·cs a·c oc|·¿ ao'c·co to `cs t |o t
|ocu¬c·t 'c¸ c|c¬c·ts o| t'c o||-s|tc oac'uø ø·occou·cs |o· |·c|us|o· |· t'c
aøø·oø·|atc scct|o·s o| t'c co·t|·¿c·c¸ ø|a· `cs t |o t
A·a|¸sc o||-s|tc oac'uø ø·occss|·¿ ø·occou·cs a·o oocu¬c·t co·cc··s `cs t |o t
Sc'cou|c ·cv|c. o| o||-s|tc sto·a¿c |ac|||t¸ `cs t |o t
|a·t|a| ·ccovc·¸ |·o¬ o||-s|tc |ac|||t|cs 'as occ· tcstco `cs t |o t
|otc. A octtc· ø·act|cc c'cc'||st |o· o||-s|tc sto·a¿c |s |·c|uoco |· Aøøc·o|× 9. !'|s ca· oc usco as t'c oas|s |o· a·a|¸s|·¿ |ssucs .|t'
o||-s|tc oac'uø ø·occss|·¿.
Sou·cc. |c|o|t tc !ouc'c !o'¬atsu |·otcc'/||S |ct'ooo|o¿¸, 1999
78
Guide to Effective Control
Guide to Effective Control
Implementing continuity strategies
|t |s cssc·t|a| t'at t'c sc|cctco co·t|·u|t¸ st·atc¿|cs a·c |¬ø|c¬c·tco ø·oøc·|¸
a·o tcstco. !'c |C| .||| ·c|¸ o· t'c sc|cctco co·t|·u|t¸ st·atc¿|cs oc|·¿ |·
ø|acc ø·|o· to ||·a||sat|o· o| t'c |C|. !'c c'cc'||st oc|o. .||| ø·ov|oco
ass|sta·cc |· c·su·|·¿ t'c |oc·t|||co co·t|·u|t¸ st·atc¿|cs 'avc occ·
|¬ø|c¬c·tco.
Checklist: ensuring continuity strategies are properly implemented
Task Completed
|·su·c |o· cac' st·atc¿¸ sc|cctco, t'c ||'c|¸ costs a·c t'c ¬ost co¬¬c·c|a||¸ v|ao|c
(|c. |·vcst|¿atc ot'c· vc·oo·s |· t'c ¬a·'ctø|acc) `cs t |o t
|oc·t||¸ ot'c· ·cou|·c¬c·ts o· c'a·¿cs t'at ·cco to oc ¬aoc |· o·oc· |o· t'c
st·atc¿|cs to oc c||cct|vc `cs t |o t
C'a·¿cs to o||-s|tc sto·a¿c ø·occou·cs s'ou|o oc ¬aoc as |oc·t|||co `cs t |o t
|cv|c. co·t·acts to c·su·c t'c¸ oc¬o·st·atc oct tc· ø·act|cc |o· co·t·act
¬a·a¿c¬c·t as .c|| as co¬ø|¸ .|t' |·tc··a| ¿u|oc||·cs |o· co·t·act ¬a·a¿c¬c·t `cs t |o t
||·a||sc co·t·acts `cs t |o t
Sou·cc. |c|o|t tc !ouc'c !o'¬atsu |·otcc'/||S |ct'ooo|o¿¸, 1999
79
Business Continuity Management
Business Continuity Management
Evaluating the level of communication in the BCP
\'c· act|vatco, t'c succcss o| a |C| .||| ·c|¸ 'cav||¸ o· oøc· co¬¬u·|cat|o·
a·o s'a·|·¿ o| ·c|cva·t |·|o·¬at|o·. |o||o.|·¿ occ|a·at|o· o| a o|sastc·,
|·|o·¬at|o· o· |¬ø|c¬c·tat|o· o| a|tc··atc act|v|t|cs a·o ·csou·ccs, ·ccovc·¸
o| |ost s¸stc¬s a·o t'c ·c×t sta¿c o| t'c ø|a· to oc |¬ø|c¬c·tco, ·ccos to oc
co·cu··c·t|¸ ava||ao|c to a|| ·ccovc·¸ tca¬s, sc·|o· ¬a·a¿c¬c·t a·o a||cctco
sta||. !'c |o||o.|·¿ c'cc'||st ca· oc usco to c·su·c t'c co¬¬u·|cat|o· |· t'c
sc·v|cc a·ca ø|a·s a·o t'c ¬a·a¿c¬c·t ø|a· |s aocouatc.
Checklist: ensuring communications and information flows in service area recovery plans are
adequate
Task Completed
|·su·c t'c |C| 'as co¬¬u·|cat|o· ||o.s .'|c' t'c c·ao|c t'c |ccovc·¸
Coo·o|·ato· to oc 'cøt aocouatc|¸ |·|o·¬co o¸ t'c sc·v|cc a·ca ·ccovc·¸ tca¬s
t'·ou¿'out t'c ·ccovc·¸ ø·occss `cs t |o t
!'c |C| c·su·cs sc·v|cc a·ca ·ccovc·¸ tca¬ ¬c¬oc·s a·c 'cøt aocouatc|¸
|·|o·¬co o| .'c·c t'c o·¿a·|sat|o·s |s |· t'c ·ccovc·¸ ø·occss `cs t |o t
|·su·c sc·v|cc a·ca ·ccovc· tca¬ .o·'|·¿ to ·ccovc· |·tc··c|atco ous|·css
ø·occsscs a·c 'cøt ø·oøc·|¸ |·|o·¬co o| t'c ·ccovc·¸ ø·occss a·o 'ccø ot'c·
tca¬ |·|o·¬co o| t'c|· ø·o¿·css `cs t |o t
|·su·c sc·v|cc a·cas 'ccø aøø·oø·|atc c×tc··a| øa·t|cs a·o sta'c'o|oc·s |·|o·¬co
(·ot |·c|uo|·¿ øa·t|cs/sta'c'o|oc·s t'at .ou|o oc 'cøt |·|o·¬co as øa·t o| t'c
¬a·a¿c¬c·t ø|a·) o| t'c ·ccovc·¸ ø·occss `cs t |o t
|·su·c c×tc··a| a·o |·tc··a| øa·t|cs |·c|uoco |· |C| a·c |·|o·¬co |¬¬co|atc|¸ t'at
t'c|· ass|sta·cc ¬a¸ oc ca||co uøo· `cs t |o t
|·su·c a|| 'u¬a· ·csou·cc ·ccos a·c ø·oøc·|¸ aoo·cssco. Co·s|oc·. O|S,
cou·sc|||·¿ a·o ot'c· suøøo·t ||·cs o| co¬¬u·|cat|o·, ctc `cs t |o t
|·su·c t'c ·ccovc·¸ ø·occss aoo·csscs ·c-|¬ø|c¬c·tat|o· o| ·out|·c co·t·o|s
(ø'¸s|ca|, |o¿|ca| a·o c·v|·o·¬c·ta|) `cs t |o t
Sou·cc. |c|o|t tc !ouc'c !o'¬atsu |·otcc'/||S |ct'ooo|o¿¸, 1999
80
Guide to Effective Control
Guide to Effective Control
Checklist: ensuring communications and information flows in the management plan is
adequate
Task Completed
|·su·c t'c |C| co¬¬u·|cat|o· ||o.s 'ccø u·oc·|¸|·¿ sc·v|cc a·ca ·ccovc·¸ tca¬s
|·|o·¬co t'·ou¿'out t'c ø·occss `cs t |o t
|·su·c t'c c×ccut|vc |s 'cøt ø·oøc·|¸ |·|o·¬co t'·ou¿'out t'c ø·occss `cs t |o t
|·su·c a·c aøø·oø·|atc c×tc··a| øa·t|cs/sta'c'o|oc·s a·c 'cøt ø·oøc·|¸ |·|o·¬co
t'·ou¿'out t'c ø·occss `cs t |o t
|·su·c t'c |C| ø·ov|ocs søcc|||c ø·otoco|s |o· ¬co|a ||a|so· a·o ¬a·a¿c¬c·t `cs t |o t
|·su·c c×tc··a| a·o |·tc··a| øa·t|cs |·c|uoco |· |C| a·c |·|o·¬co |¬¬co|atc|¸ t'at
t'c|· ass|sta·cc ¬a¸ oc ca||co uøo· `cs t |o t
|·su·c a|| 'u¬a· ·csou·cc ·ccos ø·oøc·|¸ aoo·cssco. Co·s|oc·. O|S, cou·sc|||·¿
a·o ot'c· suøøo·t, ||·cs o| co¬¬u·|cat|o·, ctc `cs t |o t
|·su·c t'c ·ccovc·¸ ø·occss aoo·csscs ·c-|¬ø|c¬c·tat|o· o| ·out|·c co·t·o|s
(ø'¸s|ca|, |o¿|ca| a·o c·v|·o·¬c·ta|) `cs t |o t
Sou·cc. |c|o|ttc !ouc'c !o'¬atsu |·otcc'/||S |ct'ooo|o¿¸, 1999
81
Business Continuity Management
Business Continuity Management
Disaster assessment
!'c |C| ·cco to out||·c t'c stcøs a·o |ssucs t'at ·cco to oc co·s|oc·co
.'c· asscss|·¿ t'c |¬øact o| a o|sastc·. !'c |ccovc·¸ Coo·o|·ato· ¬ust oc
ao|c to aov|sc t'c C'|c| |×ccut|vc a·o sc·|o· ¬a·a¿c¬c·t o· t'c |¬øact o|
a· outa¿c a·o asscss t'c t|¬c t'c ous|·css ø·occss ¬a¸ oc a||cctcoif the
MAO is exceeded, a disaster is declared and the BCP is activated.
Checklist: developing the disaster assessment guidelines
Task Completed
!'c |C| c|ca·|¸ |oc·t|||cs t'c øcoø|c |·vo|vco |· t'c o|sastc· asscss¬c·t `cs t |o t
!'c ·ot|||cat|o· ø·occss |o· t'osc |·vo|vco |· t'c o|sastc· asscss¬c·t |s c|ca·|¸
|oc·t|||co |· t'c |C| `cs t |o t
!'c t|¬c|·a¬cs |o· t'c o|sastc· asscss¬c·t a·c c|ca·|¸ |oc·t|| |co |· t'c |C| `cs t |o t
Sa|ct¸ ø·occou·cs |o· o|sastc· asscss¬c·t |oc·t|||co |· t'c |C| a·c |· ||·c .|t'
Occuøat|o·a| |ca|t' a·o Sa|ct¸ ·cou|·c¬c·ts `cs t |o t
!'c outs|oc øa·t|cs .'|c' a·c øa·t o| t'c o|sastc· asscss¬c·t ø·occss a·c
|oc·t|||co |· t'c |C| a|o·¿ .|t' t'c|· co·tact octa||s `cs t |o t
Stcøs a·c |· ø|acc to |·|o·¬ a|| ·c|cva·t |·su·a·cc co¬øa·|cs a·c aøø·oø·|atc|¸
|·|o·¬co o| t'c |·c|oc·t oc|o·c o· ou·|·¿ t'c o|sastc· asscss¬c·t ta'|·¿ ø|acc
(so¬c |·su·a·cc |s vo|o || cc·ta|· o|sastc· asscss¬c·ts a·c ca··|co out .|t'out
t'c |·su·a·cc co¬øa·¸ ø·csc·t o· .|t'out t'c|· '·o.|co¿c) `cs t |o t
Sou·cc. |c|o|ttc !ouc'c !o'¬atsu |·otcc'/||S |ct'ooo|o¿¸, 1999
82
Guide to Effective Control
Guide to Effective Control
Appendix 7
Limitations of BCPs
!'c |C| s'ou|o ·cco¿·|sc t'c |acto·s t'at ¬a¸ ||¬|t ·ccovc·¸ |·o¬ a ous|·css
|·tc··uøt|o· cvc·t. !'csc |acto·s s'ou|o oc oocu¬c·tco |· t'c |C| to
c·su·c t'c¸ a·c o·ou¿'t to at tc·t|o· o| ¬a·a¿c¬c·t.
Example: factors which may limit recovery from a business interruption event
Resource Possible limiting factors
People · |·su|| |c|c·t ·u¬oc· o| øc·so··c| øosscss|·¿ t'c aøø·oø·|atc s'|||s ava||ao|c to
|¬ø|c¬c·t ous|·css co·t|·u|t¸ oøc·at|o·s
· C·|t|ca| oøc·at|o·s a·o s¸stc¬s oocu¬c·tat|o· |o· cac' ø|at|o·¬ a·c ·ot sto·co
o||-s|tc
· |·su|| |c|c·t ·u¬oc· o| oua||||co øc·so··c| .||| oc ava||ao|c to øc·|o·¬ usc· tas's
ou·|·¿ t'c ·ccovc·¸ ø'asc
· |c·so··c| .'o ø|a¸ a ·o|c |· ·ccovc·¸ a·c u·a.a·c o| t'c|· ·csøo·s|o|||t|cs a·o 'avc
·ot occ· aocouatc|¸ t·a|·co to øc·|o·¬ t'c ·ccovc·¸ tas's
· Sta|| suøøo·t a·cas a·c ·ot ø·cøa·co to suøøo·t t'c ·ccovc·¸ oøc·at|o·
Facilities · !'c |ccovc·¸ ||a· .||| |O! covc· a·¸ cvc·t .'|c' s|¬u|ta·cous|¸ ·c·oc·s oot' t'c
ø·|¬a·¸ a·o a|| a|tc··atc oata cc·t·c |ac|||t|cs |·oøc·ao|c
· !'c |ccovc·¸ ||a· .||| |O! covc· a·¸ cvc·t .'|c' s|¬u|ta·cous|¸ ·c·oc·s t'c oata
cc·t·c |·oøc·ao|c a·o t'c cssc·t|a| o||-s|tc sto·a¿c |·acccss|o|c
· !'c o|sastc· t'at ·c·oc·s t'c oata cc·t·c |·oøc·ao|c ¬a¸ |¬øact |a·¿c ¿co¿·aø'|c
a·cas, øuo||c ut|||t|cs, t'c t·a·søo·tat|o· |·|·ast·uctu·c o· ot'c· |ac|||t|cs a·o/o·
sc·v|ccs o·o|·a·||¸ ava||ao|c (|otc t'at t'|s c×c|uocs a· c|cct·|ca| o|st·|out|o· |a||u·c)
· !·a·sact|o·s |ost oct.cc· t'c øo|·t o| t'c ¬ost ·ccc·t oac'uø a·o t'c o|sastc·
cvc·t ca··ot oc ·cco·st·uctco a·o ·c-c·tc·co to co¬øutc· s¸stc¬s .|t'|· t'c
¬a×|¬u¬ a||o.ao|c outa¿c øc·|oo
· |c·|oo|c tcst|·¿ o| t'c |C| ·ot |s co·ouctco
· C·|t|ca| s¸stc¬s a·c ·ot øc·|oo|ca||¸ cva|uatco a·o t'c|· ¬|·|¬u¬ cssc·t|a| |catu·cs
ca· ·ot oc ø·ov|oco |o· a o|sastc·
· A co¬ø|ctc ||st|·¿ o| ø·oouct|o· | ||cs a·o t'c|· |ocat|o· o· oac'uø taøcs |s ·otatco
o||-s|tc .|t' aocouatc |·couc·c¸
· !'c o·¿a·|sat|o· ¬a¸ c×øc·|c·cc vo|u·ta·¸ o· |·vo|u·ta·¸ scøa·at|o·s o|
c¬ø|o¸¬c·t o· ·c|at|o·s'|ø .|t' a·¸ c¬ø|o¸ccs, suøø||c·s, o· ot'c· vc·oo·s
oct.cc· t'c occu··c·cc o| t'c o|sastc· cvc·t a·o co¬ø|ctc ·ccovc·¸
· O||-s|tc sto·a¿c |ocat|o·s a·c ·ot |·tact a·o acccss|o|c
· O||-s|tc |·|o·¬at|o· oac'uø a·o ·otat|o· ø·occou·cs a·c |·aocouatc to |¬ø|c¬c·t
|u|| ·ccovc·¸ .|t'|· ¬a×|¬u¬ a||o.ao|c outa¿c t|¬c |·a¬cs
· |a||¸ t·a·sact|o·s ·ccoco to ·cco·st·uct c·|t|ca| oata a·c ·ot ·otatco o||-s|tc .|t'
aocouatc |·couc·c¸
83
Business Continuity Management
Business Continuity Management
Example: factors which may limit recovery from a business interruption event (continued)
Resource Possible limiting factors
Telecommunications · |cao¸ acccss to øuo||c ·ct.o·'
· '·t|¬c|¸ acccss to ·cø|acc¬c·t ¬oo||c ø'o·cs
· |c|a¸ |· ·c-·out|·¿ c·|t|ca| ø'o·cs ·u¬oc· to ·c. |ocat|o·
· |ac' o| acccss to ot'c· co¬¬u·|cat|o·s 'a·o.a·c (c¿. øa¿c·s, |a×, c¬a||
co··cct|o·s, ctc.)
Information Systems · |ac' o| a|tc··atc ø·occss|·¿ |ac|||t|cs ava||ao|c as a·o .'c·, ·cou|·co
· !'c o·¿a·|sat|o· |ac's acccss to a |u||¸ co·| |¿u·co scco·o ø·occss|·¿ s|tc
su|| |c|c·t |· caøac|t¸ to suøøo·t oata ø·occss|·¿ |o· cssc·t|a| ous|·css
|u·ct|o·s .|t' c·|t|ca| aøø||cat|o· suøøo·t ·ccos
· C·|t|ca| usc·s oo ·ot 'avc t'c ao|||t¸ to ·cco·st·uct a·¸ |ost .o·'-|·-
ø·o¿·css
· C·|t|ca| usc·s oo ·ot 'avc ·ccovc·¸ ø|a·s ocvc|oøco to oc ao|c to ø·occss
at t'c a|tc··atc ø·occss|·¿ |ac|||t¸
Business Processes · !'c o·¿a·|sat|o· 'as aocouatc | |·a·c|a| ·csou·ccs to |¬ø|c¬c·t t'c
and Resources co·t|·¿c·c¸ ø|a· acco·o|·¿ to t'c t|¬c |·a¬cs cstao||s'co o¸ t'c ous|·css
|¬øact a·a|¸s|s
· |·aocouatc ¬a|·tc·a·cc o| a|| ous|·css co·t|·u|t¸ ø·occou·cs |s øc·|o·¬co
· |o o·¿o|·¿ c||o·t to ¬|·|¬|sc c×øosu·cs to o|sastc·s .||| co·t|·uc a·o
oøc·at|o·s/ s¸stc¬s vu|·c·ao|||t|cs
· |cs|¿·atco usc· ·cø·csc·tat|vcs a·c ·ot ø·o¬øt|¸ ·ot|| |co || a o|sastc·
occu·s
84
Guide to Effective Control
Guide to Effective Control
Appendix 8
Event log
|u·|·¿ a ous|·css |·tc··uøt|o· cvc·t |t |s |¬øo·ta·t to ·cco·o |¬øo·ta·t
|·|o·¬at|o· a·o occ|s|o·s .'|c' .c·c ¬aoc ou·|·¿ t'c outa¿c. !'|s
|·|o·¬at|o· ø·ov|ocs a· |¬øo·ta·t |·øut to ·cv|s|·¿ t'c |C| o¸ |·co·øo·at|·¿
actua| cvc·t c×øc·|c·ccs |· t'c ø|a·. !'c cvc·t |o¿ ¬a¸ a|so oc a usc|u| too|
|o· t'c |ccovc·¸ Coo·o|·ato· to usc ou·|·¿ |C| tcsts to ·cco·o t'c scc·a·|o
sct a·o t'c outco¬cs o| t'c tcst ·csu|ts.
!'c |ccovc·¸ Coo·o|·ato· s'ou|o co¬ø|ctc t'|s |vc·t |csc·|øt|o· s'o·t|¸
a| tc· ·ot|| |cat|o· o| a o|sastc·. !'c |o·¬ |s usco to ·cco·o t'c |acts a·o
.o·o|·¿ o| t'c o|sastc· occ|a·at|o· statc¬c·t to a||o. t'c |ccovc·¸
Coo·o|·ato· to ·c|a¸ accu·atc |·|o·¬at|o· to ot'c· ¬c¬oc·s o| t'c tca¬ a·o
as a ¬ca·s o| ·cv|c. a|tc· t'c cvc·t.
!'c |o||o.|·¿ c×a¬ø|c s'o.s t'c |·|o·¬at|o· t'c |ccovc·¸ Coo·o|·ato·
s'ou|o co||cct |· t'c casc o| a ous|·css |·tc··uøt|o· cvc·t.
!'|s |o·¬ s'ou|o oc aoaøtco to su|t t'c søcc|||c ·cou|·c¬c·ts a·o st·uctu·c o|
t'c o·¿a·|sat|o·.
Example: a business interruption event log
Event Log:
Initial Notif ication. Briefly describe the event:
||sastc· |cc|a·co t o·
Sta·oo¸ |coucstco t .
(||casc !|c')
|atc.
!|¬c.
Notif ied by. |st|¬atco !|¬c to |vc·t |cso|ut|o·
|a¸s. |·s.
Disaster Declared:
|atc. Recovery Site
!|¬c.
·||CO\||` S|!| A||||SS~
Authorised by
85
Business Continuity Management
Business Continuity Management
Appendix 9
Checklists for review of off-site backup procedures
Checklist for review of non-IT off-site backup procedures
Area for Review Completed
|oc·t||¸ a|| catc¿o·|cs o| o||-s|tc oac'uø aoo·cssco o¸ t'c ø·occou·cs. Co·s|oc·.
· 'a·o coø¸ oocu¬c·tat|o·
· |o·¬s (aøø||cat|o· |o·¬s, ¬a·ua| ·ccc|øts, c'couc o|a·'s
¬,
ctc)
· suøø||cs, a·o
· cou|ø¬c·t `cs t |o t
¬ |t ¬a¸ oc øoss|o|c to ¬a'c søcc|a| a··a·¿c¬c·ts .|t' ¸ou· oa·', |·c|uo|·¿ ¿ua·a·tcco oc||vc·¸ t|¬c, .'|c'
.||| c·'a·cc sccu·|t¸ o| t'csc |o·¬s
|o· cac' o| t'c catc¿o·|cs o| |tc¬s |oc·t|| |co as oc|·¿ oac'co uø, |oc·t||¸ t'c
t·|¿¿c·s |o· aoo|·¿/·cø|ac|·¿/oc|ct|·¿ o||-s|tc oac'uø |tc¬s `cs t |o t
|oc·t||¸ øc·so·s ·csøo·s|o|c |o· octc·¬|·|·¿ .'at |s to oc oac'co uø `cs t |o t
|oc·t||¸ øc·so·s ·csøo·s|o|c |o· ·cv|c. a·o aøø·ova| o| c'a·¿cs/tc·¬|·at|o·s `cs t |o t
o| o||-s|tc oac'uø |tc¬s
|ctc·¬|·c || a· |·vc·to·¸ o| |tc¬s |s ava||ao|c a·o 'o. t'c |·vc·to·¸ |s
¬a|·ta|·co `cs t |o t
|ctc·¬|·c .'ct'c· a 'a·ocoø¸ o| t'c o||-s|tc oac'uø |·vc·to·¸ |s sto·co o||-s|tc `cs t |o t
Sou·cc. |c|o|t tc !ouc'c !o'¬atsu |·otcc'/||S |ct'ooo|o¿¸, 1999
86
Guide to Effective Control
Guide to Effective Control
Checklist for review of IT off-site backup procedures
Area for Review
|oc·t||¸ a|| t¸øcs o| |||cs oc|·¿ oac'co uø o|| s|tc. Co·s|oc·.
· s¸stc¬ so| t.a·c.
- oøc·at|·¿ s¸stc¬s
- suøøo·t so|t.a·c
- ut|||t¸ øac'a¿cs
- co¬¬u·|cat|o·s so|t.a·c, a·o
- ¦oo Co·t·o| |a·¿ua¿c (¦C|), ctc. `cs t |o t
· aøø||cat|o· so| t.a·c.
- sou·cc ||o·a·|cs
- ø·oouct|o· ||o·a·|cs (|×ccutao|c Cooc)
- oata o|ct|o·a·¸ |||cs
- ¦oo Co·t·o| |a·¿ua¿c, ctc, a·o
- ø·oouct|o· oata o|s' |||cs a·o oataoascs `cs t |o t
· usc· | ||cs.
- o·-||·c oocu¬c·tat|o·
- |·oouct|o· Sc'cou||·¿
- co¬øutc· oøc·at|o·s oocu¬c·tat|o· (c¿. ·ccovc·¸/·csta·t), a·o
- aøø||cat|o· s¸stc¬/ø·o¿·a¬ oocu¬c·tat|o· `cs t |o t
· a·c'|va| |||cs `cs t |o t
|o· cac' o| t'c catc¿o·|cs o| |tc¬s |oc·t|||co as oc|·¿ oac'co uø, |oc·t||¸ t'c
¬ct'oo(s) o| oac'uø. Co·s|oc·.
· |u|| savcs (c·t|·c |||c o· oataoasc oac'co uø)
· |·c·c¬c·ta| savcs
· ø·oouct|o· ,oo st·ca¬
· o· ·coucst o¸ usc·
· aøø||cat|o· ·|¿'t|¸ oac'uø oatc' ·u·, a·o
· søcc|a| ,oo st·ca¬ `cs t |o t
87
Business Continuity Management
Business Continuity Management
Checklist for review of IT off-site backup procedures (continued)
Area for Review Completed
|ctc·¬|·c t'c oac'uø |·couc·c¸ a·o ·u¬oc· o| c¸c|cs ·cta|·co o||-s|tc |o·
cac' catc¿o·¸ o| oac'uø `cs t |o t
|oc·t||¸ øc·so·s ·csøo·s|o|c |o· octc·¬|·|·¿ .'at |s to oc oac'co uø `cs t |o t
|oc·t||¸ øc·so·s ·csøo·s|o|c |o· ·cv|c. a·o aøø·ova| o| c'a·¿cs/tc·¬|·at|o·s
o| o||-s|tc oac'uø c¸c||·¿ `cs t |o t
|otc t'c ·caso·(s) .'¸ a·¸ t¸øcs o| | ||cs a·c ·ot oc|·¿ oac'co uø o|| s|tc `cs t |o t
|ctc·¬|·c || oac'uø ø·occou·cs a·c aøø||co aøø||cat|o· o¸ aøø||cat|o· o· to
a· c·t|·c catc¿o·¸ o| aøø||cat|o·s suc' as t'osc ocs|¿·atco critical `cs t |o t
|O!|. \'c· t'c tc·¬ 'aøø||cat|o·(s)' |s usco aoovc, |t ·c|c·s to oøc·at|·¿ s¸stc¬ so|t.a·c, suøøo·t
so|t.a·c, ut|||t|cs, a·o co¬¬u·|cat|o· so|t.a·c |· aoo|t|o· to c·o usc· ous|·css aøø||cat|o·s.
|oc·t||¸ t'c too|(s) usco |o· |oc·t||¸|·¿ a·o ·cco·o|·¿ o||-s|tc oac'uøs. Co·s|oc·.
· taøc ||o·a·¸ ¬a·a¿c¬c·t so| t.a·c øac'a¿cs
· ¬a·ua| |o¿s
· søcc|a| ø·o¿·a¬/s¸stc¬ .|t' ¬a·ua| |·øut, a·o
· søcc|a| ø·o¿·a¬/s¸stc¬ .|t' auto¬atco |·øut `cs t |o t
|ctc·¬|·c || vc·oo· ø·ov|oco so| t.a·c ø·ooucts a·c usco to øc·|o·¬ oac'uøs `cs t |o t.
|| a t'|·o øa·t¸ ø·ov|ocs o||-s|tc sto·a¿c, oocs t'c c×|st|·¿ co·t·act |o· ·ct·|cva|
a·o ·ccovc·¸ o| sto·a¿c ¬co|a ¬atc' t'c ·cou|·c¬c·ts o| t'c |C|. `cs t |o t
Sou·cc. |c|o|ttc !ouc'c !o'¬atsu |·otcc'/||S |ct'ooo|o¿¸, 1999
88
Guide to Effective Control
Guide to Effective Control
1
Business Continuity Management
Business Continuity Management
Business
Continuity
Management
Business
Continuity
Management
Workbook
Guide to Effective Control—January 2000
2
Guide to Effective Control
Guide to Effective Control
Better practice
Better practice
!'c Aust·a||a· |at|o·a| Auo|t O|||cc ø·oouccs oct tc· ø·act|cc ¿u|ocs as øa·t
o| |ts |·tc¿·atco auo|t aøø·oac' .'|c' |·c|uocs |·|o·¬at|o· sc·v|ccs to auo|t
c||c·ts.
A |ct tc· |·act|cc sc·|cs 'as occ· cstao||s'co to oca| .|t' 'c¸ asøccts o| t'c
co·t·o| st·uctu·cs o| c·t|t|csa· |·tc¿·a| øa·t o| ¿ooo co·øo·atc ¿ovc··a·cc.
!'|s \o·'ooo' |o·¬s øa·t o| t'at sc·|cs. !'c acco¬øa·¸|·¿ Cu|oc oca|s .|t'
ous|·css co·t|·u|t¸ ¬a·a¿c¬c·t .|t'|· a ·|s' ¬a·a¿c¬c·t |·a¬c.o·'.
|S|| 0 6-- 39018 2
© Co¬¬o·.ca|t' o| Aust·a||a, 2000
!'|s .o·' |s coø¸·|¿'t. Aøa·t |·o¬ a·¸ usc as øc·¬|ttco u·oc· t'c Coø¸·|¿'t Act 1968, ·o
øa·t ¬a¸ oc ·cø·ooucco o¸ a·¸ øu·øosc .|t'out ø·|o· .·|ttc· øc·¬|ss|o· |·o¬ t'c
Aust·a||a· |at|o·a| Auo|t O|| |cc.
|coucsts a·o |·ou|·|cs co·cc··|·¿ ·cø·oouct|o· a·o ·|¿'ts s'ou|o oc aoo·cssco to.
!'c |uo||cat|o·s |a·a¿c·
Aust·a||a· |at|o·a| Auo|t O|| |cc
C|O |o× ´0´
Ca·oc··a AC! 2601
|·|o·¬at|o· o· Aust·a||a· |at|o·a| Auo|t O|||cc
øuo||cat|o·s a·o act|v|t|cs |s ava||ao|c o· t'c |o||o.|·¿ |·tc··ct aoo·css.
't tø.//....a·ao.¿ov.au
Disclaimer
!'c Auo|to·-Cc·c·a|, t'c A|AO, |ts o|||cc·s a·o c¬ø|o¸ccs a·c ·ot ||ao|c, .|t'out
||¬|tat|o·, |o· a·¸ co·scouc·ccs |·cu··co, o· a·¸ |oss o· oa¬a¿c su||c·co o¸ a·
o·¿a·|sat|o· o· o¸ a·¸ ot'c· øc·so· as a ·csu|t o| t'c|· ·c||a·cc o· t'c |·|o·¬at|o·
co·ta|·co |· t'|s \o·'ooo' o· ·csu|t|·¿ |·o¬ t'c|· |¬ø|c¬c·tat|o· o· usc o| t'c
acco¬øa·¸|·¿ Cu|oc, a·o to t'c ¬a×|¬u¬ c×tc·t øc·¬|ttco o¸ |a., c×c|uoc a|| ||ao|||t¸
(|·c|uo|·¿ |· ·c¿||¿c·cc) |· ·csøcct o| t'c Cu|oc a·o t'c acco¬øa·¸|·¿ \o·'ooo'.
|cs|¿·co o¸ A·t Attac' |t¸ |to Ca·oc··a
|·|·tco o¸ ||·|c |·|·tc·s Ca·oc··a
3
Business Continuity Management
Business Continuity Management
Introduction 5
Step one: Project initiation 6
Step two: Key business processes identification 8
Step three: Business impact analysis (BIA) 11
Step four: Design continuity treatments 15
Appendices
1. Worksheet for key business processes
identification and business impact analysis 18
2. Worksheet for evaluation of recovery
treatment options 20
Contents
Contents
4
Guide to Effective Control
Guide to Effective Control
5
Business Continuity Management
Business Continuity Management
Introduction
Introduction
|t |s ocs|¿·co to |cao oøc·at|o·a| a·o sc·v|cc a·ca sta|| t'·ou¿' t'c ø·occss o|.
· |oc·t||¸|·¿ 'c¸ ous|·css ø·occsscs,
· cstao||s'|·¿ a ¬a×|¬u¬ acccøtao|c outa¿c |o· cac' 'c¸ ous|·css ø·occss,
a·o
· ocs|¿·|·¿ aøø·oø·|atc cost-c||cct|vc t·cat¬c·ts |· t'c cvc·t o| a· outa¿c.
!'c ·csu|ts |·o¬ t'|s \o·'ooo' ca· oc usco o¸ t'c |us|·css Co·t|·u|t¸
|·o,cct |a·a¿c· to ocvc|oø a |us|·css Co·t|·u|t¸ ||a·.
!'c st·uctu·c o| t'c \o·'ooo' |s oasco o· t'c stcøs octa||co |· t'c Business
Continuity Management |ct tc· |·act|cc Cu|oc øuo||s'co o¸ t'c Aust·a||a·
|at|o·a| Auo|t O|||cc. |t |s ·cco¬¬c·oco t'at usc·s o| t'|s \o·'ooo' ||·st
|a¬|||a·|sc t'c¬sc|vcs .|t' t'c co·ccøts a·o ø·occsscs o|scussco |· t'c Cu|oc.
!'c co·tc·t o| t'c \o·'ooo' co¬ø·|scs o| ¿c·c·a| ¿u|oa·cc, c×a¬ø|cs a·o
.o·'s'ccts. !'csc s'ou|o oc aoaøtco as ·cou|·co to c·su·c t'at 'c¸
|·|o·¬at|o· a·o occ|s|o·s a·c |u||¸ oocu¬c·tco.
|t |s |·tc·oco t'at t'c stcøs |· t'c \o·'ooo' oc |o||o.co scouc·t|a||¸. !'c
\o·'ooo' ¬a¸ oc co¬ø|ctco |·o|v|oua||¸ o· oc usco as t'c oas|s to |ac|||tatc
¿·ouø scss|o·s.
This Workbook is designed to assist organisations in the development of a
comprehensive business continuity plan.
6
Guide to Effective Control
Guide to Effective Control
Step one: Project initiation
Step one: Project initiation
A plan should be prepared to manage the business continuity project.
The following outline is a suggested structure for this plan. If a plan has
been completed, insert it in this section.
1. Introduction
1.1 |ac'¿·ou·o/|·t·oouct|o·s \'¸ |s t'c ø·o,cct oc|·¿
co·ouctco.
2. Business objectives
2.1 Oo,cct|vc o| t'c ø·o,cct |cta||co oo,cct|vcs a·o outco¬cs
o| t'c ¬a,o· stcøs oc|o.
3. Requirements specification
3.1 Cc·c·a| ·cou|·c¬c·ts |·o,cct søo·so·
|·o,cct ¬a·a¿c·
|us|·css u·|t |·vo|vc¬c·t
3.2 Co·t·act|·¿ co·s|oc·at|o·s |·|¬a·¸ co·t·acto·
(|| c×øc·t co·t·acto·s |·tc||cctua| ø·oøc·t¸
a·c c·¿a¿co) |·o,cct ·cøo·t|·¿
\a·|at|o·s to cost
\a··a·t¸
||¿'ts
3.x Phase Oo,cct|vc o| t'c ø'asc
(for each phase of the project) !'c stcøs |·vo|vco
!'c outco¬cs |o· t'c ø'asc
O·¿a·|sat|o·a| ·csou·ccs t'at .|||
oc a||ocatco to t'c ø·o,cct tca¬
!'c ø·o,cct tca¬'s ·o|cs a·o
·csøo·s|o|||t|cs
|cøo·t|·¿ ·cou|·c¬c·ts |o· t'c
ø'asc
7
Business Continuity Management
Business Continuity Management
4. Project deliverables and milestones
-.1 |·o,cct ·cøo·t|·¿ |o. .||| t'c ø·o,cct tca¬ ·cøo·t
to t'c O·¿a·|sat|o·.
\'at |·|o·¬at|o· t'c ø·o,cct
tca¬ .||| ø·ov|oc.
Status o| t'c ø·o,cct
|c·cc·ta¿c co¬ø|ctco
|×øcctco oc||vc·ao|cs
|ssucs |o· ·otc o· act|o·
-.2 |c||vc·ao|cs a·o ¬||csto·cs !ao|cs ||st|·¿ t'c oc||vc·ao|cs a·o
·ccc|vao|cs t'at a·c ·cou|·co
to ¬cct t'c oo,cct|vcs o| t'c
ø·o,cct
5. Project budget and administration
5.1 |uo¿ct Sta|| ·csou·ccs
Co·t·act ·csou·ccs
Sou·ccs o| |u·os
5.2 Ao¬|·|st·at|o· C'a·¿c co·t·o|
|csou·ccs a·o øa¸¬c·t ø|a·
||·'co to oc||vc·ao|cs
|csou·ccs co·st·a|·ts
C·|t|ca| succcss |acto·s
6. Roles and responsibilities
6.1 |csøo·s|o|||t|cs Aøø·ova|s |o· ouo¿ct, s|¿·-o||
ø'ascs, acccøta·cc a·o
|¬ø|c¬c·tat|o· o|
·cco¬¬c·oat|o·s
6.2 |·o,cct '|c·a·c'¸ C'|c| |×ccut|vc, |·o,cct Stcc·|·¿
Co¬¬|t tcc, |·o,cct |a·a¿c·,
|·o,cct !ca¬(s) ·cøo·t|·¿ to
|·o,cct |a·a¿c·
6.3 Sc·v|cc ø·ov|oc·/co·t·acto· |×øcctat|o·s a·o oc||vc·ao|cs
·csøo·s|o|||t|cs o| t'c sc·v|cc ø·ov|oc·
8
Guide to Effective Control
Guide to Effective Control
Step two: Key business
processes
identification
Step two: Key business
processes
identification
Introduction
Business processes are made up of the activities undertaken within each process
and the resources consumed by, or applied to, each activity.
!'c oo,cct|vc o| t'|s stcø |s to |oc·t||¸, a·o ·a·' |· ø·|o·|t¸ o·oc·, t'osc
st·atc¿|c, oøc·at|o·a| a·o suøøo·t ous|·css ø·occsscs t'at a·c c·|t|ca| to t'c
ø·oouct|o· o| o·¿a·|sat|o·a| outøuts a·o 'c·cc |u||||¬c·t o| ous|·css
oo,cct|vcs.
!'c |oc·t|| |cat|o· o| 'c¸ ous|·css ø·occsscs ¬a¸ a|·cao¸ 'avc occ· co¬ø|ctco
|· ot'c· ·|s' ¬a·a¿c¬c·t a·o ous|·css ø|a··|·¿ act|v|t|cs u·oc·ta'c· |· t'c
o·¿a·|sat|o·. !'c O·¿a·|sat|o·'s Co·øo·atc ||a·, |us|·css ||a·s a·o ||s'
|a·a¿c¬c·t ||a· a·c ¿ooo sta·t|·¿ øo|·ts. || t'|s |s t'c casc, t'|s stcø |·
|us|·css Co·t|·u|t¸ |a·a¿c¬c·t s'ou|o co·| |·¬ t'at t'c ø·occss ocsc·|øt|o·s
a·c st||| va||o a·o ·a·' t'c ø·occsscs |· tc·¬s o| t'c|· ·c|at|vc |¬øo·ta·cc to
ac'|cv|·¿ o·¿a·|sat|o·a| oo,cct|vcs.
!'c |o||o.|·¿ |·st·uct|o·s .||| ass|st o·¿a·|sat|o·s |oc·t||¸ a·o ·a·' t'c|·
ous|·css ø·occsscs. !'c ·csu|ts o| t'|s act|v|t¸ s'ou|o oc c·tc·co o· t'c
.o·'s'cct at Aøøc·o|× 1.
Instructions for completing the worksheet (Appendix 1)
1. Determine and document overall business objectives
Oota|· o· cstao||s' t'c ous|·css oo,cct|vcs |o· t'c ous|·css u·|t. !'c
oo,cct|vcs |o· cac' ous|·css u·|t s'ou|o suøøo·t, a·o oc co·s|stc·t .|t', t'c
ovc·a|| o·¿a·|sat|o·a| oo,cct|vcs, v|s|o· a·o ¬|ss|o· cstao||s'co |· t'c
Co·øo·atc ||a·.
Oo,cct|vcs a·c usua||¸ |·a¬co |· tc·¬s o| t'c c||cct|vc·css o| outøuts a·o ¬a¸
'avc a t|¬c, cost, oua·t|t¸ a·o/o· oua||t¸ o|¬c·s|o·.
|ocu¬c·t t'c ous|·css u·|t oo,cct|vcs o· t'c .o·'s'cct.
2. Identify business processes
|o· cac' ous|·css oo,cct|vc, ¬aø a|| o| t'c ous|·css ø·occsscs u·oc·ta'c·
.|t'|· t'c ous|·css u·|t o· sc·v|cc a·ca.
!'c st·uctu·c o| ¬a·¸ o·¿a·|sat|o·s ¬|··o·s t'c st·atc¿|c, oøc·at|o·a| a·o
suøøo·t ous|·css ø·occss catc¿o·|sat|o·s o|scussco |· t'c acco¬øa·¸|·¿ Cu|oc.
9
Business Continuity Management
Business Continuity Management
|a¿c 32 o| t'c Cu|oc ø·ov|ocs a· out||·c o| ¿c·c·|c mega a·o major ous|·css
ø·occsscs t'at aøø|¸ to ¬ost øuo||c sccto· o·¿a·|sat|o·s, u·oc· cac' o| t'csc
catc¿o·|cs. !'|s st·uctu·c ¬a¸ oc a usc|u| sta·t|·¿ øo|·t |o· cstao||s'|·¿ a
co¬¬o· |a·¿ua¿c a·o u·oc·sta·o|·¿ o| .'at a ous|·css ø·occss |s.
3. Determine and rank key business processes
O·cc a· |·vc·to·¸ o| a|| ous|·css ø·occsscs 'as occ· cstao||s'co |o· t'c
ous|·css u·|t o· sc·v|cc a·ca |t |s ·cccssa·¸ to octc·¬|·c .'|c' o| t'csc a·c
c·|t|ca| to ac'|cv|·¿ o·¿a·|sat|o·a| oo,cct|vcs.
A|| ous|·css ø·occsscs .||| co·t·|outc |· so¬c |o·¬ to o·¿a·|sat|o·a| oo,cct|vcs.
O·c aøø·oac' |s to ||·st octc·¬|·c .'|c' oo,cct|vcs a·c t'c ¬ost |¬øo·ta·t
a·o to ¬atc' t'c ous|·css ø·occsscs to t'osc oo,cct|vcs. |t |s t'c· ·cccssa·¸
to octc·¬|·c |·o¬ .|t'|· t'csc ø·occsscs t'osc t'at a·c |·tc¿·a| to
ac'|cvc¬c·t o| t'c 'c¸ oo,cct|vcs.
Cc·c·a||¸, a|| oøc·at|o·a| ø·occsscs ca· oc co·s|oc·co to oc 'c¸. |t |s ¬o·c
||'c|¸ t'at so¬c suøøo·t ø·occsscssuc' as øuo||s'|·¿ a·o øuo||c ·c|at|o·s
a·o so¬c st·atc¿|c ø·occsscssuc' as t'osc assoc|atco .|t' ø·occss
|¬ø·ovc¬c·t a·o oua||t¸ assu·a·cc (out ·ot oua||t¸ co·t·o|).||| ·ot oc
¬|ss|o· c·|t|ca|.
|t |s su¿¿cstco t'|s ·a·'|·¿ o| ø·occsscs |s u·oc·ta'c· as a |ac|||tatco ¿·ouø
scss|o· us|·¿ a vc·t|ca| s||cc o| c¬ø|o¸ccs |·o¬ .|t' t'c ous|·css u·|t o·
sc·v|cc a·ca.
4. Analyse key business processes into activities and resources
and rank in priority order for recovery
|ac' 'c¸ ous|·css ø·occss s'ou|o oc o|sscctco |·to t'c act|v|t|cs u·oc·ta'c·
|o· t'at ø·occss a·o t'c ·csou·ccs co·su¬co o· aøø||co to t'c act|v|t|cs. !'|s
ca· oc ac'|cvco o¸ | |·st co·s|oc·|·¿ t'c c·|t|ca| succcss |acto·s ·cou|·co |o· t'c
ø·occss to ¬ct |ts ous|·css oo,cct|vcs.
|csou·ccs aøø||co to act|v|t|cs s'ou|o oc co·s|oc·co |· tc·¬s o| øcoø|c,
|ac|||t|cs, tc|cco¬¬u·|cat|o· |·|o·¬at|o· s¸stc¬s a·o ous|·css ø·occsscs.
Oøc·at|o·a| a·cas s'ou|o co·s|oc· o·|¸ t'c oøc·at|o·a| act|v|t|cs a·o ·csou·ccs
t'at øc·ta|· to t'c|· ø·occsscs. !'c suøøo·t act|v|t|cs a·o ·csou·ccs .||| oc
a·a|¸sco o¸ t'c suøøo·t a·cas.
!'c ¬ost c·|t|ca| act|v|t|cs a·o ·csou·ccs |o· cac' 'c¸ ous|·css ø·occss .||| oc
a||o·oco t'c '|¿'cst ø·|o·|t¸ |· ·ccovc·¸. !'c·c|o·c |t |s ·cccssa·¸ to ·a·'
t'csc a|so .|t'|· cac' ø·occss.
O·cc a ·a·'|·¿ 'as occ· a¿·cco |o· cac' act|v|t¸ a·o ·csou·cc t'csc s'ou|o
oc c·tc·co o· t'c .o·'s'cct. !'c C'|c| |×ccut|vc O|| |cc· a·o/o· a·
aøø·oø·|atc ¬a·a¿c¬c·t co¬¬|t tcc s'ou|o a¿·cc t'c ·a·'|·¿ o| act|v|t|cs a·o
·csou·ccs.
!'c |o||o.|·¿ c×a¬ø|c s'o.s .o·'s'ccts |o· a· oøc·at|o·a| ø·occss a·o a
suøøo·t ø·occss co¬ø|ctco to t'|s stcø.
10
Guide to Effective Control
Guide to Effective Control
Priority listing of key business processes, activities and resources
Example: business support process
Oo,cct|vc. suøøo·t t'c o·¿a·|sat|o· o¸ ø·ov|o|·¿ t|¬c|¸, accu·atc, ·c||ao|c oua||t¸ sc·v|ccs
|a·' |·occss C·|t|ca| succcss |acto·s Act|v|t|cs a·o ·csou·ccs |AO
1 |a¸·o|| |a¸¬c·t o| |o·t·|¿'t|¸ 1. |a¸·o|| tca¬
sa|a·|cs a·o a||o.a·ccs to 2. ||| s¸stc¬
a|| sta|| o· t|¬c 3. |a¸·o|| s¸stc¬
-. Co¬¬u·|cat|o·s ||·' to oa·'
2 |||||·¿
3 |a¸|·¿ Accou·ts
Example: operational process
Oo,cct|vc. ø·occss a·o øa¸ oc·c| |ts to oo·a ||oc ·cc|ø|c·ts o· t|¬c, |o· t'c co··cct a¬ou·t
|a·' |·occss C·|t|ca| succcss |acto·s Act|v|t|cs a·o ·csou·ccs |AO
1 |a¸ oc·c| |ts |a¸¬c·t o· t|¬c 1. |c·c||ts øa¸¬c·t tca¬s
2. |c·c| |ts øa¸¬c·t s¸stc¬
3. Co¬¬u·|cat|o·s ||·' to oa·'
-. C'couc ø·oouct|o· s¸stc¬
A|so ·otc ·c||a·cc o· ¬a|| ·oo¬
|o· t|¬c|¸ o|søatc' o| c'coucs
2 |·occss ·c.
aøø||cat|o·s
3 |oo||¸ øa¸cc
octa||s
|otcs.
1. !'c |AO (¬a×|¬u¬ acccøtao|c outa¿c) 'as ·ot occ· co¬ø|ctco at t'|s sta¿ct'at |s t'c ·c×t stcø |·
t'c ø·occss.
2. !'c oc·c| |ts øa¸¬c·t ø·occss 'as ·otco |ts ·c||a·cc o· a ous|·css suøøo·t ø·occsst'at |s, t'c ¬a||
·oo¬ (|c¿|st·¸). A scøa·atc a·a|¸s|s s'ou|o oc co·ouctco |o· |c¿|st·¸.
3. !'c ·csu|ts o| a|| a·a|¸scs a·c co¬o|·co to octc·¬|·c ·c||a·cc o· co¬¬o· ·csou·ccs a·o act|v|t|cs a·o
|·tc·-ocøc·oc·c|cs oct.cc· ·csou·ccs a·o act|v|t|cs.
11
Business Continuity Management
Business Continuity Management
Step three: Business impact
analysis (BIA)
Step three: Business impact
analysis (BIA)
!'c ||A |s u·oc·ta'c· |o· a|| 'c¸ ous|·css ø·occsscs a·o scts t'c ·ccovc·¸
ø·|o·|t|cs, s'ou|o t'osc ø·occsscs oc o|s·uøtco o· |ost.
!'c |o||o.|·¿ co·ccøts a·c ·c|cva·t.
Business continuity concepts relevant to the BIA
Concept Description
Outage
• extraordinar y event
• loss of key business processes
• high impact
Maximum Acceptable
Outage (MAO)
• threat to achieving business
objectives
Business impact analysis scenario
|t |s usc|u| to cstao||s' a scc·a·|o |· .'|c' t'c o·¿a·|sat|o· 'as su||c·co a·
outa¿c. !'|s ass|sts t'c øcoø|c u·oc·ta'|·¿ t'|s c×c·c|sc to co·s|oc· t'c|·
ous|·css ø·occsscs |· t'at co·tc×t.
!'c |o||o.|·¿ scc·a·|o |s ·cco¬¬c·oco as a sta·t|·¿ øo|·t.
· a ||ooo o· ||·c 'as occu··co a·o t'c ou||o|·¿ |s |·acccss|o|ca|| co¬øutc·
s¸stc¬s a·o suøøo·t|·¿ sc·v|ccs a·c u·ava||ao|c |o· a øc·|oo o| at |cast 30
oa¸s,
· assu¬c a .o·st casc, t'at |s, t'c tota| ocst·uct|o· o| .o·'ø|acc ·csou·ccs
a·o |·|o·¬at|o· tcc'·o|o¿¸ s¸stc¬s at t'c .o·st øoss|o|c t|¬c, a·o
· aut'o·|sat|o· 'as occ· ¿|vc· |o· aoo|t|o·a| sta||, ovc·t|¬c, c¬ø|o¸cc |ooo,
t·avc| a·o acco¬¬ooat|o· c×øc·scs ctc, |o· ass|sta·cc |· ·csto·|·¿
cssc·t|a| ous|·css act|v|t|cs.
A· outa¿c |s a· c×t·ao·o|·a·¸ cvc·t, caus|·¿ a o|s·uøt|o· to, o·
|oss o|, 'c¸ ous|·css ø·occsscs, .'|c' 'as a '|¿' |¬øact o· t'c
o·¿a·|sat|o·
!'|s |s o|st|·ct |·o¬ oo.·t|¬c o· s¸stc¬s |a||u·cs t'at ¬a¸
occu· as a øa·t o| ·o·¬a| oøc·at|o·s .'c·c t'c |¬øact s|¬ø|¸
·couccs t'c c||cct|vc ut|||t¸ o| ø·occsscs |· t'c s'o·t tc·¬
!'c |AO |s t'c t|¬c |t .||| ta'c oc|o·c a· outa¿c t'·catc·s a·
o·¿a·|sat|o· ac'|cv|·¿ |ts ous|·css oo,cct|vcs
!'c |AO oc||·cs t'c ¬a×|¬u¬ t|¬c a· o·¿a·|sat|o· ca·
su·v|vc .|t'out 'c¸ ous|·css |u·ct|o·s oc|o·c ·ccovc·¸
ø·occou·cs ¬ust co¬¬c·cc
The objective of this step is to determine a maximum acceptable outage (MAO)
for each critical activity and resource identified in step two.
12
Guide to Effective Control
Guide to Effective Control
|o ·ot co·s|oc· a·¸ cu··c·t co·t|·u|t¸ ø|a·s .'c· octc·¬|·|·¿ |¬øacts
·csu|t|·¿ |·o¬ |oss o| sc·v|ccs.
A|| oa¸s ·c|c·c·cco a·c ca|c·oa· oa¸s, ·ot ous|·css oa¸s.
Establishing a framework for assessing the impact of a
business interruption
\c a·c ¬a'|·¿ a· asscss¬c·t |·o¬ t'c øo|·t o| v|c. a· outa¿c 'as occu··co.
!'|s outa¿c 'as a||cctco t'c øc·|o·¬a·cc o| 'c¸ ø·occsscs |· t'at c·|t|ca|
act|v|t|cs 'avc ccasco a·o c·|t|ca| ·csou·ccs a·c ·ot ava||ao|c. \c ·cco to
¬a'c a ,uo¿c¬c·t o· 'o. |o·¿ t'c o·¿a·|sat|o· ca· su·v|vc .|t'out t'csc 'c¸
ø·occsscs oc|o·c |t t'·catc·s t'c ao|||t¸ o| t'c o·¿a·|sat|o· ac'|cv|·¿ |ts
oo,cct|vcs.
O·cc |ts occu·s, a·o outa¿c ¬a¸ 'avc ¬a·¸ ·a¬|| |cat|o·s. \c ·cco to asscss
t'c |¬øact o| t'c outa¿c a¿a|·st a· a¿·cco |·a¬c.o·' to octc·¬|·c a·o
cstao||s' t'c ¬a×|¬u¬ acccøtao|c outa¿c (|AO) |o· cac' ous|·css ø·occss.
!'|s ·ccos oc co·s|oc·co at t.o |cvc|s.
· asscss|·¿ t'c ovc·a|| |¬øact o| |oss o| a ø·occsst'|s 'as ø·ooao|¸ occ·
ac'|cvco (at |cast |· øa·t) o¸ ·a·'|·¿ t'c ø·occss|·¿ |· o·oc· o| ø·|o·|t¸ to
t'c o·¿a·|sat|o·, a·o
· asscss|·¿ t'c |¬øact o| t'c |oss o| t'c co··csøo·o|·¿ act|v|t|cs a·o
·csou·ccs to octc·¬|·c 'o. |o·¿ t'c ø·occss ca· oc .|t'out t'at act|v|t¸
o· ·csou·ccs u·t|| |ts o.· succcss |s t'·catc·co.
The framework
A· oo,cct|vc a·o co·s|stc·t oas|s o· .'|c' to asscss t'c |¬øact o| a· outa¿c
·ccos to oc cstao||s'co. !'|s .||| c·su·c t'c o·¿a·|sat|o· |s co·s|oc·|·¿ t'c
sa¬c |acto·s .'c· octc·¬|·|·¿ t'c |AO. !'c |cvc| o| |¬øact ca· oc
asscssco |o· cac' act|v|t¸ a·o ø·occssco us|·¿ a sca|c s|¬||a· to t'c tao|c
oc|o..
Example: scoring level of impact of business disruption
Level of Impact Assessment Score
|×t·c¬c !'·catc·s øo||t|ca| a·o ous|·css v|ao|||t¸ 5
|a,o· S|¿·|| |ca·t |¬øact o· ous|·css o·|vc·s -
|ooc·atc |a,o· |¬øact o· s'o·t tc·¬ ous|·css oøc·at|o·s 3
||·o· |·co·vc·|c·t out ·o ·ca| o·¿o|·¿ ous|·css |¬øact 2
||| |cco·s|oc· t'c |·c|us|o· o| t'|s as a c·|t|ca| ·csou·cc 1
!'c |AO |s sct at t'at øo|·t .'c·c t'c·c .ou|o oc a ¬a,o· |¬øact
(Sco·c-) o· t'c ao|||t¸ o| t'c act|v|t¸ o· ·csou·ccs a·o t'c·c|o·c t'c ø·occss
.ou|o |a||. |· c||cct, .c a·c sa¸|·¿ t'c ous|·css ø·occss ca· oo .|t'out t'|s
act|v|t¸ o· ·csou·cc |o· a·¸ t|¬c u·oc· t'at øo|·t .'c·c t'c·c |s
a ¬a,o· |¬øact a·o |t .||| ·ot a||cct t'c o·¿a·|sat|o· ac'|cv|·¿ |ts oo,cct|vcs.
13
Business Continuity Management
Business Continuity Management
C·catc· t'a· tc·
øc· cc·t |¬øact
o· ac'|cvc¬c·t
o| 'c¸
øc·|o·¬a·cc
ta·¿cts
Example: detailed evaluation criteria for assessing business impact
5
(|×t·c¬c)
|cat' o| sta||
||·a·c|a| |oss |·
c×ccss o| $1
¬||||o·
|cst·uct|o· o·
sc·|ous oa¬a¿c
to ¬ost asscts
|o¸a|
Co¬¬|ss|o·
O·¿a·|sat|o·
|ou·o ||ao|c |·
|c¿a| act|o·
|cat' o· sc·|ous
|·,u·¸ to c||c·ts
||·a·c|a| |oss to
c||c·ts |· c×ccss
o| $1 ¬||||o·
'ø to tc· øc·
cc·t |¬øact o·
ta·¿cts
-
(|a,o·)
|·,u·¸ to sta||,
|oss o| c·|t|ca|
¬ass o| sta||
||·a·c|a| |oss o|
uø to $1 ¬||||o·
|cst·uct|o· o·
sc·|ous oa¬a¿c
to 'c¸ ø'¸s|ca| o·
|·|o·¬at|o·
asscts
|a·||a¬c·ta·¸
|·ou|·¸
O·¿a·|sat|o·,
C|O a·o t'c
|oa·o t'c
suo,cct o| |c¿a|
act|o·
S|¿·|| |ca·t |oss o|
acccss to sc·v|cc
c.¿. |·ao|||t¸ to
ø·ov|oc
¬a·oato·¸
oø|·|o·s .|t'|·
|c¿|s|at|vc
t|¬c|·a¬c
|·cac' o|
Co¬¬o·.ca|t'
|a. a·o
·c¿u|at|o·s
'ø to ||vc øc·
cc·t |¬øact
3
(|ooc·atc)
|c·¬a·c·t |oss
o| 'c¸ sta||
||·a·c|a| |os o|
uø to $100,000
|a¬a¿c to
ø'¸s|ca| o·
|·|o·¬at|o·
asscts
||·|stc·|a|
oucst|o· |· t'c
|a·||a¬c·t
|a,o· o|s·uøt|o·
o| acccss to
sc·v|cc
|a||u·c to co¬ø|¸
.|t' ||·a·c|a|
||·ccto·s a·o
C'|c| |×ccut|vc
|·st·uct|o·s
'ø to o·c øc·
cc·t |¬øact
2
(||·o·)
!c¬øo·a·¸ |oss
o| 'c¸ sta||
||·a·c|a| |oss o|
uø to $10,000
asscts |· va|uc
Aovc·sc
co¬¬c·ts |·
ø·css
||·o· o|s·uøt|o·
o| acccss to
sc·v|cc
|a||u·c to co¬ø|¸
.|t' |·tc··a|
¿u|oc||·cs
|o |¬øact o·
ac'|cvc¬c·t o|
outøut ta·¿cts
1
(|c¿||¿|o|c)
|c¸ sta|| ava||ao|c
|o· a |c. 'ou·s
|·tc··a| |¬øact
o·|¸
|o |¬øact o·
c||c·ts/
sta'c'o|oc·s
|a||u·c to co¬ø|¸
.|t' |·tc··a|
|·st·uct|o·s
Rating Outputs Resources Reputation Clients/ Compliance
(time, cost, (staf f, information, stakeholders
quality) financial assets)
|·cac' o|
Co·st|tut|o·
Area of impact
|c|o. |s a· c×a¬ø|c o| octa||co c·|tc·|a .|t' .'|c' to octc·¬|·c t'c |cvc| o|
|¬øact o| a· outa¿c |o· a øa·t|cu|a· act|v|t¸ o· ·csou·cc. !'csc c·|tc·|a s'ou|o
oc co·s|stc·t .|t' a·¸ suc' c·|tc·|a cstao||s'co |o· t'c top down ·|s'
¬a·a¿c¬c·t ø·occss.
14
Guide to Effective Control
Guide to Effective Control
oc·c||ts
Example: assessing MAO for activities and resources
Key Activities and resources required Impact of Interruption MAO
business
process 1-2 3-5 6-15 16-30 ~ 30
oa¸s oa¸s oa¸s oa¸s oa¸s
|a¸·o|| 1. |||sa|a·|cs tca¬ 1 - - - 5 2 oa¸s
2. Sa|a·|cs s¸stc¬ 1 2 - - 5 15 oa¸s
3. || s¸stc¬ 1 1 1 2 - 30 oa¸s
-. Co¬¬u·|cat|o·s ||·' to oa·' 1 1 2 3 - 30 oa¸s
|a¸¬c·t o| 1. |c·c||ts øa¸¬c·t tca¬ 1 2 - - 5 5 oa¸s
2. |c·c| |ts øa¸¬c·t s¸stc¬ 1 1 2 - - 15 oa¸s
3. Co¬¬u·|cat|o·s ||·' to oa·' 1 1 - 5 5 15 oa¸s
-. C'couc ø·oouct|o· 1 1 2 3 - 30 oa¸s
Notes:
1. !'c |AO |o· cac' act|v|t¸/·csou·cc |s sct at t'c øo|·t .'c·c a - ·at|·¿ a·o aoovc |s asscssco.
2. !'c |AOs cstao||s'co s'ou|o oc a¿·cco to o¸ t'c C'|c| |×ccut|vc a·o t'c |us|·css Co·t|·u|t¸ |a·a¿c¬c·t Stcc·|·¿ Co¬¬|t tcc.
|cta||s o| t'c a¿·cco |AOs s'ou|o oc c·tc·co o· t'c .o·'s'cct |· Aøøc·o|× 1.
The assessment of the MAO practice
's|·¿ t'c ca·||c· c×a¬ø|c, t'c |AO |o· cac' act|v|t¸ a·o ·csou·cc |s sco·co
t'c sco·c |s oasco o· co·s|oc·at|o· o| t'c |¬øact o| |ts |oss. !'c asscss¬c·t
|· t'c |o||o.|·¿ tao|c |s oasco o· t'c |¬øact c·|tc·|a octa||co o· t'c ø·cv|ous
øa¿c.
Consolidation of MAOs by resource
!'c aoovc c×a¬ø|c oc¬o·st·atcs a co¬¬o· ·csou·cc t'at |s usco |· oot'
ø·occsscs. !o ass|st |· octc·¬|·|·¿ |·tc·-ocøc·oc·c|cs a·o to cstao||s'|·¿ t'c
|AO |o· co¬¬o· ·csou·ccs t'c o·¿a·|sat|o· ¬a¸ .|s' to co·so||oatc t'c
|AO sc'cou|c o· a ·csou·cc oas|s. !'c |o||o.|·¿ tao|c ca· oc usco |o· t'|s
øu·øosc.
Example: consolidation of common resources
Resources Impact of interruption MAO
1-2 3-5 6-15 16-30 ~ 30
oa¸s oa¸s oa¸s oa¸s oa¸s
Oøc·at|o·a| sta|| (o¸ ous|·css u·|t)
Suøøo·t sta|| (o¸ sc·v|cc a·ca)
Oøc·at|o·a| |! s¸stc¬s (o¸ s¸stc¬)
Suøøo·t |! s¸stc¬s (o¸ s¸stc¬)
Co¬¬u·|cat|o·svo|cc
Co¬¬u·|cat|o·soata
|ac|||t|csou||o|·¿s (o¸ |ocat|o·)
|ac|||t|csø|a·t a·o cou|ø¬c·t (o¸ catc¿o·¸)
|·|o·¬at|o·ø'¸s|ca| ·cco·os
|·|o·¬at|o·c|cct·o·|c oata
15
Business Continuity Management
Business Continuity Management
Step four: Design continuity
treatments
!'c acco¬øa·¸|·¿ Cu|oc (at øa¿c 39) o|scusscs a ·a·¿c o| øoss|o|c t·cat¬c·t
oøt|o·s |o· va·|ous ·csou·ccs. |ac' oøt|o· ·ccos to oc cva|uatco | |·st |·
tc·¬s o| |ts t|¬c to |¬ø|c¬c·t a·o t'c· |· tc·¬s o| |ts cost.
!'c t|¬c to |¬ø|c¬c·t cac' oøt|o· |s co¬øa·co to t'c |AO |o· t'c
·csou·cc/act|v|t¸. O·|¸ t'osc oøt|o·s t'at ca· oc |¬ø|c¬c·tco .|t'|· t'c
|AO ·cco to oc co·s|oc·co |u·t'c·. !'c ·c|at|vc cost o| t'csc oøt|o·s |s
t'c· co¬øa·co to octc·¬|·c t'c ¬ost cost-c||cct|vc so|ut|o·.
A s|¬ø|c c×a¬ø|c |·vo|vcs t'c c'o|cc oct.cc· a 'ot s|tc a·o a co|o s|tc |o·
oac'-uø co¬øutc· ø·occss|·¿. || oot' oøt|o·s ca· oc |¬ø|c¬c·tco .|t'|· t'c
|AO |o· t'c act|v|t|cs a·o ·csou·ccs t'c¸ ·cø|acc, |t .||| ¿c·c·a||¸ oc |css
c×øc·s|vc to ¬a|·ta|· a 'co|o' s|tc. |o.cvc·, || ¬a|·ta|·|·¿ a 'ot s|tc |s t'c
o·|¸ ¬ca·s o| ·c-cstao||s'|·¿ t'c act|v|t¸ o· ·csou·cc .|t'|· t'c |AO, t'c·
cost |s ·ot so ¬uc' t'c |ssucout 'o. to ac'|cvc |t at t'c ocst cost.
!'c |o||o.|·¿ costs ¬a¸ oc ·c|cva·t |· t'c ·ccovc·¸ øc·|oo |o· |·tc·|¬
ø·occss|·¿ a··a·¿c¬c·ts.
· outs|oc sc·v|ccs,
· tc¬øo·a·¸ c¬ø|o¸ccs,
· c¬c·¿c·c¸ øu·c'ascs,
· ·c·ta|/|casc o| cou|ø¬c·t,
· .a¿cs øa|o to |o|c sta||, a·o
· tc¬øo·a·¸ ·c|ocat|o· o| c¬ø|o¸ccs.
!'c .o·'s'cct at Aøøc·o|× 2 ca· oc usco to oocu¬c·t t'|s ø·occss a·o as a
·at|o·a|c to suøøo·t t'c t·cat¬c·ts oøt|o·s sc|cctco.
Step four: Design continuity
treatments
The objective of this step is to determine cost-effective treatments for responding
to an outage, establishing interim processing arrangements and restoring the
lost activity(ies) and resource(s).
16
Guide to Effective Control
Guide to Effective Control
17
Business Continuity Management
Business Continuity Management
Appendices
Appendices
1. Worksheet for key business
processes identification and
business impact analysis
2. Worksheet for evaluation of
treatment recovery options
18
Guide to Effective Control
Guide to Effective Control
Appendix 1. Worksheet for key business processes identification and business
impact analysis
1.1 Business unit/service area details
|us|·css u·|t/sc·v|cc a·ca
Co·tact ·a¬c
!|t|c
|'o·c ·u¬oc·
|ocat|o·
|¬a||
1.2 Business unit key objectives, outputs, and performance indicators
|us|·css u·|t oo,cct|vcs Outøuts o· sc·v|ccs |o· cac' |c·|o·¬a·cc |·o|cato·s
(|· ø·|o·|t¸ o·oc·) oo,cct|vc
1
2
3
19
Business Continuity Management
Business Continuity Management
1.3 Identification of key business processes and business impact analysis
Business objective:
Column 1 Column 2 Column 3 Column 4
Key business process Critical success factors Activities and resources required MAO
1 1
2
3
2 1
2
3
3 1
2
3
- 1
2
3
20
Guide to Effective Control
Guide to Effective Control
Appendix 2. Worksheet for evaluation of recovery treatment options
|csou·cc(s).
Options Time to Within MAO Full cost Cost-ef fective
implement (days) Yes/No (list components) Yes/No
|csøo·sc
1
2
3
|·tc·|¬ ø·occss|·¿
1
2
3
|csto·at|o·
1
2
3
Ot'c· |ssucs
1
2
3

ISBN 0 644 39018 2 © Commonwealth of Australia, 2000 This work is copyright. Apart from any use as permitted under the Copyright Act 1968, no part may be reproduced by any purpose without prior written permission from the Australian National Audit Office. Requests and inquiries concerning reproduction and rights should be addressed to: The Publications Manager Australian National Audit Office GPO Box 707 Canberra ACT 2601 Information on Australian National Audit Office publications and activities is available on the following Internet address: http://www.anao.gov.au Disclaimer The Auditor-General, the ANAO, its officers and employees are not liable, without limitation, for any consequences incurred, or any loss or damage suffered by an organisation or by any other person as a result of their reliance on the information contained in this Guide or resulting from their implementation or use of the accompanying Workbook, and to the maximum extent permitted by law, exclude all liability (including in negligence) in respect of the Guide and the accompanying Workbook. Designed by Art Attack Pty Ltd Canberra Printed by Pirie Printers Canberra

Business Continuity Management

Business Continuity Business Continuity Management Management
Keeping the wheels in motion

Guide to Effective Control—January 2000
1

Guide to Effective Control Better practice The Australian National Audit Office produces better practice guides as part of its integrated audit approach which includes information services to audit clients. Input from Standards Australia and Emergency Management Australia has also been invaluable in refining the approach developed for this Guide so that it fully integrates into the risk management framework within an organisation. Finally. The ANAO records its appreciation of this assistance. and Therapeutic Goods Administration. It deals with business continuity management within a risk management framework. A Better Practice series has been established to deal with key aspects of the control structures of entities—an integral part of good corporate governance. primarily: • • • • Air Services Australia. 2 . Australian Nuclear Science and Technology Organisation. A cknowledgments The Guide has been prepared with the valuable assistance and insights from a number of Commonwealth organisations. Australian Maritime Safety Authority. This Guide forms part of that series. the valuable assistance of Deloitte Touche Tohmatsu in developing the business continuity plan (BCP) project steps discussed in Part Two is also recognised. The accompanying Workbook is designed to assist organisations in the development of a comprehensive business continuity plan.

However. as it is more commonly known. Many services delivered by government organisations are critical to the economic and social well-being of our society—a failure to deliver these could have very significant consequences for those concerned. This Guide presents a structured approach to business continuity management. The increasing level of devolved authority and management in the public sector. Managers should have an ongoing focus on business continuity as an element of the overall risk management framework in their organisation. The approach should be tailored to meet organisational needs while satisfying the major steps identified for business continuity management in the context of overall risk management. beyond this. The approach involves identifying preventative treatments for continuity risks that can be routinely managed. The uninterrupted availability of all key resources to support essential business processes or simply. Much of the impetus to review business continuity resulted from a need to treat business continuity risks associated with any systems failures at the change to the year 2000 or. The Guide further develops the approach promoted by Emergency Management Australia in its publication: Non-stop Service. business continuity.Business Continuity Management Auditor-General’s foreword Auditor-General’s foreword Continuity of public sector business is a critical issue to be considered by Boards. The current focus of business continuity efforts on Y2K remedies and contingency planning was acceptable in the circumstances. to ensure business continuity risks are identified. analysed and treated. assessed. While the profile of business continuity is still high. a greater use of contracted service delivery and the pursuit of improved efficiencies and performance. means that the need to manage proactively an organisation’s overall risk has never been greater. and developing an organisationwide business continuity plan—to deal with the consequences should the preventative treatments fail. Considerable resources were expended to ensure minimal disruption from the anticipated problems. chief executives and senior management in Australian public sector organisations and for business activities. the Y2K bug. organisations should address and regularly review all aspects of their business continuity management. it would be opportune to build on the work and analyses done in relation to the risks associated with Y2K. as well as being monitored and reviewed. has been taking a considerable amount of managers’ time and attention recently. It would be ill-advised to ignore risks to business continuity because their likelihood is too 3 .

J. New Zealand. and does. power outages (1998) – following generator and grid failures. There are sufficient examples in the public sector to demonstrate the unlikely can. P. (1997) and Knox Council. the entire State faced weeks without gas supplies and the costs to business and government was estimated in the billions of dollars. happen … usually when we least expect it. • fires at the Bankstown Council.Guide to Effective Control remote—in the medium to longer term this could well prove costly for both the organisations and the clients (citizens). Canberra. The following incidents provide compelling reasons for business continuity to be taken seriously: • severe hailstorms in Sydney. Barrett Auditor-General January 2000 4 . NSW. The range. (1999) – damage to many government and business buildings and meant emergency measures had to be taken to relocate operations while continuing to provide a service to their clients. and • Jolimont Centre incident. Often these events are outside the direct control of the organisation. it should be an integral element of the organisation’s risk planning strategy. Queensland and Auckland. VIC. ACT (1993) – following a siege and fire. source and impact of risk to which an organisation is exposed in today’s business world demand that business continuity has to rank highly for ongoing management attention. Indeed. the cities were without electricity— government and business alike has to operate in a city without reliable power supplies for an extended period. • Brisbane. the then Commonwealth Department of Industrial Relations was forced to relocate about 400 staff and the supporting infrastructure. • the Victorian gas crisis (1999) – following an explosion at a gas production facility. but this does not mean you should not plan for their impact. NSW. (1994) – in which the council chambers were burnt down and vital records as well as IT were lost.

Business Continuity Management Contents Contents Overview of this Guide 1. Continuity and risk concepts 7 Introduction Business continuity management Risk management 2. The business continuity process 1 1 12 16 Overview of the business continuity process Project initiation Key business processes identification Business impact analysis (BIA) Design continuity treatments Implement continuity treatments Test and maintain the plan Appendices 29 31 32 36 39 45 62 65 5 .

Guide to Effective Control 6 .

Each risk. a legal consequence. However. All organisations face a variety of risks. However. 7 . The business impact of each risk will also vary according to its nature—for any particular risk event there may be. and therefore largely out of the immediate control of the organisation. will have a greater or lesser chance of occurrence (likelihood) and a greater or lesser business impact on the organisation (consequence). This Guide has been prepared primarily for the people involved in a business continuity project—from individual team members through to the Chief Executive and Board. and a business interruption consequence. for example. through a structured. systematic process attempt to manage all significant business risks pro-actively. by implementing appropriate preventative controls and other risk treatments. that is. processes and business risks. This risk management process is designed to reduce the residual risk of an event—in terms of its likelihood of occurrence and/or its consequences. depending on its nature. or internally. Successful business continuity management relies on the expertise from within the organisation—it is the people that understand the organisation—its business. preventative controls and other pro-active treatments are no guarantee that risk events will not occur. for effective risk management it is equally important that organisations design controls that are implemented once a risk event has occurred. a financial consequence. Each participant plays an important role and has an array of responsibilities in ensuring the success of the project and continuing validity of the plan. Internal risks arise both at the strategic (organisation-wide) level and at the operational (business process) level. the Guide does not assume everyone is an expert in the field of risk management so describes each phase of business continuity against an accepted. generic risk management framework. a staff safety consequence. Organisations. Therefore. they cannot entirely eliminate their likelihood of occurrence.Business Continuity Management Overview of this Guide Overview of this Guide Business continuity management is an integral part of the risk management framework within an organisation. to an acceptable level. These may be sourced externally.

assuming a worst case scenario where all processes and resources are not available. The key question is how much time. to achieve a cost-effective compromise between preparedness for the worst case scenario and the likelihood of such a scenario ever arising. 8 . effort and resources need to be invested in corrective controls—in preparing for an eventuality that may never occur. In this context the cause or nature of the actual risk events are not considered to be the drivers for management action. It is the business interruption consequence that mainly determines the process. The Guide is divided into two major parts—the first part deals with business continuity management concepts in a risk management context. A number of supporting pro-forma schedules. The underlying approach adopted in this Guide is to start from the point that a risk event has occurred which has interrupted business operations—that is.Guide to Effective Control The design (and therefore cost) of such corrective controls and treatments will need to take into account assessments of the pro-active controls and the residual risk levels. This bottom-up approach complements the ‘top down’ approach inherent in the over-arching risk management process. This Guide has been designed to assist organisations answer this question for those risk events that have a business interruption consequence of a nature and impact that warrants effective management action. It ensures completeness of consideration of all consequences arising from a business interruption risk event. for example. the second part identifies the processes and procedures required to be undertaken to produce a business continuity plan. It also ensures pro-active and corrective controls are complementary and should allow organisations. These are contained in the Business Continuity Workbook that accompanies this Guide. working papers and questionnaires have been prepared to facilitate the overall process described in the Guide.

Business Continuity Management Part One Continuity and risk Continuity and risk concepts concepts Introduction Business continuity management Objective Outputs Underlying approach Terminology Risk management Overview of the risk management process Step one: establish context Step two: identify and assess risks • risk indentification • risk analysis • risk treatment design Step three: implement treatments Step four: monitor and review 9 .

Guide to Effective Control 10 .

An organisation’s business strategies and decisions are based on an assumption of the business continuing. Among other things. before embarking on the business continuity management process. the Guide introduces a number of key business continuity concepts. However. Instead. risk management is about putting in place treatments that seek to prevent business interruption events (outages) from occurring in the first place. This section of the Guide outlines the risk management process and discusses how business continuity management fits within this process.Business Continuity Management Introduction Introduction Business continuity means maintaining the uninterrupted availability of all key business resources required to support essential business activities. 11 . Part Two of this Guide takes the reader through the detailed steps for the business continuity management process. Business continuity management is therefore that part of risk management that establishes cost-effective treatments should an outage occur. impinging directly on its ability to fulfil its business objectives and the livelihood of those involved. It is not intended to cover all aspects of risk management. it deals with actual events—a risk event which has occurred—and the action required to respond to the event. before dealing with the risk management process. It is important that readers of the Guide familiarise themselves with these concepts and in particular. the terminology used. To this extent. An event that violates this assumption is a significant occurrence in the life of any organisation. it complements the overall risk management process which deals foremost with possibility of occurrence of risks events (including outages) that may occur. and the analysis and pro-active treatment of such events. As such. the Guide will focus on those parts of the process where business continuity risks should be specifically addressed. It also encompasses establishing appropriate responses (treatments) should such an event occur.

12 . Outputs The primary output from the business continuity management process is a Business Continuity Plan (BCP). • emergency response procedures. Alone these do not constitute a complete BCP. January 8. so effort is not wasted. They include: • IT disaster recovery plans. Planning for business continuity should be a top-level concern for enterprises. 1997 © GartnerGroup. and • Business Resumption Plan (BRP). 1999. and • media liaison strategies. The BCP comprises many elements which. By changing the focus. but there was a time when disaster recovery was relegated to one corner of the computer room. extending beyond information technology systems. the emphasis is placed on the whole business. InSide GartnerGroup This Week (IGG). • evacuation plans.Guide to Effective Control Business continuity Business continuity management management Objective The difference between business continuity and disaster recovery is not a ‘what’ but a ‘whose’. important though they are in modern business. associated with information technology. • Disaster Recovery Plan (DRP). Amongst other matters. but are important elements of a robust continuity plan. not just on technology issues alone. • backup and recovery procedures. The objective of business continuity management is to ensure the uninterrupted availability of all key business resources required to support essential (or critical) business activities. In the business continuity management process it is important to consider what plans are already in place. considering the potentially devastating financial and organizational impact of a disaster. This reinforces the concept of continuity of all key processes. Business continuity now appears on the boardroom agenda. and which prescribes the steps an organisation should take to recover lost business functions. • communications strategies. collectively. define the approach to dealing with a break in business continuity. the BCP will bring together the: • service area Contingency Plans. Gooding. An Introduction to Business Continuity Planning. This holistic view of business continuity management differs from what many managers traditionally term Disaster Recovery Planning which has been closely. if not solely. C. The business continuity management process and the BCP need to bring together all such elements to ensure they adequately address the organisation’s business interruption risks. • off-site of recods. There are probably already some parts of the BCP the organisation has in place as part of its normal business operations.

The concept of an outage has a time dimension as well as a business process dimension. as they are not elements of the BCP. Matters of likelihood and cause should already have been addressed as part of the top down risk management process and preventative controls should already have been established to reduce the likelihood and consequences of all risk events (including business interruption events) to levels that are acceptable to management.Business Continuity Management Underlying approach The BCP is initiated when a risk event occurs that has a business interruption consequence. Outages need to be distinguished from other business interruptions such as those arising from systems downtime or failures that may occur as a part of normal operations—such as a brief loss off a communications link which needs to be re-established with a service provider. As discussed above. This worst case scenario modelling will ensure that all impacts arising from an outage are considered regardless of the likelihood of occurrence. consideration of causes and sources of threats is not part of the BCP. It is important that continuity plans are not developed solely from this perspective as it is unlikely organisations will be able to identify all possible causes of outages or the source of all threats. In the past. While disasters thankfully are an extremely rare occurrence in the life of most organisations. What is the maximum time the business can survive without key business functions before the BCP must be initiated and recovery procedures must commence? 13 . many plans have failed as they have confined themselves to one type of outage based on a limited threat analysis—usually a physical disruption. key business processes. referred to as a disaster. The analysis of the impact of an outage focuses on consequences. This extends to a complete loss of all business processes and resources. or loss of. It is not concerned with the likelihood or cause of occurrence. These events will cause a significant disruption to. the consequence (or business impact) analysis assumes that a disaster can occur. The business interruptions that are of concern from a continuity viewpoint are referred to as outages. the organisation. coordinated responses which escalate according to the nature of the outage. The business continuity management process includes establishing the maximum periods for which each function can be disrupted or lost altogether. The bottom-up approach to business continuity management complements the top down approach adopted for overall risk management by asking “what happens if the controls fail”? It puts in place planned. It follows that such events will have a high impact on. and severe consequences for. before it threatens the achievement of organisational objectives.

In a budget-funded organisation that pays benefits. Key business processes are those processes essential to delivery of outputs and achievement of business objectives. In a self-funding organisation. The full activation of a plan (ie. A ‘disaster’ is used in this Guide to mean an event that leads to a business interruption that will extend beyond the period specified for an MAO. If this has not been done. The MAO is the time it will take before an outage threatens an organisation achieving its business objectives. which has a high impact on the organisation. for a total disaster) must be defined for each plan during the plan development phase. Business activities and resources are the essential elements that combine to make up each key business process. Concept Outage • extraordinary event • loss of key business processes • high impact Description An outage is an extraordinary event.Guide to Effective Control Terminology The above discussion introduced a number of key terms and concepts. key business processes. a key business process may be a benefits payments system that is essential to ser vicing client needs. The following table summarises these terms and their meanings for ease of reference and understanding. Maximum A cceptable Outage (MAO) • threat to achieving business objectives The MAO defines the maximum time an organisation can survive without key business functions before business continuity plans and recovery procedures must commence. causing a disruption to. the BIA will need to do so. Examples/Comments During an outage parts of the Business Continuity Plan (BCP) may be activated in order to deal with the situation. Key business processes should have been identified as part of other business planning or risk management processes. a key business process would be a billing system as the organisation depends on cash flow for its survival. or loss of. This is distinct from downtime or systems failures that may occur as a part of normal operations where the impact simply reduces the effective utility of processes in the short term. Loss of a key business process in excess of the MAO is a business interruption event 14 . Business Impact Analysis (BIA) • key business processes • recovery priority Key business processes • business activities and resources The BIA is undertaken for all key business processes and establishes the recovery priorities. should those processes be disrupted or lost.

Identification of these procedures is important in continuity planning as it is these steps which will need to be recreated or redesigned to be used during an outage. likelihood and impacts. most importantly. Resources may be money. physical assets or. Risk events may be considered in terms of their causes. and include an an inquiry facility to follow-up on discrepancies. Procedures Procedures are the steps undertaken by an individual to achieve a result. If an outage causes the loss of the computer system supporting these validations. A benefits payments system relies on people. a system to record information and calculate and print invoices. entering that information on a computer system. Business interruption events are ‘outages’ and other operational events that do not affect business continuity. and registry or mail system to send invoices and receive remittances. Examples/Comments The billing process may require customer sales information.Business Continuity Management Concept Business activities Description A business activity is a series of actions combining to produce an identifiable output and/or result. Risk event Any non-trivial event that affects the ability of an organisation to achieve its business objectives. Without resources. A benefits payments process may rely on staff to inter view clients and fill in forms. office supplies for preparing and mailing the invoices. A risk event that has a business interruption consequence. operate computer systems. The customer billing system relies on people to undertake procedures. and computers. Customer billing and benefits payments may rely on a series of steps to ensure information is correct prior to bills being issued or benefits paid. Business interruption event 15 . periodic payments to bank accounts. people. office supplies. computers. activities (and therefore business processes) would simply not occur. buildings and power to house the people. building and power and also on having sufficient funds available to make payments when due. alternate processes may need to be developed to ensure continuity of that business function. Resources Resources are the means that support delivery of an identifiable output and/or result. produce information.

is to have in place treatments that will mitigate the business impact of the event. While risk is generally considered in a negative light. as having an adverse impact. In addition. political (eg. where it is both within the control of the organisation and where it is cost-effective to do so. is modelled on the Australian/New Zealand Standard AS/NZS 4360:1999 ‘Risk Management’. and economic (eg. even the best-designed controls can breakdown in operation and an outage may occur. The primary objective of managing such events is to prevent them from occurring in the first place. fire. should they occur. However. analysing. change of government policy. In the case of an outage. A business continuity event (described as an ‘outage’ in this Guide) is an adverse risk event. this requires risk managers to undertake an analysis of risks and risk treatments from the top down—starting with possible risk events and designing controls—and from the bottom up— assuming a risk event has occurred and preparing appropriate contingency 1 MAB/MIAC Report No. In practice. impact on the achievement of organisational objectives. should they actually occur. A comprehensive approach to risk management will therefore consider risk treatments both proactively—by designing and implementing controls to prevent risk events occurring—and reactively—by mitigating the consequences of such events. that is. 16 . treating and monitoring risks. The primary objective. risks may be considered as events that will. changes to legislation). 22 Guidelines for Managing Risk in the Australian Public Ser vice. the preferred outcome is to maintain the continuity of service. but also those that may lead to gain or advantage. October 1996.Guide to Effective Control Risk management Risk management Overview of the risk management process The risk management process generally used in Australia today and as espoused in the MAB/MIAC Guidelines for Managing Risk in the Australian Public Sector1 . the Standard contemplates not only events that may lead to loss or harm. flood). financial market collapses. economic downturn) events. In this context. Treatments designed to prevent risk events occurring are commonly referred to as preventative controls. when any risk event (including an outage) becomes a reality. This is particularly the case in relation to natural (eg. This philosophy can be best summed up as plan for the best but be prepared for the worst. certain risk events may be outside the control of the organisation (referred to as external risks). The Standard proposes a logical and systematic methodology for identifying. assessing.

The remainder of this section deals with those aspects of the risk management process that relate directly to business continuity. These approaches are complementary and should be undertaken in parallel. analyse. using the process described in the Risk Management Standard. • identify and assess risks and design treatments. and • monitor and review risks and treatments.Business Continuity Management plans. Figure 1—Overview of risk management process Establish context Determine key business objectives. • implement risk treatments. 17 v v v v v v . Figure 1 outlines a risk management process developed from the Standard which is relevant to business continuity management. There are four major steps in this process: • establish the organisational context. processes and resources Identify. Each step is examined in turn. rate and prioritise risks Identify and assess risks Evaluate design of existing controls and treatments Redesign controls and treatments if necessary v Implement treatments Establish plan Implement controls and other treatments Monitor and review Review operation of controls and continuing suitability of other treatments Review risk assessments Business continuity management is an integral part of this process.

The activities and resources attributable to these critical processes should be afforded the highest priority in undertaking risk assessments. outcomes and outputs. 18 v v v v v v Output group v v v Business process Business process v v v v Business support process . In particular. Figure 2—Establishing the organisational context Organisational objectives v v v v v Output group v v v Output group v Key business process Key business process Key business process Business process v v v v v v v v v v Business support process Business support process Organisations should identify their key business processes and business support processes by relating them to their overall objectives. This analysis defines the maximum acceptable outage for each key business process and sets the recovery priorities for the activities and resources underpinning them. the organisational objectives must be clearly defined.Guide to Effective Control Step one: establish context Risk management is undertaken at both the strategic (organisation–wide) and operational (business process) levels of an organisation. The Risk Management Standard discusses the need to first establish the organisational and risk management context (Figure 2) in order to create a framework within which the process is carried out. Link with business continuity management The first step toward developing a business continuity plan is to undertake a business impact analysis. This step enables organisations to determine which are the key business processes so that they may focus and prioritise their risk management efforts. activities and related resources that are to be subject to risk assessment. as well as the functions.

they are analysed in terms of their likelihood and consequences. These aspects of the overall risk management process are highlighted in Figure 3. Step two: identify and assess risks This phase of the risk management process requires organisations to: • identify all non-trivial business risks. Figure 3—Outline of the risk assessment phase of the risk management process Identify Determine possible risk events using risk framework v v v v v Analyse Determine liklihood and consequence without control v v v v v Determine risk level and compare with acceptable risk v v Acceptable? No No Acceptable? Yes Treat Redesign controls and other treatments v Document Record in risk register Once risks have been identified. The diagram illustrates a two-step approach which analyses risk before and after consideration of controls. and • design treatments that reduce the risks to an acceptable level. v v Evaluate Determine risk level and compare with acceptable risk v v v v v Evaluate design of existing controls and treatments Determine liklihood and consequences with control v v v v v v Yes v v v v 19 .Business Continuity Management Key business processes may have been identified earlier during an overall risk management project. These become an input to the business impact analysis. • assess those risks.

unsafe work practices Negligent mis-representation Breaches of law/regulations Information system failure Employee fraud Strategic External risks External risks Operational Internal risks Competitive collusion Currency fluctuations Economic downturn Economic/market Internet ‘spoofing’. An example of such a framework is illustrated in Figure 4. cost.Guide to Effective Control Risk identification Typically. hacking Telecommunications failure E-commerce causes a loss of market share Technological External risks Risks may arise both from external sources and internally—emanating from within the organisation and arising from its strategic and operational processes. Figure 4—Risk classification framework External risks Political/regulatory Environmental/natural Change of government policy New legislation Changes to administrative arrangements Fire Flood Earthquake Cyclone Internal risks Wrong direction Structural mis-fit Staff alignment with vision Staff capability/skills gaps Inadequate capital base Product/service design Failure to meet output targets for time. 20 . organisations use a risk classification framework to ensure that all likely risks are identified. quantity or quality Unauthorised access to/disclosure of sensitive information Incorrect information used to formulate policy advice OH&S issues-accidents.

telecommunications information systems) such as fire. management should consider whether each event could interrupt the normal course of business operations. The more likely an event is to occur. Risk analysis The objective of this analysis is to separate the risks identified in the previous step into minor (acceptable) risks and major (unacceptable) risks. Links with business continuity management The consequences (business impacts) in a business continuity management context relate to business interruption (outage). To aid in completeness of the analysis. 21 . detailed consideration. For a risk event that has a business interruption consequence. the more cost-effective preventative controls will need to be. resources. these impact areas may be categorised as outputs. qualitative or semi-quantitative evaluation. reputation. This is usually undertaken by establishing criteria on an escalating scale against impact areas. It is common practice in this step to undertake a first pass review of all risks prior to considering existing controls and other risk treatments. detrimental effect on an organisation’s resources (staff. Whereas the likelihood of a risk event occurring is not part of the Business Continuity Plan. this is an extreme consequence and accordingly would receive the highest rating. The analysis of consequences involves establishing evaluation criteria to guide management in forming a view on how significant a particular event is to the business. Events which have a direct. the relevant evaluation criterion is the duration of the business interruption. This is achieved by comparing the risk level to pre-determined criteria of acceptability. facilities. In the business continuity management process. Where a risk event is likely to cause a business interruption that will exceed the time limits defined in the maximum acceptable outage. For whatever approach is adopted. the likelihood and consequences of each risk event are determined and the combination of these two evaluations provides the risk level. a maximum acceptable outage is established for each key business process and resource. power supply failure and fraud. compliance and business interruption. Figure 5 illustrates the risk analysis process for risk events that have a business interruption consequence. it is relevant at this stage when determining pro-active treatments and controls.Business Continuity Management Each risk event may have a number of consequences that will impinge on an organisation’s ability to achieve its business objectives. are likely to have some business interruption consequences. In analysing identified risk events. which will also have a major or severe impact. The next step in the risk assessment phase is to analyse these impacts and determine the likelihood of occurrence so that a risk level can be established for each risk. There are number of approaches to risk analysis that may involve quantitative. to eliminate trivial and minor risks from further.

It has a fortnightly payment cycle. the highest rating overall should be used in the risk assessment process. The overall impact has been rated as extreme for this event. variations to client details. This event is recorded on an analysis sheet (extract below) and the various business impacts noted. or pay its clients. > MAO) Clients/ stakeholders Death of client Compliance Breach of Constitution 4 – Major 3 – Moderate 2 – Minor 1 – Negligible 1 – 2 weeks < 1 week < 1 day None The Maximum Acceptable Outage (MAO) for this information resource and business process was set at two weeks (Part Two of the Guide discusses how an MAO is set). a benefits payment service organisation identifies the unintentional deletion by its employees of client information as a risk event. Without this information it is unable to process new client applications. The consequence rating was determined by reference to the following evaluation criteria. 22 . on time and for the correct amount. The estimated time to reconstruct client records exceeds this durationaccordingly for this criterion an Extreme rating applies.Extreme Intentional deletion of Client Master File records Employee fraud – bogus client created As above No impact The risk event highlighted above forms a part of the internal risks to the organisation and relates to its operational processes. Analyse consequence of risk events (without considering controls) Business impact of event occurring Risk events Internal Risks Operational processes Incorrect classif ication of client benef it type Unintentional deletion of Client Master File records by staff Does not achieve timeliness KPI of 99% payments on time Extra staff and consultants costs to recover lost data estimated to be $500.Guide to Effective Control Figure 5—Consequence analysis of events with business interruption impacts As part of the risk assessment process. A number of other business impacts have been identified for this event in addition to the business interruption impact. Benefits Payment Business Process (extract) Business objective: pay benefits to bona fide clients only. Note that while other impacts from the event may achieve a lower rating.000 Will require Ministerial explanation and likely to lead to questions in the Parliament No impact Outputs Resources Reputation Business Interruption Clients/ stakeholders Compliance Rating Minimum four weeks to reconstruct file from paper records Unable to No impact process client payments 5 . Consequence evaluation criteria by impact area Rating 5 – Extreme Outputs >10 per cent variance from KPI targets Resources) Death of employee >$10 million ‘loss’ Reputation Royal Commission Business Interruption >2 weeks (ie.

this should detect any unauthorised access and highlight what information. For example. whereas corrective controls operate primarily to minimise the consequences once a risk event has occurred. Preventative controls operate primarily to reduce the likelihood of occurrence of a risk event. and at what time after a risk event has occurred that would otherwise lead to the organisation’s resources or processes being adversely affected for a period in excess of the maximum acceptable outage. and to transferring the risk. the risk level is first determined for all risks—which are then categorised between minor and major—before considering existing controls and treatments. was altered. most organisations institute back-up and recovery procedures for the information stored on their computer systems. The organisation needs to respond to such events in proportion to their significance—matters of likelihood and root cause are therefore no longer relevant. In the event that there is a loss of data. The treatment options available to an organisation range from accepting the risk (where it cannot otherwise be cost-effectively managed) to controlling the risk. by whom. The organisation will need to determine what must be done. if any. If correctly implemented. notwithstanding existing controls and treatments. An example of a corrective control is the review of a computer log of access attempts. If correctly implemented. the organisation starts from the assumption that the preventative controls have failed. Links with business continuity management Controls established by management to treat risks can be defined either as preventative (stop the risk event from occurring in the first place) or corrective (detect the risk event when it occurs and respond accordingly). An example of a preventative control is the use of passwords to gain access to the information systems of an organisation. the consequences are reduced to the extent of the gap between the data set that was lost and the last saved version of that data set. In a two-stage approach to risk analysis. In a business continuity management context. It will also have to determine what needs to be done in advance of any outage so that its consequences can be mitigated. 23 . Where the risk level remains unacceptable.Business Continuity Management Risk treatment design The final part of risk assessment is to design appropriate risk treatments. and a business interruption occurs. it is incumbent on management to design new controls or to consider other treatment options. The major risks are then evaluated in the context of existing controls and other risk treatments. or there were no preventative controls in place. this control will prevent unauthorised access.

It must then ensure that the implementation plan is executed by establishing responsibility and timeframes for any actions required and accountability for outcomes. The Risk Management Standard recommends the following minimum documentation2: • who has overall responsibility for the implementation of the plan. it will have identified controls and treatments that reduce the likelihood and consequences of all risk events.Guide to Effective Control Step three: implement treatments This step of the risk management process requires organisations to establish a plan for implementing any new treatments. The BCP is a corrective control that is activated only after a business interruption has occurred. 2 AS/NZ 4360:1999 Risk Management. see Appendix H 24 . • budget allocation. If the risk assessment process has functioned effectively. to an acceptable level. The implementation plan should include the need to establish a BCP if one does not already exist. additional controls or modifications to existing controls arising from the risk assessment phase. It is not the implementation plan referred to above. Links with business continuity management The Business Continuity Plan is a risk treatment. • timetable for implementation. • what resources are to be utilised. and • details of mechanism and frequency of review of compliance with treatment plan. including business interruptions events.

Business Continuity Management Step four: monitor and review The objective of the final step in the risk management process is to monitor risks and the effectiveness of controls over time to ensure changing circumstances do not alter risk priorities or weaken the operation of controls. many organisations have implemented Corporate Governance programs that highlight manager’s responsibilities for controls3. Review of controls. 3 The ANAO has published two Better Practice Guides discussing corporate governance and control relevant to this issue: Better Practice Guide to Effective Control—Controlling Performance and Outcomes. to ensure they operate as management intended. It also requires that the impact of organisational changes or any other changes to circumstances be considered to ensure the plan maintains its currency. 25 . the BCP needs to be monitored and reviewed for effectiveness. periodic review of both strategic and operational risks. Links with business continuity management As with any other control. the major drawback is that it may lead operational managers to conclude that internal audit. However. This ensures regular. This requires that it be tested regularly. Many organisations integrate risk assessment into their corporate and annual business planning processes. To counteract this view. 1999. The use of control ‘sign-offs’ and the introduction of control self-assessment are two useful initiatives in this area. has traditionally been the major role of the internal audit function. 1977 and Corporate Governance in Commonwealth Authorities and Companies. is responsible for the system of control. not the operational manager.

Guide to Effective Control 26 .

Business Continuity Management Part Two The business The business continuity process continuity process Overview of the business continuity process Step one: Step two: Project initiation Key business processes identification Establish key business processes Rank key business processes Determine activities that constitute each process Match resources to activities Step three: Step four: Business impact analysis (BIA) Analysis of operational and financial impacts Design continuity treatments Identify and evaluate treatment options Select alternate activities and resources Step five: Implement continuity treatments Implement preparatory controls Prepare the Business Continuity Plan (BCP) Step six: Test and maintain the plan Test the plan Maintain the plan 27 .

Guide to Effective Control 28 .

• identify key business processes. Given their close inter-relationship. There is a high degree of commonality between the steps described herein and those discussed in Part One—further reinforcing the need to undertake these steps as part of an overall risk management process. • design treatments. These steps are illustrated in Figure 6 and each step is discussed in detail in the remainder of this Part. The steps in the business continuity management process are: • initiate the project. it is recommended that a BCP be developed in conjunction with the Risk Management Plan for the organisation.Business Continuity Management Overview of the business Overview of the business continuity process continuity process As discussed in Part One of this Guide. The top down approach to risk management—which starts with business objectives and identifies risks. This Part of the Guide deals with the steps required to produce the BCP and what needs to be done to ensure that it is properly maintained. The similarity in steps also serves to highlight that it is not the process so much that differs in constructing a BCP but the underlying approach. • undertake a business impact analysis. 29 . business continuity management is an integral part of total risk management. • formulate a BCP. is complemented by the bottom up approach to business continuity—which starts with identification of resources and processes being affected by an outage. and • test and maintain the BCP.

1999 30 .Guide to Effective Control Figure 6—Overview of the business continuity management process Source: Deloitte Touche Tohmatsu Protech/IPS Methodology.

Business Continuity Management Step one: project initiation A plan should be prepared documenting the objectives. • be prepared by managers who understand the business and be approved prior to the commencement of work. Checklist for the development of a business continuity project plan • Document the project’s objectives • Define and document the project’s scope and any limitations • Explain any assumptions made • Assign responsibility for project tasks • Present the budget. tasks. or management committee. The plan need not be overly large or detailed. and boundaries of the business continuity planning project. required for the project • Set project timeframes and deliverables for tasks • Plan is formally approved by Chief Executive and/or appropriate management committee Source: Deloitte Touche Tohmatsu Protech/IPS Methodology. responsible for the project should approve the plan. scope and boundaries • Establish management committee • Establish budget and timetable v Project plan Case study Ensuring the business continuity planning project was well-focussed and understood by all participants. Team roles and responsibilities should also be established. including a budget. deliverables and assistance for the project. Like most plans. and • reflect the organisation’s approach to risk management. 1999 Executive commitment and involvement v • Document objectives. An example of this plan is in the Workbook at Step one (p. and relevant reference material or existing documentation collected at this stage. including staff resources. scope. The manager. 6). the business continuity project plan should: • continue to develop during the life of the project as more about the organisation and its risks is learned. 31 . but needs to reflect the size and complexity of business continuity issues in the organisation. a public statutory body developed a requirement specification document to outline the scope.

and Monitor services could include grant acquittal processing. costing. those processes essential to the delivery of outputs and achieving business objectives. An example of such a scheme. payroll.Guide to Effective Control Step two: key business processes identification Project plan The primary input to the Business Impact Analysis (BIA) in step three is a list which ranks the key business processes of the organisation—that is. and program evaluation processes. and the key business processes which ensure these objectives are met and outputs are achieved. • Operational processes—Develop services could include designing application forms for grants or establishing a call centre. A structured approach to this step requires organisations to: • establish and rank key business processes. • map activities undertaken within each process. operational and support processes. Deliver ser vices could include formulation and provision of policy advice. Such schemes provide generic categorisations of business processes common to most organisations. applied to the public sector. in preparation for the BIA. control and risk self-assessment. For example: • Strategic processes—Monitor and review would include internal audit. quality management programs. This diagram outlines the ‘mega’ business processes categorised between strategic. and • match resources to activities. Good starting points to achieve this understanding are high-level planning documents such as corporate plans. . organisations may wish to utilise a business process classification scheme. and • Support processes—Financial resource management includes purchasing and payments. is provided in Figure 7. and budgeting and forecasting. Each key process is defined in terms of the activities undertaken and the resources consumed by those activities. Within each mega process are a number of major business processes. Establish key business processes • Identify key business objectives • Identify key business outputs • Align business processes with outputs • Understand key activities. business plans and operational plans. that management has a clear and agreed understanding of the organisation’s business objectives and outputs. These plans should have already documented the organisation’s business objectives and assessments of strategic and operational risks. resources and dependencies v v v v v Key activity and resource schedule 32 v It is important. Sell services could include processing client applications or claims. To assist in achieving consistency in terminology and common agreement in process definition.

processes and resource needs Monitor and review Operating processes Design services ‘Sell’ services Deliver services Monitor services Financial resource management Support processes Human resource management Information resource management Physical resource management This scheme is based on the ‘Universal Process Classification Scheme’ for the private sector developed by the American Productivity and Quality Centre in conjunction with Arthur Andersen. IBM.Business Continuity Management Figure 7—Example of a process classification scheme for Government organisations Understand stakeholders and clients Strategic processes Develop objectives. outputs and outcomes Define structure. 33 . DEC and Xerox.

it is important that the concerns of executive and senior management are obtained regarding business priorities and continuity issues.Guide to Effective Control Rank key business processes The key business processes need to be ranked in order of their importance to the organisation. A thorough understanding of activities is essential to identify such inter-dependencies. 34 . it is important to meet with operational and support area managers to discuss their own understanding of the activities. • loss of cash flows essential to business operations. which combine to produce the output. These may be the activities of a single operational area in the organisation. To obtain the ranking. This may be supplemented by reference to process maps and other systems documentation obtained from procedure manuals or internal audit. together with their corresponding activities and resources. • failure to meet key stakeholder expectations. e-business solutions rely not only on the internal network but also on the Internet Service Provider. In a large organisation it will generally be necessary to conduct a series of interviews or facilitated group sessions. or may be the activities of a number of operational areas. In either event. The ranking of key business processes may consider such issues as: • failure to meet statutory obligations for service delivery. Some activities may rely on the outputs from other activities from within the organisation (commonly referred to as enabling outputs). Determine activities that constitute each process The business activities supporting key business processes then need to be identified. and • degree of dependency on business processes by internal business units or clients. The use of structured interviews and/or facilitated group meetings are recommended tools for gathering this information. To gain the necessary level of understanding of activities and inter-dependencies. it is important that the information collected through these approaches is reported back to the participants for their confirmation. or even from outside the organisation. These are the activities that produce an output from the key business process. This ranking should reflect the importance of the business process to achieving business objectives and delivering outputs. In a small organisation it may be possible to gather this information from one group meeting. This has the added advantage of ensuring participants are aware of all organisational priorities and can agree on the ranking of key processes. For example.

The activity was dependent on a call centre as a customer interface and on the stores area for equipment. Some resources to consider are: • people—both the organisation’s staff and people external to the organisation which may be critical to the success of the activity. • assets and supplies—equipment and consumables which are used by the people and the processes as part of the activity. activities and resources are identified • Document and confirm organisational objectives and outputs • List key business processes that underpin achievement of objectives and delivery of outputs • Review the functional organisation chart to identify general areas of operational responsibility • Interview managers responsible for key business processes to confirm understanding of activities (complex organisation only) • Document the activities and resources essential to each key business process • Formally communicate the list of key business processes and supporting activities and resources to the project steering committee Source: Deloitte Touche Tohmatsu Protech/IPS Methodology. 35 . This information resulted in a lower recovery priority for the stores activities and associated information technology processes. Investigation of the stores turnover determined that the level of stock retained in the central and satellite stores was sufficient to continue activities for up to a week.Business Continuity Management Match resources to activities The resources necessary for delivery of the key business processes also need to be identified. given its impact on public image. progress tracking and stock level information. These areas were in turn dependent on the information technology infrastructure for customer detail. These are the resources required by the operational areas to support the activities that deliver the outputs or results. Checklist to ensure all key business processes. Due to these interdependencies. the business processes would not achieve their goals. 1999 Example: interdependent activities and resources A customer fault repair activity of a utility had a high business priority. information transfer. stores and information technology were directly influenced by the recovery requirements of the fault repair activities. the recovery timeframe for the call centre. Without these resources. • infrastructure—buildings and other property used by the organisation to deliver its services and produce its outputs. and • finance—some activities require money to be available to make payments on time.

a business process assessed. The real purpose of a business impact analysis is to identify those systems that when absent would create a danger to the enterprise’s survival and to ensure those systems reveive the correct priority in the subsequent business continuity plan. Treatments for each event need to be determined. Most effort in risk management. despite their impact. not to have a plan in place to relocate operations or recover from the loss of a building because …that will never happen… will leave the organisation floundering. From this. is put into addressing risks with high likelihood and high impact—risk management models and methodologies devise and implement controls (or treatments) to eliminate or reduce the effect of these risks. January 15. This information must be analysed. priorities and expectations • Determine MAO v v v v v Maximum Acceptable Outage Schedule A series of business impact analysis interviews with the managers responsible for critical activities and resources will be the quickest way to undertake the analysis. C. Gooding © GartnerGroup 1999 36 . how long can the key business process survive without the critical activity and/or resource before it will have a detrimental effect? Analysis of operational and financial impacts • Identify key personnel • Schedule and conduct interviews • Document concerns. The analysis should be based on an outage in which all activities and resources (including the actual work place) are not available. at least in the first instance.Guide to Effective Control Step three: business impact analysis (BIA) By this step the information collated includes: • documentation of key business processes. and have a major impact. yet its impact is significant. For example. InSide GartnerGroup This Week (IGG). Business Continuity Planning: Creating a Business Impact Analysis. and the operational and financial impacts that would result from disruptions to. and justifiably so. and • a priority ranking of the processes. possibly leading to its demise. will ensure all impacts arising from an outage are considered regardless of the risk likelihood. • interdependencies within and between activities and resources. Key activity and resource schedule v • identification of the activities and resources critical to the key business processes. the maximum acceptable outage can be determined for the critical processes and resources. This aspect of risk management is about coping with events that are less likely. but it is folly to ignore the risk. should the impossible happen. An approach founded on risk likelihood will fail to propose a treatment for highly unlikely events. Where an event is unlikely. or loss of. Assuming the worst case outcome (total loss of the process and/or resources). That is. activities and resources which represents the organisation’s agreed view. it may not be feasible to treat the risk. 1997.

1999 37 . Checklist for analysing each key business process • Evaluate the impacts of a loss of the process from the perspective of the organisation’s budget and outcomes and outputs—consider: loss of revenue/increased expense service delivery standards public or political embarrassment loss of client confidence loss of management control financial misstatement regulatory. and political ramifications • Identify the critical success factors that ensure the process meets the organisation’s objectives • Identify additional expenses incurred if activities are performed manually or in a substitute manner during an outage • Identify interim processing procedures (alternative or manual processing) techniques to be adopted during the recovery phase • Estimate the time it will take to overcome the backlog of work accumulated during the outage • Quantify the minimum resource requirements necessary to perform the activity • Identify the records vital to the recovery process • Evaluate the adequacy of current BCP in place Source: Deloitte Touche Tohmatsu Protech/IPS Methodology. Each step in the checklist is supported by guidance and schedules contained in the Business Impact Analysis (BIA) questionnaire which is in the Workbook (p.Business Continuity Management The following checklist summarises the steps to be undertaken to complete the analysis and determine a maximum acceptable outage for each key activity and resource. statutory or contractual liability specific/unique vulnerabilities.1 1)that accompanies this Guide.

Four 2-hour workshops were held which included a senior representative from each activity as well as management from underlying processes. The first series of interviews provided an understanding of the impacts from a loss of key activities and the interdependencies between the business units. 38 . interdependencies and recovery priorities was produced. Large organisation A series of Business Impact Analysis interviews were conducted for a large and complex listed company with over 2000 employees. interdependencies and recovery priorities. The participants were able to build on each other’s analysis and a very clear picture of the impacts. The general manager and senior representatives from each activity attended the 2-hour workshop. this approach also aided in limiting any bias that may have arisen between business units/interviewees. each business unit was examined separately. This often means revisiting business units or getting feedback from senior management. Medium-sized organisation A state government body with around 150 employees conducted a series of workshops. it was necessary to spend extra time to determine the impacts. Given that the activities and processes were complex. Further interviews were then conducted with senior management to confirm the recovery priorities and maximum acceptable outage timeframes from an overall organisational perspective. and in some cases processes within that business unit were reviewed separately. Due to the organisation’s size. A ‘disruption scenario’ was presented with each of the participants describing the impact to their area at various timeframes. critical activity and resource Case studies Small organisation A small statutory body with 20 staff conducted a single workshop to determine the impacts of a disruption. As per the medium organisation example. An important extra step was also needed in this process in that all responses had to be compared to responses from other activities in order to limit any bias between the separate workshops.Guide to Effective Control Checkpoint: management sign-off Obtain agreement from project committee/ project sponsor and chief executive regarding the MAO for each key process.

These requirements are based on the rankings agreed in the BIA and provide: • the basis for specifying and selecting alternate and redundant capacity to reduce likelihood or impact of an outage. and • recovery and restoration requirements to be used if an outage occurs. The treatment analysis identifies the requirements to ensure the continued availability of critical processes and resources during outages. loss of a key business process. where identified. As part of this process. or redesign of. recommendations for improvement in business process to be implemented. there should be treatments that: • reduce the exposure to. a review of vital records management and backup and recovery procedures must be undertaken. Recommendations for each service area are made based on the treatment options selected and. Appendix 9 provides checklists for review of off-site backup procedures The outcome of the treatment analysis will form the basis of the business continuity plan.Business Continuity Management Step four: design continuity treatments This step identifies the treatments to address. Appendix 6 discusses the approach to quality review of the BCP. or impact of. loss of the processes and resources on which the functions rely. which includes evaluating backup processing and off-site storage. Variations to. it is critical the following areas are addressed as part of the business continuity planning process in respect of 39 . and to minimise the effects of. existing activities and resources should be considered as a means of reducing the exposure to. This will ensure records and data can be reconstructed following a disaster. Identify and evaluate treatment options Maximun Acceptable Outage Schedule v • Review existing controls • Identify and evaluate options • Select alternate activities and resources • Implement treatments v Risk Treatment Plan For each of the key business processes identified and ranked in the BIA. disruptions to each critical business process for which an MAO has been established. Each phase of the treatment analysis is discussed in the following sections. In selecting alternate activities and/or resources. and impact of. Evaluating the options available to ensure the continuation of business will identify the alternate activities and resources to be used should an outage occur. and • implement alternate processes and resources to be used following an outage and plans to recover from the outage and restore normal operations.

can have a significant impact on an organisation’s business. information systems and business processes. it is necessary to identify other arrangements that may be used in their place. The impact of disruption on people should also be considered in isolation and as a resource that is interdependent with each of the areas below—facilities. Checklist for evaluating activity and resource alternatives • Document a brief description of each viable option • Determine other resources required and the costs for each option (this may require information from vendors) • Compare recovery options to MAO: . or a team.Guide to Effective Control each identified disruption. • issues relating to the disaster event. 1999 People People are often overlooked as the most critical resource in ensuring continuity of business.Does the option meet the recovery needs? . For all critical activities and resources. The business continuity plan needs to include treatments for people. The impact of an unexpected loss of key personnel. and • the psychological effects of the disruption on staff morale. and • business activities. including short-term replacements and training. telecommunications. • telecommunications. • human resource issues. computer sites). objectives. should they be lost. or cold. • information systems. hot. which includes: • approaches to communication. regardless of the organisation’s. size or complexity: • people. From those identified. Alternate activities and resources may be a combination of different services or redundant capacity retained just in case (eg. alternate activities and/or resources are chosen which allow that part of the business to continue with minimal disruption. • facilities (including buildings and equipment). 40 .Does the option exceed our needs? Source: Deloitte Touche Tohmatsu Protech/IPS Methodology.

procedural and administrative changes. • agreements and activities required to transfer functions. movement or relocation of staff. Following a major disruption. and • documented procedures to support business facility recovery and restoration. This approach may recover the costs associated with loss of key staff but it is only a solution to symptom of loosing staff—proactive staff management practices are always preferable. The treatments should also aim to be developed to ensure timely restoration or relocation so the business process can be moved back to the restored premises or be relocated to new premises and continue essential business activities. salvage and restoration of equipment and buildings. ensure key information and the organisation’s knowledge is shared so they can assume a new role with as little lead-time for learning as possible. Treatments should be developed for damage assessment. Skills management plans For identified understudies.Business Continuity Management Example: treatment options for people Treatment Succession plans Description A prescribed plan of action to replace key staff should they be unavailable. Additional issues to be addressed include: • provision for backup processing services. Arrangements and procedures for relocating facilities should be addressed. They should address the buildings in which the business process operates and the equipment and resources contained within those premises. This segment addresses the physical environment (equipment and buildings) on which a business process depends. facility recovery treatments aid the organisation in supplementary staffing. 41 . Key person insurance Insure against the financial impact of loss of key staff. Facilities The BCP should include treatments that concentrate on the most critical components of operations—usually people and their work environment. and site and infrastructure modifications. This may include identifying understudies in the organisation or agreements with professional contracting agencies or with other organisations to source qualified staff at short notice.

• vendor and carrier negotiations in which contractual or service level agreements are made with telecommunication vendors. as part of a comprehensive BCP.Guide to Effective Control Telecommunications Communication is critical to continuity of business functions. The information systems treatments included in the BCP need to consider: • use of secure and fire-proof in-house storage facilities. and • off-site storage of critical data. However. necessary. The BCP should therefore include treatments that address recovery from loss or interruption of voice and data communications. project and management files) and electronic records on computing facilities (eg. network software and acquiring necessary redundant equipment. The result should be a complete and workable strategy for each part of the information process affected by identified disruptions. • agreements and activities required to transfer processing to other locations. • backup equipment and software which includes backing up PABX data. Preventative controls such as robust systems and application design. 42 . Information systems Information systems manage the organisations physical records (eg. correspondence. forms and images). • provision for backup processing facilities (electronic and manual). faulttolerant hardware. and when. plans should be developed for each of these systems. In many organisations. and • uninterruptible power supplies (UPS) and monitoring facilities which help prevent system loss during power failures. wherever they are housed. and recognise any interdependencies between them (eg. uninterruptible power supplies. voice networks are more critical than data networks. both within and outside the organisation. single site of the management system). • alternate path design and switching services redundancy can be built into communications networks such as PABX and network systems which enable communications to be diverted to other locations if. and monitoring facilities should also be considered. Distributed handling and processing of information inherently spreads the business continuity risks across an organisation. email. Treatments that deal with communication loss can include: • the human resource procedures and administration required to support the business function. electronic policy and procedure manuals.

warm site.Business Continuity Management Example: treatment options for facilities. Business processes As an outage may impact more that one business process. communications. Example: treatment options for business processes Treatments Alter current arrangements A pplication Often current processes and resources can be changed as a cost-effective solution. Alter current processes 43 . the concept of coordination should drive the entire approach. While this is the final step in determining treatment options. ultimately. Business process treatments included in the BCP should address the activities and responsibilities of a business function to ensure continuity of essential business functions from the point of disruption to the return of normal operations. etc. hot site. Often a current (or even non-current) service provider would be willing to give a guaranteed level of service in a disaster situation to restore resources at minimal cost. In the event of loss of one site. These types of agreements can be entered into with other organisations to achieve the other options (ie. Enter an agreement with an outside vendor to provide service in the event of an outage (ie. Enter into an agreement with another organisation to use part of their facilities in the event of a disaster. splitting data processing between two offices. the treatments developed for each process need to be consolidated and. This is crucial to an effective BCP as it recognises the interdependencies between business processes within the organisation. purchasing a hot-site agreement together). telecommunications and systems Treatments Purchase or lease redundant capacity Contingency arrangements Mutually beneficial agreements A pplication Pay for extra office space. IT infrastructure. For example. and cold site). individual business process plans are combined into an organisation-wide plan. the other site is still functioning.

Agreements with vendors may be established to ensure timely delivery on demand at a set price. it was determined that this strategy was suitable for a disaster situation and was incorporated in the BCP. and • indirect costs-such as cost to establish and maintain new equipment. the number of issues relating to people to be addressed was reduced. it is necessary that each option be costed. restoration of essential phone communications maybe handled with the purchase of sufficient mobile phones when required. Facilities An organisation with a relatively large maximum acceptable outage determined there was no need to obtain facilities immediately following a disaster. of the costs until an event occurs and the continuity plan is activated. so that in the event of an outage this information could be easily obtained. It contacted a local real estate agent and asked it to maintain a list of suitable alternative office space. Case studies: alternate treatments People A statutory body had previously developed a Staff Communications Strategy outlining the methods to inform staff of events in the organisation. Costs include: • direct costs. or a significant portion.Guide to Effective Control Select alternate activities and resources A cost-effective strategy for recovery. and the telecommunications provider agreed to switch these numbers to an alternative location immediately following an outage. however. The selected alternate processes and resources should be documented along with the rationale for their selection. All costs need to be carefully considered as indirect costs such as maintenance can often exceed direct purchase costs. Following consultation. In another example. the service provider agreed to provide extra bandwidth on a contingency basis to the second location at no cost. the WAN to this location could not support the network traffic. satisfying the requirements of the business should be selected from the options identified. For example. In many cases it is possible to defer all. Telecommunications A large public sector organisation had an agreement for supply of a Wide Area Network (WAN) with a large telecommunications provider. 44 . and organisation defined its critical phone numbers. in the knowledge most carriers can provide them within hours. By using policies already in place. To enable this choice to be made. This agreement was incorporated into the contract. Their information systems recovery strategy suggested that they should move processing to their second office. Following a review.such as purchase price for extra equipment.

Business Continuity Management Case studies: alternate treatments (continued) Information systems An organisation with a maximum acceptable outage for information systems of five days. A series of checklists is included in the appendices to this Guide to assist with developing continuity treatments. and • documentation of the recovery arrangements. and • Limitations of BCPs (Appendix 7). responsibilities and a checklist for the Board and audit committee (Appendix 2). The checklists cover: • Alternate processing contract considerations (Appendix 1). and formal contingency arrangements with external parties. • Roles. • Roles and responsibilities of the service area recovery teams (Appendix 5). Step five: implement continuity treatments Selection of continuity and recovery treatments will lead to: • implementation of procedures to support recovery from a disruption to business. responsibilities and a checklist for the Chief Executive Officer (Appendix 3). Procedures implemented to support recovery will need to be both preparatory and reactive. • Checklists for quality assurance of BCP development (Appendix 6). spoke to their current service provider who agreed to include as part of the maintenance/service contract a disaster recovery clause which stated that they would replace infrastructure within three days. This was obtained at no cost given that the organisation was an important customer of the service provider. Three of the most important such controls include back-up processes. • Roles. Documentation of the recovery arrangements to be implemented after an outage has occurred is the role of the Business Continuity Plan. Risk Treatment Plan v • Establish recovery teams • Document service area recovery steps • Obtain contact and inventory lists • Document recovery management process v Business Continuity Plan 45 . records management. Preparing for recovery involves putting in place controls that will mitigate the consequences of a business interruption should it occur. • Role and responsibilities of the Recovery Coordinator (Appendix 4).

the resources required to recover and restore essential business processes are identified. supplies. Resources required for recovery such as documentation.Guide to Effective Control Implement preparatory controls Back-up Based on the results of the Business Impact Analysis. data and programs should be obtained (copies or backed-up in the case of electronic data) and be kept at a secure off-site facility. is available to meet both situations. 46 . To activate a BCP it will be necessary to obtain access to information and resources supporting the key business functions. In the event of an outage it may still be possible to obtain these from the organisation’s premises. if they exist if standards and procedures do not exist. (complex organisation only) • Consider testing partial recovery from off-site facilities (complex) Source: Deloitte Touche Tohmatsu Protech/IPS Methodology. Checklist for evaluating off-site storage and back-up processing • Ensure all resources required for the selected strategies are stored offsite • Review documented off-site backup processing standards and procedures. forms. but this will not always be the case. ensure they are developed • Interview personnel responsible for implementation of backup procedures to see if there is adherance to procedures • Document key elements of the off-site backup procedures for inclusion in the appropriate sections of the contingency plan • Analyse off-site backup processing procedures and document concerns Note: A better practice checklist for off-site storage is included in Appendix 9 to this Guide can be used as the basis for analysing issues with off-site backup processing • Schedule review of off-site storage facility. Reliable off-site storage and backup procedures will ensure information essential to continued business is available as. Off-site storage facilities should have suitable environmental and security controls and the resources and information should be protected from unauthorised access modification. 1999 Off-site storage procedures should be modified to align routine operational requirements with those identified in the recovery strategies to ensure resources stored off-site. and access to them. needed. and when. The following checklist describes the steps for evaluating off-site storage and back-up processing requirements. disruption or use during storage.

They include the management of hardcopy and electronic records data as well as archiving policies for both forms of records.Business Continuity Management Records management As part of the BIA. • political ramifications of non-delivery of a service or information. vital records supporting the critical business processes were identified. Record management has long-term implications for the organisation and strategies should consider: • legal requirements and exposures. and • decision-making processes which will be affected. • stakeholder dissatisfaction. • inefficiency across all processes in locating and utilising information. Development and implementation of document management procedures should include the procedures necessary for management of both physical and electronic records. Risks associated with information management should be addressed in the plans that underpin the strategy. Development of document management procedures is part of the organisation’s overall information management strategy. Procedures can be broken into five parts: Figure 8—Records management procedures Develop hardcopy document management guidelines Develop electronic and data management guidelines Develop archiving guidelines Develop data security and information guidelines Implement the guidelines 47 . The impacts of not having proper document and data management treatments in place are many. In order for these vital records to be properly restored it is necessary to ensure a suitable records management program is in place. • adverse affects on public image through inability to deliver information. Continuity issues in record management extend beyond just keeping business processes in place.

The lack of documented management procedures made recovery of information virtually impossible. A good records management system will include consideration of the management of records vital to business continuity.Guide to Effective Control The Australian Archives Handbook on Record Management4 says a good records management system will ensure: • the right records are created. The legal requirements to maintain records vary across organisations and should be considered in formulating a BCP. • people who need the records can locate them. • information is kept on who uses the records. that aspect of records management needs to be reviewed. that recovery of information technology systems was not. Current plan Yes t Yes t Yes t Yes t No t No t No t No t Case study The Bankstown City Council fire was reported widely in the press for the impacts the disaster had on the Council and the community. a problem. There were sufficient backup and storage procedures in place. The then Lord Mayor of Bankstown highlighted. why they are used and how they are manipulated. Checklist for assessing vital records management program • Does it provide a framework to ensure security of information developed? • Does it establish a framework by ensuring integrity and completeness of information? • Does it ensure only authorised personnel have access to information—including implementing a classification system? • Does it ensure users of information are aware of and observe all relevant laws and regulations? If the answer to any question is “No”.au 48 . • records are maintained in a useable format. as some may have expected. and it was not too difficult to reconstruct the information systems.gov. 4 For this document and further information see the National Archives of Australia website http://www.naa. The Council did not have a Business Continuity Plan. and • records are kept for as long as they are needed and for no longer. The biggest problem was that the fire burned a lot of vital records and historical artefacts beyond recovery and reconstruction.

For this reason. 1999 A checklist to assist with consideration of alternate processing contract arrangements can be found at Appendix 1 Case study An organisation had a maintenance agreement with a telecommunications provider. This organisation was only able to include a disaster recovery clause in their contract at a large additional cost. The following checklist can be used to ensure such continuity treatments are properly implemented.Business Continuity Management Arrangements with external parties It is necessary to formalise appropriate arrangements with vendor(s) selected as alternate suppliers. Checklist for evaluating implementation of external arrangements • Ensure for each treatment selected. the likely costs are the most commercially viable (ie. investigate other vendors in the marketplace) • Identify other requirements or changes that need to be made in order for the treatments to be effective • Changes to off-site storage procedures should be made as identified • Review contracts to ensure they demonstrate better practice for contract management as well as comply with internal guidelines for contract management • Finalise contracts Source: Deloitte Touche Tohmatsu Protech/IPS Methodology. the organisation did not renew its contract with its telecommunications service provider and changed to the more cost-effective provider that met their business continuity needs. 49 . Another service provider offered to provide services with no additional cost for the disaster recovery clause.

These procedures are based on the approved recovery treatments and alternate activities and resources identified and take into account the recovery readiness procedures and arrangements. Figure 9—Stages in recovery of business operations. as well as restoration and transfer of operations plans and guidelines as appropriate. The treatments to overcome identified disruptions need to address the stages necessary to complete recovery. The BCP addresses business disruption from the initial disaster response to the point at which normal business operations are resumed. operational recovery plans. 50 . • Interim processing: the period the organisation relies on alternate processes and resources. The business continuity plans produced should consist of detailed step-by-step procedures.Guide to Effective Control Prepare the Business Continuity Plan (BCP) Business continuity plans are a compilation of individual recovery or contingency plans. brought together with an overarching management plan to coordinate the lower plans. Each phase is defined as follows: • Response: the time from disaster declaration until critical systems and processes have been re-established using strategies documented in BCP. They may include disaster response plans that are service area specific. They should contain action-oriented procedures to be used by recovery teams. • Restoration: the period the organisation returns from using alternate processes and resources back to use of its usual established systems and business as usual. Activities necessary to restore primary facilities and return to normal operations should be addressed more in the form of guidance than by detailed action steps which can quickly become dated an lack context.

51 . can be found at Appendix 4 and Appendix 5. • Recovery plan support processes—processes necessary to support the management and technical recovery plans including human resource management and communication. respectively The roles and responsibilities of the Recovery Coordinator and the service area recovery teams. a team leader should be identified in the plan as being responsible for that area. The various layers in this structure are: • Recovery coordinator—coordinates the various teams below and reports directly to the CEO and Executive. • develop and integrate service area recovery plans. Figure 10—A generic structure for the recovery organisation CEO and Board Recovery Coordinator Management recovery plan Service area recovery teams People recovery team Communication plan Human resources plan Facilities recovery team A ccommodation plan Equipment plan Telecommunications recovery team Telephone. respectively For each recovery area.Business Continuity Management To produce a comprehensive BCP the following steps are recommended: • define the recovery organisation. Fax ect plan Network recovery plan Information systems recovery team Mainframe recovery plan PC recovery plan Checklists to assist in defining the roles and responsibilities of the Board and CEO. • Recovery and management teams—service area teams responsible for implementation of BCP and recovery of systems following an incident. can be found at Appendix 2 and Appendix 3. • define the recovery team. The recovery organisation Figure 10 provides a generic structure for the recovery organisation. whereas in a larger organisation it may need to be split into its component parts. In a smaller organisation in may be possible to have only one person responsible for all communications. • develop the over-arching management recovery plan. inventory lists and other references. and • collate contact lists.

if applicable • Contact Insurance Assessors to determine their requirements and coordinate their on-going liaison with all recovery teams • Minimise further losses and salvage recoverable resources • Provide assurance and information updates to staff not involved in the recovery effort • Prepare the recovery site Source: Deloitte Touche Tohmatsu Protech/IPS Methodology. Example: roles and responsibilities of key continuity players Chief executive • Brief Minister (and Board) on situation. if necessary • Contact the necessary staff required for the disaster (in the first instance) • Assist in establishing of the recovery site. facilities and equipment and report to the CEO and/or Board. and non-contradictory information • Ensure staff and stakeholders are made aware of the problems and the remedial action taken • Ensure Recovery Coordinator and Recovery Teams have the resources and support necessary to do their jobs Recovery coordinator • Decision to activate the BCP • Determine the recovery strategy for the given situation • Assess the extent of damage to building.Guide to Effective Control It may also be the case that the executive wishes to take the ministerial and media communication/liaison role. expected impact and recovery timeframe • Provide focal point for the organisation to ensure the media and public receive the correct. It is important to ensure all service areas are sufficiently covered to ensure that responsibilities and workload are evenly spread. if applicable • Coordinate media activities • Direct. 1999 52 . coordinate and monitor all recovery operations • Convene recovery status meetings with the CEO • Schedule subsequent recovery status meetings • Liaise with real estate agent.

furniture. Communication teams Following notification from Recovery Coordinator of disaster escalation: • facilitate communication between recovery coordinator and the teams designated focus group • convene status meeting with team members • provide regular updates to Recovery Coordinator • brief designated focus group on the disaster • continually keep designated focus group informed of changes to what they have been informed. and • provide regular updates to the Recovery Coordinator. liaising with other service areas. and • liaise with other recovery teams. 53 . and • respond to queries from designated focus group. Other service areas Following notification from Recovery Coordinator of disaster escalation: • contact the necessary staff required to their particular service area • convene disaster status meeting with team members • assist with disaster assessment as required • provide regular updates to Recovery Coordinator • complete recovery plan for their service area • determine requirements and coordinate acquisition of equipment. stationery and communications resources necessary for recovery.Business Continuity Management Example: roles and responsibilities of key continuity players (continued) Human resource team Following notification from Recovery Coordinator of disaster escalation: • contact the staff required for the human resource recovery team • convene status meeting with team members • continually assess and address human resource needs.

Leaders and members of a recovery team need the following personal attributes: • a good understanding of the organisation. People need to be the major focus of an outage. such as fire or emergency services. key business processes will cease. both groups must be aware of the possible disruptive consequences of some of their actions and inaction. for example. The make-up of the team may be based on consideration of an individual’s personal characteristics as much as of their position within the organisation. infrastructure and facilities may all be operational but if people cannot reach their work place. special training and testing of plans. Equipment. members of volunteer or paid public organisations. or perform their jobs. implementing and testing. people with second jobs. Personnel need to be identified for the teams defined in the recovery strategy. what is required of them in a contingency situation. • an ability to work well in teams. Part of each BCP project should include a clear understanding of the human resource impacts and the issues to take into account in planning. Larger and complex organisations may need to consider a number of teams (constituted. The roles in the recovery organisation need to ensure reporting lines and responsibilities are clear when the BCP is activated. a specialised organisational structure is established which varies from the organisation’s structure during periods of normal operation. • good people and communication skills. The team members participate in customising their responsibilities and procedures and testing their recovery plan. Management and employees must understand. and • the ability to work well under stress and balance competing priorities. For example. if the BCP calls for staff to pick up and move to another location. 54 . • respect within the organisation. People can be a major issue in successfully activating the contingency plan. part-time students.Guide to Effective Control The recovery teams During recovery. awareness programs. you may find that single parents and those incapacitated dependents. As well. This requires explicit communication and coordination through job descriptions. and be capable of carrying out. Small and non-complex organisations would only need one recovery team. on a functional or geographical basis) which would be coordinated by a small management team. may not be available.

they may assign the step to the recovery team members. All the steps required for recovery of a business process must be documented in order of priority.Business Continuity Management Service area recovery plans An outline of the recovery plan should be developed for each service area identified in the recovery strategy. The finance area recovery team’s plan would merely make reference to the fact that the information systems must be recovered and that is the responsibility of the information systems recovery team. the information systems recovery team—the steps for recovery of the information systems are not part of the finance area recovery team’s recovery plan. between team leaders. The steps to recover the information systems are included in the information systems recovery team’s recovery plan. team members and other teams) as well as timing and expected outcomes for each action. and recovery of the information systems is the responsibility of another team—say. A useful format for outlining service area recovery steps is: No. The plan should consider the people in the recovery teams and begin assigning individual responsibility for each action (ie. While the recovery team leader is responsible for ensuring a task is completed. The recovery steps also need to consider issues reflecting interaction with other service areas and recovery teams. 55 . A ction <Action Title> <Short description of action including references> Responsibility <Team Member name> Timing <Due Date> <Resource estimate> 2. Example: service area recovery plans If the finance area recovery team relies on recovery of the information systems. 3. The order of these steps should reflect the priority ranking for recovery and take into consideration any interdependencies between steps. Note: the person with responsibility for completion of a step in the recovery plan does not necessarily have to be the person who undertakes that step. 1.

It is usual to break each service area’s recovery plan into these steps as a means of coordinating all plans. In establishing the recovery steps for each service area it is important that communications. logical and environmental)? If the answer to any of the above questions is “No”. Source: Deloitte Touche Tohmatsu Protech/IPS Methodology. the action steps should be considered in three parts. the recovery plan(s) should be reviewed and amended to ensure there will be adequate communication following an outage and during recovery of operations. The next step should not commence until the previous step has been completed. are fully effective. 1999 56 .Guide to Effective Control As noted previously. Checklist: adequacy of communication and information flows Current plan Yes t No t Yes t No t Yes t No t • Is the Recovery Coordinator kept adequately informed throughout the recovery process? recovery process? recovery process? • Are the team members kept adequately informed of the • Are other interrelated teams kept properly informed of the • Are appropriate external parties/stakeholders kept informed (excluding those kept informed as part of the management plan) of the recovery process? up-front that their assistance may be called upon? Yes t No t Yes t No t Yes t No t Yes t No t • Are external and internal parties that are part of the process informed • Are human resource needs properly addressed? • Is part of the recovery process the re-implementation of controls (physical. including information flows. The following checklist outlines some key points to consider. Figure 1 1—A ction steps in recovery plan Note: at the end of each step in an actual recovery situation it is essential the Recovery Coordinator be briefed on the progress of the recovery effort.

As shown in Figure 12. it often becomes apparent that many of the recovery plans have some recovery steps in common. These steps should be integrated and assigned to one recovery team (usually that team which needs to complete that recovery step first). The other recovery teams should still include the recovery steps in their plan. as a whole. Hence. disaster declaration precedes the response to an outage. As well as combining the individual service area plans.Business Continuity Management Following completion. Figure 12—Disaster escalation The management recovery plan should also address the issues to which the organisation. based on organisation-specific information—the decision process is shown in Figure 13. The management recovery plan The management recovery plan combines individual service area recovery plans into one coordinated effort. noting that the responsibility for completing the step has been assigned to another recovery team. the management recovery plan contains the criteria for activating the plan. inform staff of outage). Declaration of a disaster is a generic decision. Figure 13—Decision process for declaration of a disaster Monitor progress w Event causing outage of key business process Determine how long before operations are expected to be restored Is restoration timeframe greater than maximum acceptable outage? w w w w No Yes Disaster declaration 57 . The recovery steps common to service areas should be combined into this plan (ie. the management recovery plan has an additional phase—disaster escalation. must respond following the disaster declaration.

The first step in the disaster declaration process is to determine how long it is before restoration of the business function can be expected.Guide to Effective Control Discussion: what constitutes a disaster? As noted in Part One of this Guide an outage is not just an event that reduces the effectiveness of systems. the communications plan might be effective in communicating an event to staff or the public. Continuing the court case example. It is possible for a management issue to turn into a continuity issue. but an event that is extraordinary. if the pay-out created cash flow problems. An example of what is NOT a disaster would be the case of a large legal action in progress or a resultant decision. it is a business issue not a continuity issue due to the fact that business processes are not affected. are they all identified? • Are all relevant insurance companies appropriately informed of the incident before disaster assessment takes place (some insurance is void if certain disaster assessments are carried out without the insurance company present or without their knowledge)? Yes t No t Source: Deloitte Touche Tohmatsu Protech/IPS Methodology. While there may be a resource. Guidelines to estimate the duration of an outage need to be established. if the issue begins to affect business processes. For example. Checklist: guidelines for estimating duration of an outage Current plan Yes t No t Yes t No t Yes t No t Yes t No t Yes t No t Yes t No t • Are the people involved in the disaster assessment process clearly identified? • Are notification procedures for those involved in the disaster assessment process clearly identified? • Are timeframes for the disaster assessment clearly identified? • Are safety procedures for disaster assessment identified in line with Occupational Health and Safety Standards? • Do outside parties need to be part of the disaster assessment? • If yes. The following checklist may assist in establishing guidelines to estimate the duration of an outage. 1999 58 . financial and public image impact (which may be regarded as a disaster to management). causes a loss of key business processes and has a high impact on the organisation. A disaster is an outage that exceeds the MAO. as may the information technology recovery plan may be effective in recovering a computer server that has failed. this might interrupt business processes and lead to business continuity issues. Individual components of the plan can be effectively utilised in non-disaster cases.

If inventory items have a limited life. This can be used to brief other recovery teams. and • complete staff lists with after hours contact details (if too large. It is essential these lists be kept up to date. This will assist in keeping the details up to date and simplify the maintenance of lists. 59 . this may become part of normal stores and distribution in the organisation. In the case of consumables. what information can’t we do without?). If this is not appropriate or practical. Inventory list An inventory of all materials needed for the BCP to be effective should be included as part of the plan.Business Continuity Management Other details There will be an array of other details to be included in the BCP. Contact lists to be established include: • emergency contact lists. Consider modifying the existing internal directory to accommodate the extra details required. It may be possible to obtain and store much of this material electronically to save on space and possible degradation. normal operating procedures should include responsibility for review of stored inventory and replacement with fresh stores. Other references Any other detailed references should be included. see Appendix 8. For an example event log. and the items stored offsite. • stakeholder contact lists. executive management and the media so there is a consistent description of the event. The minimum recommended requirements are discussed below. Comprehensive contact lists should be established and maintained. Contact lists Throughout the recovery process it will be necessary to contact a range of people and organisations. details of where to locate a copy). • recovery participant contact lists. recovery arrangements need to include arrangements to reprint paper versions when needed. An event log should be included which allows the recovery coordinator to record details of the event. Each organisation should analyse their needs (ie. Normal operating procedures need to assign responsibility for maintaining lists including updating the recovery versions. Event log The management recovery plan should also log the events for later debriefing and review. they should be included as part of the inventory and stored offsite. • recovery team contact lists. However.

The plan should simply start at the point the plan has been instigated and guide the reader through each step in the response and recovery process. and be presented with actionorientated points they can follow. the reader should be able to pick up the document having not read it (although it is preferable that they have). etc) as this was part of the development and approval process and should be stored on official files. or issues at each step. and • CEO 60 . There should also be sufficient room for the person carrying out the recovery process to place comments on timing. in conjunction with routine testing. It is recommended the Recovery Coordinator and management committee responsible for the BCP ensure this is undertaken. Checkpoint Upon completion of the plan it must be reviewed and signed-off. A suggested list for review and signoff might include: • internal audit • audit committee • BCP steering committee • senior executives. The example opposite illustrates a suggested structure for the BCP.Guide to Effective Control Format and contents of the BCP The format and content of the BCP is extremely important. The BCP does not need to contain contextual information (eg. background. with references contained in the back. In a disaster situation. executive summaries. Quality assurance A series of checklists is included at Appendix 6 to assist in the quality assurance of the BCP development Quality assurance reviews of the BCP during its preparation and throughout its life are recommended to ensure its content remains relevant. This will allow the recovery process to be critically reviewed as well as used as a source for debriefing staff on the issues that arose.

Business Continuity Management Example: suggested structure for a business continuity plan Part 1 Cover page Information contained t Title t Concise statement of objective of continuity plan t Organisational signoff 2 3 4 Table of contents Event log Management recovery plan t Contents of document t Event log page to be filled in by Recovery Coordinator after an outage t Disaster escalation process t Team assembly arrangements t Recovery phase steps t Interim processing phase steps t Restoration phase steps 5 Service area recovery plans t Recovery phase steps t Team assembly arrangements t Interim processing phase steps t Restoration phase steps 6 7 Referenced procedures Technical recovery items t Telephone re-direction procedures t Outsourced vendor agreements t Server configurations t Communication configurations t Pre-written programs for IT recovery 8 Contact lists t Internal contact lists t Emergency services contact lists t External/stakeholder contact lists t Staff contact lists 9 10 11 Inventory Limitations Testing and maintenance t Supply inventory t Additional resources/budget required t Limitations under which the plan was developed (refer Appendix 7 for an example set of limitations) t Schedule of testing to be performed t Review/update timetables and deadlines (refer to step 6 for information on testing and maintenance) 61 .

An approach may be to set the scene at the first hour. Each recovery team explains the process they would go through in recovering their operations. For example. 1997. has itself created an outage and major disruption to business. Test the plan Busines Continuity Plan v • Establish recovery teams • Document service area recovery steps • Obtain contact and inventory lists • Document recovery management process v No matter how well designed and thought-out the BCP may seem. It is important each component be individually tested. asking: • “Where would you obtain that information?”. January 22. This test requires checking all required data. It is not recommended the BCP be tested as a whole as this would be resource intensive and may affect normal operations. Business Continuity Planning: Maintaining Good Testing Practices. the first day. the corresponding processes and resources and an agreed priority for recovery. or • “Isn’t that process dependent on the completion of another activity?” There are several approaches that may be adopted to test the plan. © GartnerGroup.Guide to Effective Control Step six: test and maintain the plan Review of the BCP is essential to ensure it reflects the organisation’s objectives. Testing and maintenance of the recovery process documented in the BCP will provide management assurance that the plan is effective—that is. C. Paper—ensures there is adequate capacity and availability of resources when the BCP is activated. to the point of access to a temporary site. The service area recovery and management recovery parts of the BCP should be tested together. InSide GartnerGroup This Week (IGG). it will ensure continuity of business should key functions be lost. supplies and/or other hardcopy documents (as documented in the BCP) are actually backed up and correctly stored off-site. Gooding. realistic and robust testing will reveal areas requiring attention. The test requires calculating requirements such as floor space. The other teams challenge the approach and point out any weaknesses detected in the plan. air conditioning and power requirements for the equipment to be used when the BCP is activated. its key business functions. you should examine the adequacy and realism of your tests. If test results are flawless. The major components of the BCP should be tested annually and updated based on the results of each test. Test Plan Regular testing is necessary to maximize the chances of a successful plan in the event of a disaster and should familiarize the [Information System] organization with an unexpected interruption of critical applications — A business continuity plan is only as useful as effective testing proves it to be. Manual verification—ensures the required recovery material is available as stated in the BCP. Testing can be disruptive—it requires commitment from management to ensure sufficient resources are available. 1999 62 . It has been the case that testing the whole BCP at once.

To conduct this test.Business Continuity Management Supply validation—validates all supplies required will be available in the event of a disaster. equipment and services availability test—ensures information and lists of the forms. • The tests should be conducted. on a rotating basis. • The Recovery Coordinator notes the time the calling process starts and the time at which each team member was contacted. address and key vendor contracts. at the following times: during normal work hours. and during the weekend. They would verify whether the listed supplies. The test compares the list of forms and supplies used during a test to the items documented in the BCP to ensure the list is complete and that an adequate supply will be available. Unannounced recovery team assembly—ensures the lists for mobilising recovery teams are up to date and the teams can be mobilised in the required time. • they each work through their recovery team plans paying particular attention to the interaction with other teams. equipment. inventories and associated vendor contact details are accurate. • The Recovery Coordinator will report on the test results. • Team members do not actually need to assemble. Supplies. Structured walk-through—ensures the BCP procedures are adequate. This lead time should be compared to the expected lead time in the BCP. The test requires the Recovery Coordinator to develop a disaster scenario and lead the service teams through a mock recovery. The test is conducted as follows: • all team leaders meet in a room to be given the scenario. supplies. one or more teams with critical support vendors would contact each vendor on their list to ensure that all information is accurate including phone number. and • issues identified should be immediately noted by the Recovery Coordinator. during lunch time. equipment or services are available for delivery or what the current lead time is. after normal work hours on a weekday. 63 . The test is conducted as follows: • The Recovery Coordinator contacts number of team members on the notification contract list.

reproduction and redistribution) • Maintain the BCP distribution lists • Schedule and coordinate the BCP tests At regular intervals (eg at least annually): • Maintain respective service area team procedures • Maintain the reference information that is part of the service areas’ BCP procedures • Participate in BCP testing End users should: • ensure information necessary to continue critical functions. is stored offsite as part of the BCP • participate in contingency plan training • participate in contingency plan testing Source: Deloitte Touche Tohmatsu Protech/IPS Methodology. annually at a minimum • Coordinate review and approval of changes to the BCP • Coordinate BCP training • Perform administrative aspects of updates to the BCP (ie. and • the Recovery Coordinator should determine testing requirements and schedule a test. When any component of the BCP is affected. • the BCP should be modified by the appropriate service area to reflect the change. Ongoing responsibilities should be defined to ensure appropriate BCP maintenance. 64 . Responsibilities for various aspects of BCP maintenance are also established. if necessary. 1999 Recovery teams responsible for undertaking steps documented in the BCP to recover identified systems End Users need to ensure they are aware of the contents of BCP and how it affects them A BCP is easily maintained if changes in the business and/or data processing environment initiate reviews and update the BCP. • the effect of the change should be evaluated using a BIA focussing on the new component(s) and any new interrelationships which occur. for which they are responsible.Guide to Effective Control Maintain the plan Individual recovery team plans must be continually maintained to provide support for business continuity. the following steps should be taken: • the Recovery Coordinator should be notified of the change. Administrative procedures and guidelines should be developed to provide for periodic testing and documentation maintenance of the service area recover plan(s) and ongoing training. coordinates the recovery teams and liaises with the CEO and Executive Responsibilities At regular intervals (eg at least six monthly): • Maintain alternate processing site contracts/agreements • Coordinate regular review of the BCP documentation. The following groups have specific BCP maintenance responsibilities: Role Recovery Coordinator manages the BCP.

8. 68 3. 71 5. Alternate processing service contract considerations Roles. responsibilities and a checklist for the Chief Executive Officer Role and responsibilities of the Recovery Coordinator Roles and responsibilities of the service area recovery teams Checklists for quality assurance of BCP development Limitations of BCPs Event log Checklists for review of off-site backup procedures 66 2.Business Continuity Management Appendices Appendices 1. 9. 85 65 . responsibilities and a checklist for the Board and audit committee Roles. 73 82 84 7. 72 6. 69 4.

Guide to Effective Control Appendix 1 Alternate processing service contract considerations Checklist: alternate processing service contract considerations Task General Issues The description of the alternate processing facilities should indicate adequate physical security and appropriate environmental controls Availability of alternate vendor sites and the rights of individual subscribers in the event of multiple disaster declarations should be specified Amount of nature of support services the vendor will provide should be defined relative to: • implementation assistance • support for testing • logistical support. and • after hours support The vendor should have limits relative to the total number of clients that may subscribe to any given facility The vendor cannot renew (except by automatic renewal clause) or renegotiate the contract while the subscriber is experiencing a disaster or in recovery phase The amount and scheduling of test time should be defined Subscriber should have the right to periodically audit the installation to ensure that the specified configuration is maintained An escape clause should allow the subscriber to terminate the contract without penalty for any of the following reasons: • failure to maintain technical compatibility • failure to provide agreed support services • failure to maintain suitable environmental support. and • any breach of contract The contract should provide an annual window of opportunity to terminate without penalty The monthly fees should not be subject to change without the written consent of the subscriber The contract should not be assignable without written consent The vendor should be subject to appropriate consider non-disclosure conditions Yes t No t Yes t No t Completed Yes t No t Yes t No t Yes t No t Yes t No t Yes t No t Yes t No t Yes t No t Yes t No t Yes t No t Yes t No t 66 .

and • logistical support. equipment acquisition. 1999 67 .Business Continuity Management Checklist: alternate processing service contract considerations (continued) Task IT Recovery Specific Issues Definition of the backup capability of the vendor site should be clear and consistent throughout the contract Occupation of the hot site for a minimum of six weeks Conditions under which the subscriber can continue to occupy hot site facilities after the six week period should be defined The number and description/type of locally attached terminals and/or other devices available while on-site should be defined. this is particularly important for data entry requirements Continuing technical compatibility should be assured throughout the life of the contract The contract should specify a guarantee of access to the hot site (including after hours access) during period of disaster and recovery The nature and extent of IT support services to be provided by the vendor has been defined relative to: • network diagnostic capabilities and implementation assistance • support for testing activities • assistance in configuring facilities (ie. food services). documentation. ancillary facilities (ie. removal and return) • access and use of vendor software. transportation. photocopying. storage. Yes t No t Yes t No t Yes t No t Completed Yes t No t Yes t No t Yes t No t Yes t No t Source: Deloitte Touche Tohmatsu Protech/IPS Methodology.

Guide to Effective Control Appendix 2 Roles. Y2K projects) and business continuity fully used? Are internal and external audit recommendations regarding BCP properly followed up? Are the maximum acceptable outages (MAO) determined as part of the business impact analysis in line with the audit committee’s understanding of the business? Are the recovery strategies recommended appropriate given other business initiatives? As part of the review of the internal audit strategic and annual work plans is business continuity and more specifically. 1999 68 . responsibilities and a checklist for the Board and audit committee Roles and responsibilities • Ensure governance framework supports business continuity • Ensure approach to risk management support strategic goals of organisation Task Is the scope of the business continuity process appropriate given the organisation’s circumstances and risk management strategy? Is BCP properly coordinated to take into consideration other risk management initiatives? Are synergies between other risk management initiatives (ie. business continuity testing and maintenance properly addressed? Are business continuity initiatives properly communicated to all levels of management and across the organisation (this is an important part of any successful business continuity project)? Completed Yes t Yes t Yes t Yes t No t No t No t No t Yes t Yes t No t No t Yes t No t Yes t No t Source: Deloitte Touche Tohmatsu Protech/IPS Methodology.

by internal audit)? Are the BCPs linked to the emergency management plans for the organisation? Completed Yes t Yes t No t No t Yes t Yes t Yes t Yes t Yes t Yes t Yes t Yes t Yes t Yes t No t No t No t No t No t No t No t No t No t No t 69 . has the person been provided with adequate training and resources to perform the role? Has the organisation’s BCP been subject to independent review (eg. expected impact and recovery timeframe • Provide a focal point for the organisation to ensure the public and media receive the correct. carefully analysing and assessing risks and potential benefits before authorising new ventures or significant changes? Does the BCP complement the organisation’s corporate governance and risk management framework? Is the organisation responsible for providing a unique service to the public or the Government? If yes. and non-contradictory information • Ensure staff and stakeholders are made aware of the problems • Ensure Recovery Coordinator and Recovery Teams have the resources and support necessary to do their job Task Have management and staff adopted an attitude of continuity management planning which ensures that a positive control environment is maintained? Does the organisation regularly communicate the organisation’s vision. responsibilities and a checklist for the Chief Executive Officer Roles and responsibilities • Brief Minister and Executive Board on business interruption event.Business Continuity Management Appendix 3 Roles. what would the implications be if the service were unavailable for an extended period of time? Are BCP practices and procedures in place to ensure timely decision making during a disaster and to instil accountability into staff? Does a business impact analysis exist that identifies the recovery timeframes of the critical business processes? Does the organisation have a person identified that is responsible for BCP? If so. goals and objectives to staff members? Does management take a balanced approach to risk taking.

or changes in organisational focus and direction or changes to business resources (personnel. does it reflect the current and future needs of the organisation? Have the current and future BCP needs been formally evaluated as part of the organisation’s overall corporate governance arrangements? Has the organisation undergone considerable organisational change. 1999 70 . and communication)? When were the continuity plans last tested? What were the results of the tests? Completed Yes t Yes t Yes t No t No t No t Yes t No t Date: __/__/__ Were recommendations for change or improvement taken up and tested? Yes t No t Source: Deloitte Touche Tohmatsu Protech/IPS Methodology.Guide to Effective Control Task (continued) Is there a process in place for BCP review? If the organisation has a BCP. information technology. facilities.

coordinate and monitor all recovery operations • Convene recovery status meetings with the Executive • Schedule subsequent recovery status meetings • Liaise with real estate agent.Business Continuity Management Appendix 4 Role and responsibilities of the Recovery Coordinator • Decision to activate the BCP • Determine the recovery strategy for the given situation • Assess the extent of damage to building. if applicable • Contact Insurance Assessors to determine their requirements and coordinate their on-going liaison with all recovery teams • Minimise further losses and salvage recoverable resources • Provide assurance and information updates to staff not involved in the recovery effort • Prepare the recovery site • Schedule and conduct test of the BCP 71 . facilities and equipment and report to the CEO. if necessary • Contact the necessary staff required for the disaster (in the first instance) • Assist in establishing of the recovery site. Executive and/or Board. if applicable • Coordinate media activities • Direct.

stationery and communications resources necessary for recovery. Communications team Following notification from Recovery Coordinator of disaster escalation: • facilitate communication between recovery coordinator and the teams designated focus group • convene status meeting with team members • provide regular updates to Recovery Coordinator • brief designated focus group on the disaster • continually keep designated focus group informed of changes to what they have been informed. Other service areas Following notification from Recovery Coordinator of disaster escalation: • contact the necessary staff required for their particular service area • convene disaster status meeting with team members • assist with disaster assessment as required • provide regular updates to Recovery Coordinator • complete recovery plan for their service area • determine requirements and coordinate acquisition of equipment. and • respond to queries from designated focus group. 72 . and • liaise with other recovery teams. and • provide regular updates to the Recovery Coordinator. liaising with other service areas.Guide to Effective Control Appendix 5 Roles and responsibilities of the service area recovery teams Human resource management team Following notification from Recovery Coordinator of disaster escalation: • contact the staff required for the human resource recovery team • convene status meeting with team members • continually assess and address human resource needs. furniture.

provides a quick reference point for ensuring the plan has sufficient detail. including staff resources. The Chief Executive or management committee responsible should formally approve the plan.Business Continuity Management Appendix 6 Checklists for quality assurance of BCP development The BCP plan proposal The business continuity project plan should adequately describe the project. In addition. and the resources required. a suggested format for a project plan is described at Step one of the Workbook. 1999 73 . required for the project Set project timeframes and deliverables for tasks Plan is formally approved by appropriate management committee Completed Yes t Yes t Yes t Yes t Yes t Yes t Yes t Yes t No t No t No t No t No t No t No t No t Source: Deloitte Touche Tohmatsu Protech/IPS Methodology. the project team and its responsibilities. Checklist: developing the business continuity project plan Task Document the project’s objectives Define and document the project’s scope and any limitations Explain any assumptions made Detail members of project team Assign responsibility for project tasks Present the budget. The checklist below. its objective and scope.

Checklist: ensuring all key business functions. To ensure the BIA is complete each business unit or service area needs to identify the processes for which they are responsible and then determine which of these are critical to the organisation achieving its objectives. to the project steering committee Yes t No t Consider interdependencies that exist between areas Yes t No t Source: Deloitte Touche Tohmatsu Protech/IPS Methodology. ranked in order of priority to determine recovery priorities. activities and resources The BIA needs to assess the impact of an outage to all key business processes. again. It ranks these processes in order. Ensure all resources groups are identified (ie. These key business processes should then be ranked in order priority to the business (thus indicating their recovery priority) and the activities and resources of each process should be similarly ranked. with their respective ranking. business support processes) Completed Yes t No t Yes t No t Yes t No t Yes t No t Yes t No t Yes t No t Yes t No t Yes t No t Yes t No t Formally communicate the list of key business processes and supporting processes and resources. people. telecommunications. processes and resources are identified and included in the BIA Task Document and confirm organisational objectives. information systems. to determine recovery priorities and identifies the activities and resources which comprise each process. facilities. 1999 74 . outputs and performance criteria List all business processes which underpin achievement of objectives and delivery of outputs Rank the processes in order of importance to the organisation’s objectives and exclude those processes considered not key to achieving the objectives Review the functional organisation chart to identify general areas of operational responsibility Interview managers responsible for key business functions to confirm understanding of business processes Meet with service area management and support personnel to gain an understanding of each function included in the scope Obtain any supporting documentation that is available which would provide a summary of key business functions Document the activities and resources essential to each key business process.Guide to Effective Control Identifying key business processes.

As the key business processes are made up of activities and resources. it is actually about making an assessment about the time you can be without the activities or resources before the key business process would fail. The BIA establishes the Maximum Acceptable Outage for each activity and resource that supports the key business process—the MAO should reflect and confirm the priority ranking made in the earlier step. 1999 Completed 75 .Business Continuity Management The BIA The BIA determines the length of time the organisation can be without key business processes before remedial action must be taken. Checklist: analysing each key business function for a BIA Task Evaluate the impacts of a loss of the function from the perspective of the organisation’s budget and outcomes and outputs—consider: • loss of revenue/increased expense • service delivery standards • public or political embarrassment • loss of client confidence • loss of management control • financial misstatement • regulatory. and • political ramifications Identify the critical success factors that ensure the function meets the organisations objectives Identify the processes and resources which underpin the key business functions Identify additional expenses incurred if process(es) are performed manually or in a substitute manner during an outage Identify interim processing procedures (alternative or manual processing) techniques to be adopted during the recovery phase Estimate the time it will take to overcome the backlog of work accumulated during the outage Quantify the minimum resource requirements necessary to perform the function Identify the records vital to the recovery process Evaluate the adequacy of current BCP in place Yes t No t Yes t No t Yes t No t Yes t No t Yes t No t Yes t No t Yes t No t Yes t No t Yes t No t Source: Deloitte Touche Tohmatsu Protech/IPS Methodology. statutory or contractual liability • specific/unique vulnerabilities.

providing ongoing cost savings as an outcome of this process. with recovery priorities and the MAO. 1999 Completed Yes t No t Yes t No t 76 . quality and.Guide to Effective Control Selecting alternate activities and resources To select alternate activities and resources to be used during an outage. most importantly (considering the MAO) timeliness. An added benefit of this process it that it may identify better activities and resources than those currently in place. Consider: • Does the option meet the recovery needs? • Does the option exceed our needs? Yes t No t Yes t No t Source: Deloitte Touche Tohmatsu Protech/IPS Methodology. consideration of all viable options is paramount. Checklist: selecting process and resources alternatives Task Document a brief description of each viable option Determine other resources required and the costs for each option (this may require information from vendors) Compare recovery options. including cost. This consideration encompass each options ability to substitute for the lost activities and resources in terms of cost.

some proactive measures will need to be established to ensure relevant resources are available if the BCP is activated. ensure they are developed Interview personnel responsible for implementation of backup procedures to see if procedures are being adhered to Document key elements of the off-site backup procedures for inclusion in the appropriate sections of the contingency plan Analyse off-site backup processing procedures and document concerns Schedule review of off-site storage facility Partial recovery from off-site facilities has been tested Completed Yes t No t Yes t No t Yes t No t Yes t No t Yes t No t Yes t No t Yes t No t Note: A better practice checklist for off-site storage is included in Appendix 9. This can be used as the basis for analysing issues with off-site backup processing.Business Continuity Management Evaluating backup processing and off-site storage For a BCP to work. Source: Deloitte Touche Tohmatsu Protech/IPS Methodology. if they exist. 1999 77 . Backup processing and off-site storage are fundamental to most business processes today—the checklist below provides a list of issues to consider when reviewing the requirements for the BCP Checklist: evaluating backup processing and off-site storage Task Ensure all resources required for the selected strategies are stored offsite Review documented off-site backup processing standards and procedures. If standards and procedures do not exist. and work reliably. Fundamental to recovery from an outage is access to record and information—both electronic and physical.

1999 78 . the likely costs are the most commercially viable (ie. The BCP will rely on the selected continuity strategies being in place prior to finalisation of the BCP. The checklist below will provided assistance in ensuring the identified continuity strategies have been implemented. Checklist: ensuring continuity strategies are properly implemented Task Ensure for each strategy selected. investigate other vendors in the marketplace) Identify other requirements or changes that need to be made in order for the strategies to be effective Changes to off-site storage procedures should be made as identified Review contracts to ensure they demonstrate better practice for contract management as well as comply with internal guidelines for contract management Finalise contracts Completed Yes t Yes t Yes t Yes t Yes t No t No t No t No t No t Source: Deloitte Touche Tohmatsu Protech/IPS Methodology.Guide to Effective Control Implementing continuity strategies It is essential that the selected continuity strategies are implemented properly and tested.

Following declaration of a disaster. information on implementation of alternate activities and resources. recovery of lost systems and the next stage of the plan to be implemented.Business Continuity Management Evaluating the level of communication in the BCP When activated. The following checklist can be used to ensure the communication in the service area plans and the management plan is adequate. etc Ensure the recovery process addresses re-implementation of routine controls (physical. Checklist: ensuring communications and information flows in service area recovery plans are adequate Task Ensure the BCP has communication flows which the enable the Recovery Coordinator to be kept adequately informed by the service area recovery teams throughout the recovery process The BCP ensures service area recovery team members are kept adequately informed of where the organisations is in the recovery process Ensure service area recover team working to recover interrelated business processes are kept properly informed of the recovery process and keep other team informed of their progress Ensure service areas keep appropriate external parties and stakeholders informed (not including parties/stakeholders that would be kept informed as part of the management plan) of the recovery process Ensure external and internal parties included in BCP are informed immediately that their assistance may be called upon Ensure all human resource needs are properly addressed. needs to be concurrently available to all recovery teams. the success of a BCP will rely heavily on open communication and sharing of relevant information. 1999 79 . Consider: OHS. counselling and other support lines of communication. logical and environmental) Completed Yes t No t Yes t No t Yes t No t Yes t No t Yes t No t Yes t No t Yes t No t Source: Deloitte Touche Tohmatsu Protech/IPS Methodology. senior management and affected staff.

1999 80 . Consider: OHS. etc Ensure the recovery process addresses re-implementation of routine controls (physical.Guide to Effective Control Checklist: ensuring communications and information flows in the management plan is adequate Task Ensure the BCP communication flows keep underlying service area recovery teams informed throughout the process Ensure the executive is kept properly informed throughout the process Ensure are appropriate external parties/stakeholders are kept properly informed throughout the process Ensure the BCP provides specific protocols for media liaison and management Ensure external and internal parties included in BCP are informed immediately that their assistance may be called upon Ensure all human resource needs properly addressed. lines of communication. logical and environmental) Completed Yes t Yes t Yes t Yes t Yes t Yes t Yes t No t No t No t No t No t No t No t Source: Deloitte Touche Tohmatsu Protech/IPS Methodology. counselling and other support.

1999 81 . a disaster is declared and the BCP is activated.Business Continuity Management Disaster assessment The BCP need to outline the steps and issues that need to be considered when assessing the impact of a disaster. The Recovery Coordinator must be able to advise the Chief Executive and senior management on the impact of an outage and assess the time the business process may be affected—if the MAO is exceeded. Checklist: developing the disaster assessment guidelines Task The BCP clearly identifies the people involved in the disaster assessment The notification process for those involved in the disaster assessment is clearly identified in the BCP The timeframes for the disaster assessment are clearly identified in the BCP Safety procedures for disaster assessment identified in the BCP are in line with Occupational Health and Safety requirements The outside parties which are part of the disaster assessment process are identified in the BCP along with their contact details Steps are in place to inform all relevant insurance companies are appropriately informed of the incident before or during the disaster assessment taking place (some insurance is void if certain disaster assessments are carried out without the insurance company present or without their knowledge) Completed Yes t Yes t Yes t Yes t Yes t No t No t No t No t No t Yes t No t Source: Deloitte Touche Tohmatsu Protech/IPS Methodology.

public utilities. the transportation infrastructure or other facilities and/or services ordinarily available (Note that this excludes an electrical distribution failure) • Transactions lost between the point of the most recent backup and the disaster event cannot be reconstructed and re-entered to computer systems within the maximum allowable outage period • Periodic testing of the BCP not is conducted • Critical systems are not periodically evaluated and their minimum essential features can not be provided for a disaster • A complete listing of production files and their location on backup tapes is rotated off-site with adequate frequency • The organisation may experience voluntary or involuntary separations of employment or relationship with any employees.Guide to Effective Control Appendix 7 Limitations of BCPs The BCP should recognise the factors that may limit recovery from a business interruption event. or other vendors between the occurrence of the disaster event and complete recovery • Off-site storage locations are not intact and accessible • Off-site information backup and rotation procedures are inadequate to implement full recovery within maximum allowable outage time frames • Daily transactions needed to reconstruct critical data are not rotated off-site with adequate frequency Facilities 82 . These factors should be documented in the BCP to ensure they are brought to attention of management. Example: factors which may limit recovery from a business interruption event Resource People Possible limiting factors • Insufficient number of personnel possessing the appropriate skills available to implement business continuity operations • Critical operations and systems documentation for each platform are not stored off-site • Insufficient number of qualified personnel will be available to perform user tasks during the recovery phase • Personnel who play a role in recovery are unaware of their responsibilities and have not been adequately trained to perform the recovery tasks • Staff support areas are not prepared to support the recovery operation • The Recovery Plan will NOT cover any event which simultaneously renders both the primary and all alternate data centre facilities inoperable • The Recovery Plan will NOT cover any event which simultaneously renders the data centre inoperable and the essential off-site storage inaccessible • The disaster that renders the data centre inoperable may impact large geographic areas. suppliers.

required • The organisation lacks access to a fully configured second processing site sufficient in capacity to support data processing for essential business functions with critical application support needs • Critical users do not have the ability to reconstruct any lost work-inprogress • Critical users do not have recovery plans developed to be able to process at the alternate processing facility Business Processes and Resources • The organisation has adequate financial resources to implement the contingency plan according to the time frames established by the business impact analysis • Inadequate maintenance of all business continuity procedures is performed • No ongoing effort to minimise exposures to disasters will continue and operations/ systems vulnerabilities • Designated user representatives are not promptly notified if a disaster occurs 83 . fax. etc.Business Continuity Management Example: factors which may limit recovery from a business interruption event (continued) Resource Possible limiting factors Ready access to public network Untimely access to replacement mobile phones Delay in re-routing critical phones number to new location Lack of access to other communications hardware (eg. pagers. email connections.) Telecommunications • • • • Information Systems • Lack of alternate processing facilities available as and when.

This form should be adapted to suit the specific requirements and structure of the organisation. Example: a business interruption event log Event Log: Initial Notification: Disaster Declared (Please Tick) Date: Time: Notified by: Estimated Time to Event Resolution Days: Disaster Declared: Date: Time: <RECOVERY SITE ADDRESS> A uthorised by Recovery Site Hrs: Briefly describe the event: t or Standby Requested t ? 84 . The Recovery Coordinator should complete this Event Description shortly after notification of a disaster. The event log may also be a useful tool for the Recovery Coordinator to use during BCP tests to record the scenario set and the outcomes of the test results.Guide to Effective Control Appendix 8 Event log During a business interruption event it is important to record important information and decisions which were made during the outage. The form is used to record the facts and wording of the disaster declaration statement to allow the Recovery Coordinator to relay accurate information to other members of the team and as a means of review after the event. The following example shows the information the Recovery Coordinator should collect in the case of a business interruption event. This information provides an important input to revising the BCP by incorporating actual event experiences in the plan.

1999 85 . manual receipts. cheque blanks#. identify the triggers for adding/replacing/deleting off-site backup items Identify persons responsible for determining what is to be backed up Identify persons responsible for review and approval of changes/terminations of off-site backup items Determine if an inventory of items is available and how the inventory is maintained Determine whether a hardcopy of the off-site backup inventory is stored off-site Yes t No t Yes t No t Yes t No t Yes t No t Yes t No t Source: Deloitte Touche Tohmatsu Protech/IPS Methodology. which will enhance security of these forms Completed Yes t No t For each of the categories of items identified as being backed up. and • equipment # It may be possible to make special arrangements with your bank. etc) • supplies. including guaranteed delivery time.Business Continuity Management Appendix 9 Checklists for review of off-site backup procedures Checklist for review of non-IT off-site backup procedures Area for Review Identify all categories of off-site backup addressed by the procedures. Consider: • hard copy documentation • forms (application forms.

Guide to Effective Control

Checklist for review of IT off-site backup procedures Area for Review Identify all types of files being backed up off site. Consider: • system software: - operating systems - support software - utility packages - communications software, and - Job Control Language (JCL), etc. • application software: - source libraries - production libraries (Executable Code) - data dictionary files - Job Control Language, etc, and - production data disk files and databases • user files: - on-line documentation - Production Scheduling - computer operations documentation (eg. recovery/restart), and - application system/program documentation • archival files For each of the categories of items identified as being backed up, identify the method(s) of backup. Consider: • full saves (entire file or database backed up) • incremental saves • production job stream • on request by user • application nightly backup batch run, and • special job stream Yes t No t Yes t No t Yes t No t Yes t No t Yes t No t

86

Business Continuity Management

Checklist for review of IT off-site backup procedures (continued) Area for Review Determine the backup frequency and number of cycles retained off-site for each category of backup Identify persons responsible for determining what is to be backed up Identify persons responsible for review and approval of changes/terminations of off-site backup cycling Note the reason(s) why any types of files are not being backed up off site Determine if backup procedures are applied application by application or to an entire category of applications such as those designated critical Completed Yes t No t Yes t No t Yes t No t Yes t No t Yes t No t

NOTE: When the term “application(s)” is used above, it refers to operating system software, support software, utilities, and communication software in addition to end user business applications.

Identify the tool(s) used for identifying and recording off-site backups. Consider: • tape library management software packages • manual logs • special program/system with manual input, and • special program/system with automated input Determine if vendor provided software products are used to perform backups If a third party provides off-site storage, does the existing contract for retrieval and recovery of storage media match the requirements of the BCP? Yes t No t Yes t No t. Yes t No t

Source: Deloitte Touche Tohmatsu Protech/IPS Methodology, 1999

87

Guide to Effective Control

88

.

Business Continuity Management Business Business Continuity Continuity Management Management Workbook Guide to Effective Control—January 2000 1 .

gov. Requests and inquiries concerning reproduction and rights should be addressed to: The Publications Manager Australian National Audit Office GPO Box 707 Canberra ACT 2601 Information on Australian National Audit Office publications and activities is available on the following Internet address: http://www. for any consequences incurred. and to the maximum extent permitted by law. 2000 This work is copyright. its officers and employees are not liable. exclude all liability (including in negligence) in respect of the Guide and the accompanying Workbook. The accompanying Guide deals with business continuity management within a risk management framework. Apart from any use as permitted under the Copyright Act 1968. without limitation.Guide to Effective Control Better practice The Australian National Audit Office produces better practice guides as part of its integrated audit approach which includes information services to audit clients. A Better Practice series has been established to deal with key aspects of the control structures of entities—an integral part of good corporate governance.au Disclaimer The Auditor-General. This Workbook forms part of that series. or any loss or damage suffered by an organisation or by any other person as a result of their reliance on the information contained in this Workbook or resulting from their implementation or use of the accompanying Guide. Designed by Art Attack Pty Ltd Canberra Printed by Pirie Printers Canberra 2 .anao. ISBN 0 644 39018 2 © Commonwealth of Australia. the ANAO. no part may be reproduced by any purpose without prior written permission from the Australian National Audit Office.

Worksheet for key business processes identification and business impact analysis 2. Worksheet for evaluation of recovery treatment options Project initiation Key business processes identification Business impact analysis (BIA) Design continuity treatments 5 6 8 11 15 18 20 3 .Business Continuity Management Contents Contents Introduction Step one: Step two: Step three: Step four: Appendices 1.

Guide to Effective Control 4 .

The Workbook may be completed individually or be used as the basis to facilitate group sessions. 5 .Business Continuity Management Introduction Introduction This Workbook is designed to assist organisations in the development of a comprehensive business continuity plan. It is recommended that users of this Workbook first familiarise themselves with the concepts and processes discussed in the Guide. The results from this Workbook can be used by the Business Continuity Project Manager to develop a Business Continuity Plan. The content of the Workbook comprises of general guidance. • establishing a maximum acceptable outage for each key business process. It is intended that the steps in the Workbook be followed sequentially. It is designed to lead operational and service area staff through the process of: • identifying key business processes. The structure of the Workbook is based on the steps detailed in the Business Continuity Management Better Practice Guide published by the Australian National Audit Office. These should be adapted as required to ensure that key information and decisions are fully documented. and • designing appropriate cost-effective treatments in the event of an outage. examples and worksheets.

1 Objective of the project Detailed objectives and outcomes of the major steps below 3.2 Contracting considerations (if expert contractors are engaged) 3. The following outline is a suggested structure for this plan.1 Background/Introductions Why is the project being conducted? 2. If a plan has been completed.x Phase (for each phase of the project) 6 . Business objectives 2. Introduction 1.Guide to Effective Control Step one: Project initiation A plan should be prepared to manage the business continuity project.1 General requirements Project sponsor Project manager Business unit involvement Primary contractor Intellectual property Project reporting Variations to cost Warranty Rights Objective of the phase The steps involved The outcomes for the phase Organisational resources that will be allocated to the project team The project team’s roles and responsibilities Reporting requirements for the phase 3. 1. Requirements specification 3. insert it in this section.

acceptance and implementation of recommendations Chief Executive. Project Steering Committee.3 Service provider/contractor responsibilities 7 . Project Manager. sign-off phases. Project budget and administration 5.1 Project reporting How will the project team report to the Organisation? What information the project team will provide? Status of the project Percentage completed Expected deliverables Issues for note or action Tables listing the deliverables and receivables that are required to meet the objectives of the project Staff resources Contract resources Sources of funds Change control Resources and payment plan linked to deliverables Resources constraints Critical success factors Approvals for budget.2 Administration 6.Business Continuity Management 4. Project deliverables and milestones 4.1 Budget 5.1 Responsibilities 6.2 Deliverables and milestones 5.2 Project hierarchy 6. Roles and responsibilities 6. Project Team(s) reporting to Project Manager Expectations and deliverables of the service provider 4.

The identification of key business processes may already have been completed in other risk management and business planning activities undertaken in the organisation. The Organisation’s Corporate Plan. If this is the case. map all of the business processes undertaken within the business unit or service area. the overall organisational objectives. Identify business processes For each business objective.Guide to Effective Control Step two: Key business Step two: Key business processes processes identification identification Introduction Business processes are made up of the activities undertaken within each process and the resources consumed by. The objectives for each business unit should support. quantity and/or quality dimension. The structure of many organisations mirrors the strategic. cost. Instructions for completing the worksheet (Appendix 1) 1. and be consistent with. 8 . operational and support business processes that are critical to the production of organisational outputs and hence fulfilment of business objectives. Objectives are usually framed in terms of the effectiveness of outputs and may have a time. operational and support business process categorisations discussed in the accompanying Guide. vision and mission established in the Corporate Plan. those strategic. each activity. The results of this activity should be entered on the worksheet at Appendix 1. Determine and document overall business objectives Obtain or establish the business objectives for the business unit. 2. Business Plans and Risk Management Plan are good starting points. or applied to. The objective of this step is to identify. Document the business unit objectives on the worksheet. The following instructions will assist organisations identify and rank their business processes. this step in Business Continuity Management should confirm that the process descriptions are still valid and rank the processes in terms of their relative importance to achieving organisational objectives. and rank in priority order.

One approach is to first determine which objectives are the most important and to match the business processes to those objectives. under each of these categories. Operational areas should consider only the operational activities and resources that pertain to their processes. This can be achieved by first considering the critical success factors required for the process to met its business objectives. Therefore it is necessary to rank these also within each process. All business processes will contribute in some form to organisational objectives. The support activities and resources will be analysed by the support areas. Resources applied to activities should be considered in terms of people. Determine and rank key business processes Once an inventory of all business processes has been established for the business unit or service area it is necessary to determine which of these are critical to achieving organisational objectives.Business Continuity Management Page 32 of the Guide provides an outline of generic mega and major business processes that apply to most public sector organisations. It is more likely that some support processes—such as publishing and public relations— and some strategic processes—such as those associated with process improvement and quality assurance (but not quality control)—will not be mission critical. 9 . It is then necessary to determine from within these processes those that are integral to achievement of the key objectives. telecommunication information systems and business processes. Once a ranking has been agreed for each activity and resource these should be entered on the worksheet. Analyse key business processes into activities and resources and rank in priority order for recovery Each key business process should be dissected into the activities undertaken for that process and the resources consumed or applied to the activities. The most critical activities and resources for each key business process will be afforded the highest priority in recovery. The Chief Executive Officer and/or an appropriate management committee should agree the ranking of activities and resources. The following example shows worksheets for an operational process and a support process completed to this step. all operational processes can be considered to be key. facilities. It is suggested this ranking of processes is undertaken as a facilitated group session using a vertical slice of employees from with the business unit or service area. 3. This structure may be a useful starting point for establishing a common language and understanding of what a business process is. Generally. 4.

The MAO (maximum acceptable outage) has not been completed at this stage—that is the next step in the process. reliable quality services Rank 1 Process Payroll Critical success factors Payment of fortnightly salaries and allowances to all staff on time Activities and resources 1. 2. activities and resources Example: business support process Objective: support the organisation by providing timely. 3. The results of all analyses are combined to determine reliance on common resources and activities and inter-dependencies between resources and activities. Cheque production system Also note reliance on mail room for timely dispatch of cheques MAO 2 3 Process new applications Modify payee details Notes: 1. accurate. 3. 4. Payroll team HRM system Payroll system Communications link to bank MAO 2 3 Billing Paying Accounts Example: operational process Objective: process and pay benefits to bona fide recipients on time. A separate analysis should be conducted for Registry. for the correct amount Rank 1 Process Pay benefits Critical success factors Payment on time Activities and resources 1. Benefits payment teams 2. the mail room (Registry).Guide to Effective Control Priority listing of key business processes. 2. 10 . Benefits payment system 3. Communications link to bank 4. The benefits payment process has noted its reliance on a business support process—that is.

The following scenario is recommended as a starting point: • a flood or fire has occurred and the building is inaccessible—all computer systems and supporting services are unavailable for a period of at least 30 days. the total destruction of workplace resources and information technology systems at the worst possible time. or loss of. for assistance in restoring essential business activities. The following concepts are relevant. The BIA is undertaken for all key business processes and sets the recovery priorities. causing a disruption to. key business processes. 11 . travel and accommodation expenses etc. employee food. Business continuity concepts relevant to the BIA Concept Outage • extraordinary event • loss of key business processes • high impact Description An outage is an extraordinary event.Business Continuity Management Step three: Business impact Business impact analysis (BIA) analysis (BIA) The objective of this step is to determine a maximum acceptable outage (MAO) for each critical activity and resource identified in step two. This assists the people undertaking this exercise to consider their business processes in that context. overtime. and • authorisation has been given for additional staff. which has a high impact on the organisation This is distinct from downtime or systems failures that may occur as a part of normal operations where the impact simply reduces the effective utility of processes in the short term The MAO is the time it will take before an outage threatens an organisation achieving its business objectives The MAO defines the maximum time an organisation can survive without key business functions before recovery procedures must commence Maximum Acceptable Outage (MAO) • threat to achieving business objectives Business impact analysis scenario It is useful to establish a scenario in which the organisation has suffered an outage. that is. should those processes be disrupted or lost. • assume a worst case.

We need to assess the impact of the outage against an agreed framework to determine and establish the maximum acceptable outage (MAO) for each business process.Guide to Effective Control Do not consider any current continuity plans when determining impacts resulting from loss of services. All days referenced are calendar days. We need to make a judgement on how long the organisation can survive without these key processes before it threatens the ability of the organisation achieving its objectives. Establishing a framework for assessing the impact of a business interruption We are making an assessment from the point of view an outage has occurred. we are saying the business process can do without this activity or resource for any time under that point where there is a major impact and it will not affect the organisation achieving its objectives. and outage may have many ramifications. This needs be considered at two levels: • assessing the overall impact of loss of a process—this has probably been achieved (at least in part) by ranking the processing in order of priority to the organisation. and • assessing the impact of the loss of the corresponding activities and resources to determine how long the process can be without that activity or resources until its own success is threatened. not business days. This outage has affected the performance of key processes in that critical activities have ceased and critical resources are not available. This will ensure the organisation is considering the same factors when determining the MAO. In effect. Once its occurs. 12 . The level of impact can be assessed for each activity and processed using a scale similar to the table below. The framework An objective and consistent basis on which to assess the impact of an outage needs to be established. Example: scoring level of impact of business disruption Level of Impact Extreme Major Moderate Minor Nil Assessment Threatens political and business viability Significant impact on business drivers Major impact on short term business operations Inconvenient but no real ongoing business impact Reconsider the inclusion of this as a critical resource Score 5 4 3 2 1 The MAO is set at that point where there would be a major impact (Score–4) on the ability of the activity or resources and therefore the process would fail.

cost. Example: detailed evaluation criteria for assessing business impact Area of impact Rating Outputs (time. quality) Greater than ten per cent impact on achievement of key performance targets Up to ten per cent impact on targets Resources (staff. inability to provide mandatory opinions within legislative timeframe Breach of Commonwealth law and regulations Ministerial question in the Parliament Major disruption of access to service Failure to comply with Financial Directors and Chief Executive instructions Failure to comply with internal guidelines Internal impact only No impact on clients/ stakeholders Failure to comply with internal instructions 13 . information. These criteria should be consistent with any such criteria established for the top down risk management process. CEO and the Board the subject of legal action Significant loss of access to service e.000 assets in value 1 (Negligible) No impact on achievement of output targets Key staff available for a few hours Adverse comments in press Minor disruption of access to service Reputation Clients/ stakeholders Death or serious injury to clients Financial loss to clients in excess of $1 million Compliance 5 (Extreme) Royal Commission Organisation found liable in legal action Breach of Constitution 4 (Major) Parliamentary inquiry Organisation. financial assets) Death of staff Financial loss in excess of $1 million Destruction or serious damage to most assets Injury to staff.000 Damage to physical or information assets 2 (Minor) Up to one per cent impact Temporary loss of key staff Financial loss of up to $10.Business Continuity Management Below is an example of detailed criteria with which to determine the level of impact of an outage for a particular activity or resource.g. loss of critical mass of staff Financial loss of up to $1 million Destruction or serious damage to key physical or information assets 3 (Moderate) Up to five per cent impact Permanent loss of key staff Financial los of up to $100.

2. The MAO for each activity/resource is set at the point where a 4 rating and above is assessed. The following table can be used for this purpose.Guide to Effective Control The assessment of the MAO practice Using the earlier example. 4. 4. Example: consolidation of common resources Resources 1-2 days Operational staff (by business unit) Support staff (by service area) Operational IT systems (by system) Support IT systems (by system) Communications—voice Communications—data Facilities—buildings (by location) Facilities—plant and equipment (by category) Information—physical records Information—electronic data Impact of interruption 3-5 days 6-15 days 16-30 days > 30 days MAO 14 . Details of the agreed MAOs should be entered on the worksheet in Appendix 1. 2. 3. the MAO for each activity and resource is scored— the score is based on consideration of the impact of its loss. 2. 3. The MAOs established should be agreed to by the Chief Executive and the Business Continuity Management Steering Committee. To assist in determining inter-dependencies and to establishing the MAO for common resources the organisation may wish to consolidate the MAO schedule on a resource basis. Consolidation of MAOs by resource The above example demonstrates a common resource that is used in both processes. The assessment in the following table is based on the impact criteria detailed on the previous page. Example: assessing MAO for activities and resources Key business process Payroll Activities and resources required Impact of Interruption 1-2 days 1. HRM—salaries team Salaries system HR system Communications link to bank Benefits payment team Benefits payment system Communications link to bank Cheque production 1 1 1 1 1 1 1 1 3-5 days 4 2 1 1 2 1 1 1 6-15 days 4 4 1 2 4 2 4 2 16-30 days 4 4 2 3 4 4 5 3 MAO > 30 days 5 5 4 4 5 4 5 4 2 days 15 days 30 days 30 days 5 days 15 days 15 days 30 days Payment of benefits Notes: 1. 1.

establishing interim processing arrangements and restoring the lost activity(ies) and resource(s). The relative cost of these options is then compared to determine the most cost-effective solution. Each option needs to be evaluated first in terms of its time to implement and then in terms of its cost. The following costs may be relevant in the recovery period for interim processing arrangements: • outside services. then cost is not so much the issue—but how to achieve it at the best cost. • wages paid to idle staff. it will generally be less expensive to maintain a ‘cold’ site. The accompanying Guide (at page 39) discusses a range of possible treatment options for various resources. The time to implement each option is compared to the MAO for the resource/activity.Business Continuity Management Step four: Design continuity Step four: Design continuity treatments treatments The objective of this step is to determine cost-effective treatments for responding to an outage. if maintaining a hot site is the only means of re-establishing the activity or resource within the MAO. 15 . A simple example involves the choice between a hot site and a cold site for back-up computer processing. • emergency purchases. and • temporary relocation of employees. Only those options that can be implemented within the MAO need to be considered further. • temporary employees. The worksheet at Appendix 2 can be used to document this process and as a rationale to support the treatments options selected. If both options can be implemented within the MAO for the activities and resources they replace. • rental/lease of equipment. However.

Guide to Effective Control 16 .

Business Continuity Management Appendices 1. Worksheet for key business processes identification and business impact analysis Worksheet for evaluation of treatment recovery options 2. 17 .

2 Business unit key objectives.Guide to Effective Control Appendix 1.1 Business unit/service area details Business unit/service area Contact name Title Phone number Location Email 1. Worksheet for key business processes identification and business impact analysis 1. outputs. and performance indicators Outputs or services for each objective Performance indicators Business unit objectives (in priority order) 1 2 3 18 .

Business Continuity Management 1.3 Identification of key business processes and business impact analysis Business objective: Column 1 Column 2 Key business process Critical success factors 1 Column 3 A ctivities and resources required 1 2 3 2 1 2 3 3 1 2 3 4 1 2 3 Column 4 MAO 19 .

Worksheet for evaluation of recovery treatment options Resource(s): Options Time to implement (days) Within MAO Full cost Yes/No (list components) Cost-effective Yes/No Response 1 2 3 Interim processing 1 2 3 Restoration 1 2 3 Other issues 1 2 3 20 .Guide to Effective Control Appendix 2.

Sign up to vote on this title
UsefulNot useful