Gap

Generally Accepted Practices
For
Business Continuity Practitioners

Drafted by:
Disaster Recovery Journal

And
DRI International
1
I. PREFACE ...................................................................................................................................................... 3
I. INTRODUCTION ......................................................................................................................................... 4
A. MISSION STATEMENT .................................................................................................................................. 4
B. SCOPE .......................................................................................................................................................... 4
II. PROFESSIONAL PRACTICES................................................................................................................. 5
A. BACKGROUND ............................................................................................................................................. 5
B. DETAIL ........................................................................................................................................................ 6
1. Project Initiation and Management......................................................................................................... 8
2. Risk Evaluation and Control ................................................................................................................. 15
3. Business Impact Analysis ...................................................................................................................... 36
4. Developing Business Continuity Strategies ........................................................................................... 42
5. Emergency Response and Operations ................................................................................................ 48
6. Developing Business Continuity Plans............................................................................................... 53
7. Training and Awareness..................................................................................................................... 78
8. Maintaining and Exercising Business Continuity Plans..................................................................... 82
9. Public Relations and Crisis Communications .................................................................................... 85
10. Coordination with Public Authorities............................................................................................. 91
VII. APPENDICES .................................................................................................................................... 112
A. DEVELOPING BUSINESS CONTINUITY STRATEGIES ............................................................................ 112
B. TRAINING AND AWARENESS ................................................................................................................. 112
Generally Accepted Practices Page 2 of 113

CONFIDENTIAL
08/20/07
I. Preface
The Business Continuity focus will become a standard discipline and established profession when
Business Continuity professionals put their minds together to create Generally Accepted Business
Continuity Practices.
The DRJ Editorial Advisory Board Generally Accepted BC Practices Committee in concert with DRI
International is continuing its effort to create universally accepted Business Continuity Practice
guidelines.
The Generally Accepted Business Continuity Practices subject areas align with the ten DRII
Professional Practices:
1. Project Initiation and Management

2. Risk Evaluation and Control
3. Business Impact Analysis
4. Developing Business Continuity Strategies
5. Emergency Response and Operations
6. Developing and Implementing Business Continuity Plans
7. Awareness and Training Programs
8. Maintaining and Exercising Business Continuity Plans
9. Public Relations and Crisis Coordination
10. Coordination with Public Authorities
The Professional Practices tell you what you need to do and the Generally Accepted BC Practices
will tell you how to do it.
The DRJ has also partnered with the following organizations to assist in the creation of the Generally
Accepted BC Practices:
• Association of Records Management Administration (ARMA)

• DRI International (DRII)
• Financial Services Technology Consortium (FSTC)
• Standards Australia/Standards New Zealand
• National Fire Protection Association (NFPA)
Please review the document and consider assisting in this effort as it is an opportunity to make an
impact in the Business Continuity industry.

CONFIDENTIAL
08/20/07
I. Introduction
A. Mission Statement
To be recognized as a leading source of “sound” Generally Accepted Practices by providing a
depository of knowledge and recommendations offered by skilled Business Continuity Professionals.
B. Scope
Best Practices will be compiled from submittals by experienced Business Continuity Professionals
from the public and private sectors, as well as user groups and/or related organizations, in regards to
the industry standard Professional Practices. The Best Practice Committee will review the submittals
quarterly for approval. The approved submittals will reside on the Disaster Recovery Journal website
for all practitioners to access and implement within their respective organizations.
The process of developing the matrix consisted of contacting all associations and better
understanding what processes they had in place either via direct input or via web sites
The DRJ EAB Best Practice effort is not attempting to replace the vertical space, they are trying to
build an abstract of the work that the organizations are doing and then pull the detail together for a
view of the overall. This process is not to re-create the wheel it is to provide the input for all
professionals to use
o This is a two step approach:
Phase I: Initially address the high level
Phase II: Initiate a Drill down process to flesh out the details based on
industry

CONFIDENTIAL
08/20/07
II. Professional Practices
A. Background
In order to set the precedent, the definition of DRII/BCI Professional Practices will be noted prior to
each Generally Accepted Practice.
The Professional Practices in whole will not be identified within this document however, the link
below can be reviewed for full detail on these joint Practices:
http://www.drii.org/DRII/ProfessionalPractices/Introduction.aspx
This information will allow for the practitioner to identify the background or the “what” (Professional
Practice) to be associated with the “how” (Generally Accepted Practice).

CONFIDENTIAL
08/20/07
B. Detail

CONFIDENTIAL
08/20/07
CONFIDENTIAL
08/20/07
1. Project Initiation and Management
DRII PROFESSIONAL PRACTICE:
Establish the need for a Business Continuity Plan (BCP), including obtaining management support and organizing and managing the BCP
project to completion. (This includes defining the problem; communicating the need for a BCP; developing budget requirements; identifying
Planning Team(s) and Action Plans; and developing project management and documentation requirements.)
Sub-Topic # What How Points of Reference
Define the need for Business Research and compile facts showing possible risks Past Audit Comments
Continuity. to the enterprise. Regulatory and legal
environment
Past disasters
Best practices publications
Initiate 1 (white papers, banking
circulars, etc…)
Relevant regulatory Industry
trade bodies
Consulting
recommendations
Identify the purpose and goals Determine the BC focus by building a business Best practices publications
for the BC initiative. case to identify readiness requirements (such as those used within
Define high level roles and responsibilities across the Information Security and
the business units impacted by the BC initiative. or Project Management
Obtain a high level understanding of corporate best practices)
environment including products and services Cost Benefit Analysis Doc
If available, review existing BC materials to (including actual cost of past
leverage previous work outages as well as the
2 impact of brand damage and
other concerns discovered
in defining the need).
Organization Charts
Mission Statements
Key documents such as:
evacuation procedures,
medical emergency, crisis
mgmt and Y2K docs
8
Gain buy-in and commitment Guide leadership (sponsors) in defining objectives, Project proposals
for meeting goals. policies and critical success factors Statements of work
Communicate the purpose and goals with Cost benefit analysis docs
3
stakeholders and receive initial approval. Business Case
Identify and communicate project risks
Establish a governance Identify Steering committee roles and Mission Statement

structure responsibilities Critical Success Factor doc
Develop supporting documentation required for the Conflicting priorities
initiative Portfolio / program
Receive funding and approval to move forward management standards
4 Establish / review BC policy
Identify need for BC Standards and definition of
terminology
Set decision-making protocol and issue escalation
policies relative to continuity issues
Gain agreement on overall timescales
Provide awareness Establish Project Communications plan BC website
5 Debriefings
Brownbag lunches

Establish a steering Identify and engage a team of affected managers Project Status report
committee. to oversee project progress and to resolve issues. template
Plan 1 Establish project milestone review and approval Project Issues and risk logs
protocol Project schedules
Establish the framework required to measure Project plan template
project success
Generally Accepted Practices Page 9 of 113 CONFIDENTIAL

08/20/07
Refine the project plan. Adjust project documentation to reflect final Work breakdown structure
decisions and approvals doc
Define project deliverables and related activities Project proposals
List tasks and estimate effort and duration Statements of work
2 Assign project team members to tasks Cost benefit analyzes
Set milestones High-level project plan
Document project scope control Work plans
Document project risks Scope control processes
Develop project risk mitigation Change Control Procedures
Determine project cost Establish methods to track project assets and Budget reports, Inventory
3 tracking expenses, and acquisition logs
Establish resource tracking and reporting Time sheets
procedures.
4 Determine the project Determine the need for additions or changes to Version control procedures
environment. tools and supplies, such as acquiring or upgrading Security environment
planning software Confidentiality policies
Establish documentation storage and access Change Control Procedures
procedures Documentation
Management
Information Handling
Standards
5 Determine training Schedule training on the use of new software (as Personnel skills inventory
requirements required) Documentation standards
Provide BC training and guidelines
Plan Templates
6 Develop project success Refine the critical success factors Critical success factors
metrics Develop and implement measurements Project health
measurements
Checklist for Project
Documentation
Project Score Card
PM Standards Compliance
Audit Guide

08/20/07
7 Develop the awareness Establish and validate components and delivery
program methods SUBJECT AREA 7: Awareness
and Training Programs

Conduct a Project Kick-off. Facilitate a meeting with the team members to Status reports
communicate the project mission and plan. Issues and risk logs
Review assignments, work schedules and Escalation procedures
milestones. Documentation Standards
Set guidelines for rules of operations and and Guidelines
progress review Information Handling
Execute 1 Standards
Change Control Procedures
Documentation
Management
Implement Interim Plan Ensure the existence of an emergency only plan SUBJECT AREA 5:
2 and develop one if needed Emergency Response and
Ensure emergency management awareness Operations
across enterprise
Assign representatives from in-scope
organizational areas
Manage Risk Assessment SUBJECT AREA 2: Risk
3 Use project controls to ensure success
Evaluation and Control

08/20/07
Conduct a Risk Awareness Work with governance body to implement policy
Campaign changes
4 SUBJECT AREA 7:
Educate personnel on purpose and importance of
ok Awareness and Training
updated preventative measures
Programs

Assign representatives from in-scope
5 Manage Business Impact SUBJECT AREA 3: Business
Use project controls to ensure success
Analysis Impact Analysis
Develop BC Strategy and SUBJECT AREA 4:

Standards Assign representatives from in-scope Developing Business
organizational areas Continuity Management
Use project controls to ensure success Strategies
6

08/20/07
Implement BC Solutions Assign representatives from in-scope
SUBJECT AREA 6:
Use project controls to ensure success
Developing and Implementing
Business Continuity and
Crisis Management Plans
SUBJECT AREA 9:
Crisis Communications
7
SUBJECT AREA 10:

Coordination with External
Agencies
SUBJECT AREA 5:
Emergency Response and
Operations
• Assign representatives from in-scope SUBJECT AREA 7:

organizational areas Awareness and Training
8 Develop and execute a BC
awareness program • Use project controls to ensure success Programs

08/20/07
Manage project scope Document additional BC risks and needs not Change control procedures
included in the original purpose and goals. Project mission, success
Control 1 Manage changes to areas of focus factors and other planning
Escalate project scope concerns to the steering materials
committee
Manage project risks Identify and track risks to the successful Risk logs
completion of the project. Budget reports
Develop resolutions to risks by adjusting project Project mission, success
2 plans and assignments factors and other planning
Manage project issues materials
Escalate project risk concerns to the steering Issue logs
committee
Manage deliverable quality Ensure documentation standards and guidelines Documentation standards
are followed and guidelines
3
Manage acceptance of deliverables Acceptance and sign-off
Conduct PM Standards Audit Evaluate actual project plans as they compare to Project schedule
original deliverable definitions and estimates Project success metrics
Develop recommendations for project Critical success factors
improvements to meet critical success factors Project health
4 measurements
Standards for project
documentation
Project Score Card
Audit Guide

08/20/07
5 Measure progress Evaluate actual project plans as they compare to Project metrics
original deliverable definitions and estimates Project score card
Develop recommendations for project Status reports
improvements
Document and communicate progress

Evaluate project manager Conduct PM Standards Audit Project schedule
performance Project success metrics
Critical success factors
Project health
1 measurements
Standards for project
documentation
Close Project Score Card
Audit Guide
Conduct Project lessons Collect steering committee feedback Issues logs
2 learned Facilitate project team session Project schedules
Recommend improvements to project Project metrics, score cards
management methodology and status reports
3 Close Project Archive project deliverables
Announce project success
2. Risk Evaluation and Control

Determine the events and environmental surroundings that can adversely affect an organization, the damage that such events can cause, and the
controls needed to prevent or minimize the effects of potential loss. (This includes understanding loss potentials; determining the organization’s
vulnerability to loss potentials; identifying controls and safeguards to prevent or minimize the effect of the loss potential; and evaluating the
effectiveness of controls and safeguards.)

08/20/07
Identify exposures from both internal and • Research past disasters in • Federal Emergency
external sources, which may include: geographical area Management Agency
Identify
• Research past disasters in industry (FEMA) website
Potential Risks • Natural, man-made, technological, or
to the • Research past disasters in related • State Emergency
political
industries Management
Organization / • Accidental vs. intentional
• Research past disasters internally Organization websites
Loss • Internal vs. external
within organization • Local Police and Fire
Potentials • Controllable risks vs. those beyond the
• Utilize Business Impact Analysis Departments
organization’s control
(BIA) discussion / development for • Business Continuity
• Events with prior warnings vs. those with Publications
internal functions
1 no prior warnings
• Identify interdependencies to other • Newspapers
organizations, systems, etc. • Internal Company
• Research past disasters within your Records
interdependent organizations • Internal Interview
(geographical, industry, related Sessions (leading to
industries, and internal) BIA development)
• Prepare analysis grid showing the • Third-Party
threats, risks, controllable factors Disclosures (leading to
(internal/external, BIA development)
accidental/intentional, with/without • Analysis Grid Example
warning, controllable/uncontrollable) (Develop)

08/20/07
Determine the probability of the above • Validate credibility of information • Federal Emergency
events sources Management Agency
• Determine impacts to the organization (FEMA) website
• Research available historical • State Emergency
probability factors Management
• Analyze historical probability against Organizations
degree of environmental change (e.g. • Local Police and Fire
increased threat of terrorism today Departments
may require adjustment to historical • Business Continuity
2 probability) Publications
• Analyze mitigating controls in place • Newspapers
• Determine additional controls that • Internal Company
could be implemented Records
• Analyze probability that each identified • Internal Interview
threat could occur Sessions (leading to
• Analyze probability of impact occurring BIA development)
as a result of each of the identified • Third-Party Disclosures
threats (leading to BIA
• Analyze effectiveness of current and development)
potential mitigating controls

08/20/07
Develop methods of information gathering • Partner with internal auditor(s) to learn • FEMA
of existing risks Website/newsletters
• Partner with local emergency • State Emergency
management agency for a historical Management
impact to business addresses website/newsletters
• Network with local Business Continuity • Networking meetings
Planners • Seminars/presentations
• Research the FEMA website for • Local Business
declared disasters in the area Continuity
• Research the “neighbors” in the Organizations
general vicinity (may be indirectly • Business Continuity
impacted by potential chemical publications
3 hazards, political targets, etc.) • Local Police / Fire
• Map nearest “transportation highways” Department / Utility
to business location (e.g. auto, train, Companies
flight paths) • Highway Departments
• Identify single points of failure (e.g.
gas, water, electricity, fiber cable,
critical vendors)
• Subscribe to Business Continuity
publications
• Sign-up for FEMA and State
Emergency Management newsletters
• Arrange for visiting speakers from
local organizations
• Attend Business Continuity seminars

08/20/07
Develop a method to evaluate probability vs. Assess and incorporate the following • Probability formula
severity elements into a method customized for the from DRII training
organization involved: materials
• Internal Cost/Benefit
• Determine current annual loss
guidelines and
potential associated with each
practices
identified risk
• Actual cost figures
• Determine frequency factor (no. times
per year) for each risk • Subject Matter Expert
(SME) Estimations
• Multiply annual loss potential by the
frequency factor to determine annual • ISO 7799 Standards
loss exposure (ALE) Methodology
• Determine likelihood of simultaneous • Auditor Organization
risks occurring Standards & Process
• Determine total simultaneous loss • Federal (e.g. FFIEC)
exposure
4
• Determine effectiveness of mitigating
controls with reducing or eliminating
risk (recalculate ALE as if controls
were all in place)
• Determine costs of mitigating controls
• Determine recovery requirements
• Determine expected recovery time
using actual test experience
(preferred), industry experiences, or
expert estimations
• Adjust ALE to show loss for expected
recovery time with and without
suggested controls in place

08/20/07
Establish ongoing support of evaluation • Prepare costs/benefit statement • Internal Cost/Benefit
process • Prepare qualitative loss statement, guidelines and
e.g. potential for loss of life practices
• Prepare executive presentation • Internal Presentation
summarizing analysis results and guidelines and
source information practices
• Demonstrate validity of presented • Subject Matter Expert
5 information with test results, industry (SME) Estimations
experiences, etc. and Support
• Obtain upper management • Certification as
championship of effort Business Continuity
Planner
• Knowledge of industry
standards/best
practices
Identify relevant regulatory and/or legislative • Consult Legal department and/or • Internal/external Legal
issues outside counsel Council
• Consult internal Compliance officers • Internal Compliance
• Consult internal Business Area Officers
6 management • Federal and State
• Research federal rules and websites
regulations for industry
• Research state rules and regulations
for industry

08/20/07
Establish process to assess identified loss Develop method to estimate loss potential • Internal Accounting /
potential that considers: Finance Department
Determine the
• Internal Risk
Organization’s • Value of assets
Management
Specific • Value of labor and opportunity costs
Department
Exposures to • Frequency and duration estimates of
Loss Potentials • Insurance Contacts /
1 each threat category
Information
• Mitigation effects of existing safeguards
• Local / County
Emergency
Review exposure information Management
• FEMA
• Local Police / Fire,
Homeland Security
Categorize exposures: Create an exposure categorization table • Internal Accounting /
with two sections – primary exposures and Finance Department
• Primary exposures the organization may secondary / collateral events that lists: • Internal Risk
2 face (e.g. hurricane)
Management
• Secondary / collateral events that could • Exposure Name and / or Cause
Department
materialize because of such exposures • Loss Potential – Single Occurrence
• Insurance Contacts /
(e.g. wind damage, roof collapse) • Loss Potential – Annual Exposure
Information
Rank exposures Prioritize exposure categorization table by • Internal Accounting /
ranking and sorting by: Finance Department
• Internal Risk
3 • Exposures most likely to occur
Management
• Exposures with greatest impact (worst
Department
case)
• Insurance Contacts /
Information

08/20/07
Environmental Controls Identify: • FFIEC Guidelines –
Federal Financial
Identify • Physical Access (buildings, rooms,
Institutions
Controls and grounds)
Examination Council
Safeguards to • Geographic Location (incidents)
• Auditors Organizations
Prevent and/or • Utilities (Auditnet.org)
Mitigate the 1
Effect of the • Internal Audit
Loss Potential • National Institute of
Standards and
Technology
• Risk Management
Organizations
Technical Controls Identify: • Information Systems
Audit and Control
• Data Security
Association
• Network Security
• National Institute of
2 • Quality Assurance (ongoing controls) Standards and
• Data & Media Administration Technology
• Assets (physical inventory) • Auditor Organizations
(Auditnet.org)
• Internal Audit

08/20/07
Operational Controls Identify: • FFIEC Guidelines –
Federal Financial
• Strategic Business Objectives
Institutions
• Policies Examination Council
• Procedures • Auditors Organizations
• Administration (Auditnet.org)
3 • Legal / Regulatory Requirements • Internal Audit
• Key Personnel (personnel roles) • Risk Management
• Supply Chain (Vendors) Organizations
• Federal Authorities • National Institute of
• State Authorities Standards and
• Local Authorities Technology
• Industry Standards (audit methods)
Reputation Controls Identify: • DisasterCenter.com
• Risk Management
• Media Sources
4 Organizations
• Internal Communications
• Internal Audit
• External Communications
• Internal PR / HR
Departments
Effectiveness Identify: • National Institute of
Standards and
• Impacts of recommended mitigation
Technology
options:
• Internal Audit
5 − Testing Options
− Risk Assumption
− Risk Avoidance
− Risk Limitations
− Risk Transference

08/20/07
Identify alternative risk analysis Type of measurement: • NIST SP 800-30 Risk
methodologies, tools, and sources of Management Guide for
Identify,
internal and external expertise • Qualitative methodologies / tools
Information Technology
Evaluate, • Quantitative methodologies / tools Systems
Select, and Use
Appropriate • FISCAM, PP. 16, 17, 18
Risk Analysis Type of process: • ISO 17799 – Assessing
Security Risks, p. IX.
Methodologies • Manual Process
and Tools, and 1 • www/better,management.com/
• Interview
Expertise riskanalysis
- In person
Needed • RiskWatch
- Videoconference
• RiskPac
- Teleconference
• Identify existing data/analysis
Automated Process - Email

Combination of manual and automated
Evaluate alternative risk analysis Evaluate advantages and disadvantages • Product/service references
methodologies, tools, and sources of of options: • Industry publications
internal and external expertise
• Reliability / confidence factor • External expertise / actuarial
2 guidance
• Basis of mathematical formulas
used
Select appropriate methodology, tool(s), • Identify target population for data • Internal legal counsel
3 and external expertise needed for collection • Internal / external audit
organization-wide implementation • Identify any specific requirements,
e.g. regulatory, financial, etc.

08/20/07
Use appropriate methodology, tool(s), Conduct analysis of data collection Utilize and enhance risk
and outside expertise to develop risk based on methodology chosen assessment performed in prior
analysis steps (see above)
4

Develop a strategy consistent with business
1
issues and organizational policy
Identify and
Implement Develop a strategy that can be managed
Information- 2 across business divisions and organizational
Gathering locations
Activities
3 Develop risk assessment form
Create organization-wide methods of • Forms and questionnaires
information collection and distribution • Interviews
• Meetings
• Documentation review
• Analysis
Conduct formal risk assessment • Forms and questionnaires
• Interviews
3 • Meetings
• Documentation review
• Analysis

08/20/07
Develop communications flow with other
1 internal departments / divisions and external
Evaluate the
service providers
Effectiveness
of Controls and Establish business continuity service level
Safeguards agreements for both supplier and customer
2
organizations and groups within and external
to the organization
Develop preventive and pre-planning options • Cost / benefit
• Implementation priorities, procedures,
3 and control
• Testing
• Audit functions and responsibilities
Understand options for risk management and • Risk avoidance
4 selection of appropriate or cost-effective • Risk transfer
response • Acceptance of risk

Establish disaster scenarios based on risks Develop disaster scenarios based on the
to which the organization is exposed following criteria:
Identify and
Evaluate Risks, 1 • Severe in magnitude
Controls, and • Occurring at the worst possible time
Mitigation • Resulting in severe impairment to the
organization’s ability to conduct business

08/20/07
Alternatives Evaluate risks Classify risks according to relevant criteria,
including:
• Risks under the organization’s control
2 • Risks beyond the organization’s control
• Exposures with prior warnings (e.g.
tornadoes, hurricanes)
• Exposures with no prior warnings (e.g.
earthquakes, terrorist attacks)
Evaluate impact of risks and exposures on • Availability of personnel
those factors essential for conducting • Availability of information technology
3 business operations • Availability of communications technology
• Status of infrastructure (transportation,
etc.)

08/20/07
Evaluate controls and recommend changes, • Preventive controls to inhibit impact
if necessary, to reduce impact due to risks exposures (e.g. passwords, smoke
and exposures detectors, and firewalls)
• Reactive controls to compensate for
impact of exposures (e.g. hot sites)
• Incorporate business continuity / disaster
recovery procedures in all change
management requests within the IT / IS
environment
• During plan implementation, implement
4 such formats as checklists, etc., so that
business continuity teams can operate
efficiently and effectively. (Avoid thick
procedures that would be viewed as
overwhelming during an event, and,
possibly, discarded when needed most
• Partner with internal auditor(s) to highlight
the need-to-resolve issues
• Recommend implementation of an
oversight committee to approve and
review an on-going business continuity
program

08/20/07
Identify the organization’s possible security Identify the specific categories of risk which
exposures may affect the organization:
Security
• Physical security of all premises
• Information security, including computer
1 room and media storage area
• Communications security, including voice
and data communications
• Network security, including Intranet and
Internet
• Personnel security
Evaluate existing security controls and
2
procedures
Develop recommendations for improved Partner with the Risk Management
security controls and procedures Department and internal auditor(s) to
3
conduct on-going security reviews to
prevent potential situations from arising

08/20/07
Identify vital record needs in the • Agree on definition of vital records • Business process
organization, including paper and electronic (e.g. those records required by a owners
records business to stay in business) • Business process staff
• Review the organization’s Records • Legal counsel
Retention Schedule to identify • Internal Risk
administrative and operational vital Management
records • Records management
• Identify special issues and needs vendor
concerning electronic vital records
(e.g. email-related vital records)
Vital Records
• Calculate retention periods and
Management 1 disposition timeframes
• Identify timeframes for retention
• Consider the potential need for long-
term preservation
• Identify records retrieval / recovery
needs
• Identify the right media for storage
• Identify the optimal storage
environment
• Identify technologies / equipment
needed to retrieve records (e.g. tape /
microfilm)

08/20/07
Evaluate existing backup and restoration • Evaluate the existence and viability of • Legal counsel
procedures for vital records the organization’s Records Retention • Internal risk
Program and Records Retention management
Schedule • Internal audit
• Review the current vital records • Legal / regulatory
management program and requirements
documentation • Industry sources
− Completeness • Records management
− Accuracy vendor
− Maintenance • NFPA
− Appropriate and effective • NARA (National
distribution Archives and Records
2 − Periodic training Administration)
− Periodic exercise of procedures
− Offsite storage of current vital
records inventory and procedures,
including emergency operating
information and procedures
• Assess the level of adherence to the
vital records management program and
its overall effectiveness
• Evaluate potential threats to vital
records
• Evaluate strategies for protecting vital
records

08/20/07
Develop recommendations for improved • Develop a recommendations document • Legal counsel
backup and restoration procedures based on the above information • Internal Risk
• Partner with internal and external Management
resources to validate and refine the • Internal audit
recommendations document • Legal / regulatory
3 requirements
• Industry sources
• Records management
vendor
• Business process
owners
• Business process staff

Document and Document findings • Consolidate findings into a single • Internal risk
Present document management
Findings 1 • Prepare an high-level summary report • Internal audit
for presentation to executive • Legal counsel
management

08/20/07
Present findings and advise management on • Develop a presentation that clearly • Internal risk
feasible, cost-effective security measures summarizes the results and the management
required to prevent / reduce vital records and information in the high-level summary • Internal audit
security-related risks and exposures report • Legal counsel
• Consider meeting with each senior
manager individually before presenting
the final results to the executives as a
group.
2 • Schedule and present findings
recommended security measures to
prevent / reduce vital records and
security-related risks and exposures
• Be prepared to answer detailed BIA
questions from the senior managers
(take the detailed results to the meeting
as a backup)
• Obtain formal sign-off and approval to
move to the next phase of planning

08/20/07
Determine, and agree on, the cost of • Identify the business process • Business process
Document Risk
downtime • Identify the method used to measure owners
Acceptance cost of interruption. • Business process staff
− Is human life at risk? • Recovery staff
− Is revenue lost? • Legal Counsel
− Is revenue delayed? • Contracting Office
− Is there a cost for additional • Internal Finance /
1 resources needed to recover? Accounting
− Are there legal or regulatory
issues?
− Are there contract requirements?
− Could penalties be assessed?
Ensure that service level agreements are • Identify relationships to other • Service Level
documented and considered, in terms of processes, business units, etc. Agreements
interdependencies (e.g. clients, vendors, key • Determine the level of criticality for • Customers of business
business units) each interdependent relationship. process
• Verify the presence or absence of • Technical Staff
service level agreements for each • Contracting Office
relationship.
2 • Determine if the service level
agreements are adequate to meet the
time requirements for the business
process.
• Determine if there are contract
provisions affecting the conduct of the
business process.

08/20/07
Develop a risk prioritization grid that maps • Identify the risk to the business • NIST SP 800-30 Risk
out the business risk and technical risks process Management Guide for
• Associate the technical risks to the Information Technology
business process. Systems
• Rate the technical risks for likelihood • Test results, when
and criticality. available
• Rate the recommendations for ease
of fix.
• Identify the level of cost for each fix.
3 • Rank the risks according to criticality,
then ease of fix under each business
risk.
• Rate recommendations for
comparative cost: low, moderate;
high.
• Set priorities based on level of risk
and cost.
• Develop a corrective action plan.
Discuss with executives and ensure that they • Document the risk to the business • Business Process
document accepted risks process and the cost/time to Owners
remediate. • Technical Staff
• Review the each documented risk and • Operating/processing
determine if it will be addressed or staff.
accepted. • Executive
4 • If action is to be taken, develop a management
corrective action plan.
• If no action is to be taken, document
the decision by
− Email
− Signature

08/20/07
Implement, or assist with implementation of, • Review Corrective Action Plan • Gap analysis authors
security measures approved by management • Identify key contacts • Internal experts
• Verify your role in the implementation • Technical staff
− Level of authority • Legal Counsel
1
Implement − Watchdog
Backup, − Reporting
Restoration, − Vendor liaison
and Security-
related Implement, or assist with implementation of, • Review gap analysis • Gap analysis authors
Measures and backup and restoration procedures for the • Identify areas requiring improvement • Internal experts
Procedures organization’s vital records approved by • Verify that recommendations will meet • Technical staff
management the identified need. • Records Management
2 • Verify your role in implementation Team
− Level of authority • External Records
− Watchdog Management Advisor
− Reporting • Legal Counsel
− Vendor liaison
3. Business Impact Analysis

Identify the impacts that result from disruptions that can affect the organization and the techniques that can be used to quantify and qualify such
impacts. (This includes assessing effects of disruptions; defining criticality and prioritizing the business functions and records; and determining
recovery timeframes and minimum resource requirements.)
Item # What How

08/20/07
Item # What How
Corporate 1 Gain senior • Dialog with management on communication process within the organization an
Sponsorship (Obtain management buy-in expectations.
Management • Develop appropriate senior management reporting avenues to report status,
Approval activities, risks, constraints and bottlenecks.
2 Request executive level • Consider writing a sample memo for senior management explaining the BIA
support be initiative and their support of it. Emphasize that the BIA is the cornerstone, the
communicated for the foundation that all recovery strategies will be based on and the importance to g
BIA initiative it right the first time.
• Recommend to senior management the audience and the appropriate level to
distribute the BIA support memo.
• Offer to attend staff meetings to explain the BIA initiative if appropriate.
• Consider using the organization’s intranet website and other communication
vehicles in support of the BIA initiative.
Understand the 1 Identify business • For each line of business, request updated organizational charts (if in existence
Organization processes / functions workflow diagrams, basically any documentation that may assist in
understanding the organizational structure.
• The term process is often used synonymously with the word function. In
general, a BIA is completed for each business process/function. Where
processes/functions provide distinctly different products, services, or outputs,
separate BIAs may be appropriate especially if operational and financial impact
of a loss will be significantly different for each process. For example, a separat
BIA should be completed for Revenue Billing, Remittance Processing,
Telemarketing, etc.
• Consider the appropriateness of polling senior management for a list of time
critical processes/functions to focus on if there is little time to complete a detaile
BIA process. Determine what management wants covered if time is of the
essence.

08/20/07
Item # What How
BIA Tools 1 Design a custom • Spend time upfront to customize the BIA for the organization. Design a
tailored business questionnaire that is written specifically for the organization keeping in mind its
impact assessment business language and culture. Update a prior BIA for the organization based o
template previous learnings.
• Consistently use the same timeframes to measure impacts over time for both
financial and operational impacts. By using the same time measurements, it
allows BIA results to be consistently compared across the organization.
• Be consistent with the scale used to measure impacts to the organization.
• It is important to capture both the tangible and intangible impacts to the
organization.
• Lobby not to add questions to the BIA questionnaire that supports another
management initiative if it is inappropriate to do so (avoid scope creep).
1-2 Determine the financial • Financial impacts to the organization as a result of process unavailability can b
impact over time of a directly or indirectly applied to each process/function. The BIA seeks to identify
disruption to each both direct and indirect financial impacts.
process/function • Choose impact levels using the most significant peak period for each business
process/function. This may be at the end of a month, quarter or year, or
according to seasonal trends in the business process.
• A scale for quantifying the financial impact over each time period must be
established based on the organization’s size and the specific industry.
• Determine the cumulative financial impact for each category of financial impact
• Consider the many types of revenue loss for the organization as some revenue
may not truly be a loss. Consider revenue loss measurements versus revenue
that is truly deferred income.
• Make sure that financial impacts to downstream processes are not recorded an
double counted in the financial cost to the organization.

08/20/07
Item # What How
1-3 Determine the • It is important to quantify the operational impacts to an organization resulting
operational impact over from a business process/function being unavailable. Often, the significance of
time of a disruption to business process/function is overlooked because there may be no direct
each process/function financial impact. However, the operational impact to the organization may be
just as or even more significant to the organization.
• A detailed definition of each of the impact levels must be established based on
the specific industry.
• A scale for quantifying the operational impacts must be established in order to
ensure all process/functions are measured the same. For example, a scale of
– 4 could be used with the following definitions: 1 = some impact, 2 = moderate
impact, 3= serious impact and 4 = severe impact. Another scale example to
consider would be using a Low (L), Medium (M) or High (H) Impact scale for
quantifying the impacts over each time period.
• Where possible, contracted service level agreements and any associated
penalties should be identified, along with legal or regulatory penalties.
1-3 • Identify the intangible impacts that make up the significant risks and exposures
to the organization. One intangible impact may be that the organization will lose
employees and jeopardize recovery efforts if employees aren’t paid in a timely
manner.
• A contract may state penalties for missed deadlines or deliverables, or it may
not be specific to the exact recourse the organization has.
• Some operational impacts are intangible. If data is lost that cannot be restored
it may be an intangible impact as it can’t be attached to a direct sum of money.

08/20/07
Item # What How
1-4 Determine recovery • Based upon the financial and operational impacts, determine the RTO. The
time objectives (RTOs) RTO is the point in time where this process/function must be recovered becaus
beyond that time, the specific process/function disruption is unacceptable to the
organization.
• Evaluate what the minimum acceptable level of operations that are required for
this business process/function within the RTO. For example, if the RTO is 4-7
days, does this business process/function need to be restored at 100% of
production capability? Could the business process/function be recovered in
stages? Could 50% of the production capability be recovered in 4-7 days and th
remaining 50% be recovered in 31+ days? Remember also that in a disaster
situation, it is not a working in a business as usual environment.
• A BIA tool should never force and/or calculate an RTO for a business
process/function. Forced recovery time objectives do not take into consideratio
changes of roles at time of disaster and impacts to downstream business
processes and/or dependencies. If a BIA tool is used that assigns an RTO, ther
must be a process in place to override an RTO upon management review.
• The RTO is used by corporate support teams to assess possible recovery
strategies for the business process/function.
1-5 Determine the recovery • Will the process/function be recovered to the time of disaster at the RTO, or
point objective (RPO) some previous time, such as the time of the last full offsite backup? The RTO
that the may be 24 hours, but if a system is being restored from week-old back-ups,
process/function will be there will be a week of transactions that have to be re-entered or recreated. If
recovered to at the there would be no backlog of work that had to be recreated, the RPO would be
RTO. the same as the RTO.
1-6 Determine both internal • Identify supply chain links to other internal departments, processes, or other thi
and external business parties. Examples of third parties could be vendors, business partners,
dependencies customers, etc.
• What are the inflows? From whom does the process/function receive
information, data, requests, etc.? Who does the process/function depend on fo
the information or resources to perform the process/function?
• Whom does the business process/function provide information to? What are th
outflows of this process?
• Break out dependencies between internal and external resources.

08/20/07
Item # What How
2 Determine central • Determine how BIA data will be used ongoing.
repository for BIA data • Determine where to house BIA data and how to update data ongoing (i.e. a
database, an excel spreadsheet, etc.).
• Determine audit trail for updates.
BIA Interviews 1 Conduct BIA interviews • It is important to gather BIA information from each business process/function
owner using an individual interview. Forms that are sent out and completed
without the assistance of a Business Continuity Professional will yield results
that cannot be reasonably compiled and compared. Individual managers may
not know the impact they have on the organization as a whole. Additionally, BI
questions will be interpreted differently by each interviewee.
• Schedule a meeting with the business/function manager to collaboratively
complete the BIA questionnaire. Send out BIA template in advance so that the
recipients can review it with others and get complete answers.
• Explain the purpose of the BIA initiative to the interviewees. Make it clear that
management has no hidden agenda such as having interviewees justify their
jobs via the BIA process. It is helpful to explain that every department/ employe
is mission critical. One of the objectives is for senior management to learn who
is time critical should a disaster occur.
• Conduct interview and complete the questionnaire. Ensure consistency in
interviewee(s) understanding of questions.
• Design and conduct follow-up interviews. If information is still missing after the
interview, follow-up with the interviewee and request it be provided.
BIA Findings 1 Obtain approval for • It is recommended that at least two levels of approval be obtained for the BIA
individual BIA results results. Consider the most appropriate sign-off levels for the organization. It is
recommended that both the business process owner/manager and the next
highest level of management, if appropriate, review and approve the BIA result
• A sign off form of some kind is used to formally indicate next level managemen
has reviewed and approved the BIA answers. It is important to note that
information contained in the approved BIA will be communicated to others with
supporting roles in the recovery of the process such as Facilities, Telecom, IT,
etc.

08/20/07
Item # What How
2 Prepare analysis of BIA • Consolidate the individual BIA information to determine the organizational
results priorities for recovery over time. The recovery time objectives should drive the
priorities for recovery.
• Define recovery objectives and timeframes.
• Determine priorities for recovery (the order of recovery).
• Define report format.
3 Prepare senior • A summary report is prepared and presented to senior management.
management • The presentation should be a formality at this point. There should be no
presentation surprises on the summary presentation for senior management.
• Senior management should clearly be able to understand the impacts to the
organization should processes/functions be unavailable; this data will support
the recovery time objectives required by the process/function.
Gain Management 1 Obtain senior • Consider meeting with each senior manager individually to present results
Approval of BIA management approval before presenting the final results to the executives as a group.
results of BIA summary and • Develop a presentation that easily shows the priorities for recovery and the
recovery prioritizations RTOs to management.
• Determine what type of formal sign-off is required to move to the next phase of
planning.
• Be prepared to answer detailed BIA questions from the senior managers (take
the detailed results to the meeting as a backup)
2 Be prepared to discuss • BIA data can quickly become staledated. Once the BIA results and priorities for
next steps recovery are approved, it is extremely important to act quickly and begin work f
Professional Practice Area #4, Developing Recovery Strategies.
BIA Life Cycle 1 Determine BIA review • Determine how often BIA results need to be reviewed for the organization (i.e.
and update annually, semi-annually, etc). There may be legal and/or regulatory
requirements. requirements that dictate how often a BIA must be reviewed and updated.
• Create a tickler system to ensure updates occur as planned.
• Communicate BIA review cycle with senior management.
4. Developing Business Continuity Strategies

DRII PROFESSIONAL PRACTICE:
Determine and guide the selection of alternative business recovery operating strategies to be used to maintain the organization’s critical

08/20/07
functions. (This includes identifying recovery strategy requirements; assessing suitability of alternative strategies; preparing cost/benefit
analysis of recovery strategies; and selecting alternate site(s) and off-site storage.)
Item # What How Points of Reference

#
1 Develop communication processes to ensure • Dialog with Management on

management is provided with frequent status communication process within the
reports throughout the strategy development organization and expectations.
process. • Develop a reporting format that is
meaningful to direct management
including status, next period activities,
risks, constraints and potential problems.
2 Senior management (particularly chief Summarize risks and continuity timelines and
executive, financial and operational officers) present to Senior Management with project
Corporate should make thoughtful decisions about timelines for approval of strategies that are
Sponsorship acceptable exposure (risks) to their business developed.
(Obtaining and the recovery and continuity timelines that
Management must be ensured by the organization.
Approval)
3 Obtain Senior Managements approval for • Request approval of strategy from direct
strategies. manager.
• Seek advice on content for next approval
level.
• Put together appropriate content change
for next approval level.
• Repeat until final approval is achieved at
the Senior Management Level.

08/20/07
Item What How Points of Reference
#
1 Identify all critical business processes and/or Utilize the information in the BIA.
systems, RTO, RPO, dependencies (vendors,
internal/external suppliers) and financial impact
for prolonged outages.
2 Continuity Planners and Business Managers • Determine responsibility for maintaining
need to understand potential impact of all current knowledge of laws, regulations
relevant laws, industry regulations and etc. within the various organizational
government codes. functions within the company such as:
Fire Safety, Risk Managements, Legal
(General Counsel), Audit etc.
Pre-Planning • Establish a structure for cross-pollination
of information with the various
organizational functions.
3 Continuity Planners and Business Managers • Determine who has responsibility for
must ensure that they are aware of the kinds of Audit and Information
audits to which they might be required to Technology/Security within the
submit. organization.
• Understand from these departments the
types of audits that they/the organization
is subject to.
• Build bridge with these departments to
maintain currency of information.

08/20/07
#
1 Identify and incorporate risk mitigation • Have a full understanding of Risk

strategies from the output of Subject Area 2 Acceptance identified in Subject Area 2
Risk Evaluation and Control. and how it may affect this strategy.
2 Ensure that a strategy exists for protecting vital • Identify Vital Records throughout the
records including electronic and paper organization
• Understand retention periods for vital
records including electronic and paper.
• Determine appropriate backup and/or
Planning & storage for vital records.
Development
• Ensure that senior management accepts
the program for vital records retention.
• Develop system and data back up
strategies that will meet the RPO from
the BIA requirements for each critical
system identified.
3 Identify the internal and/or external continuity • Review internal resources (ie: Multiple •
resources and solutions that meet the business locations with like business functions &
requirements. technology)
• Search out external business resources
using processes such as RFI, Queries,
Professional Organizations, etc.

08/20/07
#
4 Identify and understand the spectrum of all Review the following types of recovery • Appendix 4.4 - Planning &
available recovery alternatives available for alternatives and be prepared to make Development Recovery
each critical business function. recommendations: Alternative Definitions
• Alternative site or business facility
• Cold Site • Appendix 4.4 - Planning &
• Drop Ship/Quick ship agreements Development Recovery
Planning & • Hot-Site Third party service Alternate Strategy Matrix
Development providers
(Cont’d) • Manual Procedures
• Mitigation
• Mobile Trailer
• Reciprocal agreements
• Warm Site
• Work from Home
Note: List may not be all inclusive

08/20/07
5 Assess the feasibility of available resources and • Compare the cost ranges along with the • Appendix 4.5 - Planning &
solutions for the continuity/recovery of business advantages and disadvantages to Development – Hot Site RFP
processes. implement each strategy.
• Develop a cost benefit analysis and an
implementation timeline for each
strategy.
• Present concise and specific
recommendations to management. (The
cost benefit analysis should be used to
justify all recommendations
• Develop a Request for Proposal
(RFP) for disaster recovery third
party providers to complete for each
Planning &
alternative strategy
Development Include:
(Cont’d) • All Minimum hardware
requirements to support the
Critical System for a period of 6-
8 weeks
• Networking requirements (from
alternative location to home site)
• See sample RFP for additional
information that should be
included
• Prepare a RFP (based on findings from
the BIA) and send to all available Off-
Site Storage providers in your area to
obtain ongoing costs for the provided
services.

08/20/07
• Review and present recommendations,
based on the vendor RFP responses, to
management.
• Implement back up and off-site storage
practices
5. Emergency Response and Operations

Develop and implement procedures to respond to and stabilize the situation following an incident or event. (This includes identifying and
developing emergency response procedures; identifying command and control requirements and procedures; and defining strategy for
salvage and restoration.)
Sub-Topic # What Point of

How
Reference
Corporate 1 Identify stakeholders / decision makers. • Brainstorm with management team.
Sponsorship
(obtaining
Acquire a Senior Management Sponsor to • Schedule a meeting with the CxO to ‘sell’ the
support the program and is willing to business continuity management program concept
Management 2 periodically attend meetings and support and obtain commitment
Commitment)
related recommendations. • Management Team to identify the critical areas to
approach .
Identify risks (natural, neighbors, human, • Conduct a formal threat assessment for the
environmental, political, etc.) as well as the facility.
3 likelihood of risk so the plan addresses the • Work with local Emergency Management
appropriate level. Agencies to identify risks.
• Research the Internet for historical data.
Identify preventative measures that can • Review the threats and categorize by priority.
4 minimize the potential disaster from occurring. Then indicate the various mitigation options for
each threat.
Develop Emergency Response planning • Partner with Security and Facilities to develop
5
phases. these phases as well as external agencies.

08/20/07
Develop the strategy: • Schedule a meeting with Senior Management /
Sponsor to present the pros/cons, including
- Present for approval cost benefits including
financial information, related to implementing an
the advantages / disadvantages of
6 Emergency Response Program.
implementing an Emergency Response
Program.
- Obtain formal approval for the program
strategy As well as the budget
Educate Senior Management on their Roles • Partner with Senior Management / Sponsor to - Provide
and Responsibilities. document their roles and responsibilities. Senior
Management
a review of
7 the BC
process as
well as their
roles and
responsibiliti
es

08/20/07
Sub-Topic Item What How Examples
#
Partner with the local municipalities to be included - Prior to an event, identify, notify and exchange
in all proposed modifications to the local contact data with the various municipal
emergency management process and to be representatives (i.e. EMA director, fire chief,
notified of any federal notification received. mayor, etc.)
Planning – - Conduct periodic meetings with the
Emergency 1 representatives.
Response - Obtain management approval to conduct on-
site tours so local reps can become familiar
with office location. NOTE: Make prior
request with officials to not ‘write-up’ any
infractions if they are noted during the tour.
Partner with the local emergency management - Contact key representatives from the
agencies to develop response plans for various following areas: Police, Fire and Rescue,
scenarios initially targeting those identified in the Health Department, Local Emergency
Risk Assessment. Planning Committees, etc.
2 - Schedule a meeting to discuss the top five,
initially, identified risks. Discuss/confirm the
company’s response plans and how to
mitigate the impact of such an event.
- Present the findings to the management.

08/20/07
#
Develop an Emergency Response Team to include 1. Establish structure for Incident Command.
representation from areas such as Security, Real 2. Develop roles and responsibilities.
Estate, Business Continuity, Human Resources, 3. Develop tasks.
Safety, Public Relations / Communications, 4. Populate teams with primary, secondary,
Insurance, Internal Audit, Legal, and Business etc. designation. NOTE: Team members are
Representation. to obtain management approval prior to
3
acceptance of responsibilities.
5. Develop escalation procedures.
NOTE: This team’s major objective would be to 6. Develop communication flow.
respond to the immediate emergency, making the 7. Develop call trees.
appropriate decisions and directing supporting
groups such as security personnel.
Partner with the Security and Facilities Develop a procedure that outlines the roles and
Departments to ensure efficient and coordinated responsibilities of staff and management during
4
emergency response and communications an event.
throughout the response phase.
5 Establish a Command Center - Determine location and resources.
6 Learn the company’s safety measures, conduct
inventory, and assess current risk to plan
accordingly.
7 Establish procedures for evacuation (both internal
and external) and sheltering in place and train the
appropriate teams and employees in their roles.
Consider special evacuation needs and visitors.
8 Consider additional safety training opportunities in
such areas as fire extinguisher training, CPR/First
Aid/AED training, etc. Ensure training provided is
in alignment with your municipalities and legal
requirements. May need to consult with the Legal
Department.

08/20/07
#
9 Identify and acquire emergency supplies –
everyday and disaster specific based upon the
risks identified in Risk Assessment.
10 Equip the Emergency Response Team with vests,
walkie-talkies, clipboards, etc.
Sub-Topic # What How Examples

Establish Crisis Command Centers (primary,
1
secondary, on-site, off-site, virtual, etc.)
Document the requirements of the Command
2 Center (i.e., supplies, telecommunications, food,
etc.).
Document the process for activation and the
Documenting 3
triggers that would result in activation or alert.
an Emergency
Response Plan Develop and document methodology for Consider implementing an automated notification
communicating to employees during an incident. system.
4
Include processes for when employees are at work
as well as after hours.
5 Establish a communications plan to address regular
updates to the emergency response plan and to all
concerned parties.
Sub-Topic # What How Examples

08/20/07
Identify the appropriate exercise type to implement
1 (i.e., orientation, drills, tabletop, intra-departmental,
etc.)
Conduct emergency response exercises utilizing
2
realistic scenarios.
When developing a full-scale exercise, ensure to
3 involve external participants (i.e. local officials,
vendors, customers, etc.).
Exercising the Increase the level of simulation over time (i.e.,
Emergency 4 orientation, drills, tabletop, intra-departmental, etc.)
Response Plan and exercise various plans annually.
5 Ensure primaries and alternates are involved within
the exercises.
6 Document key findings from the exercise.
7 Periodically distribute key findings report to
business owners until resolutions are complete.
8 Incorporate any significant changes resulting from
the exercise and update the plan accordingly.
6. Developing Business Continuity Plans

Design, develop, and implement the Business Continuity Plan.
(This includes defining recovery management and control requirements; identifying and defining the format and structure of major plan
components; developing the business operations plan; developing the information technology recovery plan; developing the communication
systems plan; and developing end-user plans.)
#

08/20/07
#
1 Ensure that an executive sponsor is assigned • Identify the highest level management • NFPA 1600:2004. Standard on
as oversight and authority for the plan for the process, business function, or Disaster/Emergency
development and implementation process. If technology that is being targeted for the Management and Business
this was accomplished as part of the Initiate planning effort and request that level of Continuity Programs. Chapter 4
Project phase, this will be a validation step. management’s support either directly or Program Management.
by appointed designee. (Preferred
sponsor is executive level management,
e.g. CFO, CIO, market • PAS 56:2003. Guide to
Presidents/Executives) Business Continuity
Management. Introduction and
• Meet with designated executive sponsor.
Figure 2: BCM Relationships.
Review the planning process, the
expected deliverables, resource
Pre-Planning requirements, and communication flow • HB 221:2004, Standards
Activities for for status reporting and review of issues Australia/Standards New
Developing a as the plan development effort proceeds. Zealand, Business Continuity
Plan • If the organization does not have a Management. Introduction and
reporting format established, develop Chapter 2.1-Developing the
one that management agrees will meet BCM Program, Step 1:
its need for information on status, Commencement.
planned activities, risks, constraints and
potential problems.
• Practitioners Guide to Business
• If sponsor has not reviewed the project Continuity Management.
plan details for plan creation, review the Chapter 2, Commencement of
approach to be taken for the plan BCM; and Section 2.05, Gaining
development phase and when specific the Commitment of Others.
scope, schedule and cost information will
be provided.

08/20/07
#
2 Ensure that a business continuity policy is • Ideally, there should be a policy for the • NFPA 1600:2004. Standard on
defined. organization as a whole but if one does Disaster/Emergency
not exist, then request the executive Management and Business
sponsor to issue a general policy Continuity Programs. Chapter 4
statement for the process and functional (Program Management).
areas being covered by this planning
effort. (THE Policy should be an
enterprise Policy with attached executive • PAS 56:2003. Guide to
directive and the next level organizations Business Continuity
clarifying implementation and directive Management. Section 5.2
as required.) (Policy)
• HB 221:2004, Standards
Australia/Standards New
Zealand. Business Continuity
Management. Introduction and
Chapter 2.1 (Developing the
BCM Program, Step 1:
Commencement)

Continuity Management.
Chapter 2 (Commencement of
BCM)
• Federal Preparedness Circular

65: Federal Executive Continuity
of Operations (COP), June 15,
2005

08/20/07
#
3 Define, clarify, and develop sponsor • Request approval of strategy from
communication. executive sponsor and senior leadership
team(s).
• Seek advice on content from process or Section 2.05, Gaining the
functional leaders for each organizational Commitment of Others; and
tier that is in scope and establish Section 2.12, The Establishment
appropriate QA reviews/approvals for Checklist.
planning effort and content.
• Communication should include BCP
implementation stages and status for
clarification and support potential
assurance.
• Communication/report requirements
should identify and track function by
who’s responsible, who’s accountable,
who’s consulted and who’s informed.
• Communication/report requirements can
be mapped out using a RACI table
identifying function (responsible /
accountable / consulted / informed) per
#5 below.

08/20/07
#
4 Develop, present, and obtain approval for • Prepare a formal scope statement that • HB 221:2004, Standards
preliminary planning assumptions and outlines the assumptions and constraints Australia/Standards New
exclusions. for the BCP. Zealand, Business Continuity
• Obtain assumptions and exclusions from Management. Introduction, and
executive management and verify with Chapter 2.1-Developing the
Plan development interviewees BCM Program, Step 1:
• Review any additional assumptions and Commencement.
exclusions obtained from interviewees
with executive management prior to • Practitioners Guide to Business
inclusion, Continuity Management.
• The planning effort should address all Chapter 2, Commencement of
plans required to ensure overall BCM; and Section 2.06,
integrated continuity/disaster recovery. Establishing the Infrastructure of
• Present scope statement for formal BCM.
signoff.
5 Review the organizational structure and • Identify functional leaders • PAS 56:2003. Guide to
document the management hierarchy that will • Identify process owners Business Continuity
be in scope of the planning effort. Management. Annex A, RACI
• Verify organizational/structural analysis
with executive sponsor and/or senior Participants in the BCM Cycle.
leadership team(s)
Chapter 8, Section 8.04, Table
15a, The IRACI Tool.

08/20/07
#
6 Ensure that contact information, availability to • The professional practitioner should be • Practitioners Guide to Business
the project, and supervisory approval have been sufficiently familiar with the organization Continuity Management.
obtained for those who will be involved in BC to build a preliminary list of contacts for Chapter 2, Section 2.09,
Plan development. the team that is needed to support the Resource Allocation.
plan development process.
• The team members may be process
leaders or functional area managers.
(Clients and/or suppliers of functional
areas should be interviewed as
required.)
• Review/confirm team members with
executive sponsor and/or senior
leadership team(s) to ensure that those
resources will be authorized and
responsive to work on the planning
effort.
7 Define project scope, schedule and reporting • Refer to assumptions and exclusions • HB 221:2004, Standards
points and obtain management approval. above. Australia/Standards New
• Develop a succinct Power Point project Zealand, Business Continuity
outline presentation for management to Management. Template 11, The
review, discuss and approve. BCM Checklist.
• Ensure that all supporting components of
critical processes are included in the
Plan, including but not limited to IT,
business processes, workplace, staff,
suppliers, etc.

08/20/07
#
1 Complete a risk assessment for the processes • Identify and define all potential risks to • NFPA 1600:2004. Standard on
and/or areas to be included in the Plan. the process/functions to include Disaster/Emergency
regulatory, legal, operational, Management and Business
technological, financial, informational Continuity Programs. Chapter 5
and physical security. Geographic Program Elements, Risk
characteristics may also need to be Assessment.
factored in.
• Define applicable treats to the enterprise: • PAS 56:2003. Guide to
these could include such factors as Business Continuity
areas subject to hurricanes, tornados, Management. Section 6.3, Risk
floods, wild fires, civil unrest, acts of Assessment.
terrorism, mass transportation
breakdowns, utility failures, and so forth.
Gathering Data • Assess the probability of the threat • HB 221:2004, Standards
To Use for occurring Australia/Standards New
Further • Assess the impact from the threat Zealand, Business Continuity
Analysis and occurring Management. Chapter 2.1-
Consolidation Developing the BCM Program,
• Quantify/qualify the treat into a risk
Step 2 Risk and Vulnerability
matrix.
Analysis.
• Identify potential mitigations to reduce,
eliminate or transfer the risk.
Chapter 3, Section 3.05,
Identifying Risks; Section 3.13,
The Risk Assessment Checklist;
and Appendix B, Sources of
Risk.

08/20/07
#
2 Utilize the completed Business Impact Analysis • Review/confirm with the executive • PAS 56:2003. Guide to
(BIA) to confirm all critical business processes sponsor and/or senior leadership team(s) Business Continuity
and/or systems, Recovery Time Objectives as a part of the Plan development scope. Management. Section 6.2,
(RTOs), Recovery Point Objectives (RPOs), • Ensure all input is documented for use Business Impact Analysis.
dependencies (vendors, internal/external later on in writing the plan and ensure
suppliers) and financial impact for prolonged any new or modified information is
outages. • HB 221:2004, Standards
included with the BIA documentation. Australia/Standards New
• Outline planning assumptions to give to Zealand, Business Continuity
the process owners on the scope and Management. Chapter 2.1-
parameters of the planning effort. Developing the BCM Program,
Step 3 Business Impact
Analysis.

Confirming Critical Business
Functions; 4.06, Identify
Maximum Acceptable Outage
Times and Recovery Objectives;
and Template 4.3, Determining
the Minimum Acceptable Outage
Time.

08/20/07
#
3 Validate and/or clarify statements from senior • Document mission, vision, and goals of •
management about the mission, vision, and the organization’s process and functions
goals of the process/functions being covered by as determined by validation process.
the planning effort. • Confirm with business unit or process
owners, or their senior managers.
4 Identify mission critical processes and any other • Write executive summary covering the •
processes that support the mission critical ones mission critical processes and their
and may have potential impacts on them. dependencies on other processes,
internal or external.
• Review/confirm with management.
• Document process flow for use in Plan
validation recommendations.

08/20/07
#
5 Gather additional information from management • Review/confirm RTO’s and RPO’s with • Practitioners Guide to Business
about recovery goals, preliminary Recovery management. Continuity Management.
Time Objectives (RTO’s) and Recovery Point • Review/confirm recovery strategies are Chapter 4, Section
Objectives (RPO’s) to ensure that the scope aligned with the RTO’s and RPO’s, and if 4.01,Developing
and size of the plan development effort will meet not, clarify and confirm the risk level Communications for the BIA and
the organization’s information requirements. exposure management is willing to take. Table 5, Communication and the
BIA.
6 Establish requirements for resources and • Resources will be needed to review and • HB 221:2004, Standards
organizational commitment to complete the plan evaluate all data gathered prior to Australia/Standards New
development and implementation effort. initiating the plan documentation Zealand, Business Continuity
process. Management. Chapter 2.1-
• Resources will be needed to complete Developing the BCM Program,
and verify the plan components. Step 5 Developing Resource
• Resources will be needed to review the and Interdependency
finished plan. Requirements; Template 5,
Minimum Resource
• Resources will be needed to implement
Requirements Worksheet.
the finished plan.
• Resources will be needed to exercise the
plan as part of implementation. • Practitioners Guide to Business
• Resources will be needed to maintain Continuity Management.
the plan. Chapter 4, Section 4.03, Identify
Resource Requirements;
Template 4.7, Determining IT
Application Dependencies.

08/20/07
#
7 Make sure that all impacts have been analyzed • Financial impacts • HB 221:2004, Standards
and recorded if not captured by the BIA. • Operational impacts Australia/Standards New
• Legal impacts Zealand, Business Continuity
Management. Chapter 2.1-
• Regulatory impacts
Developing the BCM Program,
• Customer impacts Table 1, Examples of Disruption
• Regulatory compliance impacts Impacts on the Organization.

Analyzing Risk.

08/20/07
#
8 Identify and itemize vital records critical to the o Identify policy for vital records. If policy • ANSI/ARMA 5-2003, Vital
organization to include any critical tools or does not exist, work with executive Records: Identifying, Managing,
processes used in the retention process. sponsor to develop one. and Recovering Business-
o Identify Vital Records throughout the Critical Records.
organization
o Understand retention periods for vital
records including electronic and paper. •
o Review/confirm appropriate backup
and/or storage for vital records.
o Review/confirm system and data back up
strategies will meet the RPO from the
BIA requirements for each critical system
identified.
o Review vital records list to ensure that all
records needed for mission critical
processes are covered in the back up
and retention adequately to meet the
RPO.
o Compliance with record keeping
standards needs to be maintained at
time of business interruption or disaster.
o Review/confirm list with management.
o Keep list to use later

08/20/07
#
9 Identify and itemize vendors critical to the • Review/confirm list with management to •
organization’s mission, core business processes include name, location, contact
and/or functions as validated in Step 3 above. information and alternates to each.
• Keep list to use later
10 Identify key customers for whom notification will • Review/confirm list of key customers with •
be required at time of disaster or for whom a management.
business work-around will be essential. Include • Document your key customer interfaces.
required escalation procedures and parameters.
• Keep list to use later.

08/20/07
#
1 Confirm that overall recovery time objectives • Ensure total RTO meets Plan and
are achievable with recovery performance customer objectives.
• PAS 56:2003. Guide to
capabilities. • Validate information received with Business Continuity
exercise times. Management. Section 6.2,
• Ensure that up and downstream Business Impact Analysis. ·
processes and components align with
provided RTO’s
Complete Data Zealand, Business Continuity
Analysis and Management. Chapter 2.1-
Consolidation Developing the BCM Program,
for Use in Plan Step 3 Business Impact
Content Analysis

Confirming Critical Business
Functions; 4.06, Identify
Maximum Acceptable Outage
Times and Recovery Objectives
and Template 4.3, Determining
the Minimum Acceptable
Outage Time.

08/20/07
#
2 Confirm that overall recovery point objectives • Ensure total RPO meets Plan and •
are achievable with recovery performance customer objectives.
capabilities. • Validate information received with
exercise times.
• Ensure that up and downstream
processes and components align with
provided RPO’s
3 Finalize personnel and resource requirements • Develop contact list for plan • HB 221:2004, Standards
to develop and implement the plan. development/implementation team(s). Australia/Standards New
• Develop action plan such as a project Zealand, Business Continuity
plan or a Team Action Record to track Management. Chapter 2.1-
and monitor status of the plan Developing the BCM Program,
development and implementation Step 5 Developing Resource
activities, target dates, responsibility, and Interdependency
issues, progress, and comments. Requirements; Chapter 2.2-The
BCM Workbook, Template 5,
Minimum Resource
Requirements Worksheet.

Chapter 4, Section 4.03, Identify
Resource Requirements;
Chapter 6, Assessing and
Collating Resource
Requirements; and Appendix D,
Example of Consolidated
Resource Mapping.

08/20/07
#
4 Review, clarify and understand the recovery Review/confirm selected recovery solutions • PAS 56:2003. Guide to
alternatives available for each critical business such as: Business Continuity
function as well as cost analysis. Management. Section 7, BCM
• Alternative site or business facility Strategies. ·
• Warm site
• Cold Site
• Drop Ship/Quick ship agreements
• Hot-Site Third party service Zealand, Business Continuity
providers Management. (Chapter 2.2-The
• Manual Procedures BCM Workbook, Template 3,
• Mitigation Strategy Development
• Mobile Trailer Worksheet.·
• Reciprocal agreements
• Warm Site • Practitioners Guide to Business
• Work from Home Continuity Management.
(telecommuting) Chapter 4, Template 4.6,
Determining Alternate
Workarounds.
Note: See Strategies Best Practices

08/20/07
#
5 Consider various approaches to developing the • Vertical integrated planning is based • Practitioners Guide to Business
BCP documentation and effort. upon hierarchical or functional tiers with Continuity Management.
each tier mapped to the tier above and Chapter 7, The Framework of
below it. Plans.
• Tiers may also require to be horizontally
integrated as co-processes or
interdependencies.
• Tiers should incorporate references to
other plans relevant to the plan you are
working on, such as IT, third party
service providers, work area, network,
etc.
• Consider the operational and response
issues for Plan implementation.
• Include confidentiality and Plan
distribution considerations in the Plan
format.
6 Make sure a business case analysis for the • This is part of the Strategies phase but
recovery plan strategy has been completed and should be verified as part of the Plan
documented. development and validation phases. The
final strategy of mitigation or recovery
should have this analysis as input and
used in the strategy decision.
• Make sure that the proposed solution
costs are consistent with the risk
adjusted loss from an event. (See Risk
Assessment section above)

08/20/07
#
7 Review/confirm recovery site selection and o Use this information to document the
build-out requirements. component recovery phase processes.
Also impacts RTO.
o It is possible that this particular step may
require a sub-team to gather and
document detailed specifications.
8 Define key parameters that the Plan MUST Key parameter may include but not limited • NFPA 1600:2004. Standard on
address. to: Disaster/Emergency
Management and Business
• Legal & regulatory Continuity Programs. Section
• Contractual & Agreements 5.7.2, Plans.
• Compliance
• Plan format
• Plans should draw distinction between Business Continuity
recovering workplace and personnel vs. Management. Section 8,
technology Developing and Implementing
• Workplace BCM Plans.
• Staffing
• Recovery Procedures
• Disaster analysis, definition, notification Australia/Standards New
and escalation procedures. Zealand, Business Continuity
Management. Chapter 2.2-The
BCM Workbook, Template 6,
Continuity Plan Worksheet.

Contents of a BCP; and Table
17, Assurance Issues and
Evidence.

08/20/07
#
Plan 1 Overview and Scope • Include confidentiality statement and •
Documentation associated authority
Components • Plans MUST honor all required
“Confidentiality”
And • Plans should define activities for each
Applying phase of the Recovery (response,
Finalized Data decision process, post event & pre-
to Plan Content recovery, DR production and “back to
normal”)
2 Assumptions • Document the assumptions that went • If a subscription recovery facility
into the planning effort. is used, the assumption is that
• These items should clarify and define the facility will be available in the
any issues related to, but not limited to, event of an event requiring
RTO, RPO, notification and recovery or relocation of services.
mitigation ‘environment’, limitations or
support expected.
• Include any references that support the
Plan implementation such as vendor
BCP parameters, etc.
• Identify any impact they may have on
the Plan implementation.
3 Exclusions • Clearly outline what the plan is not •
intended to cover.
• Specifically identify, with explanation of
exclusion, what is excluded or
supporting processes or resources not
included.
• Identify any potential impact they may
have.

08/20/07
#
4 Compliance Statements • Document Plan components that • PAS 56:2003. Guide to
address specific key legal and/or Business Continuity
regulatory issues. This aids audit, Management. Section 10.3,
reporting and compliance requirements. Audit.

Chapter 9, Maintenance of a
BCM, Table 17, Assurance
Issues and Evidence.
5 Teams Document the following team information: •
• Key contacts
• Reporting structure
• Roles & responsibilities
• Contact information including but not
limited to name, address (with zip code)
phones numbers, emergency contacts
and alternates.
• For clarity, team names should match up
and downstream Plan parameters.
6 Declaration & Escalation process • Document the disaster identification and •
declaration process including but not
limited to Declaration authorities and the
initial Notification Procedure and/or
checklist
7 Supporting resources • These will normally be call back lists •
showing personnel and contact
information.
• Document the up and downstream
resources for each process to ensure

08/20/07
#
requirements are met
• Document the interface requirements for
each supporting resource
• Identify critical metrics (physical, timing,
etc.) for each resource
• Reference detailed documentation as
required to minimize Plan size,
especially resources with frequent
changes or time constrained. Use
known terminology and add a glossary
as necessary
• Identify each external supporting
resource
8 Controls • Document each Plan component •
requiring a control point, give a brief
explanation of the objective and purpose
of the control, the metrics and team
responsible for the control
• Identify the control authority (policy,
regulatory, compliance, etc., and
person) as appropriate
• Identify incident management (reporting,
audit, budget, etc.) and tracking
(inventory control, reporting, etc)
controls and the associated authority
and policy or regulation.
9 Recovery flow • If the sequencing of events can be •
displayed graphically, it can help to
understand when different part of the
plan is executed and also when
resources are needed.

08/20/07
#
• Develop the Plan structure to support
the Process Operational and Recovery
flow
• Document the Plan for each sub-
component and functional area to allow
appropriate distribution and support
required Confidentiality.
• Identify up and downstream
requirements and dependencies
• Document any component assumptions
• Use graphics as appropriate for
clarification and for inclusion in the Plan
validation process
• Identify each external supporting
resource (to include supply chain).
10 Plan Overviews Provide an overview of each sub-component • NFPA 1600:2004. Standard on
of the overall Plan, including but not limited Disaster/Emergency
to: Management and Business
Continuity Programs. Section
• Command and Control 5.7.2, Plans.
• Communication plan (internal and
external)
• Media Interface plan (pre-scripted and • PAS 56:2003. Guide to
approved messages) Business Continuity
Management. Section 8,
• Technology & tools plan
Developing and Implementing
• Workplace plan BCM Plans; and Annex B.5,
• Staffing plan Developing and Implementing
• Operational procedures plan for each BCM Plans.
phase of the recovery, such as interim
work-arounds
• Supply chain plan dependencies and

08/20/07
#
work-arounds Zealand, Business Continuity
Management. Chapter 2.2-The
BCM Workbook, Step 6:
Developing Continuity
Plans;·Template 6, Continuity
Plan Worksheet; and Template
9: Minimum Standard for
Content of BCM Plan.·

Contents of a BCP; and Table
17, Assurance Issues and
Evidence.
11 Appendices • Validation schedule •
• Key internal contacts detailed
information
• Vendor & suppliers detailed information
• Off-site resource information (vital
records, hot-site, workplace relocation,
etc.)
• Graphics (maps, floor & site layouts,
photos, organization charts, process and
recovery flow, etc)
• Inventories
• Sub-plan details as applicable
• Reporting requirements
• Event tracking requirements
• Compliance requirements and
references

08/20/07
08/20/07
#
1 Plan status report • Document a summary of the current •
state of the Business Continuity Program
Follow-up including processes included, excluded,
Activities and any open items (or planning gaps).
Emphasis should be given to potential
issues and the results expected with
Plans as developed.
2 Plan recommendations report to include but not • This report should be guidelines for each • NFPA 1600:2004. Standard on
limited to: of the aforementioned items and/or Disaster/Emergency
issues. Management and Business
• Confidentiality
• Validate issues with appropriate teams Continuity Programs. Chapter
• Plan Maintenance & distribution 13, Exercises, Evaluations and
and review with and obtain approval from
• Validation process the executive sponsor for this plan Corrective Actions.
• Audit process development effort.
• Training requirements
• Awareness program Business Continuity
• Command and control Management. Annex b, Section
7 – Exercising, Maintenance and
Audit.
Zealand, Business Continuity
Management. Section 2.1, Step
8, Training, Maintaining and
Testing Plans; and Template 10:
Training and Testing
Development Worksheet.

08/20/07
#

Chapter 9, Maintenance of BCM
Section 9.02, Performance and
9.05, The Maintenance
Checklist.
3 Post-Incident Documentation • Once teams have been deactivated, •
debrief Emergency Response, Crisis
Management and Business Recovery
teams.
• Identify and prioritize key learnings.
• Gather cost accounting detail.
• Gather visual records of event, e.g.
digital or hardcopy photos, newspaper
reports, internal and external
communications.
7. Training and Awareness

Prepare a program to create an organizational awareness and enhance the skills required to develop, implement, maintain, and execute the
Business Continuity Plan. (This includes defining the objectives of training; developing the types of training programs; developing awareness
programs; and identifying other opportunities for education.)

08/20/07
Establish objectives and components of • Obtain upper management support
Corporate BCM Awareness and Training and ask them to distribute memos
HB 221:2004, Standards
Program outlining awareness and training
objectives
Zealand, Business
• Promote employee and management Continuity Management.
awareness about emergency
procedures to enhance the
significance of business continuity
ASIS Guidelines
• Ensure employees with tasks within
the plans are fully aware of their
Training and responsibilities.
1 Network Reliability
Awareness • Define desired outcomes from the Interoperability Council
conduct of a plan test and choose an (NRIC) Standard
appropriate testing strategy
• Ensure relevant employees,
customers, suppliers and other
stakeholders are aware of the
business continuity initiatives
• Establish and use metrics to identify
key areas of focus, and measure
progress in improving quality,
reliability, and security

08/20/07
Identify Functional Awareness and Training • Test the level of readiness through Network Reliability
requirements planned drills or simulated Interoperability Council
exercises (NRIC) Standard
• Establish, implement and test
emergency response and crisis
management programs to include
external first responders and civic
authorities in mutual emergency
preparedness planning
• Ensure that guard service provider
implements on-the-job training for on-
site security personnel
2 • Provide periodic, at least annually,
security awareness briefings to all
personnel
• Provide awareness briefings to all key
relevant employees or contractors on
mail screening procedures
• Provide periodic training to appropriate
personnel to ensure understanding of
and compliance to hazardous
materials
• Establish and train on policies and
procedures that mitigate workplace
violence
Develop Awareness and Training HB 221:2004, Standards
Methodology Australia/Standards New
• Conduct a debrief with all of those Zealand, Business
involved in the test, and those with Continuity Management.
3 responsibility for plan maintenance or
future activation and assign
responsibilities for plan improvement
activities

08/20/07
Acquire or develop Awareness and Training • Create templates internally
4
Tools
Identify external Awareness and Training • Attend regular meetings of
Opportunities organizations that include business
continuity in the scope of their activities
(i.e. ASIS, BOMA, RIMS, ISSA, ISACA)
• Complete FEMA Independent Study
5 courses
• Attend training opportunities offered by
State, County or local emergency
management office
• Attend CERT Training and promote
employees to attend
Identify alternative options for Corporate • Lessons learned from previous tests HB 221:2004, Standards
Awareness and Training and actual incidents should be built into Australia/Standards New
6
the testing cycle Zealand, Business
Develop Awareness and Training Objectives • Establish a test schedule and timeline Refer to Appendix with
as to how often the plan and its sample test schedule
components will be tested
7 • Ensure participants understand their
roles in an exercise; encourage
participants to interact and discuss
issues and document lessons learned
Develop and Deliver various types of • Use a combination of walk through,
Training live and simulation training methods
8 Programs (i.e. Computer based, classroom,
test-based and instructional guides and
templates

08/20/07
Develop Awareness Programs (i.e. • Distribute key contact information to
Management, Team Members, New new employees on wallet cards (ie.
Employee Orientation and current employee Hotline number for status during
refresher program) outage)
• Provide management with monthly
status updates on all training and
9 awareness activities
• Provide yearly training for current
employees
• Schedule Awareness training to
coincide with National Business
Continuity week
Identify Other Opportunities for Education • Attend yearly Business Continuity Refer to Appendix listing all
Conferences and local Business Business Continuity groups
Continuity group meetings to network in the US
with other professionals and learn
10 what other companies are doing in the
BC/DR Programs
• Enroll in Business Continuity/Disaster
Recovery college courses
8. Maintaining and Exercising Business Continuity Plans

Pre-plan, coordinate, evaluate, test and exercise the Plan, and document the results. Develop processes to maintain the currency of the Plan
in accordance with the strategic direction of the organization. (This includes determining exercise requirements; developing scenarios;
establishing evaluation criteria; defining exercising objectives; preparing post-exercise reporting; defining a plan maintenance schedule;
maintaining the plan; and developing change control procedures.)

08/20/07
Sub-Topic Item What How Points of Reference
#
Identify Requirements as per • Review existing BC plan • DR Checklists
environment • Review BC controls
• Script for exercise
• Develop framework and governing
structure as per the above • Agreed upon exercise
• Develop Methodology including types schedule
of exercises to be used (desktop,
procedural, actual operations,
simulation) as well as frequency of
Establish
1 testing
exercise program
• Develop Communications plan from a
Mgmt and Executive Mgmt
perspective
• Identify plan maintenance cycles
required to support overall corporate
or business unit goal
• Develop Change Control procedures
noting the committee required to
approve plan changes and criteria

#

08/20/07
#
Coordinate next steps with team involved • Schedule kickoff with identified
in exercise resources required for testing (end
users, Internal Audit, business unit
team members, Compliance and BC
Directors)
Tactical exercise 1 • Provide overview and receive
activities
agreement on expectations, goals and
critical success factors
• Document components to be tested
as well as timeframe required as per
RTO and RPO

#
Based on scenarios most appropriate to - Develop a realistic scenario based on
the exercise focus noted above, develop items noted as key within the Risk
steps supporting the completion of either Evaluation and Control area
data or required functional processes - Identify a situation which would impact
listed (either negatively or positively) the
department or companies ability to
continue normal operations
Exercise 1 - Identify within the scenario, the
Development
personnel required to accomplish the
restoration of business or data tasks
impacted
- Identify touchpoints and
interdependencies with various
business units

08/20/07
#
Write report based on exercise • Complete exercise audit process by
reviewing results with stated
expectations, goals and critical
success factors
• Identify opportunities for improvement
Exercise Follow- 1 • Develop draft report to team members
up
involved and ask for feedback based
on their population of test scripts
noted in the initial phase
• Combine all test script data and
submit to Mgmt for review

#
Incorporate agreed upon Changes in • Based on coordinated test script detail
1 plan and Mgmt agreement, update plan
and exercise archive as appropriate
Distribute data as required • Based on methodology and team
Plan Maintenance 2 members identified, distribute plan as
per noted cycle
3 Change Control • Execute next steps as per change
control methodology
9. Public Relations and Crisis Communications

Develop, coordinate, evaluate, implement, and exercise public relations and crisis communication plans. (This includes identifying components
of a public relations program and identifying external agencies with whom prior relationships need to be established.)

08/20/07
#
Ensure the company’s Communications - Obtain Senior Management approval
Department has identified key internal and sponsorship for designated internal
resources designated to initiate crisis resources.
1
communications with employees, - Have Senior Management identify any
Planning - Media business partners, vendors, government additions or deletions of key resources.
and Public and external media.
Relations Ensure the company’s Communications - Obtain approval from business
Communications Department has identified key external partners, vendors, government and
contacts for the various business media organizations for designated
2
partners, vendors, government and external resources.
media organizations, including after-hour
contact information.

#

08/20/07
#
Develop Crisis Communication Plans - Obtain contact (during and after
with internal personnel (management, business hours) information for internal
staff, response teams, etc.) personnel.
- Establish call trees for Senior
Management.
Develop – - Establish call tree for Crisis
Proactive Crisis Management teams.
1
Communication - Establish call trees for internal
Program departments.
- Establish call trees for other response
teams.
- Develop ongoing procedures / tools to
manage relationships and
communications process.
Develop Crisis Communication Plans - Obtain contact (during and after
with business partners, vendors, business hours) information for
government and media organizations customers /clients, external vendors,
2 to ensure they are kept informed suppliers, government authorities etc.
manage relationships and
communications process.

08/20/07
#
Develop Crisis Communication Plans - Identify and obtain contact (during and
with the media after business hours) information for
media .representatives (radio, print,
television, etc.)
- Establish credentials for key media
representatives for future events; also
3 identify access levels for credentials.
- Establish relationships in advance of
emergency events.
manage relationships with the
stakeholders.
- Establish designated internal / external
locations for media briefings.
Develop an Awareness and Education - Partner with Security and Facilities to
Program for Staff and Management identify methods for integration with
4 existing programs.
- Identify the media type, frequency,
methods of distribution, etc. regarding
the program.

#

08/20/07
#
Establish communication methods (i.e., - Partner with the Human Resources and
800 number, website, pager distribution Telecommunications Dept., etc. to
lists, conference lines, etc.) establish an 800 # that can be activated
at time of an event to communicate
1 status information to employees as well
800 numbers for crisis communication
teams, etc.
- Develop distribution lists for various
management teams, response teams,
Implement -
etc.
Media and Public
Contain media personnel during an - Work with physical security and
Relations 2 event. management to direct media personnel
Communications
to designated location(s).
Educate employees to direct media - Print and distribute memo instructing
inquiries to the PR Department. employees to direct any media inquires
to the PR Department.
3 - Post memo on intranet.
- Print labels to put on employee badges
stating the PR contact name and
number.
4

08/20/07
#
Develop Exercise - Develop exercise process including
scenarios, types of exercises (table
1 top, walkthroughs, partial, etc.), post
exercise reviews.
- Determine participants.
Exercise – Crisis - Schedule times and locations.
Communications 2 Facilitate Exercise - Monitor the progress and keep
everyone on a time schedule.
Involve appropriate external parties - Extend invitations to department
during exercise events. representatives to participate in the
3 exercise.
- Carefully select the time during the
event to involve the media, if at all.
Sub-Topic Item What How Point Of Reference

#
Maintain - Media Conduct periodic updates to the media - Ensure the corporate
and Public during and after an event to avoid spokesperson provides factual
Relations 1 reports from their perspective. communications.
Communications - Schedule and post times for
updates.
Facilitate the company’s post-mortem - Develop a format for lessons
meeting and share ‘Lessons Learned’ learned so that everyone is using
among all departments. a common form.
2
- Distribute the form at the beginning of the
exercise or the event.
- Schedule to the post mortem event within
one week of the event.

08/20/07
Conduct a post-mortem with the media Schedule a meeting and discuss how the
3
contacts. process can be improved for both parties.
10. Coordination with Public Authorities

Establish applicable procedures and policies for coordinating response, continuity, and restoration activities with local authorities while ensuring
compliance with applicable statutes or regulations. (This includes identifying applicable laws and regulations governing emergency response;
identifying agencies supporting disaster recovery and business continuity; and developing plans to meet statutory requirements.)

#
Preparedness 1 Determine who your local and - Determine who is responsible for liaison with Examples of groups and
regional public authorities are and each area of expertise individuals to know:
their potential impact on your plans - Meet regularly with each authority internally
- Local emergency management
including, but not limited to, and/or externally
offices (city, county, region, etc.)
emergency management, fire, - Participate in joint activities
- Elected & appointed officials
police, public utilities and elected - Support authority initiatives, especially those
including but not limited to,
officials. affecting your business and area.
mayor, county judge, council
- Communicate regularly with internal staff
members, etc.
who are members of or volunteers for public
- Fire chief, police chief, (EMS)
authorities.
Emergency Medical Services
head, public (or service
provider) utility head and
designated interface, etc
Preparedness 2 Understand potential impact of laws, - Determine responsibility for maintaining Examples of when this
regulations, codes, zoning, current knowledge of laws, regulations, etc. knowledge may be important:
standards or practices concerning to include assignments for public meeting
- Hazardous material response,
emergency procedures specific to attendance, press release and other release
movement and receipt may
reading, and meeting with public officials.

08/20/07
#
your location and industry - Hold regular meetings to discuss changes require specific notification and
for or impact to current response, coordination.
emergency and recovery procedures. - Understanding OCEA
- Participate in local emergency planning regulations.
committee meetings. - Heavy or “large” equipment or
- Partner with other organizations with interest objects moves may require
in similar or the same laws, regulations, permits and coordination.
zoning, etc. for information sharing and - Radio frequency may be
“encouragement” support. regulated
- Leverage your internal legal department. - Response supply access may
- Assign lobbying responsibility to “encourage” be limited (local & vendor site)
laws, regulations, zoning, etc - Expected resources may not be
available if preempted by higher
authorities
Examples of organizations:
- EHMA-East Harris County
Manufacturers Association
- LEPC-Local Emergency
Planning Committee
- Industry associations
- Area support groups
o Building & “block”
associations
- Neighborhood Associations
Lobbying points of reference:

- Direct and association lobbying
efforts
- Zoning commissions
- Appraisal District Boards

08/20/07
#
- Water supply boards

Preparedness 3 Determine organizational interface - Assign an internal liaison responsibility for Match expertise with requirement
protocol, identification and training each area of expertise
- PIO (Public Information Officer)
requirements and assign - Include information in the regular validation
- PR (Public Relations Officer)
appropriate internal staff or support process
- Technical staff interface
representative(s). - Reinforce interface protocol at all levels
- Fire team
during training exercise, etc.
- Hazmat team
- Develop Policy and operational procedures
- Facilities support
to support and define the activity.
- Hold joint meetings to discuss and establish
expectations for internal and external Example groups include:
response, emergency and recovery
- Area councils
procedures
- Resolve any conflicting issues and - Local Emergency Planning
coordinate and document resolutions for Committee (LEPC)
- Volunteers Active During
implementation.
Disaster (VOAD)
- Citizen Emergency Response
Team (CERT)
Note: These lists are not all

inclusive
Preparedness 4 Document the forms and processes - Include this responsibility to the persons - ICS (Incident Command
to be used before or during an event assigned liaison responsibility for each area System) forms
or exercise to ensure activities and of expertise - Process flow charts
participants, etc. are captured for - Include information gathered in internal - Communication interface forms
review and Plan response and procedures - Staffing forms
recovery improvements. - Validate information on a regular basis - Contact lists
- Include information gathered in internal - Chemical descriptions & affects
procedure validation exercises.
- Hold joint information sharing meetings and
exercises to review results of information

08/20/07
#
gathered during an event.

- Include this process in future updates of your
plan and training and awareness program.
- Determine if permits are required specific
(public authority provided) request and/or
reporting forms
Preparedness 5 Document the public authority - Determine who is responsible for liaison - Contact lists with details
groups and individual contacts, their each area of expertise - Interface methods
communication protocol required - Validate information gathered on a regular documentation & forms
and status reporting process. basis to ensure information is current on a - Insurance confirmation forms,
quarterly basis. etc.
- Develop or obtain forms/reports to be used - Permit reporting forms
at time of incident.
- Develop Post Incident Review (PIR) process
Public authority groups examples:
and timelines.
- Work with local Public Information Officers o Fire
(PIO) to understand and follow protocol. o Police or Deputy Police
- Ensure that any permit required activities, o National Guard
which may require several stages of
interface throughout the process such as
pre-approval, coordination or monitoring, Volunteer and non-Profit group
and post event reporting and review, are examples:
completed as required. o Volunteer fire
- Participate with public authorities during an o CERT-Citizen Emergency
event or exercise to and validate any Response Team
coordination specifically required expertise, o LEPC-Local Emergency
equipment, training and protocols. Planning Committee
o Salvation Army
o Baptist men
Preparedness 6 Document each public authority - Determine who is responsible for liaison Examples of sources to monitor
group’s information sources that each area of expertise include:
apply to your full Business - Maintain source locations and include in
- NWS (National Weather
internal documentation.

08/20/07
#
Continuity Management processes. - Validate information on a regular basis Service) email service
(quarterly recommended). - Website “Alert” pages
- Incorporate information in internal disaster
- Court (legal system)
scenarios and procedure validation
notifications through business
exercises.
journals, website, etc.
http://www.tropicalstormrisk.com/
http://www.noaa.gov/
http://neic.usgs.gov/neis/bulletin/
http://www.nws.noaa.gov/
http://www.nhc.noaa.gov/
http://www.prh.noaa.gov/ptwc/
http://www.emsc-
csem.org/Html/ALERT_email.html
Local Metro traffic cameras
(Houston)
http://www.houstontranstar.org/
Preparedness 7 Ensure information that may be - Assign an internal liaison responsibility for Examples of information required:
required immediately by public each area of expertise
- Electrical and telecomm
authorities during an incident is - Include in the planning a liaison to work with
sources,
readily available. the local officials on site at the time of an
- Floor plans
incident. Ensure they understand the role
- Hazardous Waster Storage
and the information that would be required of
facilities (ie: PCB’s)
them.
- Chemical storage & supplies
- Provide regular information and resource
- Laboratories,
tours for public authorities and internal
- Organizations site layout
liaisons to ensure appropriate information
information
sharing.
- Secure areas,

08/20/07
#
- Document and provide, appropriate, type - Water

and location information (maps, graphs, - Foam for fire suppression
spreadsheets, etc.) being certain to maintain
appropriate confidentiality.
Note: This list is not all inclusive
Preparedness 8 Document the levels of support - Assign an internal liaison responsibility for - Public authority policy
available to your organization’s each area of expertise - Hazardous material clean-up
response and recovery Plan. - Hold joint meetings or exercises to discuss (may need EPA approval,
internal and external response, emergency reporting etc.)
and recovery procedures and the overall - Non-profit charter policy (Red
support that will be provided based upon Cross, United Way, Baptist Men,
different scenarios. Salvation Army, etc.)
- Resolve any conflicting issues and - Citizen group policies (CERT,
coordinate and document resolutions for etc.)
implementation.
- Include information gathered in future
updates of your plan.
- Include the information gathered as part of
the Plan and response validation process.
- Evaluate support during critical time periods
such as days 1 through 5 of your
requirements and procedures as they relate
to public authority interface.

08/20/07
#
Preparedness 9 Obtain and review your facility(s) - Assign an internal liaison responsibility for Examples of access issues:
and regional access issues. each area of expertise
- “All clear” parameters
- Include information gathered in internal
- Evacuation and return routes
procedures
- Official escape and return routes
- Validate information on a regular basis
of personal and commercial
roadways, waterways and
procedure validation exercises.
airway
- Obtain maps and identify alternate routes
- Special transport routes

(chemical, size, etc.)

Preparedness 10 Identify and document - Assign an internal liaison responsibility for Examples of local and regional
organizational and other coordinating with external liaisons and public authorities locations:
resources potentially available in evaluating possible mutual aid assistance.
- Banks
support of public authorities and - Include information gathered in internal
- Churches,
other organizations. procedures and documentation.
- Fire stations,
- Infrastructure terminals and
- Include information gathered in disaster
storage locations,
validation scenarios.
- Parking lots
- Include information gathered in internal risk
- Police
assessment and mitigation processes
- Public buildings such as city
- Provide regular information and resource
halls, courthouses, Justice of
tours for public authorities and internal
the Peace
liaisons to ensure appropriate information
- Historical monuments &
sharing.
statues
- Document and provide, appropriate, type
and location information (maps, graphs,
spreadsheets, etc.) being certain to maintain Examples of supporting
appropriate confidentiality. resources:

08/20/07
#
- CERT-Citizen Emergency
Response Team
- Sea ports
- EOC Centers -Emergency (or
Joint) Operation Centers
- Evacuation support centers
- Fire facilities
- Hospitals,
- Key vendors,
Planning Committee resources
- Television & Radio stations
- National Guard
- Police
- Red Cross
- Supply warehouses
- United Way
- Salvation Army
- Baptist Men

inclusive
Share item examples:

- Hazardous materials
- Chemicals
- Fuel supplies
- Water & foam (fire
suppression) sources
- Communication devices &
support equipment

08/20/07
#
- Ham radio
- Equipment (trucks, back hoes,
ships, etc.)
- Organizational contacts
- Locations
- Skills and Training parameters
- Shelter capability
- Ability to provide food to
emergency
workers/community
Preparedness 11 Acquire public authority reports of - Assign an internal liaison responsibility for Examples studies, assessments
area vulnerabilities and risks and each area of expertise etc.:
include complimentary and - Maintain current public and internal studies
- Flood plain maps
appropriate mitigation and response and assessments and include in future
- Risk assessments
procedures in your organizations updates of your plan.
- Monitoring systems
Business Continuity Plan and risk - Include applicable information in the risk
- Road extensions
assessment process. assessment, BCP development, internal
- Bridge capacities
change control process and validation
- Land use studies
processes
- Debris Management
- Partner with local authorities on
assessments.
- Contact local authorities to obtain Examples of where to obtain
information. information:
- Department of Transportation
(DOT)
- Environmental Protection
Agency (EPA)
- Regional Councils (HGAC
Houston Galveston Area
Council)

08/20/07
#

Preparedness 12 Document organizations staff - Require each internal team to maintain and Public authority
members that may be a member of communicate this information to the groups
a public authority or support group. appropriate internal team (BCP, Emergency examples:
management, etc.) for consolidation and
- Fire
distribution.
- Police or Deputy Police
- Work with legal to ensure all liability issues
- National Guard or any military
have been addressed.
affiliation
- Compare the list to internal response lists to
ensure that internal readiness and response
are not affected Volunteer and non-Profit group
- During training, ensure all participants are examples:
aware of their organizational responsibilities
and identify any conflict with responsibilities - Volunteer fire
within the community. - CERT-Citizen Emergency
Response Team
Planning Committee
- Salvation Army
- Baptist men
- Defense Force -
Note This is not an all inclusive

list

08/20/07
#
Preparedness 13 Document local and regional - Assign an internal liaison responsibility for Infrastructure examples:
supporting infrastructure resources. each area of expertise
- Roadmaps
- Contour maps
procedures and documentation.
- Pipelines
- Waterlines
- Include information gathered in disaster
- Power plants and grids
validation scenarios.
- Communication lines & hubs
- Include information gathered in internal risk
- Railroads
assessment and mitigation processes
- Bridges
- - Visit each location on a regular basis and
- Water and fuel supplies
include in internal operational and response,
emergency and recovery procedures.
Preparedness 14 Obtain a copy of and review the - Assign an internal liaison responsibility Public authority
Emergency Operations Procedures - Require appropriate review and analysis policy &
of the Local Authorities, against internal procedures, documentation procedure
and validation exercises. manuals:
Note: Information sources are staff who are
- Fire
members of these groups and direct from
- Police
the public authority & volunteer groups
- Transportation department
- HAZMAT

08/20/07
#
Preparedness 15 Participate in local Emergency - Assign the responsibility of coordination of Types of organizations:
Management, Business Continuity an appropriate interface to executive
- CERT-Citizen Emergency
and other organizations that support management.
Response Team
your industry. - Include responsibility to internal Public
- Sea ports support
Relations (PR) and/or Public Information
- EOC Centers -Emergency (or
Officer (PIO).
Joint) Operation Centers
- Work with Legal Dept. to ensure liability
- Fire departments
issues are addressed.
- Hospitals,
Planning Committee resources
- National Guard
- Police
- Red Cross Disaster services
- United Way
- Salvation Army
- Baptist Men
Preparedness 16 Utilize an accepted standard of - Train and validate training for ICS - National Incident Management
incident command format that - Use the ICS format in all response, System (NIMS)
interfaces with local/regional/etc. emergency and recovery procedures as well - Incident Command System
authorities and their implementation. as operational procedures where applicable. (ICS) forms
- Hold regular meeting with and participate in
or observe public authority ICS
implementations and activities.
- Review information gathered for possible
changes to internal procedures.

08/20/07
Response & 1 Monitor documented status - Assign maintenance of monitoring status Examples of sources to monitor:
Recovery information sources included on local, information.
http://www.tropicalstormrisk.com/
regional and national Warning - Include gathered documentation in the
Systems, Press Releases, radio and internal response, emergency and recovery http://www.noaa.gov/
television reports, etc. procedures and operational procedures.
- Ensure resources are available for person http://neic.usgs.gov/neis/bulletin/
monitoring status to have internet access, http://www.nws.noaa.gov/
weather radios and cable TV and radio
availability minimum for monitoring. If http://www.nhc.noaa.gov/
necessary include satellite phones. http://www.prh.noaa.gov/ptwc/
http://www.emsc-
csem.org/Html/ALERT_email.html
- Pacific Disaster Center

http://www.pdc.org/core_rva.php
- Houston area Metro
http://www.houstontranstar.org/
Response & 2 Document the actual events including - Assign event documentation responsibility - ICS (Incident Command
Recovery all incoming information and - Maintain effective documentation forms and System) forms
recommendations and comments by process - Process flow charts (RTO, RPO,
participants, clients and observers to - Include gathered documentation in the etc.)
facilitate post event analysis. internal response, emergency and recovery - Communication interface forms
procedures and operational procedures. - Staffing forms
- Contact and contacted lists
- Procedure changes & issues
occurring

08/20/07
Response & 3 Communicate availability and - Obtain executive approval Share item examples:
Recovery document use of resources for public - Assign an internal liaison responsibility for
- Hazardous materials
authorities. coordinating with external liaisons the
- Chemicals
availability of possible mutual aid resource
- Fuel supplies
assistance.
- Water & foam (fire suppression)
- Assign the mutual aid documentation and
sources
reporting responsibility
- Communication devices &
- Maintain currency of mutual aid resources
support equipment
- Work with legal to ensure liability issues are
- Ham radio
addressed
- Equipment (trucks, back hoes,
graders, ships, etc.)
- Organizational contacts
Other items may also be

considered depending on need,
availability and industry

08/20/07
Training/Exercise 1 Participate in local and regional - Document available public authority offered Training examples to consider:
& Awareness training and exercises as appropriate training possibilities
- Emergency Management
to support organizations - Use public training as appropriate to support
training
requirements internal requirements
- HR-Human Resource training
- Obtain internal executive approval
- Joint support training (VOAD,
- Assign executive management responsibility
CERT. etc.)
for the exercise participation decision
- Security (police) and fire
- Document appropriate participation roles and
training
responsibility
- Handling of hazardous
- Assign internal staff specific participation
materials
responsibility
- Evacuation training
- Document and review activities and results
addressed Exercise examples to consider:
- Fire drills
- Terrorist drills
- Hazardous material drills
- Evacuation drills
- Emergency Operations
Center (EOC).

inclusive

08/20/07
Training/Exercise 2 Share internal training for the - Document available shared training Training to consider sharing
& Awareness response and recovery Plans possibilities includes:
developed including documentation - Obtain internal executive approval
o Documentation validations
validations and certification process, - Assign an internal liaison to coordinate
o Certification process
table-tops, walk-through’s, including public authorities in internal
o Table-tops
component validations, etc. approved training
o Walk-throughs
o Component validations
addressed
o Equipment maintenance
procedures
- Note: This list is not all

inclusive
Training/Exercise 3 Monitor public authority exercises - Assign a liaison to monitor public authority Example sources to monitor
& Awareness and event response and review their activities include:
on-going recovery status and Plan - Review the information gathered and
- Newspapers
implementations. integrate into internal appropriate procedure
- Trade and association
documentation
newsletters
- Participate in events and review public
- Television and radio
releases related to the event.
announcements
- Inquire about up-coming events., through
- Websites of the public
regular conversations with local authorities,
authority and participating
organizations
Note: This list is not all

inclusive

08/20/07
Training/Exercise 4 Notify and include authorities of - Assign executive management responsibility - Up coming exercise
& Awareness organizational exercises where for the decision of including public authorities - Fire Drills
applicable. in internal activities.
- Assign a liaison to communicate and
coordinate the internal event schedule and
any on-going event status
- Provide an event overview to the authority to
aid their review and “follow along”
- Maintain currency of event public authority
inclusion
- Document roles and authorities
- Review all resulting activities and
participation.
addressed.

08/20/07
# What How Points of Reference
Post Event or 1 Review public authority event or - Assign a reporting process and a person Examples of information sources
Exercise exercise documentation; plan responsibility for the information gathering include:
objectives, participants and final - Document an appropriate reporting format for
- Local Emergency Managers
reports for lessons learned and Plan the information
- Board of Supervisors
and training modifications and - Assign information review responsibility
Minutes/Meetings
procedures improvements. - Include reviewed information into the internal
- LEPC Coordinator
change control process
- Websites of the public
- Use any available public information your staff
authority and participating
members who are members of the public
organization
authority have concerning the event.
- Obtain information from the
exercise or event source.
Post Event or 2 Communicate internal event or - Obtain executive authorization for information - Exercises
Exercise exercise results to public authorities to be shared with public authority and the - Fire Drills
when their support was utilized, could associated confidentiality. - Actual events
have been utilized or had an effect on - Assign a high level communication liaison
your recovery. - Review to be reported information for
inclusion into the internal change control
process and
- Communicate public authority response to
information received.
- Assign a liaison to “encourage” public
authority participation if their assistance
“could have been utilized” and adjust internal
procedures to cover requirements until their
participation or resources are available.
Post Event or 3 Participate in post event public - Assign an executive management and/or PR - Forums
Exercise discussions and round-tables. person to determine the participation role
- Assign a post public authority event liaison
- Document a reporting, and evaluation
process and a procedure for post event
information integration.

08/20/07
# What How Points of Reference
addressed
- Prepare by reviewing released event
information
Post Event or 4 Coordinate future internal - Define and document possible future events
Exercise exercises and objectives with local to coordinate
authorities. - Receive approval by executive management
of events and roles and responsibilities
- Meet with public authority to review event
possibilities and the roles and responsibilities
and obtain their recommendations and
approval
- Report final coordination plans with executive
management for approval.
- Document coordination reporting format and
assign documentation responsibility
addressed

08/20/07
08/20/07
111
VII. Appendices
a. Developing Business Continuity Strategies
APPENDIX 4.5 APPENDIX 4.4 APPENDIX 4.4

Planning & DevelopmePlanning & DevelopmePlanning & Developme
b. Training and Awareness
Exercise Roles.doc Exercise

Schedule.doc
112
COMPANY Corporation Page 113 of 113 CONFIDENTIAL
08/20/07

Gap

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Gap

Uploaded by

Copyright:

Available Formats

Generally Accepted Practices

Business Continuity Practitioners

Disaster Recovery Journal

Generally Accepted Practices Page 2 of 113

1. Project Initiation and Management

• Association of Records Management Administration (ARMA)

Generally Accepted Practices Page 3 of 113

Generally Accepted Practices Page 4 of 113

Generally Accepted Practices Page 5 of 113

Generally Accepted Practices Page 6 of 113

Establish a governance  Identify Steering committee roles and  Mission Statement

Sub-Topic # What How Points of Reference

Generally Accepted Practices Page 9 of 113 CONFIDENTIAL

Generally Accepted Practices Page 10 of 113 CONFIDENTIAL

Sub-Topic # What How Points of Reference

Generally Accepted Practices Page 11 of 113 CONFIDENTIAL

Develop BC Strategy and  SUBJECT AREA 4:

Generally Accepted Practices Page 12 of 113 CONFIDENTIAL

SUBJECT AREA 10:

• Assign representatives from in-scope SUBJECT AREA 7:

Generally Accepted Practices Page 13 of 113 CONFIDENTIAL

Generally Accepted Practices Page 14 of 113 CONFIDENTIAL

Sub-Topic # What How Points of Reference

2. Risk Evaluation and Control

Generally Accepted Practices Page 15 of 113 CONFIDENTIAL

Generally Accepted Practices Page 16 of 113 CONFIDENTIAL

Generally Accepted Practices Page 17 of 113 CONFIDENTIAL

Generally Accepted Practices Page 18 of 113 CONFIDENTIAL

Generally Accepted Practices Page 19 of 113 CONFIDENTIAL

Sub-Topic # What How Points of Reference

Generally Accepted Practices Page 20 of 113 CONFIDENTIAL

Sub-Topic # What How Points of Reference

Generally Accepted Practices Page 21 of 113 CONFIDENTIAL

Generally Accepted Practices Page 22 of 113 CONFIDENTIAL

Sub-Topic # What How Points of Reference

Generally Accepted Practices Page 23 of 113 CONFIDENTIAL

Automated Process - Email

Generally Accepted Practices Page 24 of 113 CONFIDENTIAL

Sub-Topic # What How Points of Reference

Sub-Topic # What How Points of Reference

Generally Accepted Practices Page 25 of 113 CONFIDENTIAL

Sub-Topic # What How Points of Reference

Generally Accepted Practices Page 26 of 113 CONFIDENTIAL

Generally Accepted Practices Page 27 of 113 CONFIDENTIAL

Sub-Topic # What How Points of Reference

Generally Accepted Practices Page 28 of 113 CONFIDENTIAL

Sub-Topic # What How Points of Reference

Generally Accepted Practices Page 29 of 113 CONFIDENTIAL

Generally Accepted Practices Page 30 of 113 CONFIDENTIAL

Generally Accepted Practices Page 31 of 113 CONFIDENTIAL

Sub-Topic # What How Points of Reference

Generally Accepted Practices Page 32 of 113 CONFIDENTIAL

Sub-Topic # What How Points of Reference

Generally Accepted Practices Page 33 of 113 CONFIDENTIAL

Generally Accepted Practices Page 34 of 113 CONFIDENTIAL

Generally Accepted Practices Page 35 of 113 CONFIDENTIAL

3. Business Impact Analysis

Item # What How

Generally Accepted Practices Page 36 of 113 CONFIDENTIAL

Generally Accepted Practices Page 37 of 113 CONFIDENTIAL

Generally Accepted Practices Page 38 of 113 CONFIDENTIAL

Generally Accepted Practices Page 39 of 113 CONFIDENTIAL

Generally Accepted Practices Page 40 of 113 CONFIDENTIAL

Generally Accepted Practices Page 41 of 113 CONFIDENTIAL

Establish a governance Identify Steering committee roles and Mission Statement

Develop BC Strategy and SUBJECT AREA 4: