Generally Accepted Practices
I. PREFACE ... 3
I. INTRODUCTION ... 4
  A. MISSION STATEMENT ... 4
  B. SCOPE ... 4
II. PROFESSIONAL PRACTICES ... 5
  A. BACKGROUND ... 5
  B. DETAIL ... 6
    1. Project Initiation and Management ... 8
    2. Risk Evaluation and Control ... 15
    3. Business Impact Analysis ... 36
    4. Developing Business Continuity Strategies ... 42
    5. Emergency Response and Operations ... 48
    6. Developing Business Continuity Plans ... 53
    7. Training and Awareness ... 78
    8. Maintaining and Exercising Business Continuity Plans ... 82
    9. Public Relations and Crisis Communications ... 85
    10. Coordination with Public Authorities ... 91
VII. APPENDICES ... 112
  A. DEVELOPING BUSINESS CONTINUITY STRATEGIES ... 112
  B. TRAINING AND AWARENESS ... 112
The Generally Accepted Business Continuity Practices subject areas align with the ten DRII
Professional Practices:
The Professional Practices tell you what you need to do and the Generally Accepted BC Practices
will tell you how to do it.
The DRJ has also partnered with the following organizations to assist in the creation of the Generally
Accepted BC Practices:
Please review the document and consider assisting in this effort as it is an opportunity to make an
impact in the Business Continuity industry.
A. Mission Statement
To be recognized as a leading source of “sound” Generally Accepted Practices by providing a
depository of knowledge and recommendations offered by skilled Business Continuity Professionals.
B. Scope
Best Practices will be compiled from submittals by experienced Business Continuity Professionals
from the public and private sectors, as well as user groups and/or related organizations, with regard to
the industry standard Professional Practices. The Best Practice Committee will review the submittals
quarterly for approval. The approved submittals will reside on the Disaster Recovery Journal website
for all practitioners to access and implement within their respective organizations.
The process of developing the matrix consisted of contacting all associations and gaining a better
understanding of what processes they had in place, either via direct input or via web sites.
The DRJ EAB Best Practice effort is not attempting to replace the vertical space; it is trying to
build an abstract of the work that the organizations are doing and then pull the detail together for a
view of the overall. This process is not to re-create the wheel; it is to provide the input for all
professionals to use.
o This is a two-step approach:
  Phase I: Initially address the high level
  Phase II: Initiate a drill-down process to flesh out the details based on industry
Columns: Sub-Topic / # / What / How / Points of Reference

#: 3
What: Gain buy-in and commitment for meeting goals.
How:
- Guide leadership (sponsors) in defining objectives, policies and critical success factors.
- Communicate the purpose and goals with stakeholders and receive initial approval.
- Identify and communicate project risks.
Points of Reference: Project proposals; Statements of work; Cost benefit analysis docs; Business Case

#: 2
What: Implement Interim Plan
How:
- Ensure the existence of an emergency-only plan and develop one if needed.
- Ensure emergency management awareness across the enterprise.
- Assign representatives from in-scope organizational areas.
Points of Reference: SUBJECT AREA 5: Emergency Response and Operations

#: 3
What: Manage Risk Assessment
How:
- Use project controls to ensure success.
Points of Reference: SUBJECT AREA 2: Risk Evaluation and Control

#: 7
Points of Reference: SUBJECT AREA 9: Crisis Communications; SUBJECT AREA 5: Emergency Response and Operations

#: 4
What: Conduct PM Standards Audit
How:
- Evaluate actual project plans as they compare to original deliverable definitions and estimates.
- Develop recommendations for project improvements to meet critical success factors.
Points of Reference: Project schedule; Project success metrics; Critical success factors; Project health measurements; Standards for project documentation; Project Score Card; PM Standards Compliance Audit Guide
#: 3
What: Select appropriate methodology, tool(s), and external expertise needed for organization-wide implementation.
How:
• Identify target population for data collection.
• Identify any specific requirements, e.g. regulatory, financial, etc.
Points of Reference:
• Internal legal counsel
• Internal / external audit

#: 2
What: Ensure that service level agreements are documented and considered, in terms of interdependencies (e.g. clients, vendors, key business units).
How:
• Identify relationships to other processes, business units, etc.
• Determine the level of criticality for each interdependent relationship.
• Verify the presence or absence of service level agreements for each relationship.
• Determine if the service level agreements are adequate to meet the time requirements for the business process.
• Determine if there are contract provisions affecting the conduct of the business process.
Points of Reference:
• Service Level Agreements
• Customers of business process
• Technical Staff
• Contracting Office

#: 4
What: Discuss with executives and ensure that they document accepted risks.
How:
• Document the risk to the business process and the cost/time to remediate.
• Review each documented risk and determine if it will be addressed or accepted.
• If action is to be taken, develop a corrective action plan.
• If no action is to be taken, document the decision by
  − Email
  − Signature
Points of Reference:
• Business Process Owners
• Technical Staff
• Operating/processing staff
• Executive management
Sub-Topic: Pre-Planning
#: 1
What: Identify all critical business processes and/or systems, RTO, RPO, dependencies (vendors, internal/external suppliers) and financial impact for prolonged outages.
How: Utilize the information in the BIA.

Sub-Topic: Pre-Planning
#: 2
What: Continuity Planners and Business Managers need to understand the potential impact of all relevant laws, industry regulations and government codes.
How:
• Determine responsibility for maintaining current knowledge of laws, regulations, etc. within the various organizational functions within the company, such as Fire Safety, Risk Management, Legal (General Counsel), Audit, etc.
• Establish a structure for cross-pollination of information with the various organizational functions.

Sub-Topic: Pre-Planning
#: 3
What: Continuity Planners and Business Managers must ensure that they are aware of the kinds of audits to which they might be required to submit.
How:
• Determine who has responsibility for Audit and Information Technology/Security within the organization.
• Understand from these departments the types of audits that they/the organization are subject to.
• Build bridges with these departments to maintain currency of information.

Sub-Topic: Planning & Development
#: 2
What: Ensure that a strategy exists for protecting vital records, including electronic and paper.
How:
• Identify Vital Records throughout the organization.
• Understand retention periods for vital records, including electronic and paper.
• Determine appropriate backup and/or storage for vital records.
• Ensure that senior management accepts the program for vital records retention.
• Develop system and data backup strategies that will meet the RPO from the BIA requirements for each critical system identified.

Sub-Topic: Planning & Development
#: 3
What: Identify the internal and/or external continuity resources and solutions that meet the business requirements.
How:
• Review internal resources (i.e. multiple locations with like business functions & technology).
• Search out external business resources using processes such as RFI, Queries, Professional Organizations, etc.

Sub-Topic: Planning & Development (Cont’d)
#: 4
What: Identify and understand the spectrum of all available recovery alternatives for each critical business function.
How: Review the following types of recovery alternatives and be prepared to make recommendations:
• Alternative site or business facility
• Cold Site
• Drop Ship/Quick Ship agreements
• Hot-Site third party service providers
• Manual Procedures
• Mitigation
• Mobile Trailer
• Reciprocal agreements
• Warm Site
• Work from Home
Note: List may not be all inclusive.
Points of Reference:
• Appendix 4.4 - Planning & Development Recovery Alternative Definitions
• Appendix 4.4 - Planning & Development Recovery Alternate Strategy Matrix
Points of Reference:
• HB 221:2004, Standards Australia/Standards New Zealand. Business Continuity Management. Introduction and Chapter 2.1 (Developing the BCM Program, Step 1: Commencement)

#: 7
What: Define project scope, schedule and reporting points and obtain management approval.
How:
• Refer to assumptions and exclusions above.
• Develop a succinct PowerPoint project outline presentation for management to review, discuss and approve.
• Ensure that all supporting components of critical processes are included in the Plan, including but not limited to IT, business processes, workplace, staff, suppliers, etc.
Points of Reference:
• HB 221:2004, Standards Australia/Standards New Zealand, Business Continuity Management. Template 11, The BCM Checklist.

#: 4
What: Identify mission critical processes and any other processes that support the mission critical ones and may have potential impacts on them.
How:
• Write an executive summary covering the mission critical processes and their dependencies on other processes, internal or external.
• Review/confirm with management.
• Document process flow for use in Plan validation recommendations.

#: 10
What: Identify key customers for whom notification will be required at time of disaster or for whom a business work-around will be essential. Include required escalation procedures and parameters.
How:
• Review/confirm list of key customers with management.
• Document your key customer interfaces.
• Keep list to use later.

Points of Reference:
• HB 221:2004, Standards Australia/Standards New Zealand, Business Continuity Management. Section 2.1, Step 8, Training, Maintaining and Testing Plans; and Template 10: Training and Testing Development Worksheet.
#: 10
What: Identify Other Opportunities for Education
How:
• Attend yearly Business Continuity Conferences and local Business Continuity group meetings to network with other professionals and learn what other companies are doing in their BC/DR Programs.
• Enroll in Business Continuity/Disaster Recovery college courses.
Points of Reference: Refer to Appendix listing all Business Continuity groups in the US.
Sub-Topic: Preparedness
#: 1
What: Determine who your local and regional public authorities are and their potential impact on your plans, including, but not limited to, emergency management, fire, police, public utilities and elected officials.
How:
- Determine who is responsible for liaison with each area of expertise.
- Meet regularly with each authority internally and/or externally.
- Participate in joint activities.
- Support authority initiatives, especially those affecting your business and area.
- Communicate regularly with internal staff who are members of or volunteers for public authorities.
Points of Reference (Examples of groups and individuals to know):
- Local emergency management offices (city, county, region, etc.)
- Elected & appointed officials including, but not limited to, mayor, county judge, council members, etc.
- Fire chief, police chief, Emergency Medical Services (EMS) head, public (or service provider) utility head and designated interface, etc.
Sub-Topic: Preparedness
#: 2
What: Understand potential impact of laws, regulations, codes, zoning, standards or practices concerning emergency procedures specific to your location and industry.
How:
- Determine responsibility for maintaining current knowledge of laws, regulations, etc., to include assignments for public meeting attendance, press release and other release reading, and meeting with public officials.
- Hold regular meetings to discuss changes for or impact to current response, emergency and recovery procedures.
- Participate in local emergency planning committee meetings.
- Partner with other organizations with interest in similar or the same laws, regulations, zoning, etc. for information sharing and “encouragement” support.
- Leverage your internal legal department.
- Assign lobbying responsibility to “encourage” laws, regulations, zoning, etc.
Points of Reference (Examples of when this knowledge may be important):
- Hazardous material response, movement and receipt may require specific notification and coordination.
- Understanding OCEA regulations.
- Heavy or “large” equipment or object moves may require permits and coordination.
- Radio frequency may be regulated.
- Response supply access may be limited (local & vendor site).
- Expected resources may not be available if preempted by higher authorities.
Points of Reference (Examples of organizations):
- EHMA-East Harris County Manufacturers Association
- LEPC-Local Emergency Planning Committee
- Industry associations
- Area support groups
  o Building & “block” associations
- Neighborhood Associations
What: … Continuity Management processes.
How:
- Validate information on a regular basis (quarterly recommended).
- Incorporate information in internal disaster scenarios and procedure validation exercises.
Points of Reference (Examples):
- … Service) email service
- Website “Alert” pages
- Court (legal system) notifications through business journals, website, etc.
- http://www.tropicalstormrisk.com/
- http://www.noaa.gov/
- http://neic.usgs.gov/neis/bulletin/
- http://www.nws.noaa.gov/
- http://www.nhc.noaa.gov/
- http://www.prh.noaa.gov/ptwc/
- http://www.emsc-csem.org/Html/ALERT_email.html
- Local Metro traffic cameras (Houston): http://www.houstontranstar.org/
Sub-Topic: Preparedness
#: 7
What: Ensure information that may be required immediately by public authorities during an incident is readily available.
How:
- Assign an internal liaison responsibility for each area of expertise.
- Include in the planning a liaison to work with the local officials on site at the time of an incident. Ensure they understand the role and the information that would be required of them.
- Provide regular information and resource tours for public authorities and internal liaisons to ensure appropriate information sharing.
Points of Reference (Examples of information required):
- Electrical and telecomm sources
- Floor plans
- Hazardous Waste Storage facilities (i.e. PCBs)
- Chemical storage & supplies
- Laboratories
- Organization’s site layout information
- Secure areas
Sub-Topic: Preparedness
#: 9
What: Obtain and review your facility(s) and regional access issues.
How:
- Assign an internal liaison responsibility for each area of expertise.
- Include information gathered in internal procedures.
- Validate information on a regular basis.
- Include information gathered in internal procedure validation exercises.
- Obtain maps and identify alternate routes.
Points of Reference (Examples of access issues):
- “All clear” parameters
- Evacuation and return routes
- Official escape and return routes of personal and commercial roadways, waterways and airways
- CERT-Citizen Emergency Response Team
- Sea ports
- EOC Centers - Emergency (or Joint) Operation Centers
- Evacuation support centers
- Fire facilities
- Hospitals
- Key vendors
- LEPC-Local Emergency Planning Committee resources
- Television & Radio stations
- National Guard
- Police
- Red Cross
- Supply warehouses
- United Way
- Salvation Army
- Baptist Men
- Ham radio
- Equipment (trucks, backhoes, ships, etc.)
- Organizational contacts
- Locations
- Skills and Training parameters
- Shelter capability
- Ability to provide food to emergency workers/community
Sub-Topic: Preparedness
#: 11
What: Acquire public authority reports of area vulnerabilities and risks and include complementary and appropriate mitigation and response procedures in your organization’s Business Continuity Plan and risk assessment process.
How:
- Assign an internal liaison responsibility for each area of expertise.
- Maintain current public and internal studies and assessments and include in future updates of your plan.
- Include applicable information in the risk assessment, BCP development, internal change control process and validation processes.
- Partner with local authorities on assessments.
- Contact local authorities to obtain information.
Points of Reference (Examples of studies, assessments, etc.):
- Flood plain maps
- Risk assessments
- Monitoring systems
- Road extensions
- Bridge capacities
- Land use studies
- Debris Management
Points of Reference (Examples of where to obtain information):
- Department of Transportation (DOT)
- Environmental Protection Agency (EPA)
- Regional Councils (HGAC - Houston Galveston Area Council)
Sub-Topic: Preparedness
#: 13
What: Document local and regional supporting infrastructure resources.
How:
- Assign an internal liaison responsibility for each area of expertise.
- Include information gathered in internal procedures and documentation.
- Validate information on a regular basis.
- Include information gathered in disaster validation scenarios.
- Include information gathered in internal risk assessment and mitigation processes.
- Visit each location on a regular basis and include in internal operational and response, emergency and recovery procedures.
Points of Reference (Infrastructure examples):
- Roadmaps
- Contour maps
- Pipelines
- Waterlines
- Power plants and grids
- Communication lines & hubs
- Railroads
- Bridges
- Water and fuel supplies
Sub-Topic: Preparedness
#: 14
What: Obtain a copy of and review the Emergency Operations Procedures of the Local Authorities.
How:
- Assign an internal liaison responsibility.
- Require appropriate review and analysis against internal procedures, documentation and validation exercises.
Note: Information sources are staff who are members of these groups and direct from the public authority & volunteer groups.
Points of Reference (Public authority policy & procedure manuals):
- Fire
- Police
- Transportation department
- HAZMAT
Sub-Topic: Preparedness
#: 15
What: Participate in local Emergency Management, Business Continuity and other organizations that support your industry.
How:
- Assign the responsibility of coordination of an appropriate interface to executive management.
- Include responsibility to internal Public Relations (PR) and/or Public Information Officer (PIO).
- Work with Legal Dept. to ensure liability issues are addressed.
Points of Reference (Types of organizations):
- CERT-Citizen Emergency Response Team
- Sea ports support
- EOC Centers - Emergency (or Joint) Operation Centers
- Fire departments
- Hospitals
- LEPC-Local Emergency Planning Committee resources
- National Guard
- Police
- Red Cross Disaster services
- United Way
- Salvation Army
- Baptist Men
Sub-Topic: Preparedness
#: 16
What: Utilize an accepted standard of incident command format that interfaces with local/regional/etc. authorities and their implementation.
How:
- Train and validate training for ICS.
- Use the ICS format in all response, emergency and recovery procedures as well as operational procedures where applicable.
- Hold regular meetings with and participate in or observe public authority ICS implementations and activities.
- Review information gathered for possible changes to internal procedures.
Points of Reference:
- National Incident Management System (NIMS)
- Incident Command System (ICS) forms
Sub-Topic: Response & Recovery
#: 2
What: Document the actual events, including all incoming information and recommendations and comments by participants, clients and observers, to facilitate post-event analysis.
How:
- Assign event documentation responsibility.
- Maintain effective documentation forms and process.
- Include gathered documentation in the internal response, emergency and recovery procedures and operational procedures.
Points of Reference:
- ICS (Incident Command System) forms
- Process flow charts (RTO, RPO, etc.)
- Communication interface forms
- Staffing forms
- Contact and contacted lists
- Procedure changes & issues occurring
COMPANY Corporation Page 113 of 113 CONFIDENTIAL
08/20/07