
Generally Accepted Practices

For

Business Continuity Practitioners


Drafted by:

Disaster Recovery Journal


And
DRI International

Generally Accepted Practices
I. PREFACE ...................................................................................................................................................... 3

I. INTRODUCTION ......................................................................................................................................... 4
A. MISSION STATEMENT .................................................................................................................................. 4
B. SCOPE .......................................................................................................................................................... 4
II. PROFESSIONAL PRACTICES................................................................................................................. 5
A. BACKGROUND ............................................................................................................................................. 5
B. DETAIL ........................................................................................................................................................ 6
1. Project Initiation and Management......................................................................................................... 8
2. Risk Evaluation and Control ................................................................................................................. 15
3. Business Impact Analysis ...................................................................................................................... 36
4. Developing Business Continuity Strategies ........................................................................................... 42
5. Emergency Response and Operations ................................................................................................ 48
6. Developing Business Continuity Plans............................................................................................... 53
7. Training and Awareness..................................................................................................................... 78
8. Maintaining and Exercising Business Continuity Plans..................................................................... 82
9. Public Relations and Crisis Communications .................................................................................... 85
10. Coordination with Public Authorities............................................................................................. 91
VII. APPENDICES .................................................................................................................................... 112
A. DEVELOPING BUSINESS CONTINUITY STRATEGIES ............................................................................ 112
B. TRAINING AND AWARENESS ................................................................................................................. 112

Generally Accepted Practices Page 2 of 113


CONFIDENTIAL
08/20/07
I. Preface
The Business Continuity focus will become a standard discipline and established profession when
Business Continuity professionals put their minds together to create Generally Accepted Business
Continuity Practices.
The DRJ Editorial Advisory Board Generally Accepted BC Practices Committee in concert with DRI
International is continuing its effort to create universally accepted Business Continuity Practice
guidelines.

The Generally Accepted Business Continuity Practices subject areas align with the ten DRII
Professional Practices:

1. Project Initiation and Management


2. Risk Evaluation and Control
3. Business Impact Analysis
4. Developing Business Continuity Strategies
5. Emergency Response and Operations
6. Developing and Implementing Business Continuity Plans
7. Awareness and Training Programs
8. Maintaining and Exercising Business Continuity Plans
9. Public Relations and Crisis Coordination
10. Coordination with Public Authorities

The Professional Practices tell you what you need to do and the Generally Accepted BC Practices
will tell you how to do it.

The DRJ has also partnered with the following organizations to assist in the creation of the Generally
Accepted BC Practices:

• Association of Records Management Administration (ARMA)


• DRI International (DRII)
• Financial Services Technology Consortium (FSTC)
• Standards Australia/Standards New Zealand
• National Fire Protection Association (NFPA)

Please review the document and consider assisting in this effort as it is an opportunity to make an
impact in the Business Continuity industry.

I. Introduction

A. Mission Statement
To be recognized as a leading source of sound Generally Accepted Practices by providing a
repository of knowledge and recommendations offered by skilled Business Continuity Professionals.

B. Scope
Best Practices will be compiled from submittals by experienced Business Continuity Professionals
from the public and private sectors, as well as user groups and/or related organizations, in regards to
the industry standard Professional Practices. The Best Practice Committee will review the submittals
quarterly for approval. The approved submittals will reside on the Disaster Recovery Journal website
for all practitioners to access and implement within their respective organizations.

The process of developing the matrix consisted of contacting all associations and learning what
processes they had in place, either through direct input or through their web sites.

The DRJ EAB Best Practice effort is not attempting to replace the work done in each vertical; it is
building an abstract of the work the organizations are doing and then pulling the detail together
into an overall view. The process is not meant to re-create the wheel but to provide input that all
professionals can use.
• This is a two-step approach:
  - Phase I: Initially address the high level
  - Phase II: Initiate a drill-down process to flesh out the details by industry

II. Professional Practices
A. Background
In order to set the precedent, the definition of DRII/BCI Professional Practices will be noted prior to
each Generally Accepted Practice.
The Professional Practices in whole will not be identified within this document however, the link
below can be reviewed for full detail on these joint Practices:
http://www.drii.org/DRII/ProfessionalPractices/Introduction.aspx
This information will allow for the practitioner to identify the background or the “what” (Professional
Practice) to be associated with the “how” (Generally Accepted Practice).

B. Detail

1. Project Initiation and Management
DRII PROFESSIONAL PRACTICE:
Establish the need for a Business Continuity Plan (BCP), including obtaining management support and organizing and managing the BCP
project to completion. (This includes defining the problem; communicating the need for a BCP; developing budget requirements; identifying
Planning Team(s) and Action Plans; and developing project management and documentation requirements.)
Sub-Topic: Initiate

1. Define the need for Business Continuity.
   How:
   • Research and compile facts showing possible risks to the enterprise.
   Points of Reference:
   • Past audit comments
   • Regulatory and legal environment
   • Past disasters
   • Best practices publications (white papers, banking circulars, etc.)
   • Relevant regulatory and industry trade bodies
   • Consulting recommendations

2. Identify the purpose and goals for the BC initiative.
   How:
   • Determine the BC focus by building a business case to identify readiness requirements
   • Define high-level roles and responsibilities across the business units impacted by the BC initiative
   • Obtain a high-level understanding of the corporate environment, including products and services
   • If available, review existing BC materials to leverage previous work
   Points of Reference:
   • Best practices publications (such as those used within Information Security and/or Project Management best practices)
   • Cost Benefit Analysis document (including the actual cost of past outages as well as the impact of brand damage and other concerns discovered in defining the need)
   • Organization charts
   • Mission statements
   • Key documents such as evacuation procedures, medical emergency, crisis management and Y2K documents

3. Gain buy-in and commitment for meeting goals.
   How:
   • Guide leadership (sponsors) in defining objectives, policies and critical success factors
   • Communicate the purpose and goals to stakeholders and receive initial approval
   • Identify and communicate project risks
   Points of Reference:
   • Project proposals
   • Statements of work
   • Cost benefit analysis documents
   • Business case

4. Establish a governance structure.
   How:
   • Identify steering committee roles and responsibilities
   • Develop supporting documentation required for the initiative
   • Receive funding and approval to move forward
   • Establish / review BC policy
   • Identify the need for BC standards and definition of terminology
   • Set decision-making protocol and issue escalation policies relative to continuity issues
   • Gain agreement on overall timescales
   Points of Reference:
   • Mission statement
   • Critical success factor document
   • Conflicting priorities
   • Portfolio / program management standards

5. Provide awareness.
   How:
   • Establish a project communications plan
   Points of Reference:
   • BC website
   • Debriefings
   • Brownbag lunches

Sub-Topic: Plan

1. Establish a steering committee.
   How:
   • Identify and engage a team of affected managers to oversee project progress and to resolve issues
   • Establish project milestone review and approval protocol
   • Establish the framework required to measure project success
   Points of Reference:
   • Project status report template
   • Project issues and risk logs
   • Project schedules
   • Project plan template

2. Refine the project plan.
   How:
   • Adjust project documentation to reflect final decisions and approvals
   • Define project deliverables and related activities
   • List tasks and estimate effort and duration
   • Assign project team members to tasks
   • Set milestones
   • Document project scope control
   • Document project risks
   • Develop project risk mitigation
   Points of Reference:
   • Work breakdown structure document
   • Project proposals
   • Statements of work
   • Cost benefit analyses
   • High-level project plan
   • Work plans
   • Scope control processes
   • Change control procedures

3. Determine project cost tracking.
   How:
   • Establish methods to track project assets, expenses and acquisitions
   • Establish resource tracking and reporting procedures
   Points of Reference:
   • Budget reports, inventory logs
   • Time sheets

4. Determine the project environment.
   How:
   • Determine the need for additions or changes to tools and supplies, such as acquiring or upgrading planning software
   • Establish documentation storage and access procedures
   Points of Reference:
   • Version control procedures
   • Security environment
   • Confidentiality policies
   • Change control procedures
   • Documentation management
   • Information handling standards

5. Determine training requirements.
   How:
   • Schedule training on the use of new software (as required)
   • Provide BC training and guidelines
   Points of Reference:
   • Personnel skills inventory
   • Documentation standards
   • Plan templates

6. Develop project success metrics.
   How:
   • Refine the critical success factors
   • Develop and implement measurements
   Points of Reference:
   • Critical success factors
   • Project health measurements
   • Checklist for project documentation
   • Project score card
   • PM standards compliance audit guide

7. Develop the awareness program.
   How:
   • Establish and validate components and delivery methods
   Points of Reference:
   • SUBJECT AREA 7: Awareness and Training Programs

Sub-Topic: Execute

1. Conduct a project kick-off.
   How:
   • Facilitate a meeting with the team members to communicate the project mission and plan
   • Review assignments, work schedules and milestones
   • Set guidelines for rules of operation and progress review
   Points of Reference:
   • Status reports
   • Issues and risk logs
   • Escalation procedures
   • Documentation standards and guidelines
   • Information handling standards
   • Change control procedures
   • Documentation management

2. Implement an interim plan.
   How:
   • Ensure the existence of an emergency-only plan and develop one if needed
   • Ensure emergency management awareness across the enterprise
   • Assign representatives from in-scope organizational areas
   Points of Reference:
   • SUBJECT AREA 5: Emergency Response and Operations

3. Manage the risk assessment.
   How:
   • Use project controls to ensure success
   Points of Reference:
   • SUBJECT AREA 2: Risk Evaluation and Control

4. Conduct a risk awareness campaign.
   How:
   • Work with the governance body to implement policy changes
   • Educate personnel on the purpose and importance of updated preventative measures
   • Assign representatives from in-scope organizational areas
   Points of Reference:
   • SUBJECT AREA 7: Awareness and Training Programs

5. Manage the Business Impact Analysis.
   How:
   • Use project controls to ensure success
   Points of Reference:
   • SUBJECT AREA 3: Business Impact Analysis

6. Develop BC strategy and standards.
   How:
   • Assign representatives from in-scope organizational areas
   • Use project controls to ensure success
   Points of Reference:
   • SUBJECT AREA 4: Developing Business Continuity Management Strategies

7. Implement BC solutions.
   How:
   • Assign representatives from in-scope organizational areas
   • Use project controls to ensure success
   Points of Reference:
   • SUBJECT AREA 6: Developing and Implementing Business Continuity and Crisis Management Plans
   • SUBJECT AREA 9: Crisis Communications
   • SUBJECT AREA 10: Coordination with External Agencies
   • SUBJECT AREA 5: Emergency Response and Operations

8. Develop and execute a BC awareness program.
   How:
   • Assign representatives from in-scope organizational areas
   • Use project controls to ensure success
   Points of Reference:
   • SUBJECT AREA 7: Awareness and Training Programs

Sub-Topic: Control

1. Manage project scope.
   How:
   • Document additional BC risks and needs not included in the original purpose and goals
   • Manage changes to areas of focus
   • Escalate project scope concerns to the steering committee
   Points of Reference:
   • Change control procedures
   • Project mission, success factors and other planning materials

2. Manage project risks.
   How:
   • Identify and track risks to the successful completion of the project
   • Develop resolutions to risks by adjusting project plans and assignments
   • Manage project issues
   • Escalate project risk concerns to the steering committee
   Points of Reference:
   • Risk logs
   • Budget reports
   • Project mission, success factors and other planning materials
   • Issue logs

3. Manage deliverable quality.
   How:
   • Ensure documentation standards and guidelines are followed
   • Manage acceptance of deliverables
   Points of Reference:
   • Documentation standards and guidelines
   • Acceptance and sign-off

4. Conduct a PM standards audit.
   How:
   • Evaluate actual project plans as they compare to original deliverable definitions and estimates
   • Develop recommendations for project improvements to meet critical success factors
   Points of Reference:
   • Project schedule
   • Project success metrics
   • Critical success factors
   • Project health measurements
   • Standards for project documentation
   • Project score card
   • PM standards compliance audit guide

5. Measure progress.
   How:
   • Evaluate actual project plans as they compare to original deliverable definitions and estimates
   • Develop recommendations for project improvements
   • Document and communicate progress
   Points of Reference:
   • Project metrics
   • Project score card
   • Status reports

Sub-Topic: Close

1. Evaluate project manager performance.
   How:
   • Conduct a PM standards audit
   Points of Reference:
   • Project schedule
   • Project success metrics
   • Critical success factors
   • Project health measurements
   • Standards for project documentation
   • Project score card
   • PM standards compliance audit guide

2. Conduct project lessons learned.
   How:
   • Collect steering committee feedback
   • Facilitate a project team session
   • Recommend improvements to the project management methodology
   Points of Reference:
   • Issues logs
   • Project schedules
   • Project metrics, score cards and status reports

3. Close the project.
   How:
   • Archive project deliverables
   • Announce project success

2. Risk Evaluation and Control
DRII PROFESSIONAL PRACTICE:
Determine the events and environmental surroundings that can adversely affect an organization, the damage that such events can cause, and the
controls needed to prevent or minimize the effects of potential loss. (This includes understanding loss potentials; determining the organization’s
vulnerability to loss potentials; identifying controls and safeguards to prevent or minimize the effect of the loss potential; and evaluating the
effectiveness of controls and safeguards.)

Sub-Topic: Identify Potential Risks to the Organization / Loss Potentials

1. Identify exposures from both internal and external sources, which may include:
   • Natural, man-made, technological, or political
   • Accidental vs. intentional
   • Internal vs. external
   • Controllable risks vs. those beyond the organization’s control
   • Events with prior warnings vs. those with no prior warnings
   How:
   • Research past disasters in the geographical area
   • Research past disasters in the industry
   • Research past disasters in related industries
   • Research past disasters internally within the organization
   • Utilize Business Impact Analysis (BIA) discussion / development for internal functions
   • Identify interdependencies with other organizations, systems, etc.
   • Research past disasters within your interdependent organizations (geographical, industry, related industries, and internal)
   • Prepare an analysis grid showing the threats, risks and controllable factors (internal/external, accidental/intentional, with/without warning, controllable/uncontrollable)
   Points of Reference:
   • Federal Emergency Management Agency (FEMA) website
   • State Emergency Management Organization websites
   • Local police and fire departments
   • Business Continuity publications
   • Newspapers
   • Internal company records
   • Internal interview sessions (leading to BIA development)
   • Third-party disclosures (leading to BIA development)
   • Analysis grid example (to be developed)

2. Determine the probability of the above events.
   How:
   • Validate the credibility of information sources
   • Determine impacts to the organization
   • Research available historical probability factors
   • Analyze historical probability against the degree of environmental change (e.g. the increased threat of terrorism today may require adjustment to historical probability)
   • Analyze mitigating controls in place
   • Determine additional controls that could be implemented
   • Analyze the probability that each identified threat could occur
   • Analyze the probability of impact occurring as a result of each of the identified threats
   • Analyze the effectiveness of current and potential mitigating controls
   Points of Reference:
   • Federal Emergency Management Agency (FEMA) website
   • State Emergency Management Organizations
   • Local police and fire departments
   • Business Continuity publications
   • Newspapers
   • Internal company records
   • Internal interview sessions (leading to BIA development)
   • Third-party disclosures (leading to BIA development)

3. Develop methods of information gathering.
   How:
   • Partner with internal auditor(s) to learn of existing risks
   • Partner with the local emergency management agency for the historical impact to business addresses
   • Network with local Business Continuity planners
   • Research the FEMA website for declared disasters in the area
   • Research the “neighbors” in the general vicinity (the business may be indirectly impacted by potential chemical hazards, political targets, etc.)
   • Map the nearest “transportation highways” to the business location (e.g. auto, train, flight paths)
   • Identify single points of failure (e.g. gas, water, electricity, fiber cable, critical vendors)
   • Subscribe to Business Continuity publications
   • Sign up for FEMA and State Emergency Management newsletters
   • Arrange for visiting speakers from local organizations
   • Attend Business Continuity seminars
   Points of Reference:
   • FEMA website / newsletters
   • State Emergency Management website / newsletters
   • Networking meetings
   • Seminars / presentations
   • Local Business Continuity organizations
   • Business Continuity publications
   • Local police / fire department / utility companies
   • Highway departments

4. Develop a method to evaluate probability vs. severity.
   How: Assess and incorporate the following elements into a method customized for the organization involved:
   • Determine the current loss potential of a single occurrence of each identified risk
   • Determine the frequency factor (number of times per year) for each risk
   • Multiply the single-occurrence loss potential by the frequency factor to determine annual loss exposure (ALE); do not start from an already-annualized loss figure, or the year is counted twice
   • Determine the likelihood of simultaneous risks occurring
   • Determine the total simultaneous loss exposure
   • Determine the effectiveness of mitigating controls in reducing or eliminating risk (recalculate ALE as if all controls were in place)
   • Determine the costs of mitigating controls
   • Determine recovery requirements
   • Determine expected recovery time using actual test experience (preferred), industry experience, or expert estimation
   • Adjust ALE to show the loss over the expected recovery time with and without the suggested controls in place
   Points of Reference:
   • Probability formula from DRII training materials
   • Internal cost/benefit guidelines and practices
   • Actual cost figures
   • Subject Matter Expert (SME) estimations
   • ISO 17799 standards methodology
   • Auditor organization standards and processes
   • Federal guidance (e.g. FFIEC)

5. Establish ongoing support for the evaluation process.
   How:
   • Prepare a cost/benefit statement
   • Prepare a qualitative loss statement, e.g. potential for loss of life
   • Prepare an executive presentation summarizing analysis results and source information
   • Demonstrate the validity of presented information with test results, industry experience, etc.
   • Obtain upper management championship of the effort
   Points of Reference:
   • Internal cost/benefit guidelines and practices
   • Internal presentation guidelines and practices
   • Subject Matter Expert (SME) estimations and support
   • Certification as a Business Continuity Planner
   • Knowledge of industry standards / best practices

6. Identify relevant regulatory and/or legislative issues.
   How:
   • Consult the Legal department and/or outside counsel
   • Consult internal Compliance officers
   • Consult internal business area management
   • Research federal rules and regulations for the industry
   • Research state rules and regulations for the industry
   Points of Reference:
   • Internal / external legal counsel
   • Internal Compliance officers
   • Federal and state websites

Sub-Topic: Determine the Organization’s Specific Exposures to Loss Potentials

1. Establish a process to assess identified loss potential.
   How: Develop a method to estimate loss potential that considers:
   • Value of assets
   • Value of labor and opportunity costs
   • Frequency and duration estimates for each threat category
   • Mitigation effects of existing safeguards
   Review exposure information.
   Points of Reference:
   • Internal Accounting / Finance department
   • Internal Risk Management department
   • Insurance contacts / information
   • Local / county emergency management
   • FEMA
   • Local police / fire, Homeland Security

2. Categorize exposures:
   • Primary exposures the organization may face (e.g. hurricane)
   • Secondary / collateral events that could materialize because of such exposures (e.g. wind damage, roof collapse)
   How: Create an exposure categorization table with two sections, primary exposures and secondary / collateral events, that lists:
   • Exposure name and/or cause
   • Loss potential – single occurrence
   • Loss potential – annual exposure
   Points of Reference:
   • Internal Accounting / Finance department
   • Internal Risk Management department
   • Insurance contacts / information

3. Rank exposures.
   How: Prioritize the exposure categorization table by ranking and sorting by:
   • Exposures most likely to occur
   • Exposures with the greatest impact (worst case)
   Points of Reference:
   • Internal Accounting / Finance department
   • Internal Risk Management department
   • Insurance contacts / information

Sub-Topic: Identify Controls and Safeguards to Prevent and/or Mitigate the Effect of the Loss Potential

1. Environmental controls.
   How: Identify:
   • Physical access (buildings, rooms, grounds)
   • Geographic location (incidents)
   • Utilities
   Points of Reference:
   • FFIEC guidelines – Federal Financial Institutions Examination Council
   • Auditor organizations (Auditnet.org)
   • Internal Audit
   • National Institute of Standards and Technology
   • Risk management organizations

2. Technical controls.
   How: Identify:
   • Data security
   • Network security
   • Quality assurance (ongoing controls)
   • Data and media administration
   • Assets (physical inventory)
   Points of Reference:
   • Information Systems Audit and Control Association
   • National Institute of Standards and Technology
   • Auditor organizations (Auditnet.org)
   • Internal Audit

3. Operational controls.
   How: Identify:
   • Strategic business objectives
   • Policies
   • Procedures
   • Administration
   • Legal / regulatory requirements
   • Key personnel (personnel roles)
   • Supply chain (vendors)
   • Federal authorities
   • State authorities
   • Local authorities
   • Industry standards (audit methods)
   Points of Reference:
   • FFIEC guidelines – Federal Financial Institutions Examination Council
   • Auditor organizations (Auditnet.org)
   • Internal Audit
   • Risk management organizations
   • National Institute of Standards and Technology

4. Reputation controls.
   How: Identify:
   • Media sources
   • Internal communications
   • External communications
   Points of Reference:
   • DisasterCenter.com
   • Risk management organizations
   • Internal Audit
   • Internal PR / HR departments

5. Effectiveness.
   How: Identify the impacts of recommended mitigation options:
   - Testing options
   - Risk assumption
   - Risk avoidance
   - Risk limitation
   - Risk transference
   Points of Reference:
   • National Institute of Standards and Technology
   • Internal Audit

Sub-Topic: Identify, Evaluate, Select, and Use Appropriate Risk Analysis Methodologies and Tools, and Expertise Needed

1. Identify alternative risk analysis methodologies, tools, and sources of internal and external expertise.
   How:
   Type of measurement:
   • Qualitative methodologies / tools
   • Quantitative methodologies / tools
   Type of process:
   • Manual process
   • Interview
     - In person
     - Videoconference
     - Teleconference
     - Email
   • Identify existing data / analysis
   • Automated process
   • Combination of manual and automated
   Points of Reference:
   • NIST SP 800-30 Risk Management Guide for Information Technology Systems
   • FISCAM, pp. 16, 17, 18
   • ISO 17799 – Assessing Security Risks, p. IX
   • www/better,management.com/riskanalysis
   • RiskWatch
   • RiskPac

2. Evaluate alternative risk analysis methodologies, tools, and sources of internal and external expertise.
   How: Evaluate the advantages and disadvantages of the options:
   • Reliability / confidence factor
   • Basis of the mathematical formulas used
   Points of Reference:
   • Product / service references
   • Industry publications
   • External expertise / actuarial guidance

3. Select the appropriate methodology, tool(s), and external expertise needed for organization-wide implementation.
   How:
   • Identify the target population for data collection
   • Identify any specific requirements, e.g. regulatory, financial, etc.
   Points of Reference:
   • Internal legal counsel
   • Internal / external audit

4. Use the appropriate methodology, tool(s), and outside expertise to develop the risk analysis.
   How: Conduct analysis of the data collected, based on the methodology chosen.
   Points of Reference:
   • Utilize and enhance the risk assessment performed in prior steps (see above)

Sub-Topic: Identify and Implement Information-Gathering Activities

1. Develop a strategy consistent with business issues and organizational policy.

2. Develop a strategy that can be managed across business divisions and organizational locations.

3. Develop a risk assessment form; create organization-wide methods of information collection and distribution.
   How:
   • Forms and questionnaires
   • Interviews
   • Meetings
   • Documentation review
   • Analysis

4. Conduct a formal risk assessment.
   How:
   • Forms and questionnaires
   • Interviews
   • Meetings
   • Documentation review
   • Analysis

Sub-Topic: Evaluate the Effectiveness of Controls and Safeguards

1. Develop a communications flow with other internal departments / divisions and external service providers.

2. Establish business continuity service level agreements for both supplier and customer organizations and groups, within and external to the organization.

3. Develop preventive and pre-planning options.
   How:
   • Cost / benefit
   • Implementation priorities, procedures, and control
   • Testing
   • Audit functions and responsibilities

4. Understand the options for risk management and select the appropriate or cost-effective response.
   How:
   • Risk avoidance
   • Risk transfer
   • Acceptance of risk

Sub-Topic: Identify and Evaluate Risks, Controls, and Mitigation Alternatives

1. Establish disaster scenarios based on the risks to which the organization is exposed.
   How: Develop disaster scenarios based on the following criteria:
   • Severe in magnitude
   • Occurring at the worst possible time
   • Resulting in severe impairment of the organization’s ability to conduct business

2. Evaluate risks.
   How: Classify risks according to relevant criteria, including:
   • Risks under the organization’s control
   • Risks beyond the organization’s control
   • Exposures with prior warning (e.g. tornadoes, hurricanes)
   • Exposures with no prior warning (e.g. earthquakes, terrorist attacks)

3. Evaluate the impact of risks and exposures on those factors essential for conducting business operations.
   How:
   • Availability of personnel
   • Availability of information technology
   • Availability of communications technology
   • Status of infrastructure (transportation, etc.)

4. Evaluate controls and recommend changes, if necessary, to reduce the impact of risks and exposures.
   How:
   • Preventive controls that inhibit the impact of exposures (e.g. passwords, smoke detectors, and firewalls)
   • Reactive controls that compensate for the impact of exposures (e.g. hot sites)
   • Incorporate business continuity / disaster recovery procedures in all change management requests within the IT / IS environment
   • During plan implementation, use formats such as checklists so that business continuity teams can operate efficiently and effectively (avoid thick procedures that would be viewed as overwhelming during an event and, possibly, discarded when needed most)
   • Partner with internal auditor(s) to highlight the need-to-resolve issues
   • Recommend implementation of an oversight committee to approve and review an ongoing business continuity program

Sub-Topic: Security

1. What: Identify the organization’s possible security exposures
   How: Identify the specific categories of risk which may affect the organization:
   • Physical security of all premises
   • Information security, including computer room and media storage area
   • Communications security, including voice and data communications
   • Network security, including Intranet and Internet
   • Personnel security

2. What: Evaluate existing security controls and procedures

3. What: Develop recommendations for improved security controls and procedures
   How: Partner with the Risk Management Department and internal auditor(s) to conduct on-going security reviews to prevent potential situations from arising

Sub-Topic: Vital Records Management

1. What: Identify vital record needs in the organization, including paper and electronic records
   How:
   • Agree on definition of vital records (e.g. those records required by a business to stay in business)
   • Review the organization’s Records Retention Schedule to identify administrative and operational vital records
   • Identify special issues and needs concerning electronic vital records (e.g. email-related vital records)
   • Calculate retention periods and disposition timeframes
   • Identify timeframes for retention
   • Consider the potential need for long-term preservation
   • Identify records retrieval / recovery needs
   • Identify the right media for storage
   • Identify the optimal storage environment
   • Identify technologies / equipment needed to retrieve records (e.g. tape / microfilm)
   Points of Reference:
   • Business process owners
   • Business process staff
   • Legal counsel
   • Internal Risk Management
   • Records management vendor

2. What: Evaluate existing backup and restoration procedures for vital records
   How:
   • Evaluate the existence and viability of the organization’s Records Retention Program and Records Retention Schedule
   • Review the current vital records management program and documentation
     − Completeness
     − Accuracy
     − Maintenance
     − Appropriate and effective distribution
     − Periodic training
     − Periodic exercise of procedures
     − Offsite storage of current vital records inventory and procedures, including emergency operating information and procedures
   • Assess the level of adherence to the vital records management program and its overall effectiveness
   • Evaluate potential threats to vital records
   • Evaluate strategies for protecting vital records
   Points of Reference:
   • Legal counsel
   • Internal risk management
   • Internal audit
   • Legal / regulatory requirements
   • Industry sources
   • Records management vendor
   • NFPA
   • NARA (National Archives and Records Administration)

3. What: Develop recommendations for improved backup and restoration procedures
   How:
   • Develop a recommendations document based on the above information
   • Partner with internal and external resources to validate and refine the recommendations document
   Points of Reference:
   • Legal counsel
   • Internal Risk Management
   • Internal audit
   • Legal / regulatory requirements
   • Industry sources
   • Records management vendor
   • Business process owners
   • Business process staff

Sub-Topic: Document and Present Findings

1. What: Document findings
   How:
   • Consolidate findings into a single document
   • Prepare a high-level summary report for presentation to executive management
   Points of Reference:
   • Internal risk management
   • Internal audit
   • Legal counsel

2. What: Present findings and advise management on feasible, cost-effective security measures required to prevent / reduce vital records and security-related risks and exposures
   How:
   • Develop a presentation that clearly summarizes the results and the information in the high-level summary report
   • Consider meeting with each senior manager individually before presenting the final results to the executives as a group.
   • Schedule and present findings and recommended security measures to prevent / reduce vital records and security-related risks and exposures
   • Be prepared to answer detailed BIA questions from the senior managers (take the detailed results to the meeting as a backup)
   • Obtain formal sign-off and approval to move to the next phase of planning
   Points of Reference:
   • Internal risk management
   • Internal audit
   • Legal counsel

Sub-Topic: Document Risk Acceptance

1. What: Determine, and agree on, the cost of downtime
   How:
   • Identify the business process
   • Identify the method used to measure cost of interruption.
     − Is human life at risk?
     − Is revenue lost?
     − Is revenue delayed?
     − Is there a cost for additional resources needed to recover?
     − Are there legal or regulatory issues?
     − Are there contract requirements?
     − Could penalties be assessed?
   Points of Reference:
   • Business process owners
   • Business process staff
   • Recovery staff
   • Legal Counsel
   • Contracting Office
   • Internal Finance / Accounting

2. What: Ensure that service level agreements are documented and considered, in terms of interdependencies (e.g. clients, vendors, key business units)
   How:
   • Identify relationships to other processes, business units, etc.
   • Determine the level of criticality for each interdependent relationship.
   • Verify the presence or absence of service level agreements for each relationship.
   • Determine if the service level agreements are adequate to meet the time requirements for the business process.
   • Determine if there are contract provisions affecting the conduct of the business process.
   Points of Reference:
   • Service Level Agreements
   • Customers of business process
   • Technical Staff
   • Contracting Office

3. What: Develop a risk prioritization grid that maps out the business risk and technical risks
   How:
   • Identify the risk to the business process
   • Associate the technical risks to the business process.
   • Rate the technical risks for likelihood and criticality.
   • Rate the recommendations for ease of fix.
   • Identify the level of cost for each fix.
   • Rank the risks according to criticality, then ease of fix, under each business risk.
   • Rate recommendations for comparative cost: low, moderate, high.
   • Set priorities based on level of risk and cost.
   • Develop a corrective action plan.
   Points of Reference:
   • NIST SP 800-30 Risk Management Guide for Information Technology Systems
   • Test results, when available

4. What: Discuss with executives and ensure that they document accepted risks
   How:
   • Document the risk to the business process and the cost/time to remediate.
   • Review each documented risk and determine if it will be addressed or accepted.
   • If action is to be taken, develop a corrective action plan.
   • If no action is to be taken, document the decision by
     − Email
     − Signature
   Points of Reference:
   • Business Process Owners
   • Technical Staff
   • Operating/processing staff
   • Executive management
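
As an added illustration of items 3 and 4 (this is not code from the DRJ/DRII document), the following Python script builds a risk prioritization grid from constructed sample risks, orders a corrective action plan by level of risk and comparative cost, and keeps a register of which risks executives chose to remediate or formally accept. The three-point scales, the names and the sample risks are assumptions made for the example.

```python
"""Risk prioritization grid and risk-acceptance register (added example).

Follows the steps under Document Risk Acceptance items 3 and 4: associate
technical risks with a business process, rate them, rank them under each
business risk by criticality then ease of fix, order the corrective action
plan by level of risk and cost, and record whether each risk is remediated
or accepted by management. Scales and sample data are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List

LEVEL = {"low": 1, "moderate": 2, "high": 3}   # likelihood, criticality, comparative cost
EASE = {"hard": 1, "moderate": 2, "easy": 3}   # ease of fix: easier fixes rank first


@dataclass(frozen=True)
class TechnicalRisk:
    name: str
    business_process: str   # the business risk this technical risk is associated with
    likelihood: str
    criticality: str
    ease_of_fix: str
    cost: str               # comparative cost of the recommended fix
    recommendation: str

    def level_of_risk(self) -> int:
        """Likelihood x criticality: the 'level of risk' used to set priorities."""
        return LEVEL[self.likelihood] * LEVEL[self.criticality]


def prioritization_grid(risks: List[TechnicalRisk]) -> Dict[str, List[TechnicalRisk]]:
    """Group technical risks under their business process and rank each group by
    criticality, then ease of fix (easiest first), then lower cost, then name."""
    grid: Dict[str, List[TechnicalRisk]] = {}
    for r in risks:
        grid.setdefault(r.business_process, []).append(r)
    for items in grid.values():
        items.sort(key=lambda r: (-LEVEL[r.criticality], -EASE[r.ease_of_fix],
                                  LEVEL[r.cost], r.name))
    return grid


def corrective_action_plan(risks: List[TechnicalRisk]) -> List[TechnicalRisk]:
    """Order fixes across all business processes by level of risk (highest first),
    then by comparative cost (cheapest first)."""
    return sorted(risks, key=lambda r: (-r.level_of_risk(), LEVEL[r.cost], r.name))


@dataclass(frozen=True)
class Decision:
    risk_name: str
    action: str        # "remediate" (goes on the corrective action plan) or "accept"
    approved_by: str   # executive who made the decision
    evidence: str      # how the decision is documented


class RiskRegister:
    """Executives' documented decisions. A risk with no entry is neither
    remediated nor accepted and must go back to management."""

    def __init__(self) -> None:
        self.decisions: Dict[str, Decision] = {}

    def record(self, risk: TechnicalRisk, action: str, approved_by: str,
               evidence: str = "") -> Decision:
        if action == "accept":
            # An accepted risk is documented by email or signature, nothing less.
            if evidence not in ("email", "signature"):
                raise ValueError("an accepted risk must be documented by email or signature")
        elif action == "remediate":
            evidence = "corrective action plan"
        else:
            raise ValueError(f"unknown action {action!r}")
        decision = Decision(risk.name, action, approved_by, evidence)
        self.decisions[risk.name] = decision
        return decision

    def undecided(self, risks: List[TechnicalRisk]) -> List[str]:
        """Risks still lacking a documented decision, in corrective-action order."""
        return [r.name for r in corrective_action_plan(risks) if r.name not in self.decisions]


# Constructed sample data (hypothetical, not from the document).
SAMPLE_RISKS = [
    TechnicalRisk("Unpatched database server", "Order processing", "high", "high", "easy", "low",
                  "Apply vendor patches and enrol the host in the patch cycle"),
    TechnicalRisk("Single WAN link to data centre", "Order processing", "moderate", "high", "hard", "high",
                  "Contract a second carrier with diverse routing"),
    TechnicalRisk("No offsite copy of payroll backups", "Payroll", "moderate", "high", "moderate", "moderate",
                  "Add offsite backup to the vital records program"),
    TechnicalRisk("Shared administrator password on HR application", "Payroll", "high", "moderate", "easy", "low",
                  "Issue individual administrator accounts"),
]

if __name__ == "__main__":
    for process, items in prioritization_grid(SAMPLE_RISKS).items():
        print(process)
        for r in items:
            print(f"  criticality={r.criticality:8} fix={r.ease_of_fix:8} cost={r.cost:8} {r.name}")
    print("Corrective action order:", [r.name for r in corrective_action_plan(SAMPLE_RISKS)])
```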

Sub-Topic: Implement Backup, Restoration, and Security-related Measures and Procedures

1. What: Implement, or assist with implementation of, security measures approved by management
   How:
   • Review Corrective Action Plan
   • Identify key contacts
   • Verify your role in the implementation
     − Level of authority
     − Watchdog
     − Reporting
     − Vendor liaison
   Points of Reference:
   • Gap analysis authors
   • Internal experts
   • Technical staff
   • Legal Counsel

2. What: Implement, or assist with implementation of, backup and restoration procedures for the organization’s vital records approved by management
   How:
   • Review gap analysis
   • Identify areas requiring improvement
   • Verify that recommendations will meet the identified need.
   • Verify your role in implementation
     − Level of authority
     − Watchdog
     − Reporting
     − Vendor liaison
   Points of Reference:
   • Gap analysis authors
   • Internal experts
   • Technical staff
   • Records Management Team
   • External Records Management Advisor
   • Legal Counsel

3. Business Impact Analysis


Identify the impacts that result from disruptions that can affect the organization and the techniques that can be used to quantify and qualify such
impacts. (This includes assessing effects of disruptions; defining criticality and prioritizing the business functions and records; and determining
recovery timeframes and minimum resource requirements.)

Item: Corporate Sponsorship (Obtain Management Approval)

1. What: Gain senior management buy-in
   How:
   • Dialog with management on communication process within the organization and expectations.
   • Develop appropriate senior management reporting avenues to report status, activities, risks, constraints and bottlenecks.

2. What: Request executive level support be communicated for the BIA initiative
   How:
   • Consider writing a sample memo for senior management explaining the BIA initiative and their support of it. Emphasize that the BIA is the cornerstone, the foundation that all recovery strategies will be based on, and the importance of getting it right the first time.
   • Recommend to senior management the audience and the appropriate level to distribute the BIA support memo.
   • Offer to attend staff meetings to explain the BIA initiative if appropriate.
   • Consider using the organization’s intranet website and other communication vehicles in support of the BIA initiative.

Item: Understand the Organization

1. What: Identify business processes / functions
   How:
   • For each line of business, request updated organizational charts (if in existence), workflow diagrams, basically any documentation that may assist in understanding the organizational structure.
   • The term process is often used synonymously with the word function. In general, a BIA is completed for each business process/function. Where processes/functions provide distinctly different products, services, or outputs, separate BIAs may be appropriate, especially if the operational and financial impact of a loss will be significantly different for each process. For example, a separate BIA should be completed for Revenue Billing, Remittance Processing, Telemarketing, etc.
   • Consider the appropriateness of polling senior management for a list of time critical processes/functions to focus on if there is little time to complete a detailed BIA process. Determine what management wants covered if time is of the essence.

Item: BIA Tools

1. What: Design a custom tailored business impact assessment template
   How:
   • Spend time upfront to customize the BIA for the organization. Design a questionnaire that is written specifically for the organization, keeping in mind its business language and culture. Update a prior BIA for the organization based on previous learnings.
   • Consistently use the same timeframes to measure impacts over time for both financial and operational impacts. Using the same time measurements allows BIA results to be consistently compared across the organization.
   • Be consistent with the scale used to measure impacts to the organization.
   • It is important to capture both the tangible and intangible impacts to the organization.
   • Lobby not to add questions to the BIA questionnaire that support another management initiative if it is inappropriate to do so (avoid scope creep).

1-2. What: Determine the financial impact over time of a disruption to each process/function
   How:
   • Financial impacts to the organization as a result of process unavailability can be directly or indirectly applied to each process/function. The BIA seeks to identify both direct and indirect financial impacts.
   • Choose impact levels using the most significant peak period for each business process/function. This may be at the end of a month, quarter or year, or according to seasonal trends in the business process.
   • A scale for quantifying the financial impact over each time period must be established based on the organization’s size and the specific industry.
   • Determine the cumulative financial impact for each category of financial impact.
   • Consider the many types of revenue loss for the organization, as some revenue may not truly be a loss. Consider revenue loss measurements versus revenue that is truly deferred income.
   • Make sure that financial impacts to downstream processes are not recorded and double counted in the financial cost to the organization.

1-3. What: Determine the operational impact over time of a disruption to each process/function
   How:
   • It is important to quantify the operational impacts to an organization resulting from a business process/function being unavailable. Often, the significance of a business process/function is overlooked because there may be no direct financial impact. However, the operational impact to the organization may be just as or even more significant.
   • A detailed definition of each of the impact levels must be established based on the specific industry.
   • A scale for quantifying the operational impacts must be established in order to ensure all processes/functions are measured the same. For example, a scale of 1 – 4 could be used with the following definitions: 1 = some impact, 2 = moderate impact, 3 = serious impact and 4 = severe impact. Another scale example to consider would be using a Low (L), Medium (M) or High (H) Impact scale for quantifying the impacts over each time period.
   • Where possible, contracted service level agreements and any associated penalties should be identified, along with legal or regulatory penalties.
   • Identify the intangible impacts that make up the significant risks and exposures to the organization. One intangible impact may be that the organization will lose employees and jeopardize recovery efforts if employees aren’t paid in a timely manner.
   • A contract may state penalties for missed deadlines or deliverables, or it may not be specific about the exact recourse the organization has.
   • Some operational impacts are intangible. If data is lost that cannot be restored, it may be an intangible impact as it can’t be attached to a direct sum of money.

1-4. What: Determine recovery time objectives (RTOs)
   How:
   • Based upon the financial and operational impacts, determine the RTO. The RTO is the point in time by which this process/function must be recovered, because beyond that time the specific process/function disruption is unacceptable to the organization.
   • Evaluate the minimum acceptable level of operations required for this business process/function within the RTO. For example, if the RTO is 4-7 days, does this business process/function need to be restored at 100% of production capability? Could the business process/function be recovered in stages? Could 50% of the production capability be recovered in 4-7 days and the remaining 50% be recovered in 31+ days? Remember also that a disaster situation is not a business-as-usual working environment.
   • A BIA tool should never force and/or calculate an RTO for a business process/function. Forced recovery time objectives do not take into consideration changes of roles at time of disaster and impacts to downstream business processes and/or dependencies. If a BIA tool is used that assigns an RTO, there must be a process in place to override an RTO upon management review.
   • The RTO is used by corporate support teams to assess possible recovery strategies for the business process/function.

1-5. What: Determine the recovery point objective (RPO) that the process/function will be recovered to at the RTO
   How:
   • Will the process/function be recovered to the time of disaster at the RTO, or to some previous time, such as the time of the last full offsite backup? The RTO may be 24 hours, but if a system is being restored from week-old back-ups, there will be a week of transactions that have to be re-entered or recreated. If there would be no backlog of work that had to be recreated, the RPO would be the same as the RTO.

1-6. What: Determine both internal and external dependencies
   How:
   • Identify supply chain links to other internal departments, processes, or other third parties. Examples of third parties could be vendors, business partners, customers, etc.
   • What are the inflows? From whom does the process/function receive information, data, requests, etc.? Who does the process/function depend on for the information or resources to perform the process/function?
   • Whom does the business process/function provide information to? What are the outflows of this process?
   • Break out dependencies between internal and external resources.

2. What: Determine central repository for BIA data
   How:
   • Determine how BIA data will be used ongoing.
   • Determine where to house BIA data and how to update data ongoing (i.e. a database, an Excel spreadsheet, etc.).
   • Determine audit trail for updates.

Item: BIA Interviews

1. What: Conduct BIA interviews
   How:
   • It is important to gather BIA information from each business process/function owner using an individual interview. Forms that are sent out and completed without the assistance of a Business Continuity Professional will yield results that cannot be reasonably compiled and compared. Individual managers may not know the impact they have on the organization as a whole. Additionally, BIA questions will be interpreted differently by each interviewee.
   • Schedule a meeting with the business/function manager to collaboratively complete the BIA questionnaire. Send out the BIA template in advance so that the recipients can review it with others and get complete answers.
   • Explain the purpose of the BIA initiative to the interviewees. Make it clear that management has no hidden agenda such as having interviewees justify their jobs via the BIA process. It is helpful to explain that every department/employee is mission critical. One of the objectives is for senior management to learn who is time critical should a disaster occur.
   • Conduct the interview and complete the questionnaire. Ensure consistency in the interviewees’ understanding of questions.
   • Design and conduct follow-up interviews. If information is still missing after the interview, follow up with the interviewee and request it be provided.

Item: BIA Findings

1. What: Obtain approval for individual BIA results
   How:
   • It is recommended that at least two levels of approval be obtained for the BIA results. Consider the most appropriate sign-off levels for the organization. It is recommended that both the business process owner/manager and the next highest level of management, if appropriate, review and approve the BIA results.
   • A sign-off form of some kind is used to formally indicate that next level management has reviewed and approved the BIA answers. It is important to note that information contained in the approved BIA will be communicated to others with supporting roles in the recovery of the process such as Facilities, Telecom, IT, etc.

2. What: Prepare analysis of BIA results
   How:
   • Consolidate the individual BIA information to determine the organizational priorities for recovery over time. The recovery time objectives should drive the priorities for recovery.
   • Define recovery objectives and timeframes.
   • Determine priorities for recovery (the order of recovery).
   • Define report format.

3. What: Prepare senior management presentation
   How:
   • A summary report is prepared and presented to senior management.
   • The presentation should be a formality at this point. There should be no surprises in the summary presentation for senior management.
   • Senior management should clearly be able to understand the impacts to the organization should processes/functions be unavailable; this data will support the recovery time objectives required by the process/function.

Item: Gain Management Approval of BIA results

1. What: Obtain senior management approval of BIA summary and recovery prioritizations
   How:
   • Consider meeting with each senior manager individually to present results before presenting the final results to the executives as a group.
   • Develop a presentation that easily shows the priorities for recovery and the RTOs to management.
   • Determine what type of formal sign-off is required to move to the next phase of planning.
   • Be prepared to answer detailed BIA questions from the senior managers (take the detailed results to the meeting as a backup).

2. What: Be prepared to discuss next steps
   How:
   • BIA data can quickly become stale-dated. Once the BIA results and priorities for recovery are approved, it is extremely important to act quickly and begin work for Professional Practice Area #4, Developing Recovery Strategies.

Item: BIA Life Cycle

1. What: Determine BIA review and update requirements.
   How:
   • Determine how often BIA results need to be reviewed for the organization (i.e. annually, semi-annually, etc.). There may be legal and/or regulatory requirements that dictate how often a BIA must be reviewed and updated.
   • Create a tickler system to ensure updates occur as planned.
   • Communicate BIA review cycle with senior management.

4. Developing Business Continuity Strategies


DRII PROFESSIONAL PRACTICE:
Determine and guide the selection of alternative business recovery operating strategies to be used to maintain the organization’s critical functions. (This includes identifying recovery strategy requirements; assessing suitability of alternative strategies; preparing cost/benefit analysis of recovery strategies; and selecting alternate site(s) and off-site storage.)

Item: Corporate Sponsorship (Obtaining Management Approval)

1. What: Develop communication processes to ensure management is provided with frequent status reports throughout the strategy development process.
   How:
   • Dialog with Management on communication process within the organization and expectations.
   • Develop a reporting format that is meaningful to direct management including status, next period activities, risks, constraints and potential problems.

2. What: Senior management (particularly chief executive, financial and operational officers) should make thoughtful decisions about acceptable exposure (risks) to their business and the recovery and continuity timelines that must be ensured by the organization.
   How: Summarize risks and continuity timelines and present to Senior Management with project timelines for approval of strategies that are developed.

3. What: Obtain Senior Management’s approval for strategies.
   How:
   • Request approval of strategy from direct manager.
   • Seek advice on content for next approval level.
   • Put together appropriate content changes for next approval level.
   • Repeat until final approval is achieved at the Senior Management Level.

Item: Pre-Planning

1. What: Identify all critical business processes and/or systems, RTO, RPO, dependencies (vendors, internal/external suppliers) and financial impact for prolonged outages.
   How: Utilize the information in the BIA.

2. What: Continuity Planners and Business Managers need to understand the potential impact of all relevant laws, industry regulations and government codes.
   How:
   • Determine responsibility for maintaining current knowledge of laws, regulations etc. within the various organizational functions within the company such as: Fire Safety, Risk Management, Legal (General Counsel), Audit etc.
   • Establish a structure for cross-pollination of information with the various organizational functions.

3. What: Continuity Planners and Business Managers must ensure that they are aware of the kinds of audits to which they might be required to submit.
   How:
   • Determine who has responsibility for Audit and Information Technology/Security within the organization.
   • Understand from these departments the types of audits that they/the organization are subject to.
   • Build bridges with these departments to maintain currency of information.

Item: Planning & Development

1. What: Identify and incorporate risk mitigation strategies from the output of Subject Area 2 Risk Evaluation and Control.
   How:
   • Have a full understanding of Risk Acceptance identified in Subject Area 2 and how it may affect this strategy.

2. What: Ensure that a strategy exists for protecting vital records including electronic and paper
   How:
   • Identify Vital Records throughout the organization
   • Understand retention periods for vital records including electronic and paper.
   • Determine appropriate backup and/or storage for vital records.
   • Ensure that senior management accepts the program for vital records retention.
   • Develop system and data back up strategies that will meet the RPO from the BIA requirements for each critical system identified.

3. What: Identify the internal and/or external continuity resources and solutions that meet the business requirements.
   How:
   • Review internal resources (i.e. multiple locations with like business functions & technology)
   • Search out external business resources using processes such as RFI, Queries, Professional Organizations, etc.
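
The following Python example is added here (it is not from the DRJ/DRII document) to show the check behind the last bullet of item 2 above and the RTO/RPO discussion in Professional Practice 3 (items 1-4 and 1-5): it compares a proposed backup and staged-recovery strategy against the RTO, RPO and minimum level of operations recorded in the BIA, and reports the backlog of transactions that would have to be re-entered. The systems, schedules and figures are constructed for the example.

```python
"""Check proposed backup / recovery strategies against BIA RTO and RPO (added example).

Worst-case data loss is the age of the newest copy that is already usable from
the alternate site when the primary site is lost just before the next backup
completes: backup interval + offsite lag. Capacity restored by the RTO is read
from a staged recovery plan, as in the BIA's 50% in 4-7 days / 100% in 31+ days
illustration. All systems and numbers below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class BIARequirement:
    system: str
    rto_hours: float                      # point in time by which the process must be recovered
    rpo_hours: float                      # maximum acceptable age of the data it is recovered to
    minimum_capacity_pct: float = 100.0   # level of operations that must be restored by the RTO


@dataclass(frozen=True)
class RecoveryStrategy:
    system: str
    backup_interval_hours: float          # time between successive backups
    offsite_lag_hours: float              # time until a completed backup is usable offsite
    stages: Tuple[Tuple[float, float], ...]   # (hours after disaster, cumulative capacity %), ascending

    def worst_case_data_loss_hours(self) -> float:
        """Backlog of transactions to re-enter if only offsite copies survive."""
        return self.backup_interval_hours + self.offsite_lag_hours

    def capacity_at(self, hours: float) -> float:
        """Capacity restored by a given time under the staged recovery plan."""
        restored = 0.0
        for stage_hours, capacity_pct in self.stages:
            if stage_hours <= hours:
                restored = capacity_pct
        return restored


@dataclass(frozen=True)
class Finding:
    system: str
    data_loss_hours: float
    meets_rpo: bool
    meets_rto: bool
    note: str


def evaluate(requirements: List[BIARequirement],
             strategies: List[RecoveryStrategy]) -> List[Finding]:
    """Compare each BIA requirement with the strategy proposed for that system."""
    by_system: Dict[str, RecoveryStrategy] = {s.system: s for s in strategies}
    findings: List[Finding] = []
    for req in requirements:
        strategy = by_system.get(req.system)
        if strategy is None:
            findings.append(Finding(req.system, float("inf"), False, False, "no strategy proposed"))
            continue
        loss = strategy.worst_case_data_loss_hours()
        restored = strategy.capacity_at(req.rto_hours)
        note = (f"up to {loss:g} h of transactions to re-enter against an RPO of {req.rpo_hours:g} h; "
                f"{restored:g}% of capacity by the {req.rto_hours:g} h RTO "
                f"(minimum {req.minimum_capacity_pct:g}%)")
        findings.append(Finding(req.system, loss, loss <= req.rpo_hours,
                                restored >= req.minimum_capacity_pct, note))
    return findings


def required_backup_interval_hours(req: BIARequirement, offsite_lag_hours: float) -> float:
    """Longest backup interval that still meets the RPO for a given offsite lag;
    zero means the lag alone exceeds the RPO and the strategy itself must change."""
    return max(req.rpo_hours - offsite_lag_hours, 0.0)


# Constructed sample data (hypothetical systems, not from the document).
SAMPLE_REQUIREMENTS = [
    BIARequirement("Order entry", rto_hours=24, rpo_hours=4),
    BIARequirement("Payroll", rto_hours=168, rpo_hours=24, minimum_capacity_pct=50),
    BIARequirement("Customer web portal", rto_hours=8, rpo_hours=1),
    BIARequirement("Archive search", rto_hours=720, rpo_hours=168),
]
SAMPLE_STRATEGIES = [
    # nightly tape, couriered offsite next morning, full rebuild at the hot site in 20 h
    RecoveryStrategy("Order entry", 24, 12, ((20, 100),)),
    # daily backup replicated offsite as it completes; half the staff at a warm site in 5 days
    RecoveryStrategy("Payroll", 24, 0, ((120, 50), (744, 100))),
    # log shipping every 15 minutes, but the standby takes 12 h to bring online
    RecoveryStrategy("Customer web portal", 0.25, 0.25, ((12, 100),)),
]

if __name__ == "__main__":
    for f in evaluate(SAMPLE_REQUIREMENTS, SAMPLE_STRATEGIES):
        status = "OK " if f.meets_rpo and f.meets_rto else "GAP"
        print(f"{status} {f.system}: {f.note}")
```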

4. What: Identify and understand the spectrum of all recovery alternatives available for each critical business function.
   How: Review the following types of recovery alternatives and be prepared to make recommendations:
   • Alternative site or business facility
   • Cold Site
   • Drop Ship/Quick ship agreements
   • Hot-Site Third party service providers
   • Manual Procedures
   • Mitigation
   • Mobile Trailer
   • Reciprocal agreements
   • Warm Site
   • Work from Home
   Note: List may not be all inclusive
   Points of Reference:
   • Appendix 4.4 - Planning & Development Recovery Alternative Definitions
   • Appendix 4.4 - Planning & Development Recovery Alternate Strategy Matrix

5. What: Assess the feasibility of available resources and solutions for the continuity/recovery of business processes.
   How:
   • Compare the cost ranges along with the advantages and disadvantages to implement each strategy.
   • Develop a cost benefit analysis and an implementation timeline for each strategy.
   • Present concise and specific recommendations to management. (The cost benefit analysis should be used to justify all recommendations.)
   • Develop a Request for Proposal (RFP) for disaster recovery third party providers to complete for each alternative strategy. Include:
     − All minimum hardware requirements to support the Critical System for a period of 6-8 weeks
     − Networking requirements (from alternative location to home site)
     − See sample RFP for additional information that should be included
   • Prepare an RFP (based on findings from the BIA) and send to all available Off-Site Storage providers in your area to obtain ongoing costs for the provided services.
   Points of Reference:
   • Appendix 4.5 - Planning & Development – Hot Site RFP

   • Review and present recommendations, based on the vendor RFP responses, to management.
   • Implement back up and off-site storage practices

5. Emergency Response and Operations


Develop and implement procedures to respond to and stabilize the situation following an incident or event. (This includes identifying and
developing emergency response procedures; identifying command and control requirements and procedures; and defining strategy for
salvage and restoration.)

Sub-Topic: Corporate Sponsorship (obtaining Management Commitment)

1. What: Identify stakeholders / decision makers.
   How:
   • Brainstorm with management team.

2. What: Acquire a Senior Management Sponsor to support the program who is willing to periodically attend meetings and support related recommendations.
   How:
   • Schedule a meeting with the CxO to ‘sell’ the business continuity management program concept and obtain commitment
   • Management Team to identify the critical areas to approach.

3. What: Identify risks (natural, neighbors, human, environmental, political, etc.) as well as the likelihood of risk so the plan addresses the appropriate level.
   How:
   • Conduct a formal threat assessment for the facility.
   • Work with local Emergency Management Agencies to identify risks.
   • Research the Internet for historical data.

4. What: Identify preventative measures that can minimize the potential disaster from occurring.
   How:
   • Review the threats and categorize by priority. Then indicate the various mitigation options for each threat.

5. What: Develop Emergency Response planning phases.
   How:
   • Partner with Security and Facilities, as well as external agencies, to develop these phases.

6. What: Develop the strategy:
   - Present for approval the advantages / disadvantages of implementing an Emergency Response Program.
   - Obtain formal approval for the program strategy as well as the budget.
   How:
   • Schedule a meeting with Senior Management / Sponsor to present the pros/cons, including cost benefits and financial information, related to implementing an Emergency Response Program.

7. What: Educate Senior Management on their Roles and Responsibilities.
   How:
   • Partner with Senior Management / Sponsor to document their roles and responsibilities.
   Point of Reference:
   - Provide Senior Management a review of the BC process as well as their roles and responsibilities

Sub-Topic: Planning – Emergency Response

1. What: Partner with the local municipalities to be included in all proposed modifications to the local emergency management process and to be notified of any federal notification received.
   How:
   - Prior to an event, identify, notify and exchange contact data with the various municipal representatives (i.e. EMA director, fire chief, mayor, etc.)
   - Conduct periodic meetings with the representatives.
   - Obtain management approval to conduct on-site tours so local re

ps can become familiar with office location. NOTE: Make prior request with officials to not ‘write-up’ any infractions if they are noted during the tour.

2. What: Partner with the local emergency management agencies to develop response plans for various scenarios initially targeting those identified in the Risk Assessment.
   How:
   - Contact key representatives from the following areas: Police, Fire and Rescue, Health Department, Local Emergency Planning Committees, etc.
   - Schedule a meeting to discuss the top five, initially, identified risks. Discuss/confirm the company’s response plans and how to mitigate the impact of such an event.
   - Present the findings to the management.

3. What: Develop an Emergency Response Team to include representation from areas such as Security, Real Estate, Business Continuity, Human Resources, Safety, Public Relations / Communications, Insurance, Internal Audit, Legal, and Business Representation.
   NOTE: This team’s major objective would be to respond to the immediate emergency, making the appropriate decisions and directing supporting groups such as security personnel.
   How:
   1. Establish structure for Incident Command.
   2. Develop roles and responsibilities.
   3. Develop tasks.
   4. Populate teams with primary, secondary, etc. designation. NOTE: Team members are to obtain management approval prior to acceptance of responsibilities.
   5. Develop escalation procedures.
   6. Develop communication flow.
   7. Develop call trees.

4. What: Partner with the Security and Facilities Departments to ensure efficient and coordinated emergency response and communications throughout the response phase.
   How: Develop a procedure that outlines the roles and responsibilities of staff and management during an event.

5. What: Establish a Command Center
   How:
   - Determine location and resources.

6. What: Learn the company’s safety measures, conduct inventory, and assess current risk to plan accordingly.

7. What: Establish procedures for evacuation (both internal and external) and sheltering in place and train the appropriate teams and employees in their roles. Consider special evacuation needs and visitors.

8. What: Consider additional safety training opportunities in such areas as fire extinguisher training, CPR/First Aid/AED training, etc. Ensure training provided is in alignment with your municipality’s and legal requirements. May need to consult with the Legal Department.

Generally Accepted Practices Page 51 of 113 CONFIDENTIAL


08/20/07
Sub-Topic Item What How Examples
#
9 Identify and acquire emergency supplies –
everyday and disaster specific based upon the
risks identified in Risk Assessment.
10 Equip the Emergency Response Team with vests,
walkie-talkies, clipboards, etc.

Sub-Topic: Documenting an Emergency Response Plan

Item 1
What: Establish Crisis Command Centers (primary, secondary, on-site, off-site, virtual, etc.)

Item 2
What: Document the requirements of the Command Center (i.e., supplies, telecommunications, food, etc.).

Item 3
What: Document the process for activation and the triggers that would result in activation or alert.

Item 4
What: Develop and document methodology for communicating to employees during an incident. Include processes for when employees are at work as well as after hours.
How: Consider implementing an automated notification system.

Item 5
What: Establish a communications plan to address regular updates to the emergency response plan and to all concerned parties.

Sub-Topic: Exercising the Emergency Response Plan

Item 1
What: Identify the appropriate exercise type to implement (i.e., orientation, drills, tabletop, intra-departmental, etc.)

Item 2
What: Conduct emergency response exercises utilizing realistic scenarios.

Item 3
What: When developing a full-scale exercise, ensure to involve external participants (i.e. local officials, vendors, customers, etc.).

Item 4
What: Increase the level of simulation over time (i.e., orientation, drills, tabletop, intra-departmental, etc.) and exercise various plans annually.

Item 5
What: Ensure primaries and alternates are involved within the exercises.

Item 6
What: Document key findings from the exercise.

Item 7
What: Periodically distribute key findings report to business owners until resolutions are complete.

Item 8
What: Incorporate any significant changes resulting from the exercise and update the plan accordingly.

6. Developing Business Continuity Plans


Design, develop, and implement the Business Continuity Plan.
(This includes defining recovery management and control requirements; identifying and defining the format and structure of major plan
components; developing the business operations plan; developing the information technology recovery plan; developing the communication
systems plan; and developing end-user plans.)
Sub-Topic: Pre-Planning Activities for Developing a Plan

Item 1
What: Ensure that an executive sponsor is assigned as oversight and authority for the plan development and implementation process. If this was accomplished as part of the Initiate Project phase, this will be a validation step.
How:
• Identify the highest level management for the process, business function, or technology that is being targeted for the planning effort and request that level of management’s support either directly or by appointed designee. (Preferred sponsor is executive level management, e.g. CFO, CIO, market Presidents/Executives.)
• Meet with designated executive sponsor. Review the planning process, the expected deliverables, resource requirements, and communication flow for status reporting and review of issues as the plan development effort proceeds.
• If the organization does not have a reporting format established, develop one that management agrees will meet its need for information on status, planned activities, risks, constraints and potential problems.
• If sponsor has not reviewed the project plan details for plan creation, review the approach to be taken for the plan development phase and when specific scope, schedule and cost information will be provided.
Points of Reference:
• NFPA 1600:2004. Standard on Disaster/Emergency Management and Business Continuity Programs. Chapter 4 Program Management.
• PAS 56:2003. Guide to Business Continuity Management. Introduction and Figure 2: BCM Relationships.
• HB 221:2004, Standards Australia/Standards New Zealand, Business Continuity Management. Introduction and Chapter 2.1-Developing the BCM Program, Step 1: Commencement.
• Practitioners Guide to Business Continuity Management. Chapter 2, Commencement of BCM; and Section 2.05, Gaining the Commitment of Others.

Item 2
What: Ensure that a business continuity policy is defined.
How:
• Ideally, there should be a policy for the organization as a whole but if one does not exist, then request the executive sponsor to issue a general policy statement for the process and functional areas being covered by this planning effort. (The policy should be an enterprise policy with attached executive directive and the next level organizations clarifying implementation and directive as required.)
Points of Reference:
• NFPA 1600:2004. Standard on Disaster/Emergency Management and Business Continuity Programs. Chapter 4 (Program Management).
• PAS 56:2003. Guide to Business Continuity Management. Section 5.2 (Policy).
• HB 221:2004, Standards Australia/Standards New Zealand. Business Continuity Management. Introduction and Chapter 2.1 (Developing the BCM Program, Step 1: Commencement).
• Practitioners Guide to Business Continuity Management. Chapter 2 (Commencement of BCM).
• Federal Preparedness Circular 65: Federal Executive Continuity of Operations (COP), June 15, 2005.

Item 3
What: Define, clarify, and develop sponsor communication.
How:
• Request approval of strategy from executive sponsor and senior leadership team(s).
• Seek advice on content from process or functional leaders for each organizational tier that is in scope and establish appropriate QA reviews/approvals for planning effort and content.
• Communication should include BCP implementation stages and status for clarification and support potential assurance.
• Communication/report requirements should identify and track function by who’s responsible, who’s accountable, who’s consulted and who’s informed.
• Communication/report requirements can be mapped out using a RACI table identifying function (responsible / accountable / consulted / informed) per #5 below.
Points of Reference:
• Practitioners Guide to Business Continuity Management. Section 2.05, Gaining the Commitment of Others; and Section 2.12, The Establishment Checklist.

Item 4
What: Develop, present, and obtain approval for preliminary planning assumptions and exclusions.
How:
• Prepare a formal scope statement that outlines the assumptions and constraints for the BCP.
• Obtain assumptions and exclusions from executive management and verify with Plan development interviewees.
• Review any additional assumptions and exclusions obtained from interviewees with executive management prior to inclusion.
• The planning effort should address all plans required to ensure overall integrated continuity/disaster recovery.
• Present scope statement for formal signoff.
Points of Reference:
• HB 221:2004, Standards Australia/Standards New Zealand, Business Continuity Management. Introduction, and Chapter 2.1-Developing the BCM Program, Step 1: Commencement.
• Practitioners Guide to Business Continuity Management. Chapter 2, Commencement of BCM; and Section 2.06, Establishing the Infrastructure of BCM.

Item 5
What: Review the organizational structure and document the management hierarchy that will be in scope of the planning effort.
How:
• Identify functional leaders.
• Identify process owners.
• Verify organizational/structural analysis with executive sponsor and/or senior leadership team(s).
Points of Reference:
• PAS 56:2003. Guide to Business Continuity Management. Annex A, RACI Participants in the BCM Cycle.
• Practitioners Guide to Business Continuity Management. Chapter 8, Section 8.04, Table 15a, The IRACI Tool.

Item 6
What: Ensure that contact information, availability to the project, and supervisory approval have been obtained for those who will be involved in BC Plan development.
How:
• The professional practitioner should be sufficiently familiar with the organization to build a preliminary list of contacts for the team that is needed to support the plan development process.
• The team members may be process leaders or functional area managers. (Clients and/or suppliers of functional areas should be interviewed as required.)
• Review/confirm team members with executive sponsor and/or senior leadership team(s) to ensure that those resources will be authorized and responsive to work on the planning effort.
Points of Reference:
• Practitioners Guide to Business Continuity Management. Chapter 2, Section 2.09, Resource Allocation.

Item 7
What: Define project scope, schedule and reporting points and obtain management approval.
How:
• Refer to assumptions and exclusions above.
• Develop a succinct PowerPoint project outline presentation for management to review, discuss and approve.
• Ensure that all supporting components of critical processes are included in the Plan, including but not limited to IT, business processes, workplace, staff, suppliers, etc.
Points of Reference:
• HB 221:2004, Standards Australia/Standards New Zealand, Business Continuity Management. Template 11, The BCM Checklist.

Sub-Topic: Gathering Data To Use for Further Analysis and Consolidation

Item 1
What: Complete a risk assessment for the processes and/or areas to be included in the Plan.
How:
• Identify and define all potential risks to the process/functions to include regulatory, legal, operational, technological, financial, informational and physical security. Geographic characteristics may also need to be factored in.
• Define applicable threats to the enterprise: these could include such factors as areas subject to hurricanes, tornados, floods, wild fires, civil unrest, acts of terrorism, mass transportation breakdowns, utility failures, and so forth.
• Assess the probability of the threat occurring.
• Assess the impact from the threat occurring.
• Quantify/qualify the threat into a risk matrix.
• Identify potential mitigations to reduce, eliminate or transfer the risk.
Points of Reference:
• NFPA 1600:2004. Standard on Disaster/Emergency Management and Business Continuity Programs. Chapter 5 Program Elements, Risk Assessment.
• PAS 56:2003. Guide to Business Continuity Management. Section 6.3, Risk Assessment.
• HB 221:2004, Standards Australia/Standards New Zealand, Business Continuity Management. Chapter 2.1-Developing the BCM Program, Step 2 Risk and Vulnerability Analysis.
• Practitioners Guide to Business Continuity Management. Chapter 3, Section 3.05, Identifying Risks; Section 3.13, The Risk Assessment Checklist; and Appendix B, Sources of Risk.

Item 2
What: Utilize the completed Business Impact Analysis (BIA) to confirm all critical business processes and/or systems, Recovery Time Objectives (RTOs), Recovery Point Objectives (RPOs), dependencies (vendors, internal/external suppliers) and financial impact for prolonged outages.
How:
• Review/confirm with the executive sponsor and/or senior leadership team(s) as a part of the Plan development scope.
• Ensure all input is documented for use later on in writing the plan and ensure any new or modified information is included with the BIA documentation.
• Outline planning assumptions to give to the process owners on the scope and parameters of the planning effort.
Points of Reference:
• PAS 56:2003. Guide to Business Continuity Management. Section 6.2, Business Impact Analysis.
• HB 221:2004, Standards Australia/Standards New Zealand, Business Continuity Management. Chapter 2.1-Developing the BCM Program, Step 3 Business Impact Analysis.
• Practitioners Guide to Business Continuity Management. Chapter 4, Section 4.02, Confirming Critical Business Functions; 4.06, Identify Maximum Acceptable Outage Times and Recovery Objectives; and Template 4.3, Determining the Minimum Acceptable Outage Time.

Item 3
What: Validate and/or clarify statements from senior management about the mission, vision, and goals of the process/functions being covered by the planning effort.
How:
• Document mission, vision, and goals of the organization’s process and functions as determined by validation process.
• Confirm with business unit or process owners, or their senior managers.

Item 4
What: Identify mission critical processes and any other processes that support the mission critical ones and may have potential impacts on them.
How:
• Write executive summary covering the mission critical processes and their dependencies on other processes, internal or external.
• Review/confirm with management.
• Document process flow for use in Plan validation recommendations.

Item 5
What: Gather additional information from management about recovery goals, preliminary Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs) to ensure that the scope and size of the plan development effort will meet the organization’s information requirements.
How:
• Review/confirm RTOs and RPOs with management.
• Review/confirm recovery strategies are aligned with the RTOs and RPOs, and if not, clarify and confirm the risk level exposure management is willing to take.
Points of Reference:
• Practitioners Guide to Business Continuity Management. Chapter 4, Section 4.01, Developing Communications for the BIA and Table 5, Communication and the BIA.

Item 6
What: Establish requirements for resources and organizational commitment to complete the plan development and implementation effort.
How:
• Resources will be needed to review and evaluate all data gathered prior to initiating the plan documentation process.
• Resources will be needed to complete and verify the plan components.
• Resources will be needed to review the finished plan.
• Resources will be needed to implement the finished plan.
• Resources will be needed to exercise the plan as part of implementation.
• Resources will be needed to maintain the plan.
Points of Reference:
• HB 221:2004, Standards Australia/Standards New Zealand, Business Continuity Management. Chapter 2.1-Developing the BCM Program, Step 5 Developing Resource and Interdependency Requirements; Template 5, Minimum Resource Requirements Worksheet.
• Practitioners Guide to Business Continuity Management. Chapter 4, Section 4.03, Identify Resource Requirements; Template 4.7, Determining IT Application Dependencies.

Item 7
What: Make sure that all impacts have been analyzed and recorded if not captured by the BIA.
How:
• Financial impacts
• Operational impacts
• Legal impacts
• Regulatory impacts
• Customer impacts
• Regulatory compliance impacts
Points of Reference:
• HB 221:2004, Standards Australia/Standards New Zealand, Business Continuity Management. Chapter 2.1-Developing the BCM Program, Table 1, Examples of Disruption Impacts on the Organization.
• Practitioners Guide to Business Continuity Management. Chapter 3, Section 3.06, Analyzing Risk.

Item 8
What: Identify and itemize vital records critical to the organization to include any critical tools or processes used in the retention process.
How:
o Identify policy for vital records. If policy does not exist, work with executive sponsor to develop one.
o Identify Vital Records throughout the organization.
o Understand retention periods for vital records including electronic and paper.
o Review/confirm appropriate backup and/or storage for vital records.
o Review/confirm system and data back up strategies will meet the RPO from the BIA requirements for each critical system identified.
o Review vital records list to ensure that all records needed for mission critical processes are covered in the back up and retention adequately to meet the RPO.
o Compliance with record keeping standards needs to be maintained at time of business interruption or disaster.
o Review/confirm list with management.
o Keep list to use later.
Points of Reference:
• ANSI/ARMA 5-2003, Vital Records: Identifying, Managing, and Recovering Business-Critical Records.

Item 9
What: Identify and itemize vendors critical to the organization’s mission, core business processes and/or functions as validated in Step 3 above.
How:
• Review/confirm list with management to include name, location, contact information and alternates to each.
• Keep list to use later.

Item 10
What: Identify key customers for whom notification will be required at time of disaster or for whom a business work-around will be essential. Include required escalation procedures and parameters.
How:
• Review/confirm list of key customers with management.
• Document your key customer interfaces.
• Keep list to use later.

Sub-Topic: Complete Data Analysis and Consolidation for Use in Plan Content

Item 1
What: Confirm that overall recovery time objectives are achievable with recovery performance capabilities.
How:
• Ensure total RTO meets Plan and customer objectives.
• Validate information received with exercise times.
• Ensure that up and downstream processes and components align with provided RTOs.
Points of Reference:
• PAS 56:2003. Guide to Business Continuity Management. Section 6.2, Business Impact Analysis.
• HB 221:2004, Standards Australia/Standards New Zealand, Business Continuity Management. Chapter 2.1-Developing the BCM Program, Step 3 Business Impact Analysis.
• Practitioners Guide to Business Continuity Management. Chapter 4, Section 4.02, Confirming Critical Business Functions; 4.06, Identify Maximum Acceptable Outage Times and Recovery Objectives; and Template 4.3, Determining the Minimum Acceptable Outage Time.

Item 2
What: Confirm that overall recovery point objectives are achievable with recovery performance capabilities.
How:
• Ensure total RPO meets Plan and customer objectives.
• Validate information received with exercise times.
• Ensure that up and downstream processes and components align with provided RPOs.
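The checks in items 1 and 2 (up and downstream RTOs and RPOs, exercise times against objectives) and the backup-versus-RPO check from item 8 of Gathering Data can be run mechanically over the BIA inventory rather than by eye. The Python script below is an added illustration, not part of this document or of any of the standards it references; the component names, hours, backup intervals and the assumption that a component is restored only after all of its upstream dependencies are available are constructed for the example.

```python
"""Alignment checks for RTOs and RPOs across dependent components.

Constructed example (not from the Generally Accepted Practices text).
Checks that upstream components are not slower (RTO) or staler (RPO)
than the processes depending on them, that backup frequency can deliver
the stated RPO, and that exercise results fit the stated RTO.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Component:
    name: str
    rto_hours: float                      # required recovery time objective
    rpo_hours: float                      # required recovery point objective
    depends_on: List[str] = field(default_factory=list)  # upstream names
    backup_interval_hours: Optional[float] = None        # systems holding data
    exercised_recovery_hours: Optional[float] = None     # last exercise result


def find_alignment_issues(components: Dict[str, Component]) -> List[str]:
    """Return one message per mismatch; an empty list means all aligned."""
    issues = []
    for c in components.values():
        for up_name in c.depends_on:
            up = components[up_name]
            # Downstream cannot be back before its upstream is back.
            if up.rto_hours > c.rto_hours:
                issues.append(f"{c.name}: upstream {up.name} RTO {up.rto_hours}h "
                              f"exceeds RTO {c.rto_hours}h")
            # Downstream cannot hold fresher data than its source delivers.
            if up.rpo_hours > c.rpo_hours:
                issues.append(f"{c.name}: upstream {up.name} RPO {up.rpo_hours}h "
                              f"exceeds RPO {c.rpo_hours}h")
        # A backup taken every N hours cannot deliver an RPO shorter than N.
        if c.backup_interval_hours is not None and c.backup_interval_hours > c.rpo_hours:
            issues.append(f"{c.name}: backup every {c.backup_interval_hours}h "
                          f"cannot meet RPO {c.rpo_hours}h")
        # Exercise evidence that the stated RTO is not achievable.
        if c.exercised_recovery_hours is not None and c.exercised_recovery_hours > c.rto_hours:
            issues.append(f"{c.name}: exercised recovery {c.exercised_recovery_hours}h "
                          f"exceeds RTO {c.rto_hours}h")
    return issues


def effective_recovery_hours(components, name, _path=()):
    """End-to-end recovery time, assuming (constructed assumption) that a
    component is restored only after every upstream dependency is available.
    Own restore time is the exercised figure when known, otherwise the RTO."""
    if name in _path:
        raise ValueError(f"dependency cycle through {name}")
    c = components[name]
    own = c.exercised_recovery_hours if c.exercised_recovery_hours is not None else c.rto_hours
    upstream = max((effective_recovery_hours(components, d, _path + (name,))
                    for d in c.depends_on), default=0.0)
    return own + upstream


def unachievable_rtos(components):
    """Names of components whose end-to-end recovery time exceeds their RTO."""
    return sorted(n for n in components
                  if effective_recovery_hours(components, n) > components[n].rto_hours)


# Constructed sample inventory (illustrative values only).
SAMPLE = {
    "HR database": Component("HR database", rto_hours=8, rpo_hours=1,
                             backup_interval_hours=4, exercised_recovery_hours=10),
    "Payment gateway": Component("Payment gateway", rto_hours=48, rpo_hours=24),
    "Payroll": Component("Payroll", rto_hours=24, rpo_hours=4,
                         depends_on=["HR database", "Payment gateway"],
                         exercised_recovery_hours=6),
}

if __name__ == "__main__":
    for issue in find_alignment_issues(SAMPLE):
        print("MISMATCH:", issue)
    for n in SAMPLE:
        print(f"{n}: end-to-end {effective_recovery_hours(SAMPLE, n)}h vs RTO {SAMPLE[n].rto_hours}h")
    print("RTO not achievable:", unachievable_rtos(SAMPLE))
```

On the constructed sample, the payroll process inherits the 48-hour vendor RTO of its payment gateway and so cannot meet its own 24-hour objective, and the HR database's 4-hourly backup cannot deliver a 1-hour RPO; each such finding is exactly the "clarify and confirm the risk level exposure management is willing to take" conversation called for in item 5 of Gathering Data.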
Item 3
What: Finalize personnel and resource requirements to develop and implement the plan.
How:
• Develop contact list for plan development/implementation team(s).
• Develop action plan such as a project plan or a Team Action Record to track and monitor status of the plan development and implementation activities, target dates, responsibility, issues, progress, and comments.
Points of Reference:
• HB 221:2004, Standards Australia/Standards New Zealand, Business Continuity Management. Chapter 2.1-Developing the BCM Program, Step 5 Developing Resource and Interdependency Requirements; Chapter 2.2-The BCM Workbook, Template 5, Minimum Resource Requirements Worksheet.
• Practitioners Guide to Business Continuity Management. Chapter 4, Section 4.03, Identify Resource Requirements; Chapter 6, Assessing and Collating Resource Requirements; and Appendix D, Example of Consolidated Resource Mapping.

Item 4
What: Review, clarify and understand the recovery alternatives available for each critical business function as well as cost analysis.
How: Review/confirm selected recovery solutions such as:
• Alternative site or business facility
• Warm site
• Cold site
• Drop ship/Quick ship agreements
• Hot-site third party service providers
• Manual procedures
• Mitigation
• Mobile trailer
• Reciprocal agreements
• Work from home (telecommuting)
Note: See Strategies Best Practices.
Points of Reference:
• PAS 56:2003. Guide to Business Continuity Management. Section 7, BCM Strategies.
• HB 221:2004, Standards Australia/Standards New Zealand, Business Continuity Management. Chapter 2.2-The BCM Workbook, Template 3, Strategy Development Worksheet.
• Practitioners Guide to Business Continuity Management. Chapter 4, Template 4.6, Determining Alternate Workarounds.

Item 5
What: Consider various approaches to developing the BCP documentation and effort.
How:
• Vertically integrated planning is based upon hierarchical or functional tiers with each tier mapped to the tier above and below it.
• Tiers may also need to be horizontally integrated as co-processes or interdependencies.
• Tiers should incorporate references to other plans relevant to the plan you are working on, such as IT, third party service providers, work area, network, etc.
• Consider the operational and response issues for Plan implementation.
• Include confidentiality and Plan distribution considerations in the Plan format.
Points of Reference:
• Practitioners Guide to Business Continuity Management. Chapter 7, The Framework of Plans.

Item 6
What: Make sure a business case analysis for the recovery plan strategy has been completed and documented.
How:
• This is part of the Strategies phase but should be verified as part of the Plan development and validation phases. The final strategy of mitigation or recovery should have this analysis as input and used in the strategy decision.
• Make sure that the proposed solution costs are consistent with the risk adjusted loss from an event. (See Risk Assessment section above.)
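Item 1 of Gathering Data (quantify/qualify each threat into a risk matrix and identify mitigations that reduce, eliminate or transfer the risk) and item 6 above (solution costs consistent with the risk-adjusted loss) can be carried out as one repeatable calculation. The Python below is an added worked example, not part of this document or of the standards it references; the 1-to-5 scales, the Low/Medium/High band edges, the threats, event frequencies, losses and option costs are all constructed assumptions that an organization would replace with its own risk assessment and BIA figures.

```python
"""Risk matrix rating plus a business-case check of mitigation cost
against risk-adjusted loss.

Constructed example (not from the Generally Accepted Practices text).
Scales, band edges, threats, frequencies, losses and option costs are
illustrative assumptions only.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed 1..5 qualitative scales for the matrix axes.
PROBABILITY_SCALE = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT_SCALE = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


def risk_rating(probability: str, impact: str) -> str:
    """Place a threat in the matrix: probability score times impact score,
    banded into Low / Medium / High (the band edges are an assumption)."""
    score = PROBABILITY_SCALE[probability] * IMPACT_SCALE[impact]
    if score >= 15:
        return "High"
    if score >= 8:
        return "Medium"
    return "Low"


def annualized_loss(events_per_year: float, loss_per_event: float) -> float:
    """Risk-adjusted loss: expected frequency times expected loss per event."""
    return round(events_per_year * loss_per_event, 2)


@dataclass
class Mitigation:
    name: str
    kind: str                       # "reduce", "eliminate" or "transfer"
    annual_cost: float
    residual_events_per_year: float  # frequency left after the treatment
    residual_loss_per_event: float   # loss left after the treatment


@dataclass
class Threat:
    name: str
    probability: str
    impact: str
    events_per_year: float
    loss_per_event: float
    options: List[Mitigation]


def net_benefit(threat: Threat, option: Mitigation) -> float:
    """Loss avoided per year minus what the option costs per year.
    Negative means the option costs more than the risk it removes."""
    before = annualized_loss(threat.events_per_year, threat.loss_per_event)
    after = annualized_loss(option.residual_events_per_year, option.residual_loss_per_event)
    return round(before - after - option.annual_cost, 2)


def evaluate(threat: Threat) -> List[Tuple[str, float]]:
    """All options ranked by net benefit, best first."""
    ranked = [(o.name, net_benefit(threat, o)) for o in threat.options]
    return sorted(ranked, key=lambda pair: pair[1], reverse=True)


def recommend(threat: Threat) -> Optional[str]:
    """Best option whose cost is consistent with the risk-adjusted loss,
    or None when accepting the risk is cheaper than every option."""
    ranked = evaluate(threat)
    if ranked and ranked[0][1] > 0:
        return ranked[0][0]
    return None


# Constructed threats and candidate treatments (illustrative figures).
FLOOD = Threat(
    "Regional flood of the primary site", "unlikely", "severe",
    events_per_year=0.1, loss_per_event=2_000_000,
    options=[
        Mitigation("Relocate server room above flood level", "reduce", 30_000, 0.1, 200_000),
        Mitigation("Flood insurance (deductible retained)", "transfer", 60_000, 0.1, 500_000),
        Mitigation("Perimeter flood barrier", "reduce", 250_000, 0.02, 2_000_000),
    ],
)
POWER = Threat(
    "Utility power failure under 4 hours", "likely", "minor",
    events_per_year=2.0, loss_per_event=5_000,
    options=[Mitigation("Second generator", "reduce", 40_000, 2.0, 500)],
)

if __name__ == "__main__":
    for t in (FLOOD, POWER):
        print(t.name, "->", risk_rating(t.probability, t.impact),
              "annualized loss", annualized_loss(t.events_per_year, t.loss_per_event))
        for name, nb in evaluate(t):
            print(f"  {name}: net benefit {nb:,.0f} per year")
        print("  recommendation:", recommend(t) or "accept the risk")
```

A net benefit below zero for every option means accepting the risk is cheaper than treating it; that outcome is still a decision to record, with the residual exposure confirmed with management as item 5 of Gathering Data requires.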

Item 7
What: Review/confirm recovery site selection and build-out requirements.
How:
o Use this information to document the component recovery phase processes. Also impacts RTO.
o It is possible that this particular step may require a sub-team to gather and document detailed specifications.

Item 8
What: Define key parameters that the Plan MUST address.
How: Key parameters may include but are not limited to:
• Legal & regulatory
• Contractual & Agreements
• Compliance
• Plan format
• Plans should draw distinction between recovering workplace and personnel vs. technology
• Workplace
• Staffing
• Recovery Procedures
• Disaster analysis, definition, notification and escalation procedures.
Points of Reference:
• NFPA 1600:2004. Standard on Disaster/Emergency Management and Business Continuity Programs. Section 5.7.2, Plans.
• PAS 56:2003. Guide to Business Continuity Management. Section 8, Developing and Implementing BCM Plans.
• HB 221:2004, Standards Australia/Standards New Zealand, Business Continuity Management. Chapter 2.2-The BCM Workbook, Template 6, Continuity Plan Worksheet.
• Practitioners Guide to Business Continuity Management. Chapter 7, Section 7.03, Contents of a BCP; and Table 17, Assurance Issues and Evidence.

Sub-Topic: Plan Documentation Components and Applying Finalized Data to Plan Content

Item 1
What: Overview and Scope
How:
• Include confidentiality statement and associated authority.
• Plans MUST honor all required “Confidentiality”.
• Plans should define activities for each phase of the Recovery (response, decision process, post event & pre-recovery, DR production and “back to normal”).

Item 2
What: Assumptions
How:
• Document the assumptions that went into the planning effort.
• These items should clarify and define any issues related to, but not limited to, RTO, RPO, notification and recovery or mitigation ‘environment’, limitations or support expected.
• Include any references that support the Plan implementation such as vendor BCP parameters, etc.
• Identify any impact they may have on the Plan implementation.
Points of Reference:
• If a subscription recovery facility is used, the assumption is that the facility will be available in the event of an event requiring relocation of services.

Item 3
What: Exclusions
How:
• Clearly outline what the plan is not intended to cover.
• Specifically identify, with explanation of exclusion, what is excluded or supporting processes or resources not included.
• Identify any potential impact they may have.

Item 4
What: Compliance Statements
How:
• Document Plan components that address specific key legal and/or regulatory issues. This aids audit, reporting and compliance requirements.
Points of Reference:
• PAS 56:2003. Guide to Business Continuity Management. Section 10.3, Audit.
• Practitioners Guide to Business Continuity Management. Chapter 9, Maintenance of a BCM, Table 17, Assurance Issues and Evidence.

Item 5
What: Teams
How: Document the following team information:
• Key contacts
• Reporting structure
• Roles & responsibilities
• Contact information including but not limited to name, address (with zip code), phone numbers, emergency contacts and alternates.
• For clarity, team names should match up and downstream Plan parameters.

Item 6
What: Declaration & Escalation process
How:
• Document the disaster identification and declaration process including but not limited to Declaration authorities and the initial Notification Procedure and/or checklist.

Item 7
What: Supporting resources
How:
• These will normally be call back lists showing personnel and contact information.
• Document the up and downstream resources for each process to ensure requirements are met.
• Document the interface requirements for each supporting resource.
• Identify critical metrics (physical, timing, etc.) for each resource.
• Reference detailed documentation as required to minimize Plan size, especially for resources with frequent changes or time constraints. Use known terminology and add a glossary as necessary.
• Identify each external supporting resource.

Item 8
What: Controls
How:
• Document each Plan component requiring a control point; give a brief explanation of the objective and purpose of the control, the metrics and the team responsible for the control.
• Identify the control authority (policy, regulatory, compliance, etc., and person) as appropriate.
• Identify incident management (reporting, audit, budget, etc.) and tracking (inventory control, reporting, etc.) controls and the associated authority and policy or regulation.

Item 9
What: Recovery flow
How:
• If the sequencing of events can be displayed graphically, it can help to understand when different parts of the plan are executed and also when resources are needed.
• Develop the Plan structure to support the Process Operational and Recovery flow.
• Document the Plan for each sub-component and functional area to allow appropriate distribution and support required Confidentiality.
• Identify up and downstream requirements and dependencies.
• Document any component assumptions.
• Use graphics as appropriate for clarification and for inclusion in the Plan validation process.
• Identify each external supporting resource (to include supply chain).
Item 10
What: Plan Overviews
How: Provide an overview of each sub-component of the overall Plan, including but not limited to:
• Command and Control
• Communication plan (internal and external)
• Media Interface plan (pre-scripted and approved messages)
• Technology & tools plan
• Workplace plan
• Staffing plan
• Operational procedures plan for each phase of the recovery, such as interim work-arounds
• Supply chain plan dependencies and work-arounds
Points of Reference:
• NFPA 1600:2004. Standard on Disaster/Emergency Management and Business Continuity Programs. Section 5.7.2, Plans.
• PAS 56:2003. Guide to Business Continuity Management. Section 8, Developing and Implementing BCM Plans; and Annex B.5, Developing and Implementing BCM Plans.
• HB 221:2004, Standards Australia/Standards New Zealand, Business Continuity Management. Chapter 2.2-The BCM Workbook, Step 6: Developing Continuity Plans; Template 6, Continuity Plan Worksheet; and Template 9: Minimum Standard for Content of BCM Plan.
• Practitioners Guide to Business Continuity Management. Chapter 7, Section 7.03, Contents of a BCP; and Table 17, Assurance Issues and Evidence.

Item 11
What: Appendices
How:
• Validation schedule
• Key internal contacts detailed information
• Vendor & suppliers detailed information
• Off-site resource information (vital records, hot-site, workplace relocation, etc.)
• Graphics (maps, floor & site layouts, photos, organization charts, process and recovery flow, etc.)
• Inventories
• Sub-plan details as applicable
• Reporting requirements
• Event tracking requirements
• Compliance requirements and references

Sub-Topic: Follow-up Activities

Item 1
What: Plan status report
How:
• Document a summary of the current state of the Business Continuity Program including processes included, excluded, and any open items (or planning gaps). Emphasis should be given to potential issues and the results expected with Plans as developed.

Item 2
What: Plan recommendations report to include but not limited to:
• Confidentiality
• Plan Maintenance & distribution
• Validation process
• Audit process
• Training requirements
• Awareness program
• Command and control
How:
• This report should be guidelines for each of the aforementioned items and/or issues.
• Validate issues with appropriate teams and review with and obtain approval from the executive sponsor for this plan development effort.
Points of Reference:
• NFPA 1600:2004. Standard on Disaster/Emergency Management and Business Continuity Programs. Chapter 13, Exercises, Evaluations and Corrective Actions.
• PAS 56:2003. Guide to Business Continuity Management. Annex B, Section 7 – Exercising, Maintenance and Audit.
• HB 221:2004, Standards Australia/Standards New Zealand, Business Continuity Management. Section 2.1, Step 8, Training, Maintaining and Testing Plans; and Template 10: Training and Testing Development Worksheet.
• Practitioners Guide to Business Continuity Management. Chapter 9, Maintenance of BCM, Section 9.02, Performance and 9.05, The Maintenance Checklist.

Item 3
What: Post-Incident Documentation
How:
• Once teams have been deactivated, debrief Emergency Response, Crisis Management and Business Recovery teams.
• Identify and prioritize key learnings.
• Gather cost accounting detail.
• Gather visual records of event, e.g. digital or hardcopy photos, newspaper reports, internal and external communications.
7. Training and Awareness


Prepare a program to create organizational awareness and to enhance the skills required to develop, implement, maintain, and execute the
Business Continuity Plan. (This includes defining the objectives of training; developing the types of training programs; developing awareness
programs; and identifying other opportunities for education.)

Training and Awareness

Item 1: Establish the objectives and components of a Corporate BCM Awareness and Training Program
How:
• Obtain upper management support and ask them to distribute memos outlining the awareness and training objectives.
• Promote employee and management awareness of emergency procedures to reinforce the significance of business continuity.
• Ensure employees with tasks within the plans are fully aware of their responsibilities.
• Define the desired outcomes of a plan test and choose an appropriate testing strategy.
• Ensure relevant employees, customers, suppliers and other stakeholders are aware of the business continuity initiatives.
• Establish and use metrics to identify key areas of focus and to measure progress in improving quality, reliability and security.
Points of Reference:
• HB 221:2004, Standards Australia/Standards New Zealand, Business Continuity Management.
• ASIS Guidelines.
• Network Reliability and Interoperability Council (NRIC) Standard.

Item 2: Identify functional Awareness and Training requirements
How:
• Test the level of readiness through planned drills or simulated exercises.
• Establish, implement and test emergency response and crisis management programs, including external first responders and civic authorities in mutual emergency preparedness planning.
• Ensure that the guard service provider implements on-the-job training for on-site security personnel.
• Provide periodic (at least annual) security awareness briefings to all personnel.
• Provide awareness briefings on mail screening procedures to all key relevant employees or contractors.
• Provide periodic training to appropriate personnel to ensure understanding of, and compliance with, hazardous materials requirements.
• Establish, and train on, policies and procedures that mitigate workplace violence.
Points of Reference:
• Network Reliability and Interoperability Council (NRIC) Standard.

Item 3: Develop an Awareness and Training methodology
How:
• Conduct a debrief with all of those involved in the test, and with those responsible for plan maintenance or future activation, and assign responsibilities for plan improvement activities.
Points of Reference:
• HB 221:2004, Standards Australia/Standards New Zealand, Business Continuity Management.

Item 4: Acquire or develop Awareness and Training tools
How:
• Create templates internally.

Item 5: Identify external Awareness and Training opportunities
How:
• Attend regular meetings of organizations that include business continuity in the scope of their activities (e.g. ASIS, BOMA, RIMS, ISSA, ISACA).
• Complete FEMA Independent Study courses.
• Attend training opportunities offered by the State, County or local emergency management office.
• Attend CERT training and encourage employees to attend.

Item 6: Identify alternative options for corporate Awareness and Training
How:
• Lessons learned from previous tests and actual incidents should be built into the testing cycle.
Points of Reference:
• HB 221:2004, Standards Australia/Standards New Zealand, Business Continuity Management.

Item 7: Develop Awareness and Training objectives
How:
• Establish a test schedule and timeline stating how often the plan and its components will be tested.
• Ensure participants understand their roles in an exercise; encourage participants to interact and discuss issues, and document lessons learned.
Points of Reference:
• Refer to the Appendix with the sample test schedule.

Item 8: Develop and deliver various types of training programs
How:
• Use a combination of walk-through, live and simulation training methods (e.g. computer-based, classroom and test-based, plus instructional guides and templates).

Item 9: Develop awareness programs (i.e. management, team members, new employee orientation and a current-employee refresher program)
How:
• Distribute key contact information to new employees on wallet cards (e.g. the hotline number for status during an outage).
• Provide management with monthly status updates on all training and awareness activities.
• Provide yearly training for current employees.
• Schedule awareness training to coincide with National Business Continuity Week.

Item 10: Identify other opportunities for education
How:
• Attend yearly Business Continuity conferences and local Business Continuity group meetings to network with other professionals and learn what other companies are doing in their BC/DR programs.
• Enroll in Business Continuity/Disaster Recovery college courses.
Points of Reference:
• Refer to the Appendix listing all Business Continuity groups in the US.
8. Maintaining and Exercising Business Continuity Plans


Pre-plan, coordinate, evaluate, test and exercise the Plan, and document the results. Develop processes to maintain the currency of the Plan
in accordance with the strategic direction of the organization. (This includes determining exercise requirements; developing scenarios;
establishing evaluation criteria; defining exercising objectives; preparing post-exercise reporting; defining a plan maintenance schedule;
maintaining the plan; and developing change control procedures.)

Establish exercise program

Item 1: Identify requirements as per the environment
How:
• Review the existing BC plan.
• Review BC controls.
• Develop the framework and governing structure as per the above.
• Develop the methodology, including the types of exercises to be used (desktop, procedural, actual operations, simulation) as well as the frequency of testing.
• Develop a communications plan from a management and executive management perspective.
• Identify the plan maintenance cycles required to support the overall corporate or business unit goal.
• Develop change control procedures, noting the committee required to approve plan changes and the approval criteria.
Points of Reference:
• DR checklists
• Script for the exercise
• Agreed-upon exercise schedule

Tactical exercise activities

Item 1: Coordinate next steps with the team involved in the exercise
How:
• Schedule a kickoff with the identified resources required for testing (end users, Internal Audit, business unit team members, Compliance and BC Directors).
• Provide an overview and obtain agreement on expectations, goals and critical success factors.
• Document the components to be tested, as well as the timeframe required as per RTO and RPO.

Exercise Development

Item 1: Based on the scenarios most appropriate to the exercise focus noted above, develop steps supporting the completion of either the data or the required functional processes listed
How:
- Develop a realistic scenario based on items noted as key within the Risk Evaluation and Control area.
- Identify a situation which would impact (either negatively or positively) the department's or company's ability to continue normal operations.
- Identify, within the scenario, the personnel required to accomplish the restoration of the business or data tasks impacted.
- Identify touchpoints and interdependencies with the various business units.

Exercise Follow-up

Item 1: Write a report based on the exercise
How:
• Complete the exercise audit process by reviewing the results against the stated expectations, goals and critical success factors.
• Identify opportunities for improvement.
• Develop a draft report for the team members involved and ask for feedback based on their completion of the test scripts noted in the initial phase.
• Combine all test script data and submit it to management for review.

Plan Maintenance

Item 1: Incorporate agreed-upon changes in the plan
How:
• Based on the coordinated test script detail and management agreement, update the plan and the exercise archive as appropriate.

Item 2: Distribute data as required
How:
• Based on the methodology and the team members identified, distribute the plan as per the noted cycle.

Item 3: Change control
How:
• Execute next steps as per the change control methodology.

9. Public Relations and Crisis Communications


Develop, coordinate, evaluate, implement, and exercise public relations and crisis communication plans. (This includes identifying components
of a public relations program and identifying external agencies with whom prior relationships need to be established.)

Planning - Media and Public Relations Communications

Item 1: Ensure the company's Communications Department has identified key internal resources designated to initiate crisis communications with employees, business partners, vendors, government and external media.
How:
- Obtain Senior Management approval and sponsorship for the designated internal resources.
- Have Senior Management identify any additions or deletions of key resources.

Item 2: Ensure the company's Communications Department has identified key external contacts for the various business partners, vendors, government and media organizations, including after-hours contact information.
How:
- Obtain approval from the business partners, vendors, government and media organizations for the designated external resources.

Develop - Proactive Crisis Communication Program

Item 1: Develop crisis communication plans with internal personnel (management, staff, response teams, etc.).
How:
- Obtain contact information (during and after business hours) for internal personnel.
- Establish call trees for Senior Management.
- Establish a call tree for the Crisis Management teams.
- Establish call trees for internal departments.
- Establish call trees for other response teams.
- Develop ongoing procedures and tools to manage relationships and the communications process.

Item 2: Develop crisis communication plans with business partners, vendors, government and media organizations to ensure they are kept informed.
How:
- Obtain contact information (during and after business hours) for customers/clients, external vendors, suppliers, government authorities, etc.
- Develop ongoing procedures and tools to manage relationships and the communications process.

Item 3: Develop crisis communication plans with the media.
How:
- Identify and obtain contact information (during and after business hours) for media representatives (radio, print, television, etc.).
- Establish credentials for key media representatives for future events; also identify the access levels for those credentials.
- Establish relationships in advance of emergency events.
- Develop ongoing procedures and tools to manage relationships with the stakeholders.
- Establish designated internal and external locations for media briefings.

Item 4: Develop an awareness and education program for staff and management.
How:
- Partner with Security and Facilities to identify methods for integration with existing programs.
- Identify the media type, frequency, methods of distribution, etc. for the program.

Implement - Media and Public Relations Communications

Item 1: Establish communication methods (i.e. 800 number, website, pager distribution lists, conference lines, etc.).
How:
- Partner with the Human Resources and Telecommunications departments, etc. to establish an 800 number that can be activated at the time of an event to communicate status information to employees, as well as 800 numbers for the crisis communication teams, etc.
- Develop distribution lists for the various management teams, response teams, etc.

Item 2: Contain media personnel during an event.
How:
- Work with physical security and management to direct media personnel to the designated location(s).

Item 3: Educate employees to direct media inquiries to the PR Department.
How:
- Print and distribute a memo instructing employees to direct any media inquiries to the PR Department.
- Post the memo on the intranet.
- Print labels for employee badges stating the PR contact name and number.

Exercise - Crisis Communications

Item 1: Develop the exercise.
How:
- Develop the exercise process, including scenarios, types of exercises (table top, walkthroughs, partial, etc.) and post-exercise reviews.
- Determine the participants.
- Schedule times and locations.

Item 2: Facilitate the exercise.
How:
- Monitor the progress and keep everyone on the time schedule.

Item 3: Involve appropriate external parties during exercise events.
How:
- Extend invitations to department representatives to participate in the exercise.
- Carefully select the time during the event at which to involve the media, if at all.

Maintain - Media and Public Relations Communications

Item 1: Conduct periodic updates to the media during and after an event to avoid reports written from their perspective.
How:
- Ensure the corporate spokesperson provides factual communications.
- Schedule and post the times for updates.

Item 2: Facilitate the company's post-mortem meeting and share "Lessons Learned" among all departments.
How:
- Develop a format for lessons learned so that everyone is using a common form.
- Distribute the form at the beginning of the exercise or the event.
- Schedule the post-mortem within one week of the event.

Item 3: Conduct a post-mortem with the media contacts.
How:
- Schedule a meeting and discuss how the process can be improved for both parties.
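The call trees that the Develop items above ask for (Senior Management, Crisis Management teams, internal departments, other response teams) are only useful if, afterwards, someone can say who was actually reached and which numbers were stale. The following Python is an added example and not part of the DRJ/DRI text: it models a call tree in which each contact has a business-hours and an after-hours number and a designated backup, works the tree with escalation (primary, then backup, then the caller skipping a level so no branch is orphaned), and returns the reach report a post-mortem needs, plus the quarterly validation check the maintenance items call for. Every name, phone number, date and acknowledgement pattern is constructed sample data.

```python
"""Call-tree notification with escalation and a quarterly contact-validation check.

Added illustration; not part of the DRJ/DRI Generally Accepted Practices text.
Every name, phone number, date and acknowledgement pattern below is constructed
sample data.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Callable, Dict, List, Optional


@dataclass
class Contact:
    """One node of a call tree: a person, both numbers, a backup and who they call next."""
    name: str
    role: str
    phone: str                    # business-hours number
    after_hours_phone: str        # after-hours number (the plan asks for both)
    last_validated: date          # when the numbers were last confirmed
    backup: Optional["Contact"] = None                     # escalation target if no answer
    calls: List["Contact"] = field(default_factory=list)   # downstream contacts


@dataclass
class ReachReport:
    """What the post-mortem needs: who acknowledged, who was covered by a backup, who was missed."""
    reached: List[str] = field(default_factory=list)
    escalated: Dict[str, str] = field(default_factory=dict)   # primary -> backup who covered
    unreached: List[str] = field(default_factory=list)        # neither primary nor backup answered
    dialed: List[str] = field(default_factory=list)           # numbers used, in call order


def number_for(c: Contact, after_hours: bool) -> str:
    return c.after_hours_phone if after_hours else c.phone


def run_call_tree(root: Contact, answers: Callable[[str], bool],
                  after_hours: bool) -> ReachReport:
    """Work the tree breadth-first from the initiator (root).

    answers(name) stands in for whether that person acknowledges the call.
    Escalation: primary, then backup; if neither answers, the caller skips a
    level and works the missed person's list directly, so no branch is orphaned
    and the gap is recorded instead of silently dropped.
    """
    report = ReachReport()
    pending: List[List[Contact]] = [root.calls]
    while pending:
        batch = pending.pop(0)
        for callee in batch:
            report.dialed.append(number_for(callee, after_hours))
            if answers(callee.name):
                report.reached.append(callee.name)
            elif callee.backup is not None:
                report.dialed.append(number_for(callee.backup, after_hours))
                if answers(callee.backup.name):
                    report.escalated[callee.name] = callee.backup.name
                else:
                    report.unreached.append(callee.name)
            else:
                report.unreached.append(callee.name)
            # whoever covered this node (primary, backup, or the caller
            # skipping a level) now works its downstream list
            pending.append(callee.calls)
    return report


def stale_contacts(root: Contact, as_of_iso: str, max_age_days: int = 90) -> List[str]:
    """Contacts (backups included) not re-validated within the quarterly cycle."""
    as_of = date.fromisoformat(as_of_iso)
    stale: List[str] = []
    seen = set()
    stack = [root]
    while stack:
        c = stack.pop()
        if c.name in seen:
            continue
        seen.add(c.name)
        if as_of - c.last_validated > timedelta(days=max_age_days):
            stale.append(c.name)
        if c.backup is not None:
            stack.append(c.backup)
        stack.extend(c.calls)
    return sorted(stale)


def sample_tree() -> Contact:
    """Constructed sample: CEO -> COO (backup: Deputy COO) and CIO; COO -> Facilities
    lead; CIO -> IT DR lead (backup: IT DR deputy) and Security lead."""
    recent, old = date(2007, 6, 1), date(2007, 1, 15)
    sec = Contact("Security lead", "Crisis management", "555-0101", "555-0102", recent)
    dr = Contact("IT DR lead", "Business recovery", "555-0103", "555-0104", recent,
                 backup=Contact("IT DR deputy", "Business recovery", "555-0105", "555-0106", old))
    fac = Contact("Facilities lead", "Emergency response", "555-0107", "555-0108", recent)
    cio = Contact("CIO", "Senior management", "555-0109", "555-0110", recent, calls=[dr, sec])
    coo = Contact("COO", "Senior management", "555-0111", "555-0112", old,
                  backup=Contact("Deputy COO", "Senior management", "555-0113", "555-0114", recent),
                  calls=[fac])
    return Contact("CEO", "Senior management", "555-0115", "555-0116", recent, calls=[coo, cio])


if __name__ == "__main__":
    # After-hours drill in which the COO, the IT DR lead and the IT DR deputy do not answer.
    missed = {"COO", "IT DR lead", "IT DR deputy"}
    rpt = run_call_tree(sample_tree(), lambda n: n not in missed, after_hours=True)
    print("reached:", rpt.reached)
    print("escalated:", rpt.escalated)
    print("unreached:", rpt.unreached)
    print("stale numbers as of 2007-08-20:", stale_contacts(sample_tree(), "2007-08-20"))
```

The skip-level rule is the design choice worth noting: a call tree that stops at the first unanswered node leaves an entire branch uninformed, whereas recording the miss and continuing turns the gap into a line item for the post-mortem and the next validation cycle. In a drill, replace the lambda with the acknowledgements actually received.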

10. Coordination with Public Authorities


Establish applicable procedures and policies for coordinating response, continuity, and restoration activities with local authorities while ensuring
compliance with applicable statutes or regulations. (This includes identifying applicable laws and regulations governing emergency response;
identifying agencies supporting disaster recovery and business continuity; and developing plans to meet statutory requirements.)

Preparedness

Item 1: Determine who your local and regional public authorities are and their potential impact on your plans, including but not limited to emergency management, fire, police, public utilities and elected officials.
How:
- Determine who is responsible for liaison with each area of expertise.
- Meet regularly with each authority, internally and/or externally.
- Participate in joint activities.
- Support authority initiatives, especially those affecting your business and area.
- Communicate regularly with internal staff who are members of, or volunteers for, public authorities.
Points of Reference (examples of groups and individuals to know):
- Local emergency management offices (city, county, region, etc.)
- Elected and appointed officials, including but not limited to the mayor, county judge, council members, etc.
- Fire chief, police chief, Emergency Medical Services (EMS) head, public (or service provider) utility head and designated interface, etc.
Item 2: Understand the potential impact of laws, regulations, codes, zoning, standards or practices concerning emergency procedures specific to your location and industry.
How:
- Determine responsibility for maintaining current knowledge of laws, regulations, etc., including assignments for public meeting attendance, reading of press releases and other releases, and meetings with public officials.
- Hold regular meetings to discuss changes to, or impact on, current response, emergency and recovery procedures.
- Participate in local emergency planning committee meetings.
- Partner with other organizations with an interest in the same or similar laws, regulations, zoning, etc. for information sharing and "encouragement" support.
- Leverage your internal legal department.
- Assign lobbying responsibility to "encourage" laws, regulations, zoning, etc.
Points of Reference (examples of when this knowledge may be important):
- Hazardous material response, movement and receipt may require specific notification and coordination.
- Understanding OCEA regulations.
- Heavy or "large" equipment or object moves may require permits and coordination.
- Radio frequency use may be regulated.
- Response supply access may be limited (local and vendor site).
- Expected resources may not be available if preempted by higher authorities.
Examples of organizations:
- EHCMA, East Harris County Manufacturers Association
- LEPC, Local Emergency Planning Committee
- Industry associations
- Area support groups
  o Building and "block" associations
- Neighborhood associations
Lobbying points of reference:
- Direct and association lobbying efforts
- Zoning commissions
- Appraisal District Boards
- Water supply boards


Item 3: Determine the organizational interface protocol, identification and training requirements, and assign appropriate internal staff or support representative(s).
How:
- Assign an internal liaison responsibility for each area of expertise.
- Include the information in the regular validation process.
- Reinforce the interface protocol at all levels during training exercises, etc.
- Develop policy and operational procedures to support and define the activity.
- Hold joint meetings to discuss and establish expectations for internal and external response, emergency and recovery procedures.
- Resolve any conflicting issues, and coordinate and document the resolutions for implementation.
Points of Reference (match expertise with requirement):
- PIO (Public Information Officer)
- PR (Public Relations Officer)
- Technical staff interface
- Fire team
- Hazmat team
- Facilities support
Example groups include:
- Area councils
- Local Emergency Planning Committee (LEPC)
- Voluntary Organizations Active in Disaster (VOAD)
- Community Emergency Response Team (CERT)
Note: These lists are not all inclusive.

Item 4: Document the forms and processes to be used before or during an event or exercise to ensure activities, participants, etc. are captured for review and for Plan response and recovery improvements.
How:
- Include this responsibility with the persons assigned liaison responsibility for each area of expertise.
- Include the information gathered in internal response procedures.
- Validate the information on a regular basis.
- Include the information gathered in internal procedure validation exercises.
- Hold joint information-sharing meetings and exercises to review the results of information gathered during an event.
- Include this process in future updates of your plan and of your training and awareness program.
- Determine whether permits require specific (public-authority-provided) request and/or reporting forms.
Points of Reference:
- ICS (Incident Command System) forms
- Process flow charts
- Communication interface forms
- Staffing forms
- Contact lists
- Chemical descriptions and effects
Item 5: Document the public authority groups and individual contacts, the communication protocol they require, and the status reporting process.
How:
- Determine who is responsible for liaison with each area of expertise.
- Validate the information gathered on a regular (quarterly) basis to ensure it is current.
- Develop or obtain the forms/reports to be used at the time of an incident.
- Develop the Post Incident Review (PIR) process and timelines.
- Work with local Public Information Officers (PIOs) to understand and follow protocol.
- Ensure that any permit-required activities, which may require several stages of interface throughout the process (such as pre-approval, coordination or monitoring, and post-event reporting and review), are completed as required.
- Participate with public authorities during an event or exercise to validate any specifically required coordination: expertise, equipment, training and protocols.
Points of Reference:
- Contact lists with details
- Interface methods documentation and forms
- Insurance confirmation forms, etc.
- Permit reporting forms
Public authority group examples:
  o Fire
  o Police or Deputy Police
  o National Guard
Volunteer and non-profit group examples:
  o Volunteer fire
  o CERT, Community Emergency Response Team
  o LEPC, Local Emergency Planning Committee
  o Salvation Army
  o Baptist Men

Item 6: Document each public authority group's information sources that apply to your full Business Continuity Management processes.
How:
- Determine who is responsible for liaison with each area of expertise.
- Maintain the source locations and include them in internal documentation.
- Validate the information on a regular basis (quarterly recommended).
- Incorporate the information in internal disaster scenarios and procedure validation exercises.
Points of Reference (examples of sources to monitor):
- NWS (National Weather Service) email service
- Website "Alert" pages
- Court (legal system) notifications through business journals, websites, etc.
- http://www.tropicalstormrisk.com/
- http://www.noaa.gov/
- http://neic.usgs.gov/neis/bulletin/
- http://www.nws.noaa.gov/
- http://www.nhc.noaa.gov/
- http://www.prh.noaa.gov/ptwc/
- http://www.emsc-csem.org/Html/ALERT_email.html
- Local Metro traffic cameras (Houston): http://www.houstontranstar.org/
Item 7: Ensure information that may be required immediately by public authorities during an incident is readily available.
How:
- Assign an internal liaison responsibility for each area of expertise.
- Include in the planning a liaison to work with the local officials on site at the time of an incident; ensure they understand the role and the information that would be required of them.
- Provide regular information and resource tours for public authorities and internal liaisons to ensure appropriate information sharing.
- Document and provide appropriate type and location information (maps, graphs, spreadsheets, etc.), being certain to maintain appropriate confidentiality.
Points of Reference (examples of information required):
- Electrical and telecomm sources
- Floor plans
- Hazardous waste storage facilities (e.g. PCBs)
- Chemical storage and supplies
- Laboratories
- Organization's site layout information
- Secure areas
- Water
- Foam for fire suppression
Note: This list is not all inclusive.

Item 8: Document the levels of support available to your organization's response and recovery Plan.
How:
- Assign an internal liaison responsibility for each area of expertise.
- Hold joint meetings or exercises to discuss internal and external response, emergency and recovery procedures and the overall support that will be provided under different scenarios.
- Resolve any conflicting issues, and coordinate and document the resolutions for implementation.
- Include the information gathered in future updates of your plan.
- Include the information gathered as part of the Plan and response validation process.
- Evaluate the support available during critical time periods, such as days 1 through 5, of your requirements and procedures as they relate to the public authority interface.
Points of Reference:
- Public authority policy
- Hazardous material clean-up (may need EPA approval, reporting, etc.)
- Non-profit charter policy (Red Cross, United Way, Baptist Men, Salvation Army, etc.)
- Citizen group policies (CERT, etc.)

Item 9: Obtain and review your facility(s) and regional access issues.
How:
- Assign an internal liaison responsibility for each area of expertise.
- Include the information gathered in internal procedures.
- Validate the information on a regular basis.
- Include the information gathered in internal procedure validation exercises.
- Obtain maps and identify alternate routes.
Points of Reference (examples of access issues):
- "All clear" parameters
- Evacuation and return routes
- Official escape and return routes over personal and commercial roadways, waterways and airways
- Special transport routes (chemical, size, etc.)
Note: This list is not all inclusive.

Item 10: Identify and document organizational and other resources potentially available in support of public authorities and other organizations.
How:
- Assign an internal liaison responsibility for coordinating with external liaisons and evaluating possible mutual aid assistance.
- Include the information gathered in internal procedures and documentation.
- Validate the information on a regular basis.
- Include the information gathered in disaster validation scenarios.
- Include the information gathered in internal risk assessment and mitigation processes.
- Provide regular information and resource tours for public authorities and internal liaisons to ensure appropriate information sharing.
- Document and provide appropriate type and location information (maps, graphs, spreadsheets, etc.), being certain to maintain appropriate confidentiality.
Points of Reference (examples of local and regional public authority locations):
- Banks
- Churches
- Fire stations
- Infrastructure terminals and storage locations
- Parking lots
- Police
- Public buildings such as city halls, courthouses, Justice of the Peace
- Historical monuments and statues
Examples of supporting resources:
- CERT, Community Emergency Response Team
- Sea ports
- EOC Centers, Emergency (or Joint) Operation Centers
- Evacuation support centers
- Fire facilities
- Hospitals
- Key vendors
- LEPC, Local Emergency Planning Committee resources
- Television and radio stations
- National Guard
- Police
- Red Cross
- Supply warehouses
- United Way
- Salvation Army
- Baptist Men
Note: These lists are not all inclusive.
Share item examples:
- Hazardous materials
- Chemicals
- Fuel supplies
- Water and foam (fire suppression) sources
- Communication devices and support equipment
- Ham radio
- Equipment (trucks, backhoes, ships, etc.)
- Organizational contacts
- Locations
- Skills and training parameters
- Shelter capability
- Ability to provide food to emergency workers/community
Item 11: Acquire public authority reports of area vulnerabilities and risks, and include complementary and appropriate mitigation and response procedures in your organization's Business Continuity Plan and risk assessment process.
How:
- Assign an internal liaison responsibility for each area of expertise.
- Maintain current public and internal studies and assessments and include them in future updates of your plan.
- Include applicable information in the risk assessment, BCP development, internal change control process and validation processes.
- Partner with local authorities on assessments.
- Contact local authorities to obtain information.
Points of Reference (example studies, assessments, etc.):
- Flood plain maps
- Risk assessments
- Monitoring systems
- Road extensions
- Bridge capacities
- Land use studies
- Debris management
Examples of where to obtain information:
- Department of Transportation (DOT)
- Environmental Protection Agency (EPA)
- Regional councils (HGAC, Houston Galveston Area Council)
Note: This list is not all inclusive.

Item 12: Document the organization's staff members who may be members of a public authority or support group.
How:
- Require each internal team to maintain this information and communicate it to the appropriate internal team (BCP, Emergency Management, etc.) for consolidation and distribution.
- Work with Legal to ensure all liability issues have been addressed.
- Compare the list to internal response lists to ensure that internal readiness and response are not affected.
- During training, ensure all participants are aware of their organizational responsibilities and identify any conflict with their responsibilities within the community.
Points of Reference (public authority group examples):
- Fire
- Police or Deputy Police
- National Guard or any military affiliation
Volunteer and non-profit group examples:
- Volunteer fire
- CERT, Community Emergency Response Team
- LEPC, Local Emergency Planning Committee
- Salvation Army
- Baptist Men
- Defense Force
Note: This is not an all inclusive list.

Item 13: Document local and regional supporting infrastructure resources.
How:
- Assign an internal liaison responsibility for each area of expertise.
- Include the information gathered in internal procedures and documentation.
- Validate the information on a regular basis.
- Include the information gathered in disaster validation scenarios.
- Include the information gathered in internal risk assessment and mitigation processes.
- Visit each location on a regular basis and include it in internal operational and response, emergency and recovery procedures.
Points of Reference (infrastructure examples):
- Road maps
- Contour maps
- Pipelines
- Water lines
- Power plants and grids
- Communication lines and hubs
- Railroads
- Bridges
- Water and fuel supplies

Item 14: Obtain a copy of, and review, the Emergency Operations Procedures of the local authorities.
How:
- Assign an internal liaison responsibility.
- Require appropriate review and analysis against internal procedures, documentation and validation exercises.
Note: Information sources are staff who are members of these groups, and the public authority and volunteer groups directly.
Points of Reference (public authority policy and procedure manuals):
- Fire
- Police
- Transportation department
- HAZMAT

Item 15: Participate in local Emergency Management, Business Continuity and other organizations that support your industry.
How:
- Assign responsibility for coordinating an appropriate interface to executive management.
- Include the responsibility in internal Public Relations (PR) and/or the Public Information Officer (PIO) role.
- Work with the Legal Department to ensure liability issues are addressed.
Points of Reference (types of organizations):
- CERT, Community Emergency Response Team
- Sea ports support
- EOC Centers, Emergency (or Joint) Operation Centers
- Fire departments
- Hospitals
- LEPC, Local Emergency Planning Committee resources
- National Guard
- Police
- Red Cross Disaster Services
- United Way
- Salvation Army
- Baptist Men

Item 16: Utilize an accepted standard incident command format that interfaces with local, regional and other authorities and their implementation.
How:
- Train, and validate training, for ICS.
- Use the ICS format in all response, emergency and recovery procedures, as well as in operational procedures where applicable.
- Hold regular meetings with, and participate in or observe, public authority ICS implementations and activities.
- Review the information gathered for possible changes to internal procedures.
Points of Reference:
- National Incident Management System (NIMS)
- Incident Command System (ICS) forms

Response & Recovery 1
What: Monitor documented status information sources included on local, regional and national Warning Systems, Press Releases, radio and television reports, etc.
How:
- Assign maintenance of monitoring status information.
- Include gathered documentation in the internal response, emergency and recovery procedures and operational procedures.
- Ensure the person monitoring status has, at a minimum, internet access, weather radios, and cable TV and radio available for monitoring. If necessary, include satellite phones.
Points of Reference: Examples of sources to monitor:
- http://www.tropicalstormrisk.com/
- http://www.noaa.gov/
- http://neic.usgs.gov/neis/bulletin/
- http://www.nws.noaa.gov/
- http://www.nhc.noaa.gov/
- http://www.prh.noaa.gov/ptwc/
- http://www.emsc-csem.org/Html/ALERT_email.html
- Pacific Disaster Center: http://www.pdc.org/core_rva.php
- Houston area Metro: http://www.houstontranstar.org/

Response & Recovery 2
What: Document the actual events including all incoming information and recommendations and comments by participants, clients and observers to facilitate post event analysis.
How:
- Assign event documentation responsibility.
- Maintain effective documentation forms and process.
- Include gathered documentation in the internal response, emergency and recovery procedures and operational procedures.
Points of Reference:
- ICS (Incident Command System) forms
- Process flow charts (RTO, RPO, etc.)
- Communication interface forms
- Staffing forms
- Contact and contacted lists
- Procedure changes & issues occurring

Response & Recovery 3
What: Communicate availability and document use of resources for public authorities.
How:
- Obtain executive approval.
- Assign an internal liaison responsibility for coordinating with external liaisons the availability of possible mutual aid resource assistance.
- Assign the mutual aid documentation and reporting responsibility.
- Maintain currency of mutual aid resources.
- Work with legal to ensure liability issues are addressed.
Points of Reference: Share item examples:
- Hazardous materials
- Chemicals
- Fuel supplies
- Water & foam (fire suppression) sources
- Communication devices & support equipment
- Ham radio
- Equipment (trucks, backhoes, graders, ships, etc.)
- Organizational contacts
Other items may also be considered depending on need, availability and industry.

Training/Exercise & Awareness 1
What: Participate in local and regional training and exercises as appropriate to support the organization's requirements.
How:
- Document available public authority offered training possibilities.
- Use public training as appropriate to support internal requirements.
- Obtain internal executive approval.
- Assign executive management responsibility for the exercise participation decision.
- Document appropriate participation roles and responsibility.
- Assign internal staff specific participation responsibility.
- Document and review activities and results.
- Work with legal to ensure liability issues are addressed.
Points of Reference: Training examples to consider:
- Emergency Management training
- HR - Human Resource training
- Joint support training (VOAD, CERT, etc.)
- Security (police) and fire training
- Handling of hazardous materials
- Evacuation training
Exercise examples to consider:
- Fire drills
- Terrorist drills
- Hazardous material drills
- Evacuation drills
- Emergency Operations Center (EOC)
Note: These lists are not all inclusive.

Training/Exercise & Awareness 2
What: Share internal training for the response and recovery Plans developed, including documentation validations and certification process, table-tops, walk-throughs, component validations, etc.
How:
- Document available shared training possibilities.
- Obtain internal executive approval.
- Assign an internal liaison to coordinate including public authorities in internal approved training.
- Work with legal to ensure liability issues are addressed.
Points of Reference: Training to consider sharing includes:
o Documentation validations
o Certification process
o Table-tops
o Walk-throughs
o Component validations
o Equipment maintenance procedures
Note: This list is not all inclusive.
Training/Exercise & Awareness 3
What: Monitor public authority exercises and event response and review their on-going recovery status and Plan implementations.
How:
- Assign a liaison to monitor public authority activities.
- Review the information gathered and integrate into internal appropriate procedure documentation.
- Participate in events and review public releases related to the event.
- Inquire about up-coming events through regular conversations with local authorities.
Points of Reference: Example sources to monitor include:
- Newspapers
- Trade and association newsletters
- Television and radio announcements
- Websites of the public authority and participating organizations
Note: This list is not all inclusive.

Training/Exercise & Awareness 4
What: Notify and include authorities of organizational exercises where applicable.
How:
- Assign executive management responsibility for the decision of including public authorities in internal activities.
- Assign a liaison to communicate and coordinate the internal event schedule and any on-going event status.
- Provide an event overview to the authority to aid their review and "follow along".
- Maintain currency of event public authority inclusion.
- Document roles and authorities.
- Review all resulting activities and participation.
- Work with legal to ensure liability issues are addressed.
Points of Reference:
- Upcoming exercises
- Fire Drills

Post Event or Exercise 1
What: Review public authority event or exercise documentation; plan objectives, participants and final reports for lessons learned and Plan and training modifications and procedure improvements.
How:
- Assign a reporting process and a person responsible for the information gathering.
- Document an appropriate reporting format for the information.
- Assign information review responsibility.
- Include reviewed information into the internal change control process.
- Use any available public information your staff members who are members of the public authority have concerning the event.
Points of Reference: Examples of information sources include:
- Local Emergency Managers
- Board of Supervisors Minutes/Meetings
- LEPC Coordinator
- Websites of the public authority and participating organization
- Obtain information from the exercise or event source.
Post Event or Exercise 2
What: Communicate internal event or exercise results to public authorities when their support was utilized, could have been utilized or had an effect on your recovery.
How:
- Obtain executive authorization for information to be shared with public authority and the associated confidentiality.
- Assign a high level communication liaison.
- Review information to be reported for inclusion into the internal change control process.
- Communicate public authority response to information received.
- Assign a liaison to "encourage" public authority participation if their assistance "could have been utilized" and adjust internal procedures to cover requirements until their participation or resources are available.
Points of Reference:
- Exercises
- Fire Drills
- Actual events
Post Event or Exercise 3
What: Participate in post event public discussions and round-tables.
How:
- Assign an executive management and/or PR person to determine the participation role.
- Assign a post public authority event liaison.
- Document a reporting and evaluation process and a procedure for post event information integration.
- Work with legal to ensure liability issues are addressed.
- Prepare by reviewing released event information.
Points of Reference:
- Forums
Post Event or Exercise 4
What: Coordinate future internal exercises and objectives with local authorities.
How:
- Define and document possible future events to coordinate.
- Receive approval by executive management of events and roles and responsibilities.
- Meet with public authority to review event possibilities and the roles and responsibilities and obtain their recommendations and approval.
- Report final coordination plans to executive management for approval.
- Document coordination reporting format and assign documentation responsibility.
- Work with legal to ensure liability issues are addressed.

VII. Appendices

a. Developing Business Continuity Strategies
Embedded documents:
- APPENDIX 4.5 - Planning & Developme
- APPENDIX 4.4 - Planning & Developme
- APPENDIX 4.4 - Planning & Developme

b. Training and Awareness
Embedded documents:
- Exercise Roles.doc
- Exercise Schedule.doc