Developing & Implementing the BCP
Business continuity management [BCM] is the process by which your organisation will begin to function normally again after a disruptive incident. The length of time this takes is crucial to a successful recovery. A well-formulated business continuity plan [BCP] will identify all the key actions, personnel and services needed to manage the incident and the recovery process. How much of the plan you will need at the time clearly depends upon the nature of the incident and the size and complexity of your business.
There is no such thing as a standard BCP. Each plan will vary according to the size of the organisation, the nature of its business, its location and the complexity of its operations and premises. However, with the exception of very small entities, the BCP is likely to include the following:
Each department or business area should have its own recovery management procedures that together form the interlocking BCP supporting your organisation’s recovery objectives, strategy and timeframes.
One of the benefits of separate ‘sub-plans’ for each business area is that these may be used by each to restart its operations, should it alone be subject to disruption. These sub-plans in turn, need to be provided with planned support from central resource suppliers such as facilities management [FM] and information & communication technology [IT].
There is a benefit in the use of a standardised BCP format. It will simplify development, implementation, maintenance, audit and change management. To this end, this section should be read in conjunction with the following.
Foresight includes a structure upon which to build your BCP. This model (Section 7.1) is populated in italics to demonstrate the content of a typical BCP. It is not suggested that you merely fill in the blanks. Please feel free to adapt the model to reflect the culture and needs of your organisation.
In addition to the model BCP, there are appendices that provide examples of all the necessary supporting information you will need to complete the planning process. (Section 7.2). As with the model BCP, these are not intended to be completed verbatim, but to provide you with guidance on information that would be required. In many instances, the data you would need are already in existence; the critically important factor is the need to link this to your BCP in a way that ensures availability when required, regardless of time or circumstances.
As previously described (Section 3.0), the departmental business continuity sub-plans should be developed using data directly drawn from each department / business area’s completed and validated BIA. These sub-plans are where much of the information referred to in the model BCP appendices will be needed. Detailed guidance is provided elsewhere. (Sections 2.0 and 8.0).
Recovery management is concerned with the aftermath of the incident, once the immediate danger is past. As is illustrated (Section 6.0), the recovery phase may well overlap with the acute phase of the incident and this possibility must be considered, particularly when individuals have duties within the incident management plan [IMP] as well as for business recovery within the wider BCP.
Larger organisations will need to appoint specialist co-ordinators to deal with delivery of facilities, technology and process recovery. The BCP must enable the timely recovery of pre-identified business-critical processes to be achieved by ensuring that the necessary physical and logistical resources are available. Whatever the options selected as being the right strategies for your organisation, it is vital that they be ‘sense-tested’ as part of the outline planning process, before detailed planning is undertaken. Recovery management has three main components:
Disruptive incidents such as fire or flood are likely to have affected part or all of your working space, facilities, equipment and materials. For this reason, it is vital to have a plan that takes into account the potential need for alternative accommodation where facilities and equipment may readily be installed and / or alternative means of achieving your required deliverables can be applied.
Facilities Management (FM, and / or its equivalent, such as engineering department) is a supplier of service to the wider organisation. Responsibilities should include damage limitation measures and logistics for the recovery phase. The impact of incidents that result in partial damage can be mitigated by prompt actions such as the use of weatherproofing, drying and cleaning. The facilities recovery plan may need to contain details of availability of materials (plastic sheeting, de-humidifiers etc.) and of specialist suppliers of cleaning and drying services. For some organisations it may be necessary to arrange a contract to guarantee rapid response.
The facilities recovery plan should address repair or replacement, ensuring that pre-arranged external assistance is brought into action, preparing alternative accommodation and acquiring and installing utilities and facilities such as machinery, equipment, furniture. The plan must be capable of delivering the process level recovery priorities and recovery timeframe objectives [RTO]. FM / engineering department will be responsible for delivering, either directly or via third parties, a high proportion of the elements identified as being required to support resource level strategy.
The need for guaranteed access to vital information (drawings, schematics etc.) must be addressed in this key component of the BCP.
Many organisations that are reliant upon IT have disaster recovery plans [DRP] in place. As has been described previously, such plans do not constitute the totality of BCM. The IT department will have an understanding of business needs. However, the only sure way of delivering the true priorities of the organisation - to meet the overall & process level strategy - is for the IT user-departments to stipulate their requirements, priorities and timeframes and for this (validated) requirement to underpin the IT recovery strategy.
The IT department or equivalent will be concerned with the restoration of information technology and telecommunications. Many organisations out-source IT services to a lesser or greater extent and, in these circumstances, the management of third party input to business recovery, will need to be incorporated into the IT recovery plan. Depending upon areas of responsibility, the IT plan may need to include the provision of environmental controls, physical & systems security, hard wiring, hardware & software as well as relationships with external IT suppliers.
There are many options open to you to cater for loss of telecommunications, datalinks etc.. The size and sophistication of your system and the immediacy of need will dictate which is the most appropriate. The options include: ‘Yellow Pages’ – merely having the contact details of suppliers and installers; a maintenance and/or recovery contract; dedicated stand-by facilities at another location; pre-arranged / ‘on the day’ call transfer to another location; third party-contract call handling. Whatever is put into place, ensure that all relevant information - (programs, reloading details and the like) is backed up securely and safely and would be available.
The IT department is likely to be the largest and most complex support service within many organisations. The recovery of critically dependent applications is commensurate with the complexity of configuration, type and spread of dependent and critical IT systems. As with telecommunications, the recovery arrangements will need to reflect your business needs. Such arrangements could range from buying off-shelf replacements from a computer supermarket to having mirrored facilities ready for immediate use.
There are many suppliers of IT disaster recovery [DR] facilities and, for organisations that are heavily reliant upon IT, the choice includes delivered servers and ancillaries, mobile units, work area recovery facilities – and more. The strategy for recovering IT systems will be based on the analysis of all critical processes and their RTO.
Embodied within your selected IT recovery strategy will be a myriad of logistical requirements that will need careful planning and organising. It is best to implement the strategy on a project management basis, and start by agreeing the tasks that would need to be completed before the recovery plan can be exercised. The time required to acquire, install, load and test equipment should not be under-estimated.
Physical IT facilities are only part of the issue. The required level of technical resource is likely to be beyond that available in-house – certainly in the early stages of recovery from a major loss of hardware, software and peripherals. It is, therefore, important to pre-plan and devise ways of obtaining those resources within the required timeframe.
It makes sense to ensure that systems knowledge is not uniquely in the head of a single person or in those of a very small team. Ensure that the information is captured, recorded and held within the appropriate battle box. (IT specialists have been known to resign from organisations immediately post-disaster).
The content of the plan should contain both guidance and sources of information to deal with key issues such as communication with stakeholders, customers, suppliers and other interested parties as well as reinstating business processes. The amount of information in the plan will vary from entity to entity and, within these, from area to area. The key requirement is that the content would be ‘useable and useful’, in the event of the BCP being activated.
Process recovery consists of the practices and procedures needed to mitigate risk, protect reputation and recover the business. It should ensure the reinstatement / recovery of pre-identified business-critical activities, within the required RTO. The following criteria are the core requirements needed to develop & implement your plan fully:
During the development of the strategy, the process owner will have identified all the business support services that enable the process to operate. These support services will have co-operated to ensure that they would be able to respond to the needs of each recovery plan without compromise.
No two businesses are the same - but most have certain elements in common including:
The BCP should prioritise each of these elements in turn. Every organisation includes certain essentials, people for instance. The plan should therefore include comprehensive contact procedures - and legislate for the delegation of responsibility in the event of these people being unavailable. Similarly, equipment, materials, and documentation should be divided into essential and non-essential items - with provision made for back-up copies of essential items off-site.
When developing your recovery plan, build and expand upon the agreed strategy and determine what support resources are needed. Start by considering the basis upon which the process operates and its elements then utilise this information for the development of the plan.
Just as under ‘peacetime’ conditions, business processes do not happen in a vacuum. They rely upon the provision of facilities, including accommodation, furniture, equipment, technology and systems. The recovery plans of the various process owners will rely upon others to provide them with the essential support services.
As will be recognised, the aftermath of an incident may well fall into a series of, often overlapping, phases. These are illustrated by the following graphic:
As this illustration shows, phases may overlap. The significance of this is that your BCP - and most particularly the roles and responsibilities that are placed upon individuals - must allow for such circumstances.
This has particular relevance to smaller or flat organisations where a limited number of people would be given a variety of duties, perhaps as members of the different teams, namely the control management team [CMT], the incident management team [IMT] and the business recovery team(s) [BRT]. Workloads should be spread as widely as possible and the ability to deal with the differing requirements of these phases must be planned for, in terms of strategy, process and resources. Clear examples of teams - and individuals - that have duties across various phases include FM & IT.
Depending upon the nature, complexity and size of your organisation, you will need to identify personnel who will take responsibility for specific tasks, possibly across a number of BRT. Large organisations (or large sites) may require a separate BRT to manage each of the business continuity elements listed above.
Smaller businesses may require fewer teams. Very small operations may require only a single BRT. The need for deputies or alternates to cover for absence or other non-availability should be addressed when setting up the BRT. Suggested roles and responsibilities that should be addressed in the planning process are set out below. Further detailed advice on roles and responsibilities is provided. (Section 7.1).
Business continuity co-ordinator
In addition to responsibilities within the IMT (Section 6.0), the co-ordinator should have ‘peace time’ responsibilities across the BCP for:
Control management team
Many organisations assume the CMT will consist of the most senior decision-makers, including the like of the chief executive, finance director and operations director. It is not always the case that these individuals would be suitable for team membership.
The hierarchical structure applied by the majority of organisations has a proven track record of working - under business as usual circumstances. However, there is considerable difference between dealing with intensely stressful situations such as may be the case in the ‘response’ and ‘acute’ phases of BCM and the day-to-day running of a business. Different skill sets may be needed. Leaders who recognise that others may be better suited to deal with such unusual circumstances are not displaying weakness; they are demonstrating true leadership.
Whomever is selected for CMT membership, it is essential that all parts of the organisation be represented and that administrative & secretarial support is included to ensure that mundane, but nonetheless essential aspects such as provisioning are addressed, and the records are kept of decisions, actions and costs. There should be a sufficient number of members always to permit a quorum for decision-making.
As with all other teams (and their component individuals), the CMT has responsibilities for plan content, maintenance and implementation. The team’s ‘peace time’ activities include overall strategy and content of the BCP, including team numbers and composition and the need to ensure plan currency and suitability, by means of review and exercise programmes.
At the time of an incident, CMT responsibilities should include
One of the most crucial CMT responsibilities is that of ensuring the integration and smooth transfer of activities between other teams (IMT & BRT) and it is therefore vital that communications between the teams are clear, unambiguous, rapid and continual.
Incident management team
Membership and responsibilities of the IMT are set out elsewhere (Section 6.0).
Business recovery team
Typically, the areas to be covered by this team, or teams, are facilities (including the like of premises, utilities, engineering and technology) and process recovery. FM and IT also will have duties within the IMT.
Overall post-invocation responsibilities will include:
Business recovery team leaders
As business continuity co-ordinator, you should (with the overt support of the BCM sponsor) identify the key areas of the business that must provide the resource to enable the recovery strategies and plan development to proceed.
Team leaders should be nominated from within identified key business areas (and trained) to assist in plan development, as well as to have continuing roles & responsibilities within the BCP, once it has been implemented.
As will have been seen, some areas will need representation on more than one team. Consider also the need for deputising to cater for absence and to provide essential breaks and support. Smaller organisations may choose to amalgamate the teams and roles. In this case it is essential that each team member recognises and understands the different requirements of the post-incident and recovery phases.
The scale or implications of incidents cannot be predicted. Whilst it is possible that the CMT may be able to meet in their usual workplace, this should not be presumed as, following an incident, it is possible that the premises / site / locality would be within an exclusion zone due to damage, safety, pollution, or for forensic reasons. Therefore, alternative incident control centres [ICC] need to be available.
An ICC is a location at which the CMT would assemble to fulfil their role of strategic command and decision-making. It follows, therefore, that the facility must have a level of resource to permit this to happen, regardless of time or circumstances.
The space required for an ICC may not need to be large, merely a room in which the CMT could convene and from which it would manage the strategic elements of the incident. However, bear in mind that an ICC may be occupied for extended periods, therefore it should also provide (or be in close proximity to) catering, and washroom facilities. Depending upon your organisations needs, other requirements are likely, including technology access, and facilities for communication.
Consider the use of conference centres such as may be provided at major hotels - but be aware of the possibility of non-availability. Access must be 24 hours a day, every day of the year, and should provide security and privacy. Ideally, at least two off-site facilities, one within relatively close proximity and one outside any likely exclusion zone, should be considered to supplement the on-site ICC.
Incident control centre requirements
This list contains the more commonly required facilities needed in an ICC
In addition, desktop services and parking facilities are highly desirable.
All members of the CMT must know of these arrangements - and the site selected at the time of any invocation. The continuing availability and suitability of each ICC and any pre-prepared material kept there should be made subject to regular review.
Each primary and secondary ICC should be used alternately during plan exercises to ensure CMT familiarisation and to determine whether resources have been forgotten or have not been considered.
Reference has been made, (Section 2.0), for the need for Janus, or ‘double-headed’ plans. Such requirements may well apply to organisations that have more than one site and/or where the strategy for recovery from loss of part or all of one facility is to transfer to another. It would almost certainly be necessary for the sites or elements that could be so called upon to shed certain non-critical activities in order to ‘clear the decks’ to assist and they therefore would be implementing – at least part – of their own BCP, to achieve this.
Regardless of the above, support services (e.g. FM and IT) will always need to create two plans, the first to focus upon the recovery of the support service itself; the second to deal with the need for additional help from those parts of the organisation that rely upon this service.
Other parts of the organisation may need to have a recovery plan that requires them to provide a very different service than under business as usual conditions. An example would be a personnel department whose more usual role of provision of training, recruitment and administration services relating to employment management would need to be put to one side. Post-disaster tasks could involve the like of employee welfare and financial assistance, provision of trauma counselling, liaison with emergency services, hospitals, relatives and so on. All such considerations must be pre-planned, to the greatest possible extent.
The full BCP needs to be available, no matter the circumstances or timing. There are many platforms available on which to develop and hold the BCP, its associated appendices and other relevant material. At the most basic level, this would be a paper document but, in this age, it would be a very rare bird if it were not to be produced electronically, enabling the original material to be held, up-dated, copied and secured.
However your organisation decides to hold original material, whether centrally, or as distributed material, the mantra (quoted from IS0/IEC Standard 27002 & 27001, Managing information security http://www.bsigroup.co.uk) of ‘confidentiality, integrity & security’ [CIA] should apply.
Whilst electronic versions of plans should be used as ‘master’ originals, it is advisable, for most organisations, to have paper copies printed. If you are sure that you would be able – regardless of circumstances – to gain access to (and print?) the electronic version – it may be necessary only to have hard copies of material required for ‘immediate’ purposes. Consider keeping a copy in each battle bag and / or at each off-site ICC (subject to CIA).
At the very least, copies of the plan should be kept by the business continuity co-ordinator, the IMT and CMT members (including all alternates). The size of your organisation will dictate how many other people will need a copy – but you should bear in mind that the more copies in circulation, the more difficult it will be to ensure that they are up to date.
It may well be appropriate to hold centrally, non-operational elements, such as the BCM policy, or perhaps on your organisation’s intranet site with suitable access controls in place, and distribute only those parts of the BCP that are relevant to the areas concerned.
Third party suppliers who would play a part in the recovery process should hold all the necessary documentation relating to their role.
A battle bag is a catch-all description for an assemblage of information and materials that would be required during the response phase of an incident. For ease of accessibility, one should be kept at the like of the reception desk or at a 24 hours manned security lodge and becomes the responsibility of the receptionist, security guard or other designated person to pick up and bring to the assembly area on evacuation. Given that many incidents occur outside operational hours, and may result in denial of access, it is advisable to have a further battle bag secured and readily accessible, off-site.
The list of contents will vary from one organisation to another. There are core common requirements such a copy of the BCP, contact details, building lay-out plans with critical areas marked e.g. services isolation points, hazardous materials and areas, IT (including communications) rooms etc. Other contents to consider include site-specific (release / spillage) emergency response plans and material items such as torches, cameras, mobile / satellite telephones, USB stick, spare Blackberries & batteries and solar chargers.
A battle bag is little more than a facility containing the items mentioned above plus other specialised equipment that may be needed in an emergency. Different battle bags can be constructed for different response personnel and should be tailored to meet discrete requirements.
Consider, when assembling contents, the need for maintenance, immediate use-ability and update. The contents of each battle bag should be made subject to a programme of update and replacement of consumables, where necessary.
This ensures that the supplies do not deteriorate over time. It also ensures that any changes to telephone numbers, personnel, stationery etc. can be introduced into the battle bag system as they occur. Such pre-planning ensures that you have the right supplies as and when you need them. Being portable, the battle bags also ensure that the correct information and equipment can be brought, without delay, to where it is needed.
Example health, safety & security contents
Other departments’ bags could contain the like of headed stationery, pre-printed business expenditure authorisation and incident pro forma.
1 Business Continuity Institute provides, via certification, internationally recognised status to its practitioner-members (that) demonstrates...competence to carry out BCM to a consistently high standard
 Those processes / activities that have to be performed in order to deliver the products and /or services that ensures that the organisation meets its most important and quality / time sensitive objectives.