By Dr Sandra Bell, Head of Resilience Consulting - Sungard AS

Doing business in an increasingly uncertain world is becoming riskier. The rate of digital attacks and environmental disasters, alongside general political unrest, continues to grow, creating constant uncertainty for businesses of every size. Whilst uncertainty creates opportunity, it also creates the chance of business disruption. It is now, more than ever, essential for businesses to implement measures to allow them to survive despite operational disruption – namely Business Continuity measures.

Consider the following scenario. A cyberattack takes down your server – do you know what the next steps are? Disruptions are, of course, not limited to cyberattacks and the havoc wreaked on unprepared businesses, even from the smallest disruptions, can be devastating. Without procedures detailing actions to be undertaken by teams right across the business at times of disruption, businesses are unable to continue the delivery of priority products and services, resulting in the loss of income and reputation.

Business Continuity and Disaster Recovery Plans should be unique to every business since they must deal with the specificities of different companies and industries, but it's nevertheless possible to follow a general template when considering creating them. Interested to learn what a Business Continuity Plan template might look like? Sungard AS are going to outline all the steps and information to include in your plans to help protect your business.

Continuity Plan Template - General Principles

Business Continuity Plans are the documented procedures designed to guide an organization to respond, recover, resume, and restore to a pre-defined level of operation following disruption. They are an integral part of any Business Continuity Management capability and can be created to address the strategic, operational and tactical requirements of the business. The number and type of plans an organization needs depends on a number of factors including: the size and scope of the organization; its organizational culture; the nature of the risks that the organization faces; the regulatory and legislative environment etc.

You typically have a single strategic plan that provides information on what to do if there is a threat to the strategic objectives of the organization. This is often called a Crisis Management Plan. Disruptions to operational activities are dealt with by operational plans that are aimed at individual departments or teams. In many organizations these lower level plans become unwieldy if all the continuity procedures are contained within a single document, or contain insufficient detail to guide an effective response. Most organizations therefore have multiple operational plans that contain information and response procedures for specific locations, systems or equipment, together with a small number of tactical plans aimed at ensuring activity within a disrupted site or functional area is coordinated.

However, all plans should abide by the following guiding principles:

  • Direct: Provide clear, action-orientated and time-based direction together with quick access to vital information.
  • Adaptable: Enable the organization to respond to a wide range of incidents, including those that have not been anticipated.
  • Concise: Contain only guidance, information and tools that are likely to be used by the team during an incident.
  • Relevant: Provide information that is current and useful to the team using the plan.

Plan Content

A typical BCP contains 5 sections, the size, content and level of detail of which will depend on the audience that the plan is intended for. The 5 main sections are:

Purpose, objectives and scope: This section should clearly identify what the plan sets out to achieve, who it is for, any assumptions together with how it fits within the response structure of the organization.

Activation criteria, roles & responsibilities and immediate actions: Plan activation criteria should be included in this section together with any continuity solutions, such as back-ups or work area recovery facilities, that are available to be used. Response team roles (and alternates) should be listed together with prompts for immediate action and decisions.

Communications, dependencies and prioritised activities: This section should include the requirements and procedures for communicating with interested parties such as staff, vendors, customers, shareholders, regulators, the media etc. This is also the section that contains the organization's prioritised activities. At a time of disruption an organization needs to focus all efforts on the main value-creating activities. These will have been previously identified and agreed through a Business Impact Analysis (BIA) and the activities to support them identified when the Business Continuity Strategy options were determined.

Assumptions, limitations, decision support and information flow: It is impossible to plan for every eventuality and therefore decisions will need to be made. This section should clearly identify any limitations relating to extent, duration and impact together with escalation procedures. Checklists should be included to aid decision making and information flow.

Standing down procedures and appendices with relevant information: It is very important to stand down as soon as the incident is resolved. Failure to do so signals to staff, clients and other stakeholders that the organization is still in trouble and this can have a negative effect on reputation. This section should therefore clearly identify the criteria that need to be met to close the incident and procedures to learn from the experience. This section should also be used for information that teams may find useful during an incident together with templates such as action logs and meeting agendas.

All plans need to support actions and decisions from the beginning of the incident, through to the recovery of agreed levels of service and return to business as usual. Many organizations like to keep the plans for immediate emergency actions separate from those related to continuity activity management – but this is a personal choice.

Finally, it is very likely that plans will be used by people when they are under stress, and beautifully crafted verbose plans with multiple procedures and graphic descriptions of scenarios are more likely to be used as door stops than aides-memoire. You should consider the use of timelines, flowcharts, decision trees and checklists to help simplify complex concepts and keep the response moving in the right direction.

Recovery Strategies and Activities

This section is specific to the strategies your business will undertake should a disruption occur, explored through different disaster scenarios, following a thorough risk assessment. Include the steps that must be taken and the resources available to implement the recovery strategy. A visualized timeline is a helpful tool in this section as it will aid everyone in understanding the process's workflow, from initial detection through to recovery.

Individuals responsible for implementing each recovery strategy should be detailed in this section, ensuring that all contact information is up to date and reviewed regularly. Use your Business Impact Analysis (BIA) to prioritize the order of service recovery.

Appendices

The appendices section is reserved for the finer details of each recovery strategy stage and is dependent on the content of the previous section. Provide all the important paperwork needed by users and any further information required to implement procedures correctly. Think of including maps of meeting points, incident report forms, declaration procedures and instructions on contacting vendors and customers.

Finish the document with an easy to use checklist outlining key action steps to guarantee that no vital stages are overlooked.

The Building Blocks for A Successful Recovery Program

If you're already familiar with the broad principles of a BCP and have been tasked with creating a BC/DR plan for your organization then you will require a more detailed template than the one above. While it's always best to employ expert knowledge and extensive testing when creating and implementing a BC/DR plan, it's still possible to get the plan close to 80% viability. Sungard AS are going to share insights, gained over the last 30 years, and a detailed template that can be customized for almost any business. It will follow the same basic structure as above whilst diving deeper into the individual elements that need to be included in each section.

Introduction

The introductory section should provide a general overview of all the things that can be found in the plan and any details about the entity creating the plan (i.e., the particular company, business unit, or functional area), maintenance history of the plan (i.e., when the plan was last revised and tested), the purpose of the plan, the scenarios being targeted, and any assumptions underlying the plan.

Look to cover the following points for a comprehensive introduction to the plan:

  • Plan purpose
  • Plan objective
  • Plan scope
  • Plan scenarios addressed
  • Plan assumptions

Recovery Strategies and Activities

Following a comprehensive introduction are, typically, a number of segments covering the strategies outlined in the plan, any personnel involved in recovery and the recovery activities themselves. The following are some of the points you may wish to cover in your own BC/DR plan, though these must be tailored to specific industries and risks.

  • Recovery Strategy Summary: outline the broad strategies to follow in each disruption/disaster scenario identified in the introduction section.
  • Recovery Tasks: provide a list of specific recovery activities required to support the strategies outlined above; these may be things like supporting equipment or emergency transportation.
  • Recovery Personnel: a good BC/DR plan will identify specific people involved in continuity and recovery efforts, detailing contact information that's updated regularly.
  • Plan Timeline: successful BC/DR plans usually need to be activated promptly. A flow chart/timeline hybrid might start at the incident, go into personnel response, highlight any decision points, before ending with recovery time objectives.
  • Critical Vendors and Their RTOs: list all vendors, daily operations, recovery strategies, and any required time objectives that vendors must meet for the BC/DR plan to be successful.
  • Critical Equipment / Resource Requirement: consider detailing resource quantity requirements that must be in place following plan activation and their timeframes. This may cover workstations, laptops, phones, and more.

Beyond the BC/DR Template

BC/DR templates are a great starting point for many businesses looking to protect their work and companies from operational disruption. However, it is the process of determining the information that needs to be put in the plans that is important. Plans are simply the audit trail that 'planning' has taken place and the real value to the organization is in the process of putting them together.

Examples of value-add include:

Agreement on the top-level priorities: Before a Business Continuity Manager can work out which operational functions need plans, they must first get the organization to define and agree the top-level priorities of the organization when disrupted. The health and safety of people and the protection of assets and the environment are clearly primary. But having agreement on the next three or four business-related priorities will mean that all measures to absorb or adapt that are put in place across the organization can be implemented with those priorities in mind.

Appreciation of each other's roles and responsibilities: Before any plans can be written, two things need to be ascertained: the business processes and related dependencies, such as IT applications, suppliers etc., that support the operational functions that need to be maintained, and the impact that would ensue if they were lost. Appropriate Business Continuity strategies, such as replication, post incident acquisition or diversification of activity, also need to be designed.

Whilst such information is necessary for the BC plans, it also graphically illustrates how disparate roles and responsibilities in an organization mesh together to create a common output. Such illustrations can be used extremely effectively to cut through corporate politics.

Developing cross-organizational supportive relationships: One of the biggest blockers to resilience at the organizational level is individual people, teams or departments just looking after themselves. For example, an IT Department that focusses solely on achieving uptime targets, or an operational team concentrating on meeting their output targets when they know that the teams they are delivering to are struggling to keep pace. Business Continuity examines the internal relationships for priority activities in detail and can therefore provide a basis for greater understanding and empathy between people, teams and departments.

Successful BC/DR plans aren't simply about compliance. Their creation can add real value to a business, not just in the case of a disruption, but during business as usual.
