The BIFM Good Practice Guide to...
business continuity good practice guide no.15 revised Nov 2010 retail price ÂŁ10
The BIFM Good Practice Guide to Customer Care British Institute of Facilities Management Number One Building The Causeway Bishop’s Stortford Hertfordshire CM23 2ER Tel: 0845 0581356 Email: email@example.com Web: www.bifm.org.uk Publications Committee Chair: Dr Bob Anderson CBIFM Members: Stephen Bennett, Graham Briscoe, Cathy Hayward and Carolyn Knight
Authors: Anne Lennox-Martin, Msc, CBIFM, FBIFM, independent FM consultant and a BIFM Training trainer; and Ivan Newman, founder and director, Living inside the Brand® Reviewer: Lucy Jeynes, MBIFM, managing director, Larch Consulting Ltd Series editor: Dr Bob Anderson, CBIFM, chairman, BIFM Publications Committee This guide is available in different formats – for details call 020 7880 6226
Redactive Publishing Limited
17 Britton Street, London EC1M 5TP Editorial Tel: 020 7880 6229 Email: firstname.lastname@example.org Editor: Cathy Hayward; Deputy editor: Gareth Price; Sub-editor: Kathryn Manning; Art editor: Dan Swainsbury; Picture editor: Sam Kesteven Advertising Tel: 020 7880 6209 Email: email@example.com Production Production manager: Jane Easterman Publishing Publishing director: Cathy Hayward © The British Institute of Facilities Management (BIFM) series of Good Practice Guides is published on behalf of the BIFM by Redactive Publishing Ltd (RPL), 17 Britton St, London EC1M 5TP. The guides do not necessarily reflect the views of BIFM nor should such opinions be relied upon as statements of fact. All rights reserved. This publication may not be reproduced, transmitted or stored in any print or electronic format, including but not limited to any online service, any database or any part of the internet, or in any other format in whole or in part in any media whatsoever, without the prior written permission of the publisher. While all due care is taken in writing and producing this Good Practice Guide, neither BIFM nor RPL accept any liability for the accuracy of the contents or any opinions expressed herein.
First published September 2010
Welcome to the Good Practice Guide to…Business Continuity
Contents 01 Introduction 02 The BCM life cycle 04 Understanding the organisation 09 Determining strategy 14 Developing a response 20 Exercise, maintain, review 23 Embedding BCM 24 Appendix 1: Incident Response 26 Appendix 2: Glossary 28 Further Information
usiness continuity is the ability to continue essential business functions at all times, under all circumstances, and as far as humanly possible. Business Continuity Management (BCM) is an amalgam of the associated disciplines, processes and techniques. The purpose of this Guide is to describe the general principles and the practical application of BCM, to enable facilities managers to develop an understanding of the issues. The Guide is aimed at those with little or no previous knowledge of business continuity, although familiarity with the working environment and the culture in which business continuity is to be implemented is assumed. The British Standard, BS 25999-1:2006 Business continuity management code of practice, is followed with input from the Business Continuity
Institute’s Good Practice Guidelines 2010 (BCI GPG 2010), in which further, more detailed, information can be found: www.thebci.org/gpg.htm BCM and its skills and disciplines should be seen as “common sense applied in a structured manner”.
The Good Practice Guide to Business Continuity 1
Understanding the Organisation
tu l u
Exercising, BCM Determining Maintaining PROGRAMME BCM Stratergy and Reviewing MANAGEMENT
Developing and Implementing BCM Response
o n’ s
BCM needs to be embedded in the corporate culture or it becomes overlooked, forgotten or taken for granted 2 The Good Practice Guide to Business Continuity
on a formal policy with defined responsibilities and processes, all documented as auditable evidence. Subsequently it will provide the impetus to promote, maintain and assure the implemented programme.
BCM programme management is first concerned with managing the introduction and maintenance of business continuity principles into the organisation. It should be based
Managing the Programme
in d d
The British Standard, BS 25999-1, introduced a life cycle model of a Business Continuity Management (BCM) programme. The model begins with a setting-up procedure and then becomes an iterative process in four areas. BCM needs to be embedded in the corporate culture or it becomes overlooked, forgotten or taken for granted. If this happens, it will lack buy-in and essential support from senior management in terms of funding, resources, exercises, etc. The table (right) gives a more detailed overview of the key stages of the life cycle.
re Emb e
The BCM life cycle
BCM programme management requires: ■ A team to manage the programme with the authority to define and implement policies and standards, and influence the prioritisation of business continuity activities. The team must operate with the board’s support and endorsement, otherwise essential support is unlikely to be available. ■ Policies, standards and guidelines that define the framework of the programme. The BCM policy is a document, issued by senior management, that communicates the organisation’s
BCM life cycle – the key stages Life cycle stage
BCM programme management
Establish management organisation
• Committee structure and project staffing • BCM policy • Standards and guidelines
Understanding the organisation
Business impact analysis Risk assessment Continuity requirements analysis
• Product and service exposure map showing types of exposure causing operational disruption (see, for example, Table 1) • Maximum tolerable period of disruption and recovery time objective for each operation • Prioritised risks that could cause operational disruption, (see, for example, Table 2) • Recovery point objective and matrix showing minimum resources to maintain each operation (see, for example, Table 3)
Determining BC strategy
Identify countermeasures in order to achieve resumption of operations
Recovery strategies for each operation (see, for example, Table 4)
Developing and implementing a BCM response
Identify detailed actions necessary and resources required to manage an interruption and maintain effective communications with all affected parties
• Incident management plan for notification, escalation and management of an incident (see, for example, Table 5) • BCP to resume operations within a predefined timescale (see, for example, Table 6) • Activity resumption plan to resume individual activities (see, for example, Table 7)
Exercising, maintaining and reviewing
Establish a framework and organisation to support oversight, evaluation maintenance and testing of BC arrangements
BCP testing document (see, for example, Table 8)
Embedding BCM in the organisation’s culture
Ongoing initiatives to: • provide access to details of BC arrangements, • create quick reference resources and materials, • implement an enforceable policy, and • measure levels of awareness
Regular communication programme
BCM framework, together with the responsibilities and expectations of those involved with managing and maintaining the organisation’s business continuity arrangements. The policy sets out what needs to be done and by whom. Typically it would cover: ■ Corporate business continuity organisation and
responsibilities: – Senior management team – Steering committee – Business continuity co-ordinators ■ Criteria to determine which parts of the organisation will need plans ■ Requirements for review and exercising ■ Requirements for awareness
and training ■ Audit review and reporting ■ Requirements for record
keeping. Standards and guidelines would include: ■ Templates to provide a consistent format ■ Guidelines on key activities and template completion. The Good Practice Guide to Business Continuity 3
Understanding the organisation To begin the BCM life cycle you must understand the organisation within which the strategy is to be implemented. Three principal tools are used in this context: Business Impact Analysis (BIA) Is a means of identifying, quantifying and qualifying the consequences of a loss, interruption or disruption of business activities over time. A BIA can be used at any level on any activity in the organisation. Risk Assessment (RA) Estimates the likelihood of loss, interruption or disruption from known threats. Continuity Requirements Analysis (CRA) Assesses the resources required for a resumption of activities.
maximum extent over which a disruption is considered. This could be determined by geographical considerations, regulations or statutes, products, markets or specific customer requirements.
Business Impact Analysis (BIA)
BIA methods Collecting information from staff responsible for core business activities and their dependencies aids the choice of continuity strategies. Collection methods include: ■ Workshops Provide rapid results and engagement with the BCM programme ■ Questionnaires Give a lot of data although the quality varies ■ Interviews Offer good information but are timeconsuming.
Deciding the scope of the analysis may limit the
Combinations of the above can give excellent results. A standard reporting format will improve the consistency of recording and analysing information across multiple functions. The types of questions and the objectives are the same whichever approach is chosen. They include: ■ Location of activities ■ The impact of losing the activity ■ How long the organisation
A BIA needs the following information: ■ What resources and services are critical to the core business activities ■ The potential impact of a disruption to the provision of those resources and services ■ The stage at which, in terms of the duration of the disruption, the impact on the business would become unacceptable.
4 The Good Practice Guide to Business Continuity
can last without the activity ■ Timeframes for activity
resumption ■ Influences, such as peak
periods or regulatory reporting ■ What the alternatives are. Factors to consider include: ■ Volumes, eg calls per hour,
output on production line ■ Contractual, regulatory or
legal requirements ■ Key tools to achieving
continuity of the activity: buildings, processes, suppliers (how many, where and when) ■ People; staff (skill set), customers ■ Equipment; IT, telecommunications, manufacturing/industrial, plant ■ Data; paper and electronic ■ Dependencies; internal and external to the organisation ■ Public/media/brand implications The main outputs from a BIA are: ■ The Maximum Tolerable
period of Disruption (MTPD), leading to the recovery time objective (RTO) – the timescale within which a function must be restored to enable continuity of the business to be maintained or resumed.
Table 1 Product and services exposure map Financial MTPD
Vision Opticals – Direct to customer
Vision Opticals – Wholesale
Opticals – Export
Solar Opticals – Techstrap
Solar Opticals – OneVision
Legal contract MTPD
None 3 months
■ Recovery Point Objective
(RPO) – the condition to which the situation is to be restored to enable business activities to resume effectively. The output from the first stage
14 days ETC
of the BIA process would look similar to the information shown in Table 1. The main products of the company have been listed vertically; below each are broad sub-headings
of their required resources and services. For each, the MTPD has been defined before exposure to a variety of business continuity concerns such as financial and reputation. The The Good Practice Guide to Business Continuity 5
person responsible for recovery management is also identified. Several products have a MTPD of 14 days before there is a risk to the company’s reputation. Therefore the company must focus on RTOs for these which provide a minimum level of acceptable service, and the RPO within this timeframe to avoid damaging its customer relationships. The RTO in Table 1 is 12 days in order to give some margin.
Risk Assessment (RA)
In the BCM context, RA highlights specific threats that could cause a significant business interruption to the broad categories of resources and services identified as most crucial. In large or complex organisations it is desirable to carry out the exercise in manageable sections. The RA can be used to inform the decision about where to concentrate BIA efforts. The objective is to: ■ identify internal and external threats that could cause disruption and to assess their probability and impact, ■ prioritise those threats according to an agreed formula, and; ■ supply input to a risk management action plan The key stages in an RA are: ■ Agree a scoring system for 6 The Good Practice Guide to Business Continuity
impacts and probabilities with the project sponsor ■ Calculate a risk from each threat using the list of vulnerabilities from the BIA ■ Prioritise these risks, taking account of the ability to control them ■ Obtain the sponsor’s approval and sign-off on these risk priorities ■ Review existing control strategies, noting where the risk level is out of step with the current strategies for that threat ■ Consider appropriate measures to: – avoid the risk, eg, remove the cause of the threat, – reduce the risk, eg, introduce further controls, – transfer the risk, eg, through insurance (but note that although insurance can provide financial compensation, it may not provide cover for the full expense of the incident or damage), and – accept the risk, eg, low impact or probability. Ensure planned risk measures do not increase other risks. For example, outsourcing may decrease some types of risk but increase others. The outcomes from an RA include the identification and documentation of: ■ single points of failure,
DOs and DON’Ts o ensure that business D interruption risks are expressed in categories such as reputation, contractual/ legal obligations, regulatory compliance and financial impact Do ensure that the MTPD and RTO thresholds have been considered for all of the above risk categories Do ensure that interruption threats at different stages in the business cycle have been fully enumerated Do ensure you have documented the outcome of the “Understand the Organisation” activities Don’t get bogged down in unnecessary detail
■ prioritised list of threats to
the organisation or specific business processes, ■ input to the risk control management strategy and action plan to address the risks, and ■ documented acceptance of identified risks that are not to be addressed. This activity should result in an understanding of: ■ how and why an incident could have an adverse impact on your business, ■ time thresholds for key activities that must be re-established, and ■ the internal and external dependencies they rely on.
Table 2 Suggested prioritised risks
Maintain good staff links
Robust HR policy
Install backup systems
Lack of spares
Stock essential spares
Install physical access controls
IT Disaster Recovery plan
Virus infected IT equipment
Install security software
Contract private transport
Quality control procedures
Pandemic among staff
Loss of utilities
It should be remembered that: ■ It is impossible to identify all threats ■ estimates of probability are only estimates ■ impacts increase over time at different rates ■ numeric scales may distort the perceived impact of minor events. Unacceptable concentrations of risk or “single points of
failure” should be brought to the attention of the business continuity sponsor with options for addressing the issue. The decision to avoid, reduce, transfer or accept the risk should be formally documented and signed off (see Table 2).
Continuity Requirements Analysis (CRA)
The next step is the CRA. The aim is to quantify the resources (eg, people, technology, telephony) that are required over time to resume and continue business activities to a satisfactory level. In other words, to operate at an acceptable level, the RPO, within an acceptable time, RTO. This The Good Practice Guide to Business Continuity 7
is usually done simultaneously with the BIA. Its purpose is to: ■ provide resource information to develop the recovery strategy to support agreed service levels, and ■ identify resource requirements resulting from dependencies between internal activities and external suppliers. It is important to explore whether systems must be recovered to the status they had when the failure occurred. The RPO for IT systems will be derived from the information restoration needs. The RPO is sometimes seen as “the amount of data we could afford to lose”. It is also necessary to take account of additional activities
generated by the interruption and clearing of backlogs. For example, a call centre may have to cope with extra calls following an interruption. This information feeds into the business continuity strategy. Resource requirements help us to evaluate alternative recovery solutions in terms of capacity and performance. The dependencies would generally be mapped on a separate matrix (see Table 3), showing the product or service and the services, processes and resources that support it. Typically, there are six main areas of dependence: ■ People, including partners, customers and contractors, to provide skills, knowledge
and manpower ■ Premises, to provide a working
environment, accommodating equipment and stock ■ Equipment to perform specialised tasks ■ Technology to communicate and to store, manipulate and present data ■ Supplies for manufacturing processes ■ Stock to fulfil orders. All activities depend on such “enablers” and will require them to be available within a given timeframe to avoid the associated risk exposures. In Table 3, one of the products identified on the BIA has been analysed to reveal its dependencies.
Table 3 Matrix of resource requirements RTO: Activity/Product
Vision Opticals – Direct to customer, third party products RPO: Dependencies People
1,000 m2 office 10,000 m2 warehouse
Racking Packing Fork lifts
ERP Email File server
5,000 units on hand
5,000 m2 warehouse
Shrink wrapping equipment to process 2,000 units per day
Five users with server access within 24 hours
2,000 units to handle pending delivery
8 The Good Practice Guide to Business Continuity
Determining strategy In the BIA, the MTPD for key activities will have been determined, together with an RTO and RPO for each of those activities. The BCM strategy sets out an appropriate approach to recovering each activity. It is the selection of a goal (eg, “If we lose access to building XX, we will relocate staff to YY”) that needs to identify, in general terms, how many staff, what skills and what resources we might need to have available at the chosen locations, as well as any necessary travel arrangements. The BCM strategy describes what has to be done, not how it has to be done. It is therefore the selection of a high-level response such as: ■ Replicate and restore Keep copies in case the originals are lost or damaged (most IT recovery plans are based on this concept) ■ Repair Remedial work may be the quickest method of recovering key resources ■ Replace If supply is plentiful then key resources can be replaced quickly ■ Reciprocity Arrange to borrow another organisation’s facilities ■ Relocate Move the workforce and workload temporarily to another location ■ Workaround Temporarily
adopt an alternative approach to a process ■ Suspend Adjourn the activity until normal service is restored. Different activities require different solutions. Strategy selection is influenced by practicalities such as the cost of implementation and maintenance. Transferring staff and operations takes time and effort. Normally, a fast and seamless recovery entails a more costly solution. Therefore, it is important to ensure that realistic RTOs and RPOs are set. Is it essential to recover systems to the status they had when the failure occurred or, for example, will restoring yesterday’s back-ups be sufficient? There are three main aspects to setting the BCM strategy to achieve the agreed RTO: ■ Selecting the tactics for continuing the delivery of products and services ■ Consolidating the resource requirements ■ Sourcing these requirements. The various options must be fully understood before selecting the appropriate tactics.
Activity continuity strategies For each activity, the most
appropriate tactics to meet the RTO must be selected based on cost, guarantees, additional benefits and other factors. Agreements may vary from verbal promises through to contractually committed service levels. The shorter the RTO, the more important the reliability of the delivery becomes. People Some of the following techniques should be considered: ■ Process mapping Allowing staff to undertake unfamiliar roles ■ Multi-skill training Of individuals ■ Cross-training of skills Across a number of individuals ■ Succession planning. Additional skills may arise from permanent or occasional use of third-party support. Alternatively, an inventory can be made of staff skills not used in existing roles. This might include previous experience in other roles – first-aid training, salvage or rescue experience or emergency management skills. Many stakeholders (including customers, partners and contractors) may be affected by an incident. In a major fire at your site contractors may be injured, local residents evacuated and local businesses The Good Practice Guide to Business Continuity 9
closed for safety reasons or because of reduced trade. The organisation’s level of responsibility (both legal and moral) for these groups should be understood. You should ensure various stakeholders’ needs are satisfied or they may impede the recovery effort. For example, the local residents could press the local authorities to refuse you permission to rebuild on the site following a fire. For civil emergencies dialogue with local emergency responders may provide useful information, such as: ■ Recommendations for assembly points and evacuation routes ■ Notice of specific hazards in the vicinity ■ Likely position of any traffic cordons ■ Special access arrangements ■ Participation in exercises. The BC manager should be aware of threat reduction techniques, including:
■ Physical security where advice
can be sought from security professionals ■ Information security. ISO 27001, Information Security Management and ISO 17799, Code of Practice for information security management, provide useful guidelines. Premises The RTO is the principal determinant of worksite continuity tactics. Once the RTO parameter has been satisfied, cost and availability will guide the choice of tactics. Premises tactics include: ■ Do nothing This may be acceptable for the least urgent activities identified in the BIA. Where the RTO exceeds a few months it allows time for buildings to be found and utilities installed post incident, all with minimal planning and preparation. ■ Relocate your staff Move up Use existing accommodation such as a training facility or
The Business Continuity Manager should be aware of threat reduction techniques 10 The Good Practice Guide to Business Continuity
canteen to provide recovery space, or increase office density. This needs planning and preparation. Displacement High priority activity personnel could temporarily displace some of those who are performing less urgent business processes. But beware of unmanageable backlogs. Remote working This includes “working from home” and from other non-corporate locations such as hotels. Reciprocal agreements Great care must be taken when establishing this type of agreement. It requires contracted regular testing. ■ Use third-party premises Third-party alternative site arrangements may be considered if they meet the RTO. Commercial services include fixed, mobile and prefabricated premises. Dedicated work areas provide exclusive use of the accommodation. “Syndicated” or “Subscription” options offer access, provided the accommodation is not already in use. This can be on a first come, first served or an equitable share basis whereby resources are allocated in proportion to the subscription. ■ Use diverse location tactics This option moves the activity
and not the staff via dual-site operations or continuous availability solutions. In the event of an interruption at one site the business activities are transferred to alternative locations where staff and facilities are already prepared to handle it. Equipment With uninterruptible power supply (UPS) or back-up generators, some risks are acceptable. Risk reduction can use monitoring systems to warn against utility or equipment failures and destructive threats, eg, sprinkler and fire suppression systems in buildings with a high loading of flammable materials or expensive equipment. Possible recovery techniques to consider are: ■ Maintenance contracts, preferably with local firms ■ Salvage engineers can often restore equipment after damage by fire or water ■ Asset restoration specialists can often minimise damage after fire and flood to equipment, buildings and papers, and they may offer useful advice, as well as being available on request ■ Use of local subcontractors or competitors with similar equipment.
Technology The loss of a data centre can have a major financial impact on a business. There are several options, including in-house resilience, recovery or third-party support. It is a complex and costly area in which technical expertise and a sound working knowledge of the critical systems are invaluable. The IT department, or the equivalent service provider, should investigate and recommend appropriate recovery options which include: ■ Ship-in contracts for IT and specialist equipment, including telephone systems. Terms of contract vary from ‘best efforts’ to guaranteed delivery. ■ Call redirection for telephony Most telecommunications operators offer solutions for redirecting calls from one site to another. The logistics of handling redirected calls must be addressed. ■ Convergence of telephony and data networks, VoIP (Voice over IP): This creates new opportunities and issues, since telephones and email are often used as alternatives if one fails; these issues need to be assessed and the risks and impacts thoroughly analysed. Since business continuity
incidents often involve denial of access, back-up copies of records should be kept at another location. There is no ‘correct’ separation distance, but one must consider denial of access factors such as loss of power or transport disruption. There may also be limits on the distances staff would be prepared to travel at short notice. Note that after an incident the regulatory, statutory or business standards for information management still apply. Key issues to address are: – Confidentiality – Integrity – Availability – Currency Supplies One must determine what supplies (including equipment) are needed, and how quickly, to meet the RTO of each activity. Replacement strategies include: ■ Storing additional supplies at another location. If the supplies degrade over time they should be rotated with regular stock ■ Changes in the core process may require stored supplies to be changed (eg, headed stationery may need new address or contact details) ■ Delivery of stock at short notice The Good Practice Guide to Business Continuity 11
Table 4 Recovery strategy for third party products Activity/Product
Vision Opticals – Direct to customer, third party products
1,000 m2 office
10,000 m2 warehouse
Five users with
equipment to process
access to servers
2,000 units per day
in 24 hours
5,000 m2 warehouse
2,000 units to
Recovery strategy Replicate/restore
■ Diversion of just-in-time
■ Holding older equipment as
deliveries to other locations ■ Holding materials at warehouses or shipping sites ■ Transferring sub-assembly operations to new locations
emergency replacements or for spares ■ Specific risk mitigation strategies are needed for unique or long lead time
12 The Good Practice Guide to Business Continuity
equipment: replacing outdated equipment with long lead time updated versions may impede recovery ■ Geographical diversity of processes. Make sure that
You should ensure that various stakeholders’ needs are satisfied or they may impede recovery the RTO can be met by the alternative location. Techniques for reducing the impact of supply interruptions include: ■ Dual or multi-sourcing ■ Inspection of supplier’s business continuity arrangements. This may include a requirement for certification to BS 25999 ■ Holding inventories off-site, at another site or at the supplier’s site ■ Penalty clauses on supply contracts (no protection against bankruptcy) ■ Pre-acceptance of alternative suppliers.
Resource level consolidation
The objective of resource level consolidation is to understand and locate the resources necessary to achieve the RTO and RPO. It is necessary for two reasons: ■ Co-ordinating the acquisition and utilisation of resources
can prevent conflicts, such as when more than one operation expects to use the same alternative workspace ■ Bulk purchasing may be more efficient and cost-effective. Resource consolidation includes the following stages: ■ Aggregating resource requirements from the CRA ■ Evaluating each option against the RTO and RPO and providing executive management with a strategic evaluation ■ Obtaining sign-off for financial and resource provision ■ Creating project and action plans ■ Applying the agreed strategy.
resource provisions. In Table 4 we have addressed recovery strategies for the thirdparty products, part of a direct to customer business. The following issues were considered: ■ We are going to relocate 10 staff. What skills are required, where will they go, how will they get there and what resources will they need? ■ We will need to find alternative warehousing facilities. Who will do that and what information will they need to source this? ■ We are going to replace any damaged equipment. Who will do that and identify potential suppliers in advance? ■ We will need to identify alternative suppliers. Who are they and who will contact them? ■ We may need to replace lost stock, so we are looking at a reciprocal fulfilment arrangement with another firm to supply products while we recover our operation.
The result is a set of recovery resources and services for the restoration of business systems within their RTO and RPO. Executive management must make a strategic evaluation and sign off the strategy, together with the requisite financial and The Good Practice Guide to Business Continuity 13
Developing a response This part of the process concerns the most detailed planning documents, which are also likely to be the most fluid. The aim is to identify the actions and resources required to manage an interruption, whatever its cause. Key requirements for an effective response are: ■ A clear procedure for escalation and incident control ■ Communication with stakeholders ■ Business continuity plans (BCPs) to resume interrupted activities. A BCP is a set of guidelines that require interpretation by the business continuity team (BCT) according to circumstances. It is not possible – or even desirable – to predict what might occur. The Incident Management Plan (IMP) defines how strategic issues would be addressed and managed by the executive. This may include incidents where there is no physical disruption, right up to a national emergency. Media response to any incident is usually managed through an IMP. At a tactical level the BCPs address business disruption from the initial response through to the point at which normal business operations 14 The Good Practice Guide to Business Continuity
are resumed. Based on the BCM strategy, they provide procedures and processes for the BCT, allocating roles and responsibilities. They must also give details regarding liaison with external agencies such as recovery services’ suppliers and emergency services. If the event falls outside the scope of the BCP, the situation should be escalated to the senior incident management team (IMT). Operationally, Activity Resumption Plans (ARPs) provide detailed guidelines for the recovery teams to implement the resumption of normal business functions and support services.
Incident Management Plan (IMP)
The IMP provides a framework for managing any incident. The plan should contain initial prompts for action, such as a list of stakeholders to be contacted. The BIA will offer useful pointers to potential impacts which may need to be managed. Wherever a BCM response is required the IMT should be alerted. If no IMP exists it may be useful to run an exercise with the senior management team so that the many requirements become apparent (such as the
need for a plan). All incidents differ and so the IMP is a framework of components and resources that may be useful, rather than a rigid procedure. The roles of the team and specific individuals should be documented. Deputies should be identified for each role. Responsibilities may include: ■ Managing communications (see section below) ■ Ensuring IMTs and BCTs are properly staffed ■ Liaising with the BCT to agree the resumption timetable ■ Approving significant expenditure ■ Monitoring recovery progress and personnel performance ■ Identifying and maximising opportunities or advantages arising from the incident ■ Looking at the strategic impact, which may require significant changes in direction or open up new opportunities ■ Maintaining a decision log throughout the incident. Clear invocation criteria should be set out, and the persons able to initiate the call-out decided. This should encourage action where there is doubt; it is easier to stand down a team than to activate them once the incident is out of control.
The activation procedure should be documented so decisions are not delayed. A number of alternative meeting locations should be identified and, on invocation, the first person notified should select the most suitable, based on current information. At least two locations should be predefined to act as an incident management centre (control room or command centre). One is likely to be on-site where the senior management team are based but the other should be off-site. The off-site location does not have to be owned by the organisation. By prior arrangement, a 24-hour hotel may provide all the facilities required. Consideration should be given to: ■ Communication: inbound and outbound ■ Recording events, actions and issues ■ Monitoring the media ■ Access control. The following resources should be considered: ■ Whiteboards or flip charts (and pens that work) ■ Telephones, including an outgoing line and a recording facility ■ Hotline/helpline facility ■ TV and radio
All BCM strategies should take into account welfare issues in an incident. Staff are more likely to co-operate if their needs are met ■S tationery ■ A means of logging all actions ■ Refreshments and nearby or
on-site sleeping facilities ■ A locked trunk (often called
a ‘battle-box’ or ‘recovery box’), in which hardware and information can be kept offsite at the alternative location. All BCM strategies should take into account welfare issues during an incident and the recovery. Staff are more likely to co-operate if their welfare needs are met. Issues to consider include individual special needs during prolonged stay-in periods. An IMP should be succinct and clear because it will be used under pressure in stressful circumstances. The outcomes of the process include: ■ An IMP ■ An incident communications plan
■ Demonstration of
preparedness ■ Compliance with statutory,
regulatory and ethical requirements. The IMP should be documented. The template in Table 5 gives an example of a suitable format. Major incidents requiring an IMP can vary from those which threaten the continued existence of an organisation but have little impact outside of it, to those which, like the Buncefield oil depot explosion, can become a national emergency. The principles to be applied to the latter are exactly the same but there is increased emphasis on health and safety and liaison with emergency services. These are features which may have little or no prominence in a purely internal issue such as the failure in a supply chain. The Good Practice Guide to Business Continuity 15
Table 5 Incident Management Plan ■ BCPs cover the management
Incident management framework Team members and responsibilities Role
Site evacuation Personnel accountancy Communication (staff & others)
of common resources such as facilities, information technology, finance and personnel – in essence the organisation’s infrastructure ■ ARPs focus on the recovery of specific activities, often customer facing, such as order taking, customer helpdesks or claims handling.
Emergency services liaison
Both types of plan have similar considerations and structure dealing with what has to be done by whom, when, where and how.
Telephone reception for next of kin Media & external communication Transport assistance
Business Continuity Plans (BCPs)
Incident management centre locations:
Incident management centre access arrangements: Incident management centre resources Location
Appendix 1 describes the incident response structure employed by the UK emergency services. The model is suitable for organisations with the 16 The Good Practice Guide to Business Continuity
Other Office Materials/Equipment
potential for major health and safety incidents. The BCPs and the ARPs, are similar in structure, but focus on different aspects of recovery:
All BCPs should be ‘action orientated’, easy to reference at speed and exclude superfluous information. The BCP should document assumptions about the maximum scale of the incident. If these are exceeded then this should be escalated to the IMT. Key steps in developing a BCP are: ■ Appoint an owner for the BCP(s) ■ Define objectives and scope based on the BCM policy and strategy ■ Decide the structure, format, components and content ■ Gather information to populate the plan and prepare a draft plan
Table 6 Business Continuity Plan (BCP) Business Continuity Plan Location:
Recovery management centre:
Alternative Location: Contact list Name
■ Circulate the draft plan for
consultation and review ■ Test/exercise the plan ■ Gather feedback from consultation and amend the plan as appropriate. All BCPs should be modular in design so that separate sections can be supplied to teams on a need-to-know basis. Each section could be printed on different coloured paper to provide ease of use and reference. Dynamic information, such as contact details, should be in appendices which can be amended easily, with job titles rather than names in the main body of the document. Software products are available to help you build and maintain a BCP. However, normal office software may well suffice and does not require
special training. Customised software, though, may prove helpful in plan maintenance. Business Continuity Plan – the contents ■ Basic information • Document owner and maintainer • Team members and their roles along with named deputies Responsibilities may include: – Liaising with emergency services – Obtaining information from response teams – Reporting to the IMT – Mobilising suppliers of salvage and recovery services – Allocating available resources to recovery teams – Invocation/mobilisation instructions. There should be a number of
possible meeting locations, favouring those with the required resources. On invocation the first person notified should identify the most suitable meeting place, plus a fallback based on current information. ■ Actions – Responding to an invocation – Decision making – Mobilising resources – Initiating activity recovery – Receiving information from other teams – Reporting status to the IMT. ■ Resource requirements – Personnel – Facilities and supplies – Technology, communications and data – Security – Transportation and logistics – Welfare requirements The Good Practice Guide to Business Continuity 17
– Emergency cash and payments – Any additional resource requirements for specific activities – Contact information to access required resources. ■ Vital information – Customer information – Contact details – Legal documents, such as contracts and insurance policies – Service Level Agreements. ■ Forms and annexes – Checklists to assist recovery. A function-specific BCP generally has two main sections: – A list of key contacts and team members identifying the roles and responsibilities of each – An outline of the specific actions necessary for recovery. Examples in Table 6 provide a framework within which ARPs can operate. The BCP should be signed off by the executive.
Activity Resumption Plans (ARPs) Introduction ARPs cover the response by a department or business unit to an incident. Examples are: ■ Procedures to assist the IMT, led by the facilities department, to deal with
18 The Good Practice Guide to Business Continuity
DOs and DON’Ts o remember that the BC D response is a framework for a stressful situation Do ensure key roles and responsibilities are clearly defined Do check that staff holding BC response roles have been appropriately trained Do have a “quick reference” guide readily available summarising key information
the incident and its physical impact ■ An HR response to welfare issues ■ A business department (eg, finance department) plan to resume its functions within a predefined timescale ■ An IT department plan for the resumption of IT services to the business. The complexity and urgency of the business processes may determine whether one plan covers a single activity or a department with several activities. Process Key steps in ARP development and planning include: ■ Making someone responsible for overall plan development with representatives from each operational unit
■ Providing a template to
encourage standardisation but allow individual variations where appropriate ■ Ensuring that business units nominate individuals to fulfil roles within their plans ■ Circulating the draft plan for consultation, review and challenge within and, where necessary, outside the department ■ Validating and amending the plan as appropriate through a unit test ■ Consolidating the various business unit plans and reviewing for consistency ■ Documenting connections with the BCP and between the ARPs for each business unit ■ Conducting a resource requirements analysis across all plans to define the resource requirements for support functions. Methods Development of an ARP is similar to that for other plans. Specific ARPs may include the following: ■ Facilities ■ Staff welfare plans ■ Business unit resumption ■ IT disaster recovery. The above plans may include information on: ■ Evacuation and stay-in plans
Table 7 Activity Resumption Plan (ARP) Business Recovery – Finance department responsibilities Action
Outline here the actions that will need to be performed to put the chosen recovery plan into effect
Who will be responsible for performing these actions
Who will deputise if the primary responsibility holder is unavailable?
Support team Identify the support team(s) who will be responsible for these particular actions
Assess financial exposures related to legal and financial issues
1. Potential civil liabilities 2. Compliance with industry-specific regulations 3. Extent of financial penalties under Service Level Agreements
1. Establish alternate means of accessing bank account balances and movements 2. Establish alternate means of making payments: • Smart cards, ‘dongles’, passwords • Authentication software/devices installed on alternate PCs 3. Payroll 4. Activating company credit cards 5. Emergency limits for company credit cards 6. Emergency overdraft/funding considerations
Emergency credit lines, renegotiating supplier payment terms
Liaison with insurers and loss adjusters
■E mergency services liaison ■ Dispersal of staff and
visitors ■ Salvage resources and
contracted assistance ■H R and welfare issues ■ Procedures for contacting and
accounting for staff ■ Counselling and rehabilitation
resources ■ Escalation criteria and
procedures ■C ontacting team members ■ Resumption plans for each
process: – Staff numbers – Key contacts –P rocedure for activity resumption – Activity priorities – Special procedures – Work in progress issues – Consumables required Outcomes and deliverables Outcomes of planning include: ■ An ARP for each business activity or department ■ Criteria for escalating issues
to the BCT ■ Clearly defined BCM roles
within each department. Table 7 is a simple example of some of the activities needed to recover financial management after a major incident.
The Good Practice Guide to Customer Care 19
Exercise, maintain, review All BC documents should be reviewed and the plans exercised at least annually. Reviews and exercises should also be carried out whenever there is a significant change to the business processes or environment. No plan is reliable if it has not been exercised, nor can the personnel involved be relied upon until they have had some form of practice. BC exercises are crucial because they develop the necessary competence, confidence and knowledge to act. Five stages of exercise are recognised, as detailed in Table 8. The normal progression would be to start at the bottom
DOs and DON’Ts o include requirements for D exercising, maintaining and reviewing in the BC policy Do ensure compliance is subject to independent assessment Do ensure there is regular confirmation of roles, contact details and availability of BC response resources Do ensure plans are subject to regular exercising, at least annually Do ensure a formal issues log is created, maintained and reviewed
with a desktop exercise and work up towards the full-scale exercise at the top. (Most organisations limit themselves
Table 8 Types of exercise Stage
Style and focus
Develop the capability Demonstrate competence
Simulation and realism Scenario based
Command post exercise
Acquire the skills Develop the techniques
Co-ordination and communication Scenario based
Practical experience Test the components
Participation and interpretation Consequence based
Challenge the assumptions Verify the dependencies
Review and discussion Effect based
Validate the logic Spot the weaknesses
Introduction and familiarisation Plan based
20 The Good Practice Guide to Business Continuity
to stages 1-4.) Concepts and assumptions For any test to be ‘useful’, it needs to meet the following criteria: Stringency, realism and minimal exposure to additional risk. This may require some degree of compromise. ■ Stringency Ideally, tests should be as realistic as possible, however, it may not be practical to run certain tests without altering ‘live’ procedures. This applies especially to technical testing. ■ Realism This ensures that the audience engages in the event and ultimately gains more from it. ■ Minimal exposure Testing may increase exposure to risk. The designer of the test should ensure that the risk and impact of disruption is minimised. The business must understand and accept the risk. Process All tests must be planned, the results captured and any remedial work monitored for successful implementation. A technical test may include the following steps: ■ Agree the scope, objectives and budget ■ Devise a simple scenario and a set of assumptions to put the test in context
Table 9 Business Continuity Plan testing document Incident discovery and notification
Remedial action requried
The right people were notified/alerted effectively The required emergency services were identified and notified in a timely manner Effectiveness of assembling the Incident Management Team Effectiveness of locating and communicating with staff Business recovery Recovery management organisation Working accommodation: relocated staff Staff working from home Insurance and disaster restoration services liaison Customer management activities established Handling and prioritisation of customer commitments performed effectively Telephony/voice communications successfully re-established IT systems fully and effectively restored Locating replacements for damaged or destroyed equipment/stock/raw materials Capacity and resources available at alternative working location Arrangements for relocating staff Order management/fulfilment resumption
■ Conduct the test and record
the results ■ Assess and report the results ■ Address any issues raised. A scenario exercise will require similar steps, with some additional ones, such as: ■ Prepare a realistic and suitably detailed scenario ■ Brief observers and prepare questionnaires to capture lessons learned ■ Pre-exercise information and
briefing of participants ■ Debrief participants after the
exercise ■ Evaluate results and
prepare a report with recommendations. ■ Circulate report to participants and senior management.
scenario exercises include: – Facilitators – Suppliers of specialist resources, services or products – Communications and PR – Subject experts – Outsourced activity providers ■ Outcomes and deliverables
Methods ■ Participants Possible participants, in addition to staff, in desktop or
The outcomes of the BC exercising process include: – Validation of the BC strategies – Familiarisation of participants The Good Practice Guide to Business Continuity 21
No plan is reliable if it has not been exercised, nor can the personnel involved be relied upon until they have had practice in responding to an incident – Testing of the plan(s) and the supporting infrastructure – A post exercise report – Increased awareness of BC – An opportunity to improve preparedness. Table 9 gives an example of part of a BCP testing document outlining the assurances required, whether they were
22 The Good Practice Guide to Business Continuity
tested and where remedial work is required. This would normally form part of a wider report and follow-up process where the results of the test were communicated and responsibilities for remedial work identified. Maintenance A BCM programme must
be established to ensure all relevant stakeholders have the current and relevant parts of the BCP. Review There are several ways to review a BCM programme including: ■ Internal audit ■ External audit ■ Self-assessment
DOs and DON’Ts o make sure staff can easily D find information relating to the plan and the structure of the supporting BCM organisation Do remind staff regularly about BCM arrangements Do ensure BC arrangements are on board meeting agendas at least once a year
Embedding BCM BCM is a holistic management process which identifies risks that may threaten an organisation. It provides a framework for building resilience and the capability for an effective response to safeguard the interests of its key stakeholders, reputation, brand and value creating activities. To be successful it has to be seen as a part of normal business management, regardless of the organisation’s size or sector. At all points in the BCM process, opportunities exist to introduce and enhance an organisation’s BCM culture. Precisely how everybody is made aware of BC and its implications will depend to a large extent on the existing culture and ways of communicating ideas. Three stages can be envisaged:
(i) Assessing BCM awareness and training needs Before planning and designing the components of an awareness campaign, it is critical to understand what level of awareness currently exists. Assessing awareness is just another aspect of “Understanding the Organisation” (see page 04) and the same techniques re: workshops, questionnaires and interviews can be used. These will identify the level of
training required. Is it in just the practicalities of your organisation or is an explanation of the basic concept required?
(ii) Developing BCM in the organisation’s culture This will build on the training needs identified above and lead to the design and delivery of a programme of education, training and awareness, which must:
– explain the need for business continuity plans within the organisation, – provide access to details of the organisation’s specific business continuity arrangements, – create quick reference resources and materials, and – implement an enforceable policy. (iii) Monitoring cultural change The awareness assessment, stage (i), should be maintained as an ongoing task to identify any further requirements for education and training. The importance of a common understanding of the value of BCP should not be underestimated. It ranges from boardlevel support to staff commitment to exercises. The value will be clearly demonstrated in an incident.
The Good Practice Guide to Business Continuity 23
Appendix 1: Incident Response
All BCM strategies should 24 The Good Practice Guide to Business Continuity
Senior (incident) Management
Business Continuity Team
UK emergency services use a three-tier incident response structure (see Figure 1) with responsibilities and relationships. In an incident the three levels of involvement address different issues during the various phases of the event, as the following diagram (Figure 2) shows. Smaller organisations may elect for a single hands-on management group with both tactical and strategic responsibilities. However, it is still important that they address the strategic issues despite the pressing issues of a tactical response. For geographically diverse organisations a variety of models may be appropriate, perhaps with additional tiers beyond the three named above. For example: ■ A response team at each site backed up by a central BC team ■ A BC team at major sites with a central IMT ■ BCM at a national level with limited involvement from the international board unless global reputation is threatened.
UK emergency services incident response structure
Incident Response & Business Unit Resumption Teams
Figure 1. Three-tier incident response structure
Overall Objective: Back-to-Normal as soon as possible
Timeline Within minutes to days: Contact staff, customers, suppliers etc. Recover critical processes; Rebuild lost work-in-progress
Business Continuity Within minutes to hours: Account for people; Deal with casualties; Contain damage; Assess damage; Invoke Business Continuity
Recovery / Resumption
Figure 2. Phases of an incident
Within weeks to months: Repair/replace damage; Relocate to permanent site Recover costs from insurers
recognise people issues but in major health and safety incidents they can be the dominating issue. During such an incident someone should assume responsibility for the activities listed in Table 5 (see page 16). Subsequently there may be additional needs, including: ■ Temporary accommodation ■ Counselling and rehabilitation services, perhaps within an employee health package ■ Welfare needs at alternative locations: – Refreshments – Personal safety and security – Transport and accessibility – Appropriate training on replacement equipment Someone should be appointed to liaise with the emergency services as they arrive on site and subsequently as required. The emergency services need to be advised of the whereabouts of any casualties, the status of the situation and any hazards they may encounter. While on site, the emergency services’ instructions take precedence over all others. When they depart, the organisation resumes responsibility for the site. The incident communications plan addresses communication with all stakeholders including:
When an incident gets into the public domain, effective communication plays a key role in protecting an organisation’s reputation ■ Staff, relatives, friends and
emergency contacts ■ Customers and suppliers ■ Shareholders, partners or owners ■ Informing and liaising with regulatory authorities (legal and compliance functions) ■ Issues relating to serious injuries or fatalities (with the emergency services) ■ Media: local and national newspapers, radio, TV, internet and other media Answers to the following questions need to be considered: ■ What are the messages? ■ Who will form the IMT? ■ What resources and facilities are available? ■ Are the IMT and spokespeople properly trained?
discontinuity gets into the public domain, effective communication plays a key role in protecting an organisation’s reputation. It is necessary to consider: ■ Ownership of the plan Everybody involved should agree beforehand about the who, how and what of communication. ■ Perception is reality Reputation is affected by perceptions ■ Act fast Reticence ruins reputations ■ Be as open as you legally and practically can Show you have nothing to hide ■ Show you care See it from your audiences’ point of view.
When an incident or business The Good Practice Guide to Business Continuity 25
Appendix 2: Glossary Glossary of Terms
Activity Resumption Plan (ARP)
Detailed guidelines for operational recovery teams to implement the resumption of normal business functions and services.
A reserve copy of information which is deemed to be ‘Essential for Recovery’, including data and documentation.
Business Continuity (BC)
The capability to continue essential business functions under all circumstances.
Business Continuity Institute (BCI)
The world’s leading membership organisation for BC practitioners.
Business Continuity Management (BCM)
Those management disciplines, processes and techniques which seek to provide the means for continuous operation of the essential business functions.
Business Continuity Plan (BCP)
A set of procedures and processes to guide the Business Continuity Team in the tactical management of an incident.
Business Continuity Team (BCT)
Staff responsible for the tactical management of an incident.
Business Impact Analysis (BIA)
The process of identifying, and quantifying, the impacts on an enterprise of the effect of a incident, in both financial and non-financial terms.
Continuity Requirements Analysis (CRA)
An assessment of the resources required for a resumption of activities.
Any event which threatens or disrupts normal operations, or services, for sufficient time to affect significantly, or to cause failure of, the enterprise.
26 The Good Practice Guide to Business Continuity
Disaster Recovery (DR)
A term normally used to describe the process for restoration and recovery of IT equipment, functions and applications. Any event which may be, or may lead to, a disaster.
Incident Management Plan (IMP)
A framework document to guide the Incident Management Team in the strategic management any incident.
Incident Management Team (IMT)
Staff responsible for the strategic management of an incident.
Maximum Tolerable Period of Disruption (MTPD)
The maximum period of time for which the business can afford to be without a critical function or process.
Risk Assessment (RA)
An estimate of the likelihood of loss, interruption or disruption from known threats.
Recovery Point Objective (RPO)
The point in a process or function which must be restored to enable continuity of the business operation to be maintained, or achieved.
Recovery Time Objective (RTO)
The time scale within which a function or business unit must be restored, usually determined by means of a Business Impact Analysis.
The Good Practice Guide to Business Continuity 27
Further Information Further information can be found on the following websites: ■ The Business Continuity Institute (BCI) www.thebci.org The world’s leading membership organisation for BC practitioners. The BCI’s Good Practice Guidelines are available from its website. ■ Continuity Central www.continuitycentral.com A free source of news and information ■ NOAA (National Oceanic & Atmospheric Administration) www.noaa.gov Covers climate and weather patterns, including storm and hurricane forecasts ■ www.financialsector continuity.gov.uk Bank of England, HM Treasury and the FSA offer advice on BC in the financial sector ■ The Civil Contingencies Secretariat www.ukresilience.info The UK government body providing advice on BC and emergency management ■ See also: J Burtles, Principles and Practice of Business Continuity (ISBN 978-1-931332-39-8). Connecticut: Rothstein Associates, 2007 (www.rothstein.com/data/dr800.htm)
28 The Good Practice Guide to Business Continuity
The BIFM Good Practice Guide to Business Continuity British Institute of Facilities Management Number One Building, The Causeway Bishop’s Stortford, Hertfordshire CM23 2ER Tel: 0845 058 1356 Email: firstname.lastname@example.org Web: www.bifm.org.uk Publications Committee Chair: Dr Bob Anderson CBIFM Members: Stephen Bennett, Graham Briscoe, Cathy Hayward and Carolyn Knight Author: Jim Burtles, principal, Total Continuity Management and Steve Dance, managing partner, SDPL Solutions Reviewer: Jim Grafton on behalf of the Business Continuity Institute Series editor: Dr Bob Anderson CBIFM, chairman, BIFM Publications Committee This guide is available in different formats – for details call 020 7880 6229
Redactive Publishing Limited
17 Britton Street, London EC1M 5TP 020 7880 6200 Editorial Tel: 020 7880 6229 Email: email@example.com Editor: Cathy Hayward; Sub-editor: Annie Cree; Art editor: Dan Swainsbury; Picture editor: Sam Kesteven Advertising Tel: 020 7880 6209 Email: firstname.lastname@example.org Production Production manager: Jane Easterman Publishing Publishing director: Cathy Hayward © The British Institute of Facilities Management (BIFM) series of Good Practice Guides is published on behalf of the BIFM by Redactive Publishing Ltd (RPL), 17 Britton St, London EC1M 5TP. The guides do not necessarily reflect the views of BIFM nor should such opinions be relied upon as statements of fact. All rights reserved. This publication may not be reproduced, transmitted or stored in any print or electronic format, including but not limited to any online service, any database or any part of the internet, or in any other format in whole or in part in any media whatsoever, without the prior written permission of the publisher. While all due care is taken in writing and producing this Good Practice Guide, neither BIFM nor RPL accept any liability for the accuracy of the contents or any opinions expressed herein.
First published October 2010
Published on Nov 22, 2010
Published on Nov 22, 2010
The BIFM Good Practice Guide to... good practice guide no.15 revised nov 2010 retail price £10 Advertising Tel: 020 7880 6209 Email: sales@f...