by Gayle Mitcham, Assistant Vice President, Marsh Consulting.
Phase 1 – Preparedness Review
The first phase is planning and preparedness. This is a review of what you currently have in place and of the scope and objectives of the project, including which departments and locations need to be involved. Depending on the geographic diversity of your organization, you may be better positioned to approach the project one location at a time. Conversely, if all of the locations perform the same services, you may be able to complete the planning for one location and use it as a starting base for the plans for the other locations. Defining criticality is also an important part of this phase. Executive Management should be engaged in this task to provide the basis and guidance for what constitutes a critical service or process as you progress through the subsequent project phases. Involving Executive Management early in the project allows them to communicate their views on criticality and recovery priorities up front. It is also important to establish a Steering Committee to oversee and provide direction to the project team. Typically the Steering Committee is made up of 3-4 senior-level people who have overall knowledge of the organization’s recovery objectives. This group should also have a direct link to the Executive Management Team. Other tasks in this phase include a number of project management activities, such as developing a project plan and schedule.
Phase 2 – Business Impact Analysis
The Business Impact Analysis (BIA) determines the impact on the organization if it experiences an outage affecting critical processes and services. The gathering of impact data can be done in a number of different ways, with the output used to identify and prioritize the critical services and processes of the organization. The recommended approach is to hold a workshop with the department / functional / business unit leaders to review the criticality criteria and the data collection process. Each unit leader is then asked to complete a BIA questionnaire. The questionnaire is used to gather information about critical staffing, application software required, vital records, and workspace and equipment requirements. The questionnaire also determines how long the process or service can be down without severely impacting the organization. This information is used to determine the Recovery Time Objective (RTO) for the process or service. The data collected is also reviewed and assessed to ensure that linkages between processes are captured and that recovery requirements reflect the needs of the organization. Once all this data has been gathered and summarized, you are ready to move on to the Strategy Development phase.
Phase 3 – Strategy Development
Using the output from the Business Impact Analysis, strategy workshops are held to determine a recovery solution that will meet the needs of the organization and its critical services and processes. Possible solutions include the identification of recovery sites within the organization, redirecting the critical process or service to another internal location, or the identification of an external recovery location using the services of a third-party service provider. Each of the potential solutions is evaluated and costed in order to determine the most appropriate solution for the organization. Information Technology requirements are also addressed during the strategy phase. Critical business processes often rely on technology being available, and IT is responsible for ensuring that critical applications can be recovered to meet the business needs. If the business requires an application to be available immediately, it may be necessary for IT to recommend a more robust recovery plan for that application. Selected strategies for business recovery solutions and technology recovery are then presented to Executive Management for approval. A cost-benefit analysis should accompany the strategy recommendations.
Phase 4 – Plan Development
Once a recovery solution has been agreed upon, you are ready to develop the plan. The plan should include the following:
- Invocation criteria – when will the plan be invoked
- Decision making criteria – who has the authority to invoke the plan
- Business Continuity Team – who would be responsible for managing the recovery effort
- Recovery Teams – identification of the teams responsible for the technical recovery of the critical process or service
- Contact lists and call trees – who to call and how to call them
- Recovery Procedures – step-by-step task list of what needs to be done to recover the critical process or service, including workaround procedures for critical applications
- Recovery resource requirements – staffing, equipment, applications, vital records, dependencies, etc.
Once the plan is completed, it is important to ensure that a plan maintenance schedule is developed and implemented so that the plan remains current.
Phase 5 – Exercise
One way of ensuring that the plan is executable is to test it on a regular basis. This can be done by developing and documenting a typical scenario that may cause an outage for your critical services and processes. The plan is then walked through with the plan owner and key stakeholders, identifying how they would respond to the scenario as it evolves. The focus of the exercise should be on the communication elements, the interaction between groups, the assumptions used in procedural documentation, and the structure and usability of the documentation. Gaps and deficiencies are identified and documented, and following the exercise the plan is updated. Plan tests or exercises should be held at least annually.
Completed Business Continuity Plan
The completion of these project steps should ensure the development of an effective Business Continuity Plan for your organization. Going forward, plan maintenance should include the annual updating of the Business Impact Analysis to ensure that planning requirements have not changed.
This article has been produced from the CURIE Risk Management Newsletter with the permission of Gayle Mitcham, Assistant Vice President, Marsh Consulting.