Policies and Guidelines

Developing a Business Continuity Plan

Last Updated: April 15, 2011
Reviewed: January 11, 2010

Purpose

To achieve optimal efficiency and effective use of the technology in the workplace, a department must have a detailed Business Continuity Plan (BCP) to reestablish essential business functions in the event of a disaster. Thorough planning can potentially minimize:

  • Liability
  • Financial loss
  • Disruptions to the workplace
  • Loss of information resources (systems, networks, data)
  • Loss of access to facilities
  • Outage downtime
  • Loss of personnel

Scope

Departmental management, technology staff, and users.

Process Overview

A Business Continuity Plan (BCP) is a detailed manual with procedures, responsibilities, and critical information needed to execute a recovery from the loss of facilities and information resources due to a disaster.

Developing a BCP is a complex process involving detailed, comprehensive analysis that can essentially be broken down into three phases:

  • Phase I - Developing a Risk & Business Impact Analysis
  • Phase II - Developing the Recovery Plan
  • Phase III - Developing Strategies for Testing and Maintaining the Business Continuity and Recovery Plans

PHASE I - Developing a Risk & Business Impact Analysis

  1. Complete a Risk Assessment
  2. Complete a Business Impact Analysis (BIA) Questionnaire
    1. Answer questions
    2. Format report
    3. Identify priorities
    4. Determine resource dependencies
    5. Organize, tabulate and summarize data
    6. Read and understand the elements of the recovery strategy
      • Definitions and how they might apply
      • Concepts involved
      • Types of business recovery strategies
      • Comparisons of various types of strategies

PHASE II - Developing a Recovery Plan

  1. Consider the elements of a Recovery Plan
  2. Document incident response procedures
  3. Identify support function procedures
  4. Build appendices (attachments, activity, reports and logs, etc.)
  5. Build a glossary and footnotes

PHASE III - Developing Strategies for Testing and Maintaining the Business Continuity and Recovery Plans

  1. Identify applications/business functions or other aspects of the BCP that require testing and maintenance
    1. Define the goals and objectives of the test
      • Identify goals to achieve as a result of testing the plan.
      • For tests to be beneficial, develop objectives.
    2. Select testing method(s)
      • Select a testing method that is appropriate for the topic and level of complexity (i.e. Orientation/Walkthrough; Tabletop/Mini-drill; and Functional Exercise).
    3. Conduct exercises
      • Testing should be done with centralized coordination so unit interdependencies can be considered.
    4. Evaluate exercises
      • A successful exercise is one that reveals problems.
  2. Develop a strategy for maintaining the Recovery Plan
    • In addition to updating the plan from testing results, plans are also updated as a normal course of operations when changes in business, organization, staffing, processes, and technology require them.
    1. Create schedules and budgets for update and maintenance activities
    2. Consider using a software to assist in the maintenance process
    3. Establish review criteria
    4. Define program status, reporting, and audits
    5. Define plan distribution and security
    6. Establish a tentative date for the next exercise
      • The test cycle ensures that a full year does not elapse between exercises.
    7. Develop an annual schedule for updating the BCP

References

Procedures