CUMBRIA FIRE & RESCUE SERVICE PREVENTING PROTECTING RESPONDING Business Continuity Management Guidance and Protocol


SUMMARY

The Civil Contingencies Act 2004 places a duty on Category 1 Responders to provide for and maintain plans to ensure they can continue to exercise their functions in the event of an emergency. Fire and Rescue Authorities (FRAs) are classified as Category 1 Responders and the duty relates to all functions and not just the emergency and civil protection responsibilities.

The duty applies only to those events or situations defined as an emergency in Section 1 of the Act i.e. events or situations that threaten serious damage to the human welfare, environment or security of a place in the United Kingdom.

This guidance provides a framework and advice for managers across all departments and functions within Cumbria Fire and Rescue Service on developing Business Continuity Management (BCM) arrangements and plans within their own areas of work thus ensuring the Fire and Rescue Authority (FRA) fulfils and discharges its statutory duties.

The guidance is structured around the Business Continuity Institute’s 5 Stage Life Cycle Model, effective project management principles and the risk management approaches outlined in the Australian / New Zealand Standard AS/NZS 4360 - 1999: Risk Management Standards.

It also includes an introduction to public sector BCM, the objectives, rationale, benefits and costs of such an approach and a detailed guide to the actual process to be followed. Supporting information and suggested formats for documenting the on-going work and analysis are also provided.

BCM is a management responsibility and must be embedded as an organisational culture or ethos. The responsibility for its success rests with all managers across the Service and this guidance will assist in meeting those responsibilities.

Business Continuity Management Guidance & Protocol

Version 1 2 of 49 PDRH/PP May 2006

CONTENTS

SUMMARY

SECTION 1 - INTRODUCTION

SECTION 2 - PUBLIC SECTOR BUSINESS CONTINUITY MANAGEMENT (BCM)
2.1 BCM – a management responsibility
2.2 Links to other organisation management functions
2.3 A risk management approach to continuity management
2.4 Britain’s hazardous environment
2.5 Role of public sector organisations – accountability and responsibility

SECTION 3 – BENEFITS OF BUSINESS CONTINUITY MANAGEMENT (BCM)
3.1 Costs of Business Continuity Management (BCM)

SECTION 4 – THE BUSINESS CONTINUITY MANAGEMENT PROCESS
4.1 Initiation and project management
4.2 Raising awareness of continuity management among managers
4.3 Gaining management commitment and resources
4.4 Establishing the BCM team
4.5 Raising staff awareness and support

SECTION 5 - DEVELOPMENT OF A RISK MANAGEMENT PROCESS
5.1 Establishing the context for BCM – corporate analysis
5.2 Determining risk evaluation criteria
5.3 Identifying risks
5.4 Conducting the impact analysis
5.5 Evaluating risks
5.6 Identifying risk reduction options

SECTION 6 - IMPLEMENTATION OF RISK REDUCTION STRATEGIES
6.1 Preparing a risk reduction plan
6.2 Implementing risk reduction strategies

SECTION 7 - DEVELOPMENT OF CONTINGENCY PLANS
7.1 Project management
7.2 Prepare plans
7.3 Agree plans
7.4 Implement strategies
7.5 Communicate plans to all employees
7.6 Training
7.7 Testing


7.8 Activate plans as necessary
7.9 Maintaining contingency plans

SECTION 8 – DEVELOPING AN EMERGENCY RESPONSE PLAN
8.1 Evacuation
8.2 Communication
8.3 Public relations

SECTION 9 – DEVELOPING A RESUMPTION PLAN
9.1 Specific steps in resumption planning
9.2 Consolidate all sections of the plan into a resumption plan
9.3 Consult with related organisation areas
9.4 Obtain senior management approval
9.5 Communicate the plan to all employees
9.6 Store and maintain back up copies of the plan in off-site storage areas
9.7 Test the completed organisation plan
9.8 Exercise the plan regularly, evaluate results and update as necessary
9.9 Train users in the operation of the plan
9.10 Conduct audits of the resumption plans on a regular basis
9.11 Ongoing maintenance and review

SECTION 10 - APPENDICES
10.1 Risk identification
10.2 Risk matrix for determining level of risk
10.3 Risk register
10.4 Continuity management risk reduction plan
10.5 Specific risk action plan
10.6 Questions to ask staff
10.7 Resumption plan checklist
10.8 Sample format for a resumption plan


SECTION 1 - INTRODUCTION

This guidance is designed to provide managers across all departments and functions within Cumbria Fire and Rescue Service with advice on developing BCM arrangements and plans.

BCM is a process that helps manage the risks to the smooth running of an organisation or delivery of a service, ensuring it can continue to operate and function in the event of a disruption. It provides the strategic framework for improving the organisation’s resilience to interruption. Its purpose therefore is to facilitate and assist in the recovery of key business systems and processes within agreed time scales whilst maintaining the organisation’s critical functions and delivery of vital services to the public. It is an ongoing iterative process that helps organisations anticipate, prepare for, prevent, respond to and recover from disruptions, whatever their source and whatever aspect of the business they affect.

The Business Continuity Institute has developed a BCM model and methodology which is broken down into a 5 Stage Life Cycle. These stages are outlined and summarised below and provide the framework for this guidance.

Stage 1 - Understanding your Business – using business impact analysis and risk assessment to identify critical functions/objectives, evaluate recovery priorities and assess the risk that could lead to a disruption to service delivery.

The Business Impact Analysis is the foundation work upon which the whole BCM process is built. It identifies, quantifies and qualifies the impacts of a loss, interruption or disruption of business processes so management can determine at what point in time these become intolerable.

The Risk Assessment Process identifies the probability and impact of a variety of specific threats that could cause a business interruption.

Stage 2 - BCM Strategies – identifying the alternative strategies available to mitigate loss, assessing their potential effectiveness in maintaining the ability to deliver the organisation’s critical functions/objectives.

BCM Strategies concern the selection of alternative operating methods and outline the organisation’s approach to managing the continuity of its business during disruptions.

Stage 3 - Developing and Implementing a BCM Response – developing the response to business continuity challenges and the plans supporting and complementing this. Plans should have regard to the resources and actions which are required to maintain critical functions/objectives.

Stage 4 - Establishing a BCM Culture – this stage looks at the need to ensure that a continuity culture is embedded in the organisation by educating and raising awareness with staff and other key stakeholders. It is also about providing appropriate BCM training for all personnel.


Stage 5 - Maintaining, Exercising and Auditing BCM Plans – ensuring plans are fit for purpose, kept up to date and are quality assured. Exercising the plans can take various forms, from a test of the communication plan, a desk-top walk-through to a live exercise. Outcomes and lessons learned can then be processed and included in revisions or changes to the BCM Strategies and Plans.

Public sector organisations in the United Kingdom are generally able to maintain a constant stream of quality services. Nevertheless, they operate in a range of environments and with risks which have the potential to affect their capacity to maintain these services. The broad discipline that enables organisations to manage risks to maintain and deliver services is called Business Continuity Management (BCM).

BCM in the public sector is defined as management and planning for the continued availability of services including all the functions and resources associated with the provision of these services. The primary objective of BCM is therefore to reduce damage to staff, customers, the community, property and equipment. It is a manager’s responsibility and a logical extension of the operational planning and risk management processes. Successful BCM requires leadership, commitment and support from senior managers and participation of all staff throughout the organisation.

Organisations should be proactive and seek ways of preventing events rather than accepting that disruptions are inevitable. By following this process, Cumbria Fire and Rescue Service can identify the risks, select appropriate cost-effective risk minimisation strategies and determine the level of emergency and resumption planning required to restore services after an interruption.

Advice is also provided on:

► initiating the project

► establishing a BCM project team and defining their responsibilities

► establishing the corporate context and operating environment;

► identifying and ranking services and associated functions and resources

► assessing risks to services, functions and resources;

► developing strategies to minimise these risks;

► developing appropriate emergency response plans;

► developing resumption plans aimed at restoring services in accordance with identified priorities; and

► maintaining and reviewing the BCM arrangements.

The appendices in Section 10 contain examples of suggested forms and tables to assist managers in developing and refining BCM arrangements and plans for their particular areas of responsibility. These guidelines are not intended to be prescriptive and managers may obtain further advice and assistance from other sources.


SECTION 2 - PUBLIC SECTOR BUSINESS CONTINUITY MANAGEMENT (BCM)

Public sector BCM is defined as management and planning for the continued availability of an organisation’s services, including all the functions and resources associated with the provision of these services.

2.1 BCM – a management responsibility

Corporate planning and management decisions are predicated on the assumption that the social infrastructure and resources, which an organisation uses to provide the services, will always be available. The reality is that this is not always the case. From time to time, incidents, emergencies and disasters occur with consequential effects on an organisation’s normal operating environment. BCM enables organisations to identify and assess risks which could disrupt services and functions, to predict likely problems, and to plan to avoid or minimise the impact should they occur. BCM reduces the impact of events on an organisation’s capacity to fulfil its statutory duties and corporate objectives. Hence, BCM is a responsibility of management at the highest corporate level and is a responsibility which cannot therefore be delegated or devolved.

Organisations which do not practise and promote BCM may encounter more frequent, longer and more costly disruptions to services compared to those organisations which have high-quality BCM arrangements and plans in place. In fact, managers may be held personally liable if it can be established that their deliberate action or inaction was the underlying cause of the disruption.

2.2 Links to other management functions

BCM is linked to many recognised management functions including corporate planning, risk management, human resource management, information management, security management, financial and administrative practices, disaster recovery planning and emergency and crisis management. Information gained from these activities will therefore contribute to developing BCM strategies and plans.

2.3 A risk management approach to continuity management

BCM is an integral part of an organisation’s risk management process. The unique position of BCM is that it focuses on maintaining availability of services, while other forms of risk management and assessment are primarily concerned with protecting confidentiality, integrity and safety within an organisation. Advice on managing risks in these areas can be obtained from numerous sources and publications. They all however advocate the use of risk management principles and methods to determine the most cost-effective combination of strategies for managing risks to the availability of services. These strategies include risk reduction measures, organisational and operational assurance procedures, and emergency response and resumption plans.

The primary objectives of public sector BCM arrangements are to maintain the continuity of services provided, as far as is practicable, and to minimise the impact of any disruptions to the availability of services.


To achieve these objectives, organisations should:

► assign priorities to services provided;

► determine which functions and resources are associated with the provision of these services;

► aim to continue the most critical services and associated functions and resources;

► eliminate and reduce risks to the availability of services;

► prepare for and respond to the effects of incidents, emergencies and disasters on the organisation; and

► ensure timely resumption of all services following an incident, emergency or disruption.

2.4 Britain’s hazardous environment

Britain’s climate, physical geography and geology make it prone to a range of risks, emergencies and disasters resulting from natural hazards such as severe storms, floods, landslides and the occasional hurricane or earth tremor. Additionally the United Kingdom, as an industrialised and resource-rich nation, is subject to a variety of emergencies and disasters resulting from transport incidents, major urban fires, incidents involving hazardous materials and the failure of modern technology. Other risks which could cause sudden and serious disruption to all public sector organisations include loss of essential services (e.g. power and telecommunications), terrorist action, fraud, commercial and political espionage, attacks on information infrastructure, industrial action or even public and animal health epidemics/pandemics which could result in the loss of or unavailability of key staff.

In recent years the United Kingdom has experienced several crises including storms and widespread flooding (Boscastle, Carlisle and Glastonbury), the fuel shortage of 2000, industrial disputes and the year 2000 Millennium Bug which all had a significant impact on public sector organisations. Organisations are, however, more often affected by local or site-specific incidents such as leaking pipes, threats of violence, blackouts, computer failure, technology and staff absences. These occur on a regular basis and, either individually or collectively, significantly affect an organisation’s resources, functions and services.

2.5 Role of public sector agencies - accountability and responsibility

Public sector organisations are responsible to both the government and the public. They service government by providing advice and implementing government policies and decisions. They also provide services to the public and other groups.

Public sector organisations also have responsibilities to maintain the capacity to provide these services. Organisations should be able to continue to function in the face of events which may threaten the availability of the services they provide. Failure to function can have severe consequences including substantial financial loss, embarrassment, and loss of credibility or goodwill for the organisation and have consequential impacts on staff, customers, suppliers, taxpayers, the government and the public. The integral role of public sector organisations to protect and promote the public interest in society provides the rationale for developing public sector BCM plans.

2.5.1 Dependence

Public sector organisations are responsible for providing services upon which the public, community groups, private and public sector agencies depend. These include welfare, health, local government and essential services (such as power, water, transport and communications). Public sector organisations may deliver these services themselves or contract other agencies or the private sector. The continued availability of these services remains an organisational responsibility, regardless of whether the organisation delivers the service itself, or contracts another organisation to deliver the service. Although the authority to deliver a service can be devolved, organisations cannot devolve their ultimate responsibility to the public. Organisations also need to consider whether contractors have BCM plans, including resumption plans, to ensure the availability of contracted services and supplies. Although this decision will be made at the discretion of the department entering into a contract, it should be seriously considered if the contractor’s resources or services are critical to the organisation’s objectives. Hence, when a manager deems that a contractor should have a BCM plan, the requirement must be stated in the contract. Contractors should be encouraged to use these guidelines to develop BCM and resumption plans compatible with those of the organisation to which they are contracting.

2.5.2 Expectations

Public sector organisations contribute significantly to the survival, health, welfare and general well-being of the British community. The British people have expectations that the government will continue to provide a certain level of protection or security, for example police, customs, defence, quarantine, health and information security. They also expect that governments will be there to help them when they are unable to help themselves, or the situation is beyond their normal operating parameters, i.e. in an emergency. People expect that the government will be able to provide services regardless of the circumstances. Disruptions to services put the community’s respect for, and confidence in, governments and their organisations at risk.

2.5.3 Leadership

In times of crisis, the public expects leadership from politicians, public figures, government officers and emergency service personnel. The way they handle emergencies and disasters has a significant impact on the public’s reaction to the event. If it is confident the authorities are performing well, the community will benefit directly from the services it continues to receive and will also benefit psychologically from the positive way in which the event is being managed.

2.5.4 Duty of care

Public sector organisations must provide a safe environment for staff and customers for two reasons: first, due to the duty of care under occupational health and safety legislation; and second, to protect their most valuable resources and greatest asset: the knowledge, skills and capabilities of staff. Customers must be assured of a safe environment in places where they transact with government or receive government services, whether the services are delivered directly by the organisation, or delivered under contract by another organisation.

2.5.5 Politics

Public sector organisations serve the political process. Emergencies and disasters tend to become ‘political’ events. They attract media attention which focuses on elected officials and senior managers. Public sector agencies serve elected officials, who will want to come through the event with the least damage to their relationship with the community and will want to have enhanced, rather than diminished, the community’s confidence in government. This puts increased pressure on public sector agencies to prepare for these events and manage them well.

2.5.6 Public sector emergency management responsibilities

Primary responsibility for protecting life and property lies with agencies at a local level. They develop and maintain capabilities essential for effective emergency and disaster prevention, preparedness, response and recovery through police, the fire and rescue service, ambulance, medical, hospital and other agencies which provide services to the community. An agency at the front-line of emergency response must have some form of continuity management planning to ensure that, should the agency itself be adversely affected by the event, it remains capable of fulfilling its responsibilities. Co-ordination of emergency response is a police responsibility. Larger scale emergencies and disasters are likely to involve other government agencies at local, regional and possibly national levels in response and recovery. All agencies which have a role to play in emergency response and recovery should have BCM plans to ensure they can provide the necessary assistance when asked to do so, and this is incorporated into the statutory duties imposed under the Civil Contingencies Act 2004.


SECTION 3 - BENEFITS OF BUSINESS CONTINUITY MANAGEMENT (BCM)

BCM has significant benefits to an organisation and is an integral part of management best practice. Continuity management:

► is like an insurance policy. An organisation which has an appropriate BCM strategy has provided itself and its customers with an appropriate level of protection for the risks to the availability of services. The emergency response and resumption plans will enable organisations to respond effectively to contingencies and minimise disruption by staging the restoration of functions and services in accordance with organisational priorities;

► provides for good public service performance by providing consistent and timely quality services to government and to the public;

► enables an organisation to better understand and manage the risks and the environment in which it operates;

► can positively influence determination of core business and key result areas in corporate and strategic planning. The process of BCM planning requires an agency to focus on organisational priorities and critical services and functions; and

► is a commitment to staff welfare and client service. The result of a successful BCM programme, which emphasises risk minimisation and effective emergency response, should be fewer incidents and injuries and possible reductions in the costs of workers’ compensation premiums and payments.

3.1 COSTS OF BUSINESS CONTINUITY MANAGEMENT

Managers should assess the costs and benefits of BCM to determine the level of resources which should be allocated to it. The costs of investing in BCM should also be offset against both the potential losses (including financial costs) to the organisation and its customers of disrupted services and also the costs of reacting to an event without existing response and resumption plans. From an outlay perspective, the cost of implementing BCM arrangements in an organisation can be identified in three phases: development, implementation and maintenance.

3.1.1 Development costs

The development costs consist of:

► managing the project and the BCM team;

► engaging external consultants, if necessary;

► developing and procuring tools such as proforma, questionnaires, BCM software; and

► consulting staff and raising their awareness.


3.1.2 Implementation costs

The costs of implementation depend on the combination of risk management strategies used for:

► risk reduction;

► providing the appropriate level of protection of organisation assets and processes; and

► training staff in risk management; and

► the combination of contingency (response and recovery) planning strategies associated with:

  ► preparedness, including training staff and plan testing;

  ► standby requirements determined by the quality of back-up resources and timeframes required for resumption of the process, based on maximum acceptable delay; and

  ► activation of contingency plans as required.

3.1.3 Maintenance costs

The costs of maintenance cover:

► periodic review of risks faced by the organisation;

► periodic monitoring of risk management strategies and assessing likely effectiveness;

► keeping response and resumption plans up-to-date; and

► continued training in, and testing of, response and resumption plans.


SECTION 4 – THE BCM PROCESS

A systematic risk management approach to developing realistic and cost-effective BCM arrangements is recommended. The approach should be adapted to address the unique individual circumstances of each department’s risk environment, structures, functions and the services/functions it fulfils. The information provided is not intended to be prescriptive and managers may well wish to seek more detailed advice on BCM from other government agencies and the private sector. A formal process should be used for incorporating BCM into existing management systems at all levels of the Service. Management commitment, support mechanisms and resources are needed to provide a framework for development, implementation and maintenance of BCM arrangements.

4.1 Initiation and project management

Organisations without existing BCM arrangements need to carefully consider how they will initiate continuity management. The initiation phase focuses on raising awareness of the requirement, gaining support and resources, and planning for development of arrangements.

4.2 Raising awareness of continuity management among managers

Managers are responsible for delivering services or products to customers outside the organisation, or delivering functions which serve internal departments and support the Service. They are also responsible for maintaining the availability of these services, products and functions. They need to employ BCM strategies to fulfil this responsibility. The imperatives, benefits and objectives of BCM should be sold to managers to gain their support and resources. This can be achieved through briefings, formal presentations and appropriate education and training.

4.3 Gaining management commitment and resources

BCM will only succeed with strong and visible commitment, sponsorship and contribution from senior management. Strategic support for the project must be communicated widely throughout the Service. As BCM arrangements are being put into place and, on a continuing basis, senior management should demonstrate their support to ensure its general acceptance and, therefore, its success. Newsletters, memos and presentations to staff are simple methods of communicating management support. Consideration could also be given to incorporating BCM in the job descriptions of managers and their staff. Senior management support is essential to ensure that BCM can compete for financial and personnel resources. Comprehensive BCM can only be established with a commitment of resources throughout the process. Senior management should allocate adequate resources, including assignment of trained personnel to develop, implement and review BCM arrangements. A risk management approach to BCM will ensure that the most cost-effective arrangements are identified, which should result in support from senior management.


4.4 Establishing the continuity management project team

Management responsibility for BCM - for the Service as a whole and, where appropriate, for departments and functions - should be assigned early in the process. A person in a senior position, irrespective of other responsibilities, should be assigned with the authority to ensure BCM is established, implemented, maintained and integrated into existing management systems. The responsible manager should establish a multi-functional project management team comprising representatives from across the organisation, in both corporate and operational areas, to develop the Service’s arrangements. Within Cumbria Fire and Rescue Service this individual is the Assistant Chief Officer Community Risk Management.

The contribution of all managers is also essential and fundamental in developing BCM arrangements. These managers understand the sensitivity, value and importance of the resources they use, whether they are their own, from another department or function, or those of a contracted supplier. The selection of a broad-based team drawn from different parts of the organisation will improve the risk identification and agency impact analysis so the resultant BCM arrangements accord with the Service’s objectives and priorities. A representative team will also help to ensure ownership and acceptance of the BCM arrangements across the whole organisation.

The team’s authority and responsibilities should be defined and documented. The team’s responsibilities should include:

► identifying relevant administrative and legislative imperatives for BCM management, e.g. government directives, health and safety standards and various codes of practice;

► identifying strategies for awareness training, skills acquisition, training and education of staff, including the project team;

► identifying sources of assistance for BCM planning. External consultants can provide guidance to public sector agencies on continuity management but, for a number of reasons, not least of which is the need to maintain and update it in the future, the Service should ensure ‘ownership’ of its plan. Other local emergency services can also provide advice on relevant hazards, vulnerability and emergency planning;

► establishing the BCM project methodology and plan. This should include a suitable set of objectives and schedules for completing each milestone and reporting to management;

► establishing the project budget, including an estimate of resource requirements;

► determining how to break up the task of BCM to make it more manageable. For example, if the organisation is very large, widely dispersed or has multi-faceted operations, it may be appropriate to form a number of project teams;

► establishing representatives and teams, as necessary, to develop the detailed plans, to direct their implementation and to arrange training;

► co-ordinating the BCM strategies and contingency plans within the organisation and individual departments and where appropriate with external parties, including maintaining communications between teams and liaising with external parties;

► establishing an Emergency Planning Committee (EPC) to implement the emergency response, and a Crisis Management Team (CMT) to implement the resumption plan. Cross-membership of the project team, the EPC and the CMT will ensure a continuous flow of information between teams and smooth transitions between phases;

► developing and maintaining an agreed level of BCM documentation;

► monitoring progress against the agreed project plan;

► establishing the requirements for, and monitoring of, quality control;

► directing exercises and tests of the emergency response and resumption plans; and

► obtaining senior management support at the necessary stages through presentations and reports. Senior management should, in turn, provide staff with feedback and reports on a regular basis.

One of the project team’s prime responsibilities is to determine the requirement for appropriate BCM documentation. This may need to be sufficient to satisfy independent audit. At each phase in the process, documentation should include:

► aims and objectives;

► information sources;

► assumptions;

► decisions; and

► actions taken.

Examples of suggested methods of documentation are outlined in Sections 10.1 – 10.5 (Appendices).

Three key outputs from the BCM process should be plans for risk education, emergency response, and resumption. Managers should consider the practicalities of either combining the three plans in the same publication, or producing three separate documents. If the latter option is chosen, clear linkages between plans should be established.

4.5 Raising staff awareness and support

The BCM project team should emphasise consultation with employees and external customers and suppliers. BCM processes must increase staff awareness of the issues and highlight personal responsibilities and procedures. All staff must see BCM as being important and relevant not only to the Service but also for their personal safety and to enable them to continue to perform their duties in a professional manner. Their active participation in the BCM process will provide the increased awareness and support necessary for effective implementation. The success of BCM is directly related to the degree of involvement in the planning stage of those who have to implement the strategies. Staff should be interviewed or surveyed for information to assist in various phases of the process. A range of consultation strategies can be used. If it is the first time BCM has been undertaken, a personal approach such as an interview is preferable as it provides an opportunity for staff to ask questions and to educate them about BCM. Alternatively, if staff are familiar with BCM and contingency planning processes, questionnaires and surveys should be sufficient. The type of information required from staff to provide the basis for developing BCM arrangements is outlined at Section 10.6.


SECTION 5 – DEVELOPMENT OF A RISK MANAGEMENT PROCESS

All organisations must manage risks to public service activities at an acceptable level. The level of acceptable risk depends on a number of factors, including the correct identification of risks, the level of funding available to manage those risks, and the potential damage that could be caused to life, property and services. All organisations are strongly advised to undertake a comprehensive review of potential risks they face through a formal analysis using, for example, Guidelines for Managing Risk in the Australian Public Sector. The broad approach outlined in this guidance has been adapted from the Australia/New Zealand AS/NZS 4360 – 1999: Risk Management Standard. BCM draws heavily on the principles of risk management to enable organisations to keep risks, which can affect the availability of services, at an acceptable level. The risk management framework advocated by the Standard has been adapted for the purpose of BCM and is recognised as international best practice. Risk management consists of steps which, when undertaken in sequence, enable a systematic analysis of the risks to which an organisation is exposed and result in the selection of an appropriate mix of strategies to manage those risks. The entire process is iterative and may be re-entered at any point when the inbuilt review mechanisms indicate such a necessity.

5.1 Establishing the context for continuity management – corporate analysis

One of the keys to successful BCM is understanding the nature of the business in terms of the services provided, the functions and resources associated with the provision of those services, and the environment in which the organisation operates. The Service’s strategic and organisational contexts must therefore be established and fully understood. The strategic context is defined by the position within the public service, by the political, operational, financial, social, legal and competitive aspects of the environment, and by the relationship with various stakeholders and customers. The organisational context will provide a picture of the Service’s broad goals, objectives, high-value services and functions and assist in identifying which parts of the organisation are responsible for these functions or contribute towards them. The following will also have to be identified:

► major projects;

► key functional elements; and

► any resources (including facilities and assets) which are associated with services, major projects and functions vital to the operations.

Descriptions of the Service’s core functions, major projects, critical success factors and risks are contained in documents such as the vision and values, corporate and strategic plans, action/community plans, annual reports and general risk management and emergency plans. An understanding of all these elements enables managers to assign priorities to services, associated functions and resources on the basis of the level of their contribution to the Service’s overall goals. By focusing on higher priority areas, managers can ensure the most cost-effective BCM plans are designed and are aligned with priorities. Ranking the organisation’s services is especially important for determining which resources, functions and services should be given higher levels of protection and the priorities for resumption following an emergency or disaster.

5.2 Determining risk evaluation criteria

The criteria which will be used to evaluate risks, to assess whether they are acceptable or not, and to assign priorities for implementing risk reduction strategies should be established early in the process. At this stage, managers should consider the level of risk they are prepared to accept from different aspects of the environment. Criteria may be developed with reference to the Service’s strategic and organisational contexts, such as political, financial, legal, social, human or other factors. The length of time that an organisation can tolerate the unavailability of particular services, functions and resources is an important criterion in BCM.

Other criteria which may assist in the development of an evaluation framework include potential losses, the capability of the Service to manage a risk, stakeholder interests, perceptions and expectations, and the dynamics of the risk, especially concerns about its potential to escalate.

5.3 Identifying risks

Risks result from the interaction of sources of risk and elements at risk. This step identifies these interactions by taking a broad and systematic sweep of possible sources of risk and the elements of the Service which could be at risk. Managers can use checklists, past records, brainstorming, surveys, interviews, focus groups, workshops and other techniques to collect data for the identification of risks.

Sources of risk (hazards or threats) are events or conditions which may, when considered in conjunction with elements at risk, cause loss of availability of services, functions or resources. Credible risk from internal and external sources should be identified. Possible sources of risk are listed below:

► Natural hazards such as severe storm, flood, hurricane, storm surge, earthquake, landslides, extreme heat or cold.

► Technological hazards may originate from industry and the failure of social infrastructure and technical systems. These include failures related to office equipment and information systems (e.g. from computer viruses).

► Utilities (power, water, telecommunications, sewerage).

► Industrial sites (sources of chemical, biological and nuclear hazards).

► Building and community infrastructure and transportation.

► Civil / political threats such as criminal acts, terrorism, sabotage, civil unrest, external fraud, demonstrations, hostage situations and enemy attack.

► Employee activities - human error, industrial unrest and internal fraud and corruption.

► Management activities and controls - deficiencies in areas such as management of information systems and associated infrastructure, relationships between organisations and/or communities such as compliance with agreements for outsourcing service provision, mutual aid arrangements, statutory requirements and codes of practice.

► Economic circumstances - direct circumstances of the community, as well as factors contributing to those circumstances such as industry restructuring, trade relations, government policy and global influences.

► Political circumstances/Political stability, legislative changes and factors which may influence other sources of risk.

Elements at risk also need to be identified. An element at risk is anything the community values which may, when considered in conjunction with sources of risk, be at risk. These could be services and their recipients, functions or resources. Services and functions at risk will be closely linked to the special nature of the Service’s business. For example:

► staff and visitor health and safety

► customers and stakeholders

► suppliers

► the community

► facilities, buildings and other accommodation

► information: paper or computer records, containing customer details, staff information, legal documents, classified information on economic and/or defence programmes, law enforcement

► equipment such as workstations (personal computers and software, desks, telephones), photocopiers and fax machines

► the environment

► lifelines / utilities including telecommunications, transport, electricity / power, water, sewerage

► performance in terms of quality and timeliness

► intangibles such as reputation, goodwill, confidence

Interaction between a source of risk and an element at risk should be identified. These risks are then subject to more detailed investigation as to their potential to affect the continuity of the Service’s functions. This impact analysis step also assists in identifying sources of risk which pose no threat to the availability of the Service’s functions and, therefore, can be excluded from further examination. Section 10.1 provides a suggested approach to tabulation of sources of risk, elements at risk and identified risks to the Service’s functions.

5.4 Conducting the impact analysis

Impact analysis differentiates BCM from other forms of risk management in that it focuses on the potential impact of identified risks on the Service. Risk is usually described as a function of likelihood and consequence. In BCM the consequence can be more closely defined in relation to the impact of the identified risk on the organisation. Impact can only be measured at the resource, functional and service levels. The unavailability of resources has knock-on effects for Service functions, which in turn affect the availability of the service. In undertaking impact analysis, managers should collect the best available information on risks from both staff and credible external sources to:

► describe specific characteristics of sources of risk, including their likelihood;

► describe potential impact of risks on our resources, functions and services, in the context of existing reduction measures; and

► determine the level of risk based on a combination of the above.

Details about credible sources of risk should be collected. Significant features may include how they arise, likelihood, frequency, intensity, speed of onset, duration, dispersion and perceived threat.

The next step is to describe the potential impact of the risk. This involves appreciating what could happen when sources of risk interact with elements of the Service which are at risk. The first consideration is to describe the point of impact. Which element of the Service is likely to be affected? The first impact of a risk being realised is usually the unavailability of resources. Managers should then assess the effect the lack of resources may have on the capacity to carry out functions and deliver services. In addition to the operational impact, managers should also assess the financial, legal and intangible implications of interruption. The length of time (in minutes, hours, days or weeks) that a resource, function or service will remain unavailable should be estimated. Managers should assess the impact in the context of existing risk reduction measures and the Service’s capacity to cope with, and manage, particular types of incidents, emergencies and disasters with existing contingency plans. They should use this opportunity to review the effectiveness of existing risk reduction measures and contingency plans.

The level of risk is determined by the relationship between both the likelihood of the event and the magnitude of the impact, against the background of any existing risk reduction measures. Neither consequence nor likelihood should dominate the determination of the level of risk. The greatest risks to the organisation are those which have extreme consequences and are almost certain to occur. Conversely, a rare event with negligible consequences may be considered trivial. However, an event which occurs rarely, but which has extreme consequences could be considered a significant risk.

Quantitative methods can be used in situations where the likelihood or the impacts, such as the period of disruption and financial losses, can be enumerated. Managers are likely to find qualitative approaches more useful in determining the consequential effects on government and the public.

Qualitative analysis uses words or descriptive scales to describe likelihoods and impacts. The level of risk is then determined by mapping the relationship between likelihoods and impacts in a matrix. Managers should design their own mapping tables based on their own organisational and strategic contexts. Previously-established risk criteria can be used to add weight to the definitions of impact. An example of a matrix to determine the level of risk is at Section 10.2. Risks should be documented as per the Risk Register at Section 10.3.

5.5 Evaluating risks

Risk evaluation is about comparing the level of risk found during the analysis process with previously-established risk criteria and deciding whether or not the risk can be accepted.


A risk may be accepted if:

► the level is so low that the Service could deal with the impact using existing measures;

► the level is so low that specific risk reduction is not appropriate within available resources;

► there are no risk reduction measures available to treat the risk;

► the Service does not have the means to reduce the risk (i.e. it is out of their control); or

► the cost of risk reduction significantly outweighs the benefit to be gained.

Low and accepted risks should be monitored and reviewed to ensure they remain at an acceptable level.

Risks which do not fall into the acceptable category will need to be reduced using one or more of the options outlined below. The risks themselves should be ranked and a prioritised list of risks for further actions produced.

5.6 Identifying risk reduction options

Managers should identify the range of options for treating the identified risks before determining which strategies should be implemented. These options, which are not necessarily mutually exclusive, or appropriate in all circumstances, include the following:

5.6.1 Avoid the risk by deciding not to proceed with the activity likely to generate risk (where this is practicable). Inappropriate risk avoidance, which can occur where there is an attitude of risk aversion, may increase the significance of other risks. Risk aversion results in:

► deciding to avoid or ignore risks regardless of the information available and costs incurred in treating those risks;

► failing to treat risk;

► leaving critical choices, decisions and actions up to other parties;

► deferring decisions; or

► selecting an option because it represents a potential lower risk regardless of benefits.

5.6.2 Accept the risk. We may decide to accept the risk at the existing level as discussed in ‘Evaluating risks’ (see above) and later in ‘Manage residual risks’.

5.6.3 Reduce the likelihood of occurrence. Actions to reduce the likelihood can include:

► contract conditions;

► preventative maintenance;

► protective security measures, such as restricted access and surveillance;

► inspection and process controls;

► quality assurance, management and standards;

► structured training and other programmes;

► audit and compliance programmes;

► formal reviews of requirements, specifications, design, engineering and operations;

► project management and organisational arrangements;

► supervision; and

► testing.

5.6.4 Reduce the impacts. Actions to reduce impacts can include:

► building design features, engineering and structural barriers;

► separation or relocation of an activity and resources;

► off-site storage of documents and computer data;

► contractual arrangements with conditions which make proper provision for disruption to services;

► contingency plans (emergency response and resumption plans);

► emergency response procedures, including removal, containment or suppression of the source of risk and/or removal of elements at risk, i.e. evacuation of staff, retrieval of essential records;

► resumption strategies;

► public relations; and

► ex-gratia payments.

5.6.5 Transfer the risk. This involves another party bearing or sharing some part of the risk. Mechanisms include physical transfer, the use of contractors, insurance arrangements, partnerships and joint ventures. In transferring risk, the Service may have acquired a new risk in that the party to which the risk has been transferred may not manage the risk effectively.

5.6.6 Manage residual risk. After risks have been reduced or transferred, there may be a remaining level of risk which can be accepted or retained. Risks can also be retained by default, i.e. when there is a failure to identify, reduce or appropriately transfer the risks. Contingency plans are primary strategies for management of residual risk.

5.6.7 Prevention, preparedness, response and recovery (PPRR) is an alternative way of classing risk reduction options. Prevention strategies include such measures as:

► building site-location and purpose-built design;

► locating resources away from sources of risk;

► building standards, including smoke, fire and flood detectors;

► developing protective security measures, including information storage practices (e.g. maintain copies of essential information off-site – copies held off-site must be afforded the same level of security as required by the originals);

► limiting dependence on any one supplier to provide resources or services;

► building fault tolerance and resilience into information systems and networks;

► practising occupational health and safety;

► developing employee awareness of risks and prevention measures.

5.6.8 Preparedness strategies include such measures as:

► contingency planning, including emergency procedures, evacuation and warning systems;

► resumption planning;

► training / exercises;

► developing employee preparedness;

► mutual aid arrangements with other agencies and organisations; and

► contracts with suppliers and service providers which address availability issues.

5.6.9 Response strategies include measures such as:

► implementing emergency and contingency plans; and

► activating emergency co-ordination centres / teams.

Recovery strategies include measures such as:

► implementing resumption plans to restore services;

► counselling for staff;

► rebuilding relationships with customers, stakeholders and suppliers.

SECTION 6 – IMPLEMENTATION OF RISK REDUCTION STRATEGIES

Selection of the most appropriate risk reduction strategy requires a cost-benefit analysis where the cost of implementing each option is balanced against the benefits to be derived. Benefits can be assessed in terms of both the extent of risk reduction and the extent of benefits or opportunities created. In general, the cost of managing risks needs to be commensurate with the benefits obtained. Where large reductions in risk may be obtained with relatively low expenditure, such options should be implemented. Further options for improvement may be uneconomic and judgement needs to be exercised as to whether they are justifiable. Rare but severe risks may warrant risk reduction measures which are not justifiable on strictly economic grounds.

A number of options may be considered and applied either individually or in combination. In many cases, it is unlikely that any one risk reduction option will be a complete solution for a particular problem. In general terms, the adverse impact of risks should be made as low as is reasonably practicable.

6.1 Preparing a risk reduction plan

A range of risk reduction options, recommendations and their associated costs should be presented to senior management to enable selection and approval of the most cost-effective option within an acceptable level of risk. The agreed risk reduction plan should document the methods for the implementation of the chosen options. The implementation plan should identify responsibilities and individual accountabilities, schedules, the expected outcomes of risk reduction strategies, budgeting, performance measures and the review process to be set in place. Ideally, responsibility for reducing risk should be borne by those in the organisation best able to manage the risk. Responsibilities should be agreed between the parties at the earliest possible time.

The plan should also include a mechanism for evaluating the implementation of the options against performance criteria and individual responsibilities and other objectives, and to monitor critical implementation milestones. Examples of tables for an overall BCM Risk Reduction Plan and Specific Risk Action Plan are outlined in Section 10.4 and Section 10.5 respectively.

These documents should include descriptions of the management strategies to be adopted and the following information:

► management teams and individuals – those responsible for implementing the risk reduction plan and their responsibilities;

► resources to be utilised;

► budget allocation;

► timetable for implementation; and

► details of the mechanism and frequency of review of compliance within the plan.

6.2 Implementing risk reduction strategies


Successful implementation of risk reduction strategies requires an effective management system overseen by managers and the BCM project team. The implementation of the risk reduction plan should be integrated with other planning and management activities. The process followed, the decisions taken, and the actions planned, should be documented. If, after the risk reduction programme, there is a residual risk, a decision should be taken as to whether to retain this risk or repeat the risk assessment and implementation process.


SECTION 7 – DEVELOPMENT OF CONTINGENCY PLANS

Contingency planning is a BCM strategy for dealing with residual risks, i.e. the level of risk which an organisation has decided to accept or has failed to identify in the risk assessment process. Events such as emergencies and disasters which exceed the level of protection will occur from time to time. Organisations should have contingency plans to implement procedures which:

► reduce the immediate impact of these events on the Service (emergency response plan); and

► recover services with minimal disruption (resumption plan).

Contingency plans should build on the information provided by the preceding risk management process. The risk assessment and impact analysis will have determined the following:

► the nature of the business;

► the services provided and their associated functions;

► the resources required to fulfil these functions;

► a listing of services in order of the criticality for resumption;

► potential sources of disruption (sources of risk), areas of impact (elements at risk) and the effectiveness of existing safeguards; and

► resources, functions and services most at risk of being unavailable.

There are some basic principles which apply to both emergency response and resumption plans. They should:

► be clearly written and easily understood. They must be flexible so they can be implemented on any day of the year, including public holidays, by day or night and in all weather conditions;

► identify the organisation, department, location or premises to which it applies;

► be based on routine arrangements and organisational structures. Plans should define roles and responsibilities of all staff expected to be involved. Staff must be familiar with the contingency procedures for plans to be readily and effectively implemented;

► integrate the various activities and plans across the organisation. Arrangements should also be co-ordinated with neighbouring organisations and/or agencies, building co-tenants and other authorities such as the police or ambulance service;

► have sufficient flexibility to cover a wide range of possible sources and levels of risk. Managers may also need to develop plans for specific events, usually of high risk, for example fire or power failure, as some situations may require different and more extreme response and resumption activities. Specific plans will have more or less detail, depending on the likelihood of the event’s occurrence and its potential impact on services, and associated functions and resources. Such plans are normally dealt with comprehensively in the overall emergency response and resumption plans.


Specifically, development of contingency plans requires completion of the following tasks:

7.1 Project management

As a first step, managers should establish appropriate planning teams (Emergency Planning Committee for emergency response and a Crisis Management Team for resumption). The same team established for the risk management phases could be used or separate teams assembled. Plans should be written for those who ultimately use them. Hence, the end-user should be involved in the planning process. As with the risk management process, the following should be considered:

► authority for the contingency planning process;

► staff awareness, commitment and support for contingency planning, particularly from senior managers;

► resources for contingency planning;

► agreed methodology and milestones for planning;

► establishment of local planning teams, where necessary, to develop detailed plans; and

► a project plan for developing, implementing, training, exercising, monitoring and reviewing.

Senior management approval must be obtained throughout the contingency planning process.

7.2 Prepare plans

In preparing plans, there must be extensive consultation and co-ordination between the project team, staff, clients and suppliers. Other emergency services personnel should also be consulted to ensure plans are compatible with local emergency management arrangements. This is a time for creative thinking and identifying practical alternatives.

The planning framework, having been endorsed by senior management, provides consistency throughout the planning process. The plan may need to be prepared in blocks, beginning with the smallest discrete unit and, finally, rolling individual unit and branch plans into a comprehensive overall plan for senior management consideration and approval.

Contingency plans must clearly define:

► when plans are to be implemented;

► who has the authority to initiate them;

► who has delegation for the authorisation of specific functions, e.g. call-out of specialised support, spending limits;

► lists of contact details of key personnel; and

► specific details for emergency and resumption plans.

Details on the specific steps in developing an emergency response plan and on the suggested approach to developing a resumption plan are explained later in this guidance.


7.3 Agree plans

Once the plan framework is complete, it must be brought to senior management for approval. In addition to keeping senior managers aware of the project, this assures the necessary resource allocation for plan implementation.

7.4 Implement strategies

Putting a plan into place requires the cooperation and assistance of all elements of the organisation. Support should have been gathered during previous steps and, at this point, the specifics of the plan simply need to be carried out. Ongoing management review during the implementation phase is necessary to facilitate progress.

7.5 Communicate plans to all employees

All employees must understand their role in an emergency and in resuming normal service and functions. They should all have a copy of current emergency procedures, receive appropriate training and participate in exercises and tests on a regular basis. Individuals with key roles should be supplied with simple task cards detailing the actions they must undertake when advised of the event. The cards may prescribe actions to be taken over a course of time or at specific times after the event. Individuals should have ready access to the cards at all times and additional copies for storage in the office, at home and in cars should be provided.

7.6 Training

Members of staff, and in particular individuals who have been given special responsibilities, must be able to perform the roles that are expected of them. Skills and abilities required to fulfil responsibilities should be identified. Managers should develop and present appropriate training programmes and then follow with a system of exercises and tests.

7.7 Testing

Contingency plans must be exercised and tested, in part or in full, to ensure the plan works and remains current. Exercises will also ensure staff remain aware of the plan and practise their roles under the plan.

Emergency management colleagues can provide advice on different types of exercise which can be used to test the plan. These can range from seminars and table-top exercises to full field exercises. Each of these exercises will identify deficiencies in the plan. Sometimes contingency plans fail because incorrect assumptions have been made, risks have not been identified, or there have been changes to the organisation, equipment or personnel. If necessary, changes to plans should be made promptly, so an effective plan is in place at all times. Internal and external auditors and inspectors should regularly audit completed contingency plans in accordance with required standards as part of our overall audit arrangements.

7.8 Activate plan as necessary

When an event occurs, the plan should be activated by the appropriate authority and implemented in accordance with the agreed arrangements.

A post-event review of the effectiveness of the plan and of the performance of individuals charged with responsibilities in the plan should be conducted after the Service has returned to normal operations. Areas where the plan was not effective or key individuals did not perform effectively should be identified. The plan should be amended accordingly.

7.9 Maintaining contingency plans

There are many changes which organisations may make which could affect the viability of a contingency plan. There are two distinct features of maintenance: testing (see above) and updating.

Lessons learned from the testing or activation of the plan should be incorporated into the revised plan. Any organisational changes which affect the underlying assumptions of the planning process should be reflected in revisions of the plan. These may include changes to agency services, equipment, staff, agency priorities, contractors or suppliers and information systems. A key personnel contact list of addresses and ‘phone numbers should be maintained as well as contacts for other agencies including sister emergency services and suppliers.

Continuous improvements in contingency management strategies should also be considered for inclusion in the plan. Senior management support for BCM should be demonstrated when re-issuing the plan.


SECTION 8 – DEVELOPING AN EMERGENCY RESPONSE PLAN

Emergency response planning involves planning for the Service’s response to an emergency or disaster which overwhelms the protection mechanisms in place. The purpose of the emergency plan is to reduce the impact of a hazardous event on the organisation by initially containing the incident, then minimising damage to our resources, such as staff, premises and equipment, and setting us on the road to recovery.

The Australian Standard AS 3745 –1995: Emergency Control Organization and Procedures for Buildings recommends procedures for agencies to respond to events until the appropriate emergency service arrives on the scene. The Standard recommends the formation of an Emergency Planning Committee to:

► establish and implement an emergency plan;

► ensure personnel are appointed to all positions on the Emergency Control Organisation;

► arrange for training of Emergency Control Organisation personnel;

► arrange for the conduct of evacuation exercises; and

► review the effectiveness of evacuation exercises and arrange for procedural improvements.

In an emergency, immediate assistance may be required. A good relationship with other emergency services is therefore important. The organisation should understand how other emergency services will respond to an incident, what powers they have, their needs (such as access and egress for emergency vehicles and personnel), and how they can assist their efforts. Emergency response plans should be compatible with local emergency plans and with emergency service arrangements. Contact details of other likely sources of assistance should be documented, including office, home telephone numbers, fax numbers and postal addresses.

The emergency plan should contain building evacuation, communications and public relations procedures. Other relevant information is included in the development of resumption plans.

8.1 Evacuation

Evacuation procedures may need to be varied for differing circumstances. If the event occurs while employees are in the workplace, a decision will need to be made whether to evacuate the premises or to keep everyone inside the building until the problem is resolved. An evacuation plan should:

► identify people authorised to initiate the building evacuation plans either on the basis of an alarm sounding or in other circumstances;

► identify escape routes and exits on leaving premises, including arrangements for mobility-impaired persons;

► designate mustering sites for evacuated personnel. The site should be carefully chosen, with preference given to areas with ease of access, in safe proximity, and undercover, to protect evacuees from the elements and to enhance communications;

► select, designate and train personnel to manage the evacuation including control of evacuation routes and checking that premises have been evacuated;

► designate personnel to co-ordinate with emergency services, including briefing them on arrival and making keys available for access to secured areas; and

► designate tasks to individuals if they can undertake them safely prior to evacuation. For example: calling emergency services using the standard emergency ‘phone number; switching off power, water and other utilities; taking safe custody of specific items, e.g. key records, cash and valuables; securing the premises; and transferring telephone callers to a predetermined location, by prior arrangement with the telecommunications company.

8.2 Communications

It is important that the Service communicates quickly and effectively with those who are likely to be affected by a disruption to services. These include:

► employees (who need to be told what to do);

► neighbours and co-tenants;

► customers and stakeholders;

► local authorities and other emergency services;

► suppliers; and

► local media (radio, television and newspapers).

This part of the emergency plan should cover:

► internal and external communications;

► instructions, procedures and duties of switchboard operators;

► arrangements to divert telephone calls and mail to alternative locations;

► layout of existing facilities and associated communication plans;

► provision of two-way radios and mobile telephones to key personnel;

► sources of supply for additional radios and telephones;

► arrangements for providing information to all staff if the event occurs outside working hours;

► arrangements for handling telephone calls to and from relatives and friends; and

► a media management plan – at least one person should be trained in media releases and should provide the focus for contact with the media. Further details are provided below.

8.3 Public relations

The public relations part of the plan has to cover a wide range of activities. Good relations with the media will be extremely important should disaster strike. It is particularly critical if the cause of the event can be attributed to the agency. Careful planning will result in better, less aggressive reporting of the event by the media. Key points to consider are:

► designated spokesperson with media training;

► co-ordination of media management plans with other affected parties including other emergency services;

► contact lists of media outlets, journalists, radio/television stations;

► the need to engage a public relations consultant;

► advertising to inform the public of the situation and action being taken;

► an emergency newsletter to staff, customers and suppliers;

► telephone answering services to field and process enquiries; and

► prepared press release on the agency, functions, safety record, key personnel, etc.


SECTION 9 – DEVELOPING A RESUMPTION PLAN

The Service needs to have a resumption plan to minimise disruption or downtime and to restore its functions within accepted timeframes. Resumption planning should assume a realistic worst-case scenario, i.e. disaster has occurred, operations are at a standstill and few, if any, resources are available. The plan should therefore form the basis for resumption of services when a disruption occurs, irrespective of the source. A Crisis Management Team should be established to undertake the planning process and implement the plan as necessary. The focus in resumption planning is to establish a system for restoring the organisation’s services, and associated functions, according to the pre-determined priorities and agreed timeframes for restoration. The plan aims to achieve the continued provision, or immediate resumption, of critical services and the restoration of normal services as soon as possible without any unnecessary expenditure. The established priorities will resolve the conflicting demands for resources.

A good resumption plan will have identified the pre-determined arrangements and have resources (such as accommodation, services, financial arrangements, equipment, personnel and information) on stand-by in order to get critical functions operating with as little delay as possible. The Resumption Plan Checklist at Section 10.7 can be used to check whether the completed resumption plan has adequately covered all the necessary areas.

9.1 Specific steps in resumption planning

The process of resumption plan development draws on information already gathered in the risk management process and emergency response planning. The following steps should provide guidance in plan development, implementation and ongoing maintenance. These steps are not exhaustive, and will not necessarily apply to every department or function.

9.1.2 List the major services or functions in this area of responsibility

The list draws upon information from the risk management process. Sources of information include corporate plans, service plans, area and community action plans, annual reports and other risk information of the organisation.

9.1.3 Rank services and functions

Resumption planning is built around the ranking of services with particular attention paid to the critical services provided by the organisation. A service may be considered critical if its withdrawal would have a serious impact on the personnel and internal and external customers and would significantly impair the successful fulfilment of the Service’s objectives. Functions and resources associated with critical services should then be determined to establish minimum requirements necessary for restoring critical services. Resources which are commonly unavailable may be categorised under four main headings: information, assets, people and facilities.


9.1.4 Assign a priority to each function or service

What would have to be done immediately after a contingency? What could be postponed? How long can the identified critical services be inoperative? A numeric scale (of 1-5, for example) can be used to show the length of time the service, function or resource can remain disrupted.

immediate = priority 1
> 24 hours = priority 2
2-4 days = priority 3
5-7 days = priority 4
> 7 days = priority 5

This period simply becomes the target recovery timeframe for resumption of the service, function or resource. Another option is to use simple categories such as the following:

Critical: critical services and associated functions which need to be maintained, or re-established with minimal delay.

Important: critical services and associated functions which need to be reinstated within an agreed timeframe.

Average: services and associated functions which should be reinstated eventually after critical and important services.

9.1.5 Develop a planning objective and target recovery timeframe for each service or function

The objectives for resuming each service, function or resource should be stated together with the specified level of service and the target recovery timeframe.

9.1.6 Determine minimum needs for initial resumption

List key positions within the organisation or within other departments that are needed to assist with recovery.

List essential equipment needs (telephones, computers, stationery, etc.) and sources of alternative equipment. Ensure all support services have been considered.

List essential information sources (instructions or manuals, databases) and alternative sources. The alternative source may be stored off-site.

9.1.7 Obtain senior management approval for proposed approach

This step gives management an outline of the plan being developed and an opportunity to confirm previous risk management decisions. Identified critical services, functions, priorities, objective statements and the proposed approach for development of the plan and associated organisational structures should be included.

9.1.8 Delegate planning assignments to the staff who carry out the critical services and functions on a day-to-day basis

Specify due dates for completion. Include necessary support services personnel, such as HR, Finance, Ops Support, Community Risk Management, Occupational Health, ICT, Corporate Systems etc.

9.1.9 Write the detailed plan

Focus on the impact of the disruption rather than on the source of disruption. The plan should include a strategy for assessing the impact and damage of the event on the organisation. Keep in mind that each department plan must detail what must be done, in what sequence and by whom, to recover critical services and functions should staff be incapacitated, information lost, or facilities or assets lost or rendered inaccessible.

Responsibilities of the Crisis Management Team and their agreed procedures should be identified. Tasks for other staff should be identified and responsibilities assigned to designated positions (in preference to particular individuals) or to teams. Each individual section of the plan should stand alone. A sample format for the plan is outlined at Section 10.8.

Each plan, and the final Service-wide plan, will incorporate costs of implementation, in terms of personnel and financial resources. This could include contracting with the private sector. If necessary for resumption, private sector solutions may be sought and a selection made at this stage.

The plan must cover personal needs of staff, accommodation, equipment suppliers and other sources of assistance, communications and public relations. Suitable accommodation and equipment for the Crisis Management Team should be identified.

9.1.10 Personal needs of staff

The personal needs of staff need to be attended to. General health and safety standards should be maintained, where practicable. The health care system is likely to address the physical needs of staff; however, many psychological needs will require attention from the Service itself.

The psychological impact of an emergency can be enormous, in both positive and negative ways. Individuals will react differently to what appears, on the surface, to be the same experience. Disasters are likely to cause changes to work practices and locations. In the initial stages, morale tends to be high among those involved with the emergency response. However, as personnel become fatigued, individual effectiveness and morale is normally reduced. Therefore, managers should develop a staffing plan which does not commit all of their staffing resources at the outset.


Staff should be kept in reserve to relieve colleagues as they tire and become stressed under the pressure of the event.

Replacement staffing, succession planning and additional staff expenses (including overtime, meals, incidental expenses, accommodation) should also be considered in the plan.

The psychological impact of the event on staff members may not become apparent until some time after the event. Counselling services should be provided both immediately after the event and over an extended period to accommodate different personal reactions. The Occupational Health Department will therefore have an important role to play in these circumstances.

9.1.11 Accommodation

Individuals and departments may have to move to other premises following a disaster to establish a control centre or to restore provision of services. Arrangements for acquiring an alternative location should be included in the resumption plan. Other sources of assistance, such as information technology and communications equipment, may also be required to establish the Service in its new location. The accommodation requirement can be met in a number of ways:

► carefully managed reciprocal arrangements between other organisations or departments for an event which affects either of them;

► leasing arrangements for alternative locations, ranging in levels of equipment pre-positioned or provided by the owner;

► leasing arrangements with companies specialising in continuity and resumption facilities; and

► staff may be able to work at home for short-term disruptions.

9.1.12 Equipment suppliers and other sources of assistance

Contact details of equipment suppliers and other likely sources of assistance should be documented, including office and home telephone numbers, fax numbers and postal addresses. Some of the possible types of assistance required are:

► experts in the salvage of documents and computer data;

► smoke residue removal experts;

► plant hire contractors for pumps, generator or heating equipment;

► experts in decontamination;

► points of contact for all utilities (gas, electricity, telephones, water) and local authority engineering services;

► transport and removal companies;

► building contractors, architects and structural engineers;

► property agents (for emergency coordination);

► computer equipment suppliers;

► office furniture and equipment suppliers;

► specialist equipment suppliers;

► stationery suppliers;

► appropriate insurance companies;

► site security; and

► caterers (staff will need to be fed).

9.1.13 Communications and public relations

Communications with employees, customers and other affected parties and the media must continue through the period of resumption. Correspondence and telephone calls should be redirected. A media strategy should be developed which ensures that designated skilled staff speak officially to the media and other staff are instructed to refer calls to them. Managers must devise and implement a long-term plan for regular dissemination of information until normal services are restored. Managers may consider engaging professional public relations staff to produce and disseminate regular bulletins and media releases. These public relations efforts may be required to restore confidence in the organisation and its services.

9.2 Consolidate all sections of the plan into a resumption plan

The plans should be assembled to form the resumption plan for each department or function and, finally, the Service as a whole.

9.3 Consult with related organisation areas

The input and concurrence of related elements is critical before referring the completed plan to senior management.

9.4 Obtain senior management approval

Senior management should approve the plan as a minimum at two stages – upon conception and upon completion. Approval at both points includes resource costs. Ideally, the planning manager should be reporting to senior management on a regular basis while the plan is being developed.

9.5 Communicate the plan to all employees

The completed, authorised plan should be communicated to all staff and explained in a series of information sessions. The plan should be made available for review by all staff. The authority of the Crisis Management Team in resumption matters should be clearly communicated to staff and displayed under similar arrangements as the Emergency Control Organisation.

9.6 Store and maintain back-up copies of the plan in off-site storage area

A separate geographical location is preferable.


9.7 Test the completed organisation plan

The test should be conducted in a realistic fashion, but with ample warning to staff that it is a test. It is imperative to know if the plan works.

9.8 Exercise the plan regularly, evaluate results and update as required

The resumption plan should be exercised regularly and the results evaluated. The plan should be brought up-to-date on the basis of exercise results and changes in organisational policy, operations or procedures. Management should decide whether to use surprise in exercising the plan; however, it is not recommended that the first exercise be a surprise.

9.9 Train users in operation of the plan

Users should have gained some familiarity with the resumption plan during the implementation phase. It is critical, however, that all potential users be fully apprised of their roles and responsibilities under the plan. Depending on the complexity of the plan, it may be advisable to develop formal training; otherwise, ongoing information sessions may be the best approach.

9.10 Conduct audits of completed resumption plans on a regular basis

Update the plan, as required, on the basis of internal audit reports. Agencies should also consider obtaining audits of their plans from independent sources.

9.11 Ongoing maintenance and review

A schedule for ongoing maintenance and review should be established to ensure the BCM arrangements and plans remain relevant and effective in satisfying stated BCM policies and objectives.

Risks and the effectiveness of risk reduction measures need to be monitored to ensure changing circumstances do not alter risk priorities. Few risks remain static. As organisations and environments change, so too do the risks. Factors which may affect the likelihood and consequences of a risk may change, as may the factors which affect the suitability or cost of the various risk reduction options. A switch in priorities, changes to the environment, new equipment or supporting facilities and the introduction of new services are likely to require a change to the BCM arrangements.

Managers should therefore ensure they carry out reviews of the BCM arrangements and associated plans at specified intervals. It is necessary to repeat the risk management process and review the effectiveness of risk reduction strategies, the currency of contingency plans and the effectiveness of the management system which is set up to control implementation. Management review is also essential to ensure continued awareness of the plan. Records of such reviews should be maintained.


10. APPENDICES

10.1 Risk identification

Sources of risk

Sources of risk Description

Elements at risk

Elements at risk Description

Risk identification table

Elements at risk

Sources of risk

To indicate whether a relationship exists between sources of risk and elements at risk from tables above (Yes/No)


Definitions of risk ratings

• Very High (VH) risk – these are classed as primary or critical risks requiring immediate attention. They may have a high or low likelihood of occurrence, but their potential consequences are such that they must be treated as a high priority. This may mean that strategies should be developed to reduce or eliminate the risks, but also that mitigation in the form of (multi-agency) planning, exercising and training for these hazards should be put in place, and the risk monitored on a regular frequency. Consideration should be given to planning being specific to the risk rather than generic.

• High (H) risk – these risks are classed as significant. They may have a high or low likelihood of occurrence, but their potential consequences are sufficiently serious to warrant appropriate consideration after those risks classed as ‘very high’. Consideration should be given to the development of strategies to reduce or eliminate the risks, but also mitigation in the form of at least (multi-agency) generic planning, exercising and training should be put in place and the risk monitored on a regular frequency.

• Medium (M) risk – these risks are less significant, but may cause upset and inconvenience in the short term. These risks should be monitored to ensure that they are being appropriately managed and consideration given to their being managed under generic emergency planning arrangements.

• Low (L) risk – these risks are both unlikely to occur and not sufficient in their impact. They should be managed using normal or generic planning arrangements and require minimal monitoring and control unless subsequent risk assessments show a substantial change, prompting a move to another risk category.

10.2 Risk matrix for determining level of risk


10.3 Risk register

Columns: Risk | Likelihood | Potential impact | Adequacy of existing risk reduction measures / controls | Consequence rating | Level of risk (from Risk Matrix) | Priority rating

Rows: Identified risk (a); Identified risk (b); Identified risk (c); Identified risk (d); Identified risk (e)

Transfer higher priority risks to Continuity Management Risk Reduction Plan.

Adapted, and reprinted with permission, from Australian/New Zealand Standard AS/NZS 4360 –1999: Risk Management, Standards Australia.


10.4 Continuity management risk reduction plan

Columns: Risks (in priority order from Risk Register) | Possible reduction options | Preferred risk reduction option | Resource requirements | Result of cost-benefit analysis (accept/reject) | Person responsible for implementation | Timetable for implementation | Performance indicators | Reporting and monitoring mechanisms

Compiled by: ………………... Date: ………………...

Reviewed by: ………………... Date: ………………...

Date of risk review: ………………...

Adapted, and reprinted with permission, from Australian/New Zealand Standard AS/NZS 4360 –1999: Risk Management, Standards Australia.


10.5 Specific risk action plan

Risk: Ref:

Summary – recommended response and impact:

Action Plan

1. Proposed actions:

2. Link to (other actions):

3. Responsibility:

4. Resource requirements:

5. Schedule:

6. Performance indicators:

7. Reporting and monitoring required:

Compiler: Date: Reviewer: Date:

Adapted, and reprinted with permission, from Australian/New Zealand Standard AS/NZS 4360 –1999: Risk Management, Standards Australia.


10.6 Questions to ask staff

While this is generally the type of information managers will need to get from staff, additional information may be required at specific phases in the continuity management process.

1. What services does your area provide?

2. Who are your important clients or contacts, internal and external?

3. Are other agencies dependent on the services your area provides? Please list.

4. What external outputs does your area generate?

5. What work is in progress?

6. What would be the impact if the identified information and work in progress were destroyed and could not be recovered?

7. What work is in progress under contract or at another external facility?

8. Have there been any previous incidents which have resulted in the unavailability of services, functions or resources? What happened and what was the cause, impact, response, recovery and remedial action taken?

9. Can you identify any possible sources of risk to the services, functions and resources currently in your area?

10. What elements are at risk from these sources?

11. What are the existing safeguards (including those at external processing sites) and are they adequate?

12. Are there any regulatory requirements or penalties that must be considered in the event of a disruption to provision of services? Please list.

13. What are the public relations implications of a curtailment or shut-down of these services?

14. Is there a financial impact of the unit’s non-performance? How significant is this impact – is it measurable?

15. What would be the resulting legal or contractual liabilities if activities were curtailed or shut down?

16. Would the safety or security of personnel and property be jeopardised if the activity were interrupted?

17. What are the external requirements on a day-to-day basis? What do you need from outside the agency in order to be able to continue to function?

18. What are the immediate internal requirements? Where do they come from? Do they need to be situated nearby? Which of the critical operations are dependent on computer support?

19. Are there alternative manual operating procedures in place, with people who understand how to use them? How long could these operations be performed without computer support?

20. What staff, with which skills, are required to provide the critical services?

21. What essential operating information is needed for critical services? Prepare a checklist of essential records (paper, electronic data files, artefacts, etc.) and list special features such as security requirements. Who holds keys and codes?

22. What essential office equipment is required (fax, telephone, radio, furniture, special stationery, etc.)?

23. What special computer hardware, software, databases, networks or other technology is needed?


10.7 Resumption plan checklist

A checklist is a useful device to considerwhether the completed resumption plan isadequate. The plan should be reviewedregularly to assess whether answers to thefollowing questions have changed andadjustments in the plan are needed.

The following sets of questions are notintended to be exhaustive, but rather to givean indication of the types of questions to ask.Each directorate should develop its ownchecklist, based on its resumption plan, itsmandate and business, and identified threats.

1. Personnel

Have all employees seen the resumptionplan?

Have employees been instructed on theirspecific roles and responsibilities if theresumption plan is put into effect?

Have information sessions beenprovided?

Does the resumption plan include hometelephone numbers of those staffmembers with pivotal roles?

Does every employee know who doeswhat in the event of an emergency?

Have people with special needs beenidentified and provisions made for them?

Does the resumption plan provide meansfor replacement staffing when necessary?

2. Physical

What is the condition of the building? Is itold, recently retrofitted, or new?

Are the premises sole tenancy or sharedwith other organisations?

Is there access to a building engineerwho can inspect the building and facilitiessoon after an incident, so damage can be

identified and repaired, making thepremises safe for quick employee return?

Is there a plan for regular inspection ofthe building and facilities with aninspection checklist?

Are there hazards in adjoining orneighbouring buildings that couldendanger life or the business of thedepartment?

Are emergency exits clearly marked?

Have plans been made for alternativeshelter if needed?

Do employees know where these facilitiesare located?

What is the risk from failure of supplysystem components, such as electricityand gas, or the rupturing of toxic chemicalcontainers and pipes?

Are toxic materials safely stored?

3. Information technology

Have provisions been made soemployees can communicate with theirfamilies without overloading telephonecircuits?

Is there a plan for alternative means ofdata transmission if the computer networkis interrupted? Is the plan in writing? Arekey staff aware of it? Has the security ofalternative means of transmission beenconsidered?

How frequently is the recovery plan forelectronic data processing andemergency communications tested?

Does the resumption plan incorporate areview of computer operations andanalyse networking andinterdependencies between computersand systems?

Business Continuity Management Guidance & Protocol

Version 1 45 of 49 PDRH/PP May 2006

Are computers protected from leakage from fire sprinklers and pipes on upper floors?

Does the resumption plan consider the need for a back-up power generator?

4. Administrative procedures

Does the resumption plan cover administrative and management aspects, as well as operations? Is there a management plan to maintain operations if the headquarters is severely damaged, or if access is denied or limited?

In the event that some or all of senior management are unable to work, does the resumption plan have procedures that will enable others to assume their responsibilities?

Have essential records been identified? Is there a duplicate set of essential records stored in a safe location?

Are essential records segregated for easy retrieval from those not needed immediately?

Is there a review procedure to check the protective and emergency devices in offices?

Does the resumption plan include the names and ‘phone numbers of suppliers of essential equipment or other material?

5. Contracts

Do any of the agency contractors provide a service or deliver goods essential to fulfilling the department’s mandate and, if so, do these contractors have resumption plans in place?

Have alternative sources of supply been established?

Do any contracts involve the electronic processing of government information at the contractor’s facility?

Are resumption requirements identified in contract documentation?

(Adapted, and reprinted with permission, from Business Resumption Planning: Technical Standards, Treasury Board of Canada Secretariat, Ministry of Supply and Services, Canada, 1992.)


10.8 Sample format for a resumption plan

There are a number of different ways to present an agency resumption plan. The plan should, however, cover the following components:

1. Introduction

2. How to use the plan
- Plan structure
- Plan components:
  - emergency plan (may be included); and
  - recovery plan.

3. Authorisation
- Endorsement by appropriate authority
- A clear statement of support from senior management

4. Policy or objective statement
- Government or agency policy stating requirement for resumption plan
- Objectives to protect lives and physical assets, minimise disaster impact, activate recovery activities
- Principles upon which the plan is based

5. Definitions (could be located as a glossary)
- Ensures consistent terminology throughout guide

6. Scope
- How the organisation tackles the plan based on size, geographical spread, organisational structure

7. Justification
- Risk assessment and impact analysis, including list of main sources of risk and potential impacts on the agency

8. Emergency Response Plan (optional)
- Duty of care to employees
- H&S regulations for fire and bomb evacuation
- Emergency control organisation
- Fire and evacuation procedures. (These procedures should be in place and should be included in the plan as a reference or as an annex. If these procedures are not in place, it would be a priority task to establish them.)

9. Incident notification and escalation
- Identify key appointments within the agency for notification of incidents which have the potential to disrupt services
- Detail procedures to activate teams or place them on standby following an emergency
- Detail notification process detailed to minimise disruption or knock-on effects and prevent delays caused by confusion

10. Damage assessment
- Assess damage to property and equipment to estimate duration of disruption to services
- Use people experienced in damage assessment to check property, electrical and electronic equipment
- Maintain accurate, up-to-date building, floor and room plans

11. Resumption strategies
- Summary tasks
- Detailed tasks
- Start times, duration and end times
- Staff responsibilities and contact details
- Resources required and contact details
- Contract information

12. Media response
- Media liaison team will calm public fears regarding provision of services, alternative processes and quash rumours

13. Testing schedule
- Train staff
- Schedule continuity activities throughout the year
- Test alternative methods for providing services to familiarise staff and test effectiveness

14. Monitoring and review
- Keep plan up-to-date, including maintaining contact lists
