Business Continuity Toolkit Plan Development – Guidance
Version 1.4 – November 2010
Acknowledgement
• The University of Exeter’s Business Continuity Toolkit has been developed in collaboration with Back2business Ltd.
• We are grateful to Mark Nicholas, (Commercial Director, Stem Group) for sharing his expertise and providing the framework for these toolkit resources.
Introduction & Context
Business Continuity Planning
Plan Template
Recovery Priorities & Requirements
BC Strategies
1
Contents
2
3
4
5
Introduction & Context
• This slide deck is intended to accompany the Business Continuity Plan for additional guidance purposes, in order to assist with the development of departmental plans.
• It also references the ‘Risk, BIA & Strategy’ spreadsheet which once completed, should provide sufficient levels of detail to populate the relevant plan areas.
1
The Business Continuity Process
• Risk & BIA Framework– Agree timeframes, metrics (RTO, RPO),
define critical functions
• Discuss & explore potential strategies and solutions – IT
– Office & Admin Functions
• Framework for Incident Response and Continuity Plans
• Other– Review provided data – e.g. IT DR
Statement
1
Introduction & Context (3)
• Where we are now
• What we need you to do– Complete Risk, BIA & Strategy
information to cover gaps in the plans
– Provide Recovery Timeframes (RTO)
– Provide recovery profile for people over time
– Identify Applications & Systems
1
BC Planning is defined as…
• Business Continuity Planning is the process of advanced planning and preparation to protect against potential loss by formulating and implementing viable strategies and to document them in the form of a plan.
• A BC plan is a documented collection of resources, procedures, tasks, strategy and information that is developed, compiled and maintained in readiness for use following an incident, or crisis situation.
• Remember, this is a living document!
2
Where does my Business Continuity Plan fit in? Structure, Roles and Responsibilities (An example)
Gold Incident Response Plan
Silver Business Continuity Plans
Bronze Operational/Business As UsualProcesses
See slide notes for more information
2
INCIDENT RESPONSE TEAM LEADER
DIR COMMS DIR AS DIR PERS DIR CaS SNR DPTY VC ED
DEPTY DIR COMMS
LEGAL ASST DIR IT H o PROPY SERVS
LIBRARY
STUDENT SERVS
INTERN’L OFFICE
TECH & INFRASTR
SECURITY CONFS & RETAIL
H&S
ELEC ENGR LAB TECH’NS
FACILITIES NETWORKS HELP DESK TRANSP’RT
ACCOMMO-DATION
ACAD’MICSREGISTRY
STRATEGIC
TACTICAL
OPERATNL
Business Continuity Plan – Roles
• BC Team Leader/Plan Owner• Deputies, possibly 1 or 2 depending on number of
functions/activities• BC Team Members• There is no need to include all recovered staff in
the team plan, just those involved in the recovery activities
3
Business Continuity Plan – Template Guidance
• Text within template which is currently in Italics will need to be
– Replaced with your own information– Or deleted, as it is for guidance purposes only
• Plans need to exist for the most appropriate business critical activities
– Guideline should be from ‘Immediate’ to 5/8 days. Anything beyond this will be a judgement call on whether strategies or recovery procedures are required by you
– Simplify or combine Activities or Processes where appropriate (there is no need to list every process/activity as per the BIA feedback – be sensible, as this plan needs to be meaningful and usable!)
– Collaborate and collude with other depts & functions where necessary, e.g. where a process crosses several functions
3
Business Continuity PlanRecovery Priorities & Requirements
• Section 3 of the Plan Template. List Business Critical Activities for function/dept – here you should reference the ‘Risk, BIA & Strategy’ spreadsheet where you should find completed;
– RTO’s & RPO for Colleges / Departments critical functions & activities
– Application and Systems for each critical activity
• (Delete Italic directions in plan once finished)
• Note: any resources, procedures or strategies which are put forward by plan owners will be considered by Insurance & Business Continuity Services to ensure that there are no grey areas or overlaps.
4
Business Continuity Plan – Strategy Development
• From ‘Do Nothing’ to ‘Do Everything’• Which Strategies are cost effective?
– Will require time to implement, cost more or a lot, easy wins
– Consider the sliding scale from localised problems to Worst Case Scenario (e.g. Denial of Access to Campus/College/Building)
• Consider staff, IT (applications & data), lecture resources, facilities, specialised equipment
• For more strategy options – please refer to next slide
5
Business Continuity Plan – Recovery Strategies
• What Strategies could you employ for people?– Working from home?– Working from 3rd party? (supplier, partner, specialist provider)
• What Strategies could you employ for IT?– Broadband, Dongle, telephony, VPN, Laptop– Backup/replicated systems, remote access, cold start up
• What Strategies could you employ for Processes/Activities?– Manual workarounds, paper based systems – Outsource, reciprocal agreements
• Consider running a strategy workshop to develop viable options
Populate Section 4 of the Plan with these options and those derived in the Risk, BIA & Strategy options spreadsheet.
See Crisis Definition table overleaf >
5
Business Continuity Plan – Recovery
Strategies
• As defined for Incident Declaration purposes.
• Consider if your plan would address the relevant scenarios for Levels 2 & 3
• Challenge any assumptions
5
Next Steps
• Start the BIA• Come to the clinics in December and January for support• Complete your plans• Carry out an exercise (this can be fun!)• Review content
– Strategies, requirements and resources– Feasibility– ‘Fitness for Purpose’
For further guidance and support,please email or call:
01392 72 5768