An executive summary should include the purpose of having a BCP for your business and highlight the key points in your plan:

Transcription

1 A Business Continuity Plan (BCP) helps you prepare for a major disruption to your business. It puts processes and plans in place to respond to these events and enable you to limit the impact these events have on your critical business functions. This template is a high level overview of the fundamental steps in putting together this plan. Business name: Date: Created by: EXECUTIVE SUMMARY An executive summary should include the purpose of having a BCP for your business and highlight the key points in your plan: SCOPE Determining the scope of your Business Continuity Programme is the first step in creating a workable BC Plan. It is important to ensure you understand the drivers behind identifying what is included and excluded from the scope to ensure effective deployment of resources. Deciding what products and services should be included in the scope can be driven by Customer requirements Legal and regulatory requirements High risk locations physical threats or proximity to industrial premises High income-generating product or service Business Continuity Plan 1

2 BUSINESS IMPACT ANALYSIS Based on the scope of your programme, the next step is to identify the critical processes within scope as part of the Business Impact Analysis (BIA). This can be done at a strategic level then filter down to an operational level where the systems and people who support those critical processes are identified. In order to prioritise critical processes for inclusion in the BCP, it is essential to understand how long the business can survive without those processes and/or systems before the disruption becomes intolerable this is known as the Maximum Acceptable Outage (MAO). More analysis needs to be carried out on how long that particular process or system takes to recover ideally this should be less that the MAO. If not, the organisation needs to set some Recovery Time Objectives (RTOs) and take action to bring the RTO to well within the MAO. Some consideration should also be given to how much data loss is acceptable to the business and targets set to minimise the impact of data loss this is known as Recovery Point Objective (RPO) and will determine your backup and recovery procedures. List here your critical processes and underlying systems and the impact of their loss: Business Process/System Est. revenue loss per day Estimated recovery time RTO RPO Priority Rating Scale 1 = Very Low 2 = Low 3 = Medium 4 = High 5 = Very High Business Continuity Plan 2

3 THREAT ANALYSIS Now you have determined the scope and identified critical processes and systems, the next step is to analyse potential threats to those processes/systems. Threat analysis uses common risk identification and assessment techniques to understand unacceptable concentrations of risks or single points of failure that could jeopardise critical business processes. Threat analysis should take into account people, premises, resources and suppliers. Threats can be different from one organisation to another however there are some common threats that all organisations face. These range from natural events such as a flood, fire, earthquakes, to human error, sabotage, cyber-attacks, power failure, no site access etc. Below are the most common threat events that have materialised for Interactive s customers. You can use the list as a start to determining your own threat analysis and mitigation strategy. Use a risk rating that does not over-emphasise the impact of minor events (i.e. should a low probability/high impact event have the same significance as a high probability/low impact event?) Threat Probability Impact Rating Mitigation Other Considerations Flood Loss of power Loss of Comms No site access OH&S events Rating Scale 1 = Very Low 2 = Low 3 = Medium 4 = High 5 = Very High Business Continuity Plan 3

4 RECOVERY SOLUTIONS How can you recover if a threat materialises? Having a recovery solution in place is key. Essentially this is your back-up plan. What s yours? For example, do you have insurance? Is your data backed up and easily recoverable? Are there any single points of failure in your technology infrastructure as well as in your processes and people? Threat Recovery Plan Estimated recovery time Responsibility Action point E.g. Disruption to call centre and/or staff contact insurance provider to make a claim re-locate call centre staff to office recovery stations 2-4 weeks IT manager to make insurance claim HR to manage relocation of staff Delegate personnel to manage relationship and contracts with insurance provider Call centre staff to resume day-to-day operations at recovery office station Loss of data Breach of security Business Continuity Plan 4

5 SUPPLIERS & KEY CONTACTS It will be important for you to put a team in place to manage rapid recovery in the case of an emergency. A team will be able to see the gaps that need to be filled as they put the pieces back in place. Who do you need to contact in case of an emergency? What are the first steps to take to mitigate further disaster and to start righting the ship? Suppliers Provider Type Key Contact & Details Alternate Contact & Details Notes Insurance Security Telecommunications provider BC provider Business Continuity Plan 5

6 Key Internal Contacts Keep all internal contacts in one sheet and identify key roles and responsibilities of individuals involved in the recovery of a business. Role Team Members Involved Contact Details Alternate Contact Roles & Responsibilities BC Team Sarah Gully BC manager Tom Bennett BC advisor Sarah Gully S.gully@name.com.au Tom Bennett t.bennett@name.com.au In the declaration of a disaster, BC team will liaise with key internal and external folders to implement BCP They will officially declare a disaster and be the main point of contact. In the event of a major disruption, every business will have specific needs to restore its day to day business operations. Interactive offers alternative premises, system restoration and backup solutions. Contact our team at to schedule a meeting and Business Continuity facility tour. Business Continuity Plan 6