BUSINESS CONTINUITY PLAN

To print to A4, print at 75%.

How to Develop a

BUSINESS

CONTINUITY

SUMMARY

SUMMARY

WHY YOU SHOULD READ THIS

GUIDE

A disaster or interruption can occur at any time without any warning—your company’s survival depends on the steps you take to prepare for these potentially catastrophic events. The most effective preparation takes the form of a written document called a Business Continuity Plan (BCP). This document serves as a guide to writing a formal BCP for your company, which will help minimise recovery time and losses in the event of a disaster or interruption.

FORMAL INSTRUCTIONS ARE CRUCIAL

A BCP is a valuable tool for your company, but its effectiveness is determined by how thorough and clear the document is. A concise, step-by-step guide addressing

numerous scenarios will best aid responders.

PLAN, WRITE, AND REVIEW

The first step in drafting a BCP is to plan by assessing the status quo. Some things you will need to think about are:

» What does your company hope to accomplish by creating and adopting a BCP?

» What informal mechanisms are already in place to minimise losses during a disaster or interruption? Next, you will strengthen current strategies and develop new ones to more effectively mitigate the adverse effects of disasters and interruptions. Use this guide to help you decide how to prioritise efforts and minimise recovery time, then write your plan— thoroughly document your strategies

TABLE OF CONTENTS

SUMMARY

WHAT IS A BUSINESS CONTINUITY PLAN? CHAPTER 01 PREPARING TO WRITE YOUR BUSINESS

CONTINUITY PLAN CHAPTER 02

WRITING YOUR BUSINESS CONTINUITY PLAN CHAPTER 03 NEED HELP ENSURING YOUR COMPANY IS PREPARED

FOR INTERRUPTIONS AND DISASTERS? CHAPTER 04

About the Author

Stuart Mills, Head of Solutions Marketing for Hosting at Macquarie Telecom has 22 years experience working in customer-facing roles for a range of Service Providers offering Systems Integration, Telecoms, Managed Services, Hosting Services and Cloud. Over that time Stuart has been instrumental in delivering Managed Services solutions to a wide range of major Australian and international online, corporate and government clients.

01 02 03 04

SUMMARY

and include all necessary additional information.

Finally, review the plan. Your company and the environment will change frequently; you will need to test and modify your plan continuously to ensure its effectiveness.

01 02 03 04

YOUR COMPANY AND THE ENVIRONMENT

WILL CHANGE FREQUENTLY; YOU WILL

NEED TO TEST AND MODIFY YOUR

PLAN CONTINUOUSLY TO ENSURE ITS

WHA T IS A BUSINES S CONTINUITY PLAN? CHAPTER 01

WHAT IS A

BUSINESS

CONTINUITY PLAN?

A Business Continuity Plan (BCP) keeps your company up and running in the event of an interruption or crisis, from a day-long loss of power to irreparable building or facility damage. Step-by-step, a BCP explains the procedures for continuing operations without

interruption or recovering operations as quickly as possible.

WHAT IS THE DIFFERENCE

BETWEEN A BUSINESS

CONTINUITY PLAN AND A

DISASTER RECOVERY PLAN?

Disaster Recovery Plans (DRPs) and BCPs are often mistakenly considered to be interchangeable. In fact, the

DRP, which provide instructions for IT infrastructure recovery, is a crucial component of the BCP, which encompasses recovering from all aspects of adverse events. This can include facilities and plant damage, loss of materials and equipment, and affected personnel as well as data recovery.

WHY DOES MY COMPANY NEED

A BUSINESS CONTINUITY

PLAN?

Your company needs a BCP in order to remain competitive and profitable in the event of a disaster.

» Disasters can strike at a moment’s

notice, forcing you to respond quickly without time to coordinate your response. Having a BCP in place means your company has a tried and tested plan and responders know exactly what to do. There will be less chaos and a quicker return to normalcy.

» Weather-related natural disasters seem to be increasingly common and more severe. Economic losses from earthquakes and cyclonic wind damage alone are expected to amount to $180 billion per year throughout the 21st _century[1]_.

Showing clients and customers that you are prepared to handle unexpected events with potentially disastrous outcomes gives you the kind of competitive edge needed to bring you more business.

» Without a BCP, your business as a whole is in danger. In 2013, 87% of executives surveyed indicated they had a BCP in place in case of disaster or threat[2]_{. Without a}

BCP, your company is drastically under-prepared compared to your competitors, which leaves you at risk of not only losing profits, but also customers.

» It is more than likely that you will use a BCP. In 2011, 61% of companies with a BCP invoked it[3]_.

With a BCP in place, your company will: » Avoid having to make impulsive

decisions under stressful conditions.

» Remain competitive.

» Retain current customers and increase customer base. » Be prepared.

You have the ability to decrease adverse effects of disaster by enabling operations to resume smoothly and quickly with a BCP. The following section will detail steps to developing a BCP for your company.

01 02 03 04

PREP

ARING T

O WRITE Y

OUR BUSINES

S CONTINUITY PLAN

There is significant preparation that must take place before a

comprehensive BCP can be written. A Business Impact Analysis (BIA) is necessary in order to identify your company’s critical business processes and functions and

potential impacts on these processes and functions during a disaster or interruption. You are then ready to consider how these critical processes and functions will be supported and recovered if interrupted and who will be responsible for their recovery. These tasks are complex undertakings, but crucial to

developing a sound and effective BCP.

CONDUCTING A BUSINESS

IMPACT ANALYSIS

In the event of an interruption, your company needs to keep critical processes and functions running in order to minimise losses. But which critical processes are at risk? And which should be protected and/or restored first? A thorough BIA will answer these questions and set the stage for your BCP.

STEP 1: CONSIDER THE RISKS YOUR COMPANY FACES

Any number of events could disrupt your company’s day-to-day operations. Consider large-scale disasters as well as short-term, routine interruptions. CHAPTER 02

PREPARING TO

WRITE YOUR

BUSINESS

CONTINUITY PLAN

Some possible risks include, but are not limited to:

» Fire. » Explosion.

» Natural disaster. » Pandemic disease.

» Utility outage, prolonged or due to routine maintenance.

» Mechanical breakdown. » Supplier failure.

» Cyber attack. » Flood.

» Loss or illness of key personnel. The risks your company is susceptible to will vary depending on the type of business you conduct as well as geographical location.

STEP 2: IDENTIFY CRITICAL BUSINESS PROCESSES AND FUNCTIONS

Critical business process and functions are the components of

business that must be running in order to deliver your company’s key products and services and otherwise meet objectives.

STEP 3: ASSESS IMPACTS

In the event of the risks considered in Step 1, what would happen to each of these critical process and functions? It is recommended that a BIA survey is distributed to key personnel and

managers, asking them to list the impacts of an interruption and, importantly, how long a process must be interrupted in order to be impacted. This is called the Recovery Time Objective (RTO). For example, an IT network outage may have an immediate impact, whereas a power outage could take several hours to impact business depending on availability of backup power supplies. Some impacts to consider are:

» Loss/delay of sales.

» Increased expenses, such as overtime or expedited shipping costs.

» Penalties for failing to comply with regulations or meet contractual obligations.

01 02 03 04

PREP ARING T O WRITE Y OUR BUSINES S CONTINUITY PLAN » Loss of reputation.

STEP 4: PRIORITISE PROCESSES AND FUNCTIONS

Critical business processes and functions should be ordered by significance of impact on operation in case of interruption. This way, the continuity and/or recovery of processes whose disruption would cause the highest potential financial or operational impact can be prioritised in the BCP.

IDENTIFYING RESOURCES, RECOVERY STRATEGIES, AND RESPONSIBLE PERSONNEL

You are now ready to arm yourself with protective resources. What is needed in order to support your company’s critical processes and functions if they are interrupted? Consider the following and adjust as necessary.

» Employees.

» Office/production space.

» Access to records and data, both electronic and paper.

» Equipment and machinery. » Materials.

Next, think of how these resources will be provided to your company in a time of need; these are your recovery strategies. For example, recovery strategies for a resource such as office space could be having employees work from home, from another branch, or from a third-party provided space. Recovery strategies will depend on your company’s unique organisation and needs. It is at this point that you should start to develop a comprehensive DRP in close consultation with your IT department. As a final stage in the planning

process, decide who will be responsible for implementing the BCP; this will be your recovery team. It is essential that tasks are assigned based on job positions rather than individual people in order to anticipate likely changes in personnel over time.

01 02

WHAT IS NEEDED IN ORDER TO

SUPPORT YOUR COMPANY’S CRITICAL

PROCESSES AND FUNCTIONS IF THEY ARE

INTERRUPTED?

04 03

WRITING Y

OUR BUSINES

S CONTINUITY PLAN

Armed with a thorough

understanding of your company’s vulnerabilities and how they can be protected, you are now ready to create your company’s lifeline in the face of adverse events or interruptions. This section functions as a template for the BCP. Remember to be clear and concise; instructions will be easier to understand and follow in stressful conditions if they contain the minimum amount of information necessary.

PART 1: OBJECTIVES

In the event of a worst case scenario, employees will be faced with an overwhelming task—getting an entire company back up and running. The

first part of the BCP should contain clear objectives to provide a starting point for your recovery team, motivate them, and keep them on track, greatly reducing recovery time. Clearly

indicate prioritised business processes and functions along with their RTOs.

PART 2: DIRECTORY OF KEY PERSONNEL

It is recommended that contact information for key personnel be placed in a table at the beginning of the BCP. You will need contact information for:

» Executives and other personnel who need to be informed that a disaster has been declared.

CHAPTER 03

WRITING YOUR

BUSINESS

CONTINUITY PLAN

» Specialists who can aid in the recovery.

» The recovery team themselves. The easier it is to reach key personnel, the sooner your recovery team can begin action. In addition, time can be saved by arranging a calling tree.

PART 3: HOW TO USE THE PLAN

This may seem like a trivial inclusion, but a crucial component of handling disasters or interruptions is knowing whether to put a continuity plan into effect. If a disaster is unnecessarily declared, this could cost the company valuable time and money. Therefore, the steps needed to declare a disaster must clearly be enumerated.

» What information needs to be gathered before a disaster can be declared? » Who should gather this information? » Who has the authority to declare a

disaster or set the BCP into action? Remember that a BCP is not only for use during what are traditionally called “disasters”, such as natural disasters or IT infrastructure failure. A BCP

can also function during short-term interruptions. It is equally as necessary to know who has the power to decide whether a BCP will be carried out under these circumstances.

PART 4: RECOVERY PROCEDURES

There are three steps involved in enacting recovery procedures: First Response, Recovery Phase, and Post-Recovery Phase.

FIRST RESPONSE

Of course, an organisation’s employees are its most important assets and the first component of any response should be to ensure safety of personnel. In addition to ensuring safety, it is recommended that this section include a checklist containing at least the following:

» Inform senior management, authorities, and clients or customers if necessary. » Gather recovery team. » Assess damage to critical

processes.

» Prevent further damage to critical processes.

01 02 03 04

WRITING Y

OUR BUSINES

S CONTINUITY PLAN

RECOVERY PHASE

A BCP will be most effective if it includes recovery procedures for the restoration/continuity of all critical processes and functions. It is possible that a given interruption or disaster will only affect a subset of processes, but if exhaustive recovery procedures are included, your company has better chances of surviving an unexpected event of large magnitude.

It is recommended that information in this section be organised by risk scenario, for example, Loss of Building, Loss of Data, Loss of Utilities, etc. Instructions should contain clear indication of magnitude of impact (high, medium, or low), functions affected, step-by-step actions to be taken, resources

available, and responsible personnel.

POST-RECOVERY PHASE

Once the recovery phase has been completed, steps must be taken to return your company to normalcy. This can take significant time and procedures enacted during the

recovery stage may stay in place long-term. For example, if a building is lost, employees will need to continue working at alternate locations until

a new building is constructed or attained. A Post-Recovery Phase may include the following:

» Permanent repair of damage.

» Replacement of damaged materials, equipment, facilities.

» Notification of insurance companies.

» Return of employees to main site. » Notification of suppliers, clients,

customers, and media of end of incident and return to normal operations.

PART 5: PLAN EVALUATION

Some of the most effective business continuity planning comes from those who have experienced an interruption or disaster; therefore, it is extremely valuable to evaluate your BCP’s effectiveness after use. This evaluation helps adjust a plan, increasing mitigation of future disasters and interruptions. Members of the recovery team and managers of critical processes should be asked follow-up questions such as:

» Were the overall goals of the BCP met? » How effective was the BCP in

meeting RTOs?

» How could the plan be made more efficient?

» Could the plan be written more clearly?

» What was the financial toll of the recovery process?

PART 6: TRAINING AND TESTING

No plan will be effective unless your company is prepared to enact it. Include a training plan in your BCP and train your current recovery team. It will be necessary to routinely train new employees as well as veterans when the plan is updated.

Similarly, your plan cannot be a trusted source of protection unless it has been thoroughly tested. Develop testing exercises, such as modular simulations or tabletop walk-throughs and conduct them frequently; develop a comprehensive simulation test and conduct it when the plan is adopted for the first time and less frequently thereafter. Be sure to include

instructions as to how often a plan should be tested.

Some areas to test include:

» Consistency and accuracy of First Response.

» Ability to implement recovery procedures in a timely manner (e.g. relocation of employees, implementation of data recovery procedures).

» Communication between recovery team and managers of impacted critical processes.

» Ability of plans to adapt to unexpected scenarios.

» Record results of tests in your BCP and use the results to modify the plan.

PART 7: MAINTENANCE

As your company changes and adapts to the current market, so will its organisation, processes, and functions. Your BCP needs to be adapted, too, through routine maintenance. Simple elements such as contact information can have a drastic effect if not updated. Include

01 02 03 04

WRITING Y

OUR BUSINES

S CONTINUITY PLAN

a maintenance and update schedule detailing how often the plan should be assessed.

REVIEWING AND ADOPTING THE BUSINESS CONTINUITY PLAN

After the BCP has been written, it must be reviewed and approved by key personnel such as executives and the current recovery team. Once the plan has been officially adopted, it should be distributed digitally and in print to relevant staff.

AS YOUR COMPANY CHANGES AND ADAPTS

TO THE CURRENT MARKET, SO WILL

ITS ORGANISATION, PROCESSES, AND

FUNCTIONS.

03 01 02 04

W

ANT MORE HELP T

O PREP

ARE T

O INERRUPTIONS AND DISASTERS?

CHAPTER 04

NEED HELP ENSURING

YOUR COMPANY

IS PREPARED FOR

INTERRUPTIONS AND

DISASTERS?

Macquarie Telecom’s LAUNCH Disaster Recovery and Disaster Avoidance solutions are reliable turnkey solutions that help your company mitigate losses by running smoothly in the face of interruptions and disasters.

WANT TO LEARN MORE ABOUT HOW LAUNCH CAN HELP YOUR COMPANY STAY UP AND RUNNING?

Contact Macquarie Telecom on 1800 004 943 or visit

www.macquarietelecom.com/products/ launch-hosting

REFERENCES:

» [1] Natural Disasters Have Cost the Global Economy $2.5 Trillion Since 2000. http:// www.businessinsider.com/un-natural-disasters-cost-25-trillion-2013-5 Business Insider. 2013.

» [2] AT&T releases results from its 2013 Business Continuity Study. http://www. continuitycentral.com/news06811.html

Continuity Central. 2013.

» [3] Balaouras, Stephanie. The State of Business Continuity Preparedness.

http://www.drj.com/images/surveys_pdf/ forrester/2011_Forrester_SOBC.pdf Disaster Recovery Journal. 2012.

WANT TO LEARN MORE ABOUT HOW

LAUNCH CAN HELP YOUR COMPANY STAY

UP AND RUNNING?

01 02 03 04