As a follow-up to the Business Continuity Management program article, here is a more detailed description of the objectives and content of the Business Continuity Plan (BCP) for major incidents, as produced in the development and implementation phase. This plan is in fact a set of plans comprising the following main components:
Emergency action plan and damage assessment
This is a response plan for dealing with activity-disrupting incidents. It aims, in the following order, to ensure the health and safety of personnel, to protect assets and to comply with laws and regulations. This plan includes a description of the site and building, prevention measures (fire, training and drills, coordination with public authorities), alert and escalation procedures, damage assessment procedures (affected site, type of event, estimated duration), emergency response procedures (evacuation or shelter plan, etc.) as well as stabilization and damage limitation.
Crisis Management Plan
This plan aims to ensure that decisions are made in a timely manner (e.g. activation of plans), to allocate the resources necessary to manage the incident and to ensure a coordination process. This plan includes an alert and escalation procedure, a procedure for activating the command center (crisis unit), a procedure for disaster declaration and plan activation, as well as coordination procedures throughout the crisis.
Crisis Communication Plan
This plan aims to provide key and consistent messages during a crisis situation (demonstrating that the situation is under control), to help communication teams and to reduce the pressure felt by the various teams. It includes different procedures such as the mobilization of the team, the collection and validation of information, message approval and communication, the publication or distribution of communications, and the maintenance of a communication log. Spokespersons should be used, and they should be tailored to the target groups (staff, contractors, media, public authorities, customers, the public, etc.). Furthermore, the means of communication should also be adapted to these groups (telephone call or conference call, website, email, conference or press release, newsletter, etc.). The communication plan is usually part of the crisis management plan.
Preparedness and response plan in case of staff shortage
This plan aims to prepare the organization for dealing with a pandemic or other situation resulting in a staff shortage. It involves the implementation of actions aligned with business needs in order to minimize impacts during a significant staff shortage.
Functional Business Continuity Plans
These plans aim to resume critical activities, for a specific department, within a predetermined timeframe. They provide all the personnel involved with the procedures and tools required to resume operations in a "degraded" mode. These plans should include the business continuity strategy, the critical activities to be resumed along with the required recovery time or RTO ("Required Time Objective"), key assumptions, the action plan (reaction to the incident, organization, recovery or resumption of activities, back to normal) as well as various important pieces of information (contact details; a list of all staffing, information resource, equipment and supply needs; essential documents, etc.).
IT recovery plan
This plan allows for the recovery of IT systems within the predetermined timeframe (identified during the BIA or “Business Impact Analysis”). It guarantees access to applications and systems required for the organization’s support and critical business functions. The content of an IT recovery plan is similar to that of functional business continuity plans; however, it is adapted to information technology. An IT recovery plan typically involves the use of an alternative site identified in the recovery strategy. Examples include a “Hot Site”, a site equipped with all the necessary components, already configured; a “Warm Site”, an equipped site whose equipment is not configured; or a “Cold Site”, an empty facility ready to receive equipment.
By Patrick Paradis, Information Security Consultant