DRI Canada Professional Practices (2014-07) PDF

Professional Practices for Business Continuity Practitioners

Professional Practice Subject Area Overview

1. Program Initiation and Management.
Establish the need for a Business Continuity Management Program within the entity and identify the program components from understanding the entity’s risks and vulnerabilities through development of resilience strategies and response, restoration and recovery plans. The objectives of this professional practice are to obtain the entity’s support and funding and to build the organizational framework to develop the BCM program.

2. Risk Evaluation and Control.
The objective of this professional practice is to identify the risks/threats and vulnerabilities, both inherent and acquired, which can adversely affect the entity and its resources or impact the entity’s image. Once identified, threats and vulnerabilities will be assessed as to the likelihood that they would occur and the potential level of impact that would result. The entity can then focus on high probability and high impact events to identify where controls, mitigations or management processes are non-existent, weak or ineffective. This evaluation results in recommendations from the BCM Program for additional controls, mitigations or processes to be implemented to increase the entity’s resiliency against the most commonly occurring and/or highest impact events.

3. Business Impact Analysis.
During the activities of this professional practice, the entity identifies the likely and potential impacts from events on the entity or its processes and the criteria that will be used to quantify and qualify such impacts. The criteria to measure and assess the financial, customer, regulatory and/or reputational impacts must be defined and accepted and then used consistently throughout the entity to define the Recovery Time Objective (RTO) and Recovery Point Objective (RPO) for each of the entity’s processes. The result of this analysis is to identify time sensitive processes and the requirements to recover them in the timeframe that is acceptable to the entity.

4. Business Continuity Strategies.
The data that was collected during the BIA and Risk Evaluation is used in this professional practice to identify available continuity and recovery strategies for the entity’s operations and technology. Recommended strategies must be approved and funded and must meet both the recovery time and recovery point objectives identified in the BIA. A cost benefit analysis is performed on the recommended strategies to align the cost of implementing the strategy against the assets at risk.

5. Emergency Response and Operations.
This professional practice defines the requirements to develop and implement the entity’s plan for response to emergency situations that may impact the safety of the entity’s employees, visitors or other assets. The emergency response plan documents how the entity will respond to emergencies in a coordinated, timely and effective manner to address life safety and stabilization of emergency situations until the arrival of trained or external first responders.
Professional Practice One Program Initiation and Management

Establish the need for a BCM Program within the entity and identify the program components from understanding the entity’s risks and vulnerabilities through development of resilience strategies and response, restoration and recovery plans. The objectives of this professional practice are to obtain the entity’s support and funding and to build the organizational framework to develop the BCM program.

The Professional’s Role in Professional Practice One is as follows:
1. Establish why the entity needs a Business Continuity Management Program
2. Obtain leadership/management support for the BCM program
3. Coordinate and manage the implementation of the BCM program throughout the entity

The Business Continuity Professional would demonstrate knowledge of this professional practice area by performing the following:

1. Establish why the entity needs a Business Continuity Management Program.
d. Review existing audit reports to ensure the proposed BCM program adequately addresses any gaps or opportunities previously identified (through either internal or external sources).
e. Identify business practices (such as complex supply chain strategies implemented on a regional or global scale) that may adversely impact the entity’s ability to recover following a disaster event.
f. State the benefits of BCM and relate them to the entity’s mission, objectives and operations.
g. Explain executive management’s/leadership’s role, including their accountability and liability within the BCM Process.
h. Develop formal reports and presentations focused on increasing the awareness and potential impact of risks to the organization from a Business Continuity Management (BCM) perspective.

2. Obtain leadership/management support for the BCM program.
a. Develop a mission statement/charter for the BCM program.
b. Develop objectives for the BCM program tied to support of the entity’s mission.
c. Develop budget requirements for the BCM program.
d. Define BCM program structure, its policies and critical success factors.
e. Present and obtain management/leadership support and approval of the BCM Program.
f. Identify executive sponsors for BCM program development.
g. Obtain executive approval for budget requirements.
h. Gain agreement on the establishment of the Planning/Steering Committee along with tactical support functions needed, including primary and alternates for each role.
i. Define the scope, responsibilities and overall accountability of each member of the Planning/Steering Committee and support functions.

3. Coordinate and manage the implementation of the BCM program throughout the entity.
a. Lead the designated Planning/Steering Committee in defining objectives, program structure, policies and how critical success factors will be managed.
b. Develop relevant policies, procedures and charters.
c. Clearly define and obtain the resources needed for the BCM program.
d. Identify teams for BCM program implementation, including teams that will participate in the execution of the following activities:
i. Risk assessment and resiliency strategies
ii. Business impact analysis
iii. Recovery strategy selection and implementation
iv. Overall incident and emergency management
1. Incident response and recovery
2. Crisis management and communication
3. Post incident gap analysis and implementation of lessons learned
v. Developing business continuity plan documentation
vi. Plan testing, exercise and maintenance activities
vii. Response, recovery and restoration activities during an event
DRI International
Professional Practice Two Risk Evaluation and Control (continued)

2. Identify, develop and implement information gathering activities across the entity to identify threats/risks and the entity’s vulnerabilities.
a. Determine methods of information gathering.
b. Collaborate with the entity’s legal counsel, physical security, information security, privacy and other pertinent areas to identify known risks and vulnerabilities.
c. Determine information sources to be used to collect data on risks.
d. Determine the credibility of the information sources.
e. Develop a strategy to gather information consistent with the entity’s policies.
f. Develop a strategy to gather information that can be managed across all of the entity’s divisions and locations.
ii. Interviews
iii. Meetings
iv. Or combinations of the above

3. Identify threats/risks and the entity’s vulnerabilities.
a. Identify threats/risks and vulnerabilities to the entity taking into account frequency, probability, speed of development, severity and reputational impact to achieve a holistic view of risk across the entity.
b. Identify risk exposures from both internal and external sources. These sources include, but are not limited to:
i. Natural, technological or acts of man
ii. Industry/business model
iii. Accidental versus intentional
iv. Controllable exposures/risks versus those beyond the entity’s control
v. Events with prior warnings versus those with no prior warnings

4. Identify probabilities and impact of the threats/risks identified.
a. Develop a method to evaluate exposures/risks in terms of risk frequency, probability, speed of development, pre-incident warning (e.g. hurricane), severity and entity impact.
b. Identify the impact of identified risks. Risk impacts include, but are not limited to:
i. Facility
ii. Security (both physical and logical)
iii. Reputational
iv. Legal
v. Customer
vi. Procedural
vii. Information Technology (including operational infrastructure)
x. Compliance
c. Evaluate identified risks and classify them according to relevant criteria including, but not limited to:
i. Risks under the entity’s control
ii. Risks beyond the entity’s control
iii. Risks with prior warnings (such as tornadoes and hurricanes)
iv. Risks with no prior warnings (such as earthquakes)
d. Evaluate the impact of risks and vulnerabilities on those factors essential for conducting the entity’s operations:
i. Availability of personnel
ii. Availability of information technology
iii. Availability of communications technology
iv. Status of infrastructure (including transportation), etc.
Professional Practice Two Risk Evaluation and Control (continued)

6. Changes to security and access controls, tenant insurance, leasehold agreements.
ii. Logical protection
1. Assess the need for system-provided protection of data stored, in process, or in transit; information backup and protection.
2. Evaluate information security: hardware, software, data, and network monitoring (e.g., detection, notification, etc.).
3. Location of assets.
iii. Changes to personnel procedures.
iv. Increased preventive maintenance and service as required.
v. Utilities: duplication of utilities, built-in redundancies (Telco, power, water, etc.).
vi. Interface with outside agencies (vendors, suppliers, outsourcers, etc.).
c. Receive approval of risk assessment recommendations.
Professional Practice Three Business Impact Analysis

During the activities of this professional practice, the entity identifies the likely and potential impacts from events on the entity or its processes and the criteria that will be used to quantify and qualify such impacts. The criteria to measure and assess the financial, operational, customer, regulatory and/or reputational impacts must be defined and accepted and then used consistently throughout the entity to define the Recovery Time Objective (RTO) and Recovery Point Objective (RPO) for each of the entity’s processes. The result of this analysis is to identify time sensitive processes and the requirements to recover them in the timeframe that is acceptable to the entity.

The Professional’s Role in Professional Practice Three is as follows:
1. Identify the criteria to be used to quantify and qualify the entity’s impact from events.
2. Establish the Business Impact Analysis (BIA) process and methodology.
3. Plan and coordinate data gathering and analysis.
4. Gain leadership agreement on BIA methodology and the criteria to be used.
5. Analyze the data collected against the approved criteria to establish RTO and RPO for each operational area and the technology that supports them.
6. Document minimum resource requirements for resumption and recovery of core and support business functions and their escalation over time.
7. Prepare and present the BIA results to the entity’s leadership and gain acceptance of the RTO and RPO for each process.

Note: While the Business Continuity Professional may be given the responsibility to manage a BIA, the ‘ownership’ of that BIA resides with the entity and its leadership, or the owners of the process or processes under consideration.

The Business Continuity Professional would demonstrate knowledge of this professional practice area by performing the following:

1) Identify the criteria to be used to quantify and qualify the impact to the entity.
a) Define and obtain approval for criteria to be used to assess the impact on the entity’s operations including but not limited to:
(1) Customer impact
(a) How quickly customers will know you have a problem
(b) How worried they will be about it
(c) What is the likelihood they will take their business elsewhere
(d) What the impact to committed service levels will be
(e) The impact to the supply chain of customers
(f) Injury or death of a customer (e.g. hospital patient)
(2) Financial impact
(a) Loss of revenue
(b) Additional costs to recover
(i) Declaration and daily usage fees
(ii) Overtime
(iii) Travel and expense
(iv) Insurance deductibles
(v) Replacing lost equipment, raw material and supplies
(c) Clean up and restoration cost
(d) Loss of financial control
(e) Impact to cash flow
(f) Impact to market share
(g) Impact on future sales
(h) Impact on share price of stock
(i) Contractual fines or penalties
Professional Practice Three Business Impact Analysis (continued)

(j) Lawsuits
(3) Regulatory impact
(a) Fines
(b) Penalties
(c) Required to pull product off market due to loss of safety information
(4) Operational impact
(a) Reduced service levels
(b) Increased overtime costs
(c) Workflow disruptions
(d) Loss of control
(e) Inability to meet deadlines
(f) Supply chain disruption
(5) Reputational impact
(a) Media attention
(b) Social media
(c) Community
(d) Shareholder confidence
(e) Competitor taking advantage of negative attention
(6) Human impact
(a) Loss of life and injury
(b) Impact to the community
(c) Stress
(d) Long term emotional impact

2) Establish the BIA process and methodology.
a) Identify and obtain a sponsor for the BIA activity.
b) Define objectives and scope for the BIA process.
c) Choose an appropriate BIA planning methodology/tool.
d) Choose an appropriate BIA data collection methodology.
i) Data to be collected includes:
(1) Operational process.
(2) Impacts to the process and how those impacts change over time
(a) Impact to the process from loss of site
(i) Document current recovery capabilities
(b) Impact from loss of technology needed to perform the process
(i) Document current recovery capabilities
(c) Interdependencies
(i) Internal
(ii) External
(iii) Technology
(d) Minimum service levels
(e) Minimum resource requirements to perform the function at the minimum acceptable level
(i) Technology
1. Desktop hardware
2. Network connectivity
3. Printers
a. Standalone
b. Network
c. Mainframe
d. Color/black and white
4. Fax machine
5. Telephones
6. Inbound/outbound trunk lines
7. Print/file servers
8. Applications
9. Vendor software
10. Internet connectivity
11. Call recording
12. Scanners
(ii) Physical space
1. Physical desks
2. Footprint needed for equipment
3. Storage space for raw materials and finished product
4. Shipping space
5. Print/mail space
6. Sorting space
7. Power requirements
8. HVAC requirements
Professional Practice Three Business Impact Analysis (continued)

c) Establish the definition of the impact scale (e.g., high, medium, low) to be used during the data collection.
d) Obtain agreement from management on the final time schedule.
e) Identify team members to participate in the BIA process.
i) Work with the BIA sponsor to identify the major areas of the entity including potential third party service providers.
ii) Work with the BIA sponsor to identify specific individuals to represent the major areas of the entity.
(1) Collect and review existing organizational charts.
(2) Identify functional management team members and appropriate third party provider representatives to participate in the data collection process.
iii) Inform the selected individuals of the BIA process and its purpose.
iv) Identify training requirements and establish a training schedule.
v) Train knowledgeable functional management representatives.
f) Conduct data collection.

5) Analyze the data collected against the approved criteria to establish RTO and RPO for each operational area and the technology that supports them.
a) Based on the data collected, determine the prioritization of processes/services.
b) Document interdependencies between each business process and the supporting infrastructure (data systems and related technology, supply chain management, third party partners and other resources).
i) Intradepartmental
ii) Interdepartmental
iii) External relationships
c) Determine the order of recovery for core and support business functions and technology.
Professional Practice Three Business Impact Analysis (continued)

6) Document minimum resource requirements for resumption and recovery of core and support business functions and their escalation over time.
a) Resource requirements to include:
i) Internal and external resources
ii) Owned versus non-owned resources
iii) Short versus long term resource needs
iv) Existing resources and additional resources required
(1) Key personnel
(2) Equipment
(3) Data
(4) Raw materials
(5) Other
b) Vital Records Management.
i) Document vital records in the entity, including paper and electronic, and establish when records will be needed during recovery.
ii) Evaluate existing backup and restoration procedures to identify any gaps between record recovery requirements and existing backup and restoration procedures.
c) Identify gaps between current recovery capabilities and requirements defined by the results of the BIA.

7) Prepare and present the BIA results to the entity’s leadership and gain acceptance of the RTO and RPO for each process as defined by the results of the BIA.
a) Prepare a draft BIA report using initial impact findings and identified gaps.
i) Provide a statement of entity mission, goals and objectives.
ii) Summarize the impact to the mission, goals and objectives that may result from a disruption.
iii) Provide a prioritized list of the processes and services of the entity and the RTO and RPO that resulted from the BIA.
(1) Include a summary of resource requirements over time to recover and resume operations.
(2) Include a gap analysis between current capabilities to meet the defined RTO and RPO and the needed capabilities.
iv) Issue the draft report to participating functional representatives and request feedback.
v) Review functional representative feedback and, where appropriate, revise findings accordingly, or add to outstanding issues.
vi) Schedule a workshop or meeting with participating functional representatives and third party provider representatives to discuss initial findings, when necessary.
vii) Ensure that initial findings are updated, as necessary, to reflect changes arising from these meetings.
b) Prepare the final BIA report.
c) Prepare and submit a formal presentation of BIA findings to the entity’s leadership.
d) Gain acceptance of the RTO and RPO for each process as defined by the results of the BIA.
Professional Practice Four Business Continuity Strategies

The data that was collected during the BIA and Risk Evaluation is used in this professional practice to identify available continuity and recovery strategies for the entity’s operations and technology. Recommended strategies must be approved and funded and must meet both the recovery time objectives (RTO) and recovery point objectives (RPO) identified in the BIA. A cost benefit analysis is performed on the recommended strategies to align the cost of implementing the strategy against the assets at risk.

The Professional’s Role in Professional Practice Four is as follows:
1. Utilize the data collected during the BIA and Risk Evaluation to identify the available continuity and recovery strategies for the entity’s operations that will meet the RTO and RPO identified during the BIA process.
2. Utilize the data collected during the BIA and Risk Evaluation to identify the available continuity and recovery strategies for the entity’s technology that will meet the RTO and RPO identified during the BIA process.
3. Consolidate strategies where appropriate to reduce costs and/or complexity.
4. Assess the cost of implementing identified strategies through a cost/benefit analysis.
5. Recommend strategies and obtain approval to implement.

The Business Continuity Professional would demonstrate knowledge of this professional practice area by performing the following:

1. Utilize the data collected during the BIA and Risk Evaluation to identify the available continuity and recovery strategies for the entity’s operations that will meet the RTO and RPO identified during the BIA process.
a. Review recovery requirements identified for each of the entity’s operations.
b. Identify alternative business continuity strategies. Potential options include but are not limited to:
i. Do nothing and repair or rebuild at time of disaster
ii. Develop manual workaround procedures
iii. Develop reciprocal agreements (more common in small business operations, public sector mutual aid agreements and manufacturing environments)
iv. Identify internal dual usage space that could be equipped to support recovery (conference rooms, training rooms, cafeterias, etc.)
v. Identify an external alternate site
vi. Contract with third party service providers / outsourcers
vii. Transfer workload to a surviving site
viii. Transfer staff and workload to a surviving site
ix. Suspend operations that are not time sensitive in a surviving site and transfer people/workload from the impacted site (displacement)
x. Build a dedicated alternate site
xi. Have staff work from home
xii. Recovery strategies for manufacturing environments
1. Repair/rebuild at time of disaster
2. Reciprocal agreements with another manufacturer
3. SKU prioritization
4. Customer prioritization
5. Utilize excess capacity in other plants
Professional Practice Four Business Continuity Strategies (continued)

xiii. Strategies for the recovery of vital hard copy records and work in process to meet the RPO for these records and to ensure they are accessible following a disaster.
1. Photocopy
2. Scan
3. Fiche
4. Film
c. Review alternate site alternatives
i. Location
ii. Available space
iii. Suitability of space to need
iv. Communications capabilities (voice/data)
v. Equipment available
vi. Availability of raw materials
vii. Hardness of the site (redundant power, water, etc.)
d. Assess viability of alternative strategies against the results of the business impact analysis/recovery time objectives
i. Compare solutions
ii. Advantages
iii. Disadvantages
iv. Costs (startup, maintenance & execution)
v. Mitigation capability and control options
vi. Ability to meet defined RTO and RPO
e. Develop preliminary cost/benefit analysis

2. Utilize the data collected during the BIA and Risk Evaluation to identify the available continuity and recovery strategies for the entity’s technology that will meet the RTO and RPO identified during the BIA process.
a. Review recovery requirements identified for the technology that supports each of the entity’s operations.
b. Identify alternative technology recovery strategies. Potential options include but are not limited to:
i. Do nothing and repair or rebuild at time of disaster.
ii. Have business operations develop manual workaround procedures.
iii. Implement an active/active technology environment through a dual data center, eliminating the need for recovery.
iv. Implement an active/passive technology environment for high availability of time sensitive technology, providing for quick restart of the required technology.
v. Contract with third party service providers / outsourcers to provide a technology recovery environment. This includes:
1. A traditional “Hot Site” contract with a vendor where the vendor provides the equipment to recover from their inventory
2. The entity puts their own equipment for recovery on the floor of the vendor’s data center
vi. Outsource the entire technology environment (cloud computing, etc.).
vii. Identify a site where recovery would occur but build out only HVAC and electrical capabilities and populate with technology at time of disaster (warm site).
viii. Identify a site where recovery would occur but build out only at time of disaster (cold site).
ix. Identify strategies for recovery of data in electronic form that meet the RPO established for these records and ensure they are available following a disaster.
Professional Practice Four Business Continuity Strategies (continued)
1. Physical and Virtual Tape backup 4. Assess the cost of implementing identified
a. Incremental strategies through a cost/benefit analysis.
b. Full backup a. Estimate the cost of implementing and
maintaining recovery for the identified
c. Differential
recovery strategies
2. Asynchronous replication
b. Validate that the recovery strategy being
3. Synchronous replication implemented is in line with the amount
c. Review alternate site alternatives of business at risk (Example: you would
i. Location not implement a million dollar recovery
strategy to protect $100,000 of business)
ii. Available space
5. Recommended strategies and obtain approval
iii. Suitability of space to need
to implement.
iv. Communications capabilities (voice/
data)
v. Equipment available
vi. Hardness of the site (redundant power,
water, etc.)
d. Assess viability of alternative strategies
against the results of BIA recovery
objectives.
i. Compare solutions
ii. Advantages
iii. Disadvantages
iv. Costs (startup, maintenance &
execution)
v. Mitigation capability and control options
vi. Ability to meet defined RTO and RPO
e. Develop preliminary cost/benefit analysis
3. Consolidate strategies where appropriate to
reduce costs and/or complexity.
a. Identify where the same recovery strategy
could be used to meet the requirements for
multiple areas of operations (i.e. A single
alternate site used for recovery of business
operations from different buildings that are
not expected to be impacted by the same
event)
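Two places in these practices ask the practitioner to compare what leadership has accepted with what is actually in place: Professional Practice Three, 6.b.ii (evaluate existing backup and restoration procedures against record recovery requirements) and 7.a.iii.(2) (gap analysis between current capabilities and the defined RTO and RPO), and Professional Practice Four, 2.b.ix (choosing among full/incremental/differential backup and asynchronous/synchronous replication to meet an RPO). The Python script below is an added worked example of that comparison; it is not part of the DRI document and does not describe any DRI method. The processes, objectives, schedules and restore times are constructed sample data, and the worst-case model (one backup interval or one replication lag of data loss for anything that is not synchronous; restore of the last full plus every incremental since it for an incremental chain) is the example's own simplification of how those strategies behave.

```python
"""Gap analysis: BIA-accepted RTO/RPO versus the backup or replication actually in place.

Added worked example for DRI Professional Practice Three (6.b.ii, 7.a.iii.(2)) and
Professional Practice Four (2.b.ix). Not part of the DRI document; all processes,
objectives, schedules and timings below are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Protection:
    """Existing backup/replication arrangement for one process's data (assumed model)."""
    method: str                     # "full" | "incremental" | "differential" | "async" | "sync"
    interval_min: int               # minutes between backup runs; for "async" the replication lag bound
    base_restore_min: int           # minutes to restore the last full backup, or to fail over for replication
    increment_restore_min: int = 0  # minutes to apply one incremental or differential set
    increments_per_cycle: int = 0   # incrementals taken between two full backups
    declare_min: int = 0            # time to detect the loss and declare before restoration starts


@dataclass(frozen=True)
class Process:
    name: str
    rto_min: int        # RTO accepted by leadership (BIA output)
    rpo_min: int        # RPO accepted by leadership (BIA output)
    protection: Protection


@dataclass(frozen=True)
class GapRow:
    process: str
    rto_target: int
    rto_achievable: int
    rpo_target: int
    rpo_achievable: int

    @property
    def rto_gap(self) -> int:
        """Minutes by which current capability misses the RTO (0 when met)."""
        return max(0, self.rto_achievable - self.rto_target)

    @property
    def rpo_gap(self) -> int:
        """Minutes of data loss beyond the accepted RPO (0 when met)."""
        return max(0, self.rpo_achievable - self.rpo_target)

    @property
    def meets_objectives(self) -> bool:
        return self.rto_gap == 0 and self.rpo_gap == 0


def achievable_rpo(p: Protection) -> int:
    """Worst-case data loss in minutes.

    Synchronous replication commits at both sites, so nothing is lost. Any scheduled
    copy (full/incremental/differential) or asynchronous replica can lose everything
    since the last run or the full lag when the failure lands just before the next copy.
    """
    return 0 if p.method == "sync" else p.interval_min


def achievable_rto(p: Protection) -> int:
    """Worst-case time to resume: declare, then restore (or fail over).

    An incremental chain needs the last full plus every incremental since it; a
    differential needs the full plus only the latest differential set.
    """
    if p.method == "incremental":
        sets = p.increments_per_cycle
    elif p.method == "differential":
        sets = 1
    else:
        sets = 0
    return p.declare_min + p.base_restore_min + sets * p.increment_restore_min


def gap_report(processes):
    """Compare each process's accepted RTO/RPO with what its protection can deliver."""
    return [GapRow(pr.name, pr.rto_min, achievable_rto(pr.protection),
                   pr.rpo_min, achievable_rpo(pr.protection)) for pr in processes]


def strategies_meeting_rpo(rpo_min: int, backup_interval_min: int, async_lag_min: int):
    """Which of the listed electronic-data strategies can meet an RPO, given the backup
    schedule and replication lag the entity could actually run."""
    options = ["sync"]                          # zero data loss by construction
    if async_lag_min <= rpo_min:
        options.append("async")
    if backup_interval_min <= rpo_min:          # any scheduled copy loses up to one interval
        options.extend(["full", "incremental", "differential"])
    return options


# Constructed sample: four processes with BIA-accepted objectives and today's protection.
SAMPLE_PROCESSES = [
    Process("Order entry", rto_min=240, rpo_min=15,
            protection=Protection("incremental", interval_min=1440, base_restore_min=120,
                                  increment_restore_min=20, increments_per_cycle=6, declare_min=60)),
    Process("Payroll", rto_min=2880, rpo_min=1440,
            protection=Protection("differential", interval_min=1440, base_restore_min=180,
                                  increment_restore_min=45, increments_per_cycle=6, declare_min=120)),
    Process("Trading feed", rto_min=30, rpo_min=0,
            protection=Protection("sync", interval_min=0, base_restore_min=10, declare_min=5)),
    Process("Customer portal", rto_min=60, rpo_min=5,
            protection=Protection("async", interval_min=15, base_restore_min=20, declare_min=10)),
]

if __name__ == "__main__":
    for row in gap_report(SAMPLE_PROCESSES):
        status = "OK " if row.meets_objectives else "GAP"
        print(f"{status} {row.process:16} RTO {row.rto_achievable:>5}/{row.rto_target:<5} "
              f"RPO {row.rpo_achievable:>5}/{row.rpo_target:<5} "
              f"shortfall rto={row.rto_gap} rpo={row.rpo_gap}")
```

Run as a script, the report flags "Order entry" on both objectives (a nightly incremental cannot deliver a 15-minute RPO, and the chain of six incrementals pushes the restore past the 4-hour RTO) and "Customer portal" on RPO only (15 minutes of asynchronous lag against a 5-minute objective), while the other two meet their accepted objectives. The rows are what goes into the gap analysis of 7.a.iii.(2); `strategies_meeting_rpo` then narrows the 2.b.ix options to those that can actually close an RPO gap before any cost/benefit work is done on them.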
Professional Practice Five Emergency Preparedness and Response (continued)

(3) Rescue - Arrange for a competent rescue capability to provide rescue services if required by regulation based on the hazards on-site (e.g., permit-required confined space). Establish a search and rescue capability if required by the types of emergencies, scenarios, and impacts identified and the availability or capability of external resources is inadequate.
(4) Accountability - Establish a capability to account for the safety and well-being of all persons affiliated with the organization engaged in an incident or who may be affected by an incident.
(5) Medical - Ensure there is an internal and/or external capability compliant with regulations to promptly administer first aid or medical treatment and transport the sick or injured to a medical facility with the capability of treating injuries or illnesses that may occur at the facility.
(6) Counseling - Identify or provide access to mental health professionals who can provide counseling and related services following a traumatic incident.
(7) Security - Maintain or provide site, building, and/or area security for protection of personnel, physical assets, and information during and following an incident.
ii) Property Protection
(1) Establish capabilities, document plans, and provide required resources to prepare facilities for forecast events identified. These events may include but are not limited to natural hazards (flood, tropical cyclone, etc.) and warnings for human-caused events (e.g., civil disturbances, etc.).
(2) Establish capabilities to supervise building systems, utilities, and equipment to stabilize an incident in conjunction with building management, public agencies, or others who may be involved with the incident. This includes documenting systems, utilities, and equipment, and ensuring competent persons are available to manipulate systems as required by the incident or as directed by the incident commander.
(3) Establish capabilities, document plans, and provide required resources to stabilize identified incidents that have the potential to damage property or interrupt or disrupt business operations. The goal is to safely protect facilities, equipment, and contents and minimize damage while or after actions are taken to protect life safety.
(4) Establish capabilities, document plans, and provide (internal or external) resources for salvage, cleanup, and loss mitigation following a property damage incident.
(5) Coordinate with or establish links to the operators of critical infrastructure (e.g., roads, bridges, utilities, etc.) to provide information regarding the capabilities, availability, and restoration of infrastructure required to operate the facility.
iii) Environmental Protection
Professional Practice Five Emergency Preparedness and Response (continued)

iii) The system should include policies and procedures for activation of the incident management system, opening of the emergency operations center, communications and coordination with on-scene incident command, and coordination of emergency preparedness and response activities with continuity and recovery activities.
iv) Incident management should include initial and periodic situation analysis and should be guided by an incident action plan to achieve the goals of protective actions for life safety, property protection, business continuity, and recovery.
b) Emergency Operations Center
i) A physical or virtual emergency operations center (EOC) should be established and equipped to facilitate coordination of response, continuity, and recovery activities.
ii) Communications capabilities (e.g., two-way radio, email, text messaging, pagers, landline and wireless voice and data communications, etc.) necessary to support incident management should be provided within the EOC. Communications capabilities should include the ability to gather information from internal and external sources, coordinate activities, and disseminate instructions and information.
iii) Communications during an incident should be documented.
iv) The EOC should be sized to house the anticipated number of persons; arranged to facilitate information gathering, processing, communications, and decision-making; and equipped to support occupancy for the duration of the types of emergencies and scenarios identified.
v) Security for the EOC should be implemented.
vi) Operating procedures should include identification, assignment, and scheduling of persons to fulfill emergency operations center functions and activities in accordance with the entity’s incident management system.
vii) Operating procedures should include management and operations of the EOC; communications protocols, procedures, and information flow; and closure of the EOC.

7) Review and coordinate whether emergency preparedness and response plans and procedures have been reviewed by, and coordinated with, first responders.
a) Identify the documents (e.g., fire prevention, hazardous materials management plan, integrated contingency plan, spill prevention and countermeasures, EPA risk management plan, etc.) that must be submitted to public agencies to comply with regulations.
b) Determine whether emergency preparedness and response plans have been submitted to external public agencies (e.g., emergency services such as fire departments, emergency medical services, rescue service, hazardous materials response team or contractor, law enforcement, environmental authorities, and other regulatory bodies) identified in Table 1 to comply with regulatory requirements, and to others (e.g., building manager, tenants, etc.) for the purpose of coordination.
c) Assist with the coordination of response protocols, plans, and procedures with public agencies and external resources. Coordination should include response to, coordination during, and recovery from, an incident. Authorization to, and credentials for, facility access following an incident should be determined.
Professional Practice Five Emergency Preparedness and Response (continued)
The Business Continuity Plan is a set of documented processes and procedures which will enable the entity to continue or recover time sensitive processes to the minimum acceptable level within the timeframe acceptable to the entity. In this phase of the Business Continuity Management Program, the relevant teams design, develop, and implement the continuity strategies approved by the entity and document the recovery plans to be used in response to an incident or event.

The Professional’s Role in Professional Practice Six is as follows:
1) Design, develop and implement agreed upon recovery strategies.
2) Design framework and define document structure for the plan documentation.
3) Coordinate the effort to document recovery plans for the entity’s operations and the technology that supports them.
4) Publish the plan documents.

The Business Continuity Professional would demonstrate knowledge of this professional practice area by performing the following:
1) Design, develop and implement agreed upon recovery strategies.
  a) Work with the planning team to design, develop and implement recovery strategies for the entity’s operations.
    i) Work with business partners and vendors as appropriate.
    ii) Manage the budget for strategy implementation.
    iii) Report progress to Steering Committee.
    iv) Ensure required tasks are completed for plan implementation that may include the following:
      (1) Acquiring specified / planned recovery/business continuity resources, e.g. additional equipment, system, supplies, services, etc.
      (2) Execution of response/recovery/restoration/business continuity required contractual arrangements.
      (3) Appropriate documentation access for plan-in-place.
  b) Work with the technology planning team to design, develop and implement strategies for recovery of the entity’s technology.
    i) Work with technology partners and vendors as appropriate.
    ii) Manage budget for strategy implementation.
    iii) Report progress to Steering Committee.
    iv) Ensure required tasks are completed for plan implementation that may include the following:
      (1) Acquiring specified / planned recovery/business continuity resources, e.g. additional equipment, system, supplies, services, etc.
      (2) Execution of response/recovery/restoration/technology contractual arrangements.
      (3) Appropriate documentation access for plan-in-place.
Professional Practice Six Business Continuity Plan Development and Implementation (continued)

2) Design framework and define document structure for the plan documentation.
  a) Determine how the plan will be organized and identify the teams needed to document the plans.
    i) Organization – Decide how the plan will be organized.
      (1) Enterprise-wide
      (2) By site
      (3) By business line
      (4) By product line
      (5) By service provided
      (6) By technology
    ii) Teams – individual experts needed to document recovery procedures. To include but not limited to:
      (1) Business process experts from each process to be recovered
      (2) Voice and data network
      (3) Application support
      (4) Storage management
      (5) Equipment
      (6) Human resource
      (7) Finance
      (8) Print and mail services
      (9) Vendor management
      (10) Records management
    iii) Types of plans to be documented to include but not limited to:
      (1) Strategic including succession planning
      (2) Tactical
      (3) Operational
      (4) Emergency response
      (5) Incident control and damage assessment
      (6) Continuity and recovery
      (7) Return-to-normal operations
    iv) Planning Scenarios to be used during plan documentation may include but not limited to:
      (1) Short-term (less than 1 month outage)
      (2) Long-term (more than 3 month outage)
      (3) Local (Site or campus specific)
      (4) Regional impact
      (5) Enterprise-wide impact
      (6) Cascading impact potential
  b) Define Roles and Responsibilities for Plan Development.
    i) Identify tasks to be undertaken.
    ii) Create action plans / checklists for plan development.
    iii) Develop timeline for plan completion.
    iv) Review, evaluate and recommend tools e.g. planning software, database(s), or specialized software, templates, etc.
    v) Develop templates to be used to acquire information on processes, technology matrices and flowcharts.
    vi) Identify other supporting documentation needed.
    vii) Ensure built-in mechanisms to facilitate maintenance, e.g. version control.
  c) Define table of contents for the plan documentation which may include but is not limited to:
    i) Introduction
    ii) Policy Statements
      (1) Business Continuity policies
      (2) Confidentiality Statement
    iii) Scope / Objectives
      (1) Tied to organizational mission, goals and objectives and business continuity policies
      (2) Identification of time sensitive operations and the technology that supports them covered in this plan document

DRI International
4) Develop Awareness and Training Methodology.
  a) Conduct awareness and training needs assessment.
    i) Conduct awareness and training surveys or other means of assessing current state of awareness and readiness.
    ii) Gain feedback through focus groups.
    iii) Identify trends and new developments.
    iv) Review previous tests/ exercise results and gap analyses.
  b) Benchmark current levels of awareness and readiness against desired levels.
  c) Initiate plan to address awareness and training gaps.
  d) Design the training process.
    i) Identify delivery methods.
      (1) Awareness campaigns.
      (2) Web based training.
      (3) Internal web site.
      (4) Instructor led training.
      (5) Scenario based training.
      (6) Instructional guides and templates.
      (7) Briefing papers, newsletters, bulletins, articles.
      (8) Train the trainer sessions.
      (9) Continuity and incident management exercises.
    ii) Define training roles and responsibilities.
    iii) Prioritize teaching points defining the BCM message to be assimilated.
    iv) Select order and delivery methods.
5) Identify, develop or acquire awareness and training tools and resources.
  a) Identify internal training resources.
  b) Contract with external vendors for training.
  c) Purchase training software packages.
  d) Develop and implement BCM website.
  e) Utilize social media tools (LinkedIn, Facebook, Twitter, YouTube etc.).
  f) Develop and distribute brochures of frequently asked questions.
  g) Create awareness posters.
  h) Purchase and distribute awareness promotional items (magnets, pens, flashlights, etc.).
  i) Develop training courseware.
6) Identify external awareness and training opportunities.
  a) Conferences
  b) Seminars
  c) User groups and associations
  d) White papers/publications
  e) Regional networks and working groups
  f) Industry sector working groups
  g) Certification bodies
  h) Formal academic education programs
  i) Awareness special events
7) Oversee the delivery of training and awareness activities.
  a) Schedule and deliver training activities.
  b) Schedule and conduct awareness activities.
  c) Monitor effectiveness of the awareness and training activities.
  d) Review results and provide report to leadership on activities.
Professional Practice Eight Business Continuity Plan Exercise, Audit, and Maintenance (continued)

The goal of this professional practice is to establish an exercise, testing, maintenance and audit program. To continue to be effective, a Business Continuity Management (BCM) Program must implement a regular exercise schedule to establish confidence in a predictable and repeatable performance of recovery activities throughout the organization. As part of the change management program, the tracking and documentation of these activities provides an evaluation of the on-going state of readiness, allows for continuous improvement to recovery capabilities and ensures that plans remain current and relevant. Establishing an audit process will validate that the plans are complete and accurate and in compliance with organizational goals and industry standards as appropriate.

The Professional’s Role in Professional Practice Eight is as follows:
1. Establish an exercise/testing program.
2. Establish a plan maintenance program.
3. Identify or establish appropriate industry and/or organizational standards.
4. Establish a business continuity program audit process.
5. Communicate exercise/test/audit results and recommendations.

The Business Continuity Professional would demonstrate knowledge of this professional practice area by performing the following:
1. Establish an Exercise/Testing Program
  a. Develop an exercise program that meets the entity’s continuity objectives.
    i. Align with the entity’s strategy and tactical requirements.
    ii. Provide a high level of confidence for the continuity and recovery of operations.
  b. Obtain executive sponsorship for exercise/testing program development.
  c. Develop a realistic, progressive and cost effective program.
    i. Document the exercise/testing standards and guidelines to be used.
    ii. Define exercise/testing program assumptions and limitations.
    iii. Identify exercise types to be included that will create a comprehensive exercise program based on the recovery strategies implemented and the RTO and RPO defined by the entity for its operations. These may include operational, facility and technical exercises and testing such as:
      1. Life safety exercises
      2. Plan walk-through / tabletop review
      3. Scenario based tabletop exercise
      4. Call notification exercise
      5. Alternate site exercise
      6. Standalone platform, infrastructure or application recovery test
      7. Full end to end functional exercise of an operation or technology
      8. Comprehensive exercise of all recovery strategies required to recover the time sensitive operations and technology from a single site
    ii. Develop change control procedures to monitor changes (utilize existing change control process if already in place).
    iii. Create proper version control; develop plan re-issue, distribution, and circulation procedures.
    iv. Identify plan distribution lists for circulation.
    v. Develop a process to update plans based on response to audit findings.
    vi. Set guidelines for feedback of changes to planning function.
    vii. Implement change control process.
3. Identify or establish appropriate standards.
  a. Review appropriate industry (NFPA, ISO, ANSI, etc.) and national/international (US, British, Australian, etc.) standards.
  b. Review process owner expectations based on industry standards and organizational as well as “client” service expectations.
  c. Develop an organizational standard with a recurring review and enhancement/continuous improvement process.
  d. Based on industry and/or national/international standards as well as organizational and/ or client expectations.
  e. Frequency and scope appropriate for the organization.
    iv. Audit the plan structures, contents, and action sections.
      1. Audit program requirements, documents and standards.
      2. Audit templates and plan.
      3. Audit test requirements and results.
      4. Audit repository for plan and test results.
      5. Audit the plan documentation control procedures.
      6. Audit version control process and documentation.
      7. Audit distribution lists and associated processes.
      8. Audit change control process.
    v. Review management response to audit findings.
    vi. Confirm responses have been submitted and action plans documented.
    vii. Verify completed actions have been captured in the plan and supporting documentation.
5. Communicate exercise/test/audit results and recommendations.
  a. Identify appropriate stakeholders.
    i. Process owners
Professional Practice Nine Crisis Communications (continued)

This professional practice provides the framework to identify, develop, communicate and exercise a crisis communications plan to address how communications will be handled by the entity before, during and after an event. The crisis communications plan is developed collaboratively with the entity’s public information and internal information resources where they exist to ensure consistency of the entity’s communications. The plan will address the need for effective and timely communication between the entity and all the stakeholders impacted by an event or involved during the response and recovery efforts.

The Professional’s Role in Professional Practice Nine is as follows:
1) Design, develop and implement a crisis communications plan.
2) Communicate and train stakeholders on roles and responsibilities for the crisis communications plan.
3) Exercise the crisis communications plan.
4) Maintain the crisis communications plan as defined in Professional Practice 8.

The Business Continuity Professional would demonstrate knowledge of this professional practice area by performing the following:
1) Design, develop and implement a crisis communications plan.
  a) Identify existing public information and internal information resources within the entity.
  b) Collaborate with public information and internal information resources to design the plan.
    i) Define objectives, scope and plan structure.
    ii) Review the organization’s existing crisis communications plan.
    iii) Identify and document gaps in the existing plan.
    iv) Using results of the Risk Assessment in Professional Practice 2, identify potential events for which communications should be planned.
    v) Establish roles and responsibilities for the crisis communication team.
      (1) Use EOC as a location to control what message goes out and when
      (2) Internal information
      (3) Public Information
      (4) Media spokesperson
    vi) Identify all stakeholders to be considered during the development of the crisis communication plan and the appropriate spokesperson for each stakeholder.
      (1) Employees and their families
      (2) Customers
      (3) Vendors and suppliers
      (4) Board of Directors
      (5) Investors
      (6) Media
      (7) Community leaders
      (8) Outsourced operations
      (9) Local responding authorities
      (10) Regulators
      (11) Labor organizations
      (12) Competitors
      (13) Industry bloggers
  c) Determine how stakeholders will be quickly and effectively notified of an incident.
Professional Practice Ten Coordinating with External Agencies (continued)

This professional practice defines the need to establish policies and procedures to coordinate response, continuity and recovery activities with external agencies at the local, regional and national levels while ensuring compliance with applicable statutes and regulations.

The Professional’s Role in Professional Practice Ten is as follows:
1. Identify and establish emergency preparedness and response procedures in accordance with Professional Practice Five.
2. Identify applicable emergency preparedness and response regulations and the agencies having jurisdiction over the organization’s facilities and operations.
3. Coordinate emergency preparedness and response procedures with external agencies.

The Business Continuity Professional would demonstrate knowledge of this professional practice area by performing the following:
1. Identify and establish emergency preparedness and response procedures in accordance with Professional Practice 5.
2. Identify applicable emergency preparedness and response regulations and the agencies having jurisdiction over the organization’s facilities and operations.
  a. Identify applicable emergency preparedness and response regulations in accordance with Professional Practice 5.
  b. Identify regulatory agencies having jurisdiction over the organization’s facilities and operations. Agencies may include building officials, fire marshals, law enforcement, environmental compliance, code enforcement, emergency management, homeland security, industry regulators or others.
  c. Identify the authority of regulatory agencies to order regional, site, or building evacuation, and obtain, if available, credentials for priority access to facilities following an incident.
  d. Identify requirements for submittal of information about the facility (i.e., “preincident plans”) including a description of its occupancy, hazards, building construction, utility systems, protection systems, and emergency preparedness and response procedures.
  e. Identify requirements for periodic facility inspections; observation of tests of building systems and or equipment; conducting evacuation or shelter drills; and the required scope and frequency of training and exercises.
  f. Identify requirements, thresholds (i.e., quantity or duration), and timeframes for mandatory reporting of incidents including impairments to protection systems, fires, injuries, fatalities, hazardous materials spills or releases, and other conditions or incidents.
  g. Develop or update emergency preparedness and response procedures to comply with laws, regulations, ordinances, and the requirements of regulatory agencies.
  h. Disseminate information to appropriate management and team members.