DRI Canada Professional Practices (2014-07) PDF


Professional Practices for Business Continuity Practitioners

Maintained by DRI International


For questions about this document, contact Traci O’Neal at toneal@drii.org.
For more information, visit www.drii.org.

Professional Practice Introduction

Business Continuity Management (BCM) is a management process that identifies risk, threats and vulnerabilities that could impact an entity’s continued operations and provides a framework for building organizational resilience and the capability for an effective response.

The objective of Business Continuity Management is to make the entity more resilient to potential threats and allow the entity to resume or continue operations under adverse or abnormal conditions. This is accomplished by the introduction of appropriate resilience strategies to reduce the likelihood and impact of a threat and the development of plans to respond and recover from threats that cannot be controlled or mitigated.

The Professional Practices are a body of knowledge designed to assist the entity in the development and implementation of a BCM program. Use of the Professional Practice framework can increase the likelihood that no significant gaps will be present in your program as well as increase the likelihood that the various parts of the program will work cohesively in an actual event.

These Professional Practices are intended to serve as both a guide for BCM Program development, implementation and maintenance and as a tool for conducting audits of an existing program. Using the Professional Practices to audit a program can identify program gaps or deficiencies so they may be corrected before an event occurs.

The Professional Practices have been developed and maintained by experienced Business Continuity professionals to provide a consistent framework for the industry, to assist others who wish to enter this field with the body of knowledge to develop the skills needed and to assist organizations in benchmarking their program against accepted and proven practices.

The sections within these practices are not presented in any particular order of importance, as it may be necessary to undertake or implement sections in parallel during the development of the BCM Program.
DRI International

Professional Practice Subject Area Overview

1. Program Initiation and Management.
Establish the need for a Business Continuity Management Program within the entity and identify the program components from understanding the entity’s risks and vulnerabilities through development of resilience strategies and response, restoration and recovery plans. The objectives of this professional practice are to obtain the entity’s support and funding and to build the organizational framework to develop the BCM program.

2. Risk Evaluation and Control.
The objective of this professional practice is to identify the risks/threats and vulnerabilities that are both inherent and acquired which can adversely affect the entity and its resources, or impact the entity’s image. Once identified, threats and vulnerabilities will be assessed as to the likelihood that they would occur and the potential level of impact that would result. The entity can then focus on high probability and high impact events to identify where controls, mitigations or management processes are non-existent, weak or ineffective. This evaluation results in recommendations from the BCM Program for additional controls, mitigations or processes to be implemented to increase the entity’s resiliency from the most commonly occurring and/or highest impact events.

3. Business Impact Analysis.
During the activities of this professional practice, the entity identifies the likely and potential impacts from events on the entity or its processes and the criteria that will be used to quantify and qualify such impacts. The criteria to measure and assess the financial, customer, regulatory and/or reputational impacts must be defined and accepted and then used consistently throughout the entity to define the Recovery Time Objective (RTO) and Recovery Point Objective (RPO) for each of the entity’s processes. The result of this analysis is to identify time sensitive processes and the requirements to recover them in the timeframe that is acceptable to the entity.

4. Business Continuity Strategies.
The data that was collected during the BIA and Risk Evaluation is used in this professional practice to identify available continuity and recovery strategies for the entity’s operations and technology. Recommended strategies must be approved and funded and must meet both the recovery time and recovery point objectives identified in the BIA. A cost benefit analysis is performed on the recommended strategies to align the cost of implementing the strategy against the assets at risk.

5. Emergency Response and Operations
This professional practice defines the requirements to develop and implement the entity’s plan for response to emergency situations that may impact safety of the entity’s employees, visitors or other assets. The emergency response plan documents how the entity will respond to emergencies in a coordinated, timely and effective manner to address life safety and stabilization of emergency situations until the arrival of trained or external first responders.

6. Plan Implementation and Documentation
The Business Continuity Plan is a set of documented processes and procedures which will enable the entity to continue or recover time sensitive processes to the minimum acceptable level within the timeframe acceptable to the entity. In this phase of the Business Continuity Management Program, the relevant teams design, develop, and implement the continuity strategies approved by the entity and document the recovery plans to be used in response to an incident or event.

7. Awareness and Training Programs
In this professional practice, a program is developed and implemented to establish and maintain corporate awareness about Business Continuity Management (BCM) and to train the entity’s staff so that they are prepared to respond during an event.

8. Business Continuity Plan Exercise, Audit and Maintenance
The goal of this professional practice is to establish an exercise, testing, maintenance and audit program. To continue to be effective, a BCM Program must implement a regular exercise schedule to establish confidence in a predictable and repeatable performance of recovery activities throughout the organization. As part of the change management program, the tracking and documentation of these activities provides an evaluation of the on-going state of readiness and allows for continuous improvement of recovery capabilities and ensures that plans remain current and relevant. Establishing an audit process will validate the plans are complete, accurate and in compliance with organizational goals and industry standards as appropriate.

9. Crisis Communications
This professional practice provides the framework to identify, develop, communicate, and exercise a crisis communications plan. A Crisis Communications plan addresses the need for effective and timely communication between the entity and all the stakeholders impacted or involved during the response and recovery efforts.

10. Coordination with External Agencies
This professional practice defines the need to establish policies and procedures to coordinate response, continuity and recovery activities with external agencies at the local, regional and national levels while ensuring compliance with applicable statutes and regulations.

Professional Practice One
Program Initiation and Management

Establish the need for a BCM Program within the entity and identify the program components from understanding the entity’s risks and vulnerabilities through development of resilience strategies and response, restoration and recovery plans. The objectives of this professional practice are to obtain the entity’s support and funding and to build the organizational framework to develop the BCM program.

The Professional’s Role in Professional Practice One is as follows:
1. Establish why the entity needs a Business Continuity Management Program
2. Obtain leadership/management support for the BCM program
3. Coordinate and manage the implementation of the BCM program throughout the entity

The Business Continuity Professional would demonstrate knowledge of this professional practice area by performing the following:

1. Establish the need for the business continuity program.
  a. Research and reference relevant business, legal, regulatory, statutory and contractual requirements and restrictions both from an internal and external perspective, providing recommendations on conformance and compliance for the organization.
  b. Reference relevant standards developed by national or international standards development bodies and/or trade or industry associations.
  c. Identify and resolve any conflicts between organizational policies and relevant external requirements.
  d. Review existing audit reports to ensure the proposed BCM program adequately addresses any gaps or opportunities previously identified (through either internal or external sources).
  e. Identify business practices (such as complex supply chain strategies implemented on a regional or global scale) that may adversely impact the entity’s ability to recover following a disaster event.
  f. State the benefits of BCM and relate them to the entity’s mission, objectives and operations.
  g. Explain executive management’s/leadership’s role, including their accountability and liability within the BCM Process.
  h. Develop formal reports and presentations focused on increasing the awareness and potential impact of risks to the organization from a Business Continuity Management (BCM) perspective.

2. Obtain leadership/management support for the BCM program.
  a. Develop a mission statement/charter for the BCM program.
  b. Develop objectives for the BCM program tied to support of the entity’s mission.
  c. Develop Budget Requirements for BCM program.
  d. Define BCM program structure, its policies and critical success factors.
  e. Present and obtain management/leadership support and approval of BCM Program.
  f. Identify executive sponsors for BCM program development.
  g. Obtain executive approval for budget requirements.
  h. Gain agreement on the establishment of the Planning/Steering Committee along with tactical support functions needed, including primary and alternates for each role.
  i. Define the scope, responsibilities and overall accountability of each member of the Planning/Steering Committee and support functions.

3. Coordinate and manage the implementation of the BCM program throughout the entity.
  a. Lead the designated Planning/Steering Committee in defining objectives, program structure, policies and how critical success factors will be managed.
  b. Develop relevant policies, procedures and charters.
  c. Clearly define and obtain resources needed for BCM program.
  d. Identify teams for BCM program implementation including teams that will participate in the execution of the following activities:
    i. Risk assessment and resiliency strategies
    ii. Business impact analysis
    iii. Recovery strategy selection and implementation
    iv. Overall incident and emergency management
      1. Incident response and recovery
      2. Crisis management and communication
      3. Post incident gap analysis and implementation of lessons learned
    v. Developing Business continuity plan documentation
    vi. Plan testing, exercise and maintenance activities
    vii. Response, Recovery and restoration activities during an event


  e. Monitor status of ongoing budget impact per existing management process.
  f. Develop project plans and identify tasks required to support the agreed upon critical success factors such as:
    i. Schedule
    ii. Time estimates
    iii. Milestones
    iv. Personnel requirements, including training, succession planning and development
  g. Oversee the ongoing effectiveness of the Program.
    i. Develop the on-going management and documentation requirements for the BCM Program.
    ii. Monitor, track and report to compliance to established BCM standards.
    iii. Conduct internal and external benchmarking strategies.
  h. Report to Senior Management/Leadership on Program status on a regular basis
    i. Develop a schedule to report the progress of the BCM Program to the entity’s leadership.
    ii. Develop regular status reports for senior management/leadership that contain concise, pertinent, accurate, and timely information on key elements of the BCM Program
    iii. Provide updates on the State of the BCM Program and make recommendations for Program enhancements on an on-going basis
    iv. Monitor relevant industry and organizational standards to ensure BCM program is consistently delivering business value


Professional Practice Two
Risk Evaluation and Control

The objective of this professional practice is to identify the risks/threats and vulnerabilities that are both inherent and acquired which can adversely affect the entity and its resources, or impact the entity’s image. Once identified, threats and vulnerabilities will be assessed as to the likelihood that they would occur and the potential level of impact that would result. The entity can then focus on high probability and high impact events to identify where controls, mitigations or management processes are non-existent, weak or ineffective. This evaluation results in recommendations from the BCM Program for additional controls, mitigations or processes to be implemented to increase the entity’s resiliency from the most commonly occurring and/or highest impact events.

The Professional’s Role in Professional Practice Two is as follows:
1. Work with management and any risk management/enterprise risk management groups within the entity to gain agreement on a clear and standardized risk assessment methodology and to gain understanding of the entity’s tolerance for risk.
2. Identify, develop and implement information gathering activities across the entity to identify threats/risks and the entity’s vulnerabilities.
3. Identify probabilities and impact of the threats/risks identified.
4. Identify and evaluate the effectiveness of the current controls and safeguards in place.
5. Identify business resiliency strategies to control, mitigate, accept or take advantage of the potential impact of the risk/threat or reduce the entity’s vulnerabilities.
6. Document and present risk/threat/vulnerability assessment and recommendations to the entity’s leadership for approval.

The Business Continuity Professional would demonstrate knowledge of this professional practice area by performing the following:

1. Work with management and any risk management/enterprise risk management groups within the entity to gain agreement on a clear and standardized risk assessment methodology and to gain understanding of the entity’s tolerance for risk.
  a. Identify risk analysis methodologies and tools. These may include:
    i. Qualitative and quantitative methodologies
    ii. Assessment of advantages and disadvantages
    iii. Data and content reliability/confidence factors
    iv. Use of mathematical formulas
  b. Select appropriate methodology and tool(s) for entity-wide implementation which parallel the entity’s risk tolerance level.
  c. Work with the entity’s leadership to gain an understanding of the entity’s tolerance for risk.
  d. Work with management to select an appropriate cost benefit analysis model.
  e. Establish the measurement criteria necessary to quantify the risk identified and the effectiveness of existing controls.

2. Identify, develop and implement information gathering activities across the entity to identify threats/risks and the entity’s vulnerabilities.
  a. Determine methods of information gathering.
  b. Collaborate with entity’s legal counsel, physical security, information security, privacy and other pertinent areas to identify known risks and vulnerabilities.
  c. Determine information sources to be used to collect data on risks.
  d. Determine the credibility of the information sources.
  e. Develop a strategy to gather information consistent with the entity’s policies.
  f. Develop a strategy to gather information that can be managed across all of the entity’s divisions and locations.
  g. Create entity-wide methods of information collection and distribution.
    i. Forms and questionnaires
    ii. Interviews
    iii. Meetings
    iv. Or combinations of above

3. Identify threats/risks and the entity’s vulnerabilities.
  a. Identify threats/risks and vulnerabilities to the entity taking into account frequency, probability, speed of development, severity and reputational impact to achieve a holistic view of risk across the entity.
  b. Identify risk exposures from both internal and external sources. These sources include, but are not limited to:
    i. Natural, technological or acts of man
    ii. Industry/business model
    iii. Accidental versus intentional
    iv. Controllable exposures/risks versus those beyond the entity’s control
    v. Events with prior warnings versus those with no prior warnings

4. Identify probabilities and impact of the threats/risks identified.
  a. Develop a method to evaluate exposures/risks in terms of risk frequency, probability, speed of development, pre incident warning (e.g. hurricane), severity and entity impact.
  b. Identify the impact of identified risks. Risk impacts include, but are not limited to:
    i. Facility
    ii. Security (both physical and logical)
    iii. Reputational
    iv. Legal
    v. Customer
    vi. Procedural
    vii. Information Technology (including operational infrastructure)
    viii. People
    ix. Supply Chain (including outsourcing)
    x. Compliance
  c. Evaluate identified risk and classify them according to relevant criteria including, but not limited to:
    i. Risks under the entity’s control
    ii. Risks beyond the entity’s control
    iii. Risks with prior warnings (such as tornadoes and hurricanes)
    iv. Risks with no prior warnings (such as earthquakes)
  d. Evaluate impact of risks and vulnerabilities on those factors essential for conducting the entity’s operations:
    i. Availability of personnel
    ii. Availability of information technology
    iii. Availability of communications technology
    iv. Status of infrastructure (including transportation), etc.

5. Identify and evaluate the effectiveness of the current controls and safeguards in place.
  a. Identify and evaluate the effectiveness of the inherent protection afforded key assets by virtue of their location relative to sources of risk.
  b. Identify and evaluate the effectiveness of business continuity capabilities for groups within and external to the entity on which the entity is dependent to conduct its operations.
  c. Identify and evaluate the effectiveness of actions taken to reduce the probability of occurrence of incidents that could impair the ability to conduct business.
    i. Facility siting
    ii. Safety policies and procedures
    iii. Training on proper use of equipment and tools
    iv. Preventive maintenance
  d. Identify and evaluate the effectiveness of controls to inhibit impact exposures: preventive controls (proactive controls that help to prevent a loss).
    i. Physical security practices (access control, cameras, security staff)
    ii. Information Security practices (firewalls, intrusion detection, passwords)
    iii. Employment practices (background investigations, hiring practices)
    iv. Privacy practices (clean desk policy, proprietary waste disposal)
  e. Identify and evaluate the effectiveness of controls to compensate for impact of exposures: reactive controls (that typically work or are implemented in response to a loss).
    i. Sprinkler system
    ii. Fire brigade
    iii. Generator
    iv. UPS system
  f. Evaluate security-related communications flow with other internal areas and external service providers.

6. Identify business resiliency strategies to control, mitigate, accept or take advantage of the potential impact of the risk/threat or reduce the entity’s vulnerabilities.
  a. Discuss strategies and controls for managing the identified risks.
  b. Identify trigger points for key service and support areas to identify, escalate and execute strategies selected to take advantage of key risks.
  c. Establish interruption scenarios based on risks to which the entity is exposed. These scenarios should be based on situations severe in magnitude, occurring at the worst possible time, resulting in severe impairment to the entity’s ability to conduct business.
  d. Understand options for risk management and selection of appropriate or cost-effective responses (examples include: risk avoidance, transfer, or acceptance of risk).
  e. Develop formal “risk acceptance” documentation and re-evaluation practices in conjunction with the entity accepted risk tolerance.
  f. Make recommendations on feasible, cost-effective security measures required to prevent/reduce security-related risks and exposures.

  g. Recommend changes, if necessary, to reduce impact due to risks and vulnerabilities.
    i. Physical protection
      1. Identify requirements necessary to restrict access at all pertinent levels (e.g. building, room, etc.).
      2. Investigate the need for barriers and strengthened structures to determine willful and accidental and/or unauthorized entry.
      3. Location: physical construction, geographic location, corporate neighbors, facilities infrastructure, community infrastructure.
      4. Identify the need for the use of specialist personnel to conduct checks at key entry points.
      5. Evaluate the need for manned and/or recorded surveillance equipment to control access points and areas of exclusion; including detection, notification, suppression (e.g., sensors, alarms, and sprinklers).
      6. Changes to security and access controls, tenant insurance, leasehold agreements.
    ii. Logical protection
      1. Assess the need for system-provided protection of data stored, in process, or in translation; information backup and protection.
      2. Evaluate information security: hardware, software, data, and network monitoring (e.g., detection, notification, etc.).
      3. Location of assets.
    iii. Changes to personnel procedures.
    iv. Increased preventive maintenance and service as required.
    v. Utilities: duplication of utilities, built in redundancies (Telco, power, water, etc.).
    vi. Interface with outside agencies (vendors, suppliers, outsourcers, etc.).

7. Document and present risk assessment to the entity’s leadership for approval.
  a. Prepare a risk assessment report, standardizing the analysis across the entity
  b. Present findings of risk assessment including, but not limited to:
    i. Information on risks and exposures from risk analysis.
    ii. An assessment of controls and/or strategies in place to manage known risks and a rating of the control effectiveness as fully effective, partially effective or ineffective.
    iii. Recommend new controls to be implemented including cost/benefit.
    iv. Recommend control improvements including cost/benefit.
    v. Recommend appropriate areas to transfer risk.
    vi. Recommend priorities for implementation of new control.
    vii. Document areas where management accepts risk with a formal sign-off.
  c. Receive approval of risk assessment recommendations.

Professional Practice Three
Business Impact Analysis

During the activities of this professional practice, the entity identifies the likely and potential impacts from events on the entity or its processes and the criteria that will be used to quantify and qualify such impacts. The criteria to measure and assess the financial, operational, customer, regulatory and/or reputational impacts must be defined and accepted and then used consistently throughout the entity to define the Recovery Time Objective (RTO) and Recovery Point Objective (RPO) for each of the entity’s processes. The result of this analysis is to identify time sensitive processes and the requirements to recover them in the timeframe that is acceptable to the entity.

The Professional’s Role in Professional Practice Three is as follows:
1. Identify the criteria to be used to quantify and qualify the entity’s impact from events.
2. Establish the Business Impact Analysis (BIA) process and methodology.
3. Plan and coordinate data gathering and analysis.
4. Gain leadership agreement on BIA methodology and the criteria to be used.
5. Analyze the data collected against the approved criteria to establish RTO and RPO for each operational area and the technology that supports them.
6. Document minimum resource requirements for resumption and recovery of core and support business functions and their escalation over time.
7. Prepare and present the BIA results to the entity’s leadership and gain acceptance of the RTO and RPO for each process.

Note: While the Business Continuity Professional may be given the responsibility to manage a BIA, the ‘ownership’ of that BIA resides with the entity and its leadership, or the owners of the process or processes under consideration.

The Business Continuity Professional would demonstrate knowledge of this professional practice area by performing the following:

1) Identify the criteria to be used to quantify and qualify the impact to the entity.
  a) Define and obtain approval for criteria to be used to assess the impact on the entity’s operations including but not limited to:
    (1) Customer impact
      (a) How quickly customers will know you have a problem
      (b) How worried they will be about it
      (c) What is the likelihood they will take their business elsewhere
      (d) What the impact to committed service levels will be
      (e) The impact to supply chain of customers
      (f) Injury or death of customer (i.e. hospital patient)
    (2) Financial impact
      (a) Loss of revenue
      (b) Additional costs to recover
        (i) Declaration and daily usage fees
        (ii) Overtime
        (iii) Travel and expense
        (iv) Insurance deductibles
        (v) Replacing lost equipment, raw material and supplies
      (c) Clean up and restoration cost
      (d) Loss of financial control
      (e) Impact to cash flow
      (f) Impact to market share
      (g) Impact on future sales
      (h) Impact share price of stock
      (i) Contractual fines or penalties

      (j) Lawsuits
    (3) Regulatory impact
      (a) Fines
      (b) Penalties
      (c) Required to pull product off market due to loss of safety information
    (4) Operational impact
      (a) Reduced service levels
      (b) Increased overtime costs
      (c) Workflow disruptions
      (d) Loss of control
      (e) Inability to meet deadlines
      (f) Supply chain disruption
    (5) Reputational impact
      (a) Media attention
      (b) Social media
      (c) Community
      (d) Shareholder confidence
      (e) Competitor taking advantage of negative attention
    (6) Human impact
      (a) Loss of life and injury
      (b) Impact to the community
      (c) Stress
      (d) Long term emotional impact

2) Establish the BIA process and methodology.
  a) Identify and obtain a sponsor for the BIA activity.
  b) Define objectives and scope for the BIA process.
  c) Choose an appropriate BIA planning methodology/tool.
  d) Choose an appropriate BIA data collection methodology.
    i) Data to be collected includes:
      (1) Operational process.
      (2) Impacts to the process and how those impacts change over time
        (a) Impact to the process from loss of site
          (i) Document current recovery capabilities
        (b) Impact from loss of technology needed to perform the process
          (i) Document current recovery capabilities
        (c) Interdependencies
          (i) Internal
          (ii) External
          (iii) Technology
        (d) Minimum service levels
        (e) Minimum resource requirements to perform function at the minimum acceptable level
          (i) Technology
            1. Desktop hardware
            2. Network connectivity
            3. Printers
              a. Standalone
              b. Network
              c. Mainframe
              d. Color/black and white
            4. Fax machine
            5. Telephones
            6. Inbound/outbound trunk lines
            7. Print/file servers
            8. Applications
            9. Vendor software
            10. Internet connectivity
            11. Call recording
            12. Scanners
          (ii) Physical space
            1. Physical desks
            2. Footprint needed for equipment
            3. Storage space for raw materials and finished product
            4. Shipping space
            5. Print/mail space
            6. Sorting space
            7. Power requirements
            8. HVAC requirements

          (iii) Equipment
            1. Manufacturing equipment
            2. Print mail equipment
            3. Photocopy machines
            4. Tools
          (iv) Vital records
            1. Legal records
            2. Contracts
            3. Procedure manuals
            4. Forms
            5. Letterhead
            6. Maintenance records
            7. Insurance records
            8. Product information
          (v) Personnel
            1. How many
            2. What skills
            3. What shifts
            4. When
          (vi) Supplies
            1. Paper, pens, pencils, staplers, ink, toner, etc.
            2. Raw materials

3) Plan and coordinate data gathering and analysis.
  i) Data collection via questionnaires.
    (1) Develop questionnaire and instructions as required.
      (a) Understand the need for appropriate design and distribution of questionnaires, including explanation of purpose, to participating departmental managers and staff.
    (2) Manage project kick-off meetings to distribute and explain the questionnaire.
    (3) Support respondents during completion of questionnaires.
    (4) Review completed questionnaires and identify those requiring follow-up interviews.
    (5) Conduct follow-up discussions when clarification and/or additional data is required.
  ii) Data collection via interviews.
    (1) Provide consistency with the structure of each interview being predefined and following a common format.
    (2) Ensure the base information to be collected at each interview is predefined.
    (3) Enable each interviewee to review and verify all data gathered.
    (4) Schedule follow-up interviews, if initial analysis shows a need to clarify and/or add to the data already provided.
  iii) Data collection via workshop.
    (1) Set a clear agenda and set of objectives.
    (2) Identify the appropriate level of workshop participants and obtain agreement from management.
    (3) Choose appropriate venue by evaluating location, facilities, and participant availability.
    (4) Facilitate and lead the workshop or identify an appropriate resource to do so.
    (5) Ensure workshop objectives are met.
    (6) Ensure all outstanding issues at the end of the workshop are identified and the appropriate follow up is conducted.

4) Gain the leadership agreement on BIA methodology and the criteria to be used.
  a) Identify and obtain agreement as to how potential financial and non-financial impact can be quantified and evaluated in each impact area.
  b) Identify and obtain agreement on requirements for non-quantifiable impact information in each impact area.

  c) Establish definition of the impact scale (e.g., high, medium, low) to be used during the data collection.
  d) Obtain agreement from management on final time schedule.
  e) Identify team members to participate in the BIA process.
    i) Work with the BIA sponsor to identify the major areas of the entity including potential third party service providers.
    ii) Working with the BIA sponsor to identify specific individuals to represent the major areas of the entity.
      (1) Collect and review existing organizational charts.
      (2) Identify functional management team members and appropriate third party provider representatives to participate in the data collection process.
    iii) Inform the selected individuals of the BIA process and its purpose.
    iv) Identify training requirements and establish a training schedule.
    v) Train knowledgeable functional management representatives.
  f) Conduct data collection.

5) Analyze the data collected against the approved criteria to establish RTO and RPO for each operational area and the technology that supports them.
  a) Based on the data collected, determine the prioritization of processes/services.
  b) Document interdependencies between each business process and the supporting infrastructure (data systems and related technology, supply chain management, third party partners and other resources).
    i) Intradepartmental
    ii) Interdepartmental
    iii) External relationships
  c) Determine the order of recovery for core and support business functions and technology.
6) Document minimum resource requirements for resumption and recovery of core and support business functions and their escalation over time.
a) Resource requirements to include:
i) Internal and external resources
ii) Owned versus non-owned resources
iii) Short versus long term resource needs
iv) Existing resources and additional resources required
(1) Key personnel
(2) Equipment
(3) Data
(4) Raw materials
(5) Other
b) Vital Records Management.
i) Document vital records in the entity, including paper and electronic, and establish when records will be needed during recovery.
ii) Evaluate existing backup and restoration procedures to identify any gaps between record recovery requirements and existing backup and restoration procedures.
c) Identify gaps between current recovery capabilities and requirements defined by the results of the BIA.
7) Prepare and present the BIA results to the entity’s leadership and gain acceptance of the RTO and RPO for each process as defined by the results of the BIA.
a) Prepare draft BIA report using initial impact findings and identified gaps.
i) Provide a statement of entity mission, goals and objectives.
ii) Summarize the impact to the mission, goals and objectives that may result from a disruption.
iii) Provide a prioritized list of the processes and services of the entity and the RTO and RPO that resulted from the BIA.
(1) Include a summary of resource requirements over time to recover and resume operations.
(2) Include a gap analysis between current capabilities to meet the defined RTO and RPO and the needed capabilities.
iv) Issue draft report to participating functional representatives and request feedback.
v) Review functional representative feedback and, where appropriate, revise findings accordingly, or add to outstanding issues.
vi) Schedule a workshop or meeting with participating functional representatives and third party provider representatives to discuss initial findings, when necessary.
vii) Ensure that initial findings are updated, as necessary, to reflect changes arising from these meetings.
b) Prepare final BIA report.
c) Prepare and submit formal presentation of BIA findings to entity’s leadership.
d) Gain acceptance of the RTO and RPO for each process as defined by the results of the BIA.

Professional Practice Four


Business Continuity Strategies

The data that was collected during the BIA and Risk Evaluation is used in this professional practice to identify available continuity and recovery strategies for the entity’s operations and technology. Recommended strategies must be approved and funded and must meet both the recovery time (RTO) and recovery point objectives (RPO) identified in the BIA. A cost benefit analysis is performed on the recommended strategies to align the cost of implementing the strategy against the assets at risk.

The Professional’s Role in Professional Practice Four is as follows:
1. Utilize the data collected during the BIA and Risk evaluation to identify the available continuity and recovery strategies for the entity’s operations that will meet the RTO and RPO identified during the BIA process.
2. Utilize the data collected during the BIA and Risk evaluation to identify the available continuity and recovery strategies for the entity’s technology that will meet the RTO and RPO identified during the BIA process.
3. Consolidate strategies where appropriate to reduce costs and/or complexity.
4. Assess the cost of implementing identified strategies through a cost/benefit analysis.
5. Recommend strategies and obtain approval to implement.

The Business Continuity Professional would demonstrate knowledge of this professional practice area by performing the following:
1. Utilize the data collected during the BIA and Risk evaluation to identify the available continuity and recovery strategies for the entity’s operations that will meet the RTO and RPO identified during the BIA process.
a. Review recovery requirements identified for each of the entity’s operations.
b. Identify alternative business continuity strategies. Potential options include but are not limited to:
i. Do nothing and repair or rebuild at time of disaster
ii. Develop manual workaround procedures
iii. Develop reciprocal agreements (more common in small business operations, public sector mutual aid agreements and manufacturing environments)
iv. Identify internal dual usage space that could be equipped to support recovery (conference rooms, training rooms, cafeterias, etc.)
v. Identify an external alternate site
vi. Contract with third party service providers / outsourcers
vii. Transfer workload to a surviving site
viii. Transfer staff and workload to a surviving site
ix. Suspend operations that are not time sensitive in a surviving site and transfer people/workload from the impacted site (displacement)
x. Build dedicated alternate site
xi. Have staff work from home
xii. Recovery strategies for manufacturing environments
1. Repair/Rebuild at time of disaster
2. Reciprocal agreements with other manufacturer
3. SKU prioritization
4. Customer prioritization
5. Utilize excess capacity in other plants
xiii. Strategies for the recovery of vital hard copy records and work in process to meet the RPO for these records and to ensure they are accessible following a disaster.
1. Photocopy
2. Scan
3. Fiche
4. Film
c. Review alternate site alternatives
i. Location
ii. Available space
iii. Suitability of space to need
iv. Communications capabilities (voice/data)
v. Equipment available
vi. Availability of raw materials
vii. Hardness of the site (redundant power, water, etc.)
d. Assess viability of alternative strategies against the results of business impact analysis/recovery time objectives
i. Compare solutions
ii. Advantages
iii. Disadvantages
iv. Costs (startup, maintenance & execution)
v. Mitigation capability and control options
vi. Ability to meet defined RTO and RPO
e. Develop preliminary cost/benefit analysis
2. Utilize the data collected during the BIA and Risk evaluation to identify the available continuity and recovery strategies for the entity’s technology that will meet the RTO and RPO identified during the BIA process.
a. Review recovery requirements identified for the technology that supports each of the entity’s operations.
b. Identify alternative technology recovery strategies. Potential options include but are not limited to:
i. Do nothing and repair or rebuild at time of disaster.
ii. Have business operations develop manual workaround procedures.
iii. Implement active/active technology environment through a dual data center eliminating the need for recovery.
iv. Implement active/passive technology environment for high availability of time sensitive technology providing for quick restart of the required technology.
v. Contract with third party service providers / outsourcers to provide technology recovery environment. This includes:
1. A traditional “Hot Site” contract with a vendor where the vendor provides the equipment to recover from their inventory
2. The entity puts their own equipment for recovery on the floor of the vendor’s data center
vi. Outsource the entire technology environment (cloud computing, etc.).
vii. Identify site where recovery would occur but build-out only HVAC and electrical capabilities and populate with technology at time of disaster (warm site).
viii. Identify site where recovery would occur but build-out only at time of disaster (cold site).
ix. Identify strategies for recovery of data in electronic form that meets the RPO established for these records and ensures they are available following a disaster.
1. Physical and Virtual Tape backup
a. Incremental
b. Full backup
c. Differential
2. Asynchronous replication
3. Synchronous replication
c. Review alternate site alternatives
i. Location
ii. Available space
iii. Suitability of space to need
iv. Communications capabilities (voice/data)
v. Equipment available
vi. Hardness of the site (redundant power, water, etc.)
d. Assess viability of alternative strategies against the results of BIA recovery objectives.
i. Compare solutions
ii. Advantages
iii. Disadvantages
iv. Costs (startup, maintenance & execution)
v. Mitigation capability and control options
vi. Ability to meet defined RTO and RPO
e. Develop preliminary cost/benefit analysis
3. Consolidate strategies where appropriate to reduce costs and/or complexity.
a. Identify where the same recovery strategy could be used to meet the requirements for multiple areas of operations (i.e. A single alternate site used for recovery of business operations from different buildings that are not expected to be impacted by the same event)
4. Assess the cost of implementing identified strategies through a cost/benefit analysis.
a. Estimate the cost of implementing and maintaining recovery for the identified recovery strategies
b. Validate that the recovery strategy being implemented is in line with the amount of business at risk (Example: you would not implement a million dollar recovery strategy to protect $100,000 of business)
5. Recommend strategies and obtain approval to implement.

Professional Practice Five


Emergency Preparedness and Response

This professional practice defines the requirements to develop and implement the entity’s plan for response to emergency situations that may impact safety of the entity’s employees, visitors or other assets. The emergency response plan documents how the entity will respond to emergencies in a coordinated, timely and effective manner to address life safety and stabilization of emergency situations until the arrival of trained or external first responders.

The Professional’s Role in Professional Practice Five is as follows:
1) Identify applicable emergency preparedness and response regulations.
2) Identify potential types of emergencies, scenarios that may occur and impacts that may result.
3) Identify the response capabilities needed.
4) Review existing emergency response procedures and assess capabilities to protect life, property, and the environment.
5) Recommend the development/improvement of emergency procedures.
6) Recommend the development and implementation of an incident management system for command, control, and coordination of personnel and resources during emergencies.
7) Review and coordinate emergency preparedness and response plans and procedures with trained, professional first responders

The Business Continuity Professional would demonstrate knowledge of this professional practice area by performing the following:
1) Identify applicable emergency preparedness and response regulations.
a) Health and safety
b) Fire prevention
c) Life safety
d) Homeland security
e) Environmental protection
f) Regulations promulgated by federal, state, provincial, county, parish, tribal or local levels of government
g) Regulations applicable because of:
i) Hazards on-site
ii) Size, height, or arrangement of a building
iii) Location (e.g., proximity to waterways)
2) Identify potential types of emergencies, scenarios that may occur and the impacts that may result
a) Natural, human-caused (accidental and intentional), and technological. For each type of emergency, identify potential scenarios that may result.
i) Origin or location (internal or external)
ii) Size or magnitude
iii) Area of impact
b) For each type of emergency, identify potential impacts including:
i) Casualties
ii) Property damage
iii) Operational interruption or disruption
iv) Environmental contamination
3) Identify the response capabilities needed.
a) Capabilities needed to protect life safety including:
i) Evacuation
ii) Sheltering
iii) Shelter-in-Place (i.e. exterior airborne hazard)
iv) Lockdown
v) Accounting for all persons affiliated with the organization and affected by the emergency
vi) Triage, treatment (first aid, CPR/automated external defibrillator), and transport of injured or ill
vii) Rescue including search and rescue
b) Capabilities needed to protect property including:
i) Supervision and manipulation of building systems and equipment including utilities, ventilation and air conditioning, fire detection and suppression, and communications and warning.
ii) Property conservation to prepare a facility for a forecasted event (e.g., orderly shutdown in advance of a hurricane) and to minimize damage with salvage and cleanup following an event.
iii) Firefighting (e.g., incipient fire brigade, coordinated planning with public fire department, fire extinguisher training, etc.)
c) Capabilities needed to prevent environmental contamination.
i) Documentation, supervision, and manipulation of process systems, containment systems, and other systems designed to contain hazardous materials on-site
4) Review existing emergency response procedures and assess capabilities to protect life and property.
a) Information Gathering
i) Identify the response capabilities required to protect life, property, and the environment for the types of emergencies, scenarios, and impacts identified.
ii) Identify and establish relationships with the internal departments and personnel and external agencies, contractors, and others with responsibility for emergency preparedness and response.
iii) Gather emergency response procedures from internal departments and those assigned responsibility for emergency response including environmental, health, safety, security, human resources, facilities management, and operations.
iv) Gather emergency response procedures and a description of emergency response capabilities from external sources including any building manager.
v) Contact public agencies (e.g., emergency medical services, fire department, law enforcement, rescue, hazardous materials team, emergency management agency, etc.) to identify requirements, practices, and resources, and to open lines of communication. (Also see Professional Practice Ten).
b) Resource Needs Assessment
i) Identify the resources needed to protect life, property, and the environment from the types of emergencies, scenarios, and impacts identified.
ii) Identify the internal and external personnel including public agencies, building managers, contractors, and others that are trained to respond to the emergencies identified.
iii) Identify the systems and equipment including detection, alarm, warning, communications, means of egress (i.e., exits), suppression, and containment systems available for emergency response.
c) Identify materials and supplies needed for emergency response.
d) Verify that mutual aid or partnership agreements are documented.
e) Assess the availability and capabilities of identified resources to determine whether the resources can be provided in a timely manner and are adequate to protect life, property, and the environment from the types of emergencies, scenarios, and impacts identified.
f) Review emergency response plans to determine whether the types of emergencies, scenarios, and impacts identified have been adequately addressed to protect life, property, and the environment.
g) Review emergency response plans to determine whether procedures adequately address hazard or threat monitoring, incident detection; prompt reporting to responsible person, department, and/or agency; plan activation; alerting of first responders (internal and/or external), warning of persons impacted or potentially impacted; and escalation as required to stabilize the incident.
h) Consult with public agencies (e.g., emergency medical services, fire department, law enforcement, rescue, hazardous materials, emergency management, etc.) to coordinate emergency preparedness and response as required by Professional Practice 10.
i) Document discrepancies and/or gaps between needs and capabilities.
5) Recommend the development/improvement of emergency procedures.
a) Report significant discrepancies between the procedures, resources, and capabilities required for emergency preparedness and the procedures, resources, and capabilities currently available to management.
b) Provide prioritized recommendations to address the discrepancies or fill the gaps.
c) Solicit management support and commitment for required resources. The goal of the program in order of priority should be to protect life, property, and the environment from the types of emergencies, scenarios, and impacts identified.
i) Protection of Life Safety
(1) Warning - Establish a capability to promptly warn persons at risk or potentially at risk from a threat or hazard. Warning systems should be compliant with applicable regulations and capable of being heard and understood.
(2) Protective Actions - Organize team(s) to evacuate, shelter, or shelter-in-place (from an exterior airborne hazard). Establish procedures for and a capability to warn persons at risk from security threats that may require lockdown.
(3) Rescue - Arrange for a competent rescue capability to provide rescue services if required by regulation based on the hazards on-site (e.g., permit-required confined space). Establish a search and rescue capability if required by the types of emergencies, scenarios, and impacts identified and the availability or capability of external resources is inadequate.
(4) Accountability - Establish a capability to account for the safety and well-being of all persons affiliated with the organization engaged in an incident or who may be affected by an incident.
(5) Medical - Ensure there is an internal and/or external capability compliant with regulations to promptly administer first aid or medical treatment and transport the sick or injured to a medical facility with the capability of treating injuries or illnesses that may occur at the facility.
(6) Counseling - Identify or provide access to mental health professionals who can provide counseling and related services following a traumatic incident.
(7) Security - Maintain or provide site, building, and/or area security for protection of personnel, physical assets, and information during and following an incident.
ii) Property Protection
(1) Establish capabilities, document plans, and provide required resources to prepare facilities for forecast events identified. These events may include but are not limited to natural hazards (flood, tropical cyclone, etc.) and warning for human-caused events (e.g., civil disturbances, etc.).
(2) Establish capabilities to supervise building systems, utilities, and equipment to stabilize an incident in conjunction with building management, public agencies, or others who may be involved with the incident. This includes documenting systems, utilities, and equipment, and ensuring competent persons are available to manipulate systems as required by the incident or as directed by the incident commander.
(3) Establish capabilities, document plans, and provide required resources to stabilize incidents identified that have the potential to damage property or interrupt or disrupt business operations. The goal is to safely protect facilities, equipment, and contents and minimize damage while or after actions are taken to protect life safety.
(4) Establish capabilities, document plans, and provide (internal or external) resources for salvage, cleanup, and loss mitigation following a property damage incident.
(5) Coordinate with or establish links to the operators of critical infrastructure (e.g., roads, bridges, utilities, etc.) to provide information regarding the capabilities, availability, and restoration of infrastructure required to operate the facility.
iii) Environmental Protection
(1) Compile an inventory of hazardous materials that includes location and quantity. Ensure that Material Safety Data Sheets (MSDS) have been compiled as required by “Right to Know” or Hazard Communication regulations and the sheets are immediately accessible to emergency responders.
(2) Establish capabilities as required by regulations and provide required resources to minimize the potential environmental impacts of the hazards identified. These events may result in spills of hazardous materials, ruptures of piping or tanks, failure of process systems that release hazardous materials, or loss of containment.
(3) Document process systems, tanks, piping, and/or containment of hazardous materials; establish procedures for preventing spills or releases; develop plans to stabilize an incident; and ensure competent persons are available to work in conjunction with building management, public agencies (e.g., hazardous materials response teams), contractors, or others who may be involved with the incident.
iv) Crisis Communications
(1) Coordinate crisis communications planning between the emergency preparedness and response plan and emergency organization with the Crisis Communications Program and crisis communications team described in Professional Practice 9 “Crisis Communications.”
(2) Identify a spokesperson authorized by management and capable of speaking on behalf of the organization to local audiences as part of the “public information” position of the incident management system and as part of any joint information center with public agencies.
v) Damage Assessment
(1) Emergency preparedness and response plans should include procedures for situation analysis and damage assessment in accordance with the entity’s incident management system.
(2) Identify qualified persons with knowledge of the organization and its facilities and operations to assess interruption/disruption of operations and property damage.
(3) Organize a damage assessment team and develop a method to facilitate prompt identification of damage and to assess interruption/disruption and protocols for communication of situation reports to management and others (e.g., business continuity organization, crisis management team, etc.).
6) Recommend the development and assist with the implementation of an incident management system for command, control, and coordination of personnel and resources during emergencies.
a) Incident Management System
i) Develop and assist with the implementation of an incident management system that defines organizational titles, roles, lines of authority, succession of authority, and responsibilities for internal and external resources (e.g., corporate/business unit, departments, managers, supervisors, public agencies, contractors, etc.).
ii) Protocols and procedures for escalation; the engagement of additional internal and external services; and procurement of additional resources should be addressed within the incident management system.
iii) The system should include policies and procedures for activation of the incident management system, opening of the emergency operations center, communications and coordination with on-scene incident command, and coordination of emergency preparedness and response activities with continuity and recovery activities.
iv) Incident management should include initial and periodic situation analysis and should be guided by an incident action plan to achieve the goals of protective actions for life safety, property protection, business continuity, and recovery.
b) Emergency Operations Center
i) A physical or virtual emergency operations center (EOC) should be established and equipped to facilitate coordination of response, continuity, and recovery activities.
ii) Communications capabilities (e.g., two-way radio, email, text messaging, pagers, landline and wireless voice and data communications, etc.) necessary to support incident management should be provided within the EOC. Communications capabilities should include the ability to gather information from internal and external sources, coordinate activities, and disseminate instructions and information.
iii) Communications during an incident should be documented.
iv) The EOC should be sized to house the anticipated number of persons; arranged to facilitate information gathering, processing, communications, and decision-making; and equipped to support occupancy for the duration of the types of emergencies and scenarios identified.
v) Security for the EOC should be implemented.
vi) Operating procedures should include identification, assignment, and scheduling of persons to fulfill emergency operations center functions and activities in accordance with the entity’s incident management system.
vii) Operating procedures should include management and operations of the EOC; communications protocols, procedures, and information flow; and closure of the EOC.
7) Review and coordinate whether emergency preparedness and response plans and procedures have been reviewed by, and coordinated with, first responders
a) Identify the documents (e.g., fire prevention, hazardous materials management plan, integrated contingency plan, spill prevention and countermeasures, EPA risk management plan, etc.) that must be submitted to public agencies to comply with regulations.
b) Determine whether emergency preparedness and response plans have been submitted to external public agencies (e.g., emergency services such as fire departments, emergency medical services, rescue service, hazardous materials response team or contractor, law enforcement, environmental authorities, and other regulatory bodies) identified in Table 1 to comply with regulatory requirements and others (e.g., building manager, tenants, etc.) for the purpose of coordination.
c) Assist with the coordination of response protocols, plans, and procedures with public agencies and external resources. Coordination should include response to, coordination during, and recovery from, an incident. Authorization to, and credentials for, facility access following an incident should be determined.

Table 1. Coordination of Plans with Public Agencies

| Agency | | Plan to be Reviewed |
|---|---|---|
| Fire Dept. | Local or county | Evacuation, fire, hazmat, rescue, bomb threat, suspicious package, special events |
| Local Emergency Planning Committee | Local or regional | Hazard materials response plan |
| Law Enforcement | Local, county, or state | Bomb threat, suspicious package, labor strife, civil disturbance, special events |
| Emergency Medical Services | Ambulance, paramedics, fire dept., private service | Medical emergencies, hazmat |
| Emergency Management | Local or county | Hurricane, tornado, earthquake, flood, regional disasters |

Professional Practice Six


Business Continuity Plan Development and Implementation

The Business Continuity Plan is a set of documented processes and procedures which will enable the entity to continue or recover time sensitive processes to the minimum acceptable level within the timeframe acceptable to the entity. In this phase of the Business Continuity Management Program, the relevant teams design, develop, and implement the continuity strategies approved by the entity and document the recovery plans to be used in response to an incident or event.

The Professional’s Role in Professional Practice Six is as follows:
1) Design, develop and implement agreed upon recovery strategies.
2) Design framework and define document structure for the plan documentation.
3) Coordinate the effort to document recovery plans for the entity’s operations and the technology that supports them.
4) Publish the plan documents.

The Business Continuity Professional would demonstrate knowledge of this professional practice area by performing the following:
1) Design, develop and implement agreed upon recovery strategies.
a) Work with the planning team to design, develop and implement recovery strategies for the entity’s operations.
i) Work with business partners and vendors as appropriate.
ii) Manage the budget for strategy implementation.
iii) Report progress to Steering Committee.
iv) Ensure required tasks are completed for plan implementation that may include the following:
(1) Acquiring specified / planned recovery/business continuity resources, e.g. additional equipment, system, supplies, services, etc.
(2) Execution of response/recovery/restoration/business continuity required contractual arrangements.
(3) Appropriate documentation access for plan-in-place.
b) Work with the technology planning team to design, develop and implement strategies for recovery of the entity’s technology.
i) Work with technology partners and vendor as appropriate.
ii) Manage budget for strategy implementation.
iii) Report progress to Steering Committee.
iv) Ensure required tasks are completed for plan implementation that may include the following:
(1) Acquiring specified / planned recovery/business continuity resources, e.g. additional equipment, system, supplies, services, etc.
(2) Execution of response/recovery/restoration/technology contractual arrangements.
(3) Appropriate documentation access for plan-in-place.
2) Design framework and define document structure for the plan documentation.
a) Determine how the plan will be organized and identify the teams needed to document the plans.
i) Organization – Decide how the plan will be organized.
(1) Enterprise-wide
(2) By site
(3) By business line
(4) By product line
(5) By service provided
(6) By technology
ii) Teams – individual experts needed to document recovery procedures. To include but not limited to:
(1) Business process experts from each process to be recovered
(2) Voice and data network
(3) Application support
(4) Storage management
(5) Equipment
(6) Human resource
(7) Finance
(8) Print and mail services
(9) Vendor management
(10) Records management
iii) Types of plans to be documented to include but not limited to:
(1) Strategic including succession planning
(2) Tactical
(3) Operational
(4) Emergency response
(5) Incident control and damage assessment
(6) Continuity and recovery
(7) Return-to-normal operations
iv) Planning Scenarios to be used during plan documentation may include but are not limited to:
(1) Short-term (less than 1 month outage)
(2) Long-term (more than 3 month outage)
(3) Local (Site or campus specific)
(4) Regional impact
(5) Enterprise-wide impact
(6) Cascading impact potential
b) Define Roles and Responsibilities for Plan Development.
i) Identify tasks to be undertaken.
ii) Create action plans / checklists for plan development.
iii) Develop timeline for plan completion.
iv) Review, evaluate and recommend tools e.g. planning software, database(s), or specialized software, templates, etc.
v) Develop templates to be used to acquire information on processes, technology matrices and flowcharts.
vi) Identify other supporting documentation needed.
vii) Ensure built-in mechanisms to facilitate maintenance, e.g. version control.
c) Define table of contents for the plan documentation which may include but is not limited to:
i) Introduction
ii) Policy Statements
(1) Business Continuity policies
(2) Confidentiality Statement
iii) Scope / Objectives
(1) Tied to organizational mission, goals and objectives and business continuity policies
(2) Identification of time sensitive operations and the technology that supports them covered in this plan document
iv) Assumptions/exclusions made during the planning process
v) Recovery team description, organizational structure, and the responsibilities of each team
vi) Plan activation procedures
(1) Event notification
(2) Event assessment process
(3) Declaration procedures
(4) Escalation and mobilization procedures
vii) Restoration and recovery procedures
3) Coordinate the effort to document recovery plans for the entity’s operations and the technology that supports them.
a) Emergency Plan / Incident Management Plan (see Professional Practice 5)
(1) Life safety procedures
(2) Incident command and control Procedures
(3) Roles and responsibilities
(4) Emergency Operations Center (EOC) location and activation
b) Damage assessment
(1) Initial damage assessment report to assist in decision process
(2) Full damage assessment
(a) Protecting site from further loss
(b) Economics of repair versus replacement
(c) Time to repair/replace versus plan activation
(d) Agreed upon restoration methods for business assets (e.g., equipment, electronics, documents, data, furnishings, premises, plant, computers, etc.).
(e) Approval process for restoration and the implications of warranties.
(f) Salvage process.
c) Crisis Management and Communication Plan (see also Professional Practice 5 and 9)
(1) Identify crisis management team.
(2) Procedures to transition from emergency response to crisis management and business continuity.
(3) Documented procedures for communication to stakeholders throughout event.
(a) Notification procedures
(b) Status updates
(c) Media Releases
(d) Targeted Communications (Stakeholder)
(i) Media
(ii) Employees and their families
(iii) Regulatory bodies, emergency first-responders, agencies, special hazmat services
(iv) Investor relations
(v) Labor relations
(vi) Relations with other involved groups (example(s) include customers, vendors, suppliers, etc.).
d) Recovery site activation.
(1) Declaration procedures
(2) Recovery infrastructure provided that may include:
(a) Administration/logistics
(b) New equipment or just-in-time drops
(c) Technical services and procedures, such as
(i) Communication networks (voice, data, wireless, etc.)
(ii) Data preparation
(iii) Application support
(iv) End user liaison
(d) Business operations
(e) Inter-site logistics and communications
(f) Production recovery process and procedure
e) Operational / Recovery Plans
(1) Recovery Teams
(a) Primary and alternates
(2) Logistics
(a) Travel and housing recovery staff
(b) Transporting data needed for recovery
(c) Procurement of additional resources
(3) Required Resources
(a) Desktop requirements
(b) Vital records
(c) Voice and data communications
(d) Key contacts / suppliers
(e) Equipment requirements
f) Business Continuity Plan
(a) Alternative ways to conduct business when normal resources are unavailable
(b) Business continuity processes, procedures and communication
(c) Mobilizing alternate resources
(d) Managing alternate resources
g) Technology Recovery Plans
(1) Recovery teams
(a) Primary and alternates
(2) Mobilizing resources
(a) Logistics
(i) Travel and housing recovery staff
(ii) Transporting data needed for recovery
(iii) Procurement of additional resources
(3) Required Resources
(a) Data and storage requirements
(i) SAN
(ii) NAS
(iii) Tape
(b) Voice and data communications hardware
(i) Network bandwidth
(ii) Phone switch
(iii) Call recording
(iv) Routers
(c) Hardware and software requirements
(i) Server
(ii) Mainframe
(iii) Tape drives/tape silo/virtual tape library
(iv) Application software
(v) Operating systems
(vi) Scheduling system
(vii) Source code
(viii)
(d) Infrastructure requirements
(i) Power/PDU
(ii) Generator/UPS
(iii) Cooling
(iv) Cabling
(v) Footprint
(vi) Security
(e) Information security requirements
(i) Firewalls
(ii) Authentication
(iii) Virus protection
(iv) Encryption
(f) Key contacts / suppliers
(g) Equipment requirements
(4) Technology recovery plan (supporting processes)
(a) Detailed step by step procedures
for recovery of technology
environment
(b) Application interdependencies
(c) Change management
(d) Problem management
(e) Testing/Exercise / Maintenance
(i) Exercise requirements
(ii) Scope, objectives and schedule
(iii) Plan maintenance program
4) Publish plan documents.
a) Provide final draft to plan development
teams / business process owners.
b) Obtain executive management sign-off.
i) Publish and distribute plans or portions
of the plans to everyone who has a
documented role. (The information
necessary for each participant to
execute their role).
c) Establish procedures for distribution and
control of plans, e.g. distribution list.
d) Establish procedures for distribution and
control of plan changes and updates.

Professional Practice Seven


Awareness and Training Programs

In this professional practice, a program is developed and implemented to establish and maintain awareness about the Business Continuity Management (BCM) Program and to train the entity’s staff so that they are prepared to respond during an event.

The Professional’s Role in Professional Practice Seven is as follows:
1) Establish objectives of BCM awareness and training program.
2) Identify functional awareness and training requirements.
3) Identify appropriate internal and external audiences.
4) Develop awareness and training methodology.
5) Identify, acquire or develop awareness and training tools.
6) Identify external awareness and training opportunities.
7) Oversee the delivery of training and awareness activities.

The Business Continuity Professional would demonstrate knowledge of this professional practice area by performing the following:
1) Establish objectives and components of BCM awareness and training program.
a) Obtain support of senior management.
b) Secure adequate budget.
c) Define program management approach and implementation timeframes.
d) Obtain commitment from managers and operational staff.
e) Align BCM training to recovery priorities.
2) Identify functional awareness and training requirements.
a) Identify and document the BCM roles and responsibilities requiring training.
b) Define the desired level of awareness based on responsibilities.
c) Identify desired level of expertise to be achieved through training.
3) Identify appropriate internal and external audiences.
a) Identify and prioritize internal groups and their awareness and training needs.
i) Management.
(1) Incident management training.
(2) Understanding BCM Program components.
ii) Team members (including all employees to be engaged at a basic level).
(1) How they will be notified of an event.
(2) Responding to specific threats or events.
(3) Knowing what to do when evacuated from the work site.
(4) Having knowledge of recovery plans and their role.
(5) New employee orientation.
(6) Training specific to their role.
b) Identify and prioritize external target groups.
i) Key stakeholders.
ii) Third parties.
4) Develop Awareness and Training Methodology.
a) Conduct awareness and training needs assessment.
i) Conduct awareness and training surveys or other means of assessing current state of awareness and readiness.
ii) Gain feedback through focus groups.
iii) Identify trends and new developments.
iv) Review previous tests/exercise results and gap analyses.
b) Benchmark current levels of awareness and readiness against desired levels.
c) Initiate plan to address awareness and training gaps.
d) Design the training process.
i) Identify delivery methods.
(1) Awareness campaigns.
(2) Web based training.
(3) Internal web site.
(4) Instructor led training.
(5) Scenario based training.
(6) Instructional guides and templates.
(7) Briefing papers, newsletters, bulletins, articles.
(8) Train the trainer sessions.
(9) Continuity and incident management exercises.
ii) Define training roles and responsibilities.
iii) Prioritize teaching points defining the BCM message to be assimilated.
iv) Select order and delivery methods.
5) Identify, develop or acquire awareness and training tools and resources.
a) Identify internal training resources.
b) Contract with external vendors for training.
c) Purchase training software packages.
d) Develop and implement BCM website.
e) Utilize social media tools (LinkedIn, Facebook, Twitter, YouTube etc.).
f) Develop and distribute brochures of frequently asked questions.
g) Create awareness posters.
h) Purchase and distribute awareness promotional items (magnets, pens, flashlights, etc.).
i) Develop training courseware.
6) Identify external awareness and training opportunities.
a) Conferences
b) Seminars
c) User groups and associations
d) White papers/publications
e) Regional networks and working groups
f) Industry sector working groups
g) Certification bodies
h) Formal academic education programs
i) Awareness special events
7) Oversee the delivery of training and awareness activities.
a) Schedule and deliver training activities.
b) Schedule and conduct awareness activities.
c) Monitor effectiveness of the awareness and training activities.
d) Review results and provide report to leadership on activities.

Professional Practice Eight


Business Continuity Plan Exercise, Audit, and Maintenance

The goal of this professional practice is to establish an exercise, testing, maintenance and audit program. To continue to be effective, a Business Continuity Management (BCM) Program must implement a regular exercise schedule to establish confidence in a predictable and repeatable performance of recovery activities throughout the organization. As part of the change management program, the tracking and documentation of these activities provides an evaluation of the on-going state of readiness and allows for continuous improvement to recovery capabilities and ensures that plans remain current and relevant. Establishing an audit process will validate the plans are complete and accurate and in compliance with organizational goals and industry standards as appropriate.

The Professional’s Role in Professional Practice Eight is as follows:
1. Establish an exercise/testing program.
2. Establish a plan maintenance program.
3. Identify or establish appropriate industry and/or organizational standards.
4. Establish a business continuity program audit process.
5. Communicate exercise/test/audit results and recommendations.

The Business Continuity Professional would demonstrate knowledge of this professional practice area by performing the following:
1. Establish an Exercise/Testing Program
a. Develop an exercise program that meets the entity’s continuity objectives.
i. Align with the entity’s strategy and tactical requirements.
ii. Provide a high level of confidence for the continuity and recovery of operations.
b. Obtain executive sponsorship for exercise/testing program development.
c. Develop a realistic, progressive and cost effective program.
i. Document the exercise/testing standards and guidelines to be used.
ii. Define exercise/testing program assumptions and limitations.
iii. Identify exercise types to be included that will create a comprehensive exercise program based on the recovery strategies implemented and the RTO and RPO defined by the entity for its operations. These may include operational, facility and technical exercises and testing such as:
1. Life safety exercises
2. Plan walk–through / tabletop review
3. Scenario based tabletop exercise
4. Call notification exercise
5. Alternate site exercise
6. Standalone platform, infrastructure or application recovery test
7. Full end to end functional exercise of an operation or technology
8. Comprehensive exercise of all recovery strategies required to recover the time sensitive operations and technology from a single site
9. Integrated technology exercise with internal and external interdependencies
iv. Identify participants, roles and responsibilities in the exercise/test program.
1. Recovery team(s)
2. Observers/reporters
3. Time keepers
4. Auditor/reviewers
5. Facilitator
6. Suppliers
7. Out-sourced services and providers
v. Define exercise program objectives and select appropriate scenarios.
1. Approximate the types of incidents the organization is likely to experience. Include suitable activities to exercise various facets of the recovery strategies, example(s):
a. Technical - Does the equipment work?
b. Procedural - Are the procedures correct?
c. Logistical - Can people access the recovery facility and execute their recovery procedures?
d. Timelines - Can the required RPO/RTOs be achieved?
vi. Determine exercise requirements for each exercise to be conducted.
1. Define and document exercise objectives
2. Define and document in-scope/out-of-scope requirements
3. Define exercise notification process.
a. Announced/planned
b. Unannounced/surprised
vii. Schedule exercises/tests to be conducted.
1. Develop a multi-year progressive schedule building on lessons learned and mastery of recovery processes.
2. Develop specific schedule for exercises and tests to be conducted on an annual basis or as frequently as necessary to ensure competency and to meet regulatory requirements.
viii. Define and document evaluation criteria aligned with exercise objectives and scope:
1. Quantitative
2. Qualitative
ix. Identify pre exercise activities
1. Identify resources required to conduct the exercise.
2. Identify participants (example(s): business unit contacts, IT representatives, umpires, adjudicators, etc.).
3. Ensure all understand the objectives of the exercise and their roles.
4. Provide an inventory of hardware, software and physical assets required for the exercise (examples: PC/laptop, Security access, telephone, applications, printers, etc.).
5. Document and communicate specifications for the exercise environment.
6. Specify production vs. test environments.
7. Time for test business day vs. weekend.
8. Provide a timetable of events and circulate to all participants, facilitators and adjudicators.
9. Establish “back-out” or test/exercise cancellation plan.
x. Conduct exercise.
1. Should an incident occur during an exercise you should have a predetermined mechanism for cancelling the exercise and invoking the actual continuity process.
2. Record exercise process.
3. Document exercise results via the activation and maintenance of the issues log.
4. Declare end of exercise.
5. Shut down procedures.
6. Perform clean-up activities.
xi. Identify post exercise activities.
1. Conduct debriefing sessions to review exercise results and identify actions for improvements.
2. Post-exercise reporting.
3. Provide a comprehensive summary with recommendations.
4. Document action plan report.
5. Identify open issues.
6. Identify actionable items with responsibilities and timeframes for resolution.
7. Monitor (and escalate where necessary) progress to completion of agreed actions.
8. Communicate exercise results.
9. Document lessons learned.
10. Document expected versus actual results.
11. Document unexpected results.
2. Establish plan maintenance program.
a. Define plan maintenance method and schedule.
i. Define ownership of plan data.
ii. Prepare maintenance schedules and review procedures.
iii. Select maintenance tools.
iv. Monitor maintenance activities.
v. Establish plan update process.
vi. Ensure that scheduled plan maintenance addresses all documented recommendations.
b. Define change control process
i. Analyze business changes with planning implications.
ii. Develop change control procedures to monitor changes (utilize existing change control process if already in place).
iii. Create proper version control; develop plan re-issue, distribution, and circulation procedures.
iv. Identify plan distribution lists for circulation.
v. Develop a process to update plans based on response to audit findings.
vi. Set guidelines for feedback of changes to planning function.
vii. Implement change control process.
3. Identify or establish appropriate standards.
a. Review appropriate industry (NFPA, ISO, ANSI, etc.) and national/international (US, British, Australian, etc.) standards.
b. Review process owner expectations based on industry standards and organizational as well as “client” service expectations.
c. Develop an organizational standard with a recurring review and enhancement/continuous improvement process.
d. Based on industry and/or national/international standards as well as organizational and/or client expectations.
e. Frequency and scope appropriate for the organization.
f. Approved by leadership.
4. Establish a business continuity program audit process.
a. Define schedule for self-assessment audit.
b. Prepare to support other audits which may occur.
i. Internal audit
ii. External audit
iii. Second-party audit
c. Document audit standards and guidelines.
i. Select/develop any needed audit tools.
ii. Establish audit schedule.
iii. Conduct/monitor audit activities.
iv. Audit the plan structures, contents, and action sections.
1. Audit program requirements, documents and standards.
2. Audit templates and plan.
3. Audit test requirements and results.
4. Audit repository for plan and test results.
5. Audit the plan documentation control procedures.
6. Audit version control process and documentation.
7. Audit distribution lists and associated processes.
8. Audit change control process.
v. Review management response to audit findings.
vi. Confirm responses have been submitted and action plans documented.
vii. Verify completed actions have been captured in the plan and supporting documentation.
5. Communicate exercise/test/audit results and recommendations.
a. Identify appropriate stakeholders.
i. Process owners
ii. Governance coordinators
iii. Senior leadership/operations oversight
b. Select appropriate communication methods and communicate in a timely manner.
i. Reporting level of detail
ii. Where appropriate, consider graphic representations or comparison reports targeted by audience
c. Establish a feedback/validation loop to confirm appropriate actions have been taken as a result of reported findings.
i. Issues tracking
ii. Date item opened
iii. Owner of issue
iv. Date item closed

Professional Practice Nine


Crisis Communications

This professional practice provides the framework to identify, develop, communicate and exercise a crisis communications plan to address how communications will be handled by the entity before, during and after an event. The crisis communications plan is developed collaboratively with the entity’s public information and internal information resources where they exist to ensure consistency of the entity’s communications. The plan will address the need for effective and timely communication between the entity and all the stakeholders impacted by an event or involved during the response and recovery efforts.

The Professional’s Role in Professional Practice Nine is as follows:
1) Design, develop and implement a crisis communications plan.
2) Communicate and train stakeholders on roles and responsibilities for the crisis communications plan.
3) Exercise the crisis communications plan.
4) Maintain the crisis communications plan as defined in Professional Practice 8.

The Business Continuity Professional would demonstrate knowledge of this professional practice area by performing the following:
1) Design, develop and implement a crisis communications plan.
a) Identify existing public information and internal information resources within the entity.
b) Collaborate with public information and internal information resources to design the plan.
i) Define objectives, scope and plan structure.
ii) Review the organization’s existing crisis communications plan.
iii) Identify and document gaps in the existing plan.
iv) Using results of the Risk Assessment in Professional Practice 2, identify potential events for which communications should be planned.
v) Establish roles and responsibilities for the crisis communication team.
(1) Use EOC as a location to control what message goes out and when
(2) Internal information
(3) Public Information
(4) Media spokesperson
vi) Identify all stakeholders to be considered during the development of the crisis communication plan and the appropriate spokesperson for each stakeholder.
(1) Employees and their families
(2) Customers
(3) Vendors and suppliers
(4) Board of Directors
(5) Investors
(6) Media
(7) Community leaders
(8) Outsourced operations
(9) Local responding authorities
(10) Regulators
(11) Labor organizations
(12) Competitors
(13) Industry bloggers
c) Determine how stakeholders will be quickly and effectively notified of an incident.
d) Provide guidance within the plan to determine frequency of communications needed to each stakeholder before an event, during the event itself and following an event.
e) Identify most effective methods for communicating with identified stakeholders before, during and after an event.
i) Notification systems
ii) Email and group distribution lists
iii) Conference call
iv) Intranet
v) Press conference
vi) Event information line
vii) Media sources
(1) Print
(2) Radio
(3) TV
(4) Internet
(5) Social media sites
(a) Facebook
(b) Twitter
(c) LinkedIn
(d) Blogs
f) Establish guidelines for quickly identifying the context of an event, its potential impacts and its stakeholders.
g) Establish guidelines for initial communication to be taken following an event and the intended (and potential unintended) consequences.
h) Identify and assign members to the crisis communication teams identified in the plan.
i) Develop guidelines for communications with the entity’s emergency response operations.
j) Prepare pre-scripted messages based on possible events
k) Document the plan.
2) Communicate and train stakeholders on roles and responsibilities defined in the crisis communications plan.
a) Distribute the crisis communication plan to everyone who has a role within the plan.
b) Provide training to those who have a role within the plan.
i) Provide media training to anyone who is expected to communicate with the media.
c) Communicate to internal stakeholders on plan.
i) Available communication methods and how they will be used for notification.
ii) How to respond to notifications.
iii) How to respond to requests for information from external sources.
iv) Where to get information.
3) Exercise the Crisis Communications Plan.
a) Establish crisis communication plan exercise schedule consistent with the guidelines in Professional Practice 8.
i) Consider conducting an exercise during other BCM exercises.
b) Determine methods of testing the crisis communication plan.
c) Develop scenario, scope and objectives for each exercise.
d) Conduct a lessons learned session after the exercise and document the action items.
4) Update the crisis communication plan based on results of exercises and in accordance with the plan maintenance schedule established in Professional Practice 8.

Professional Practice Ten


Coordinating with External Agencies

This professional practice defines the need to establish policies and procedures to coordinate response, continuity and recovery activities with external agencies at the local, regional and national levels while ensuring compliance with applicable statutes and regulations.

The Professional’s Role in Professional Practice Ten is as follows:
1. Identify and establish emergency preparedness and response procedures in accordance with Professional Practice Five.
2. Identify applicable emergency preparedness and response regulations and the agencies having jurisdiction over the organization’s facilities and operations.
3. Coordinate emergency preparedness and response procedures with external agencies.

The Business Continuity Professional would demonstrate knowledge of this professional practice area by performing the following:
1. Identify and establish emergency preparedness and response procedures in accordance with Professional Practice 5.
2. Identify applicable emergency preparedness and response regulations and the agencies having jurisdiction over the organization’s facilities and operations.
a. Identify applicable emergency preparedness and response regulations in accordance with Professional Practice 5.
b. Identify regulatory agencies having jurisdiction over the organization’s facilities and operations. Agencies may include building officials, fire marshals, law enforcement, environmental compliance, code enforcement, emergency management, homeland security, industry regulators or others.
c. Identify the authority of regulatory agencies to order regional, site, or building evacuation, and obtain, if available, credentials for priority access to facilities following an incident.
d. Identify requirements for submittal of information about the facility (i.e., “preincident plans”) including a description of its occupancy, hazards, building construction, utility systems, protection systems, and emergency preparedness and response procedures.
e. Identify requirements for periodic facility inspections; observation of tests of building systems and/or equipment; conducting evacuation or shelter drills; and the required scope and frequency of training and exercises.
f. Identify requirements, thresholds (i.e., quantity or duration), and timeframes for mandatory reporting of incidents including impairments to protection systems, fires, injuries, fatalities, hazardous materials spills or releases, and other conditions or incidents.
g. Develop or update emergency preparedness and response procedures to comply with laws, regulations, ordinances, and the requirements of regulatory agencies.
h. Disseminate information to appropriate management and team members.
3. Coordinate emergency preparedness and response procedures with external agencies.
a. Identify first responders to the organization’s facilities. First responders may be called for fires, hazardous materials spills or releases, rescue, emergency medical services, law enforcement issues, utility outages, or situations affecting facility access or transportation services (e.g., roads, bridges, tunnels, or private rail sidings). Responders may be public, contracted, volunteer, or provided as part of mutual aid or partnership agreements.
b. Assess the availability (i.e., response time) and capabilities of first responders in accordance with Professional Practice Five. “Needs Assessment.”
c. Develop and document emergency alerting procedures (e.g., automatic via fire alarm, telephone, etc.) and notification protocols or requirements (mandatory reporting of spills, injuries, etc.).
d. Identify representatives from first responder agencies and establish an open dialogue.
e. Invite first responders to tour the organization’s facilities to develop a “preincident plan”.
f. Identify and document emergency preparedness and response roles and responsibilities for the types of emergencies, scenarios, and impacts identified in Professional Practice 5.
g. Develop procedures for establishing an incident command post where responding agencies can meet the organization’s incident commander to unify command under the incident management system used. Document the role and responsibilities of the organization’s staff working within the incident management system used. (See Professional Practice 5).
h. Coordinate, conduct, and/or participate in training, drills, and exercises with first responders to comply with regulations, as needed to establish required capabilities, and/or as requested by first responders.
i. Conduct a debrief meeting immediately following training, drills and exercises and document actions to be taken to improve emergency preparedness and response capabilities.
j. Document the exercise and improvement plan and provide copies to management and team members.
k. Update emergency preparedness and response plans using the improvement plan and lessons learned from training, drills, and exercises

Table 2. Coordination of Plans with Public Agencies

| Agency | | Plan to be Reviewed |
|---|---|---|
| Fire Dept. | Local or county | Evacuation, fire, hazmat, rescue, bomb threat, suspicious package, special events |
| Local Emergency Planning Committee | Local or regional | Hazard materials response plan |
| Law Enforcement | Local, county, or state | Bomb threat, suspicious package, labor strife, civil disturbance, special events |
| Emergency Medical Services | Ambulance, paramedics, fire dept., private service | Medical emergencies, hazmat |
| Emergency Management | Local or county | Hurricane, tornado, earthquake, flood, regional disasters |
