Professional Documents
Culture Documents
Types of Situations Covered by This Guide
Types of Situations Covered by This Guide
Types of Situations Covered by This Guide
CONTENTS
INTRODUCTION ...........................................................................................................................3
Business Continuity and Disaster Recovery .......................................................................... 3
Protecting Value................................................................................................................... 4
Design for Resilience – a BCM Model.................................................................................. 4
The Ten Professional Practices ............................................................................................. 7
Summary .......................................................................................................................... 8
THE BCP DEVELOPMENT PROCESS........................................................................................9
Levels of Involvement in the Process .................................................................................... 9
Roles and Responsibilities .................................................................................................. 10
The SevenStep BCP Development Process ........................................................................ 11
STEP 1 – PROJECT INITIATION MEETING ...........................................................................12
1.1 Objectives....................................................................................................... 12
1.2 Meeting Agenda ............................................................................................. 12
STEP 2 – KICKOFF MEETING .................................................................................................14
2.1 Objectives....................................................................................................... 14
2.2 Meeting Agenda ............................................................................................. 14
2.3 Future Meetings.............................................................................................. 15
STEP 3 – STRATEGY MEETING ...............................................................................................16
3.1 Objectives....................................................................................................... 16
3.2 Meeting Agenda ............................................................................................. 16
STEP 4 – VALIDATION MEETING............................................................................................17
4.1 Objectives....................................................................................................... 17
4.2 Meeting Agenda ............................................................................................. 17
STEP 5 – WRITING THE PLAN..................................................................................................19
5.1 Objectives....................................................................................................... 20
5.2 Methodology .................................................................................................. 20
5.3 Modular Plan Development ............................................................................ 20
5.4 The Entity BCP .............................................................................................. 21
5.5 Coordinator’s Role ......................................................................................... 27
STEP 6 – FINAL MEETING.........................................................................................................28
6.1 Objectives....................................................................................................... 28
6.2 Meeting Agenda ............................................................................................. 28
STEP 7 – PLAN MAINTENANCE AND EXERCISING.............................................................29
7.1 Maintenance ................................................................................................... 29
7.2 Exercising....................................................................................................... 29
THIRDPARTY RESOURCES.....................................................................................................30
SITE CRISIS/INCIDENT MANAGEMENT TEAMS .................................................................30
APPENDICES................................................................................................................................31
A.1 Summary of Entity Strategic Objectives.......................................................... 31
A.2 List of Entities for BCP Development ............................................................. 32
A.3 Preliminary List of Strategies, Resources and Costs ........................................ 33
A.4 Summary of Strategy Evaluation..................................................................... 34
A.5 Business Continuity Worksheet ...................................................................... 35
A.6 Entity Business Continuity Template .............................................................. 37
Page 2 of 42
Guide to Practical Business Continuity Planning
INTRODUCTION
One of the most frequently asked questions by those attempting to develop a business continuity
plan (BCP) is, “How do I start?” FM Global has developed this guide as the practical, planning
focused element of our business continuity management (BCM) toolkit: an array of services and
products that address this question.
It’s important to understand that BCM is much more than writing a BCP, and there are a number
of stages that an organization needs to go through before and after the plan development stage.
Consequently, this guide should not be viewed as a starting point for BCM, nor as a standalone
resource, but primarily as a collection of guidelines and templates to assist the business
continuity planner. Excellent documents in the public domain provide detailed information on
the context of planning within BCM. These include the Good Practice Guidelines (
www.thebci.org) and the Professional Practices for Business Continuity Professionals (
www.drii.org), authored by the Business Continuity Institute (BCI) and the Disaster Recovery
Institute International (DRII) respectively, two of the most prominent authorities in this field.
Nonetheless, we have included some background information to enable you to put business
continuity planning into context, because we believe a sound understanding of BCM basics is
essential to building effective plans. This information is drawn both from our experience and
from the public domain, particularly the BCI and DRII (FM Global has no connections with
these two organizations and their appearance here does not constitute a recommendation or
endorsement by us).
This manual is made available for informational purposes only in support of the insurance relationship between FM Global and its clients. This
information does not change or supplement policy terms or conditions. The liability of FM Global is limited to that contained in its insurance policies.
Page 3 of 42
Guide to Practical Business Continuity Planning
Although there is inevitably some overlap in these two concepts, this guide focuses on the
development of the BCP, rather than DRP.
Protecting Value
Businesses generally exist to deliver products and services to markets in order to generate value
for stakeholders. The effective delivery of these products and services is enabled by a number of
processes, which exist both inside and outside the organization. Within this context and this
document, we are defining a process very broadly – it can be a person or group of people, an
activity, an asset, a function, a supplier – essentially a discrete enabler of the business model.
Within any business, certain products and services will be deemed critical to continued success
because they generate (or support the generation of) a large proportion of value for the business,
or they may do so in the future. It follows that the processes that enable the delivery of the
critical products and services will themselves be considered critical to the business.
The failure of a critical process, for any reason, could potentially stop the delivery of products
and services, resulting in a reduction in the value generated for stakeholders. Consequently, a
business needs to protect these critical processes to ensure they are able to withstand disruption
to continue delivery of services. The business must, therefore, be sufficiently resilient to achieve
this objective.
a holistic management process that identifies potential impacts that threaten an organization
and provides a framework for building resilience and the capability for an effective response
that safeguards the interest of its key stakeholders, reputation, brand and value creating
activities.
It is a framework that combines various elements of disaster recovery, risk management and
related disciplines, which can ultimately lead to an actionorientated document, the BCP. The
BCP is derived from conclusions and assumptions drawn from informationgathering activities,
risk assessments and assigning roles and responsibilities to key individuals that ensure the
development and implementation of appropriate recovery strategies to achieve specific
objectives.
When contemplating business continuity, many organizations fail to recognize there is plenty to
do before developing the plan. For example, Protecting Value makes it clear that some work
must be done in order to establish which are the critical products, services and processes.
Design for Resilience is a framework for developing and managing business continuity.
Page 4 of 42
Guide to Practical Business Continuity Planning
Design for Resilience represents the ideal that an organization ultimately aspires to internalize
business continuity to the extent that strategic decisions about the design of the organization –
such as the development of new products, services and markets – are influenced by
consideration of how to ensure that the critical enabling processes are resilient from their very
conception. In order to achieve this aspiration, the organization must undertake an iterative
process of analysis, planning and implementation.
Strategy
It is essential that senior executive support and sponsorship are secured at the outset of the
BCM process. Given the strategic nature of business continuity, the lack of such support is
likely to result in failure.
Culture
Not only must business continuity be supported at the executive level, it also needs to be
owned throughout the organization. Communication of the benefits of business continuity
must be organizationwide – the development and implementation of business continuity
strategies and plans will take place at the tactical and operational level, so buyin is critical.
Page 5 of 42
Guide to Practical Business Continuity Planning
ª Testing of all components of the plan to ensure that the desired result is achieved
ª Clarification of roles and responsibilities and communication between participants
Page 6 of 42
Guide to Practical Business Continuity Planning
In addition to exercising and auditing the plan, changes must be made to respond to changes
in key processes. Organizations are dynamic, and a plan can quickly become out of date in
today’s fastpaced business environment. Design for Resilience is an iterative management
process, not simply the oneoff development of a set of plans.
Page 7 of 42
Guide to Practical Business Continuity Planning
Crisis Communications
Develop, coordinate, evaluate, and exercise plans to communicate with internal stakeholders
(employees, corporate management, etc.), external stakeholders (customers, shareholders,
vendors, suppliers, etc.) and the media (print, radio, television, Internet, etc.).
Summary
The Design for Resilience model can be viewed as the recipe of how to implement BCM in an
organization, whereas the Professional Practices could be viewed as the BCM ingredients. More
detail on the Professional Practices, along with a wealth of other BCMrelated information, is
provided on the websites of the DRII and BCI organizations.
The remainder of this document presents what we believe to be a practical approach to
developing BCPs within the context of the model and the Professional Practices. It is intended
to provide general guidance and introduce basic BCM/BCP terms and concepts. Implementing
BCM in an organization can be a very complex matter and further information can be obtained
from numerous sources to help with specific situations. This guide is not intended to address all
needs organizations may have when it comes to implementing BCM in their business or to
develop all types of BCPs.
Page 8 of 42
Guide to Practical Business Continuity Planning
Page 9 of 42
Guide to Practical Business Continuity Planning
However, it should be recognized that the topics at each level in the process will differ in
importance. In general, those entities at the top of the hierarchy will be more focused on
establishing the strategic objectives, whereas the entities in the lower hierarchy will be focused
on activities to implement the strategy. In all cases, the critical activities within each entity level
must be aligned to support the overall strategic objectives of the company’s top level in the
hierarchy as a whole.
Once entity level plans are developed, they should be reviewed and coordinated at the entity
level above and below in the hierarchy to ensure they are consistent, and that interdependencies
between internal and external service providers are addressed for each level.
Role Responsibilities
· Designate a business continuity coordinator with the responsibility and authority for
leading the development of continuity plans.
· Meet with the continuity coordinator to determine the best process for developing
Senior continuity plans at the site.
· Designate which organization entities and managers responsible should participate in
Entity the business continuity planning process.
Manager · Provide the necessary incentives and resources to assure the business continuity
planning process is successful.
· Communicate the toplevel strategic objectives that have been developed, and the
objectives the entity plan must achieve through the BCP.
· Help identify critical functions and service supplier entities within the organization that
underpin the achievement of the given objectives.
Senior
· Work with the business continuity coordinator to ensure each entity within the
Operational organization develops plans for its own critical functions and suppliers.
Managers · Help identify and address dependencies between plans.
· Approve each plan created within each entity.
Senior · Designate entity members to develop their BCP within an agreed time frame.
Department · Work with other entities to address interdependencies and common issues.
Managers · Approve a specific BCP for the entity.
· Become familiar with the business continuity planning process as put forth by
business continuity industry standards (see DRII and/or BCI referenced within this
document).
Business · Lead the site’s business continuity planning process.
Continuity · Work with each entity level within the organization to assure individual BCPs are
Coordinator completed and consistent.
· Coordinate continuity plans within the site, and for the business as a whole.
· Ensure each plan is consistent and aligned with the overall objectives of the business,
as well as integrated with both internal and external supplier dependencies.
Page 10 of 42
Guide to Practical Business Continuity Planning
This process should be applied at each entity level, beginning at Level 1. At each lower
entity level, as indicated in Section 2.1, the process should be extended to separate entities
at each level that could impact the business objectives.
Page 11 of 42
Guide to Practical Business Continuity Planning
1.1 Objectives
ª Develop an understanding of how business continuity planning applies throughout the
company.
ª Set the strategic objectives of the top entity level 1. For lowerlevel entities, establish the
strategic products or services from within the entity that impact the level1 objectives as
the focus of the entity’s BCP.
ª Determine the steps necessary to have a business impact analysis performed for the entity
levels (if not already completed).
Page 12 of 42
Guide to Practical Business Continuity Planning
ª If there are a number of major entities, each may coordinate its own plans, and rollup
all the plans into the next level of hierarchy using the same process.
Based on the objectives developed, list the entities participating in the BCP development in
Appendix A.2.
Page 13 of 42
Guide to Practical Business Continuity Planning
2.1 Objectives
ª Confirm and agree on the process and resources that will be required to complete a BCP
for the entity.
ª Agree on a timeline to have a business impact analysis (BIA)/risk assessment (RA)
completed, if not already available. This will be used to identify and quantify threats,
interdependencies and exposures to critical functions within the entity.
ª Confirm the assumptions under which the entity’s BCPs will be developed.
ª Schedule meetings for each critical function, or activity.
ª Enter the discussion minutes and conclusions into the relevant sections in the Worksheet
Comments, Section 1, Appendix A.5.
Page 14 of 42
Guide to Practical Business Continuity Planning
It evaluates how the disruption of various functions or suppliers would affect the company
as a whole. The entity can then focus its BCPs on its critical functions or suppliers.
The model below shows the integration of three key components to generate the BIA.
It should be appreciated that a BIA is an indepth study of an organization’s activities. The
process is likely to take months rather than days, but is absolutely necessary to ensure the
development of an overall business continuity framework.
Assumptions
Assumptions help define the context within which each entity’s BCP will be developed.
Assumptions should be realistic and give all teams a common starting point for their plans.
Choose the ones that apply to the entity, and add any others needed to create a list of
assumptions that make the most sense. Enter all assumptions in Section 1.4 of Appendix
A.5.
The group should agree on the timeline for individual meetings, and on a date to reconvene for
a review of individual strategies once all meetings are completed.
Page 15 of 42
Guide to Practical Business Continuity Planning
3.1 Objectives
ª Review the BIA and agree on the key areas of the entity that should be safeguarded.
ª Review the risk assessment to identify what would most likely cause an interruption of
the entity’s operations.
ª Review the conclusions from the entity’s kickoff meeting, verify that the conclusions are
valid, and revise them as necessary.
ª Analyze options for operating in continuity mode, and choose a preliminary strategy.
Purpose of Meeting
Review the purpose of the project and ensure that the participants understand the objectives
of the meeting. The ultimate objective at this stage is to identify appropriate strategies for
each critical process within the entity. You may need to review some of the material from
the kickoff meeting to validate the purpose of the project.
It is not necessary to create detailed procedures or equipment lists at this time. This will be
done after the strategy is approved by senior management.
At this point, Section 1: Objectives and Strategies Worksheet of the Entity Worksheet for
Business Continuity Planning (see Appendix A.6) should be complete. The entity head
should take this information to the entity’s senior management for review before proceeding
further. That process is covered in the next part of this guide.
Page 16 of 42
Guide to Practical Business Continuity Planning
4.1 Objectives
ª Review the results of individual meetings.
ª Discuss strategies chosen, and identify possible conflicts.
Entity Results
Individual entity managers should summarize the results of their individual meetings. The
following should be covered:
ª The entity’s key internal and external customers
ª The maximum acceptable time for an interruption of the entity’s critical systems or
operations (RTO/MTO) for the strategic products or services
ª A preliminary estimate of resources and costs for implementing the chosen strategies
Senior management should summarize the overall results of the individual strategies and
approve the strategies for the company as a whole.
Discussion
At this point it is important for all entities to discuss how their business continuity strategies
fit together with senior managers. Are there any conflicts? Do the time lines and
expectations of one fit the needs of the others? Are there any differences perceived in
customer requirements, or dependencies, or minimum operating requirements for the
strategies to succeed?
The costs and benefits of various strategies also should be discussed. If senior management
approval of the cost is necessary, it should be obtained at this time.
Page 17 of 42
Guide to Practical Business Continuity Planning
The ultimate goal of this discussion is for all entities, along with the company’s senior
managers, to agree on, and approve, the strategies to be implemented by the business
entities.
The entities should also discuss a coordinated process for activating their plans. This should
include establishing the criteria for invocation of the plan, designating a specific person to
interface with the incident management teams to receive the notification in the event of
crisis and the authority for invoking.
The coordinator should note any discrepancies or questions that need to be answered, so that
a concrete action plan can be developed in the Next Steps portion of the meeting. The
coordinator should also point out any items that may indicate trouble spots or pitfalls for the
group as a whole. These may be listed as ‘red flags,’ with action items to resolve each one.
Next Steps
The following steps should be agreed:
ª Schedules and deadlines should be agreed upon for completing each entity’s BCP.
A date should be set for the final meeting with senior management (the final meeting is
covered in Step 6 of this guide).
Page 18 of 42
Guide to Practical Business Continuity Planning
It should be recognized that there may be distinct responsibilities for separate entities within a
company, depending on the size and structure of the business. Separate disaster recovery and/or
emergency response plans may be prepared for separate entities within a company, in addition
to the entity based BCP. For example, the response to specific causes or events at a facility may
be the sole responsibility of a facilities or engineering department within larger organizations,
whereas it could be incorporated into the response for a business entity within smaller
companies. Generally, these actions and activities should be contained in the location’s specific
incident emergency response, or disaster recovery plan.
The BCP development methodology ensures all stages of an unforeseen event are catered for
through a process of managed escalation. By designing the overall plan in a modular format,
where each entity level within the company represents a separate module, and including a
similar content for each plan, a consistent approach to referencing essential information can be
achieved.
The completion of the entity plan focuses on the development of procedures necessary to
implement the criteria established in Section 5.2 and in Appendices A.1 and A.2. This section
outlines what must be considered for each section of the BCP document.
Key assumptions in the writing of the final plan include the following:
ª A business impact analysis (BIA) and a risk assessment have been completed, and all
necessary critical criteria for the business to survive have been identified;
ª Essential recovery strategies based on the strategic objectives of the toplevel entity have
been established and approved;
ª Activities, roles and responsibilities and personnel for all entities, from suppliers to
ultimate customers have been identified.
Page 19 of 42
Guide to Practical Business Continuity Planning
5.1 Objectives
ª Correlate information for inclusion in the entity’s final plan.
ª Identify and document the actions required to implement the strategies.
5.2 Methodology
There is no right or wrong way to lay out the individual entity plan. There are many publicly
available designs from various business continuity sources that can be considered. These can
range from simple word documents to sophisticated online software. Each method has benefits
as well as disadvantages. The important feature is that the selected option must reflect the needs
of the company and be structured accordingly for simple reference.
For all companies, however, the plan must be an actionoriented document that enables the
strategic objectives of the company to be achieved in the event of disruption and defines the
roles and responsibilities of those key persons who are expected to implement the response. In
most cases, the plan should only contain action statements and not include discussion,
description or judgment comments normally restricted to the business impact analysis or risk
assessments. The conclusive action statements can be developed from an analysis of the
completed worksheets from each entity meeting.
Small companies may only require a simple, single plan document that reflects the number of
staff and size of the enterprise, with relevant actions for the mitigating strategies. Larger
companies may need more detailed modular plans that reflect the actions required of each key
business unit, and which need to be integrated within the multiple disciplines of the organization
to ensure the appropriate actions of the enterprise as a whole. The following discusses a modular
format that can be used as the structure of a plan for both the more complex and simpler
enterprises.
The information gathered so far and recorded on the appended templates can be reviewed, and
the conclusions incorporated into the report format. Each module is encompassed within the
framework of an overall plan that is typically retained for reference by the IMT. Usually, it is
Page 20 of 42
Guide to Practical Business Continuity Planning
not necessary for each individual team to have access to each other’s plan. A sample of an
overall plan structure for an entity, which incorporates the main elements of the individual
entity plans and can be rolled up to reflect the needs of the company overall, is shown in Table
5.3:
Sections 13 and 7 represent plans that are applicable across the toplevel entity. Sections 4 and
all others represent plans from lowerlevel entities, as may exist within the company for the
selected supply chains.
The guidelines and steps outlined in this document are helpful in creating a formal BCP for key
lower entities, or business functions that can be represented in the above format.
The individual plans define action required to support the key activities at the entity level, and
to ensure that these can continue to operate at a sufficient capacity to maintain a high degree of
transparency of service deliverables to internal and external customers. A key part in any
recovery is to know ahead of time what is required for this to happen.
Each plan within the overall BCP can be divided into the entity modules, each having similar
document content. Typically, this content would include:
ª Introduction ª How to Use this Plan
ª Role and Responsibilities ª Supporting Staff
Page 21 of 42
Guide to Practical Business Continuity Planning
1 Introduction
The plan starts with defining the overall purpose, or objective, of the entity in terms of the
critical products, or services, delivered for the company.
What should be included in the plan: The introduction should be a short statement of the
key products or services provided from the entity that supports the company’s deliverables.
The plan should list the continuity criteria for RTOs and MTOs for strategic products or
services that must be achieved, and what needs to be provided from the entity to meet these
minimum objectives.
What should be in the plan: This section should include a list of persons selected for the
plan, with roles and responsibilities clearly identified. Only selected resources who have
agreed to these responsibilities should be included within the plan.
This section of the BCP describes the trigger points and process for activating, or invoking,
the plan. It should also list the specific managers with authority to activate the plan so there
is no question about who has this authority.
A natural disaster, fire or other crisis may cause activation of the site’s incident, emergency
response or disaster recovery plans. A team member of these plans should be responsible for
notifying the business continuity team members that there may be a significant disruption to
normal operations, as applicable.
These communications should be coordinated at the top entity level so the team member
does not need to notify contacts in numerous individual entities.
Page 22 of 42
Guide to Practical Business Continuity Planning
What should be in the plan: The plan should contain a comment stating that the document
contains necessary reference material to guide business continuity activity by the IMT in the
event of an extended period of disruption.
4 Supporting Staff
Entity managers are responsible for ensuring staffing levels are sufficient to maintain an
adequate level of processing in response to the size of the disruption. Those individuals
within the entity who could maintain the key processes, and their role and responsibilities,
must be clearly identified, communicated and fully understood.
These responsibilities can cover a wide range of activities and may include scaling up
communications through a chain of hierarchy, provision of assets, and travel to alternative
locations. Each specific activity needs to be identified.
What should be in the plan: The plan should address the human resource requirements
identified in Section 2.2 of Appendix A.5. Only the conclusions from this analysis need be
coordinated with Human Resources and Finance to ensure the chosen resources can be
utilized, and that the plan complies with employee regulations.
5 Standby Locations
A standby location for a command center should be selected by the IMT. This should be
established at a safe location that will not be impacted by the incident, but is sufficiently
close to the primary location and adequately sized to facilitate access by the team members.
What should be included in the plan: The initial assembly point for staff should be
included in each entity plan. Full details and directions to an alternative facility, including a
map or diagram of the location, should be included.
6 Public Relations
The control of internal and external communications to public media is essential in
maintaining the integrity of the company’s management to manage the crisis.
What should be included in the plan: Instructions that all communications should be
directed to the media spokesperson of the company on the IMT, or appointed alternative.
The plan should advise that employees not make any comment to the media.
Page 23 of 42
Guide to Practical Business Continuity Planning
What should be included in the plan: The plan should identify specific actions to be
undertaken by the assigned entity function team members. This should include, but is not
limited to:
ª Persons to undertake actions for a shortterm disruption;
ª Other actions identified from the individual business entity plan;
ª Actions identified for a full invocation and a need to relocate operations at alternative
locations.
What should be in the plan: The plan should include key priority actions that are
necessary to expedite the activities identified in the individual entity plan. This is expected
to be specific to each entity, but should address how best to initiate the identified actions
should the BCP be invoked.
9 Contact List
This section facilitates the primary contacts for responsibility and control of each entity.
Key personnel to be immediately notified if the plan is activated as referenced below,
should be listed.
The contact details of employees are confidential and therefore should be treated
accordingly. Some staff may be concerned about having their home information published.
They may, for example, have an unlisted home number. It is essential that all employees
provide a means to be contacted following an incident. These employees must be reassured
that this information will only be distributed on a needtoknow basis, and that the
information will have limited access.
Those that have concerns about the release of contact information and indicate a reluctance
to provide the details would normally not be eligible to participate in the BCP programs. In
all cases, a written agreement must be obtained from the resource, indicating acceptance for
the private information to be made public.
An alternative contact person should be identified for each primary contact listed. This may
be the next contact listed in the table. All participants must be made aware of any
responsibilities aligned to them under the BCP.
What should be included in the plan: The list should contain contact information for
everyone assigned to the plan, including:
Page 24 of 42
Guide to Practical Business Continuity Planning
Primary contacts should be listed in the order of contact. The list should include home and
alternative telephone numbers and other contact information. Essential details, beyond this
basic contact information, should be made available from the BCP developed for Human
Resources with the agreement of the employee.
Contact details for all customers and critical vendors who will need to be advised on the
situation, as appropriate, should be identified.
What should be included in the plan: Where appropriate, plans should be developed to
phase in the reoccupation of the facility from the temporary standby locations, after the
original premise has been restored. This should be driven by a determination of priority
processes from each of the entities that were identified in the individual BCPs for
continuity.
Page 25 of 42
Guide to Practical Business Continuity Planning
What should be included in the plan: It should include any materials identified in the
individual plan that are essential to support the key processes that would not be accessible
from within the building, or could not ultimately be accessed through electronic systems
within an acceptable period of time. These materials should be included in an offsite
storage facility, as appropriate.
What should be included in the plan: Any item of equipment or application that is
required to maintain the key activities should be listed. The priority timeline for applications
to be resumed to meet the entity requirements should be included and communicated to
each service supplier, or provider.
What should be included in the plan: A document log facility (table or spreadsheet) for
recording the activity undertaken by the entity during the period of disruption.
15 Appendices
The scope of plan coverage may be increased to capture continuity management by specific
scenario event (e.g., power outage, loss of IT at month end), or specific details of topics in
the plan that require separate reference for the different business functions. These scenario
events and the management therein can be included as appendices. The recommendation is
to discuss this with the business continuity manager when the need to enhance/amend the
plan arises.
What should be included in the plan: This section of the BCP in each entity should
contain any supporting or additional documents needed to implement the plan. These may
include, but are not limited to, the following:
ª Staffing schedules
ª Process maps or plans
ª Special requirements
ª Essential equipment list with model numbers and sources
ª Equipment photographs
Page 26 of 42
Guide to Practical Business Continuity Planning
ª FM Global contacts
16 Document History
On completion of the plan, the Document Control Tables should be updated, and the final
plan released with version control. A sample control table is shown below.
Version
Classification
Created
Author
References
Quality Review By
ª Ensure the plans are being developed according to the schedule (checkpoints may be
advisable).
Interim ‘status’ meetings during this phase may be helpful for all entities to compare
progress and questions, and perhaps establish synergies or common processes.
Page 27 of 42
Guide to Practical Business Continuity Planning
6.1 Objectives
ª Ensure each entity plan aligns with the strategic objectives of the company.
ª Review and resolve any discrepancies between individual entity plans.
Plan Approval
If not already done, each entity manager should give final approval for his or her entity’s
plan by signing the front of each plan. The next hierarchy manager also should indicate final
approval of all plans by signing the front of the consolidated plan.
Next Steps
Each entity is responsible for updating and maintaining its BCP. The participants at the
meeting should agree on a periodic schedule (at least annually, unless there are significant
changes) when the business continuity coordinator should remind each entity to review and
update its plan. The group should also discuss when and how to exercise its plans. The next
part of this guide provides additional information on plan maintenance and exercising.
Page 28 of 42
Guide to Practical Business Continuity Planning
Each entity should assign a specific person the responsibility for updating its BCPs as
necessary. If there is a change of personnel within an entity, a replacement should be appointed
with this responsibility.
7.1 Maintenance
Unless there is a dedicated fulltime business continuity coordinator within the company, it is
the BCP owner’s responsibility to ensure each entity maintains an uptodate plan and ensures it
is incorporated into the overall company plan. This owner is normally the senior manager
responsible for the entity. If the owner’s position changes, a new owner or coordinator should
be identified and all entities informed of the changes.
7.2 Exercising
Exercising of plans validates the business continuity procedures and confirms that the
people involved know what to do in the event of a disruption. Regular testing of BCPs is the
best way to assure they will work when needed.
ª A tabletop discussion of a hypothetical situation may be a good way to test the plan the
first time.
ª Short drills, such as confirming each entity has access to its plan even if there is no access
to the building, also are desirable.
ª Subsequent tests may involve simulated exercises, but it is important to ensure the people
involved feel prepared for this type of test. Such tests can be combined with a site crisis
team exercise in order to coordinate crisis response with business continuity procedures.
The exercising of plans should be considered an opportunity for further learning, rather than
a test to pass or fail.
Page 29 of 42
Guide to Practical Business Continuity Planning
THIRDPARTY RESOURCES
The following resources and documents are available to assist you in the development of your
BCPs.
ª www.DRII.org
ª www.theBCI.org
ª Your FM Global client service team
Your FM Global client service team contact will be able to provide you with contact details for
any necessary support.
Page 30 of 42
Guide to Practical Business Continuity Planning
APPENDICES
Page 31 of 42
Guide to Practical Business Continuity Planning
Page 32 of 42
Guide to Practical Business Continuity Planning
10
11
12
13
14
15
16
17
18
19
20
Page 33 of 42
Guide to Practical Business Continuity Planning
2.
3.
4.
5.
6.
7.
Page 34 of 42
Guide to Practical Business Continuity Planning
(Name of Site)
PURPOSE
This worksheet records the discussions from each entity meeting.
_____________________________ _______________
Name and Title Date
Page 35 of 42
Guide to Practical Business Continuity Planning
Responsible Manager
Entity Scope of Worksheet
and Phone Number
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
14.
15.
16.
17.
18.
19.
20.
Page 36 of 42
Guide to Practical Business Continuity Planning
Copy this plan worksheet as many times as necessary to create one worksheet for each
entity
ENTITY: ________________________________
COMPANY: ________________________________
LOCATION: ________________________________
SCOPE
The contents of this worksheet are approved for inclusion into the business continuity plan
____________________________ __________________
Name and Title Date
Page 37 of 42
Guide to Practical Business Continuity Planning
WORKSHEET COMMENTS
Page 38 of 42
Guide to Practical Business Continuity Planning
Systems and operations within the entity that are critical for meeting customer requirements,
and which are covered by this plan:
Dependencies: Systems and operations on which this entity depends, but which are not under
its control and are therefore not covered by this plan:
Maximum acceptable time for an interruption of critical systems or operations (the time within
which critical systems or operations must be restored after an interruption):
1.4 ASSUMPTIONS
The following assumptions have been made for this entity in addition to all organizationwide
assumptions:
Taking into account time limits, advantages, disadvantages and costs, the overall continuity
strategy for operating in contingency mode is as follows:
1.6 PRIORITIES
Page 39 of 42
Guide to Practical Business Continuity Planning
þ Specific conditions for invoking this plan (Invocation criteria established by the
strategic objectives):
þ Managers with authority to activate this subplan:
þ Procedures (if necessary) for deciding whether to activate:
þ Convene Business Continuity Team at ______________________.
þ Review summary of situation and damage assessment.
þ Make decision whether to invoke the plan.
þ Determine preliminary time schedule and shifts for key personnel
Page 40 of 42
Guide to Practical Business Continuity Planning
This section of the plan contains specific procedures needed to complete major actions to
deliver the strategy. Using the master checklist in Section 2.2.1 as an initial guideline, the entity
should create as many separate sets of procedures as necessary to complete each major action on
the master checklist for the selected strategies (Appendix A.2).
Each set of procedures should include specific actions to be taken, the timeline, who is
responsible for completing each step, and the resources needed.
Page 41 of 42
Guide to Practical Business Continuity Planning
PROCEDURES
RESOURCES
P07170
Page 42 of 42