Types of Situations Covered by This Guide

Guide to Practical Business Continuity Planning

CONTENTS
INTRODUCTION
Business Continuity and Disaster Recovery
Protecting Value
Design for Resilience – a BCM Model
The Ten Professional Practices
Summary
THE BCP DEVELOPMENT PROCESS
Levels of Involvement in the Process
Roles and Responsibilities
The Seven-Step BCP Development Process
STEP 1 – PROJECT INITIATION MEETING
1.1 Objectives
1.2 Meeting Agenda
STEP 2 – KICK-OFF MEETING
2.1 Objectives
2.2 Meeting Agenda
2.3 Future Meetings
STEP 3 – STRATEGY MEETING
3.1 Objectives
3.2 Meeting Agenda
STEP 4 – VALIDATION MEETING
4.1 Objectives
4.2 Meeting Agenda
STEP 5 – WRITING THE PLAN
5.1 Objectives
5.2 Methodology
5.3 Modular Plan Development
5.4 The Entity BCP
5.5 Coordinator’s Role
STEP 6 – FINAL MEETING
6.1 Objectives
6.2 Meeting Agenda
STEP 7 – PLAN MAINTENANCE AND EXERCISING
7.1 Maintenance
7.2 Exercising
THIRD-PARTY RESOURCES
SITE CRISIS/INCIDENT MANAGEMENT TEAMS
APPENDICES
A.1 Summary of Entity Strategic Objectives
A.2 List of Entities for BCP Development
A.3 Preliminary List of Strategies, Resources and Costs
A.4 Summary of Strategy Evaluation
A.5 Business Continuity Worksheet
A.6 Entity Business Continuity Template

INTRODUCTION
One of the most frequently asked questions by those attempting to develop a business continuity
plan (BCP) is, “How do I start?” FM Global has developed this guide as the practical,
planning-focused element of our business continuity management (BCM) toolkit: an array of
services and products that address this question.

It’s important to understand that BCM is much more than writing a BCP, and there are a number
of stages that an organization needs to go through before and after the plan development stage.
Consequently, this guide should not be viewed as a starting point for BCM, nor as a stand-alone
resource, but primarily as a collection of guidelines and templates to assist the business
continuity planner. Excellent documents in the public domain provide detailed information on
the context of planning within BCM. These include the Good Practice Guidelines
(www.thebci.org) and the Professional Practices for Business Continuity Professionals
(www.drii.org), authored by the Business Continuity Institute (BCI) and the Disaster Recovery
Institute International (DRII) respectively, two of the most prominent authorities in this field.
Nonetheless, we have included some background information to enable you to put business
continuity planning into context, because we believe a sound understanding of BCM basics is
essential to building effective plans. This information is drawn both from our experience and
from the public domain, particularly the BCI and DRII (FM Global has no connections with
these two organizations and their appearance here does not constitute a recommendation or
endorsement by us).

Business Continuity and Disaster Recovery


What is the difference between a BCP and a disaster recovery plan (DRP)? Both terms are often
used interchangeably, and the fact that there are similarities between the two adds to the
confusion. The distinction between the two terms can be seen from the following:

• Disaster Recovery refers to those activities necessary to respond to an incident at a
location to restore normal operations after a major incident, or specific scenario. DRPs are
therefore written to establish the necessary actions immediately, during and after an
anticipated event to expedite the resumption of normal operations.
• Business Continuity is a strategic approach to the business as a whole, involving the
development of a response to safeguard the entire business by managing the impact of a
disruption to achieve the company’s business objectives for survival, irrespective of the
cause of the disruption. By implication, the development of the BCP requires a much
deeper understanding of the business, the criteria for business survival, the continuity
strategies available, and the resources necessary to implement the continuity response.

This manual is made available for informational purposes only in support of the insurance relationship between FM Global and its clients. This
information does not change or supplement policy terms or conditions. The liability of FM Global is limited to that contained in its insurance policies.

Although there is inevitably some overlap in these two concepts, this guide focuses on the
development of the BCP, rather than DRP.

Protecting Value
Businesses generally exist to deliver products and services to markets in order to generate value
for stakeholders. The effective delivery of these products and services is enabled by a number of
processes, which exist both inside and outside the organization. Within this context and this
document, we are defining a process very broadly – it can be a person or group of people, an
activity, an asset, a function, a supplier – essentially a discrete enabler of the business model.
Within any business, certain products and services will be deemed critical to continued success
because they generate (or support the generation of) a large proportion of value for the business,
or they may do so in the future. It follows that the processes that enable the delivery of the
critical products and services will themselves be considered critical to the business.
The failure of a critical process, for any reason, could potentially stop the delivery of products
and services, resulting in a reduction in the value generated for stakeholders. Consequently, a
business needs to protect these critical processes to ensure they are able to withstand disruption
to continue delivery of services. The business must, therefore, be sufficiently resilient to achieve
this objective.

Design for Resilience – a BCM Model


BCM is the actualization of this ideal. It is a business culture rather than a project – a
continuous effort by all members of an organization to contribute to building resilient processes.
The BCI and the DRII collectively define BCM as:

a holistic management process that identifies potential impacts that threaten an organization
and provides a framework for building resilience and the capability for an effective response
that safeguards the interest of its key stakeholders, reputation, brand and value creating
activities.

It is a framework that combines various elements of disaster recovery, risk management and
related disciplines, which can ultimately lead to an action-orientated document, the BCP. The
BCP is derived from conclusions and assumptions drawn from information-gathering activities,
risk assessments and assigning roles and responsibilities to key individuals that ensure the
development and implementation of appropriate recovery strategies to achieve specific
objectives.

When contemplating business continuity, many organizations fail to recognize there is plenty to
do before developing the plan. For example, Protecting Value makes it clear that some work
must be done in order to establish which are the critical products, services and processes.
Design for Resilience is a framework for developing and managing business continuity.

Design for Resilience represents the ideal that an organization ultimately aspires to internalize
business continuity to the extent that strategic decisions about the design of the organization –
such as the development of new products, services and markets – are influenced by
consideration of how to ensure that the critical enabling processes are resilient from their very
conception. In order to achieve this aspiration, the organization must undertake an iterative
process of analysis, planning and implementation.

Strategy
It is essential that senior executive support and sponsorship are secured at the outset of the
BCM process. Given the strategic nature of business continuity, the lack of such support is
likely to result in failure.

Culture
Not only must business continuity be supported at the executive level, it also needs to be
owned throughout the organization. Communication of the benefits of business continuity
must be organization-wide – the development and implementation of business continuity
strategies and plans will take place at the tactical and operational level, so buy-in is critical.

Understand your business


In the context of your organization’s strategy, business impact analysis and risk assessment
tools are used to identify the critical products, services and enabling processes. These tools
help you to gain a full appreciation of the complex relationships and potential vulnerabilities
to extended disruptions within your own organization, your suppliers, customers and the
economic environment within which your company operates.

Develop your continuity strategies


Strategies to maintain the effective delivery of products and services in the event of an
impaired process need to be established and evaluated at different levels: organization
(corporate), process level and resource recovery. There are three core types of BCM
strategy: physical solutions; operational solutions and response/recovery solutions. They are
not mutually exclusive; for example, you may choose to physically protect a process to the
maximum feasible extent but still provide operational back-up and a plan to implement this
when required.

Implement your continuity strategies


Having gained a sound understanding of the business, established critical processes,
determined priorities and identified the BCM strategic choices, you can now turn your
attention to implementation. Some strategies – operational solutions, for example – will be
implemented pre-incident, to increase the resilience of the process. Others will be
implemented post-incident – and in order to ensure effective and efficient implementation,
you will need a plan. The BCP is an action-orientated document that effectively transforms
all the conclusions and judgments applied during the information-gathering process and
business impact analysis into direct action. The BCP should be clear, concise and well
organized. A group’s plan should address the five key areas of all organizations: people,
facilities, data/processes/information technology, supply chain and distribution channels.
We will return to the practicalities of developing the plan in the main body of this guide.

Keep continuity alive


Two actions are essential to carry business continuity beyond being ‘just another initiative.’
The developed BCPs must be exercised – by doing so, the capability of the organization to
continue business in the event of a major incident is secured. Benefits of exercising include:

• Effective training and enhanced awareness of all persons involved in BCM
• Testing of all components of the plan to ensure that the desired result is achieved
• Clarification of roles and responsibilities and communication between participants

Exercising should be conducted at least annually, subject to agreement by the sponsor in
discussion with the company’s executives.

In addition to exercising and auditing the plan, changes must be made to respond to changes
in key processes. Organizations are dynamic, and a plan can quickly become out of date in
today’s fast-paced business environment. Design for Resilience is an iterative management
process, not simply the one-off development of a set of plans.

The Ten Professional Practices


The Professional Practices for business continuity professionals, as set out by the DRII and the
BCI, is a common body of knowledge comprising the skills, tasks and activities that
characterize the business continuity profession. In developing a BCM framework within your
organization, you will not necessarily need to possess all this knowledge and all these skills, but
it is likely that at some point you will need to access them. The DRII provides the following
summary of the Professional Practices:

Project Initiation and Management


Establish the need for a BCM process or function, including resilience strategies, recovery
objectives, business continuity and crisis management plans, and including obtaining
management support and organizing and managing the formulation of the function or
process either in collaboration with, or as a key component of, an integrated risk
management initiative.

Risk Evaluation and Control


Determine the events and external surroundings that can adversely affect the organization
and its resources (facilities, technologies, etc.) with disruption as well as disaster, the
damage such events can cause, and the controls needed to prevent or minimize the effects of
potential loss. Provide cost-benefit analysis to justify investment in risk mitigation controls.

Business Impact Analysis


Identify the impacts resulting from disruptions and disaster scenarios that can affect the
organization and techniques that can be used to quantify and qualify such impacts. Identify
time-critical functions, their recovery priorities and interdependencies so that recovery time
objectives (RTOs) and maximum tolerable outages (MTOs) can be set.

Developing BCM Strategies


Determine and guide the selection of possible business operating strategies for continuation
of business within the recovery point objective and RTO/MTO, while maintaining the
organization’s critical functions.

Emergency Response and Operations


Develop and implement procedures for response and stabilizing the situation following an
incident or event, including establishing and managing an emergency operations center to
be used as a command center during the emergency.

Developing and Implementing Business Continuity and Crisis Management Plans

Design, develop, and implement Business Continuity and Crisis Management Plans that
provide continuity within the recovery time and recovery point objectives.

Awareness and Training Programs


Prepare a program to create and maintain corporate awareness and enhance the skills
required to develop and implement the BCM Program or process and its supporting
activities.

Maintaining and Exercising Plans


Pre-plan and coordinate plan exercises, and evaluate and document results. Develop
processes to maintain the currency of continuity capabilities and the plan document in
accordance with the organization’s strategic direction. Verify that the plan will prove
effective by comparison with a suitable standard, and report results in a clear and concise
manner.

Crisis Communications
Develop, coordinate, evaluate, and exercise plans to communicate with internal stakeholders
(employees, corporate management, etc.), external stakeholders (customers, shareholders,
vendors, suppliers, etc.) and the media (print, radio, television, Internet, etc.).

Coordination with External Agencies


Establish applicable procedures and policies for coordinating continuity and restoration
activities with external agencies (local, state, national, emergency responders, defense, etc.)
while ensuring compliance with applicable statutes or regulations.

Summary
The Design for Resilience model can be viewed as the recipe of how to implement BCM in an
organization, whereas the Professional Practices could be viewed as the BCM ingredients. More
detail on the Professional Practices, along with a wealth of other BCM-related information, is
provided on the websites of the DRII and BCI organizations.
The remainder of this document presents what we believe to be a practical approach to
developing BCPs within the context of the model and the Professional Practices. It is intended
to provide general guidance and introduce basic BCM/BCP terms and concepts. Implementing
BCM in an organization can be a very complex matter and further information can be obtained
from numerous sources to help with specific situations. This guide is not intended to address all
needs organizations may have when it comes to implementing BCM in their business or to
develop all types of BCPs.

THE BCP DEVELOPMENT PROCESS

Levels of Involvement in the Process


There may be several organizational levels involved in business continuity planning. The
following definitions are provided to give a common understanding of each level. This guide
uses the term ‘entity’ to describe an operating group, division, location or site, a business
function, department activity or supplier for the business within a hierarchy structure, depending
on the type of operation involved. There may be more than one entity at each level within the
company. In all cases, the seven-step process outlined on page 11 should be applied to each
entity at each level of the business. The following chart shows typical entity levels for a
company involved in the BCP development process.

However, it should be recognized that the topics at each level in the process will differ in
importance. In general, those entities at the top of the hierarchy will be more focused on
establishing the strategic objectives, whereas the entities in the lower hierarchy will be focused
on activities to implement the strategy. In all cases, the critical activities within each entity level
must be aligned to support the overall strategic objectives of the company’s top level in the
hierarchy as a whole.

Once entity level plans are developed, they should be reviewed and coordinated at the entity
level above and below in the hierarchy to ensure they are consistent, and that interdependencies
between internal and external service providers are addressed for each level.

Roles and Responsibilities


Responsibilities for undertaking the plan development at each entity level should be assigned
for all activities that are considered critical for continuity of deliverables throughout the
hierarchy. The following is a list of typical roles and responsibilities for the plan development.

Role: Senior Entity Manager
Responsibilities:
· Designate a business continuity coordinator with the responsibility and authority for
leading the development of continuity plans.
· Meet with the continuity coordinator to determine the best process for developing
continuity plans at the site.
· Designate which organization entities and managers responsible should participate in
the business continuity planning process.
· Provide the necessary incentives and resources to assure the business continuity
planning process is successful.
· Communicate the top-level strategic objectives that have been developed, and the
objectives the entity plan must achieve through the BCP.

Role: Senior Operational Managers
Responsibilities:
· Help identify critical functions and service supplier entities within the organization that
underpin the achievement of the given objectives.
· Work with the business continuity coordinator to ensure each entity within the
organization develops plans for its own critical functions and suppliers.
· Help identify and address dependencies between plans.
· Approve each plan created within each entity.

Role: Senior Department Managers
Responsibilities:
· Designate entity members to develop their BCP within an agreed time frame.
· Work with other entities to address interdependencies and common issues.
· Approve a specific BCP for the entity.

Role: Business Continuity Coordinator
Responsibilities:
· Become familiar with the business continuity planning process as put forth by
business continuity industry standards (see DRII and/or BCI referenced within this
document).
· Lead the site’s business continuity planning process.
· Work with each entity level within the organization to assure individual BCPs are
completed and consistent.
· Coordinate continuity plans within the site, and for the business as a whole.
· Ensure each plan is consistent and aligned with the overall objectives of the business,
as well as integrated with both internal and external supplier dependencies.

The Seven-Step BCP Development Process

The remainder of this document discusses developing an effective BCP utilizing the following
seven-step development process:

This process should be applied at each entity level, beginning at Level 1. At each lower
entity level, as indicated in Section 2.1, the process should be extended to separate entities
at each level that could impact the business objectives.

STEP 1 – PROJECT INITIATION MEETING


The Project Initiation Meeting for entity level 1 is an important meeting to ensure plan
development can progress efficiently and cost-effectively throughout the company. A key aspect
of this meeting is to ensure the appropriate managers for each entity level are in attendance, and
that continuity of participants can be maintained throughout the course of the plan development
process. A business continuity coordinator should be appointed in advance to lead this meeting.
A second aspect of the meeting is to establish the strategic objectives for the entity.

1.1 Objectives
• Develop an understanding of how business continuity planning applies throughout the
company.
• Set the strategic objectives of the top entity level 1. For lower-level entities, establish the
strategic products or services from within the entity that impact the level-1 objectives as
the focus of the entity’s BCP.
• Determine the steps necessary to have a business impact analysis performed for the entity
levels (if not already completed).
• Decide which entities need to participate in the planning process.
• Determine project timeline and schedule kick-off meetings for each entity level.

1.2 Meeting Agenda


Five primary agenda items are explained below. The business continuity coordinator or site
manager should lead the meeting.

Business Continuity Coordinator


The site manager should confirm the responsibility and authority of the business continuity
coordinator. This should include the authority to set schedules for the project and assure
each entity meets these deadlines.

Plan Development Process Review


The participants should review the purpose of business continuity planning, as well as the
process to be used for creating individual entity plans, and the resources that will be needed.
Any questions regarding the need for BCPs should be addressed to assure all managers fully
support the planning process.

Establishing the Strategic Objectives


The group should establish the strategic objectives for the individual entity to maintain the
optimum level of products or services to meet the customer demands developed for the
business. These should be entered into Appendix A.1.

Entities to Participate in Planning


The group should determine which entities should be involved in the planning process. This
would normally include every entity with a mission-critical function that is essential for key
operations, production deadlines or meeting customer requirements.
The group should also determine the best method for creating and coordinating plans at the
site:
• If there is only one major entity, then plans may be coordinated directly at that level;
• If there are a number of major entities, each may coordinate its own plans, and roll-up
all the plans into the next level of hierarchy using the same process.

Based on the objectives developed, list the entities participating in the BCP development in
Appendix A.2.

Entity Kick-Off Meetings

The actual planning process for each entity begins at the respective kick-off meeting, as
explained in the next part of this guide. The group should agree on a schedule for these
meetings.

STEP 2 – KICK-OFF MEETING

The Kick-Off Meeting builds on the project initiation meeting and commences the planning
process for the BCP development. Business impact analysis and risk assessments are planned
and scoped, plan ownership assigned and timelines established.

2.1 Objectives
• Confirm and agree on the process and resources that will be required to complete a BCP
for the entity.
• Agree on a timeline to have a business impact analysis (BIA)/risk assessment (RA)
completed, if not already available. This will be used to identify and quantify threats,
interdependencies and exposures to critical functions within the entity.
• Confirm the assumptions under which the entity’s BCPs will be developed.
• Schedule meetings for each critical function, or activity.
• Enter the discussion minutes and conclusions into the relevant sections in the Worksheet
Comments, Section 1, Appendix A.5.

2.2 Meeting Agenda


Four primary agenda items are explained in detail below. The business continuity coordinator
should lead the meeting.

Purpose of Meeting and Process


Review the purpose of the meeting and the business continuity process. Confirm that the
appropriate people are involved with the necessary authority, and assure the appropriate
level of commitment and availability for the activity from the attendees.

Business Impact Analysis (BIA)


The group should determine resources and assignments required to complete a BIA. A BIA
should be undertaken for a discrete focus of the business, and would normally include every
entity with mission-critical activities (MCAs) that are essential to the operations needed to
deliver, at a minimum, the strategic objectives. The options of performing the BIA
internally or using an outside resource should be considered.
The BIA is one of the most important steps in business continuity planning. It is the
foundation work from which the whole BCM process is built. It identifies, quantifies and
qualifies the business impact of a loss or disruption of business processes on the entity, and
provides the data from which appropriate continuity strategies can be determined to
safeguard the business.

It evaluates how the disruption of various functions or suppliers would affect the company
as a whole. The entity can then focus its BCPs on its critical functions or suppliers.

The model below shows the integration of three key components to generate the BIA.
It should be appreciated that a BIA is an in-depth study of an organization’s activities. The
process is likely to take months rather than days, but is absolutely necessary to ensure the
development of an overall business continuity framework.

Risk Assessment (RA)


A risk analysis is used to identify potential threats to the entity’s objectives and activities. It
also determines which risks are most significant. A risk assessment may already have been
completed for the upper level entity as part of a BIA or Risk Register. If so, conclusions
from this activity can be referenced in determining an appropriate focus for a BCP.
However, the primary function of the BCP is to manage the impact to the business overall in
the event of disruption. The BCP should therefore be created to safeguard the pre-defined
company’s appetite for risk from a period of disruption to the high-level strategic objectives
of the company, no matter what the risk, or cause of disruption, is likely to be. In all cases,
the BCP should address the resilience of the operations to deliver on the strategic objectives.
The conclusions from the risk assessment can be considered during the cost benefit analysis
for selected strategies, to ensure optimum return for the cost of the plan.

Assumptions
Assumptions help define the context within which each entity’s BCP will be developed.
Assumptions should be realistic and give all teams a common starting point for their plans.
Choose the ones that apply to the entity, and add any others needed to create a list of
assumptions that make the most sense. Enter all assumptions in Section 1.4 of Appendix
A.5.

2.3 Future Meetings


Each entity with a critical function or activity will need to hold meetings to begin creating a
BCP. These meetings are covered in the next part of this guide.

The group should agree on the timeline for individual meetings, and on a date to re-convene for
a review of individual strategies once all meetings are completed.


STEP 3 – STRATEGY MEETING


The goal of the Strategy Meeting is to identify those processes truly vital to the survival of the
entity, and have in place strategies that will ensure their continuity and the continuity of the top
level.

3.1 Objectives
• Review the BIA and agree on the key areas of the entity that should be safeguarded.
• Review the risk assessment to identify what would most likely cause an interruption of
  the entity’s operations.
• Review the conclusions from the entity’s kick-off meeting, verify that the conclusions are
  valid, and revise them as necessary.
• Analyze options for operating in continuity mode, and choose a preliminary strategy.
• Begin to identify minimum requirements for operating in continuity mode.
• Estimate preliminary costs for the strategy chosen.

3.2 Meeting Agenda


Four primary agenda items are explained in detail below. The business continuity coordinator
should lead the discussion, using this guide as a prompt. Discussion topics from the meeting
should be recorded in Section 1: Objectives and Strategies Worksheet of the Entity Worksheet
for Business Continuity Planning (see Appendix A.6).

Purpose of Meeting
Review the purpose of the project and ensure that the participants understand the objectives
of the meeting. The ultimate objective at this stage is to identify appropriate strategies for
each critical process within the entity. You may need to review some of the material from
the kick-off meeting to validate the purpose of the project.

Preliminary Actions, Resources and Costs


Referencing Appendices A.1, A.3, A.4 and A.5, create a preliminary list of major actions to
be taken for implementing the chosen strategy. Estimate the costs for each action and
complete A.3.12.3.

It is not necessary to create detailed procedures or equipment lists at this time. This will be
done after the strategy is approved by senior management.

At this point, Section 1: Objectives and Strategies Worksheet of the Entity Worksheet for
Business Continuity Planning (see Appendix A.6) should be complete. The entity head
should take this information to the entity’s senior management for review before proceeding
further. That process is covered in the next part of this guide.


STEP 4 – VALIDATION MEETING


The Validation Meeting’s primary objective is to resolve variations in assessments and proposed
strategies derived from the individual entity reviews, and to confirm the acceptable strategies to
achieve the company’s objectives on which the BCP will be based. This meeting should include
a senior level decision-maker who can deliver a binding conclusion to those in attendance.

4.1 Objectives
• Review the results of individual meetings.
• Discuss strategies chosen, and identify possible conflicts.
• Management should approve suggested strategies, as appropriate.
• Agree on next steps and timeline for completion of BCPs.

4.2 Meeting Agenda


Three primary agenda items are explained in detail below.

Entity Results
Individual entity managers should summarize the results of their individual meetings. The
following should be covered:
• The entity’s key internal and external customers
• Major risks to the entity’s ability to deliver on the strategic objectives
• The maximum acceptable time for an interruption of the entity’s critical systems or
  operations (RTO/MTO) for the strategic products or services
• Dependencies that will need to be addressed in another entity plan
• The entity’s suggested strategy
• A preliminary estimate of resources and costs for implementing the chosen strategies

Senior management should summarize the overall results of the individual strategies and
approve the strategies for the company as a whole.

Discussion
At this point it is important for all entities to discuss with senior managers how their
business continuity strategies fit together. Are there any conflicts? Do the timelines and
expectations of one fit the needs of the others? Are there any perceived differences in
customer requirements, dependencies, or minimum operating requirements for the
strategies to succeed?
The costs and benefits of various strategies also should be discussed. If senior management
approval of the cost is necessary, it should be obtained at this time.


The ultimate goal of this discussion is for all entities, along with the company’s senior
managers, to agree on, and approve, the strategies to be implemented by the business
entities.
The entities should also discuss a coordinated process for activating their plans. This should
include establishing the criteria for invocation of the plan, designating a specific person to
interface with the incident management teams and receive the notification in the event of a
crisis, and establishing who has the authority to invoke the plan.
The coordinator should note any discrepancies or questions that need to be answered, so that
a concrete action plan can be developed in the Next Steps portion of the meeting. The
coordinator should also point out any items that may indicate trouble spots or pitfalls for the
group as a whole. These may be listed as ‘red flags,’ with action items to resolve each one.

Next Steps
The following steps should be agreed:

• Action items should be listed, with individuals assigned to follow up.
• Schedules and deadlines should be agreed upon for completing each entity’s BCP.

A date should be set for the final meeting with senior management (the final meeting is
covered in Step 6 of this guide).


STEP 5 – WRITING THE PLAN


Steps 1-4 have been all about the process of how to gather information, how to record the
information for analysis to determine what needs to be included in the entity BCP, and the steps
needed to achieve this.

The ultimate application of a BCP is to provide an action-orientated, ready reference framework
for management decision-making. The plan should facilitate the ability to manage a disruption
for any period of time, but still enable the business to be conducted at a level of continuity that
is transparent to the internal and external customer base.

The reason why certain operational processes are unavailable is not the issue at this point. It
could be as a result of a fire, flood, terrorist attack, or a massive power outage. Any one of these
events could result in the entity’s facilities and resources, which are taken for granted in
day-to-day operations, being no longer available for an indeterminate period of time.

It should be recognized that there may be distinct responsibilities for separate entities within a
company, depending on the size and structure of the business. Separate disaster recovery and/or
emergency response plans may be prepared for separate entities within a company, in addition
to the entity based BCP. For example, the response to specific causes or events at a facility may
be the sole responsibility of a facilities or engineering department within larger organizations,
whereas it could be incorporated into the response for a business entity within smaller
companies. Generally, these actions and activities should be contained in the location’s specific
incident emergency response, or disaster recovery plan.

The BCP development methodology ensures all stages of an unforeseen event are catered for
through a process of managed escalation. By designing the overall plan in a modular format,
where each entity level within the company represents a separate module, and including a
similar content for each plan, a consistent approach to referencing essential information can be
achieved.

The completion of the entity plan focuses on the development of procedures necessary to
implement the criteria established in Section 5.2 and in Appendices A.1 and A.2. This section
outlines what must be considered for each section of the BCP document.

Key assumptions in the writing of the final plan include the following:
• A business impact analysis (BIA) and a risk assessment have been completed, and all
  necessary critical criteria for the business to survive have been identified;
• Essential recovery strategies based on the strategic objectives of the top-level entity have
  been established and approved;
• Activities, roles and responsibilities and personnel for all entities, from suppliers to
  ultimate customers, have been identified.


5.1 Objectives
• Correlate information for inclusion in the entity’s final plan.
• Identify and document the actions required to implement the strategies.
• Develop contact lists.
• Establish the document format for the ready reference.

5.2 Methodology
There is no right or wrong way to lay out the individual entity plan. There are many publicly
available designs from various business continuity sources that can be considered. These can
range from simple word documents to sophisticated online software. Each method has benefits
as well as disadvantages. The important feature is that the selected option must reflect the needs
of the company and be structured accordingly for simple reference.

For all companies, however, the plan must be an action-oriented document that enables the
strategic objectives of the company to be achieved in the event of disruption and defines the
roles and responsibilities of those key persons who are expected to implement the response. In
most cases, the plan should only contain action statements and not include discussion,
description or judgment comments normally restricted to the business impact analysis or risk
assessments. The conclusive action statements can be developed from an analysis of the
completed worksheets from each entity meeting.

Small companies may only require a simple, single plan document that reflects the number of
staff and size of the enterprise, with relevant actions for the mitigating strategies. Larger
companies may need more detailed modular plans that reflect the actions required of each key
business unit, and which need to be integrated within the multiple disciplines of the organization
to ensure the appropriate actions of the enterprise as a whole. The following discusses a modular
format that can be used as the structure of a plan for both the more complex and simpler
enterprises.

5.3 Modular Plan Development


The modular format enables the BCP documents to be accessed at the time of an incident by the
individual entity managers. This modularity enables specific activities within the separate entity
levels to be addressed and combined with other entity plans to provide an overall BCP for the
business as a whole, or top-level entity. Each BCP can then be rolled up as the company BCP to
be referenced by the incident management team (IMT) and senior managers at the upper entities
within the hierarchy.

The information gathered so far and recorded on the appended templates can be reviewed, and
the conclusions incorporated into the report format. Each module is encompassed within the
framework of an overall plan that is typically retained for reference by the IMT. Usually, it is
not necessary for each individual team to have access to each other’s plan. A sample of an
overall plan structure for an entity, which incorporates the main elements of the individual
entity plans and can be rolled up to reflect the needs of the company overall, is shown in Table
5.3:

SECTION 1  | Plan Overview
SECTION 2  | Incident Management Team
SECTION 3  | Business Continuity Management
SECTION 4  | Information System Recovery Team
SECTION 5  | Recovery and Damage Assessment Team
SECTION 6  | Business Entity Team
SECTIONS … | Other Business Entity Teams, as needed.
SECTION 7  | Facilities Team
APPENDICES | Document Configuration Management

Table 5.3: Example of Modular Report Content

Sections 1-3 and 7 represent plans that are applicable across the top-level entity. Section 4 and
all others represent plans from lower-level entities, as may exist within the company for the
selected supply chains.
The guidelines and steps outlined in this document are helpful in creating a formal BCP for key
lower entities, or business functions that can be represented in the above format.

5.4 The Entity BCP


The purpose of the individual entity plan is to provide managers with a resource reference to
guide early continuity of essential services. Typically, these will include provision of key
human resources, equipment and internal/external supplier services necessary to maintain
critical activities in the event of an extended disruption to normal processing.

The individual plans define action required to support the key activities at the entity level, and
to ensure that these can continue to operate at a sufficient capacity to maintain a high degree of
transparency of service deliverables to internal and external customers. A key part in any
recovery is to know ahead of time what is required for this to happen.
Each plan within the overall BCP can be divided into the entity modules, each having similar
document content. Typically, this content would include:
• Introduction
• How to Use this Plan
• Role and Responsibilities
• Supporting Staff
• Standby Locations
• Vital Materials List
• Public Relations
• Equipment, Software Requirement
• Actions for Entity Team
• Business Resumption Plan
• Key First Priority
• Activity Log
• Contact List
• Appendix
• Key Resources and Contact Details

1 Introduction
The plan starts with defining the overall purpose, or objective, of the entity in terms of the
critical products, or services, delivered for the company.

What should be included in the plan: The introduction should be a short statement of the
key products or services provided from the entity that supports the company’s deliverables.
The plan should list the continuity criteria for RTOs and MTOs for strategic products or
services that must be achieved, and what needs to be provided from the entity to meet these
minimum objectives.

2 Roles and Responsibilities


A high-level comment stating the overall objectives of the entity, including a list of relevant
roles and responsibilities of individuals within the entity, should be included.

What should be in the plan: This section should include a list of persons selected for the
plan, with roles and responsibilities clearly identified. Only selected resources who have
agreed to these responsibilities should be included within the plan.

This section of the BCP describes the trigger points and process for activating, or invoking,
the plan. It should also list the specific managers with authority to activate the plan so there
is no question about who has this authority.

A natural disaster, fire or other crisis may cause activation of the site’s incident, emergency
response or disaster recovery plans. A team member of these plans should be responsible for
notifying the business continuity team members that there may be a significant disruption to
normal operations, as applicable.

These communications should be coordinated at the top entity level so the team member
does not need to notify contacts in numerous individual entities.

3 How to use this plan


The plan’s key purpose is to provide guidance for entity managers in a business continuity
response in the event of an extended disruption to normal operations.


What should be in the plan: The plan should contain a comment stating that the document
contains necessary reference material to guide business continuity activity by the IMT in the
event of an extended period of disruption.

4 Supporting Staff
Entity managers are responsible for ensuring staffing levels are sufficient to maintain an
adequate level of processing in response to the size of the disruption. Those individuals
within the entity who could maintain the key processes, and their role and responsibilities,
must be clearly identified, communicated and fully understood.

These responsibilities can cover a wide range of activities and may include scaling up
communications through a chain of hierarchy, provision of assets, and travel to alternative
locations. Each specific activity needs to be identified.

What should be in the plan: The plan should address the human resource requirements
identified in Section 2.2 of Appendix A.5. Only the conclusions from this analysis need be
coordinated with Human Resources and Finance to ensure the chosen resources can be
utilized, and that the plan complies with employee regulations.

5 Standby Locations
A standby location for a command center should be selected by the IMT. This should be
established at a safe location that will not be impacted by the incident, but is sufficiently
close to the primary location and adequately sized to facilitate access by the team members.
What should be included in the plan: The initial assembly point for staff should be
included in each entity plan. Full details and directions to an alternative facility, including a
map or diagram of the location, should be included.

6 Public Relations
Control of internal and external communications to public media is essential to
maintaining the integrity of the company’s management of the crisis.
What should be included in the plan: Instructions that all communications should be
directed to the media spokesperson of the company on the IMT, or appointed alternative.
The plan should advise that employees not make any comment to the media.

7 Actions for Entity Team


Actions required by each entity team will be subject to the specific function and the extent
of the incident. Actions would need to consider the short-term immediate response to the
event (supervision of evacuation procedures, notification to staff at home if after hours,
recovery of key materials and equipment) and those actions needed if the response was
scaled up into a full invocation and a need for relocation of personnel to resume operations
at an alternative location.


What should be included in the plan: The plan should identify specific actions to be
undertaken by the assigned entity function team members. This should include, but is not
limited to:
• Persons to undertake actions for a short-term disruption;
• Other actions identified from the individual business entity plan;
• Actions identified for a full invocation and a need to relocate operations at alternative
  locations.

8 Key First Priority


Within the entity objectives, key priority activities must be completed at the outset of an
incident for each business entity, if these objectives are to be achieved quickly. Establishing
these priority activities will require careful consideration. Each entity should consider its
individual needs within the criteria identified above.

What should be in the plan: The plan should include key priority actions that are
necessary to expedite the activities identified in the individual entity plan. This is expected
to be specific to each entity, but should address how best to initiate the identified actions
should the BCP be invoked.

9 Contact List
This section facilitates the primary contacts for responsibility and control of each entity.
Key personnel to be immediately notified if the plan is activated, as referenced below,
should be listed.
The contact details of employees are confidential and therefore should be treated
accordingly. Some staff may be concerned about having their home information published.
They may, for example, have an unlisted home number. It is essential that all employees
provide a means to be contacted following an incident. These employees must be reassured
that this information will only be distributed on a need-to-know basis, and that the
information will have limited access.

Those that have concerns about the release of contact information and indicate a reluctance
to provide the details would normally not be eligible to participate in the BCP programs. In
all cases, a written agreement must be obtained from the resource, indicating acceptance for
the private information to be made public.
An alternative contact person should be identified for each primary contact listed. This may
be the next contact listed in the table. All participants must be made aware of any
responsibilities aligned to them under the BCP.

What should be included in the plan: The list should contain contact information for
everyone assigned to the plan, including:

• members of the continuity team;
• a member of the site’s incident/emergency team;
• members of the incident management team;
• managers of any operations affected;
• business entity personnel who have agreed to participate in the continuity plan;
• personnel from other entities and suppliers, on a need-to-know basis.

Primary contacts should be listed in the order of contact. The list should include home and
alternative telephone numbers and other contact information. Essential details, beyond this
basic contact information, should be made available from the BCP developed for Human
Resources with the agreement of the employee.

10 Key Resources and Contact Details


The contact lists should contain names and contact information for all key personnel or
entities potentially affected by a business disruption. This may include, but is not limited to
the following:

• Contractors
• Interdependent operations
• Emergency agencies
• FM Global contact
• Key customers
• Key suppliers
• Fire department

Contact details for all customers and critical vendors who will need to be advised on the
situation, as appropriate, should be identified.

11 Business Resumption Plan


This section provides guidance on the restoration and re-occupation of the original
premises. Plans may not be appropriate for each entity. However, it is appropriate for
facilities planning to accommodate the other entities.

What should be included in the plan: Where appropriate, plans should be developed to
phase in the re-occupation of the facility from the temporary standby locations, after the
original premises have been restored. This should be driven by a determination of priority
processes from each of the entities that were identified in the individual BCPs for
continuity.

12 Vital Materials List


The vital materials list includes all materials that are essential to conduct those business
processes that were identified as ‘mission critical’ in each entity. These materials could
include files, records or other information that would not be accessible if the building could
not be occupied or is inaccessible.


What should be included in the plan: It should include any materials identified in the
individual plan that are essential to support the key processes that would not be accessible
from within the building, or could not ultimately be accessed through electronic systems
within an acceptable period of time. These materials should be included in an off-site
storage facility, as appropriate.

13 Equipment and Software Requirements


This section identifies the equipment and IT requirements for the identified mission-critical
processes. This provides the documentation to ensure the equipment is provided by others.

What should be included in the plan: Any item of equipment or application that is
required to maintain the key activities should be listed. The priority timeline for applications
to be resumed to meet the entity requirements should be included and communicated to
each service supplier, or provider.

14 Business Continuity Activity Log


The activity log is a facility to capture all the business continuity activity conducted during
the incident.

What should be included in the plan: A document log facility (table or spreadsheet) for
recording the activity undertaken by the entity during the period of disruption.

15 Appendices
The scope of plan coverage may be increased to capture continuity management by specific
scenario event (e.g., power outage, loss of IT at month end), or specific details of topics in
the plan that require separate reference for the different business functions. These scenario
events and the management therein can be included as appendices. The recommendation is
to discuss this with the business continuity manager when the need to enhance/amend the
plan arises.

What should be included in the plan: This section of the BCP in each entity should
contain any supporting or additional documents needed to implement the plan. These may
include, but are not limited to, the following:

• Staffing schedules
• Process maps or plans
• Utility drawings or layouts
• Emergency organization procedures in case of fire
• Special requirements
• Essential equipment list with model numbers and sources
• Equipment photographs
• Software inventories with replacement sources
• Floor space requirements
• Floor plan for alternate location
• Street map to alternate location/bridge limitations/cranes and transportation
• Contract with alternate location
• Contracts with alternate service providers
• Regulatory compliance requirement
• Locations of software backups
• FM Global contacts
• List of items in storage areas
• Essential documents, operating manuals and vital records

16 Document History
On completion of the plan, the Document Control Tables should be updated, and the final
plan released with version control. A sample control table is shown below.

Date | Amended by | Change details

Version
Classification
Created
Author
References
Quality Review By

5.5 Coordinator’s Role


Upon completion of the entity plans, the business continuity coordinator takes an advisory
role and the entities take the lead. This period may take several weeks. The coordinator’s
role is to:

• Ensure the plans are being developed according to the schedule (checkpoints may be
  advisable).
• Answer questions to assist in the writing of the plans.
• Relay problems to the organizational level, if necessary.
• Keep the entities motivated and check on their progress.

Interim ‘status’ meetings during this phase may be helpful for all entities to compare
progress and questions, and perhaps establish synergies or common processes.


STEP 6 – FINAL MEETING


The final meeting is an essential last step to determine the final criteria for the overall
company BCP. The meeting’s primary objective is to resolve differences in assessments
derived from the individual entity reviews, to address inconsistencies between entity plans, and
to agree to the acceptable actions on which the overall BCP should be based.

6.1 Objectives
• Ensure each entity plan aligns with the strategic objectives of the company.
• Review and resolve any discrepancies between individual entity plans.
• Address coordination issues between entities.
• Review and approve all plans and the consolidated BCP.

6.2 Meeting Agenda


Three primary agenda items are explained below:

Overview of Entity Plans


Either the business continuity coordinator or each entity’s senior manager should provide a
quick overview of the plan to other entity managers. Any discrepancies between individual
entity plans, or need for further coordination between entities, should be discussed and
resolved at this time.

Plan Approval
If not already done, each entity manager should give final approval for his or her entity’s
plan by signing the front of each plan. The next hierarchy manager also should indicate final
approval of all plans by signing the front of the consolidated plan.

Next Steps
Each entity is responsible for updating and maintaining its BCP. The participants at the
meeting should agree on a periodic schedule (at least annually, unless there are significant
changes) when the business continuity coordinator should remind each entity to review and
update its plan. The group should also discuss when and how to exercise its plans. The next
part of this guide provides additional information on plan maintenance and exercising.


STEP 7 – PLAN MAINTENANCE AND EXERCISING


BCPs should be updated at least annually or more frequently, whenever there is a significant
change affecting the entity. Changes may include:
• Customer requirements
• Physical facilities
• Business processes
• Reorganization
• Personnel
• Operational procedures
• Hardware
• New sole-source supplier
• Software

Each entity should assign a specific person the responsibility for updating its BCPs as
necessary. If there is a change of personnel within an entity, a replacement should be appointed
with this responsibility.

7.1 Maintenance
Unless there is a dedicated full-time business continuity coordinator within the company, it is
the BCP owner’s responsibility to ensure each entity maintains an up-to-date plan and ensures it
is incorporated into the overall company plan. This owner is normally the senior manager
responsible for the entity. If the owner’s position changes, a new owner or coordinator should
be identified and all entities informed of the changes.

7.2 Exercising
Exercising of plans validates the business continuity procedures and confirms that the
people involved know what to do in the event of a disruption. Regular testing of BCPs is the
best way to assure they will work when needed.
• A tabletop discussion of a hypothetical situation may be a good way to test the plan the
  first time.
• Short drills, such as confirming each entity has access to its plan even if there is no access
  to the building, also are desirable.
• Subsequent tests may involve simulated exercises, but it is important to ensure the people
  involved feel prepared for this type of test. Such tests can be combined with a site crisis
  team exercise in order to coordinate crisis response with business continuity procedures.

The exercising of plans should be considered an opportunity for further learning, rather than
a test to pass or fail.


THIRD-PARTY RESOURCES
The following resources and documents are available to assist you in the development of your
BCPs.
• www.DRII.org
• www.theBCI.org
• Your FM Global client service team
• FM Global’s Risk Reports
• FM Global’s Business Risk Consulting Group (BRCG)
• FM Global’s training and education group

Your FM Global client service team contact will be able to provide you with contact details for
any necessary support.

SITE CRISIS/INCIDENT MANAGEMENT TEAMS


Site crisis or incident management teams should also be familiar with preliminary business
recovery processes, because this is part of overall crisis management. Business continuity teams
should coordinate closely with crisis management teams, and may find additional knowledge
and resources through these teams.


APPENDICES

A.1 Summary of Entity Strategic Objectives

Strategic Objectives | Business Continuity Design Criteria
Deliverables (Product/Service to maintain) | Activity | Maximum Tolerable Outage (MTO) | Recovery Time Objective (RTO)


A.2 List of Entities for BCP Development

Entity for BCP Development | Products Impacted | Priority | Comments


A.3 Preliminary List of Strategies, Resources and Costs

STEP | STRATEGIES | MINIMUM RESOURCES | ESTIMATED COSTS
1
10
11
12
13
14
15
16
17
18
19
20


A.4 Summary of Strategy Evaluation

ALTERNATE STRATEGY | ADVANTAGES | DISADVANTAGES | COST VS. BENEFIT | RANK
1.

2.

3.

4.

5.

6.

7.


A.5 Business Continuity Worksheet

BUSINESS CONTINUITY WORKSHEET

(Name of Site)

PURPOSE
This worksheet records the discussions from each entity meeting.

SITE BUSINESS CONTINUITY COORDINATOR/PLAN OWNER

___(Insert name and contact information)____

SENIOR MANAGER’S APPROVAL


This is to verify that I have reviewed and approved this worksheet as the basis for a Business
Continuity Plan.

_____________________________ _______________
Name and Title Date


A.5.1 LIST OF WORKSHEETS

The following worksheets are attached.

Entity | Scope of Worksheet | Responsible Manager and Phone Number
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
14.
15.
16.
17.
18.
19.
20.


A.6 Entity Business Continuity Template

Copy this plan worksheet as many times as necessary to create one worksheet for each
entity.

ENTITY WORKSHEET FOR BUSINESS CONTINUITY PLANNING

ENTITY: ________________________________

COMPANY: ________________________________

LOCATION: ________________________________

This is worksheet number _____ of _____ for this company

SCOPE

This worksheet covers the following operations within this entity:

ENTITY MANAGER’S APPROVAL

The contents of this worksheet are approved for inclusion into the business continuity plan

____________________________ __________________
Name and Title Date


WORKSHEET COMMENTS

SECTION 1: OBJECTIVES AND STRATEGIES

1.1 Customer and Business Requirements
1.2 Critical Systems and Operations
1.3 Recovery Time Objectives (RTO), Maximum Tolerable Outages (MTO)
1.4 Assumptions
1.5 Continuity Strategy
1.6 Priorities

SECTION 2: PROCEDURES FOR TEMPORARY OPERATIONS

2.1 Activating the Plan
2.2 Major Actions


Section 1: Objectives and Strategies Worksheet


1.1 CUSTOMER AND BUSINESS REQUIREMENTS

The entity’s primary responsibilities:

The entity’s key customers (internal and external):

Customer requirements that drive the business continuity strategy:

1.2 CRITICAL SYSTEMS AND OPERATIONS

Systems and operations within the entity that are critical for meeting customer requirements,
and which are covered by this plan:

Dependencies: Systems and operations on which this entity depends, but which are not under
its control and are therefore not covered by this plan:

1.3 RECOVERY TIME OBJECTIVES (RTO), MAXIMUM TOLERABLE OUTAGE (MTO)

Maximum acceptable time for an interruption of critical systems or operations (the time within
which critical systems or operations must be restored after an interruption):

1.4 ASSUMPTIONS

The following assumptions have been made for this entity in addition to all organization-wide
assumptions:

1.5 CONTINUITY STRATEGY

Taking into account time limits, advantages, disadvantages and costs, the overall continuity
strategy for operating in contingency mode is as follows:

1.6 PRIORITIES

Systems or operations to be restored first. Target time line: _______
Systems or operations to be restored second. Target time line: _______
Systems or operations to be restored third. Target time line: _______


Section 2: Worksheet for Invoking the Plan

2.1 CHECKLIST FOR INVOKING THE PLAN

☑ Specific conditions for invoking this plan (invocation criteria established by the
strategic objectives):
☑ Managers with authority to activate this sub-plan:
☑ Procedures (if necessary) for deciding whether to activate:
☑ Convene Business Continuity Team at ______________________.
☑ Review summary of situation and damage assessment.
☑ Make decision whether to invoke the plan.
☑ Determine preliminary time schedule and shifts for key personnel.


2.2 MAJOR ACTIONS

COPY THIS PAGE FOR EACH MAJOR ACTION LISTED IN SECTION 2 THAT NEEDS TO BE DEFINED FURTHER

This section of the plan contains specific procedures needed to complete major actions to
deliver the strategy. Using the master checklist in Section 2.2.1 as an initial guideline, the entity
should create as many separate sets of procedures as necessary to complete each major action on
the master checklist for the selected strategies (Appendix A.2).

Each set of procedures should include specific actions to be taken, the timeline, who is
responsible for completing each step, and the resources needed.

Major Action: __________________________ (Reference strategy development for
selected strategy and required action)

Step | Timeline | Specific Actions to be Taken | Person Responsible | Resources Required
1


2.2.1 EXAMPLES OF PROCEDURES AND RESOURCES

(Note: The following should be considered when implementing the strategy. These
procedures are not expected to apply to all entities, but will provide a prompt for
consideration and should be reviewed selectively as applicable.)

PROCEDURES

· Delegating authority for purchasing, response ownership, non-core expenses, operations,
implementing emergency accounting procedures and overall responsibility for incident
management
· Arrangements for alternate locations outside potential disaster areas (other sites, hotel or
conference centers, recovery service company sites, supplier or other company sites)
· Alternate floor space requirements (including primary operations, support functions, and
temporary command post areas)
· Transportation of people, equipment, documents and vital records to alternative locations
· Security and access for alternate sites
· Establishing utilities (power, heat, water, sanitary) and other needs at alternate location
· Obtaining essential drawings for operations, network configurations, utility requirements,
and other processes, including uploading of software applications, tapes and data
· Process for repair, relocation or replacement and installation of equipment
· Retrieval and loading of software at alternate location
· Recovery of essential documents, operating manuals and vital records (inventory, backup,
safeguarding, and transportation to alternate location)
· For facilitating employees (especially key employees or skill sets)
· Establishing optimum staffing requirements and schedules
· Implementing employee welfare issues (arrangements for family safety, child care, new
commute time, extra expenses, food and dining areas, sanitary facilities, communications)
· Managing customer ordering and customer service operations when at reduced capacity
· Providing added insurance coverage at alternate location
· Issuing public relations statements

RESOURCES

· Key personnel or specific skill sets, staffing requirements, and schedules
· Vendors for service utilities (power, heat, water, sanitary facilities, etc.)
· Outsourcing suppliers
· Vendors for key operating or processing equipment, essential test equipment and tooling,
raw materials
· Vendors for office supplies and equipment, telecommunications equipment, including land
lines, data lines, satellite phone and pager coverage, 2-way radios
· Essential documents, operating manuals and vital records

P07170