Best Practice Checklist For Business Continuity

No one can predict the future; however, you can be ready with a sound business continuity plan. The business continuity checklist is the first step in the BCP process. The checklist is not an exhaustive list; it is a simple tool for ensuring that the basic BCP process has been initiated and that Division management has considered what needs to be done to keep essential functions operating if an adverse event occurs. The checklist is somewhat “information centric”, as organisations’ reliance on information is increasing and its successful management provides competitive advantage.

Program Initiation and Management (Pre-Planning)

  • Establish the need for Business Continuity Program
  • Scope of legal and regulatory authority
  • BCP Sponsor (Senior Management)
  • Business Continuity Steering Committee (5-8 people)
  • BCP protects core assets

 

Risk Evaluation and Control (Pre-Planning)

  • Prioritize planning and resource allocation
  • Identify and mitigate exposures
  • Identify the threats, risks and vulnerabilities
  • Gather information
  • Controls/Safeguards
  • Annualized Loss Exposure (ALE): Risk = Frequency x Exposure
  • Quantitative and qualitative
  • Protecting physical property, information, company reputation
  • Risk tolerance and probabilities

 

Business Impact Analysis (Pre-Planning)

  • BIA determines critical, time sensitive, prioritized business processes
  • Interdependencies of these functions (intradepartmental, interdepartmental and external)
  • Establish RTOs (disaster and minimum acceptable level) and RPOs (last good data)
  • Plan and coordinate data gathering and analysis
  • Questionnaires
  • Financial impact, customer impact, legal impact, regulatory impact
  • Disruption < RTO
  • Disaster > RTO
  • Vital records management
  • Data backup strategies
  • Prepare and present BIA

 

Developing Business Continuity Strategies (Planning)

  • Assess strategies, maximum recovery impact in RTO window
  • Support services/resources needed
  • Alternate strategies  (combo, displacement, alternate site, work from home)
  • Cost (advantages and disadvantages)
  • Develop a cost/benefit analysis
  • Other requirements

 

Emergency Preparedness and Response (Planning)

  • Types of emergencies
  • Tactical and strategic planning
  • Evacuation/SIP
  • Facility stabilization
  • Identify and review existing emergency response procedures
  • Life safety
  • Command and control
  • ICS
  • Crisis management
  • Notification and protocols

 

Developing and Implementing Business Plans (Planning)

  • Types of plans (crisis mgt, COOP, DRP, ERP, BCP, etc.)
  • Introduction, policy statements, scope, assumptions, essential business functions and processes
  • BCP structure (base plan)
  • Checklists
  • Disaster recovery management
  • Critical continuity functions
  • Human resource responsibilities
  • Recovery communications
  • Insurance/Emergency funds
  • Plan implementation
  • Plan distribution

 

Awareness and Training Programs (Post-Planning)

  • Importance of BCP
  • Awareness activities
  • Training activities
  • Audience needs
  • Delivery tools

 

Business Continuity Plan Exercise, Audit, and Maintenance (Post-Planning)

  • Exercise and test the plan
  • Tabletop, walkthrough, backup, integrated, comprehensive, standalone, call trees, line of business, facilities
  • Timeline
  • AAR/IP
  • Maintain BCP
  • Establish an audit process

 

Crisis Communications (Post-Planning)

  • Sources of communication
  • Methods of communication
  • Internal vs. external
  • Stakeholders
  • Media and role of spokesperson
  • Key messaging
  • Crisis communication plan

 

Coordination with External Agencies (Post-Planning)

  • Identify and establish the organizational emergency management procedures
  • Coordination with external agencies
  • Current laws and regulations
  • ICS

Business Continuity Checklist: MITIGATION PLANNING CHECKLISTS

Mitigation Planning

Generic planning tasks (please add other business-specific action points) Completed Y/N
Identify minimum resource requirements  
Identify critical supplies – Ensure sufficient stocks are in place, source alternative suppliers and product  
Contact critical suppliers to identify whether they have contingency plans in place.  
Use more than one supplier, on a regular basis, for all critical services and materials
Identify interdependencies between other businesses, business units, services and organisations, to ensure service delivery can be maintained
Identify tasks that support business critical functions  
Identify all business critical services and tasks that must continue during a disruptive event  
Consider the impact of greater demand on the critical services you provide and the plan to manage the increased workload, if appropriate  
Determine the potential impact of a disruptive event, such as an influenza pandemic, on your business-related travel

 

Staff Issues (please add other business-specific action points) Completed Y/N
Identify key members of staff in critical roles  
Prepare a skills matrix to identify transferable skills  
Provide and maintain cross-training  
Document operational procedures for all tasks supporting a critical service to enable tasks to be undertaken by other staff  

 

Staff Issues – home-working Completed Y/N
Identify which staff could operate from home  
Test home-working arrangements  
Check Human Resources working at home policy  
Maintain staff contact details including home/mobile phone numbers and e-mail addresses  
Liaise with IT Services regarding IT requirements (hardware, software, instructions, training, etc.)
Prepare a matrix of IT critical equipment requirements in an emergency for critical tasks/critical users

 

Document Management  Completed Y/N
Liaise with IT Services to set up shared directories for access to key documents. Prepare a table detailing the directories
Ensure key documents are stored in shared directories. Prepare list of key documents  

 

E-Mail Management Completed Y/N
Liaise with IT Services to set up shared Outlook mailboxes for critical user groups. Prepare a table detailing the shared mailboxes
Where appropriate, set up secondary user access to personal Outlook mailboxes. Prepare a table detailing the secondary users
Establish a routine of sending e-mails/copies to shared Outlook mailboxes

Communications Completed Y/N
Collate and create mobile telephone directory  

 

Service planning tasks Completed Y/N
Identify services which could be stopped or reduced during a disruption  
Identify staff from non-critical task areas who could act as temporary support cover to assist in critical task areas
Identify how internal resources could be reallocated to ensure those activities connected to critical tasks are maintained during a disruptive event  

Business Continuity Checklist: RESPONSE ACTIONS

Plan Checklists of Initial Actions for each high risk threat (complete a checklist for each high risk threat)

Response Checklists

Loss of Staff (Temporary/Permanent) Completed Y/N
  • Staff illness
  • Staff absence due to illness of dependent children/closure of schools
  • Loss of large numbers of staff
  • Loss of small numbers of key staff (managers/specialists)
  • Industrial action

 
Liaise with Human Resources  
Review staffing arrangements  
Appropriate managers and staff to be re-deployed from other areas as required  
Staff temporarily re-deployed  – cover by agency staff if appropriate  
For industrial action – Human Resources to provide strategic guidance for managers  

Influenza Pandemic Completed Y/N
Consider the impact of greater demand on the critical services you provide and plan to manage the increased workload if appropriate  
Determine the potential impact of the pandemic on your business-related travel  
Consider planning for the use of audio or video conferencing as alternatives to traveling/attending meetings to reduce person-to-person contact  
Forecast potential employee absence during a pandemic. For influenza pandemic planning purposes, the estimated worst-case scenario is for a cumulative clinical attack rate of 50% of the population over 15 weeks for each phase.

 

Damage to premises Completed Y/N
Liaise with the Council building control department regarding dangerous structures, if appropriate
Notify utility companies (e.g. gas, water, electricity, telecommunications)  
Consider impact on staff and public health and safety e.g.

 

  • Loss of electrical power affecting fire detection and alarms, lighting, emergency lighting, heating, swipe card access, intruder alarms/security
  • Loss of water supply affecting catering, sanitation, e.g. toilets and hand washing facilities, etc.
 
If structure is dangerous, take advice and reasonable action to remove/reduce immediate danger to staff and the public. Action may include:

 

  • Barricade off
  • Arrange for repair
  • Removal of the hazard if appropriate.
  • Scaffolding or shoring to make the building safe until permanent work can be arranged may have to be organised
  • Have the premises secured to prevent unauthorised access
 
Identify alternative premises if required  
Contact your IT department regarding implications for IT and communications infrastructure  
Implement arrangements to maintain building security  

 

Loss of Premises/Access Denied  Completed Y/N
Identify alternative premises if appropriate.  
Notify staff: advise of action to take for next working day (e.g. staff for high criticality functions go to alternative location, staff from lower criticality functions call in for further information)
Staff may need practical assistance e.g. to get home, obtain spare keys, notify relatives/friends to assist  
If you are unable to contact all staff (e.g. if the incident occurs out of working hours), arrange for staff to be met on arrival at site on the next working day and advise them what to do and where to go (as above)
Establish a staff ‘information line’ number with a recorded message of action to take (use Reception until a dedicated line can be set up and details publicised to staff)

 

Loss of Utility Supply (Gas, Water, Electricity) Completed Y/N
Contact service provider to establish:

 

  • Extent of disruption.
  • Remedial action being taken.
  • Length of time before restoration of service
 
Consider impact on staff and public health and safety e.g.

 

  • Loss of power affecting fire detection and alarms, lighting, emergency lighting, heating, swipe card access/security.
  • Loss of water supply affecting catering, sanitation e.g. toilets and hand washing facilities
 
Contact your IT department regarding implications for IT and communications infrastructure  
Identify alternative premises if necessary  

 

Loss of IT and/or Communications Completed Y/N
Contact your IT department regarding impact on IT and communications infrastructure  
Publicise alternative contact details to staff and public  
Identify alternative premises if unable to  
Prolonged incident: consider alternative supply

Loss of Supplier Completed Y/N
Identify alternative material resources  
Identify alternative human resources  
Identify alternative service provider  

 
