
Business Continuity Management Assessment - 2015

1

Control # | Management Practice Questions | Management Response | Recommendation

1. ORGANIZATION & STRUCTURE

SENIOR MANAGEMENT COMMITMENT

Does the Board of Directors/Trustees/Audit Committee annually review and approve the Business Continuity Plan? Does the review include: scope of the BCP Program? Frequency of testing? Test results?

NO

The Board is responsible to the shareholders and stakeholders for the ongoing performance of the company and should approve key elements of the business continuity program. The approval process should include the scope of the program, the frequency of testing and the test results.

Has senior management published a policy statement indicating their commitment to BCP?

NO

Senior management should approve a policy statement to provide guidance on how to implement business continuity mandates. Create a corporate policy that addresses how the company’s business units are required to address business continuity issues.

Is management evaluated based on compliance to the BCP policy statement?

NO

Management performance metrics should include a measure of adherence to the business continuity policies and procedures. Develop a program under which senior and middle management are evaluated on BCP policy compliance.

Are the company’s suppliers/vendors required to comply with the BCP policy statement?

NO

Today’s business models incorporate key vendors whose interruption could cause financial, operational and business impacts in cases where they represent single points of failure to the business unit or enterprise. Vendors should be required to comply with the company’s business continuity policy.


Does senior management annually approve key elements of the BCP Program (the incident management model; corporate recovery priorities; corporate support plan; business units/processes to be included; and business impact analysis results)?

NO

Senior management is responsible for the company’s ability to recover from a business interruption. Management should annually approve the major components of the BCP. Some components warranting annual approval include: 1) the incident management model; 2) corporate recovery priorities; 3) the corporate support plan; 4) business units/processes to be included in the program; and 5) the results of the business impact analysis. Approval can be in written form, or appear in meeting minutes.

Have senior management’s roles and responsibilities been identified and documented, and have the appropriate members been trained on their particular role in the incident management model?

NO

It is important that senior managers and their direct reports know their roles and responsibilities in a situation that could require the implementation of the BCP. The impact of business interruptions is compounded when leadership does not act according to their defined scope of responsibility. Management should train senior managers annually on their roles and responsibilities for incident management.

Has senior management appointed a management group/person to oversee the development and implementation of the business continuity program?

NO

There is a significant risk that effective plans cannot be developed without the active support of senior management. Senior management, preferably the Executive Committee, should designate a multidisciplinary team responsible for development and implementation of the business continuity program. Management should also consider assigning a senior manager, empowered with the corporate responsibility for the business continuity program, to maintain focus and apply appropriate resources.

Is the senior management sponsor involved in the BCP program on a periodic (minimum) basis?

NO

A senior manager who does not actively participate in the business continuity program will not be able to provide adequate support for key recovery related initiatives. Develop an appropriate schedule for involvement, including specific triggers that mandate senior input and/or review.

Does management mandate an annual risk assessment?

NO

The Risk Assessment will help management identify scenario exposures/risks (i.e. events that could impact the location of the business or processing centers). In many areas where exposures exist, controls may be implemented to mitigate the impact of the threats. Management may decide to accept certain exposures given the likelihood and weight of impact of the threat on the business and/or the cost of implementing additional controls. Management should also consider new threats and scenarios as the environment changes, so that appropriate response mechanisms are in place.

BCP OBJECTIVES

Are the BCP program objectives documented?

NO

The Business continuity program objectives help to document and implement senior management’s mission statement on BCP. BCP objectives are not the same as recovery priorities. They are the operational targets, updated periodically, to help make the overall program successful. Develop significant, measurable, and attainable program objectives that address the organization’s industry and current/future regulatory environment.

Are the BCP program objectives measurable?

NO

Without measurable objectives (metrics, timeframes, etc.), it is difficult to determine whether the target environment has been met. Management should define the business continuity program objectives and communicate them throughout the organization.

Are the BCP program objectives integrated with the company’s strategic business plan?

NO

Business continuity plans are designed to protect the long-term enterprise value. Develop a system to incorporate key strategic objectives into the business continuity program.

Are the BCP program objectives realistic and achievable?

NO

Setting objectives for the BCP program requires the balance of realistic and achievable objectives. Management should determine the resources required for reaching the BCP objectives and the resources readily available. Management should identify any potential resource gaps and report those deficiencies to senior management for either increased support or a redesign of the BCP objectives.

Are the BCP program objectives based on the company’s industry sector?

NO

The business continuity program should address the unique industry requirements and processes of the organization. Management should develop BCP objectives that address those industry specifics.

Are the BCP program objectives based on current and anticipated regulatory requirements?

NO

Management should be addressing the regulatory environment of the organization in its BCP program. When new regulation is proposed or released, management should review and adjust its BCP program to meet those changes. Management should develop its business continuity program objectives to meet or exceed the current regulatory requirements.

BCP PROGRAM RESOURCES

Is there a BCP program coordinator?

NO

Document the recovery organization and the names associated with the various team leader roles and responsibilities. The organization must identify who is the point person for all BCP issues. Designate a BCP coordinator who understands the organization and will be supported by its various stakeholders.

Is the BCP Program coordinator held accountable for results of the program?

NO

A business continuity program should be treated like any other major company initiative. This includes creating objectives and holding the BCP coordinator accountable to them. Develop a system for evaluating the program coordinator against the program objectives.

Are the role and responsibilities of the BCP Program Coordinator documented and understood?

NO

Business continuity interacts with every area of the organization, and it is possible for the duties of a BCP coordinator to be misaligned or miscommunicated. Develop a documented role and list of responsibilities for the BCP coordinator, including how the BCP coordinator will interface with department/business unit representatives. The BCP Coordinator’s responsibility is to manage and coordinate the response to, and recovery from, a crisis. This role will continue through the restoration until the situation returns to normal. The Coordinator’s key roles and responsibilities are:

• Select/Activate Emergency Operations Center;

• Direct information gathering;

• Project manage the recovery;

• Ensure delegated tasks are completed; and

• Communicate and coordinate with Business Recovery Teams.


The Coordinator is a project manager and a decision-maker, overseeing and directing recovery efforts and tasks, focusing on the coordination and management role. This function involves gathering relevant information and options from the various teams to enable accurate decision-making, and to delegate and follow up tasks to ensure things actually happen.

Is the BCP Program Coordinator empowered to make significant decisions about the BCP program?

NO

The BCP Program coordinator is senior management’s agent for implementing the business continuity program. Establish clear authority thresholds that permit appropriate flexibility in BCP program management.

Is there a designated BCP representative within each business unit?

NO

Each business unit should have input into the contents of the BCP in order to make the plan comprehensive and dynamic. Management should designate a BCP representative for each business unit to liaise with the BCP Program coordinator.

Is a process in place to determine resources (internal, external, and budget) required for ongoing BCP program success?

NO

A BCP program requires a budget and dedicated staffing to ensure that the objectives can be met within the assigned timeframes. Management should also consider situations where external resources (vendors, business partners and consultants) may be needed to meet shortfalls during peak periods of key program activities. Additionally, management should identify where additional organizational headcount could be engaged to make up for staffing shortfalls during periods of increased manual workarounds (e.g., systems downtime). Management should identify the required resources and allocate funding and staffing as needed to the BCP program.

RECOVERY ORGANIZATION / TEAMS

Is there a formal BCP organization consisting of designated personnel and recovery teams?

NO

Detailed roles and responsibilities for the recovery organization help to provide a framework for successful plan development and implementation. In developing and maintaining an effective and efficient business resumption capability, leadership roles should be defined. This group has the responsibility for overall strategic guidance during the recovery efforts, allocating resources.

Management should create a formal BCP organization that includes a Steering Committee, Damage Assessment Team, Corporate Support Team, Business Recovery Teams and Technical Recovery Teams. This ensures that the overall responsibility for evaluating and making decisions on the deployment of recovery resources rests with senior corporate managers representing IT, business operations, finance and such other business functions as the organization may feel are advisable. Additionally, this would facilitate the establishment of an EOC (Emergency Operations Center) and identify who is authorized to declare and rescind a disaster.


Is there a distinct technology recovery team?

NO

Management should create a Technology Recovery Team. This team is responsible for providing technical recovery of systems, platforms, data, networks and applications. It is responsible for verifying that applications are functioning properly, ensuring user connectivity and providing recovery services as defined in its documented scope, objectives and roles and responsibilities. At a high level the team will: (1) oversee the technical damage assessment; (2) determine the system recovery priorities based on the damage assessment; and (3) locate, acquire and restore hardware and software as needed.

Is there a distinct business process recovery team?

NO

Management should create Business Recovery Teams. The Business Recovery Teams are responsible for maintaining business operations while minimizing any adverse publicity, client service and financial impact. These teams are responsible for communicating with the BCP Coordinator and initiating recovery tasks as indicated in their documented plans.

These teams consist of members of each of the business units who will be responsible for the recovery of the key business processes and, if and when an incident occurs which requires evacuation of the facility and relocation to a recovery facility, the invocation of their call trees. Each team has a primary and alternate (in cases where the primary person is unavailable) team leader to lead recovery efforts for that specific team.

Is there a distinct corporate support team?

NO

Management should create a corporate support team to provide administrative, financial and other such services as may be required by the recovery (business and/or technical) teams. This team could include: Logistics, Facilities & Maintenance, Public Relations, Real Estate, Vital Records, Crisis Management Desk, Finance, Human Resources, Insurance, IT, Legal.

Is there a distinct damage assessment team?

NO

Management should designate a Damage Assessment team. This could include representatives from Finance, Insurance and Human Resources, Logistics and Facilities, Legal, Public Relations, the Information Technology support team, and the affected business units. The team will arrange for the salvage or repair of resources where possible. If significant damage occurs, this team decides whether to repair the existing facility or prepare a new one.

Are the roles and responsibilities of the various recovery teams clearly defined?

NO

The roles and responsibilities for the various recovery teams should be clearly defined and documented. The individual teams need to focus on their specific role and responsibilities to ensure that an efficient recovery is implemented.

Are the relationships between the various recovery teams and their joint accountabilities clearly defined?

NO

The relationships and effective communication between the various recovery teams are integral to a successful recovery effort. It is important for each team to understand the overall recovery strategy and appreciate what other teams are doing. The BCP Coordinator is responsible for acting as the hub for this communication, communicating information on a regular basis to prevent a silo approach to the recovery.

DOCUMENTATION PROTOCOL

Is there a central repository for BCP related documentation?

NO

A central repository allows for document control, security and maintenance. Management should create a secured database, directory tree, intranet site or software repository for BCP documentation.

Have all BCP plan components been identified and integrated to ensure a successful implementation?

NO

BCP plans include many components (evacuation plans, business relocation plans, technology plans, manual workarounds, data restoration plans, etc…) that need to be leveraged to create an effective enterprise wide plan. Management should ensure that all plan components have been identified and leveraged to ensure a non-siloed and complete recovery effort.

Are plan component documents consistent when referencing common procedures?

NO

A consistent approach to referencing procedures or defining nomenclature ensures a level ground for developing and implementing recovery plans. Management should develop a consistent nomenclature and reference procedure.

ESCALATION & EXECUTION

Are there clearly defined thresholds to guide the escalation sequence and trigger recovery activities?

NO

Disaster declaration, evacuation, damage assessment, emergency response, and off-site storage and retrieval procedures must be documented in the plan; all procedures must provide sufficient detail to be carried out and tested. Business units must identify specific prioritized activities for the recovery of all critical business functions.

Are formal documented procedures in place to guide the escalation and implementation of the organization’s recovery strategies?

NO

When a crisis situation arises, the designated point person (e.g., for systems issues, the IT Manager) must be informed immediately. That person then evaluates the situation, with the assistance of other team members where necessary. Based on the disaster criteria, the steering committee or crisis management team either declares a disaster or arranges for the correction of the problem and resumption of normal processing. It is essential that proper call chain procedures are documented and followed. Effective communications play a vital role in the recovery effort.

When a disaster affects a facility, all personnel at the facility should be evacuated and directed to the predetermined assembly location. One or more people (e.g., fire wardens) should be responsible for taking a head count to ensure all staff have been evacuated. Plans should note any personnel with specific emergency skills such as CPR, fire fighting and medical emergency skills; these people should also have specific responsibilities in an evacuation so their skills can be used to the best advantage. Other people may be assigned responsibility for completing backups of work in process in a non-life-threatening situation or where advance warning of an impending disaster is received. Document all evacuation procedures and assembly locations in the plan. All business units should be familiar with the emergency response procedures at their site.

Are the recovery strategies coordinated and integrated across all departments, business units, divisions, etc.?

NO

A business continuity plan recovers business processes. The identification of cross business unit processes, intra and inter office dependencies (the supply chain) is essential to a successful recovery. Management should ensure that all recovery strategies leverage the business process recovery strategies to ensure that the recovery plan objectives are met.

Do the response programs include physical and logical security requirements?

NO

Awareness of physical and logical security threats to the organization, and tying them to the BCP program, is critical to the incident management model. Management should ensure that the physical security and information security areas of the organization are tied into the BCP process.

Are administrative personnel and associated resources identified and documented in the plan to ensure that the recovery strategies are properly supported?

NO

Administrative resources are required to facilitate recovery needs for such activities as supplies fulfillment and documentation of actions taken (minutes). Management should document the roles and responsibilities of administrative support for the recovery efforts.

BCP PROGRAM AWARENESS

Is there a formally documented training and awareness schedule and format for all applicable employees?

NO

Procedures must be established for informing and keeping staff current on business continuation planning and their individual responsibilities. Plan content and implementation must be fully understood by all staff.

Procedures should be developed for training all personnel in emergency response and notification procedures. Training in evacuation and in the use of disaster prevention measures should be conducted. This should include notifying the proper emergency services and the Business Continuation Officer or alternate contacts, and moving to the assembly location.

Recovery team members should also be trained in the timing and technical aspects of their recovery tasks where necessary. Information should be presented to the recovery team leaders and alternates explaining the interaction of team activities and their relationship to the recovery of all critical business functions. The interdependence of teams should be emphasized to create unity between the teams and to ensure a smooth recovery. For their own safety, all employees should be aware of the appropriate response in a life-threatening emergency situation. Personnel need to understand the interaction between recovery teams and how their specific responsibilities and tasks fit into the overall BCP. For members of recovery teams, the majority of their training will be provided during plan testing. The members of critical department teams should be prepared to complete their normal duties in other surroundings and with the minimum required resources.

Is BCP addressed when conducting training for related disciplines (disaster recovery, risk management, security, etc.)?

NO

All employees should be trained in how their particular discipline is interrelated with BCP. Where feasible, management should incorporate BCP into existing training programs (e.g., information security training programs should include how escalation of a security-related event might lead to a BCP implementation).

Do company publications include information and updates on the BCP program?

NO

Management should consider creating an internal publication, website, or other periodic publication to foster BCP awareness in the organization.

Do all employees understand the BCP program and how they can contribute or get involved?

NO

Documented procedures must be established for informing and keeping staff current on business continuation planning and their individual responsibilities. Plan content and implementation must be fully understood by all staff. All staff should be able to know how to get in contact with their local business unit BCP representative, and the BCP coordinator.


Does the company share information concerning their BCP with outside interests (customers, suppliers, regulatory agencies, insurance companies, etc.)?

NO

Management should have all requests for information on their state of readiness directed to one central liaison. Management should have created and approved a single policy statement regarding the organization’s state of readiness, and where appropriate, test with key external organizations as needed.

2. BUSINESS IMPACT ANALYSIS

PROCESS MAPPING

Is there a formal procedure to identify time critical business and operational processes (process mapping) within the company?

NO

Management should document how the organization will identify and document critical business processes and supporting resources. The process should include the roll-out of a Business Impact Analysis to identify each business unit’s Recovery Time Objectives (RTOs), critical resource requirements and processing interdependencies. The identified resources, and the time by which they must be made available, define the parameters for the Business Continuity Plan (BCP) and ultimately drive the recovery priorities and the strategy for each business unit.

Does the process mapping exercise involve all appropriate stakeholders (internal and external)?

NO

Business units must address workflow interdependencies between their own function’s processes and other business units and/or external sources. Internal and external business process interdependencies should be defined and documented for all critical business processes to ensure the entire process is both identified and recoverable. Business units relying on third-party vendors for critical products or services should verify that the vendor has business continuation plans in place that meet the unit’s service expectations and requirements. The third party should have a documented and tested plan addressing the recovery and resumption of operations in the event of a business disruption. The plan should be available for review by the business unit and Internal Audit, and these units should be allowed to participate in testing if they so request.

Is the process mapping exercise and any corresponding assessment applied consistently across all departments, business units, divisions, etc.?

NO

For each critical business function that a business unit has identified, the business unit should identify the critical inputs associated with that function’s processes. Inputs to a critical business process are sources of information or services received from internal business units as well as from external Company Name business partners/stakeholders, which are necessary to perform key tasks. Inputs come in a variety of formats, including but not limited to paper, magnetic media, microfiche, electronic files, reports, telephone calls, transmission feeds, mail and faxes. Business units must identify not only the apparent applications and processes necessary for the successful performance of unit functions, but also the upstream/downstream processes that affect their process. Planners may find it necessary to speak with process owners or other operational support staff/vendors for assistance in identifying these downstream applications. Outputs of a process should also be identified: although a process’s outputs may not be critical for the business unit producing them, they may be critical inputs to another process or function and should, therefore, be identified.

BUSINESS IMPACT ANALYSIS PROCESS

Has a Business Impact Analysis been completed?

NO

The purpose of a BIA is to identify the Recovery Time Objectives (“RTO”), the maximum tolerable time to recover critical business functions and the existing resources supporting each function. The BIA also includes the resource requirements to meet the RTO so that recovery needs can be readily identified and fulfilled. These may include: Staff; Desktops and stand-alone PCs; Telephones and Fax Machines; Office Equipment & Supplies; Stationery & Forms; Applications and Hardware Platforms; Internal Networks; External Connectivity; Vital Records; and Dependencies (internal business functions and external business partners).

Management should gather, through interviews, and document estimates of the tangible or intangible costs associated with a business disruption (quantitative or qualitative assessments), based on knowledge of the business, including: loss of customer goodwill; loss of market share; loss of information used to make strategic and operational decisions; missed business opportunities; reduced cash flow control; and other operational impacts. Management should also identify the IT recovery timeframe for each of the critical applications/software packages identified by the business function. The Work Area and IT Recovery Strategy will be driven by the requirements gathered in the BIA and by the gap between those requirements and the time and resources available from IT and Facilities. Use the BIA information to drive RFPs to vendors for recovery contracts.


Is a BIA completed annually?

NO

The BIA is used to facilitate the identification of various impacts and exposures that would result from a significant business disruption. The process of considering financial, customer service, legal and regulatory, and operational impacts will enable the organization to assign a more accurate recovery time objective that is based on the importance of its business functions to the organization and to justify potential contingency related expenditures. Impacts should be documented consistent with the approach that a disruption occurred at the worst possible time (worst-case scenario). The unit should consider peak operating times, workflow fluctuations, and frequency of key reports (end of week, month, quarter). Any methodologies used to arrive at quantitative impacts must be included to support those amounts (For example, if a business unit claims that a one day disruption would result in a financial impact of $50,000, the business unit must provide the detail used to arrive at those amounts, i.e., the number and type of transactions multiplied by the dollar amount per transaction). Management should ensure that all business units perform a business impact analysis (BIA) to evaluate the financial and non-financial impacts of a worst-case disaster scenario on each particular function.

Did the BIA document more than IT applications?

NO

An effective BIA will identify not only the RTOs, but additionally all the resources required by the business unit to perform its critical activities. Those resources should include but are not limited to:
• Personnel, including the functions that each employee completes;
• Computer hardware and peripherals;
• Software, both application and systems;
• Networks and communications;
• Voice communications;
• Office space;
• Office and other equipment, including supplies related to that equipment;
• Supplies, business forms, and manuals; and
• Vital records necessary to continue critical business operations after a disaster.

Are the impact metrics associated with the BIA determined by senior management?

NO

Management should review and approve all recovery plans. The Business Continuity Officer and appropriate Business Unit Management, Operations & Systems management, and the Risk Officers should also validate the critical business functions and their related recovery time objectives. The review process should consider all documented impact metrics used to define the necessity to resume business in a timely manner in the event of a disaster.

Did the BIA consider multiple business impact metrics other than financial metrics (intangible costs associated with business disruption (qualitative assessments) based on the knowledge of the business)? NO

Management should consider business impacts such as:

Financial Impacts include the loss of revenue resulting from termination or delays in producing products or providing services, delays in collecting or investing cash receipts that result in a loss of income or increases in borrowings, loss of market share resulting from termination or delays in producing products or providing services, and increases in expenditures to recover Critical Business Functions.

Customer Service Impacts include the termination or reduction of the organizational unit’s ability to meet the requirements or expectations of its customers (including the effect on Company Name’s public and industry image) for information about, or support of, the products and services it provides. The level of impact (Low, Medium, High) may be associated with drivers that are specific to business unit operations; in the case of a call center, a low impact may relate to the inability to service 100 calls per hour versus a high impact of 1,000 calls per hour. The business unit’s degree of impact must be justified using business unit performance drivers. In other words, after specifying the qualitative impact (i.e., “inability to service customer calls”), define the quantitative impact in terms of specific drivers (i.e., customer calls/hour) that can be translated into a low, medium, or high impact to the organization. Business units must also consider the consequences of not meeting the objectives outlined in any existing service level agreements.

Legal & Regulatory Compliance Impacts include the potential for breaches of contract or failure to meet regulatory requirements (including the inability to maintain records in conformity with generally accepted accounting principles and tax requirements, or the inability to comply with court orders or applicable settlement or litigation agreements). Documenting these impacts also means (1) explaining the expected timing of and exposure to increased legal liabilities; (2) explaining the range of potential damages, fines, and/or penalties; and (3) identifying and paraphrasing the specific regulation being violated, how it applies, and the potential sanctions if compliance requirements are not met.

Operational Impacts include the inability to meet customer, business unit, and work group performance expectations, the cost of write-offs caused by processing delays, the cost of backlogs created and the resource requirements needed to address those backlogs, and the potential cost associated with recovering records damaged or destroyed, as well as other operational costs to restore operating performance to minimum acceptable standards.


Are roles and responsibilities associated with the BIA process clearly documented and understood? NO

A uniform approach to the rollout of a BIA tool for information gathering ensures a level playing field for evaluating recovery priorities across an organization. Management should develop a consistent methodology and approach for the BIA process. Develop policies and procedures for the BIA process. Designated staff should be responsible for implementing and summarizing the results of the BIA.

Is the BIA process consistently applied across all departments, business units, divisions, etc.?

NO

A uniform approach to the rollout of a BIA tool for information gathering ensures a level playing field for evaluating recovery priorities across an organization. Management should develop a consistent methodology and approach for the BIA process. Designated staff should be responsible for implementing and summarizing the results of the BIA.

Does the BIA process provide the basis for the company’s business interruption insurance program?

NO

Impacts associated with the BIA process provide a basis for providing adequate insurance. The organization should quantify the loss due to an outage where feasible in order to justify loss potential and coverage requirements.

RECOVERY TIME OBJECTIVES

Has senior management established corporate RTOs?

NO

Management should set corporate objectives for recovery based on the regulatory and market drivers that dictate recovery times. Recovery time objectives (RTO) should be assigned to critical business processes, and should be validated by senior management to ensure accuracy and uniformity.

Are the corporate RTOs aligned with the BCP objectives? NO

Business units need to be able to map their objectives for recovery to the organizational objectives. Management should define the overall corporate objectives for recovery and the individual business processes should map their RTOs to the corporate objectives, where applicable, to ensure that there is a common ground/goal to allocating recovery resources and priority setting.

Have all organizational process stakeholders established RTOs for their individual processes? NO

Without priorities based on the criticality of impact, recovery plans may not adequately address recovery needs or set appropriate priorities, and ultimately may fail to limit financial loss. All business units should identify their RTOs based on criticality and resource requirements.

Are the individual business/operational process RTOs aligned with the corporate RTOs? NO

Business units need to be able to map their objectives for recovery to the organizational objectives. Management should define the overall corporate objectives for recovery. The individual business processes should map their RTOs to the corporate objectives, where applicable, to ensure that there is a common ground/goal to allocating recovery resources.

Are all RTOs achievable based on internal and external conditions?

NO

Management should create a gap analysis to compare the RTOs of the business units to the actual recovery abilities of the organization. Management should ensure that where the business process RTO exceeds the actual recovery time, manual workarounds exist to fill the gap or consider allocating resources to developing a shorter recovery time capability. Where the RTO is less than the actual recovery ability of the organization, consider strategically re-allocating recovery resources.


RESOURCE REQUIREMENTS

Did the BIA include an assessment of the minimum resources required to recover operations within the specified recovery time objective (RTO)?

NO

Minimum recovery resources such as critical personnel, IT resources, platforms, hardware, software, workspace requirements, telecommunications, and supplies must be identified by critical business process and within required recovery time frames.

Have minimum personnel been documented for each phase of recovery?

NO

In a phased recovery approach, staff are scheduled to arrive at different times based on RTO. Not all staff for every function are needed immediately. Business units should consider their staffing requirements based on the time that their facility may be inaccessible and they are working from an alternate site.

Have minimum office/administrative equipment (e.g. photocopier, fax, etc) requirements been documented for each phase of recovery? NO

An effective BIA will identify not only the RTOs, but additionally all the resources required by the business unit to perform its critical activities. Those resources should include but are not limited to:
• Personnel, including the functions that each employee completes;
• Computer hardware and peripherals;
• Software, both application and systems;
• Networks and communications;
• Voice communications;
• Office space;
• Office and other equipment, including supplies related to that equipment;
• Supplies, business forms, and manuals; and
• Vital records necessary to run critical business operations.

Identifying the respective resource requirements will not automatically result in those resources being made available in a contingency situation - even if those resources have been communicated to the appropriate infrastructure providers. Management must do that

Have minimum information technology resources been determined for each phase of recovery?

NO

The resource needs of a business unit change over time and should be considered when planning for a recovery. The BIA should identify:
• Application name;
• Description;
• Application version/release;
• Date of last update;
• Hardware and peripheral device requirements;
• Communications requirements;
• Systems software requirements;
• Databases required;
• Libraries required; and
• Any special forms and supplies used.
This should be done for a phased recovery, in which immediate, intermediate and long-term needs are identified.

Does an accurate inventory of IT applications and their requisite hardware/network exist?

NO

Recovery needs and requisite back-up procedures cannot be fully understood and implemented without having a complete picture of the IT environment. Management should identify all the resources required and maintained by the business unit to perform its critical processing activities. Those resources should include but are not limited to: Applications, Platforms, Data, Hardware, and Shared Drives.

Have minimum facility/floor space requirements been determined for each phase of recovery?

NO

The business continuation plan must identify all computing, workspace and other resources required to support the unit’s critical business functions based on a phased recovery over time. A business unit’s resources change based on the length of the outage and its RTO, so appropriate resources need to be staged for delivery.

Has minimum specialty equipment been determined for each phase of recovery for each business unit?

NO

Management should identify and document, by critical business function, the office, workspace, and special equipment requirements for operations under recovery conditions. Record:
• Number of standard workspaces required;
• Number and type of telephone lines (e.g., dedicated lines);
• Collating equipment;
• Copiers and paper;
• Phone recording devices;
• Date stamps;
• Mailroom equipment (scales, tape guns, meters, etc.);
• Security requirements, including security over files, plans, financial records and other records (i.e., vaults, locking file cabinets, etc.);
• Special storage requirements, including cabinet requirements for filing reference books, storage or other needs;
• Stationery;
• Forms, noting any specific requirements (e.g., pre-numbering); and
• Suppliers, including contact names and emergency telephone numbers.
This should be done for a phased recovery, in which immediate, intermediate and long-term needs are identified.

Have required vital records been documented for each phase of recovery for each business unit?

NO

Vital records must be identified, protected from destruction, and copies stored off-site where appropriate. Procedures should be developed to ensure that the off-site records remain current. The location of off-site storage should be such that it is unlikely that a single event would destroy both the original and stored records. This standard does not replace or alter other record management policies for other vital and important records. In the context of business continuation, vital records are those records necessary to continue business operations after a disaster. Although certain records may be required as a matter of policy or to comply with federal or state laws or regulations, these records may not be essential to the recovery of critical business functions and will, therefore, not be considered vital for BC purposes. A vital record may be in the form of paper, microfilm, electronic file, microfiche, videotape, optical disk, or other unique forms. They may include things such as customer data, loan documents, debtor information, creditor information, contracts, and payroll records. Vital records should be identified by business function to help ensure that no vital records are omitted. A brief description of the vital record, the location of originals and backups, and the media type on which the vital record is held must be provided. For each type of vital record, determine any other requirements including security, environmental requirements, software required to manipulate data, and any other requirements. Management should identify and document, by critical business function, the vital records required for operations under recovery conditions. Record:
• Brief description;
• Media on which the vital record is held;
• Equipment required to make use of the vital record, e.g., microfiche reader;
• Usual location of the vital record;
• Off-site storage location for copies of vital records (include contact information);
• Frequency of backups;
• Whether backups are incremental or full;
• Whether the vital record is to be held by statutory regulation; and
• Any other requirements.

Is there a process in place to address and/or satisfy quality control or certification issues associated with the required resources?

NO

Management should identify where recovery resources may not comply with quality control standards (e.g., ISO 9000, ISO 17799) and develop procedures to ensure quality control measures meet organizational guidelines, and where this cannot be accomplished, seek alternate recovery resources.

Where applicable, are multiple sources for recovery resources documented and certified? NO

Management should identify where recovery resources may not comply with quality control standards (e.g., ISO 9000, ISO 17799) and develop procedures to ensure quality control measures meet organizational guidelines, and where this cannot be accomplished, seek alternate recovery resources.

Do the company’s resource requirements at time of disaster serve as the foundation for the extra expense insurance program? NO

A business impact analysis should be used as the foundation for an estimate of recovery resources (fulfillment). Management should leverage this information in its loss estimates for insurance coverage.

3. STRATEGY SELECTION

BUSINESS PROCESS RECOVERY

Is a business recovery strategy selected for each business process?

NO

Management should identify and document alternate facilities for the recovery of critical business systems (e.g., hardware, applications, and telecommunications).

Is the strategy based on a recent (within 12 months) business impact analysis?

NO

Management should re-perform a BIA to ensure that the recovery strategy meets current recovery needs.


Have at least two strategies been evaluated for cost and benefit for each business process? NO

Every organizational unit must be prepared to relocate critical business functions to an alternate site and resume operations. Efforts should be focused on selecting an internal, cost-effective recovery solution. In the event that external vendor solutions need to be considered, the business unit must prepare and submit a cost-benefit analysis to its business unit management and senior management. Alternate site agreements, whether internal or external, must be included in the plan document.

Did the selection process include consideration of internal recovery strategies?

NO

Where feasible, an internal solution for recovery should be examined. The ability to leverage existing real estate greatly reduces the cost of recovery in some situations. Management should review their ability to recover internally. It may be possible to distribute the workload of one site across other sites in the event of a disaster. Work with the appropriate infrastructure providers to identify if the organization has any such sites and whether these sites are suitable based on the following considerations: 1. System compatibility (voice, data, access, etc.); 2. Sufficient capacity to handle the additional processing; 3. Availability of staff to handle the increased processing load or whether staff can be temporarily transferred to the alternate site; and 4. The ability for critical business functions to be distributed among multiple sites or whether they must be performed at a single site.

Does the strategy include minimum personnel as has been determined for each phase of recovery?

NO

Redundant headcount, the ability to relocate in the time required, and the ability to obtain local resources may inhibit recovery needs. Management should ensure that the strategy chosen could meet the minimum resources required.

Does the strategy include minimum information technology resources as has been determined for each phase of recovery?

NO

Information technology cannot always be made available at an alternate site due to timing, expense, and feasibility. Management should ensure that the strategy chosen has the requisite recovery resources.

Does the strategy include minimum facility/floor space requirements as has been determined for each phase of recovery?

NO

The BIA will drive the work space requirements of the organization. Management should ensure that the strategy chosen has the requisite recovery resources.

Does the strategy include minimum specialty equipment as has been determined for each phase of recovery?

NO

Specialty equipment cannot always be made available at an alternate site due to timing, expense, and feasibility. Management should ensure that the strategy chosen has the requisite recovery resources.

Did the strategy selection process include issues involving existing suppliers?

NO

Management should identify where the supply chain could affect the recovery efforts.

4. PLAN DOCUMENTATION

PLAN FORMAT

Is the BCP in a logical format that allows all necessary users to access and utilize the plan?

NO

The organization should identify the plan scope and objectives during the project initiation phase. The scope of the plan should be explicit; specify the function(s), department(s), unit, business group, and locations that the plan is directed at protecting.


At a minimum, the objectives of a business continuation plan should be:
• To establish guidelines and standards to protect associates;
• To increase awareness and expose associates to emergency operations responsibilities;
• To ensure the continuation of business operations;
• To provide Company Name organizational units and subsidiaries with a tested vehicle which, when executed, will permit an efficient, timely resumption of the interrupted business operations;
• To establish alternative means of business operation (including interim and manual processing strategies) to minimize the impacts of a disruption to the Enterprise;
• To provide for the timely and orderly restoration of business functions;
• To protect corporate assets through reasonable and cost-effective measures (data, information, fixed assets, cash flow, etc.);
• To fulfill all critical legal and regulatory obligations and commitments;
• To mitigate deterioration in client and investor services and relations;
• To protect long-term market share; and
• To minimize the impact to Company Name’s public and industry image.
In addition, plans must disclose any limitations of the plan, including limitations due to scope or assumptions.

Is the BCP format consistent with the organization’s documentation procedures?

NO

Business continuation plans should be completed utilizing enterprise-approved and licensed software tools; it is strongly recommended that business units use Enterprise BC planning tools where applicable. In addition, Business Continuation Plans should incorporate the following formatting conventions:
• Detailed table of contents;
• Version control representing “last update”;
• Plan version number;
• Page numbers; and
• Section tabs.

Are the definitions and terms utilized in the BCP consistent across all departments, business units, divisions, etc.?

NO

The nomenclature that is utilized in the plan should be universal across the organization to avoid confusion. Management should develop a common glossary or list of acronyms that can be used to facilitate this process.

PLAN ACCESS

Is the most recent copy of the BCP located off-site?

NO

Management should ensure that a copy of the BCP is stored off-site, and can be accessed for reference purposes. Where feasible, the copy should be stored at the alternate recovery site.

Is the off-site storage location for the BCP exposed to the same perils as the plan site (e.g. flood, earthquake, tornado, etc.)?

NO

Management should ensure that a copy of the BCP is stored off-site, and can be accessed for reference purposes. The copy should be stored in a facility that is not exposed to the same risk that the original is exposed to. A complete copy of the plan (hard copy and electronic) should be located off-site (i.e., at home or at a storage facility) to guarantee its availability for use during an emergency.

Is the BCP accessible electronically? NO

Management should consider burning a copy of the plan on a CD or other form of media that can allow for back-up without risk of deletion (CD-R: no re-write allowed). A complete copy of the plan (hard copy and electronic) should be located off-site (i.e., at home or at a storage facility) to guarantee its availability for use during an emergency.

Is the BCP accessible by all necessary recovery stakeholders?

NO

The BCP contains sensitive organizational information. Management should identify the appropriate stakeholders and control access to the BCP.

Is the appropriate level of information available and accessible to the various recovery stakeholders? NO

Management should identify the appropriate stakeholders and control access to the BCP. The information in a business continuity plan is highly sensitive and should only be distributed to those who need to be involved in the recovery. The BCP Coordinator should maintain a list of all employees who have copies of the plan and ensure that all recipients have a current version.

PLAN CONTENT Has the organization

developed a business continuity plan for its critical business processes?

NO

Management should develop a BCP across its organization. The BCP should encompass all its critical business processes. The first step in determining what processes are critical is to perform a Business Impact Analysis.

Does the plan include alternates for each team position?

NO

Business units must determine the staffing (primary and alternates) and specific responsibilities and tasks of all teams and team members involved in all phases (emergency response, recovery, and restoration) of resumption from a business disruption.

Does the plan include key supplier representatives and contacts (and alternate suppliers)?

NO

Business units relying on third party vendors for critical products or services should verify that the vendor has business continuation plans in place that meet the unit’s service expectations and requirements. The third party should have a documented and tested plan addressing the recovery and resumption of operations in the event of a business disruption. The plan should be available for review by the business unit and Internal Audit and these Company Name units should be allowed to participate in testing if they so request.

Does the plan include up-to-date contact numbers and addresses for team members (and alternates), vendors, suppliers, and emergency support personnel?

NO

Contact numbers (internal call trees, external vendors) are often out of date or maintained by individuals throughout an organization. This leads to either an incomplete listing or a lack of a backed-up copy of the list. Where feasible, management should compile a list of key contact numbers and store them off-site. Organization charts should include personnel names and titles. As with all documents that are subject to frequent revision, organization charts should note when the document was last updated.

Does the organization have documented team notification procedures?

NO

Disaster declaration, evacuation, damage assessment, emergency response, and off-site storage and retrieval procedures must be documented in the plan; all procedures must provide sufficient detail. Business units must identify specific prioritized activities for the recovery of all critical business functions. Communications play a vital role in the recovery effort. Sequence of notification should be organized in a call chain structure.

Does the organization have documented vendor notification procedures?

NO

Management should ensure that there are clear policies and procedures for notifying key supply chain partners of key information in crisis situations.

Has the organization documented individual responsibilities and procedures for all time sensitive business processes?

NO

Documented policies and procedures ensure that, in the event that primary recovery personnel are not available to carry out recovery efforts, others can do so in their place. Additionally, documented policies and procedures allow training and awareness to be increased across the organization. Management should document individual responsibilities in the BCP.

Does the BCP include the BCP Organization & Structure?

NO

A documented command and control structure allows for clear and concise implementation of recovery efforts. Management should document at a minimum:

• The BCP Coordinator

• The Crisis Management Team

• The Damage Assessment Team

• Business Unit Recovery Team Members

• The Technology Recovery Team

Is the methodology for BCP development, including the BIA process, documented within the plan (Standards, Guidelines, Policies and Procedures)?

NO

Without governing standards or formal policies and procedures guiding plan development, the organization may be exposed to an increased risk of not having complete plans developed across all its businesses. Management should consider enhancing its policies and procedures to include these key components: Business Impact Analysis, Plan Development, Documentation, Incident Management, Strategy Selection, Maintenance, Awareness and Training, and Testing.

Is the escalation sequence (i.e. incident management process) adequately documented and explained within the BCP?

NO

Management should document the process that the organization will utilize to rapidly recognize and escalate incidents affecting the systems and/or the facility. The objective of this process is to ensure that a problem is quickly recognized and managed using a set of procedures to ensure command and control during a disruption to its operation, so that the impact of an incident does not spread to other parts of the organization. It is important to note that not all incidents are considered disasters. Problems that can be detected and repaired within the Recovery Time Objectives (RTOs) established by the business units are not considered disasters. A disaster is any potential situation that causes a cessation of normal business functions for an unacceptable period of time; i.e., exceeds the RTOs and requires the implementation of special procedures by the Business Recovery Teams.

Are primary and alternate assembly and Emergency Operations Center (EOC) locations identified and documented in the plan?

NO

Identify and document appropriate locations for assembly of personnel at the time of a disaster and an Emergency Operations Center (EOC) from which the EMT will operate. All personnel should be aware of the immediate steps to be taken in the event of a disaster. The first task is to ensure that all personnel are accounted for and that everyone is aware of the actions to be taken in initiating the recovery process at a common location. An assembly location should be established where all staff could meet if a disaster occurs. When selecting an assembly location, business units should consider the following:

• An assembly location should be within walking distance of the original facility but far enough away to ensure employees are not in further danger. It should be large enough to shelter all employees;

• Receiving permission for assembly locations that are not on Company Name leased or owned properties (i.e., a hotel lobby or adjacent third party parking lot);

• Outdoor assembly locations should always have an alternate location as bad weather can make an outdoor assembly site unusable or unsafe; and

• An assembly location should have access to telephones.

Are the RTOs documented and explained for all critical processes?

NO

Based on the information provided as part of the BIA (and as a basis for subsequent contingency resource planning requirements), each organizational unit must assign a criticality rating. The criticality rating, known as the recovery time objective (RTO), identifies the time frame by which critical business functions must be recovered (e.g., the amount of time a business unit can survive without performing the critical business function). If the recovery time objective is dependent upon the time of the month or year (peak processing periods), base your interval on the most vulnerable time a business interruption may occur.

Are manual workarounds documented in the BCP?

NO

Plans must include interim and manual processing strategies where those procedures currently exist or where they may prove useful or necessary to ensure the continuation of critical business operations.

Did the business process owners document their own manual workarounds/alternate processes?

NO

Business units, in developing solutions to meet their recovery time objectives, may be able to implement interim and/or manual processing strategies. Those solutions, if available, must be documented in the plan. Interim processing strategies relate to temporary solutions that a business unit may be able to implement from the time of disruption to the time that a critical function’s applications can be recovered. For example, a call center may be able to reroute calls from the affected site to a call center with excess capacity for a period of three days. In some cases, interim business unit procedures may include using a desktop application (e.g., Microsoft Excel®) to input transaction data that can be transferred or uploaded to the original application when that application becomes available. Business units must be creative in developing interim processing solutions for application failures. Plans should document the interim solution, duration, and all required procedures for implementing the solution. Manual processing strategies relate to recovery procedures that do not rely on the computerized application(s) associated with a critical function. Using manual workarounds, critical functions or portions of a critical function can continue to be processed. For example, a life insurance sales agent could revert to using manual forms to capture client information; the information collected could then be entered (input) into a desktop application (the interim processing strategy) and later be uploaded to the recovered application. Manual procedures should be developed and/or documented in business unit plans.

Is the primary/alternate recovery site documented in the BCP?

NO

Every organizational unit must be prepared to relocate critical business functions to an alternate site and resume operations. This site should be documented in the plan with appropriate relocation directions.

Are directions to the recovery sites documented in the BCP?

NO

Every organizational unit must be prepared to relocate critical business functions to an alternate site and resume operations. This site should be documented in the plan with appropriate relocation directions.

Are clear reporting instructions documented in the BCP?

NO

Management should ensure that the crisis management model represents the response mechanism that will ensure that management is efficient in dealing with disaster incidents through a set of procedures that provides for command and control during a disruption to its operation. The model should allow for rapid recognition of severe problems and an ability to escalate them in a controlled and appropriate manner.

Are data restoration procedures documented in the BCP?

NO

In a disaster, data may be lost due to data back-up procedures and systems downtime. Management should ensure that all business units have documented in their plans how they will re-enter transactions/entries/orders into the systems that may have been lost (not backed up) without adverse effects to the organization.

Did the business process owners document their own data restore procedures?

NO

Each business process is unique, and therefore to ensure that a data restoration process is complete, it is important that the user community that is responsible for implementing the data restoration process be involved in the creation of the procedures.

Are the testing/exercising objectives/criteria documented within the BCP?

NO

Management should document the objectives of the plan testing. Some objectives could be to:

1. Determine the state of readiness of the AIGFP recovery organization to respond to and recover from a disruption to business, operations and systems at the facility;

2. Determine whether the required resources (identified through the business impact analysis in chapter 4) for recovery are available at recovery locations;

3. Determine whether the Business Continuity Plan (BCP) has been properly maintained to reflect changes in the business and technology;

4. Manage the expectations of the business units as to what they can expect in the event of an actual incident;

5. Instill a sense of calm and confidence by showing that there is a demonstrable state-of-readiness for a potential disruption of services; and

6. Demonstrate compliance with applicable regulatory requirements.

Is the testing/exercising schedule documented and explained?

NO

Business Continuity Plan test frequencies should be derived from the business unit’s critical business function recovery time objectives. Business units must perform a full integrated test (simulated recovery of all critical business functions within a particular unit) every twelve (12) months. It is the business unit’s responsibility to schedule with the necessary internal and external service providers and implement testing.

Are pre-test checklists and associated procedures documented in the BCP?

NO

Advance preparation for testing is a key component of a successful test program. A Test Preparation Checklist and Worksheet should be used to detail the proper steps that should be taken for advance planning of plan testing. The worksheet should identify the scope, objectives, assumptions, scenario, test date and post mortem date.

Are post-test checklists and associated procedures documented in the BCP?

NO

Execution and review of test results are some of the key components of a successful test program. After completion of the tests, all test participants should complete a Post Test Evaluation Questionnaire.

Are plan maintenance schedules documented in the BCP?

NO

Plan information that is subject to change must be reviewed and updated on a semi-annual basis and whenever there is a material change to a business unit’s critical functions; the following actions should be performed as part of the update process:

1. Update critical functions and associated recovery time objectives where appropriate;

2. Confirm that assembly locations, alternate sites, and emergency operations centers are current and available;

3. Review and update contact lists (employees, vendors, clients, etc.) and emergency phone numbers;

4. Maintain team rosters and information;

5. Update AIGFP business unit organization charts;

6. Review vital record and other off-site storage arrangements; and

7. Review all recovery procedures and update as necessary.

PLAN REFERENCES & INTEGRATION

Are appropriate references to all related plans included in the BCP?

NO

BCP plans include evacuation, relocation, manual workarounds, data restoration, IT, etc… Management should ensure that all plan components are included and leveraged for a successful recovery.

Does the BCP properly document and integrate all the company plans, procedures and related disciplines?

NO

BCP plans include evacuation, relocation, manual workarounds, data restoration, IT, etc… Management should ensure that all plan components are documented and appropriately referenced and leveraged for a successful recovery.

Is the process for coordinating with outside agencies (e.g. fire department, local government agencies, etc.) documented and explained?

NO

Management should ensure that their plan documents all the potential local agencies (fire, police, and emergency response organizations) in the area so that crisis management roles and responsibilities are coordinated in cases of emergency.

Are all necessary third parties (vendors, suppliers, customers, etc.) involved in the recovery strategies identified and documented with appropriate contact information provided?

NO

Management should make advance preparations with recovery resource providers and vendors to ensure recovery resource needs can be obtained in an efficient manner. Where possible, management should test with these parties to ensure abilities meet needs.

5. AWARENESS & TESTING

AWARENESS PROGRAMS

Do you have a documented BCP awareness and training program?

NO

Procedures must be established for informing and keeping staff current on BCP and individual responsibilities. Plan content and implementation must be fully understood by all staff.

Do the business unit managers provide employee awareness of their roles in the BCP?

NO

Business Recovery Teams should be responsible for training staff and promoting and maintaining BCP awareness within their organizations; procedures must be developed to meet unit BCP training objectives. Employees need to understand their roles as members of the BCP community. Business Recovery Teams can increase staff awareness by conducting informative sessions presenting the objectives, importance and outline of the BCP. Memos, bulletins, staff meetings, testing, and formal training programs may all be used as means for reinforcing BCP information. Business units may also choose to distribute wallet cards and/or tri-folds containing key information as a tool for increasing staff awareness. Procedures should be developed for training all personnel in emergency response and notification procedures. Training in evacuation and the use of disaster prevention measures should be conducted. This should include notifying the proper emergency services and the BCP Coordinator or alternate contacts and moving to the assembly location.

TEST CRITERIA & OBJECTIVES

Are there formal BCP test criteria for all departments, business units, divisions, etc.?

NO

Business continuation plan test exercises must be conducted to demonstrate the ability of the business unit to recover its critical business functions within specified recovery time objectives. All business units must develop a reasonable test strategy and schedule.

Do the test formats satisfy industry standards and best practices?

NO

Business units should develop an appropriate test strategy and provide detailed test schedules that identify test levels, test types (for component testing), test objectives, and scheduled test dates. Use the EBCO approved planning tool to document these requirements. Three distinct test levels have been identified to help validate a plan’s accuracy and effectiveness: the structured walk-through, component testing and integrated simulations (full operations tests). The testing frequency for each test level is determined by the critical business function’s recovery time objective. Following are short descriptions for each of the three basic test levels:

1. Structured Walk-Through

Also referred to as a “table-top” exercise, the structured walk-through is a paper evaluation of a business continuation plan designed to expose errors or omissions without incurring the level of planning and expenses associated with performing a full operations test. The structured walk-through is, in effect, a role-play of a “disaster” scenario that takes place within the confines and safety of a conference room.

2. Component Testing

Component tests are actual physical exercises designed to assess the readiness and effectiveness of discrete plan elements and recovery activities. The isolation of key recovery activities allows team members to focus their efforts while limiting testing expense and resources. This methodology is effective for identifying and resolving issues that may adversely affect the successful completion of a full operations test. Component tests include:

• Evacuation tests

• Emergency notification test (call tree tests)

• Application recovery test

• Remote or Dial-in access test

• Critical business function recovery test

3. Integrated Simulation/Full Operations Test

The full operations test requires extensive planning and preparation and should not be performed until most, if not all, of the plan components have been tested. This test requires the simulated recovery of critical business functions across a business unit - it is the closest exercise to an actual disaster. Although a full operations test requires weeks of planning and considerable coordination of personnel and resources, the exercise provides a business unit with a level of confidence about their ability to recover in an actual event.

Is the scope of the test defined and documented (i.e. what portions of the plan will be included in the test) in advance of testing?

NO

Advance preparation for testing is a key component of a successful test program. A Test Preparation Checklist and Worksheet should be used to detail the proper steps that should be taken for advance planning of plan testing. The worksheet should identify the scope, objectives, assumptions, scenario, test date and post mortem date.

Are test objectives clearly defined and documented prior to each test?

NO

Advance preparation for testing is a key component of a successful test program. A Test Preparation Checklist and Worksheet should be used to detail the proper steps that should be taken for advance planning of plan testing. The worksheet should identify the scope, objectives, assumptions, scenario, test date and post mortem date.

Are all test assumptions adequately defined and aligned with the test objectives?

NO

Advance preparation for testing is a key component of a successful test program. A Test Preparation Checklist and Worksheet should be used to detail the proper steps that should be taken for advance planning of plan testing. The worksheet should identify the scope, objectives, assumptions, scenario, test date and post mortem date.

Have you tested all plan components in the last 12 months?

NO

Organizations that do not test all aspects of their plans have been shown to be drastically hampered in their ability to recover from a disaster. Management should ensure that all aspects of their plans are tested regularly. User involvement in the testing process would greatly enhance the effectiveness of testing.

Are users involved in testing?

NO

Organizations that do not involve users in testing have shown that the testing performed is too technically centered, with little benefit to the actual end user. User involvement in the testing process would greatly enhance the effectiveness of testing.

Has your testing included key supply chain vendors?

NO

Organizations have many supply chain dependencies. Key vendors and service providers may present a single point of failure in your delivery mechanism. Include vendor dependencies in your testing.

Does an independent observer monitor the tests?

NO

An independent observer (not involved in the test preparation) should have the responsibility of monitoring the testing to ensure quality control standards are met, and additionally provide for an objective viewpoint on how to improve testing going forward.

TEST SCRIPTS

Do you utilize test scripts for your tests?

NO

Test scripts provide an auditable and repeatable method of testing. Additionally, the test script can be used as a method to train employees on the BCP. Test scripts should be used on all tests.

Do the test scripts require proof of test success/failure?

NO

Proof of test success or failure is critical to ensuring that your plan can withstand an audit. Logs, screen prints, output files, etc. can all be used as proof of testing. Management should require that all testing have documented proof of testing and results.

Do the test scripts compare actual to expected results?

NO

Gaps in the recovery plan are best identified through extensive testing. Comparison of actual to expected test results often leads to plan enhancements and an end-to-end solution that meets recovery needs. Management should ensure that all testing compares actual to expected test results.

Is there a consistent team of internal and third party personnel responsible for developing test scripts?

NO

A dedicated testing group can provide for a more efficient testing process, and help in the identification of testing interdependencies. A testing team should be identified, and their associated roles and responsibilities documented.

Is there a process to facilitate review and critique of all test scripts by a qualified BCP practitioner prior to conducting the test?

NO

After completion of the tests, all test participants should complete a post test evaluation questionnaire including questions such as:

• Was the test objective and scenario clear?

• What could have made the test run more smoothly?

• Were any procedures/documents missing during the test (i.e., not stored off-site or not completely documented)? If so, what was missing?

• Did you notice any single points of failure in the recovery process that were not previously identified? If so, what were they?

• Were there any prevention or mitigation measures that would lessen the effort needed to recover? If so, what were they?

• Did you make any assumptions that were not clearly made prior to the test? What were they? Did they change the outcome of the test?

• Were the appropriate people included in the Recovery Team? If not, who should/should not be part of the Recovery Team?

• Did you learn any lessons during this test? What were they?

TEST EXECUTION & FOLLOW-UP

Have plan component tests been conducted for all appropriate business units and/or departments?

NO

Component Testing is an off-hours exercise to test a particular segment of the recovery plan. It serves to verify the correctness of operating procedures, hardware components and the ability to restore a business unit’s critical functions. An example of this test is a limited systems restoration and a connectivity test at the recovery site. It may include exercising the effectiveness of the call tree by placing actual phone calls to ensure that awareness exists among recovery teams and that the call trees reflect current staffing and their respective contact information. It may also involve testing evacuation and relocation procedures, with personnel evacuating the facility and reporting to the Emergency Operations Center and personnel relocating to their respective recovery locations. It is important to note that while personnel might relocate to the recovery site, this type of testing will not include processing transactions or key activities.

Is there a procedure/tool to log problems/issues during the test?

NO

Problems identify weaknesses in plan components. Problem tracking and resolution can lead to altering test objectives going forward and ultimately refining the BCP. A problem tracking process should be established.

Is there a designated team responsible for analyzing and interpreting the test results?

NO

Test results must be evaluated and documented subsequent to test completion. The business unit should assess the results against predefined test objectives and communicate the evaluation to the business unit executives; unsuccessful tests must be rescheduled. The Business Continuation Plan must be revised in view of the test results.

Does the follow-up team have a formal process to evaluate the test results?

NO

To determine a test’s success, test results should be compared with predefined test objectives. Failure to meet test objectives will require a reschedule of the test. Test results that should be measured include elapsed time to perform specific activities, accuracy of documentation for each activity, and amount of work completed. It is worthwhile to distribute evaluation forms to test participants and observers immediately following a test to solicit feedback on their impression of the recovery procedures. Evaluations are also effective for promoting a sense of ownership among those involved.

Is there an evaluation form to facilitate the analysis of the test?

NO

After completion of the tests, all test participants should complete a post test evaluation questionnaire including questions such as:

• Was the test objective and scenario clear?

• What could have made the test run more smoothly?

• Were any procedures/documents missing during the test (i.e., not stored off-site or not completely documented)? If so, what was missing?

• Did you notice any single points of failure in the recovery process that were not previously identified? If so, what were they?

• Were there any prevention or mitigation measures that would lessen the effort needed to recover? If so, what were they?

• Did you make any assumptions that were not clearly made prior to the test? What were they? Did they change the outcome of the test?

• Were the appropriate people included in the Recovery Team? If not, who should/should not be part of the Recovery Team?

• Did you learn any lessons during this test? What were they?

Is a formal report summarizing the results of the test prepared? NO

A post-mortem session should be conducted after all tests. Involve test participants in a group discussion session to provide feedback on the efficiency of plan procedures. The group discussion and related documentation of test results should occur in a timely manner (i.e., usually within one week following test exercises). The BCP Coordinator, in conjunction with necessary business unit management, will review test results, identify specific action items, assign resolution assignments and related target dates for completion, coordinate appropriate changes to the plan, and reschedule tests if necessary. BCP test documentation and results should be communicated to business unit management in order to keep management apprised of the unit’s state of preparedness. Copies of test results should be part of the plan document.

6. MAINTENANCE

PLAN MAINTENANCE

Are the maintenance roles and responsibilities clearly defined and documented? NO

The Business Continuity Plan (BCP) has been designed to be a living document. To ensure that it remains current, it must be reviewed on a routine basis and revised to reflect changes within the organizational environment. Certain unscheduled business and/or non-business-related events can affect the BCP. For example, system developments or a change in a critical application from one platform to another would require a review and revision of the recovery and testing strategies, and possibly the IT Vendor Contact lists. Formally documented maintenance policies and procedures that identify triggers for plan maintenance should be put in place.


Is there a method to ensure all BCP maintenance is approved? NO

Management should ensure that the BCP is integrated into the organization’s change management process. Additionally, management should ensure that all trigger events are documented to allow for regular maintenance activities. A list of event triggers includes but is not limited to:

• Regulatory requirements;

• New products;

• Business acquisitions;

• New hardware, platforms, applications, or other technology change;

• Vendor bankruptcy;

• Facility move;

• Personnel changes or relocations;

• Transfer of functions;

• Consolidation or outsourcing of work functions;

• Change in critical third party vendor/suppliers;

• Changes in telecommunications (voice or data);

• Structure/equipment; and

• Results of BCP testing.

Are there automatic triggers to ensure that the core plan elements remain current? NO

The business continuation plan must be reviewed quarterly to ensure that all required updates have been performed. Document control procedures should be implemented in order to protect the integrity of the plan.


Plan information that is subject to change must be reviewed and updated on a quarterly basis and whenever there is a material change to a business unit’s critical functions; the following actions should be performed as part of the update process:

• Update critical functions and associated recovery time objectives where appropriate;

• Confirm that assembly locations, alternate sites, and emergency operations centers are current and available;

• Review and update contact lists (employees, vendors, clients, etc.) and emergency phone numbers;

• Maintain team rosters and information;

• Update business unit organization charts;

• Review vital record and other off-site storage arrangements; and

• Review all recovery procedures and update as necessary.

A list of event triggers includes but is not limited to:

• Regulatory requirements;

• New products;

• Business acquisitions;

• New hardware, platforms, applications, or other technology change;

• Vendor bankruptcy;

• Facility move;

• Personnel changes or relocations;

• Transfer of functions between existing sites (London, Paris, Tokyo);

• Consolidation or outsourcing of work functions;

• Change in critical third party vendor/suppliers;

• Changes in telecommunications (voice or data);

• Structure/equipment; and

• Results of BCP testing.

DOCUMENT CONTROL

Documentation produced during a BCP project that forms part of a final deliverable must be maintained throughout the life of the plan. To ensure that all plan recipients are provided with complete, accurate, and current copies of the business continuation plan, plans should adhere to the following document control procedures:

• Version Numbering

• Revision History

• Page Numbering

• Document Distribution

Document Distribution

The information in a business continuation plan is highly sensitive and should only be distributed to those who need to be involved in the recovery. The BC Planner should maintain a list of all employees who have copies of the plan and ensure that all recipients have a current version. In addition, Planners are responsible for retrieving plan copies from employees who leave the business unit. The distribution list should be incorporated as part of the document. When new versions are issued, old versions should be destroyed. A distribution list should include the employee’s name, plan version number, date issued, and date returned (when applicable).

Is there a formally documented plan maintenance schedule? NO

The business continuation plan must be reviewed periodically to ensure that all required updates have been performed. Document control procedures should be implemented in order to protect the integrity of the plan. Plan information that is subject to change must be reviewed and updated on a quarterly basis and whenever there is a material change to a business unit’s critical functions; the following actions should be performed as part of the update process:

• Update critical functions and associated recovery time objectives where appropriate;

• Confirm that assembly locations, alternate sites, and emergency operations centers are current and available;

• Review and update contact lists (employees, vendors, clients, etc.) and emergency phone numbers;

• Maintain team rosters and information;

• Update business unit organization charts;

• Review vital record and other off-site storage arrangements; and

• Review all recovery procedures and update as necessary.

A list of event triggers includes but is not limited to:

• Regulatory requirements;

• New products;

• Business acquisitions;

• New hardware, platforms, applications, or other technology change;

• Vendor bankruptcy;

• Facility move;

• Personnel changes or relocations;

• Transfer of duties;

• Consolidation or outsourcing of work functions;

• Change in critical third party vendor/suppliers;

• Changes in telecommunications (voice or data);

• Structure/equipment; and

• Results of BCP testing.

Is the responsibility for plan maintenance clearly defined at all levels of the organization? NO

The organization should define in its policies and procedures the event triggers for maintenance, to ensure that all changes affecting the operation of critical business processes are communicated and/or adequate notice is given to the appropriate individual(s) responsible for BCP maintenance.

Is there an independent audit process to help ensure all plan elements are updated according to the established maintenance schedule? NO

An independent review process ensures that the plans meet the corporate objectives. Shifts in corporate priorities may not be present in current recovery efforts. Periodic reviews by an independent internal or external organization (not involved in the planning process) ensure the plans meet all external (Regulatory) and internal (Corporate, business, etc…) requirements.


Is there an accountability process for third-party vendors and related BCP stakeholders outside the company? NO

Business units should verify that critical third party vendors meet specific business continuation planning requirements. Business continuation considerations should be addressed during contract negotiations. Alternate vendors should be identified whenever possible. Business units relying on third party vendors for critical products or services should verify that the vendor has business continuation plans in place that meet the unit’s service expectations and requirements. The third party should have a documented and tested plan addressing the recovery and resumption of operations in the event of a business disruption. The plan should be available for review by the business unit and Internal Audit, and these Company Name units should be allowed to participate in testing if they so request. Business units should clearly communicate their recovery time objectives for all functions that require support from a third party vendor. In addition, the business unit should provide third party vendors with an overview of their recovery strategy including alternate site location, contact names and numbers, and any additional special services that may be required during recovery. The vendors should be included in the testing of business unit plans.

SENIOR MANAGEMENT REVIEW

Is there a formal review process involving senior management? NO

Senior management commitment is essential to the success of the BCP program. The lack of senior management involvement may increase the risk that:

• plans will not sufficiently limit financial loss; and

• plans may not be developed and implemented appropriately.

Management should consider representation on the BCP steering committee. Additionally, management should receive periodic reports from the BCP Steering Committee on the state of readiness.


Are the BCP program objectives reviewed and revised on a regularly scheduled basis? NO

An inadequate review process can result in plans not meeting corporate objectives. Shifts in corporate priorities may not be present in current recovery efforts. Periodic reviews by an independent internal or external organization (not involved in the planning process) ensure the plans meet all external (Regulatory) and internal (Corporate, business, etc…) requirements.

Does senior management provide feedback to the recovery stakeholders following the regularly scheduled review? NO

Management should consider including BCP as an agenda item on a senior-level committee (e.g., the Audit Committee) that reports to the Board on BCP readiness, for the purpose of review and discussion.