Business Continuity Toolkit
Plan Development – Guidance
Version 1.4 – November 2010

Acknowledgement
• The University of Exeter’s Business Continuity Toolkit has been developed in collaboration with Back2business Ltd.
• We are grateful to Mark Nicholas (Commercial Director, Stem Group) for sharing his expertise and providing the framework for these toolkit resources.

Contents
1 Introduction & Context
2 Business Continuity Planning
3 Plan Template
4 Recovery Priorities & Requirements
5 BC Strategies

1 Introduction & Context
• This slide deck is intended to accompany the Business Continuity Plan for additional guidance purposes, in order to assist with the development of departmental plans.
• It also references the ‘Risk, BIA & Strategy’ spreadsheet which, once completed, should provide sufficient levels of detail to populate the relevant plan areas.

1 The Business Continuity Process
• Risk & BIA Framework
  – Agree timeframes, metrics (RTO, RPO), define critical functions
• Discuss & explore potential strategies and solutions
  – IT
  – Office & Admin Functions
• Framework for Incident Response and Continuity Plans
• Other
  – Review provided data – e.g. IT DR Statement

1 Introduction & Context (3)
• Where we are now
• What we need you to do
  – Complete Risk, BIA & Strategy information to cover gaps in the plans
  – Provide Recovery Timeframes (RTO)
  – Provide recovery profile for people over time
  – Identify Applications & Systems

2 BC Planning is defined as…
• Business Continuity Planning is the process of advanced planning and preparation to protect against potential loss by formulating and implementing viable strategies and to document them in the form of a plan.
• A BC plan is a documented collection of resources, procedures, tasks, strategy and information that is developed, compiled and maintained in readiness for use following an incident, or crisis situation.
• Remember, this is a living document!

2 Where does my Business Continuity Plan fit in?
Structure, Roles and Responsibilities (An example)
[Figure: organisation chart in three tiers. Strategic / Gold: Incident Response Plan. Tactical / Silver: Business Continuity Plans. Operational / Bronze: Operational/Business As Usual Processes. The chart places role and department boxes (Incident Response Team Leader, directors, and functions such as Library, Security, Registry and Accommodation) within these tiers.]
See slide notes for more information

3 Business Continuity Plan – Roles
• BC Team Leader/Plan Owner
• Deputies, possibly 1 or 2 depending on number of functions/activities
• BC Team Members
• There is no need to include all recovered staff in the team plan, just those involved in the recovery activities

3 Business Continuity Plan – Template Guidance
• Text within template which is currently in Italics will need to be
  – Replaced with your own information
  – Or deleted, as it is for guidance purposes only
• Plans need to exist for the most appropriate business critical activities
  – Guideline should be from ‘Immediate’ to 5/8 days. Anything beyond this will be a judgement call on whether strategies or recovery procedures are required by you
  – Simplify or combine Activities or Processes where appropriate (there is no need to list every process/activity as per the BIA feedback – be sensible, as this plan needs to be meaningful and usable!)
  – Collaborate and collude with other depts & functions where necessary, e.g. where a process crosses several functions

4 Business Continuity Plan – Recovery Priorities & Requirements
• Section 3 of the Plan Template.
List Business Critical Activities for function/dept – here you should reference the ‘Risk, BIA & Strategy’ spreadsheet, where you should find completed:
  – RTOs & RPO for Colleges’ / Departments’ critical functions & activities
  – Application and Systems for each critical activity
• (Delete Italic directions in plan once finished)
• Note: any resources, procedures or strategies which are put forward by plan owners will be considered by Insurance & Business Continuity Services to ensure that there are no grey areas or overlaps.

5 Business Continuity Plan – Strategy Development
• From ‘Do Nothing’ to ‘Do Everything’
• Which Strategies are cost effective?
  – Will require time to implement, cost more or a lot, easy wins
  – Consider the sliding scale from localised problems to Worst Case Scenario (e.g. Denial of Access to Campus/College/Building)
• Consider staff, IT (applications & data), lecture resources, facilities, specialised equipment
• For more strategy options – please refer to next slide

5 Business Continuity Plan – Recovery Strategies
• What Strategies could you employ for people?
  – Working from home?
  – Working from 3rd party? (supplier, partner, specialist provider)
• What Strategies could you employ for IT?
  – Broadband, Dongle, telephony, VPN, Laptop
  – Backup/replicated systems, remote access, cold start up
• What Strategies could you employ for Processes/Activities?
  – Manual workarounds, paper based systems
  – Outsource, reciprocal agreements
• Consider running a strategy workshop to develop viable options

Populate Section 4 of the Plan with these options and those derived in the Risk, BIA & Strategy options spreadsheet.
See Crisis Definition table overleaf

5 Business Continuity Plan – Recovery Strategies
• As defined for Incident Declaration purposes.
• Consider if your plan would address the relevant scenarios for Levels 2 & 3
• Challenge any assumptions

Next Steps
• Start the BIA
• Come to the clinics in December and January for support
• Complete your plans
• Carry out an exercise (this can be fun!)
• Review content
  – Strategies, requirements and resources
  – Feasibility
  – ‘Fitness for Purpose’

For further guidance and support, please email or call:
Sue Dummett
buscont@ex.ac.uk
01392 72 5768