FOR OFFICIAL USE ONLY
AMSC Sector Delaware Bay Business Continuity Planning Template

Sector Delaware Bay Business Continuity Planning Template
Developed by: Area Maritime Security Committee
Date of Issue and Status: 10/14/2009, INITIAL DRAFT

TABLE OF CONTENTS

A.1 OVERVIEW
  A.1.1 PURPOSE
  A.1.2 AUTHORITIES AND REFERENCES
  A.1.3 SCOPE
  A.1.4 ACCOUNTABILITY
A.2 BUSINESS CONTINUITY ASSESSMENT
  A.2.1 MISSION AND OBJECTIVES
  A.2.2 ESSENTIAL FUNCTIONS
  A.2.3 GENERAL PLANNING
  A.2.4 STRATEGIC PLANNING
  A.2.5 ASSUMPTIONS
  A.2.6 THREAT AND RISK ASSESSMENT
  A.2.7 BUSINESS IMPACT ANALYSIS (BIA)
A.3 CONCEPT OF OPERATIONS
  A.3.1 CRISIS MANAGEMENT ROLES AND RESPONSIBILITIES
  A.3.2 BCP PHASING
  A.3.3 IMPLEMENTATION
A.4 TRAINING AND EXERCISES
  A.4.1 COORDINATING INSTRUCTIONS
A.5 ADMINISTRATION AND LOGISTICS
  A.5.1 ADMINISTRATION
  A.5.2 LOGISTICS
A.6 COMMUNICATIONS
  A.6.1 PUBLIC RELATIONS
  A.6.2 EMERGENCY INFORMATION HOTLINE

TABLES

TABLE 1 ESSENTIAL FUNCTIONS
TABLE 2 RISK ASSESSMENT
TABLE 3 NOTIONAL BCP ORGANIZATION
TABLE 3 BCP ACTIVATION GUIDELINES
TABLE 4 BCP PHASING AND ACTIVITIES
TABLE 5 ICS COMPONENTS/FUNCTIONS ROLES AND RESPONSIBILITIES
TABLE M-1 ACTIVATION STEPS
TABLE M-2 INITIAL ASSESSMENT AND RECOVERY STRATEGY
TABLE M-3 PERFORM ACTIVATE AND NOTIFY
TABLE M-4 RESUMPTION AND RECOVERY CHECKLIST
TABLE M-5 DOCUMENTATION/RECORD KEEPING
TABLE M-6 DEACTIVATION AND DEBRIEF

APPENDICES

APPENDIX A GLOSSARY
APPENDIX B CONTACT ROSTERS
APPENDIX C RISK ASSESSMENT
APPENDIX D FACILITIES
APPENDIX E ORDERS OF SUCCESSION AND DELEGATION OF AUTHORITY
APPENDIX F INFORMATION AND COMMUNICATIONS SYSTEMS
APPENDIX G VITAL RECORDS AND DATABASES
APPENDIX H TESTING, TRAINING AND EXERCISES
APPENDIX I MEMORANDUM OF UNDERSTANDING AND AGREEMENT
APPENDIX J BCP ASSESSMENT
APPENDIX K DISTRIBUTION AND MAINTENANCE
APPENDIX L FORMS
APPENDIX M ACTION STEPS

Record of Annual Review
Review Date

DOCUMENT REVISION HISTORY
Date Revision Description Approved By

BUSINESS CONTINUITY PLANNING TEMPLATE

A.1 OVERVIEW

Business Continuity Planning (BCP) is critical to
the viability of any organization in the event of a disaster, crisis or emergency that may directly or indirectly affect operational and business viability. The impact of recent hurricanes, tornados, wildfires, earthquakes, and numerous other disasters and events emphasizes the importance and urgency of strengthening BCP procedures. Organizations in Sector Delaware Bay are vulnerable to a variety of events and hazards that may threaten employees or their families, businesses and the environment, and challenge regional economic stability. The Small Business Association (SBA) reports 60 percent (%) of businesses and organizations impacted, directly or indirectly, by some form of disaster will ultimately fail. This template is intended to establish a pro-active framework for effective execution of critical operations and Essential Functions (EF) under emergency circumstances.

A.1.1 PURPOSE

The purpose of this BCP template is to serve as a guide to assist organizations in the development and maintenance of continuity plans and procedures. The objective of BCP is to assure the continuity of EFs and operations following a significant event. The severity of the situation may require organizations to transfer operations and EFs to an alternate facility, and subsequently, to recover and resume normal operations. Although general guidance and professional practices and standards are provided for reference [1][2][3], organizations are encouraged to tailor BCP to meet their own needs and requirements.

A.1.2 AUTHORITIES AND REFERENCES

- National Incident Management System (NIMS), December, 2008
- National Response Framework (NRF), March 22, 2008
- Federal Preparedness Circular 65, 15 June 2004
- FEMA Continuity of Operations (COOP) Programs
- FEMA Continuity of Operations (COOP) Multi-Year Strategy and Program Management Plan Template Guide
- National Fire Protection Association, NFPA 1600 Standard on Disaster/Emergency Management and Business Continuity Programs, 2007
- DRI Professional Practices For Business Continuity Practitioners
- ASIS International, A Practical Approach for Emergency Preparedness, Crisis Management, and Disaster Recovery

[1] DRI Professional Practices for Business Continuity Practitioners, https://www.drii.org/docs/profprac_details.pdf
[2] ASIS International, A Practical Approach for Emergency Preparedness, Crisis Management, and Disaster Recovery; http://www.uschamber.com/NR/rdonlyres/epg4tobesrsp3rv7ojrc42mhgbcoaqim7ru2flfat3rwoqa4ddvjo6yigmnvp3bbdk7ocqnlydm6k5s4yu65nqqjq4g/guidelinesbc.pdf
[3] NFPA 1600 Standard on Disaster/Emergency Management and Business Continuity Programs, 2007 http://www.nfpa.org/assets/files/PDF/NFPA1600.pdf

A.1.3 SCOPE

This planning template is applicable to Sector Delaware Bay business activities and can be customized for organizations regardless of type or size. Planning should focus on coordination and control activities necessary to: (1) build business resilience; (2) respond to a disaster that impacts the organization; (3) maintain essential functions; and (4) recover from that disaster.

A.1.4 ACCOUNTABILITY

It is essential that senior leadership of the organization endorses and takes responsibility for creating, maintaining, testing, and implementing a comprehensive business continuity program.

A.2 BUSINESS CONTINUITY ASSESSMENT

Developing a business profile as the basis for the business continuity plan is a multi-step process, beginning with assessing and documenting the organization’s mission, objectives and functions.
The business continuity plan is specifically designed to maintain the essential functions that ensure viability of the enterprise. The business profile defines the mission of that business and supporting objectives.

A.2.1 MISSION AND OBJECTIVES

The mission of ______________________ is {Insert organizational mission statement}

The primary organization objectives are:

A.2.2 ESSENTIAL FUNCTIONS

Essential Functions (EF) are those functions that must be continued under all circumstances to maintain business operations. In the event of a malevolent act or natural disaster, efforts should focus on maintaining security, communications, financial operations and other essential functions. Table 1 identifies the essential functions and position/title that is responsible for maintaining that function. Essential functions should be listed in order of priority for continuity and restoration.

Table 1 Essential Functions

Essential Functions | Responsible Position
1 Communications |
2 Security |
3 Material Receiving/Distribution - Emergency |
4 Contracts |
5 Financial |
6 Personnel |
7 Purchasing – Emergency |
8 Other (specify) |

A.2.3 GENERAL PLANNING

Organizations should prepare for BCP by determining:

- Functions that must be continued under all circumstances.
- Minimum operational requirements needed to satisfy the organization mission.
- Minimum functions required to satisfy the operational requirements.
- Functions that can be deferred until additional personnel and resources are available.
- Staffing requirements needed to perform essential functions.
- Minimum personnel required to satisfy organizational requirements.
- Mission critical data, communications and IT systems necessary to conduct essential functions.

A.2.4 STRATEGIC PLANNING

Strategic planning addresses identifying and implementing:

- Methods to mitigate the risks and exposures identified in the Risk Assessment and Business Impact Analysis (BIA). See A.6.2 and A.7.2.
- Plans and procedures to respond to any crisis that occurs.

BCP may include a strategy that addresses a variety of probable situations, including the duration of the business interruption (short- versus long-term), the period within the business cycle in which it occurs (peak versus low), and the extent of the interruption (partial versus complete). It is important that the strategy is:

- Attainable;
- Highly probable to be successful;
- Verifiable through tests and exercises;
- Cost effective; and
- Appropriate for the size and scope of the organization.

A.2.5 ASSUMPTIONS

- Emergencies or threatened emergencies can adversely impact business operations.
- A significant event may require businesses to operate with limited resources for up to 30 days.
- Recovery and reconstitution will be achieved per Sector Delaware Bay Recovery Guidelines and this BCP Template.
- Businesses will not normally reconstitute at an alternate site, but will shelter in place to ensure essential business functions continue.
- In the event of a prolonged crisis, telecommuting (i.e., telework) procedures may become necessary for designated essential employees.
- Events requiring activation of the BCP are normally executed consistent with the National Incident Management System (NIMS), Incident Command System (ICS) processes.
- Disruptions may impact personnel services to include postal, financial, legal and transportation.

A.2.6 THREAT AND RISK ASSESSMENT [4]

Using available information about known or anticipated risks, each organization should identify and review risks that could possibly impact their business, and the likelihood of each.
A Risk Assessment matrix can aid in the identification of risks and prioritization of Business Impact Analysis (BIA) development. See Appendix C for sample risk assessments and Sector Delaware Bay Recovery Guidelines, Section 1.5.

Table 2 Risk Assessment

Likelihood (Rate 1-5): 1 = Very Low, 2 = Low, 3 = Medium, 4 = High, 5 = Very High
Impact (Rate 1-5): 1 = Negligible, 2 = Some, 3 = Moderate, 4 = Significant, 5 = Severe

Risk | Likelihood (Rate 1-5) | X | Impact (Rate 1-5) | = | Relative Weight
Earthquake | | X | | = |
Power Failure | | X | | = |
Fire | | X | | = |
Hurricane | | X | | = |
Flood | | X | | = |
Bombing | | X | | = |
Sabotage | | X | | = |
HazMat Accident | | X | | = |
Product Recall | | X | | = |
Public Health | | X | | = |
Work Stoppage | | X | | = |
MTS Disruption | | X | | = |
Transportation Incident | | X | | = |
Cyber Attack | | X | | = |
Other (specify) | | X | | = |

[4] ASIS International, Business Continuity Guideline: A Practical Approach for Emergency Preparedness, Crisis Management, and Disaster Recovery, 2005

A.2.7 BUSINESS IMPACT ANALYSIS (BIA)

Regardless of type or size of the business, a critical initial step is to conduct a BIA. The purpose of the BIA is to identify the organization's mandate and critical services or products; rank the order of priority of services or products for continuous delivery or rapid recovery; and identify internal and external impacts of disruptions.

Identify the Mandate and Critical Aspects of the Organization

Information can be obtained from the mission statement of the organization, and legal requirements (e.g., contracts, memorandums of agreement, etc.) for delivering specific services and products.

Prioritize Critical Services or Products

Critical services or products must be prioritized based on minimum acceptable delivery levels and the maximum period of time the service can be down before severe damage to the organization results. To establish Recovery Time Objectives (RTO) for essential business functions, information is required to determine the impact of a disruption to service delivery, loss of revenue, additional expenses and intangible losses. For businesses that are major data users, establishing Recovery Point Objectives (RPO) is also necessary.

Determine Maximum Allowable Outage and Recovery Time Objectives (RTO)

Determine how long processes can be nonfunctional before impacts become unacceptable and how soon processes should be restored (shortest allowable outage restored first). Determine different RTOs according to time of year (e.g., year-end, tax filing, etc.), identify and document alternate procedures to a process (e.g., manual workarounds or processes, blueprints, notification/calling trees, etc.), and evaluate costs of alternate procedures versus waiting for the system to be restored.

Identify Impacts of Disruptions

The impact of a disruption to a critical service or business product determines how long the organization could function without the service or product, and how long clients would accept its unavailability. Determine the time period that a service or product could be unavailable before severe impact is felt.

Identify Areas of Potential Revenue Loss

Determine which processes and functions that support service or product delivery are involved with the creation of revenue. Calculate revenue loss if these processes and functions are not performed for a period of time. Identify additional expenses, such as fines and penalties from breaches of legal responsibilities, agreements, or governmental regulations.

Identify Intangible Losses

Estimates are required to determine the approximate cost of the loss of consumer and investor confidence, damage to reputation, loss of competitiveness, reduced market share, and violation of laws and regulations. Degradation of image or reputation is especially important for public institutions as they are often perceived as adhering to a higher standard of practice.

Insurance Requirements

When considering insurance options, decide which assets and/or losses to cover. Use the BIA to help decide both what needs insurance coverage, and the corresponding level of coverage. Document the level of coverage of your institutional policy, and examine the policy for uninsured areas and non-specified levels of coverage. Include an expert or an insurance team when developing the response plan.

Ranking

Ranking is based on the potential loss of revenue, time of recovery and severity of impact a disruption would cause. Minimum service levels and maximum allowable downtimes are then determined.

Identify Dependencies

Internal dependencies include employee availability, corporate assets (e.g., equipment, facilities, computer applications, data, tools, vehicles, etc.), support services (e.g., finance, human resources, security, etc.) and information technology support. External dependencies include suppliers, external corporate assets (e.g., equipment, facilities, computer applications, data, tools, vehicles, etc.) and any external support services (e.g., facility management, utilities, communications, transportation, finance institutions, insurance providers, etc.), government services, legal services, and health and safety services.

It is also important to consider Service Level Agreements (SLA) between parties and service providers. The SLA records a common understanding about services, priorities, responsibilities, guarantees, and warranties. Each area of service scope should have the "level of service" defined.
The SLA may specify the levels of availability, serviceability, performance, operation, or other attributes of the service, such as billing. The "level of service" can also be specified as "target" and "minimum," which allows customers to be informed of what to expect (the minimum), while providing a measurable (average) target value that shows the level of organization performance. In some contracts, penalties may be agreed upon in the case of non-compliance with the SLA. It is important to note that the "agreement" relates to the services the customer receives, and not how the service provider delivers that service.

A.3 CONCEPT OF OPERATIONS

Plans for the continuity of services and products are based on the results of the BIA. Ensure that plans are made for increasing levels of severity of impact from a disruption. For example, if limited flooding occurs beside an organization's building, sand bagging may be used in response. If water rises to the first floor, work could be moved to another company building or higher in the same building. If the flooding is severe, the relocation of critical business components to an alternate facility until flooding subsides may be the best option.

A.3.1 CRISIS MANAGEMENT ROLES AND RESPONSIBILITIES

It is necessary that an appropriate administrative structure be put in place to effectively deal with crisis management. Clear definitions must exist for a management structure, authority for decisions, and responsibility for implementation. Table 3 depicts a notional BCP organization.

Table 3 Notional BCP Organization

Component and Composition

- Senior Leadership: CEO, COO, direct reports and designated personnel responsible to implement key BCP components or annexes to maintain business functions
- Emergency Operations Center Director: Designated by Senior Leadership. Backup also designated.
- Emergency Operations Center staff: Designated personnel who serve as the coordination point for mitigation, and recovery. Monitor emergency and non-emergency operations. Normally assigned based on Incident Command System.
- Emergency Response Team (Internal): Designated personnel with responsibility for specific activities necessary to support essential functions
- Recovery Teams: Designated personnel for departments and/or critical processes

Responsibilities

- Provide strategic decision-making support on business recovery issues.
- Activate or partially activate BCP plan activities.
- Promote and monitor coordination.
- Take necessary actions to minimize event impact and return to normal operations.
- Task, organize, and place personnel on notice (or recall) in order to address the threat.
- Oversees the day-to-day operations for the response to, and recovery from, an incident or disaster.
- Liaison to the Senior Leadership.
- Determine, with Senior Leadership, if a disaster declaration is warranted.
- Manage and support the response to, and recovery from, an incident or disaster.
- Initiate notification regarding BCP activation (e.g., call trees; in-person notification, etc.).
- External notification of BCP activation.
- Access to ready critical processes, systems, resources, and records necessary to support essential functions.
- Coordinating relocation of communications, information technology, and vital records, and data sets.
- Ensure safety and security of personnel.
- Initiate essential functions from alternate facility(s) or location(s).
- Evaluate threats and current/proposed security measures and recommend courses of action.
- Coordinate media communications.
- Coordinate emergency public information requirements.
- Coordinate inspections, damage assessments, and emergency repairs.
- Communicate and coordinate with emergency response team.
- Communicate status with local responders.
- Develop plans for reconstitution.
- Report to designated location (e.g., Alternate Facility (AF), predetermined location, other site, etc.).
- Support the EOC as directed. Typical support may be vehicle operators, maintenance crews, inspection and damage assessment teams, traffic control and direction, public outreach, and support to emergency responders.
- Carrying out an orderly evacuation of each office.
- Conduct training on the process and procedures of emergency evacuation.
- Provide other duties as directed.
- Responsible for the recovery of critical processes.
- Direct recovery efforts.
- Provide recovery status to the EOC.

A.3.2 BCP PHASING

Phase 0: Normal Operations

During normal operations, every effort will be made to plan for maintaining operational capability for essential functions during emergencies:

- Devise mitigation strategies to prevent or lessen the impact of risk or threats identified in the BIA. For example, a strong records management and technology disaster recovery program can mitigate the loss of key documents and data.
- Train essential personnel on their crisis roles and responsibilities.
- Cross train personnel to perform alternate job responsibilities.
- Ensure mitigation resources are available and functional, e.g.,
  - Security plans
  - Alert and notification procedures
  - Emergency equipment
  - Fire alarms and suppression systems
  - Local resources and vendors
  - Alternate worksites
  - Maps and floor plans updated/changed due to construction and internal moves
  - System backups and offsite storage
  - Contracts for emergency response, assessment, and restoration services

Phase 1: Activation (and Relocation)

A situation assessment and severity assessment should be made at the onset of a crisis. Factors to be considered include the magnitude and complexity of the incident, the potential for escalation, and the potential impact of the situation. The point at which a situation is declared to be a crisis should be clearly defined, documented, and fit specific and controlled parameters.

The priority during Phase 1 is to maintain operations, ensure communications and financial continuity, transfer computer data/applications necessary to support operations, and address workforce safety, personnel accountability, and resource assessment and reporting. Key elements:

- Alert and notification procedures (essential personnel and emergency response teams) for normal and after hours;
- Initial actions to maintain primary operations, BCP activation, communications links and AF requirements; and
- Activation procedures for Alternate Facility (AF) operations, if required.

The BCP should include established procedures for efficient and complete transition to the AF including measures for security at both sites. These procedures should complement organizational evacuation plans and emergency response plans, and delineate responsibilities and authorities. Table 3 provides BCP activation guidelines, which can be modified for each organization.

Table 3 BCP Activation Guidelines

Level of Emergency 1: Routine emergency incidents
  Example: Major winter storm
  Impact: Disruption of 12 to 72 hours, with minor impact on EFs.
  Decision: May require limited BCP activation, depending on organizational requirements.

Level of Emergency 2: Minor business interruptions
  Example: Major power outage, heightened Homeland Security Advisory System Threat Level (against a specified target).
  Impact: Disruption to one or more EFs or to a vital system for no more than three days.
  Decision: May require partial BCP activation to move certain personnel to an alternate facility or location.

Level of Emergency 3: Moderate business interruptions
  Example: Hurricane, major telecommunications failure or extended power outage.
  Impact: Disruption to one or more EFs with potential of lasting for more than three days.
  Decision: May require partial BCP activation. For example, execute orders of succession for some key personnel; movement of some personnel to an AF or location in the primary facility for more than a week. Personnel not supporting EFs may be instructed not to report to work (i.e., telecommute or telework), or be reassigned to other activities.

Level of Emergency 4: Major business interruptions
  Example: Explosion in, or contamination of primary facility, major fire, earthquake, pandemic, physical attack, or national security emergency.
  Impact: Disruption to EFs with a potential for lasting at least two weeks.
  Decision: BCP activation. May require activation of orders of succession for key personnel. May require movement of essential non-security personnel to an alternate work site for more than two weeks. Personnel not supporting essential functions may be instructed not to report to work (telework), or be reassigned to other activities.

These levels may aid organizations that are developing business impacts and response plans for use during a crisis. Determining the initial level of the crisis and the progression from one level to the next will normally be the responsibility of the Senior Leadership.

Phase 2: Emergency Operations

BCPs should be developed based upon a ‘worst case scenario,’ with the understanding that the response can be scaled appropriately to match the needs of the actual incident. Issue guidance and pertinent information to BCP personnel and the work force, identify replacements for missing personnel, implement orders of succession and delegation of authority, and commence operations supporting EFs at the alternate facility (AF), as required. When initiating a response, it is important to ensure the following prioritized actions occur:

- Save lives and reduce chances of further injuries/deaths;
- Protect physical assets and essential records;
- Restore critical business processes and systems;
- Reduce the length of the interruption of business;
- Maintain communication within the organization and to customers, suppliers and financial institutions;
- Protect reputation and implement damage control measures;
- Implement Crisis Communication Plan to manage public information (e.g., local, regional, national or global); and
- Maintain customer relations.

Phase 3: Reconstitution

During this phase, implement actions for resumption of normal operations. Actions include:

- Damage and impact assessment;
- Resumption of remaining processes.
  Process recovery needs should be prioritized, scheduled and documented;
- Orderly return to normal operating activities; and
- After-Action Review to assess all phases and elements of BCP operations and provide specific recommendations to improve areas of concern (see Appendix H).

A.3.3 IMPLEMENTATION

For immediate actions, see Appendix M, Action Steps.

The CEO or designated successor may implement the organizational BCP based on known or anticipated threats and emergencies. For AF operations, BCP implementation should ensure critical resources are pre-deployed with additional resources pre-identified and deployed as required. Table 4 provides a depiction of phasing and activities to be modified by each organization.

Table 4 BCP Phasing and Activities

Phase and Time Frame

- Phase 0 - Normal Operations: N/A
- Phase 1 - Activation and Relocation: 0-12 Hours
- Phase 2 - Emergency Operations: From 12 Hours to Termination of Emergency
- Phase 3 - Reconstitution: Return to normal operations

Activity

- Notify Supervisors of impending activation and any relocation requirements.
- Instruct key personnel to prepare for the activation of the AF, if required.
- Assemble documents/equipment required to support EFs.
- Procure needed equipment/supplies.
- Assess damage.
- Determine impact and status.
- Ensure communications and financial continuity.
- Activate key staff, communications links and plans.
- Transfer computer data/applications necessary to support operations.
- Maintain workforce safety and personnel accountability.
- Assess and report resource deficiencies.
- Notify employees and contractors regarding activation of BCP plan and their status.
- Notify suppliers, customers and impacted local, regional and state organizations.
- Assess personnel availability and adjust operations as necessary.
- Transport documents and designated communications equipment, if required.
- Continue essential functions.
- Activate AF and EOC and recovery teams if necessary.
- Provide guidance and pertinent information to contingency personnel on duty assignments, work hours, pay, etc.
- Identify replacements for missing personnel (i.e., succession and delegation of authority).
- Commence full execution of operations supporting essential functions.
- Assess damage impact and status.
- Inform all personnel of the reduced threat status.
- Resume remaining processes.
- Supervise return to normal operations.
- Conduct a review of BCP execution and effectiveness.

A.4 TRAINING AND EXERCISES

Education and training programs should include BCP emergency teams, all employees and familiarization for external resources who might be involved in response or recovery (e.g., first responders, public health, vendors, media, etc.). When feasible, organizations should provide representation to Sector Delaware Bay training and exercise events, with particular emphasis placed on organizational BCP execution and coordinated recovery operations. See Appendix H and Sector Delaware Bay Recovery Guidelines, Appendix E.

A.4.1 COORDINATING INSTRUCTIONS

Incident Management System (IMS) legislation was signed into law on August 3, 2007 and the Incident Command System (ICS) was adopted at the national level under the National Incident Management System (NIMS). ICS is a standardized model for emergency management, as well as command, control, and coordination of a response to an incident, emergency, or disaster, and allows multiple departments and/or organizations to work together for unity of command without jurisdictional or operational boundaries. The senior emergency responder assumes incident command and is responsible for making critical decisions necessary to provide aggressive emergency response. Sector Delaware Bay will use the ICS for significant BCP incidents.
Table 5 provides an overview of the five ICS components/functions and positions. Additional positions may be activated based on the need to support each section’s function. BCP should consider business integration into the ICS during large scale emergencies.

Table 5 ICS Components/Functions Roles and Responsibilities

Management Section

EOC (Emergency Operations Center) Director
- Informs and briefs senior management
- Leads decision-making
- Coordinates the response and recovery
- Establishes emergency policies
- Responsible for activation and deactivation of emergency response
- Liaisons with emergency agencies

Public Information Officer
- Issues news releases
- Provides focal point for media
- Coordinates all public release of information

Safety Officer
- Ensures personnel safety in the EOC
- Monitors the response and recovery to ensure safe practices, and stops or modifies all unsafe operations

Operations Section

Operations Section Leader
- Provides damage assessments
- Responsible for emergency operations
- Responsible for recovery operations (including restoring operations, restoring/repairing damaged assets, removing debris, repairing/demolishing buildings, restoring utilities)

Planning Section

Planning Section Leader
- Collects, evaluates, and disseminates information about the incident and status of resources
- Develops an action plan
- Maintains wall charts and documentation
- Identifies any potential future emergency response or recovery concerns

Logistics Section

Logistics Section Leader
- Responsible for obtaining resources (e.g., facilities, personnel, equipment, materials, etc.)
- Coordinates sheltering and feeding of employees
- Ensures full functioning of the EOC by maintaining needed supplies (e.g., janitorial services, feeding services, materials, etc.)
- Obtains and coordinates transportation resources; schedules transportation for emergency personnel and shipments of resources
- Provides staffing for emergency response

Finance Section

Finance Section Leader
- Oversees the financial activities and administrative aspects not assigned to other functions
- Maintains personnel work logs and time sheets
- Provides cost analysis of emergency operations
- Ensures payment for all materials and personnel services
- Maintains accurate records of all financial transactions in support of the disaster
- Purchases, rents, or leases equipment, services, and resources

A.5 ADMINISTRATION AND LOGISTICS

A.5.1 ADMINISTRATION

- Determine staffing requirements and develop procedures to ensure sufficient, qualified personnel are available throughout the duration of the emergency.
- Cost capturing. All supervisors should capture costs associated with BCP. Ensure supporting documents are carefully maintained to facilitate prompt reimbursement as part of recovery from the incident, and provide documentation in support of insurance and liability issues.
- Legal requirements and considerations. See Sector Delaware Bay Recovery Guidelines, Appendix L.

A.5.2 LOGISTICS

Logistics planning is normally based on organizational requirements for sustaining operations. Stockpiled and immediately available supplies, equipment and personnel will be used at the onset of an incident. Requisitions to obtain identified supply requirements during BCP operations have priority. The Financial Section will keep detailed records of all requisitions. Transportation should be arranged ahead of time, when possible. Areas where emergency transportation is critical include:
- Evacuation of personnel;
- Transportation to an alternate worksite;
- Supplies into the site or to an alternate site;
- Transportation of critical data to worksite; and
- Transportation for staff with special needs.
A.6 COMMUNICATIONS

Communications are an integral part of BCP activation and operational viability. Communications will be primarily by standard, established communication methods and protocols (e.g., telephone land lines, two-way radios (if appropriate), cellular telephones, e-mail, Internet, etc.). As a result of some disasters, standard communication methods may not be available, requiring rapid activation or implementation of redundant or alternative communications procedures and protocols. See Appendix F for Information and Communications Systems.

A.6.1 PUBLIC RELATIONS

Assign a Public Relations representative: This person serves as the public face of your organization in the event of a disaster. There will be a demand for accurate, current information, and your BCP Team should work closely with the designated representative to ensure they are prepared to respond to any request for information.

A.6.2 EMERGENCY INFORMATION HOTLINE

{Organization} emergency hotline provides a central point of contact for employees to obtain information and direction regarding the organization during an emergency that disrupts normal operation.

Emergency Information Hotline number: {number will be inserted here once it is established}

For administration of the Emergency Information Hotline or to change the announcement, follow the procedures below:

{Procedures will be inserted here once hotline is established}

Use of the Emergency Information Hotline is pursuant to employees authorized to update the recorded message document.

Note: When leaving a message on the Emergency Information Hotline, it should be assumed that the media will ultimately gain access to this information. This should be taken into account when leaving a message on the Emergency Information Hotline.
Sample Scripts

The sample scripts below are examples of messages that can be left on the Emergency Information Hotline:

Standard “All Clear” script
“You have reached the [insert organization name] Employee Emergency Information Line. Currently, we have no problems or incidents. During major incidents or emergencies impacting [insert organization name], information about the problem or emergency will be updated on this line. Thank you.”

Incident/Emergency Status Update script
“You have reached the [insert organization name] Employee Emergency Information Line. This is an update for <time>, <date>.”
“<status information>”
<closing> - “The next update will be at <time>, <date>” Or, “This line will be updated if there is any new information. Thank you.”

APPENDIX A GLOSSARY

Alert
A formal notification that an incident has occurred which may develop into a disaster.

After-Action Review (AAR)
A narrative report that presents issues identified during an exercise or actual response and recommendations on how those issues can be resolved.

All Hazards Threat
Includes military attack, terrorist activities, natural or man-caused disasters. Organizations should address all-hazards threats in their procedures, assess the probability of these threats affecting their organization, and develop procedures to respond to these threats to ensure continuity of their essential functions.

Alternate Database/Records Access
The safekeeping of vital resources, facilities, and records, and the ability to access such resources in the event the BCP is activated.

Alternate Facility (AF)
A location, other than the normal facility, used to conduct critical functions and/or process data in the event that access to the primary facility is damaged. The alternate site provides the capability to perform minimum essential functions until normal operations can be resumed.
Alternate Communications
Communication methods and protocols that provide the capability to perform essential department or office functions until normal operations can be resumed.

Backup
The practice of copying critical information, regardless of the media (e.g., paper, microfilm, audio or video tape, computer disks, etc.), to provide a duplicate copy.

BCP Maintenance
Process to ensure the BCP is systematically reviewed and updated.

Business Continuity Management
A proactive process supported by management, which identifies potential threats and associated impact on the key functions of an organization and the steps necessary to maintain continuity of services. (Associated term: Continuity of Operations).

Business Continuity Planning (BCP)
The task of identifying, developing, acquiring, documenting, and testing procedures and resources that will ensure continuity of a firm's key operations in the event of an accident, disaster, emergency, and/or threat. It involves (1) risk mitigation planning (reducing possibility of the occurrence of adverse events), and (2) business recovery planning (ensuring continued operation in the aftermath of a disaster). (Associated term: Business Continuity Plan).

Business Impact Analysis (BIA)
A management level analysis which identifies the impacts associated with the loss or degradation of an organization’s resources. The BIA measures the effect of resource loss and escalating losses over time in order to provide senior management with reliable data upon which to base decisions on risk mitigation and continuity planning. (Associated terms: Business Impact Assessment, Business Impact Analysis Assessment)

Call-Down List
Prioritized list of personnel and outside emergency personnel in order of notification.
Chief Executive Officer (CEO)
A chief executive officer (CEO) or chief executive is one of the highest-ranking corporate officers (executives) or administrators in charge of total management. An individual selected as president and CEO of a corporation, company, organization, or agency, reports to the board of directors.

Chief Operating Officer (COO)
A chief operating officer or chief operations officer (COO) is a corporate officer responsible for managing the day-to-day activities of the corporation and for operations management (OM). The COO is one of the highest-ranking members of an organization's senior management, monitoring the daily operations of the company and reporting to the board of directors and the top executive officer, usually the chief executive officer (CEO).

Cold Site
An alternate facility that has been designated for use during an emergency that requires the relocation and installation of equipment before it can support operation.

Concept of Operations
A verbal or graphic statement (in generalized outline form) of assumptions or intent for an operation or series of operations. The concept is designed to give an overall picture of the operation. It is included primarily for additional clarity of purpose.

Contract
An agreement between two or more parties, especially one that is written and enforceable by law.

Crisis
An abnormal situation, or perception, which threatens the operations, staff, customers or reputation of an organization.

Database
The data required for the accomplishment of functions to be performed in accordance with the organization’s BCP plan. Data may be contained in plans, messages, compilations of factual information, pre-positioned messages, authentication systems, automated data processing tapes and disks, and standardized forms.
Delegation of Authority
Specifies who is authorized to act on behalf of the organization head and other key officials for specific, predetermined purposes.

Disaster
A sudden, unplanned calamitous event that causes great damage or loss. In the business environment, it is any event that creates an inability of an organization to provide the critical business functions for some predetermined period of time.

Emergency
Absent a Presidentially declared emergency, any incident(s), human-caused or natural, that requires responsive action to protect life or property. Under the Robert T. Stafford Disaster Relief and Emergency Assistance Act, an emergency means any occasion or instance for which, in the determination of the President, Federal assistance is needed to supplement State and local efforts and capabilities to save lives and to protect property and public health and safety, or to lessen or avert the threat of a catastrophe in any part of the United States.

Emergency Operations Center (EOC)
The location from which disaster recovery is directed and tracked; it may also serve as the primary point for deliveries, services, press briefings and all other external contacts.

Emergency Operations Plan
Provides facility-wide procedures for emergency situations and generally includes personnel safety and evacuation procedures.

Essential Functions
Any function that is vital to the continuation of operations of the organization. EFs are those continuing activities that must be performed without interruption to execute critical missions. EFs should be prioritized, which allows for a graduated response and recovery, as well as relocation to the AF with minimum interruptions to operations during an emergency or during normal operations.
Essential Positions or Personnel
Those positions required to be filled by suitably trained and experienced individuals whose absence would jeopardize the continuation of an organization’s essential functions.

Event
Any incident causing an organization to activate their BCP. [NOTE: Distinction must be made between a situation requiring evacuation only and one dictating the need to implement the BCP. An example of a non-BCP initiating event is a fire or hazardous materials incident that may require the evacuation of an organization’s building but only for a short duration. Alternately, an emergency so severe that an organization facility is rendered unusable and likely will be for a period long enough to significantly impact normal operations may require BCP implementation.]

Federal Emergency Management Agency (FEMA)
A Government agency within the U.S. Department of Homeland Security that coordinates Federal efforts and responsibilities to anticipate, prepare for, and respond to national emergencies.

Hot Site
A fully equipped facility, which includes stand-by computer equipment, environmental systems, communications capabilities, and other equipment necessary to fully support an organization’s immediate work and data processing requirements in the event of an emergency or a disaster.

Incident Command System (ICS)
The Incident Command System is a standardized model for command, control, and coordination of a response for on-scene emergency management.

Infrastructure
The basic installations, facilities, and equipment needed for the functioning of a system or subsystem (e.g., power systems, data systems, transportation systems, communications systems, etc.).

Legal and Financial Records
Records (e.g., personnel records, social security records, payroll records, insurance records, contracts, etc.)
which are essential to the protection of the legal and financial rights of an organization and of the individuals directly affected by the organization’s activities.

Memorandum of Agreement
A memorandum of agreement (MOA) or cooperative agreement is a document written between parties to cooperatively work together on an agreed upon project or meet an agreed upon objective. The purpose of an MOA is to have written documentation of the agreement between parties.

Memorandum of Understanding
A memorandum of understanding (MOU) is a document describing an agreement between parties. It expresses a convergence of will between the parties, indicating an intended common line of action. It most often is used in cases where parties either do not imply a legal commitment or in situations where the parties cannot create a legally enforceable agreement.

Mitigation
Activities taken to reduce the severity of consequences of an emergency.

Mutual-Aid Agreement
Written agreement between organizations that they will assist one another on request, by furnishing personnel, equipment, and/or expertise in a specified manner and within the limits of their own circumstances and abilities.

Order of Succession
A formula that specifies (by position) who will automatically fill a position once it is vacated due to the event or attrition.

Primary Facility
The site of normal, day-to-day operations.

Problem Assessment
An evaluative process used in decision making that determines the nature of the issue to be addressed.

Reconstitution
Actions taken to re-establish an organization or the capabilities of an organization that have been destroyed or severely damaged. Also refers to the period of time during the post-event phase when organizational activities re-establish noncritical missions, functions, organizations, resources, and services as they existed prior to the crisis event.
Recovery
The process of (1) evaluating the status and capability of organizational resources following an attack or other serious event; and (2) reorganizing so those resources are secure and the organization can continue to function, though possibly at a reduced capability level.

Recovery Point Objective (RPO)
A point in time to which data must be restored in order to be acceptable to the owner(s) of the processes supported by that data. This is often thought of as the time between the last available data backup and the time a disruption could potentially occur. The RPO is established based on tolerance for the loss of data or reentering of data, and when considered in conjunction with the Recovery Time Objective (RTO), is the basis on which a data protection strategy is developed.

Recovery Time Objective (RTO)
The time period after a disaster at which business functions need to be restored. Different business functions may have different recovery time objectives. For example, the RTO for the payroll function may be two weeks, whereas the RTO for sales order processing may be two days.

Relocation
The movement of the emergency staff to emergency relocation facilities for purposes of maintaining command and control and conducting mission essential functions on a continuous basis.

Risk Assessment/Analysis
An evaluation of the probability that certain disruptions will occur and the controls to reduce organizational exposure to such risk.

Service Level Agreement (SLA)
A service level agreement (SLA) is a negotiated agreement between two parties where one is the customer and the other is the service provider. This can be a legally binding formal or informal "contract".

Severity Assessment
The process of determining the severity of the crisis and the long-term associated costs.

Situational Analysis
The process of evaluating the severity and consequences of an incident and communicating the results to decision makers.
Threat
A natural or man-made occurrence, individual, entity, or action that has (or indicates) the potential to harm life, information, operations, the environment and/or property.

Telecommuting (also known as telework)
An arrangement where designated employees perform assigned official duties at an alternative worksite on a regular and recurring or on a situational basis.

Vendor
An individual or company who provides a service to a department or the organization as a whole.

Vital Records and Systems
Records or documents, regardless of media (e.g., paper, microfilm, audio or video tape, computer disks, etc.) which, if damaged or destroyed, would disrupt business operations and information flows and cause considerable inconvenience and require replacement or re-creation at considerable expense.

Warm Site
An alternate processing site which is only partially equipped (as compared to a Hot Site which is fully equipped).

APPENDIX B CONTACT ROSTERS

Organization employees will be notified of the intent to activate and de-activate the BCP using standard protocols whenever possible. Employees will be notified by telephone, pager, two-way radio, and/or e-mail of a change in BCP status. This information will also be available on {list alternate site or method}. Employees will be notified of a change in BCP status based on the priority of the essential function that they perform.

B.1 ESSENTIAL PERSONNEL ROSTER

Positions considered essential by each department are listed below. Updated call-down lists are maintained on file with each department.
Dep't | Name | Position | Email | Work Phone | Home Phone | Cell Phone/Pager

B.2 EMPLOYEE ROSTER

Priority | Name | Position | Email | Work Phone | Home Phone | Cell Phone/Pager

B.3 FAX AND TELEPHONE FORWARDING NUMBERS

Name and/or Location of Phone/Fax | Phone/Fax Number

B.4 VENDOR ROSTER

Key vendors and customers also will be notified of the intent to activate and de-activate the BCP. Notifications will occur using normal methods, i.e., land line telephone, cellular telephone, or e-mail. Alternate sources for key supplies and services should be included.

Service | Vendor | Point of Contact | Phone Number | Email

APPENDIX C RISK ASSESSMENT

The objective of the risk assessment is to document organizational risks that may result in the need to activate the BCP. Organizations should include the probability of each identified event occurring and the proposed mitigation efforts. Example risks, analysis and proposed mitigations are provided below.

Risk: Disruption of local power source.
Analysis: The probability is low, based upon historical data of outages and countermeasures employed.
Mitigation: Conduct electrical service vulnerability assessment to ensure continuity of service.

Risk: Disruption or discontinuance of service due to water damage, fire, or other natural disaster.
Analysis: The probability is medium based upon historical data of natural disaster damage.
Mitigation: Ensure vital records and databases are backed up and accessible from an alternate location.

Risk: Natural disaster damage could force the operation to relocate to an alternate facility location. This may create operational backlogs.
Analysis: The probability is low, dependent on dispersed operational locations and backup sites.
Mitigation: Alternate facility location is identified and prepared.

Risk: Disruption of communication services through internal and external tampering.
Analysis: This has a medium probability of occurring. Information can be obtained by intercepting non-encrypted data communication.
Mitigation: Data can be encrypted prior to communication transmission.

Risk: Unauthorized persons gaining access to the facility to disrupt essential functions.
Analysis: This has a low probability of occurring.
Mitigation: Enhance security and employ random anti-terrorism and intrusion measures.

Risk: Unauthorized persons gaining access to computer systems to sabotage, obtain, alter, or destroy information.
Analysis: This has a medium probability of occurring. Unauthorized access could cause damage to the effectiveness of Information Technology (IT) architecture.
Mitigation: Continue to review system security and ensure security countermeasures are in place and effectively operating.

Risk: Disgruntled employee sabotaging the computer system network.
Analysis: This has a low probability of occurring. This could lead to disruption or destruction of data files.
Mitigation: Limit access for those employees experiencing adverse personnel actions.

APPENDIX D FACILITIES

D.1 FACILITIES CHECKLIST

Facilities Protective Measures (YES / NO / N/A):
- Personnel trained in emergency evacuation procedures
- Emergency exits are clearly marked
- Emergency drills are regularly practiced
- Evacuation Assembly points have been identified
- Floor plans are posted
- Fire safety procedures in place
- Staff familiarized with location of the mains switches and valves (i.e. for electricity, gas and water)
- Risk assessment conducted of surrounding area and businesses
- Physical security policy adopted and disseminated to staff
- Appropriate security system installed and operational
- Security training conducted
- Access control measures implemented and enforced

D.2 ALTERNATE FACILITY (AF)

The AF should provide the following:
- Immediate capability and reliable support services to perform essential functions under emergency conditions;
- Sufficient space and equipment to sustain operations;
- Ability to sustain operations for a period of up to 30 days;
- Appropriate physical security and access controls; and
- Reliable logistical support and infrastructure systems including water, electrical power, and communications.

Organizational process for alternate facilities:
{Insert} maps, completed process descriptions, checklists, desktop procedures etc. here for reference by those who will use the plan. Include information about activation/notification; whether an MOU will need to be activated; procedure to notify building manager of alternate facility and public officials where the facility resides; and mobilization of an advance element to ready the facility.

Organizational emergency kit
An emergency kit should include copies of the Emergency Operations Plan (EOP), the department EOP, the organization BCP, call-down lists, other vital records and alternate operating locations with maps to these locations. The emergency kit should also contain a laptop computer loaded with current facility locations, essential human resources and payroll information, and organization-specific software. Copies of paper forms needed to continue providing essential services as well as paper forms that can be used to perform work manually should computer systems become inoperable should also be included.

Personal emergency kit
Essential personnel may want to have a personal emergency kit that includes personal care items needed for an extended operation at an alternate site or facility.

D.3 ALTERNATE FACILITY SURVEY

Facility Name | Facility Address | Agreement Type and Date | Annual Cost | Comments

D.4 EMERGENCY RESPONSE TEAM

Position Title | Responsibilities
IT and Communications Systems
Building Systems operation and maintenance
IT Systems
Network and Radio
Other

D.5 ALTERNATE FACILITY REQUIREMENTS AND RISK ASSESSMENT

Checklist (Yes / No / Comments):
- Perform all hazard risk assessment of the AF
- Is the AF capable of supporting essential functions for {insert} days?
- How many personnel per shift will be required to accomplish AF functions for {insert} days?
- What are the minimum space requirements for emergency operations?
- Is there reliable logistical support, services and infrastructure system, including water, fuel, electric power, HVAC, IT communications, etc?
- Is there sufficient AF backup power?
- Are AF secure storage requirements met?
- Are AF requirements incorporated into the organization’s Physical Security Plan, e.g. access control, roving security, etc.?
- Can human needs be met, e.g. food service, sleeping, medical services, etc.?

D.6 ALTERNATE FACILITY EQUIPMENT REQUIREMENTS

Equipment and supplies, including software, desktop and laptop computers, will be required to continue essential functions from the alternate facility.

Equipment | Quantity | Pre-Positioned | Hand-Carried | To Be Ordered
Personal Computer
Laptop Computer
Photocopier
Fax machine
Desks
Telephones
Chairs
Staplers
Printer
File cabinets
Typewriter
Document Scanner
Consumable supplies
Wireless network router
Network cables
Uninterruptible Power Supply units
Other (specify)

APPENDIX E ORDERS OF SUCCESSION AND DELEGATION OF AUTHORITY

E.1 ORDERS OF SUCCESSION

- Establish an organizational order of succession.
- Establish succession procedures and conditions under which succession will take place.
- Describe orders of succession by positions rather than by names.
- Revise and distribute orders of succession as necessary.

E.2 DELEGATION OF AUTHORITY

- Identify which authorities can/should be delegated.
- Identify limitations on delegation of authority.
- Identify circumstances under which the authorities would be exercised.
- Delineate the limits of authority and accountability.
- Indicate circumstances under which delegated authorities would become effective and when they would terminate.
- Ensure individuals who may be expected to assume authorities in an emergency are trained to carry out their emergency duties.

E.3 SUCCESSOR PLAN

This table identifies orders of succession to key positions in the organization. At least two successors to each position designated as essential should be identified, preferably by position rather than by name. The designation of a position as essential should be a formal part of the position description.

Position | Successor | Responsibility | Condition
CEO | 1. COO 2. | Full | All emergencies
COO | 1. 2. | Full | If required
Designated Supervisors | 1. 2. | Partial (Define) | If required
Deputy Supervisors | 1. 2. | |
Etc… | 1. 2. | |

APPENDIX F INFORMATION AND COMMUNICATIONS SYSTEMS

F.1 INTEROPERABLE COMMUNICATIONS

An essential component of an effective business continuity plan is the ability to initiate immediate continuous two-way communications with all personnel involved in the crisis. It is absolutely critical in the face of a disruptive event, whatever the scale, for the organization to ensure that employees can communicate with one another, and with the organization’s partners and customers. In the face of any interruption to normal business, employees need to receive information about the event, and how they are to continue operating, often on a continuous basis.
The goal is always to minimize confusion, so that employees spend as little time as possible figuring out how to do their jobs, and as much time as possible actually doing them. Operational continuity is dependent upon available and interoperable communication systems which include: Ability to communicate with contingency staffs and affected elements; Ability to communicate with external agencies, e.g. Emergency Medical Service responders; Access to data and systems necessary to conduct essential functions; Ability to communicate with partners and customers; Secure communications and data links; and Variable and redundant capability. .1 F.2 MISSION CRITICAL SYSTEMS Equipment, documents and personnel that are essential to the operation and maintenance of the IT network and communications systems should be identified. Information Technology and Communications Critical IT Systems Name Location All IT Systems Bld. XX Restoration Priority Responsible Position Network Manager Alternate Facility EOC Network Server A Room 2 2 Systems Administrator II Network Server B Room 2 1 Systems Administrator II Computer 2 EOC Computer 1 CEO Page F-1 Phone Cell Email Wireless network router FOR OFFICIAL USE ONLY Contact Information Systems Administrator I Systems Administrator I FOR OFFICIAL USE ONLY AMSC Sector Delaware Bay Business Continuity Planning Template Information Technology and Communications Name Location Restoration Priority Responsible Position Contact Information office Computer 7 Finance Video Conferencing Audio Conferencing Etc. 
IT office IT Disaster Recovery Plan (includes Recovery Point Objectives & Recovery Point Objectives) Systems Administrator I Testing Plan IT Security Policies and Procedures

Communications
All Communications systems
Hand-held two-way radio | EOC | | Network Manager
Hand-held two-way radio | Response Team 1 | | Response Team Leader
Telephones | | | Communications Coordinator
Communications Plan
Emergency Alert/Notification system
Other (specify)

F.3 INTEROPERABLE COMMUNICATIONS WORKSHEET

Service | Provider | Specifications | Alternative Provider | Special notes
Voice lines
Fax lines
Data lines
Cellular phones
E-mail
Internet
PDA
Wireless
Instant Messenger
Text Messaging
Computers
Couriers
Other (specify)

APPENDIX G VITAL RECORDS AND DATABASES

Vital records, data systems and equipment needed to maintain business operations and activities should be identified, protected and accessible during the recovery and restoration phases. Vital records are typically in paper or electronic format and should be available at multiple locations during an emergency.

G.1 VITAL RECORDS AND DATABASE OBJECTIVES:
- Ensure vital records are retrievable
- Outline procedures for, and prioritize the recovery of, vital records
- Ensure damage to vital records is minimized

G.2 VITAL RECORDS INCLUDE:
- Emergency Operating Records: Records, regardless of media, essential to continued function or reconstitution during and after an emergency
- Legal and Financial Records (e.g., accounts receivables, official personnel records, insurance documents, contract records, legal and regulatory authorities and litigation files, etc.)
- Working Records and Documents (i.e., records, including electronic, and documents needed to respond to or recover from an emergency)

G.3 VITAL RECORDS (EXAMPLES):
- Telephone directories and listings of supervisors and employees
- Financial records
- Maps, drawings, GIS data of facility plans and key resources
- Legal documents including contracts, MOU, MOA, MAAs
- Forms
- Electronic data
- Portable hardware to use electronic data

Table G.4 provides typical emergency operating and legal / financial records documentation.

G.4 EMERGENCY OPERATING RECORDS (EXAMPLE)

Category | Description | Form of record | Off site storage location | Maintenance Frequency
Emergency plan | Directive | Paper | Emergency Relocation Facility | When updated
Delegations of authority | Directive | Paper & Electronic | | Monthly
Building plans | Blue print | Paper | | When modified
Systems manuals | Equipment & systems operating guides | Paper & Electronic | | At time of purchase

G.5 LEGAL AND FINANCIAL RECORDS (EXAMPLE)

Category | Description | Form of record | Off site storage location | Maintenance Frequency
Accounts receivable | Near report | Electronic | | Weekly
Payroll | Employees Payroll record | Electronic | | Bi-weekly
Accounts payable | Vendors invoices | Paper & Electronic | | Monthly
Official personnel records | Salary and insurance records | Electronic | | Monthly
Active contracts | Agreements | Paper | | Quarterly
MAA / MOU | | Paper & Electronic | | Quarterly

APPENDIX H TESTING, TRAINING AND EXERCISES

H.1 TESTING

Action | Responsible Party | Frequency | Tentative Schedule
Test BCP alert, notification, and activation procedures | CEO or designate | Quarterly | Sept., Dec., March, June
Test BCP communications equipment | CEO or IT Manager | Quarterly | Sept., Dec., March, June
Test BCP communications protocols | CEO or IT Manager | Quarterly | Sept., Dec., March, June
Test vital records implementation and recovery plan | CEO or designate | Semi-Annually | Oct., April
Test data recovery plan | CEO or IT Manager | Semi-Annually | Oct., April
Test infrastructure at alternate facility, to include power, backup power, heating, cooling, water, and sewer | Facilities Maintenance Supervisor | Annually | June

H.2 TRAINING

Training is essential to BCP execution and familiarizing personnel with their emergency functions. The key objectives of the training program are:
- Train personnel and stakeholders on BCP procedures and policies.
- Train BCP teams on emergency operations to ensure essential functions are maintained.

A sample training plan, to be modified by the organization, is provided (terms defined in H.4):

PROGRAMS | METHODS | AUDIENCE | FREQUENCY | COST
Orientation | Classroom; Study material | Senior leadership | As required with position turnover |
Seminar / workshop | Classroom; Workshop | All employees | Yearly |
Tabletop | | Senior leadership, supervisors, BCP Teams, successors, selected alternate facility staff customers & suppliers | Yearly |
Operations-based exercise | Study material; Case study; Drill | All employees | As required |

H.3 EXERCISES

Exercises are used to validate policies and procedures for responding to focused emergency situations and to identify deficiencies. Exercises are simulated emergency incidents that are used to promote preparedness, improve response capabilities, validate plans, procedures and systems, and determine the effectiveness of command, control, and communications. BCP exercises should be a realistic simulation of an emergency, in which individuals and teams practice the tasks that would be expected of them in a real emergency. Exercises are conducted in a “No Fault” environment that is intended to evaluate systems or procedures. Performance by individuals or teams is not graded.
Exercise evaluation is intended to identify systemic weaknesses and to suggest corrective actions. A hot-wash and an After-Action Report (AAR) are conducted on completion of each exercise to evaluate procedures and coordination.

H.4 USEFUL TERMS

EXERCISE TYPE | PURPOSE | DURATION
Discussion-based Exercises
Seminar | Seminars are informal discussions, unconstrained by real-time portrayal of events and led by a presenter. They are generally employed to orient participants to, or provide an overview of, authorities, strategies, plans, policies, procedures, protocols, response resources, and/or concepts and ideas. Seminars provide a good starting point for entities that are developing or making major changes to their plans and procedures. | 2-5 hours
Workshop | Workshops represent the second tier of exercises. They differ from seminars in two important respects: participant interaction is increased, and the focus is on achieving or building a product (such as a draft plan or policy). Workshops are often employed in conjunction with exercise development to determine objectives, develop scenarios, and define evaluation criteria. | 3-8 hours
Tabletop Exercise (TTX) | TTXs involve key personnel discussing hypothetical scenarios in an informal setting. This type of exercise can be used to assess plans, policies, and procedures or to assess the systems needed to guide the prevention of, response to, and recovery from a defined incident. TTXs typically are aimed at facilitating understanding of concepts, identifying strengths and shortfalls, and achieving changes in the approach to a particular situation. Participants are encouraged to discuss issues in depth and develop decisions through slow-paced problem solving, rather than the rapid, spontaneous decision making that occurs under actual or simulated emergency conditions. | 4-8 hours
Operations-based Exercises
Case Study | Tests problem-solving capabilities. |
Drill | A drill is a coordinated, supervised activity usually employed to validate a single, specific operation or function in a single agency or organizational entity. Drills are commonly used to provide training on new equipment, develop or validate new policies or procedures, or practice and maintain current skills. | 2-4 hours
Functional Exercises (FE) | An FE is designed to validate and evaluate individual capabilities, multiple functions, activities within a function, or interdependent groups of functions. Events are projected through an exercise scenario with simulated event updates that drive activity at the management level. | 4-8 hours
Full-Scale Exercise (FSE) | FSEs validate many facets of preparedness. They focus on implementing and analyzing the plans, policies, procedures, and cooperative agreements developed in discussion-based exercises and honed in previous, smaller, operations-based exercises. In FSEs, the reality of operations in multiple functional areas presents complex and realistic problems that require critical thinking, rapid problem solving, and effective responses by trained personnel. During FSEs, events are projected through a scripted exercise scenario with built-in flexibility to allow simulated updates to drive activity. FSEs are conducted in real time, creating a stressful, time-constrained environment that closely mirrors real events. | One day

H.5 AFTER ACTION REPORT (AAR)

The After Action Report documents the performance of an exercise or actual event for which Business Continuity Planning (BCP) was involved and is the basis for recommendations for improvement. This AAR Template is modeled on the U.S.
Homeland Security Exercise and Evaluation Program, Volume 2:

H.5.1 Overview

The “Overview” section should be used to briefly describe the following:
- Exercise date(s): month, day, and year;
- Type of Exercise: Seminar, Workshop, Drill, Game, Tabletop, Functional, or Full-Scale;
- Scenario: Brief description of scenario, threat and specific details;
- Location: applicable information regarding the specific exercise location;
- Participating organizations;
- Number of participants and roles;
- Major strengths demonstrated during the exercise, and
- Areas that require improvement.

H.5.2 Goals and Objectives

“Goals and Objectives” should define the purpose, end state and supporting objectives for the exercise. These are developed during the planning and design phase and are used to define the scope and content of the exercise and the participants.

H.5.3 Synopsis

The “Synopsis” should provide an overview of the scenario and actions taken by the players to respond to the simulated event. The activities are presented in the sequence and timeline in which they happened at each site. The synopsis provides an overview of what happened at each location and is used to analyze the effectiveness of the response.

H.5.4 Performance Analysis

“Performance Analysis” details participant performance in meeting the mission outcomes as outlined in “Goals and Objectives”. Tasks performed as expected require only a short write-up. For tasks that were not performed as expected, the write-up should describe what happened or did not happen and the root causes for the variance from the plan. Recommendations for improvement should be presented in the format below:
- Task Number: {Insert specific task number}.
- Summary of Issue: Briefly describe the issue.
- Consequence: Briefly state the consequence of the action.
- Analysis: Briefly explain the issue and the consequences.
- Recommendations: List recommendations that would help rectify the issue.
- Actions: List the action steps required to ensure the recommendations are followed.

H.5.5 Conclusions

The “Conclusions” section should summarize all AAR sections, and include:
- Participants demonstrated capabilities;
- Lessons learned;
- Major recommendations, and
- A summary of steps necessary to refine plans, procedures, training.

H.5.6 Improvement Plan

The “Improvement Plan” outlines actions to address recommendations contained in the after action report. It lists the recommendation, action, responsible party and status.

APPENDIX I MEMORANDUM OF UNDERSTANDING AND AGREEMENT

Business continuity procedures may be supported and enhanced through the implementation of Memoranda of Understanding, Mutual Aid Agreements and contracts (see Sector Delaware Bay Recovery Guidelines, Appendix F). The following memoranda of understanding and agreement and mutual aid agreements are in place to coordinate emergency response, continuity of operations and recovery:

I.1 MEMORANDUMS OF AGREEMENT/UNDERSTANDING
Title | Proponent | Date

I.2 MUTUAL AID AGREEMENTS
Title | Proponent | Date

I.3 CONTRACTS
Title | Proponent | Date

APPENDIX J BCP ASSESSMENT

Table J.1 provides a checklist that can be used as a guide for the development of a comprehensive BCP regardless of organizational size. The checklist can be modified to meet organizational requirements.

Table J.1: BCP Checklist

BCP CHECKLIST

This is a quick assessment to determine the current state of business continuity management components and functions within an organization.
Identify Essential Functions: (Complete / In Process / TBD / N/A)
- Determine which functions must be continued under all circumstances
- Determine the minimum operational requirements
- Determine the minimum functions required to satisfy the operational requirements
- Determine functions that can be deferred
- Establish staffing requirements
- Establish the minimum number of personnel required
- Identify mission critical data, communications and IT systems
- Identify staff with critical and unique skills

Identify Appropriate Authorities and References: (Complete / In Process / TBD / N/A)
- Legal
- Financial
- Contracting
- Human resources
- Other

Succession Plan (Complete / In Process / TBD / N/A)
- Written Line of succession for key leaders, managers and essential employees
- Devolution strategy
- Delegations of Authority

BCP Activation/Alert/Notification (Complete / In Process / TBD / N/A)
- Activation protocol – when, why, who
- Primary and back-up systems
- Essential employees
- Emergency Response Team
- All other employees
- Suppliers / vendors / customers
- Public
- Business hour vs. non-business hour notification
- Standard notification messages

Files / Records / Databases (Complete / In Process / TBD / N/A)
- Identify vital files, records, databases needed to support essential functions
- Back-up procedures for vital records
- Secure location for backed-up records
- Business unit or person responsible for maintenance

Relocation Plans (Complete / In Process / TBD / N/A)
- Functions to be relocated
- Alternate locations (include telework)
- Emergency kits
- Match staff with relocation option
- Transportation to alternate facility
- Emergency relocation operating procedures
- Logistics (e.g. site acquisition agreements, services, personnel, resources, equipment, etc.)
- Mission critical systems

Responsibilities (Complete / In Process / TBD / N/A)
- Assigned BCP responsibilities
- Assigned BCP training responsibilities
- Training Curriculum, exercise schedule, system tests
- BCP maintenance and management

APPENDIX K DISTRIBUTION AND MAINTENANCE

K.1 GENERAL DISTRIBUTION

Distribution is governed by organizational handling regulations. However, a copy of the BCP should be made available to all personnel to assure the highest level of readiness. Due to the inclusion of personal information about organization employees, this plan shall be protected by the Freedom of Information Act, Exemption Six.

K.2 BCP MAINTENANCE

Maintenance includes the process of conducting scheduled review and revision of the BCP. The following schedule should be used to conduct annual BCP maintenance.

January 1-31:
- Update APPENDIX B, Recall Rosters
- Update APPENDIX D, Alternate Facilities (include risk assessments, costs, and maps)
- Update APPENDIX E, Succession / Delegation of Authority
- Update APPENDIX G, Vital Records/Databases
- Update APPENDIX H, Testing, Training and Exercises
- Update APPENDIX I, Memoranda of Understanding and Agreement
- Update Appendix M, Action Steps

June 1-31:
- Update APPENDIX B, Recall Rosters
- Update APPENDIX C, Risk Assessment
- Update APPENDIX F, Communications Systems
- Update APPENDIX G, Vital Records/Databases
- Update APPENDIX H, Testing, Training and Exercises
- Update APPENDIX K, Distribution and Maintenance
- Update Appendix L, Forms
- Update Appendix M, Action Steps
- Perform comprehensive review of BCP

K.3 BCP MAINTENANCE RESPONSIBILITIES

Position | Responsibility
 | Update BCP annually
 | Update Appendices
 | Update telephone rosters
 | Review status of vital files, records, and databases.
 | Conduct alert and notification tests
 | Develop and lead BCP training & exercises

K.4 GENERAL BCP MAINTENANCE GUIDANCE

Activity | Tasks | Frequency
Plan review and update | Review entire plan for accuracy; Ensure compatibility with related response / recovery plans; Incorporate lessons learned and changes in procedures; Manage distribution of plan updates; Ensure currency of designated successors; Update Delegation of Authorities | Semi-annually
Checklists | Update and revise checklists; Ensure validation | As needed; Annual exercise
Update BCP rosters | Confirm/update information on BCP Team members | Monthly or quarterly
Appoint new members of the BCP Team | Qualifications determined by BCP Team Leaders; Issue appointment letter and schedule new member orientation | As needed
Maintain and update Orders of Succession | | As needed
Maintain AF readiness | Check systems status/interoperability; Cycle supplies and equipment as needed | Quarterly
Review and update supporting Memoranda of Understanding/Agreements | Review for currency; Incorporate changes, if required; Obtain signatures renewing agreement | Annually
Maintain AF equipment | Train users; Provide technical assistance | Ongoing
Training | Provide an orientation and training class; Schedule training and exercise events | Per Training Plan
Orient supervisory personnel | Brief each supervisor on his/her responsibilities under the BCP | Per Training Plan
Plan and conduct exercises | Conduct internal exercises; Conduct exercises with local, regional, and/or state agencies | Annually; Semi-annually

APPENDIX L FORMS

Appendix L contains forms that support the steps listed in this document and includes forms that support EOC functions.
EOC FACILITY DAMAGE ASSESSMENT FORM

Location:
Completed By:
Date:
Time:

Code Key:
1 = Needs replacement
2 = Needs repair
3 = No action needed; functioning properly

DESCRIPTION | CODE | COMMENTS/RECOMMENDATIONS (e.g., water, smoke, fire, or wind damage, how many items damaged, estimated time to repair, etc.)
Facility (Structural)
Facility (Non-Structural)
Facility (Contents)
Electrical
Generator - Fuel
Natural Gas
Heating, ventilation, and air conditioning (HVAC)
Water
Phones - Fax lines - POTS lines - Cell Phones
Physical Security of Facility
Computers - Hardware - Network infrastructure

INITIAL ASSESSMENT FORM

Location:
Completed By:
Date:
Time:

Purpose: Provides a framework to conduct and document the initial assessment of facilities or locations that will be used for business recovery activities.

[Note: Detailed information may not be readily available until proper approval is obtained to re-enter the facility (e.g., after the fire department has performed an inspection and gives permission for entrance to the facility, etc.).]

Area | OK | Damaged | Comments
Occupants: Are all personnel and visitors safe and accounted for? Injuries?
Work Centers
Facility Structure
Facility Non-Structure (e.g., Power, HVAC, Connection to data & voice, lighting, etc.)
Physical Security of Facility
Facility Contents
Office Equipment
Desktop computing
Network servers
Other Equipment
Network Connectivity
Voice Network
LAN / WAN
Key IT/Computing Resources
Applications
Servers
Data
Vital Records Availability
Further threats or impacts in the future?
Other?

SIGN-IN LOG

Purpose: To capture critical information for employees signing in at the recovery location, or employees calling in and reporting their locations and work being performed. This form provides a means to identify and account for the location of all employees during an event.

NAME | EMPLOYEE ID# | DATE | TIME IN | TIME OUT | EMERGENCY CONTACT # (How and where can you be reached?) | MGR NAME/DEPT/CONTACT #

MESSAGE FORM

Purpose: May be used to document and track incoming message details, and may be forwarded to the message recipient for follow-up. Tracking information should be logged on Incoming/Outgoing Message Log.

Control Number:
Date:
Time:
Incoming / Outgoing
TO:
FROM:
Location of Incident:
Received by: Initials:___________________________
Telephone / Radio / Other:_________________________
Message:
Forwarded to:
Priority: Life Threat, Facility Threat, Routine, Can Be Delayed, Information Only
Action Taken:
Resources Committed: Personnel, Equipment, Supplies
Follow-up Actions: Complete, Review/Manager, Plotted on Status Board, Runner

INCOMING / OUTGOING MESSAGE LOG

Purpose: To record and track incoming messages for all activities in a location, and can also be used at a message center (if activated). The person assigned this task logs all incoming and outgoing messages, and assigns a control number.

Control Number | Date | To | From | Action Taken | Closed ()

ACTION ITEMS

Purpose: To track action items and ongoing status identified during recovery effort.
Item # | Date/Time Assigned | Description | Person Assigned | Contact Number | Status Update Due (time) | Resolved Time

RESOURCE / EQUIPMENT STATUS

Type/Description of Resource | Location of Resource | Comments | Date/Time | Units Available | Units Allocated

PERSONNEL RESOURCE STATUS

Individual's Info (Name, Address, and Phone) | Subject Expertise or Special Skill | Organizational Info | Availability | Comments

EVENT / SITUATION STATUS

Event No. | Date/Time | Description of Event | Location | Action Taken | Status

APPENDIX M ACTION STEPS

This section describes the high-level response and recovery actions to be initiated by the EOC Team in response to an incident.

M.1 ACTION STEPS ARE ORGANIZED INTO THE FOLLOWING CHECKLISTS:
- Activation – Steps followed to activate and begin recovery preparations
- Incident Damage Assessments – Steps followed to perform and assess what can be salvaged or recovered, and what needs to be replaced.
- Assemble and Brief – Steps followed to assemble the team and brief them on what has occurred.
- Recovery – Steps followed for resumption and recovery actions.
- Documentation/Record Keeping – Steps followed to document the incident.
- Deactivation and Debrief – Steps followed to capture event documentation and lessons learned, to resolve open issues, and to resume normal business operations.
- After Action Report – An After Action Report (AAR) captures observations, lessons learned, and recommendations for improvements based upon the ability of the organizations to meet operational objectives.
An AAR may be developed after an exercise or actual event (see Appendix H).

Incident Action Plan

[Steps followed to activate and begin recovery operations.]

Table M-1 Activation Steps

Action Step | Resources Available | Responsible Party | Assigned to | Start/Stop | Notes
Perform initial damage assessment | Form(s): Initial Assessment Form | Operations Section
Provide EOC Director any known damage assessment information or impact information to assist in disaster declaration decision | | All Sections
Evaluate need to activate EOC and Recovery Teams. Contact EOC Staff and Recovery Team members and inform them of situation. | | EOC Director
Have a member of the EOC Team assess the condition of the primary EOC location and determine if it is safe or if the team needs to convene at the secondary location. If secondary location is selected, communicate to recovery team | Form(s): EOC Facility Damage Assessment Form; Procedure(s): Appendix A – Emergency Operations Center Location | EOC Director
Notify Senior Leadership Team | Documents: Plan Data Appendix E – Emergency Notification/Key Personnel | EOC Director
Evaluate need to declare a disaster. Evaluate resources needs. Obtain disaster expense codes
Set up and Secure EOC: Set up EOC equipment and supplies; Establish secure entry point for the EOC and use the Sign-in Log to aid with tracking personnel
Communicate response status to Recovery Teams: Where to convene; When to convene; Personal safety considerations (weather, road conditions, etc.)
Notify key external personnel, vendors, and service providers of disaster declaration: Vendors (local); Building Owners; As needed: Utility Companies, Disaster Vendors, Restoration Contractors, Emergency Management Organizations, Local Government Organizations
Resources Available / Responsible Party (as listed): EOC Director; Form(s): Resource/Equipment Status Form; Operations Section; Finance Section; Sign-in Log; Documents: Plan Data Appendix E – Emergency Notification/Key Personnel; EOC Director; Logistics Section; Logistics Section

INCIDENT DAMAGE ASSESSMENTS

[Steps needed to perform and assess damages and determine what resources or assets may be salvaged or recovered. The damage assessment will also identify resources or assets that are beyond repair and must be replaced.]

Table M-2 Initial Assessment and Recovery Strategy

Action Step | Resources Available | Responsible Party | Assigned to | Start/Stop | Notes
Conduct Facility Assessment – structural, non-structural damage assessments and contents damage assessments | | Operations Section
Conduct Business Processes Assessment – business units impacted and recovery needs | | Operations Section

ASSEMBLE AND BRIEF

[Steps needed to assemble the team and brief them on what has occurred.]
Table M-3 Perform Activate and Notify Action Step Responsible Party Resource Available Review current situation and steps already initiated EOC Director Clarify roles and responsibilities EOC Director Establish shift schedules as needed Logistics Section Recovery Team Leaders Review documentation and reporting requirements: Review safety and security procedures Review any documented action items Form(s): Incoming / Outgoing Message Log Message Form Event Log Sign-in Log Update Company Emergency Information Hotline Set time and place for next status update briefing EOC Director Safety Form(s): Assigned to EOC Director Action Items Procedure(s): Appendix C – Emergency Information Hotline Public Information Officer EOC Director FOR OFFICIAL USE ONLY Page M-4 Start/ Stop Notes FOR OFFICIAL USE ONLY AMSC Sector Delaware Bay Business Continuity Planning Template RECOVERY [Action Steps necessary to conduct resumption and recovery operations.] Table M-4 Resumption and Recovery Checklist Action Step Contact appropriate Recovery Team Leaders Documents: Review Recovery Time Objectives (RTO) of critical process Documents: Prioritize recovery actions Documents: Gather damage assessment results By phone, fax or e-mail or any other method. Gather recovery team, vendor, and supplier recommendations regarding restoration or replacement of resources or assets Estimated time for repair? Estimated resource needs ( e.g.. personnel, vendors, equipment, facilities)? Estimated cost? 
Responsible Party Resource Available Logistics Section Appendix E –Emergency Notification/Key Personnel Planning and Intelligence Section Appendix F – Critical Process Summary EOC Director Appendix G – Supporting Elements Planning and Intelligence Section Planning and Intelligence Section FOR OFFICIAL USE ONLY Page M-5 Assigned to Start/ Stop Recovery Notes FOR OFFICIAL USE ONLY AMSC Sector Delaware Bay Business Continuity Planning Template Action Step R re-prioritize recovery effort and begin resource deployment based on the damage assessment reports Obtain and deploy required resources EOC Director Form(s): Continue to coordinate resource requirements throughout the recovery process Equipment People Vendors Direct Human Resources to resolve/address incident stress management (within 72 hours of incident/disaster) Responsible Party Resource Available Logistics Section Resource/Equipment Status Form Form(s): Resource/Equipment Status Form Personnel Resource Status Form Logistics Section Documents: Safety Plan Data – Appendix D: Critical Incident Stress Management Guide Contractual Agreements FOR OFFICIAL USE ONLY Page M-6 Assigned to Start/ Stop Recovery Notes FOR OFFICIAL USE ONLY AMSC Sector Delaware Bay Business Continuity Planning Template DOCUMENTATION/RECORD KEEPING [Action Steps needed to assure completion of documentation and the appropriate required forms.] Table M-5 Documentation/Record Keeping Resources Available Action Step Update damage assessment information Recovery status Reprioritize as needed Shift schedule Employee availability Document communications Message Form Event Log Assigned to EOC Director Document Resource Status Responsible Party Logistics Section Form(s): Incoming / Outgoing Message Log Message form Event/Situation Status Logistics Section Update status reports to Senior Management Team . 
EOC Director Update status reports to key external contacts EOC Director As needed: Building Owners Utility companies Vendors Local Emergency Management Organizations Track all costs and expenses relating to this incident or disaster Finance Section FOR OFFICIAL USE ONLY Page M-7 Start/ Stop Notes FOR OFFICIAL USE ONLY AMSC Sector Delaware Bay Business Continuity Planning Template DEACTIVATION AND DEBRIEF [Action Steps necessary to document operational issues, lessons learned, resolve open issues, and resume normal business operations.] Table M-6 Deactivation and Debrief Action Step Resolve personnel/staffing issues Have all temporary and ‘borrowed’ staff returned to normal duties? Are regular staff resources ready to handle operations? Have staffing expenses been properly documented and submitted for payment (for example, food, travel, lodging, overtime)? Resolve equipment issues Has all borrowed, purchased, leased or owned equipment been accounted for? Operational? If rented or leased, how long will we need it; do we need to order permanent replacement equipment? Has unused borrowed equipment been properly returned? Has paperwork for purchased or leased equipment been completed and processed? 
  (purchase orders, lease agreements, invoices)

Columns: Action Step; Resources Available; Responsible Party; Assigned to; Start/Stop; Notes

Responsible Party: Logistics Section; Finance Section; Logistics Section; Finance Section

Action Step: Expense reporting
- Obtain all receipts and documentation for expenses incurred during the incident
- Capture/document all hours worked by employees, including overtime
- Work with Finance to determine project or expense codes and how expenses will be submitted
- Submit expenses/copy of receipts for payment
Responsible Party: Finance Section

Action Step: Capture lessons learned – Document what worked well and areas that need improvement:
- Disaster prevention/mitigation issues
- Emergency Response
- Emergency Operations
- Recovery process
- Communications (information flow, content and frequency)
- Communication methods (phone, paging, etc.)
- Human resources/shift schedules/workforce issues
- Equipment issues/spares inventory
- Vendor availability, support, and responsiveness
- EOC location
- EOC supplies and equipment
- Availability of key internal personnel
- Availability of key external personnel
- Vendor cooperation/availability/timely response
- Municipality cooperation
Responsible Party: EOC Director

Action Step: Complete/gather up and transcribe all Disaster Recovery documentation, as needed
- Event logs
- Forms
- Reports

Action Step: Replenish equipment and supplies
- Have equipment and supplies been inventoried?
- Have inventory deficiencies been replenished? (including spares)
- What additional items should be added to prepare for future disasters?

Action Step: Schedule incident debrief/after-action meeting
- Schedule meeting to accommodate all parties involved in the disaster (BEFORE everyone scatters)
- Notify all participants of meeting
- Prepare a meeting agenda
- Coordinate Critical Incident Stress debrief session(s), as needed

Action Step: Document action items to close out event (short-term).
- Identify action items to be completed, who owns each item, and target completion dates
- Assign one person to project-manage deactivation, including tracking the resolution of action items

Responsible Party: EOC Director; EOC Director; EOC Director; EOC Director